First commit
61
README.md
@ -1,2 +1,63 @@
# gsb2023
# gsb2023

Environnement et playbooks ansible pour le projet GSB 2023

## Quickstart
prérequis : une machine Debian Bullseye


## Les machines
* s-adm
* s-infra
* r-int
* r-ext
* s-proxy


## Les playbooks


## Installation

On utilisera l'image de machine virtuelle suivante :
* **debian-bullseye-2023a.ova** (2022-05-07)
* Debian Bullseye 11 - 2 cartes - 1 Go - stockage 20 Go


### Machine s-adm
* créer la machine virtuelle **s-adm** en important l'image ova décrite plus haut
* renommer la machine puis redémarrer
* taper :
```shell
mkdir -p tools/ansible ; cd tools/ansible
git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git
cd gsb2023/pre
bash inst-depl
cd /var/www/html/gsbstore
bash getall
cd /root/tools/ansible/gsb022/pre
bash gsbboot
cd .. ; bash pull-config
```
- redémarrer

### Pour chaque machine

- importer la machine à partir du fichier **.ova**
- définir les cartes réseau en accord avec le plan d'adressage et le schéma
- donner le nom adapté (avec sed -i …)
- redémarrer
- mettre à jour les paquets : apt update && apt upgrade
- cloner le dépot :
```shell
mkdir -p tools/ansible ; cd tools/ansible
git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git
cd gsb2023/pre
export DEPL=192.168.99.99
bash gsbboot
cd ../..
bash pull-config
```
- **Remarque** : une machine doit avoir été redémarrée pour prendre en charge la nouvelle configuration


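Review bot: The two clone sequences disagree and neither works as typed. The s-adm block clones `gsb2023.git` and then does `cd /root/tools/ansible/gsb022/pre` (a directory that does not exist after that clone), while the per-machine block clones `gsb2022.git` and then `cd gsb2023/pre`; use one repository name throughout. The two blocks also end up in different directories before `pull-config`: `cd .. ; bash pull-config` from `gsb2023/pre` runs it inside `gsb2023`, whereas `cd ../..` runs it from `tools/ansible`, so one of them runs the script from the wrong place. The first block's `mkdir -p tools/ansible` is relative to the current directory but the later absolute path assumes `/root/tools/ansible`; say that the commands are run as root from `/root`. `## Les machines` lists s-adm, s-infra, r-int, r-ext and s-proxy with no role or address and omits the r-vp1, r-vp2 and s-fog machines that the docs and goss files in this same commit deploy, and `## Les playbooks` is empty; at least name the addressing plan and the playbook per machine. Finally, every machine bootstraps from `DEPL=192.168.99.99` over the admin network; nothing here says what `gsbboot` and `pull-config` fetch from there or how it is verified, which belongs in this README.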
11
agoss
Executable file
@ -0,0 +1,11 @@
#!/bin/bash
HOST=$(hostname)
FHOST=$(pwd)/goss/$HOST
if [ -r "$FHOST".yaml ] ; then
#goss -gossfile "$FHOST".yaml v --no-color
goss -gossfile "$FHOST".yaml v "$@"
else
echo $0 : erreur lecture fichier "$FHOST".yaml
exit 1
fi

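Review bot: `FHOST=$(pwd)/goss/$HOST` ties the script to the caller's working directory instead of the repository, so `agoss` run from anywhere but the repo root always takes the `else` branch; derive the path from the script's own location, e.g. `FHOST=$(dirname "$(readlink -f "$0")")/goss/$HOST`. Two smaller points: `hostname` may return an FQDN on some hosts, and `hostname -s` is what matches the `r-vp1`, `s-infra` style file names under `goss/`; the error message leaves `$0` unquoted and goes to stdout, so prefer `echo "$0: erreur lecture fichier $FHOST.yaml" >&2`. The commented `--no-color` line can be dropped, since that flag can be passed through `"$@"`.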
7
changelog
Normal file
@ -0,0 +1,7 @@
v5.0.2.j : 2019-01-25 -kb
ejout role s-nas-cliet et s-nas-server
v5.0.1 : 2019-01-24 - ps
reorganisation : anciens playbooks et roles deplaces dans repertoire old
v3.2.0 : 2017-11-16 - ps
ajout changelog

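Review bot: The newest entry has two typos that defeat anyone grepping for the role names: `ejout role s-nas-cliet` should read `ajout role s-nas-client`. The version scheme is inconsistent (`v5.0.2.j` has four components, the other entries three), and the log stops in 2019 while the README describes a 2023 Bullseye deployment; either add an entry for this commit or mark the file as historical.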
36
confwireguard/r-ext/r-ext.ip
Normal file
@ -0,0 +1,36 @@
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:03:d3:28 brd ff:ff:ff:ff:ff:ff
inet 192.168.99.13/24 brd 192.168.99.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe03:d328/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:63:40:ea brd ff:ff:ff:ff:ff:ff
inet 192.168.100.254/24 brd 192.168.100.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe63:40ea/64 scope link
valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:4f:29:27 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.20/24 brd 192.168.0.255 scope global dynamic enp0s9
valid_lft 77233sec preferred_lft 77233sec
inet6 fe80::a00:27ff:fe4f:2927/64 scope link
valid_lft forever preferred_lft forever
5: enp0s10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:9d:16:f8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global enp0s10
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe9d:16f8/64 scope link
valid_lft forever preferred_lft forever
6: enp0s16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:07:c1:0f brd ff:ff:ff:ff:ff:ff
inet 192.168.200.253/24 brd 192.168.200.255 scope global enp0s16
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe07:c10f/64 scope link
valid_lft forever preferred_lft forever
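Review bot: This is a captured `ip addr` dump, not configuration. It records VirtualBox MAC addresses and the link-local IPv6 addresses derived from them, which change on every re-import of the OVA, and the `enp0s9` address is DHCP-assigned (`dynamic`, `valid_lft 77233sec`), so the 192.168.0.20 seen here is not stable. Filing it under `confwireguard/` is also misleading: nothing in it concerns WireGuard and r-ext has no `wg0`. If the intent is a reference for the goss checks, keep only the static address per interface (or generate the goss `interface:` sections from the addressing plan) and add a short README in that directory saying what these files are for.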
9
confwireguard/r-ext/r-ext.routes
Normal file
@ -0,0 +1,9 @@
default via 192.168.0.1 dev enp0s9
169.254.0.0/16 dev enp0s3 scope link metric 1000
172.16.0.0/24 via 192.168.200.254 dev enp0s16
172.16.128.0/24 via 192.168.1.2 dev enp0s10
192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.20
192.168.1.0/24 dev enp0s10 proto kernel scope link src 192.168.1.1
192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.13
192.168.100.0/24 dev enp0s8 proto kernel scope link src 192.168.100.254
192.168.200.0/24 dev enp0s16 proto kernel scope link src 192.168.200.253
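Review bot: There is no route for the user networks 172.16.64.0/24 and 172.16.65.0/24 that r-int serves (in `confwireguard/r-int/r-int.routes` of this commit they are directly connected on enp0s10 and enp0s9). Only 172.16.0.0/24 is sent via 192.168.200.254, so anything r-ext has to deliver to those prefixes, replies to user traffic included, follows `default via 192.168.0.1 dev enp0s9` out of the external interface. Unless r-int masquerades those networks, which nothing on this page shows, add `172.16.64.0/24 via 192.168.200.254 dev enp0s16` and `172.16.65.0/24 via 192.168.200.254 dev enp0s16`, or a single `172.16.64.0/23 via 192.168.200.254 dev enp0s16`. The agency prefix 172.16.128.0/24 via 192.168.1.2 (r-vp1) is consistent with `r-vp1.routes`.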
36
confwireguard/r-int/r-int.ip
Normal file
@ -0,0 +1,36 @@
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:c9:4e:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.99.12/24 brd 192.168.99.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fec9:4e0b/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:34:ef:8f brd ff:ff:ff:ff:ff:ff
inet 192.168.200.254/24 brd 192.168.200.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe34:ef8f/64 scope link
valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:56:72:01 brd ff:ff:ff:ff:ff:ff
inet 172.16.65.254/24 brd 172.16.65.255 scope global enp0s9
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe56:7201/64 scope link
valid_lft forever preferred_lft forever
5: enp0s10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:7c:d7:5b brd ff:ff:ff:ff:ff:ff
inet 172.16.64.254/24 brd 172.16.64.255 scope global enp0s10
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe7c:d75b/64 scope link
valid_lft forever preferred_lft forever
6: enp0s16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:e6:59:3d brd ff:ff:ff:ff:ff:ff
inet 172.16.0.254/24 brd 172.16.0.255 scope global enp0s16
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fee6:593d/64 scope link
valid_lft forever preferred_lft forever
7
confwireguard/r-int/r-int.routes
Normal file
@ -0,0 +1,7 @@
default via 192.168.200.253 dev enp0s8 onlink
169.254.0.0/16 dev enp0s9 scope link metric 1000
172.16.0.0/24 dev enp0s16 proto kernel scope link src 172.16.0.254
172.16.64.0/24 dev enp0s10 proto kernel scope link src 172.16.64.254
172.16.65.0/24 dev enp0s9 proto kernel scope link src 172.16.65.254
192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.12
192.168.200.0/24 dev enp0s8 proto kernel scope link src 192.168.200.254
20
confwireguard/r-vp1/r-vp1.ip
Normal file
@ -0,0 +1,20 @@
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:53:62:8c brd ff:ff:ff:ff:ff:ff
inet 192.168.99.112/24 brd 192.168.99.255 scope global enp0s3
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:b0:5e:11 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 brd 192.168.1.255 scope global enp0s8
valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:28:10:4c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.51/24 brd 192.168.0.255 scope global enp0s9
valid_lft forever preferred_lft forever
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.1/32 scope global wg0
valid_lft forever preferred_lft forever
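Review bot: The interface assignment here contradicts the goss files added in the same commit. This dump has `enp0s8` = 192.168.1.2/24 and `enp0s9` = 192.168.0.51/24, while `goss/r-vp1.yaml` and `goss/r-vp1-cs.yaml` expect `enp0s8` = 192.168.0.51/24 and `enp0s9` = 192.168.1.2/24, and `r-vp1-cs.yaml` additionally expects `default via 192.168.1.1 dev enp0s9` although `r-vp1.routes` has no default route at all. One side is stale; the goss checks cannot pass against the machine this dump was taken from. Separately, `wg0` with a /32 address shows a WireGuard tunnel (10.0.0.1 to 10.0.0.2), whereas `doc/r-vp.txt` and the `-cs` goss files describe a strongswan/IPsec tunnel on the same hosts; the repository should state which VPN r-vp1/r-vp2 actually run, or keep the two variants clearly separated.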
8
confwireguard/r-vp1/r-vp1.routes
Normal file
@ -0,0 +1,8 @@
10.0.0.2 dev wg0 scope link
169.254.0.0/16 dev enp0s3 scope link metric 1000
172.16.0.0/24 via 192.168.1.1 dev enp0s8
172.16.128.0/24 dev wg0 scope link
192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.51
192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.2
192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.112
192.168.200.0/24 via 192.168.1.1 dev enp0s8
18
confwireguard/r-vp2/r-vp2.ip
Normal file
@ -0,0 +1,18 @@
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 08:00:27:46:2b:0a brd ff:ff:ff:ff:ff:ff
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:99:b7:7f brd ff:ff:ff:ff:ff:ff
inet 172.16.128.254/24 brd 172.16.128.255 scope global enp0s8
valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:34:71:77 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.52/24 brd 192.168.0.255 scope global enp0s9
valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.2/32 scope global wg0
valid_lft forever preferred_lft forever
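Review bot: `enp0s3` is DOWN here, which matches the `ifdown` step in `doc/r-vp.txt`, but it leaves r-vp2 with no address on the admin network 192.168.99.0/24, and `r-vp2.routes` has no route to it either, so s-adm (192.168.99.99) can no longer reach this host for Ansible runs or for the `goss/r-vp2-*.yaml` checks once that step is done. Document how the machine is managed afterwards (console, or through the tunnel from n-infra), or keep the admin interface up and remove only the default route, which is what the same doc does on r-vp2 to fix the routing loop.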
7
confwireguard/r-vp2/r-vp2.routes
Normal file
@ -0,0 +1,7 @@
10.0.0.1 dev wg0 scope link
169.254.0.0/16 dev enp0s9 scope link metric 1000
172.16.0.0/24 dev wg0 scope link
172.16.128.0/24 dev enp0s8 proto kernel scope link src 172.16.128.254
192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.52
192.168.1.0/24 dev wg0 scope link
192.168.200.0/24 dev wg0 scope link
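Review bot: The prefixes sent into `wg0` define what the agency can reach: 172.16.0.0/24 (n-infra) plus the two router interconnect networks 192.168.1.0/24 and 192.168.200.0/24, but neither the user networks 172.16.64.0/24 and 172.16.65.0/24 nor the r-ext DMZ 192.168.100.0/24. `r-vp1.routes` mirrors this for the return direction (172.16.128.0/24 via `wg0`), so the two ends agree, but exposing the router-to-router links to the remote site while hiding the user LANs reads as an accident rather than a policy; state which networks the site-to-site tunnel is meant to carry and adjust both peers' `AllowedIPs` (if `wg-quick` brought the interface up, these `dev wg0` routes are what it derived from them). Like r-vp1, this host has no default route, so it reaches its peer only because 192.168.0.51 sits on the directly connected 192.168.0.0/24; that is fine for the lab and should be said.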
12
confwireguard/s-infra/s-infra.ip
Normal file
@ -0,0 +1,12 @@
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:4a:25:54 brd ff:ff:ff:ff:ff:ff
inet 192.168.99.1/24 brd 192.168.99.255 scope global enp0s3
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:ee:b4:01 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.1/24 brd 172.16.0.255 scope global enp0s8
valid_lft forever preferred_lft forever
7
confwireguard/s-infra/s-infra.routes
Normal file
@ -0,0 +1,7 @@
default via 192.168.99.99 dev enp0s3 onlink
169.254.0.0/16 dev enp0s3 scope link metric 1000
172.16.0.0/24 dev enp0s8 proto kernel scope link src 172.16.0.1
172.16.64.0/24 via 172.16.0.254 dev enp0s8
172.16.128.0/24 via 172.16.0.254 dev enp0s8
192.168.0.0/16 via 172.16.0.254 dev enp0s8
192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.1
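Review bot: `default via 192.168.99.99 dev enp0s3 onlink` sends everything s-infra does not have a specific route for through s-adm on the administration network instead of through r-int (172.16.0.254). That turns n-adm into a transit network for the infra server's Internet traffic (package updates, downloads from the deploy server aside), which is the opposite of what an out-of-band admin network is for, and it silently depends on s-adm forwarding and NATing, which nothing in this commit documents. If this is a bootstrap convenience, say so and switch the default to 172.16.0.254 once r-ext is up; if it is permanent, it belongs in the schema. Two routing gaps in the same file: 172.16.65.0/24 (r-int's enp0s9 user network) has no entry, so replies to hosts there go to s-adm rather than r-int; and `192.168.0.0/16 via 172.16.0.254` overlaps the admin prefix 192.168.99.0/24 (the connected route wins on prefix length, but a catch-all like this hides mistakes; list the 192.168.x.0/24 networks you actually mean).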
38
doc/Docker-openvas.txt
Normal file
@ -0,0 +1,38 @@
Fichier de documentation fait par Adnan Baljic, le 31/01/2019

Configuration machine:
Système: Carte Mère: Mémoire Vive: 2048
Stockage: Contrôleur SATA: Ajouter un disque dur VDI de 8Go
Réseau 1: n-adm
Réseau 2: n-infra
USB: Décocher "Activer le contrôleur USB"

Important: Avant exécution du playbook, veillez à ne pas oublier de créer une partition sur /dev/sdb:
-fdisk /dev/sdb
-o
-n
-p
-1
-w

La configuration de docker se fait automatiquement via le playbook s-docker.yml
De base, s-docker.yml installera seulement docker-openvas-ab. Cependant, vous pouvez aussi installer docker-iredmail-ab en décommentant sa ligne et en
commentant la ligne docker-openvas-ab. (Tous les 2 sont accessible depuis le port 443, si les 2 sont installés en même temps, il pourrait y avoir conflit.

Manipulation à faire pour la mise en place d'Openvas via Docker:
Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
les interfaces...) et exécuter la commande ci-dessous:
docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas

Manipulation à faire pour la mise en place d'Openvas via Docker:
Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
les interfaces...) et exécuter la commande ci-dessous:
docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas lejmr/iredmail

Ensuite, il faudra faire: "docker start nom_du_container" pour le démarrer.
L'accès au container se fait via une machine virtuelle windows 7 avec Mozilla Firefox à jour, via https://172.16.0.19:443.

Le changement du système de fichier de /dev/sdb1 et le montage sur /var/lib/docker se fera automatiquement via le playbook.

Les tests effectués:
Jeudi 31 janvier 2019, 15:38 par Adnan Baljic= TEST OpenVAS OK
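Review bot: The "Manipulation à faire pour la mise en place d'Openvas via Docker" paragraph is pasted twice; the second copy is evidently meant for iRedMail but keeps the OpenVAS heading and `--name openvas` while running `lejmr/iredmail`, so a reader following it ends up with a container named openvas running a mail stack (and `docker run` fails outright if the first container still holds that name). Retitle the second block, give it its own container name, and drop the repeated sentences. On the commands themselves: `-p 443:443` binds 0.0.0.0, which exposes the scanner's web UI on the n-adm interface as well as on 172.16.0.19; bind it to the intended interface with `-p 172.16.0.19:443:443`. Neither image is pinned (`mikesplain/openvas` and `lejmr/iredmail` resolve to whatever `latest` is on Docker Hub when the command runs); pin a tag or digest so the deployment is reproducible. `docker run -d` already starts the container, so `docker start nom_du_container` only applies after a reboot or a stop, which the text should say. The fdisk key sequence `o, n, p, 1, w` omits the two prompts for first and last sector where the defaults are accepted with Enter; list them, since a reader typing the sequence literally will type `w` into the sector prompt.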
3
doc/icinga.txt
Normal file
@ -0,0 +1,3 @@
Roles fait par Adnan Baljic, le 17/01/2019
Installation de icinga, nagios3-plugins, copie des fichiers de configuration vers /etc/icinga/ (=commands.cfg, hostgroups.cfg)
et /etc/icinga/objects/ (=namevm.cfg, services_icinga.cfg, contacts_icinga.cfg)
BIN
doc/pics/e4-SAN-V2.dia
Normal file
BIN
doc/pics/e4-adm.dia
Normal file
BIN
doc/pics/e4-adm.png
Normal file
After Width: | Height: | Size: 84 KiB |
BIN
doc/pics/e4-agence.dia
Normal file
BIN
doc/pics/e4-agence.png
Normal file
After Width: | Height: | Size: 16 KiB |
BIN
doc/pics/e4-dmz-ab.png
Normal file
After Width: | Height: | Size: 67 KiB |
BIN
doc/pics/e4-dmz-ha.dia
Normal file
BIN
doc/pics/e4-dmz-ha.png
Normal file
After Width: | Height: | Size: 48 KiB |
BIN
doc/pics/e4-dmz-old.png
Normal file
After Width: | Height: | Size: 51 KiB |
BIN
doc/pics/e4-dmz-tl.dia
Normal file
BIN
doc/pics/e4-dmz-tl.png
Normal file
After Width: | Height: | Size: 37 KiB |
BIN
doc/pics/e4-dmz.dia
Normal file
BIN
doc/pics/e4-dmz.png
Normal file
After Width: | Height: | Size: 30 KiB |
BIN
doc/pics/e4-v2.3.dia
Normal file
BIN
doc/pics/e4-v2.3.png
Normal file
After Width: | Height: | Size: 115 KiB |
BIN
doc/pics/e4-v2.3x.dia
Normal file
BIN
doc/pics/e4-v2.dia
Normal file
BIN
doc/pics/e4-vpn-infra-v1.2.dia
Normal file
BIN
doc/pics/e4-vpn-infra-v1.2.png
Normal file
After Width: | Height: | Size: 162 KiB |
BIN
doc/pics/e4-vpn-infra.dia
Normal file
BIN
doc/pics/e4.dia
Normal file
BIN
doc/pics/e4.png
Normal file
After Width: | Height: | Size: 108 KiB |
23
doc/r-vp.txt
Normal file
@ -0,0 +1,23 @@
Fichier de documentation fait par Adnan Baljic, le 24/01/2019

Manipulation à faire pour la mise en place de r-vp1 et r-vp2:
Après exécution de gsbboot et du pull-config, il faudra désactiver l'interface
de n-adm pour éviter une boucle. Pour cela, il suffit de faire "ifdown enp0sx"

Pour ce qui est des tests pour vérifier que l'agence passe bien par le tunnel
chiffré, vous pouvez stopper le service ipsec ou strongswan ("service
strongswan stop" ou "service ipsec stop", cela revient à faire la même chose)

Important: sur r-vp2, si la route par défaut est celui de s-adm, veuillez
supprimer cette route en faisant "route del default" sinon l'agence ne passera
pas par le tunnel chiffré mais vers s-adm
cf. Schéma GSB/E4 - VPN/Infra - Version 1.2 - 2019-01-23

La mise en place de strongswan via les certificats se fait via le playbook
r-vpx-x509.yml. La manipulation ci-dessus n'est pas à faire pour les vpn avec
certificat si r-vp2-x509 et r-vp1-x509 n'ont pas de route par défaut. Si ils ont
une route par défaut, veuillez effectuer la même manipulation que pour r-vp2.
Il faudra tout de même désactiver l'interface de n-adm sur les 2 r-vpx-x509.

Les tests effectués:
Jeudi 24 janvier 2019, 14:45 par Adnan Baljic= TEST OK
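Review bot: The loop-avoidance step (`ifdown enp0sx`) takes the VPN routers off the n-adm network entirely, which also removes the path s-adm uses to push playbooks and run goss on them. The doc's own `route del default` on r-vp2 shows the actual problem is a default route pointing at s-adm; removing (or never installing) that route while keeping the admin address fixes the loop without losing management access, and `enp0sx` should name the real interface (enp0s3 in the dumps in this commit). The suggested test, stopping `strongswan`/`ipsec` and observing that the agency loses connectivity, only shows that traffic depends on the daemon, not that it was encrypted; add a positive check such as `tcpdump -ni <external interface> esp or udp port 500 or udp port 4500` on r-vp1 while pinging from the agency, which should show ESP (or UDP 4500 under NAT-T) and no cleartext 172.16.x packets on that interface.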
11
doc/s-fog.txt
Normal file
@ -0,0 +1,11 @@
fichier de documentation réalier par Olivier Soares et Gaetan Maillard, le 25/01/2019

Pour mettre en oeuvre le serveur fog, il faut déployer une machine virtuel debian (une ova), de la mettre à jour, de la renommer (s-fog), puis de récupérer gsbboot et faire un bash pull-config.

Après avoir avoir fait l'installation de base, il suffit d'éxécuter le playbook "s-fog.yml" avec la commande ansible-playbooks -i hosts s-fog.yml". Ce playbook va récupérer le fichier d'installation de fog, le décompacter et configurer les différentes cartes réseaux de s-fog sachant qu'il y en a trois:

L'interface enp0s3 permet d'avoir accès internet via le réseau "n-adm"
L'interface enp0s8 permet de communiquer avec le réseau "n-infra"
L'interface enp0s9 permet d'avoir accès et deployer des postes sur le réseau "n-user"

Maintenant le serveur fog est prêt à être installer, avant de commencer l'installation il faut tout d'abord vérifier que l'accès à tous les réseaux soit correcte. Pour ça il suffit d'éxécuter le fichier de test goss
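Review bot: The playbook command is misspelled and its quoting is unbalanced: `ansible-playbooks -i hosts s-fog.yml"` should be `ansible-playbook -i hosts s-fog.yml` (the binary is singular). The last paragraph tells the reader to run the goss test before installing FOG but not how: name the wrapper (`bash agoss` from the repository root, added in this commit) and the file it will look for (`goss/s-fog.yaml`, since `agoss` builds the path from `hostname`). Spelling: `réalier` → `réalisé`, `virtuel` → `virtuelle`, `avoir avoir` → `avoir`, `installer` → `installé`, `correcte` → `correct`.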
42
goss/r-ext.yaml
Normal file
@ -0,0 +1,42 @@
command:
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
ping -c 4 172.16.0.1:
exit-status: 0
stdout:
- 0% packet loss
stderr: []
timeout: 10000
ping -c 4 172.16.0.254:
exit-status: 0
stdout:
- 0% packet loss
stderr: []
timeout: 10000
ping -c 4 192.168.200.254:
exit-status: 0
stdout:
- 0% packet loss
stderr: []
timeout: 10000
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.13/24
enp0s8:
exists: true
addrs:
- 192.168.100.254/24
enp0s9:
exists: true
addrs:
- 192.168.0.38/24
enp0s16:
exists: true
addrs:
- 192.168.200.253/24
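Review bot: `enp0s9` is asserted to carry 192.168.0.38/24, but `confwireguard/r-ext/r-ext.ip` in this commit shows that interface as `dynamic` (DHCP, `valid_lft 77233sec`) holding 192.168.0.20, so this check fails or flakes whenever the lease changes; either assert only `exists: true` for the DHCP interface or give r-ext a reservation and document it. `enp0s10` (192.168.1.1/24, the link to r-vp1 that the agency route depends on) is not checked at all. The three ping checks are the right idea, but when a target is down `ping -c 4` runs for roughly 13 s and the 10 s `timeout` kills it, so goss reports a timeout rather than the packet loss; `ping -c 4 -W 1 ...` keeps the command inside the budget and the failure readable.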
35
goss/r-int.yaml
Normal file
@ -0,0 +1,35 @@
package:
isc-dhcp-server:
installed: true
service:
isc-dhcp-server:
enabled: true
running: true
command:
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.12/24
enp0s8:
exists: true
addrs:
- 192.168.200.254/24
enp0s9:
exists: true
addrs:
- 172.16.65.254/24
enp0s10:
exists: true
addrs:
- 172.16.64.254/24
enp0s16:
exists: true
addrs:
- 172.16.0.254/24
106
goss/r-vp1-cs.yaml
Normal file
@ -0,0 +1,106 @@
file:
/etc/ipsec.d/cacerts/strongswanCert.pem:
exists: true
mode: "0644"
size: 1834
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp1Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp2Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp1Key.pem:
exists: true
mode: "0600"
size: 1675
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp2Key.pem:
exists: true
mode: "0600"
size: 1679
owner: root
group: root
filetype: file
contains: []
package:
strongswan:
installed: true
versions:
- 5.2.1-6+deb8u2
service:
strongswan:
enabled: true
running: true
user:
strongswan:
exists: true
uid: 112
gid: 65534
groups:
- nogroup
home: /var/lib/strongswan
shell: /usr/sbin/nologin
command:
Associations:
exit-status: 127
stdout: []
stderr:
- 'sh: 1: Associations: not found'
timeout: 10000
ip r|grep default:
exit-status: 0
stdout:
- default via 192.168.1.1 dev enp0s9
stderr: []
timeout: 10000
ipsec listcacerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=Root CA"'
stderr: []
timeout: 10000
ipsec listcerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=r-vp1"'
- 'subject: "C=CH, O=GSB, CN=r-vp2"'
stderr: []
timeout: 10000
ipsec statusall|grep Security:
exit-status: 0
stdout:
- 'Security Associations (1 up, 0 connecting):'
stderr: []
timeout: 10000
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
interface:
enp0s8:
exists: true
addrs:
- 192.168.0.51/24
enp0s9:
exists: true
addrs:
- 192.168.1.2/24
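Review bot: The `file:` section asserts that `/etc/ipsec.d/private/r-vp2Key.pem` exists on r-vp1 (and `goss/r-vp2-cs.yaml` below asserts `r-vp1Key.pem` on r-vp2). Each gateway should hold only its own private key; if this test reflects the deployment, compromising either router yields both identities, so the playbook should stop copying the peer's key and this entry should become `exists: false`. The `Associations:` command is a leftover from a `goss add command` run on a string containing a space (`exit-status: 127`, `sh: 1: Associations: not found`) and asserts nothing useful; delete it, the real check is the `ipsec statusall|grep Security` entry. `versions: - 5.2.1-6+deb8u2` pins strongswan to the Debian 8 package, which fails on the Bullseye target described in the README and, where it did match, would hold back security updates; drop the pin. `uid: 112`, the `size:` values on the PEM files and `home:`/`shell:` are whatever the capture happened to see and break on any re-issuance or reinstall; keep `mode`, `owner` and `group` (0600/root on the private key is the check that matters) and drop the rest. Finally, `default via 192.168.1.1 dev enp0s9` and the `interface:` section disagree with `r-vp1.routes` and `r-vp1.ip` in this commit (no default route, 192.168.1.0/24 on enp0s8), so the file as committed cannot pass on that host.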
106
goss/r-vp1-old.yaml
Normal file
@ -0,0 +1,106 @@
file:
/etc/ipsec.d/cacerts/strongswanCert.pem:
exists: true
mode: "0644"
size: 1834
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp1Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp2Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp1Key.pem:
exists: true
mode: "0600"
size: 1675
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp2Key.pem:
exists: true
mode: "0600"
size: 1679
owner: root
group: root
filetype: file
contains: []
package:
strongswan:
installed: true
versions:
- 5.2.1-6+deb8u2
service:
strongswan:
enabled: true
running: true
user:
strongswan:
exists: true
uid: 112
gid: 65534
groups:
- nogroup
home: /var/lib/strongswan
shell: /usr/sbin/nologin
command:
Associations:
exit-status: 127
stdout: []
stderr:
- 'sh: 1: Associations: not found'
timeout: 10000
ip r|grep default:
exit-status: 0
stdout:
- default via 192.168.1.1 dev enp0s9
stderr: []
timeout: 10000
ipsec listcacerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=Root CA"'
stderr: []
timeout: 10000
ipsec listcerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=r-vp1"'
- 'subject: "C=CH, O=GSB, CN=r-vp2"'
stderr: []
timeout: 10000
ipsec statusall|grep Security:
exit-status: 0
stdout:
- 'Security Associations (1 up, 0 connecting):'
stderr: []
timeout: 10000
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
interface:
enp0s8:
exists: true
addrs:
- 192.168.0.51/24
enp0s9:
exists: true
addrs:
- 192.168.1.2/24
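Review bot: This file is byte for byte the same as `goss/r-vp1-cs.yaml` in this commit, so every problem in that file (the peer's private key asserted present, the broken `Associations:` entry, the Debian 8 version pin, the interface and default-route mismatch with `r-vp1.ip`) is duplicated here. Keep one copy; if `-old` is meant to be retired, move it under the `old/` directory the changelog mentions rather than leaving two live goss files whose only difference is the name.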
67
goss/r-vp1.yaml
Normal file
@ -0,0 +1,67 @@
package:
# ferm:
# installed: true
strongswan:
installed: true
port:
udp:68:
listening: true
service:
# dnsmasq:
# enabled: true
# running: true
strongswan:
enabled: true
running: true
ssh:
enabled: true
running: true
command:
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
command:
ping -c 4 192.168.0.52:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
command:
ping -c 4 192.168.1.1:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
command:
ping -c 4 192.168.200.254:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
command:
ping -c 4 172.16.0.1:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
#process:
# dnsmasq:
# running: true
# squid:
# running: true
interface:
enp0s8:
exists: true
addrs:
- 192.168.0.51/24
enp0s9:
exists: true
addrs:
- 192.168.1.2/24
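Review bot: The five `command:` blocks are separate top-level keys, i.e. a mapping with duplicate keys in YAML; depending on the parser goss uses that is a load error or only the last block (`ping -c 4 172.16.0.1`) survives and the other four commands, the `ip_forward` check included, never run. Put all five commands under one `command:` key. The ping checks cannot pass as written either: `stdout: - 4 received = 1` is matched as a substring of ping's output, which contains `4 received` but never `4 received = 1`; use `- 4 received` or `- 0% packet loss` as `goss/r-ext.yaml` does. `port: udp:68: listening: true` asserts a DHCP client socket on the VPN gateway, which `r-vp1.ip` (static addresses) does not support and is not a property of a VPN router; for the strongswan service checked just above, the ports to assert are `udp:500` and `udp:4500`. The commented `ferm`, `dnsmasq` and `squid` checks should be remov
ed or explained. The `interface:` section is swapped relative to `confwireguard/r-vp1/r-vp1.ip` (there enp0s8 is 192.168.1.2 and enp0s9 is 192.168.0.51).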
105
goss/r-vp2-cs.yaml
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
file:
|
||||||
|
/etc/ipsec.d/cacerts/strongswanCert.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0644"
|
||||||
|
size: 1834
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
/etc/ipsec.d/certs/r-vp1Cert.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0644"
|
||||||
|
size: 1509
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
/etc/ipsec.d/certs/r-vp2Cert.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0644"
|
||||||
|
size: 1509
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
/etc/ipsec.d/private/r-vp1Key.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0600"
|
||||||
|
size: 1675
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
/etc/ipsec.d/private/r-vp2Key.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0600"
|
||||||
|
size: 1679
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
package:
|
||||||
|
strongswan:
|
||||||
|
installed: true
|
||||||
|
versions:
|
||||||
|
- 5.2.1-6+deb8u2
|
||||||
|
service:
|
||||||
|
strongswan:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
user:
|
||||||
|
strongswan:
|
||||||
|
exists: true
|
||||||
|
gid: 65534
|
||||||
|
groups:
|
||||||
|
- nogroup
|
||||||
|
home: /var/lib/strongswan
|
||||||
|
shell: /usr/sbin/nologin
|
||||||
|
command:
|
||||||
|
Associations:
|
||||||
|
exit-status: 127
|
||||||
|
stdout: []
|
||||||
|
stderr:
|
||||||
|
- 'sh: 1: Associations: not found'
|
||||||
|
timeout: 10000
|
||||||
|
ip r|grep default:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- default via 192.168.99.99 dev enp0s3
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ipsec listcacerts|grep subject:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 'subject: "C=CH, O=GSB, CN=Root CA"'
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ipsec listcerts|grep subject:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 'subject: "C=CH, O=GSB, CN=r-vp2"'
|
||||||
|
- 'subject: "C=CH, O=GSB, CN=r-vp1"'
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ipsec statusall|grep Security:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 'Security Associations (1 up, 0 connecting):'
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
sysctl net.ipv4.ip_forward:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- net.ipv4.ip_forward = 1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
interface:
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.128.254/24
|
||||||
|
enp0s9:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.0.52/24
|
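Review bot: the `file:` block asserts that both `/etc/ipsec.d/private/r-vp1Key.pem` and `/etc/ipsec.d/private/r-vp2Key.pem` exist on r-vp2, so the test enforces that the peer's private key is copied onto this gateway; r-vp2 only needs its own key (the peer's certificate under `certs/` is enough to authenticate r-vp1), so drop the r-vp1Key.pem entry and make sure the playbook does not distribute it. Three smaller issues in the same file: the `Associations:` entry under `command:` asserts exit status 127 and `sh: 1: Associations: not found`, i.e. it pins the failure of a command that was split on whitespace (it is the tail of the `ipsec statusall|grep Security` check just below it) and should be deleted; `size:` is pinned for every certificate and key, so any re-issue breaks the test even when the content is right, so prefer `contains:` on the expected subject or drop `size:`; and `strongswan` is pinned to `5.2.1-6+deb8u2`, a Debian 8 (jessie) build that cannot match on a newer release, so either drop `versions:` or track the release this commit actually targets.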
105
goss/r-vp2-old.yaml
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
file:
|
||||||
|
/etc/ipsec.d/cacerts/strongswanCert.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0644"
|
||||||
|
size: 1834
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
/etc/ipsec.d/certs/r-vp1Cert.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0644"
|
||||||
|
size: 1509
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
/etc/ipsec.d/certs/r-vp2Cert.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0644"
|
||||||
|
size: 1509
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
/etc/ipsec.d/private/r-vp1Key.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0600"
|
||||||
|
size: 1675
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
/etc/ipsec.d/private/r-vp2Key.pem:
|
||||||
|
exists: true
|
||||||
|
mode: "0600"
|
||||||
|
size: 1679
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
package:
|
||||||
|
strongswan:
|
||||||
|
installed: true
|
||||||
|
versions:
|
||||||
|
- 5.2.1-6+deb8u2
|
||||||
|
service:
|
||||||
|
strongswan:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
user:
|
||||||
|
strongswan:
|
||||||
|
exists: true
|
||||||
|
gid: 65534
|
||||||
|
groups:
|
||||||
|
- nogroup
|
||||||
|
home: /var/lib/strongswan
|
||||||
|
shell: /usr/sbin/nologin
|
||||||
|
command:
|
||||||
|
Associations:
|
||||||
|
exit-status: 127
|
||||||
|
stdout: []
|
||||||
|
stderr:
|
||||||
|
- 'sh: 1: Associations: not found'
|
||||||
|
timeout: 10000
|
||||||
|
ip r|grep default:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- default via 192.168.99.99 dev enp0s3
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ipsec listcacerts|grep subject:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 'subject: "C=CH, O=GSB, CN=Root CA"'
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ipsec listcerts|grep subject:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 'subject: "C=CH, O=GSB, CN=r-vp2"'
|
||||||
|
- 'subject: "C=CH, O=GSB, CN=r-vp1"'
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ipsec statusall|grep Security:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 'Security Associations (1 up, 0 connecting):'
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
sysctl net.ipv4.ip_forward:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- net.ipv4.ip_forward = 1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
interface:
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.128.254/24
|
||||||
|
enp0s9:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.0.52/24
|
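Review bot: goss/r-vp2-old.yaml is byte-for-byte identical to goss/r-vp2-cs.yaml added in the same commit, and neither name is `r-vp2.yaml`, which is what `gsbchk` (also in this commit) loads from `$HOSTNAME.yaml`; keep one copy under the hostname the checker expects and remove the other, since git history already preserves old variants. Every remark on r-vp2-cs.yaml (peer private key under `private/`, the stray `Associations:` entry, pinned `size:` values and the jessie version string) applies here unchanged.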
67
goss/r-vp2goss.yaml
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
package:
|
||||||
|
ferm:
|
||||||
|
installed: true
|
||||||
|
ipsec:
|
||||||
|
installed: true
|
||||||
|
port:
|
||||||
|
tcp:53:
|
||||||
|
listening: true
|
||||||
|
udp:67:
|
||||||
|
listening: true
|
||||||
|
udp:68:
|
||||||
|
listening: true
|
||||||
|
service:
|
||||||
|
dnsmasq:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
ferm:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
ssh:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
command:
|
||||||
|
sysctl net.ipv4.ip_forward:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- net.ipv4.ip_forward = 1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
sysctl ping -c 4 192.168.0.51:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 4 received = 1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
sysctl ping -c 4 192.168.1.1:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 4 received = 1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
sysctl ping -c 4 192.168.200.254:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 4 received = 1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
sysctl ping -c 4 172.16.0.1:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 4 received = 1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
process:
|
||||||
|
dnsmasq:
|
||||||
|
running: true
|
||||||
|
squid3:
|
||||||
|
running: true
|
||||||
|
interface:
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.128.254/24
|
||||||
|
enp0s9:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.0.52/24
|
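Review bot: the four `sysctl ping -c 4 <address>:` entries under `command:` run `sysctl` with `ping`, `-c`, `4` and an address as its arguments, not `ping`, and the expected stdout `4 received = 1` is not a line ping ever prints, so these checks can never describe connectivity; use `ping -c 4 <address>` with `exit-status: 0` and a stdout pattern taken from ping's summary line, as s-agence.yaml in this commit does. Also under `package:`, `ipsec: installed: true` names a package that does not exist in Debian (the other r-vp2 files check `strongswan`), and `process: squid3:` will not match a squid process on a release that ships the `squid` package; reconcile this file with r-vp2-cs.yaml before keeping both.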
80
goss/s-adm.yaml
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
package:
|
||||||
|
dnsmasq:
|
||||||
|
installed: true
|
||||||
|
squid:
|
||||||
|
installed: true
|
||||||
|
addr:
|
||||||
|
tcp://depl.sio.lan:80:
|
||||||
|
reachable: true
|
||||||
|
timeout: 500
|
||||||
|
port:
|
||||||
|
tcp:53:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 0.0.0.0
|
||||||
|
tcp6:53:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
tcp6:8080:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
udp:53:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 0.0.0.0
|
||||||
|
udp:67:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 0.0.0.0
|
||||||
|
udp6:53:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
service:
|
||||||
|
dnsmasq:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
squid:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
ssh:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
user:
|
||||||
|
dnsmasq:
|
||||||
|
exists: true
|
||||||
|
uid: 109
|
||||||
|
gid: 65534
|
||||||
|
groups:
|
||||||
|
- nogroup
|
||||||
|
home: /var/lib/misc
|
||||||
|
shell: /usr/sbin/nologin
|
||||||
|
group:
|
||||||
|
ssh:
|
||||||
|
exists: true
|
||||||
|
gid: 111
|
||||||
|
command:
|
||||||
|
/sbin/sysctl net.ipv4.ip_forward:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- net.ipv4.ip_forward = 1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
dns:
|
||||||
|
depl.sio.lan:
|
||||||
|
resolveable: true
|
||||||
|
addrs:
|
||||||
|
- 10.121.38.10
|
||||||
|
timeout: 500
|
||||||
|
process:
|
||||||
|
dnsmasq:
|
||||||
|
running: true
|
||||||
|
squid:
|
||||||
|
running: true
|
||||||
|
interface:
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.99/24
|
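Review bot: `port:` pins dnsmasq to `0.0.0.0` on tcp/udp 53 and udp 67, and `/sbin/sysctl net.ipv4.ip_forward` is expected to be `1`, but the only interface checked is enp0s8 at 192.168.99.99/24; a deployment server that resolves names, hands out leases and forwards packets for the admin network should bind those listeners to 192.168.99.99 (`interface=enp0s8` plus `bind-interfaces` in dnsmasq, then `ip: [192.168.99.99]` here), and if forwarding is intentional because s-adm NATs for 192.168.99.0/24, the outbound interface belongs under `interface:` too; otherwise expect `= 0` as s-mon.yaml does. Two brittleness points: `user: dnsmasq: uid: 109` and `group: ssh: gid: 111` pin allocated numeric ids that change with package install order (keep `exists:`, drop the numbers), and `addr: tcp://depl.sio.lan:80` together with `dns: depl.sio.lan` resolving to `10.121.38.10` tie the test to one site's network, so document that or gate it behind a variable.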
39
goss/s-agence.yaml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
command:
|
||||||
|
ip r:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- default via 172.16.128.254 dev enp0s8
|
||||||
|
- 172.16.128.0/24
|
||||||
|
- 192.168.99.0/24
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ping -c 2 172.16.128.254:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 0% packet loss
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ping -c 2 192.168.1.2:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 0% packet loss
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ping -c 2 192.168.1.1:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 0% packet loss
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ping -c 2 192.168.200.254:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 0% packet loss
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ping -c 2 172.16.0.1:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 0% packet loss
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
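Review bot: every `ping -c 2 ...` entry expects stdout `0% packet loss`, but goss matches stdout patterns as substrings, and `50% packet loss` or `100% packet loss` also contain that string, so the pattern rejects nothing; match ` 0% packet loss` with its leading space or `2 received` instead, and keep `exit-status: 0` (ping exits non-zero only when no reply at all arrives, so partial loss passes it). The `ip r:` entry lists `172.16.128.0/24` and `192.168.99.0/24` as expected output, which by the same substring rule accepts any route line mentioning those prefixes; if the intent is to assert the connected networks, write the full `dev enp0sN` form as the default-route line already does. The file also has no `interface:` block, unlike the other hosts in this commit, so a wrong address on enp0s8 is only detected indirectly through the pings.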
35
goss/s-appli.yaml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
service:
|
||||||
|
mariadb:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
|
||||||
|
apache2:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
|
||||||
|
file:
|
||||||
|
/var/www/html/wordpress:
|
||||||
|
exists: true
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
filetype: directory
|
||||||
|
|
||||||
|
/var/www/html/wordpress-5.8.2-fr_FR.tar.gz:
|
||||||
|
exists: true
|
||||||
|
|
||||||
|
/var/www/html/wordpress/wp-config-sample.php:
|
||||||
|
exists: true
|
||||||
|
|
||||||
|
/etc/apache2/sites-enabled/000-default.conf:
|
||||||
|
exists: true
|
||||||
|
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.3/24
|
||||||
|
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.0.3/24
|
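Review bot: the `file:` block asserts that `/var/www/html/wordpress-5.8.2-fr_FR.tar.gz` exists, i.e. the test requires the installer archive to stay inside the Apache document root where anyone can download it; the playbook should remove that archive after unpacking (or unpack from outside the web root) and the check should become `exists: false`. Likewise `/var/www/html/wordpress/wp-config-sample.php` is checked but `wp-config.php`, the file that actually holds the database credentials, is not; add it with `exists: true`, `owner: www-data` and a restrictive `mode:` (0640 or tighter), and give the `/var/www/html/wordpress` directory a `mode:` as s-itil.yaml does for its web directories. Minor: `mariadb` is checked as a service but no `port:` entry confirms it listens only where intended.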
28
goss/s-fog.yaml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.16/24
|
||||||
|
interface:
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.0.16/24
|
||||||
|
interface:
|
||||||
|
enp0s9:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.64.16/24
|
||||||
|
command:
|
||||||
|
ping -c 4 192.168.99.99:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 0% packet loss
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
ping -c 4 google.fr:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 0% packet loss
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
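Review bot: `interface:` appears three times as a top-level key (for enp0s3, enp0s8 and enp0s9); a YAML mapping cannot repeat a key, so depending on the parser the file is either rejected or only the last block (enp0s9) is kept and the other two addresses go untested. Merge the three into one `interface:` mapping with three children, as every other goss file in this commit does. The `0% packet loss` substring issue noted on s-agence.yaml applies to both `ping` entries here, and `ping -c 4 google.fr` makes the test depend on external DNS and Internet reachability from the test host, which deserves a comment so a failure is read correctly.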
90
goss/s-infra.yaml
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
package:
|
||||||
|
bind9:
|
||||||
|
installed: true
|
||||||
|
lighttpd:
|
||||||
|
installed: true
|
||||||
|
addr:
|
||||||
|
tcp://192.168.99.99:8080:
|
||||||
|
reachable: true
|
||||||
|
timeout: 500
|
||||||
|
port:
|
||||||
|
tcp:80:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 0.0.0.0
|
||||||
|
tcp6:80:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
service:
|
||||||
|
bind9:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
lighttpd:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
command:
|
||||||
|
host 172.16.0.2:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan.
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
host 172.16.0.9:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 9.0.16.172.in-addr.arpa domain name pointer s-itil.gsb.lan.
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
host free.fr:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- free.fr has address 212.27.48.10
|
||||||
|
- free.fr has IPv6 address 2a01:e0c:1::1
|
||||||
|
- free.fr mail is handled by 10 mx1.free.fr.
|
||||||
|
- free.fr mail is handled by 20 mx2.free.fr.
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
host s-infra:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- s-infra.gsb.lan has address 172.16.0.1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
host s-infra.gsb.lan:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- s-infra.gsb.lan has address 172.16.0.1
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
host s-mon:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- s-mon.gsb.lan has address 172.16.0.8
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
host s-mon.gsb.lan:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- s-mon.gsb.lan has address 172.16.0.8
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
process:
|
||||||
|
lighttpd:
|
||||||
|
running: true
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.1/24
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.0.1/24
|
||||||
|
http:
|
||||||
|
http://localhost/wpad.dat:
|
||||||
|
status: 200
|
||||||
|
allow-insecure: false
|
||||||
|
no-follow-redirects: false
|
||||||
|
timeout: 5000
|
||||||
|
body: []
|
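Review bot: `host free.fr:` asserts the exact records `212.27.48.10`, `2a01:e0c:1::1`, `mx1.free.fr.` and `mx2.free.fr.`, which belong to a third party and will change without notice; keep `exit-status: 0` to prove external resolution works and drop the record values. The file checks `bind9` as package and service but never that it listens: add `port: tcp:53` / `udp:53` with `ip: [172.16.0.1]` (the enp0s8 address checked below) so the resolver is confirmed on the internal side rather than on the admin network, and since `lighttpd` on `tcp:80` is pinned to `0.0.0.0`, the same question applies to wpad.dat being served on 192.168.99.1. The local checks (`host s-infra`, `host s-mon` and the two reverse lookups) are the useful part of this file and are fine.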
36
goss/s-itil.yaml
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
file:
|
||||||
|
/var/www/html/glpi:
|
||||||
|
exists: true
|
||||||
|
mode: "0755"
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
filetype: directory
|
||||||
|
|
||||||
|
/var/www/html/ficlients:
|
||||||
|
exists: true
|
||||||
|
mode: "0775"
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
filetype: directory
|
||||||
|
|
||||||
|
/var/www/html/glpi/plugins:
|
||||||
|
exists: true
|
||||||
|
mode: "0777"
|
||||||
|
filetype: directory
|
||||||
|
|
||||||
|
/var/www/html/index.nginx-debian.html:
|
||||||
|
exists: true
|
||||||
|
mode: "0775"
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
filetype: file
|
||||||
|
|
||||||
|
service:
|
||||||
|
mariadb:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
|
||||||
|
nginx:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
|
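Review bot: `/var/www/html/glpi/plugins` is asserted with `mode: "0777"` and no owner, so the test enforces a world-writable directory inside the web root of the GLPI instance; any local account or compromised process can drop PHP there. Expect `mode: "0755"` with `owner: www-data` / `group: www-data` like the `glpi` directory above it, and apply the same to `/var/www/html/ficlients` (`0775`). `/var/www/html/index.nginx-debian.html` is the distribution's default page; asserting it is absent (`exists: false`) is more useful than pinning it at 0775. No `package:`, `port:` or `http:` entry exists for nginx or mariadb here, so a running service with no listener would go unnoticed; s-mon.yaml in this commit shows the `http:` form to copy.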
21
goss/s-lb-bd.yaml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
package:
|
||||||
|
mysql-server:
|
||||||
|
installed: true
|
||||||
|
versions:
|
||||||
|
- 5.5.54-0+deb8u1
|
||||||
|
command:
|
||||||
|
egrep "#bind-address" /etc/mysql/my.cnf:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- "#bind-address\t\t= 127.0.0.1"
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.13/24
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.102.50/24
|
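Review bot: the `command:` entry greps for `#bind-address\t\t= 127.0.0.1` in `/etc/mysql/my.cnf`, so the test requires the bind-address line to stay commented out, which makes MySQL listen on every interface including enp0s3 on the admin network (192.168.99.13); a database backend should listen only on the n-dmz-db address, so set `bind-address = 192.168.102.50`, grep for that uncommented line, and add `port: tcp:3306` with `ip: [192.168.102.50]`. `mysql-server` is pinned to `5.5.54-0+deb8u1`, a jessie build, so `versions:` fails on any newer release; drop it or track the targeted release.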
63
goss/s-lb-web1.yaml
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
package:
|
||||||
|
apache2:
|
||||||
|
installed: true
|
||||||
|
versions:
|
||||||
|
- 2.4.10-10+deb8u7
|
||||||
|
php5:
|
||||||
|
installed: true
|
||||||
|
versions:
|
||||||
|
- 5.6.29+dfsg-0+deb8u1
|
||||||
|
port:
|
||||||
|
tcp:22:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 0.0.0.0
|
||||||
|
tcp6:22:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
tcp6:80:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
service:
|
||||||
|
apache2:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
sshd:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
user:
|
||||||
|
sshd:
|
||||||
|
exists: true
|
||||||
|
uid: 105
|
||||||
|
gid: 65534
|
||||||
|
groups:
|
||||||
|
- nogroup
|
||||||
|
home: /var/run/sshd
|
||||||
|
shell: /usr/sbin/nologin
|
||||||
|
command:
|
||||||
|
egrep 192.168.102.14:/export/www /etc/fstab:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
process:
|
||||||
|
apache2:
|
||||||
|
running: true
|
||||||
|
sshd:
|
||||||
|
running: true
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.11/24
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.101.1/24
|
||||||
|
enp0s9:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.102.1/24
|
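Review bot: `versions:` pins `apache2` to `2.4.10-10+deb8u7` and `php5` to `5.6.29+dfsg-0+deb8u1`, both Debian 8 builds, and the `php5` package itself no longer exists on current Debian releases (the packages are `php` / `php7.x`), so on a newer release these two checks fail regardless of the host's state; drop the version strings and check the current PHP package name. Also pinned: `user: sshd: uid: 105`, an allocated id that varies between installs. The `port:` block asserts `tcp6:80` on `::`, which is what a dual-stack Apache reports; if the backend is later restricted to the n-dmz-lb address (192.168.101.1, the enp0s8 address checked below), which is the tighter configuration, this check breaks, so consider writing it as `tcp:80` with `ip: [192.168.101.1]` now.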
63
goss/s-lb-web2.yaml
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
package:
|
||||||
|
apache2:
|
||||||
|
installed: true
|
||||||
|
versions:
|
||||||
|
- 2.4.10-10+deb8u7
|
||||||
|
php5:
|
||||||
|
installed: true
|
||||||
|
versions:
|
||||||
|
- 5.6.29+dfsg-0+deb8u1
|
||||||
|
port:
|
||||||
|
tcp:22:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 0.0.0.0
|
||||||
|
tcp6:22:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
tcp6:80:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
service:
|
||||||
|
apache2:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
sshd:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
user:
|
||||||
|
sshd:
|
||||||
|
exists: true
|
||||||
|
uid: 105
|
||||||
|
gid: 65534
|
||||||
|
groups:
|
||||||
|
- nogroup
|
||||||
|
home: /var/run/sshd
|
||||||
|
shell: /usr/sbin/nologin
|
||||||
|
command:
|
||||||
|
egrep 192.168.102.14:/export/www /etc/fstab:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
process:
|
||||||
|
apache2:
|
||||||
|
running: true
|
||||||
|
sshd:
|
||||||
|
running: true
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.12/24
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.101.2/24
|
||||||
|
enp0s9:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.102.2/24
|
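Review bot: this file duplicates s-lb-web1.yaml line for line except the three `addrs:` values (192.168.99.12, 192.168.101.2, 192.168.102.2), so every point raised there (jessie `versions:` strings, the missing `php5` package, pinned `uid: 105`) applies, and the two will drift apart on the next edit. Move the shared `package:`, `port:`, `service:`, `user:`, `command:` and `process:` blocks into one file included through goss's `gossfile:` directive, and keep only the `interface:` block per host.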
28
goss/s-lb.yaml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
port:
|
||||||
|
tcp:80:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 192.168.100.11
|
||||||
|
service:
|
||||||
|
haproxy:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
sshd:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.100/24
|
||||||
|
mtu: 1500
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.100.11/24
|
||||||
|
mtu: 1500
|
||||||
|
enp0s9:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.101.254/24
|
||||||
|
mtu: 1500
|
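Review bot: compared with goss/s-lb.yaml.old in the same commit, this file drops the `package: haproxy`, `user:` / `group: haproxy`, `process:` and the three `egrep ... /etc/haproxy/haproxy.cfg` checks (`bind`, `mode http`, `balance roundrobin`), so it now only proves that a service named haproxy is active and that something listens on 192.168.100.11:80; at least the `process:` entry and the `bind` grep (updated to `192.168.100.11:80`, the address checked under enp0s8) are worth keeping. `sshd:` under `service:` differs from the `ssh:` unit name used by the other files in this commit, so the same daemon is reported under two names across hosts for no reason, and the three `mtu: 1500` assertions add no information unless a non-default MTU on n-dmz is a real concern.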
65
goss/s-lb.yaml.old
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
file:
|
||||||
|
/etc/haproxy/haproxy.cfg:
|
||||||
|
exists: true
|
||||||
|
mode: "0644"
|
||||||
|
size: 1518
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
package:
|
||||||
|
haproxy:
|
||||||
|
installed: true
|
||||||
|
port:
|
||||||
|
tcp:80:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 192.168.100.10
|
||||||
|
service:
|
||||||
|
haproxy:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
user:
|
||||||
|
haproxy:
|
||||||
|
exists: true
|
||||||
|
uid: 111
|
||||||
|
gid: 117
|
||||||
|
groups:
|
||||||
|
- haproxy
|
||||||
|
home: /var/lib/haproxy
|
||||||
|
shell: /bin/false
|
||||||
|
group:
|
||||||
|
haproxy:
|
||||||
|
exists: true
|
||||||
|
gid: 117
|
||||||
|
command:
|
||||||
|
egrep "balance\s+roundrobin" /etc/haproxy/haproxy.cfg:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- balance roundrobin
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
egrep "bind\s+192.168.100.10:80" /etc/haproxy/haproxy.cfg:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- bind 192.168.100.10:80
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
egrep "mode\s+http" /etc/haproxy/haproxy.cfg:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- "mode\thttp"
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
process:
|
||||||
|
haproxy:
|
||||||
|
running: true
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.10/24
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.100.10/24
|
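Review bot: a `.old` copy committed beside the live file is never loaded by `gsbchk` (which reads `$HOSTNAME.yaml`) and will mislead the next reader, while git already keeps the history; delete it after moving its stronger haproxy checks into s-lb.yaml (see the note on that file). Note the bind address here is `192.168.100.10` in both the `port:` entry and the `egrep "bind\s+192.168.100.10:80"` check, whereas s-lb.yaml expects `192.168.100.11`; whichever is right, one of the two files is stale. `size: 1518` on `/etc/haproxy/haproxy.cfg` breaks on any edit of the configuration and should go.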
62
goss/s-mon.yaml
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
file:
|
||||||
|
/etc/icinga/htpasswd.users:
|
||||||
|
exists: true
|
||||||
|
mode: "0644"
|
||||||
|
size: 26
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
filetype: file
|
||||||
|
contains: []
|
||||||
|
package:
|
||||||
|
apache2:
|
||||||
|
installed: true
|
||||||
|
nagios-snmp-plugins:
|
||||||
|
installed: true
|
||||||
|
icinga:
|
||||||
|
installed: true
|
||||||
|
snmp:
|
||||||
|
installed: true
|
||||||
|
port:
|
||||||
|
tcp6:80:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '::'
|
||||||
|
udp:514:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- 0.0.0.0
|
||||||
|
service:
|
||||||
|
apache2:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
icinga:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
command:
|
||||||
|
sysctl net.ipv4.ip_forward:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- net.ipv4.ip_forward = 0
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
process:
|
||||||
|
apache2:
|
||||||
|
running: true
|
||||||
|
icinga:
|
||||||
|
running: true
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.8/24
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.0.8/24
|
||||||
|
http:
|
||||||
|
http://localhost/icinga:
|
||||||
|
status: 401
|
||||||
|
allow-insecure: false
|
||||||
|
no-follow-redirects: false
|
||||||
|
timeout: 5000
|
||||||
|
body: []
|
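Review bot: `/etc/icinga/htpasswd.users` is asserted with `mode: "0644"` and `owner: root` / `group: root`, so the test locks in a world-readable file of web-UI password hashes; the file only needs to be readable by Apache, so expect `mode: "0640"` with `group: www-data` and adjust the playbook to match. `size: 26` pins the file at a single entry and breaks as soon as a user is added; drop it. `udp:514` bound to `0.0.0.0` means the syslog receiver also accepts messages on the admin interface enp0s3 (192.168.99.8); if only the 172.16.0.0/24 hosts are meant to log here, bind it to 172.16.0.8 and assert `ip: [172.16.0.8]`. The `http://localhost/icinga` check expecting `401` is a good one, since it proves authentication is enforced.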
30
goss/s-proxy.yaml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
package:
|
||||||
|
squid:
|
||||||
|
installed: true
|
||||||
|
port:
|
||||||
|
tcp:8080:
|
||||||
|
listening: true
|
||||||
|
ip:
|
||||||
|
- '0.0.0.0'
|
||||||
|
service:
|
||||||
|
squid:
|
||||||
|
enabled: true
|
||||||
|
running: true
|
||||||
|
command:
|
||||||
|
host 172.16.0.2:
|
||||||
|
exit-status: 0
|
||||||
|
stdout:
|
||||||
|
- 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan.
|
||||||
|
stderr: []
|
||||||
|
timeout: 10000
|
||||||
|
interface:
|
||||||
|
enp0s3:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 192.168.99.2/24
|
||||||
|
mtu: 1500
|
||||||
|
enp0s8:
|
||||||
|
exists: true
|
||||||
|
addrs:
|
||||||
|
- 172.16.0.2/24
|
||||||
|
mtu: 1500
|
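Review bot: `port: tcp:8080` is expected to listen on `'0.0.0.0'`, which exposes Squid on the admin interface enp0s3 (192.168.99.2) as well as on the internal 172.16.0.2; a proxy reachable from a management network is a classic pivot, so configure `http_port 172.16.0.2:8080` and assert `ip: [172.16.0.2]` here. There is also no `process:` check for squid and no `http:` entry exercising the proxy, and the `host 172.16.0.2` entry is copied from s-infra.yaml (same expected pointer line), which is fine but only tests s-infra's DNS, not this host.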
8
graylog-pont.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
connection: local
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- goss
|
||||||
|
- docker-graylog-pont
|
||||||
|
- post
|
14
gsbchk
Executable file
@ -0,0 +1,14 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
filename=/root/tools/ansible/gsb/goss/$HOSTNAME.yaml
|
||||||
|
|
||||||
|
if ! [ -e $filename ] ; then
|
||||||
|
echo gsbchk : erreur ouverture $filename
|
||||||
|
exit 1
|
||||||
|
|
||||||
|
fi
|
||||||
|
if [ $# == 1] ; then
|
||||||
|
goss -g $filename v
|
||||||
|
else
|
||||||
|
goss $*
|
||||||
|
fi
|
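Review bot: `if [ $# == 1] ; then` is missing the space before `]`, so bash reports `[: missing ']'` and the validate branch never runs; write `if [ "$#" -eq 1 ]; then`. The branch logic also looks inverted: with exactly one argument the script discards that argument and runs `goss -g $filename v`, while with zero arguments it runs `goss $*`, i.e. goss with no arguments and no `-g`, so presumably the test should be `-eq 0`, and the pass-through should be `goss -g "$filename" "$@"` so extra options still target the host's file. Quote `$filename` everywhere, and derive the goss directory from the script location (`$(dirname "$0")`) rather than hard-coding `/root/tools/ansible/gsb/goss`, so the checker keeps working when the repository is cloned under another name.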
179
gsbstart
Executable file
@ -0,0 +1,179 @@
|
|||||||
|
#!/usr/bin/perl
|
||||||
|
|
||||||
|
#use strict;
|
||||||
|
#use warnings;
|
||||||
|
#SCRIPT PERMETTANT DE METTRE LES INTERFACES APPROPRIEES POUR LA MACHINE ENTREE EN PARAMETRE ET DE LA DEMARRER
|
||||||
|
my %machines = (
|
||||||
|
's-infra' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
's-proxy' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
's-spec' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
's-mon' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
's-mess' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
's-itil' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
's-proxy' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
's-backup' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
's-appli' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-infra'
|
||||||
|
},
|
||||||
|
'r-int' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-link',
|
||||||
|
netif3 => 'n-wifi',
|
||||||
|
netif4 => 'n-user',
|
||||||
|
netif5 => 'n-infra'
|
||||||
|
},
|
||||||
|
'r-ext' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-dmz',
|
||||||
|
netif3 => 'enp0s3',
|
||||||
|
netif4 => 'n-linkv',
|
||||||
|
netif5 => 'n-link'
|
||||||
|
},
|
||||||
|
'r-vp2' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-agence',
|
||||||
|
netif3 => 'enp0s3'
|
||||||
|
},
|
||||||
|
'r-vp1' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'enp0s3',
|
||||||
|
netif3 => 'n-linkv'
|
||||||
|
},
|
||||||
|
's-lb' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-dmz',
|
||||||
|
netif3 => 'n-dmz-lb'
|
||||||
|
},
|
||||||
|
's-lb-bd' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-dmz-db'
|
||||||
|
|
||||||
|
},
|
||||||
|
's-lb-web1' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-dmz-lb',
|
||||||
|
netif3 => 'n-dmz-db'
|
||||||
|
},
|
||||||
|
's-lb-web2' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-dmz-lb',
|
||||||
|
netif3 => 'n-dmz-db'
|
||||||
|
},
|
||||||
|
's-nas' => {
|
||||||
|
netif1 => 'n-adm',
|
||||||
|
netif2 => 'n-dmz-db',
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
my ($net1, $net2, $net3, $net4, $net5);
|
||||||
|
|
||||||
|
my $machine = shift;
|
||||||
|
die "usage : gsbstart <machine>" unless ( $machine);
|
||||||
|
|
||||||
|
#print $machines { $machine } "\n";
|
||||||
|
if (%{$machines{$machine}}) {
|
||||||
|
# print $machines { $machine } {netif1}, "\n";
|
||||||
|
$net1 = $machines { $machine } {netif1};
|
||||||
|
$net2 = $machines { $machine } {netif2};
|
||||||
|
$net3 = $machines { $machine } {netif3};
|
||||||
|
$net4 = $machines { $machine } {netif4};
|
||||||
|
$net5 = $machines { $machine } {netif5};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
} else {
|
||||||
|
print "machine $machine inconnue\n";
|
||||||
|
}
|
||||||
|
#
|
||||||
|
|
||||||
|
my $ninfra = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"";
|
||||||
|
|
||||||
|
my $rint = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\"";
|
||||||
|
|
||||||
|
my $rext = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\"";
|
||||||
|
|
||||||
|
my $rvp2 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\n";
|
||||||
|
|
||||||
|
my $rvp1 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net2 ."\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n";
|
||||||
|
|
||||||
|
my $lb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 ". $net3."\n";
|
||||||
|
|
||||||
|
my $lbbd ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n";
|
||||||
|
|
||||||
|
my $lbweb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n";
|
||||||
|
|
||||||
|
my $snas ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n";
|
||||||
|
|
||||||
|
#print $routeur;
|
||||||
|
|
||||||
|
|
||||||
|
if ($machine eq "r-int") {
|
||||||
|
qx($rint);
|
||||||
|
print "la création des interfaces du routeur $machine a fonctionné!\n";
|
||||||
|
}else{
|
||||||
|
if ($machine eq "r-ext") {
|
||||||
|
qx($rext);
|
||||||
|
}else{
|
||||||
|
qx($ninfra);
|
||||||
|
print "la création des interfaces de $machine a fonctionné!\n";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if ($machine eq "r-vp2") {
|
||||||
|
qx($rvp2);
|
||||||
|
}
|
||||||
|
if ($machine eq "r-vp1") {
|
||||||
|
qx($rvp1);
|
||||||
|
}
|
||||||
|
if ($machine eq "s-lb"){
|
||||||
|
qx($lb);
|
||||||
|
}
|
||||||
|
if ($machine eq "s-lb-web1"){
|
||||||
|
qx($lbweb);
|
||||||
|
}
|
||||||
|
if ($machine eq "s-lb-web2"){
|
||||||
|
qx($lbweb);
|
||||||
|
}
|
||||||
|
if ($machine eq "s-lb-bd"){
|
||||||
|
qx($lbbd);
|
||||||
|
}
|
||||||
|
if ($machine eq "s-nas"){
|
||||||
|
qx($snas);
|
||||||
|
}
|
||||||
|
|
||||||
|
qx(VBoxManage startvm $machine);
|
||||||
|
|
||||||
|
|
||||||
|
|
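Review bot: `$machine` comes straight from the command line and is interpolated unquoted into every `VBoxManage modifyvm` string and into `qx(VBoxManage startvm $machine)`, and the unknown-machine branch only prints `machine $machine inconnue` and falls through, so an unrecognized name still reaches the shell via `qx($ninfra)` and `startvm` with every `$netN` undefined; make that branch `die` (or `exit 1`) and use the list form `system('VBoxManage', 'modifyvm', $machine, ...)` so names are never parsed by `sh`. Logic bugs visible in the command strings: `--bridgeadapter1` is used where the bridged NIC is `--nic3` (`$rext`, `$rvp2`) or `--nic2` (`$rvp1`); the adapter index must match the NIC index (`--bridgeadapter3` / `--bridgeadapter2`), otherwise the bridge is attached to NIC 1, the n-adm interface. The `%machines` hash defines `'s-proxy'` twice (the second definition wins silently), the `if/else` chain applies `$ninfra` to r-vp1, r-vp2, s-lb*, and s-nas before their specific block runs a second time, and `use strict` / `use warnings` are commented out, which is what would have flagged most of this. Also check `$?` after each `qx` before printing that the interface creation `a fonctionné`.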
28
gsbstartl
Executable file
@ -0,0 +1,28 @@
|
|||||||
|
#!/usr/bin/perl
|
||||||
|
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
|
||||||
|
while ($_ = shift @ARGV) {
|
||||||
|
if ($_ eq "-a"){
|
||||||
|
qx(./gsbstart s-infra);
|
||||||
|
qx(./gsbstart s-spec);
|
||||||
|
qx(./gsbstart s-proxy);
|
||||||
|
qx(./gsbstart s-mon);
|
||||||
|
qx(./gsbstart s-mess);
|
||||||
|
qx(./gsbstart s-itil);
|
||||||
|
qx(./gsbstart s-backup);
|
||||||
|
qx(./gsbstart s-appli);
|
||||||
|
qx(./gsbstart r-vp1);
|
||||||
|
qx(./gsbstart r-vp2);
|
||||||
|
qx(./gsbstart r-int);
|
||||||
|
qx(./gsbstart r-ext);
|
||||||
|
qx(./gsbstart s-lb);
|
||||||
|
qx(./gsbstart s-lb-web-1);
|
||||||
|
qx(./gsbstart s-lb-web-2);
|
||||||
|
qx(./gsbstart s-lb-bd);
|
||||||
|
|
||||||
|
}else{
|
||||||
|
qx(./gsbstart $_);
|
||||||
|
}
|
||||||
|
}
|
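Review bot: with `-a` the script calls `./gsbstart s-lb-web-1` and `./gsbstart s-lb-web-2`, but the `%machines` hash in gsbstart has the keys `s-lb-web1` and `s-lb-web2`, so those two VMs hit the `machine inconnue` branch; fix the names. `qx(./gsbstart ...)` depends on the current directory and throws away both output and exit status; use `system("$FindBin::Bin/gsbstart", $name)` (with `use FindBin;`) and report failures, and iterate over one list of names rather than sixteen copied lines so the list cannot drift from gsbstart again (s-nas, present in gsbstart, is already missing here).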
14
lisezmoi.txt
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
lisezmoi.txt
|
||||||
|
------------
|
||||||
|
|
||||||
|
Ce document décrit les divers élements du projet GSB du BTS SIO utilisé pour l'Epreuve E4
|
||||||
|
|
||||||
|
|
||||||
|
Le projet GSB décrit les diférents playbooks permttant d'installer les
|
||||||
|
machines du projet GSB
|
||||||
|
|
||||||
|
Les répertoires :
|
||||||
|
|
||||||
|
- roles : les roles
|
||||||
|
- goss : les outils de test
|
||||||
|
|
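Review bot: the text carries three typos (`élements`, `diférents`, `permttant`) and lists only `roles` and `goss` under the directories, while this commit also adds a `pre/` directory (pre/Vagrantfile-s-adm) and the top-level scripts `gsbchk`, `gsbstart`, `gsbstartl` and the `ping-*.sh` helpers; either describe them here or point to README.md so there is one place to maintain.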
14
ping-agence.sh
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
ping -c3 172.16.128.254
|
||||||
|
|
||||||
|
ping -c3 192.168.1.2
|
||||||
|
|
||||||
|
ping -c3 192.168.1.1
|
||||||
|
|
||||||
|
ping -c3 192.168.200.253
|
||||||
|
|
||||||
|
ping -c3 192.168.200.254
|
||||||
|
|
||||||
|
ping -c3 172.16.0.254
|
||||||
|
|
||||||
|
ping -c3 172.16.0.1
|
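Review bot: each `ping -c3` runs in sequence and its exit status is ignored, so the script always ends successfully and the reader has to eyeball seven summaries; wrap the addresses in a loop that prints OK/FAIL per target and exits non-zero if any target is unreachable (`ping -c3 -W1 "$ip" >/dev/null && echo "OK $ip" || { echo "FAIL $ip"; rc=1; }`). The file is committed as `Normal file` while ping-rext.sh is `Executable file`; set the executable bit consistently across the four ping scripts.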
14
ping-rext.sh
Executable file
@ -0,0 +1,14 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
ping -c3 172.16.0.1
|
||||||
|
|
||||||
|
ping -c3 172.16.0.254
|
||||||
|
|
||||||
|
ping -c3 192.168.200.254
|
||||||
|
|
||||||
|
ping -c3 192.168.1.1
|
||||||
|
|
||||||
|
ping -c3 192.168.1.2
|
||||||
|
|
||||||
|
ping -c3 172.16.128.254
|
||||||
|
|
||||||
|
ping -c3 172.16.128.10
|
12
ping-rint.sh
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
ping -c3 172.16.0.1
|
||||||
|
|
||||||
|
ping -c3 192.168.200.253
|
||||||
|
|
||||||
|
ping -c3 192.168.1.1
|
||||||
|
|
||||||
|
ping -c3 192.168.1.2
|
||||||
|
|
||||||
|
ping -c3 172.16.128.254
|
||||||
|
|
||||||
|
ping -c3 172.16.128.10
|
14
ping-sinfra.sh
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
ping -c3 172.16.0.254
|
||||||
|
|
||||||
|
ping -c3 192.168.200.254
|
||||||
|
|
||||||
|
ping -c3 192.168.200.253
|
||||||
|
|
||||||
|
ping -c3 192.168.1.1
|
||||||
|
|
||||||
|
ping -c3 192.168.1.2
|
||||||
|
|
||||||
|
ping -c3 172.16.125.254
|
||||||
|
|
||||||
|
ping -c3 172.16.128.10
|
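Review bot: `ping -c3 172.16.125.254` looks like a typo: every other ping script targets `172.16.128.254`, and `r-vp1.yml` defines the remote network as `remnet: 172.16.128.0`. Unless 172.16.125.0/24 is a real segment of the addressing plan, this check will always fail; correct it to `172.16.128.254`.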
77
pre/Vagrantfile-s-adm
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
# -*- mode: ruby -*-
|
||||||
|
# vi: set ft=ruby :
|
||||||
|
|
||||||
|
# All Vagrant configuration is done below. The "2" in Vagrant.configure
|
||||||
|
# configures the configuration version (we support older styles for
|
||||||
|
# backwards compatibility). Please don't change it unless you know what
|
||||||
|
# you're doing.
|
||||||
|
Vagrant.configure("2") do |config|
|
||||||
|
# The most common configuration options are documented and commented below.
|
||||||
|
# For a complete reference, please see the online documentation at
|
||||||
|
# https://docs.vagrantup.com.
|
||||||
|
|
||||||
|
# Every Vagrant development environment requires a box. You can search for
|
||||||
|
# boxes at https://vagrantcloud.com/search.
|
||||||
|
config.vm.box = "debian/buster64"
|
||||||
|
config.vm.hostname = "s-adm"
|
||||||
|
config.vm.define "s-adm"
|
||||||
|
config.vm.provider :virtualbox do |vb|
|
||||||
|
vb.name = "s-adm"
|
||||||
|
end
|
||||||
|
# Disable automatic box update checking. If you disable this, then
|
||||||
|
# boxes will only be checked for updates when the user runs
|
||||||
|
# `vagrant box outdated`. This is not recommended.
|
||||||
|
# config.vm.box_check_update = false
|
||||||
|
|
||||||
|
# Create a forwarded port mapping which allows access to a specific port
|
||||||
|
# within the machine from a port on the host machine. In the example below,
|
||||||
|
# accessing "localhost:8080" will access port 80 on the guest machine.
|
||||||
|
# NOTE: This will enable public access to the opened port
|
||||||
|
# config.vm.network "forwarded_port", guest: 80, host: 8080
|
||||||
|
|
||||||
|
# Create a forwarded port mapping which allows access to a specific port
|
||||||
|
# within the machine from a port on the host machine and only allow access
|
||||||
|
# via 127.0.0.1 to disable public access
|
||||||
|
# config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
|
||||||
|
|
||||||
|
# Create a private network, which allows host-only access to the machine
|
||||||
|
# using a specific IP.
|
||||||
|
config.vm.network "public_network", ip: "192.168.1.91"
|
||||||
|
config.vm.network "private_network", ip: "192.168.99.99"
|
||||||
|
|
||||||
|
# Create a public network, which generally matched to bridged network.
|
||||||
|
# Bridged networks make the machine appear as another physical device on
|
||||||
|
# your network.
|
||||||
|
# config.vm.network "public_network"
|
||||||
|
|
||||||
|
# Share an additional folder to the guest VM. The first argument is
|
||||||
|
# the path on the host to the actual folder. The second argument is
|
||||||
|
# the path on the guest to mount the folder. And the optional third
|
||||||
|
# argument is a set of non-required options.
|
||||||
|
# config.vm.synced_folder "../data", "/vagrant_data"
|
||||||
|
|
||||||
|
# Provider-specific configuration so you can fine-tune various
|
||||||
|
# backing providers for Vagrant. These expose provider-specific options.
|
||||||
|
# Example for VirtualBox:
|
||||||
|
#
|
||||||
|
# config.vm.provider "virtualbox" do |vb|
|
||||||
|
# # Display the VirtualBox GUI when booting the machine
|
||||||
|
# vb.gui = true
|
||||||
|
#
|
||||||
|
# # Customize the amount of memory on the VM:
|
||||||
|
# vb.memory = "1024"
|
||||||
|
# end
|
||||||
|
#
|
||||||
|
# View the documentation for the provider you are using for more
|
||||||
|
# information on available options.
|
||||||
|
|
||||||
|
# Enable provisioning with a shell script. Additional provisioners such as
|
||||||
|
# Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
|
||||||
|
# documentation for more information about their specific syntax and use.
|
||||||
|
config.vm.provision "shell", inline: <<-SHELL
|
||||||
|
apt-get update
|
||||||
|
apt-get upgrade
|
||||||
|
apt-get install -y vim wget curl
|
||||||
|
# apt-get install -y apache2
|
||||||
|
SHELL
|
||||||
|
end
|
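Review bot: the inline provisioner runs `apt-get upgrade` without `-y`, so under a non-interactive `vagrant up` it will prompt and abort (or hang) before `apt-get install -y vim wget curl` runs; use `DEBIAN_FRONTEND=noninteractive apt-get upgrade -y`. The box is `debian/buster64` while the rest of this commit targets bullseye (`roles/base/files/sources.list.Debian`), so the Vagrant s-adm will not match the OVA-based machines. Also the comment "Create a private network, which allows host-only access" sits above `config.vm.network "public_network", ip: "192.168.1.91"`, which is a bridged interface with a static address; fix the comment or the network type so the intent is clear.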
54
pre/gsbboot
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
version="1.8"
|
||||||
|
__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||||
|
__file="${__dir}/$(basename "${BASH_SOURCE[0]}")"
|
||||||
|
__base="$(basename ${__file})"
|
||||||
|
__root="$(cd "$(dirname "${__dir}")" && pwd)"
|
||||||
|
echo "dir : ${__dir}"
|
||||||
|
echo "file : ${__file}"
|
||||||
|
echo "base : ${__base}"
|
||||||
|
echo "root : ${__root}"
|
||||||
|
|
||||||
|
# version 1.8
|
||||||
|
# install git si besoin
|
||||||
|
# install ansible si besoin + backports si wheezy
|
||||||
|
|
||||||
|
readonly base=/root/tools/ansible
|
||||||
|
readonly slist=/etc/apt/sources.list
|
||||||
|
readonly host=depl
|
||||||
|
if [[ -z ${DEPL+x} ]]; then
|
||||||
|
echo "erreur : DEPL indefini"
|
||||||
|
echo " DEPL : adresse serveur deploiement"
|
||||||
|
echo "export DEPL=xyzt ; ./$0"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
hostf="${host}.local"
|
||||||
|
prj=gsb2022
|
||||||
|
APT=apt
|
||||||
|
|
||||||
|
which git >> /dev/null
|
||||||
|
if [[ $? != 0 ]]; then
|
||||||
|
${APT} update
|
||||||
|
echo "installation de git ..."
|
||||||
|
${APT} install -y git-core
|
||||||
|
fi
|
||||||
|
${APT} update
|
||||||
|
${APT} upgrade -y
|
||||||
|
|
||||||
|
which ansible >> /dev/null
|
||||||
|
if [[ $? != 0 ]]; then
|
||||||
|
echo "installation de ansible ..."
|
||||||
|
${APT} install -y ansible
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -e "${base}" ] || mkdir -p "${base}"
|
||||||
|
|
||||||
|
grep "${hostf}" /etc/hosts > /dev/null || echo "${DEPL} ${hostf} ${host}" >> /etc/hosts
|
||||||
|
cd "${base}"
|
||||||
|
|
||||||
|
cp ${prj}/pull-config ${base}
|
||||||
|
|
||||||
|
#echo "N'oubliez pasz d'indiquer l'adresse DEPL dans '/root/tools/ansible/pull-config'"
|
||||||
|
echo "Vous pouvez lancer 'bash pull-config' depuis ${base} ..."
|
||||||
|
|
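Review bot: `prj=gsb2022` does not match the repository this file ships in, and because the script never sets `set -e`, `cp ${prj}/pull-config ${base}` fails silently when the clone directory is named `gsb2023`; the user is then told to run `bash pull-config` from a directory where it does not exist. Derive the project directory from the script's own location (`__root` is already computed but unused) instead of hard-coding it. Two smaller points: `${DEPL}` is written straight into `/etc/hosts` without any check that it looks like an address, so a typo in `export DEPL=...` poisons name resolution for `depl`; and `git-core` is a transitional package, `${APT} install -y git` is the current name. Prefer `command -v git >/dev/null` over `which git >> /dev/null`.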
93
pre/inst-depl
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
## ps : 2021-04-01 15:25
|
||||||
|
|
||||||
|
set -o errexit
|
||||||
|
set -o pipefail
|
||||||
|
GITUSR=gitgsb
|
||||||
|
GITPRJ=gsb2022
|
||||||
|
apt update && apt upgrade
|
||||||
|
apt install -y apache2 git
|
||||||
|
STOREREP="/var/www/html/gsbstore"
|
||||||
|
|
||||||
|
GLPIREL=9.5.6
|
||||||
|
str="wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz"
|
||||||
|
|
||||||
|
FIREL=9.5
|
||||||
|
str2="https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5%2B3.0/fusioninventory-9.5+3.0.tar.bz2"
|
||||||
|
|
||||||
|
FIAGREL=2.6
|
||||||
|
str31="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe"
|
||||||
|
|
||||||
|
str32="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe"
|
||||||
|
|
||||||
|
FOGREL=1.5.9
|
||||||
|
str4="wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz"
|
||||||
|
|
||||||
|
WPREL=5.8.2
|
||||||
|
str5="wget -nc https://fr.wordpress.org/wordpress-${WPREL}-fr_FR.tar.gz"
|
||||||
|
|
||||||
|
GOSSVER=v0.3.16
|
||||||
|
str6="curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss"
|
||||||
|
|
||||||
|
DOCKERREL=1.29.2
|
||||||
|
str7="curl -L https://github.com/docker/compose/releases/download/${DOCKERREL}/docker-compose-$(uname -s)-$(uname -m) -o docker-compose"
|
||||||
|
|
||||||
|
GESTSUPREL=3.2.15
|
||||||
|
str8="wget -nc https://gestsup.fr/downloads/versions/current/version/gestsup_${GESTSUPREL}.zip"
|
||||||
|
|
||||||
|
ELKREL=7.16.3
|
||||||
|
str81="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-amd64.deb"
|
||||||
|
|
||||||
|
str82="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-windows-x86_64.zip"
|
||||||
|
|
||||||
|
str83="wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-windows-x86_64.zip"
|
||||||
|
|
||||||
|
str84="wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-amd64.deb"
|
||||||
|
|
||||||
|
|
||||||
|
[[ -d "${STOREREP}" ]]|| mkdir "${STOREREP}"
|
||||||
|
|
||||||
|
(cat <<EOT > "${STOREREP}/getall"
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
${str}
|
||||||
|
|
||||||
|
${str2}
|
||||||
|
|
||||||
|
${str31}
|
||||||
|
|
||||||
|
${str32}
|
||||||
|
|
||||||
|
${str4}
|
||||||
|
|
||||||
|
${str5}
|
||||||
|
|
||||||
|
${str6}
|
||||||
|
|
||||||
|
chmod +x ./goss
|
||||||
|
|
||||||
|
curl -L https://get.docker.com -o getdocker.sh
|
||||||
|
|
||||||
|
chmod +x ./getdocker.sh
|
||||||
|
|
||||||
|
${str7}
|
||||||
|
|
||||||
|
chmod +x ./docker-compose
|
||||||
|
|
||||||
|
|
||||||
|
wget -nc https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
|
||||||
|
|
||||||
|
chmod +x ./mkcert
|
||||||
|
|
||||||
|
${str8}
|
||||||
|
|
||||||
|
${str81}
|
||||||
|
${str82}
|
||||||
|
${str83}
|
||||||
|
${str84}
|
||||||
|
|
||||||
|
EOT
|
||||||
|
)
|
||||||
|
|
||||||
|
cat "${STOREREP}/getall"
|
||||||
|
|
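Review bot: `str2` is missing its `wget -nc` prefix, so the generated `getall` will try to execute `https://github.com/fusioninventory/...tar.bz2` as a command and the FusionInventory plugin is never downloaded; `str81` to `str84` use plain `wget` without `-nc`, so re-running `getall` produces `filebeat-...deb.1` duplicates. With `set -o errexit` in effect, `apt update && apt upgrade` without `-y` will prompt interactively and can abort the whole script. From a supply-chain standpoint, `goss`, `docker-compose`, `mkcert` and `getdocker.sh` are fetched and made executable with no integrity check; pin the expected `sha256sum` of each release artefact in the script and verify after download (`echo "<sha256>  goss" | sha256sum -c`), since these binaries are later served to every machine from `gsbstore`. `GITUSR`, `GITPRJ` and `FIREL` are assigned but unused.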
48
pre/inst-depl.old
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
set -o errexit
|
||||||
|
set -o pipefail
|
||||||
|
GITUSR=gitgsb
|
||||||
|
GITPRJ=gsb
|
||||||
|
apt update && apt upgrade
|
||||||
|
apt install -y apache2 git
|
||||||
|
getent passwd "${GITUSR}" >> /dev/null
|
||||||
|
if [[ $? != 0 ]]; then
|
||||||
|
echo "creation utilisateur "${GITUSR}" ..."
|
||||||
|
/sbin/useradd -m -d /home/"${GITUSR}" -s /bin/bash "${GITUSR}"
|
||||||
|
echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd
|
||||||
|
else
|
||||||
|
echo "utilisateur "${GITUSR}" existant..."
|
||||||
|
fi
|
||||||
|
su -c "git init --share --bare /home/${GITUSR}/${GITPRJ}.git" "${GITUSR}"
|
||||||
|
su -c "cd ${GITPRJ}.git/.git/hooks && mv post-update.sample post-update" "${GITUSR}"
|
||||||
|
[[ -h /var/www/html/"${GITPRJ}".git ]]|| ln -s /home/"${GITUSR}"/"${GITPRJ}".git /var/www/html/"${GITPRJ}".git
|
||||||
|
[[ -d /var/www/html/gsbstore ]]|| mkdir /var/www/html/gsbstore
|
||||||
|
|
||||||
|
(cat <<EOT > /var/www/html/gsbstore/getall
|
||||||
|
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -o errexit
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
|
GLPIREL=9.4.5
|
||||||
|
wget -nc https://github.com/glpi-project/glpi/releases/download/\${GLPIREL}/glpi-\${GLPIREL}.tgz
|
||||||
|
|
||||||
|
FIREL=9.4+2.4
|
||||||
|
wget -nc -O fusioninventory-glpi\${FIREL}.tag.gz https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi\${FIREL}.tar.gz
|
||||||
|
#https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi9.4+2.4.tar.g
|
||||||
|
|
||||||
|
FIAGREL=2.5.2
|
||||||
|
wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\${FIAGREL}/fusioninventory-agent_windows-x64_\${FIAGREL}.exe
|
||||||
|
|
||||||
|
wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\$FIAGREL/fusioninventory-agent_windows-x86_\${FIAGREL}.exe
|
||||||
|
|
||||||
|
FOGREL=1.5.7
|
||||||
|
wget -nc https://github.com/FOGProject/fogproject/archive/\${FOGREL}.tar.gz -O fogproject-\${FOGREL}.tar.gz
|
||||||
|
|
||||||
|
wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
|
||||||
|
|
||||||
|
EOT
|
||||||
|
)
|
||||||
|
cat /var/www/html/gsbstore/getall
|
||||||
|
|
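Review bot: this `.old` file should not be committed alongside `inst-depl`; if it is kept for reference, note that it has several defects: `git init --share` should be `--shared`, a bare repository has its hooks in `${GITPRJ}.git/hooks` rather than `${GITPRJ}.git/.git/hooks`, and `echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd` sets the account password equal to the user name. Also, with `set -o errexit`, the `getent passwd "${GITUSR}"` line terminates the script before `if [[ $? != 0 ]]` can run when the user does not exist. Prefer `git rm pre/inst-depl.old`.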
16
pre/pull-config
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ -z ${UREP+x} ]; then
|
||||||
|
UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git
|
||||||
|
fi
|
||||||
|
|
||||||
|
dir=/root/tools/ansible
|
||||||
|
|
||||||
|
[ -e "${dir}" ] || mkdir -p "${dir}"
|
||||||
|
|
||||||
|
cd "${dir}" || exit 1
|
||||||
|
|
||||||
|
hostname > hosts
|
||||||
|
ansible-pull -i "${dir}/hosts" -U "${UREP}"
|
||||||
|
|
||||||
|
exit 0
|
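Review bot: the default `UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git` points at last year's repository, and `ansible-pull -i "${dir}/hosts" -U "${UREP}"` pins no branch, tag or commit, so every machine applies whatever is at the remote's default HEAD at the time it runs. Add `-C <tag-or-branch>` (the `--checkout` option of `ansible-pull`) so deployments are reproducible, and let the `ansible-pull` exit status propagate instead of the unconditional `exit 0`, which hides a failed run from the caller. This file is byte-for-byte identical to the top-level `pull-config`, which is the copy `gsbboot` actually installs; keep a single copy.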
16
pull-config
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ -z ${UREP+x} ]; then
|
||||||
|
UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git
|
||||||
|
fi
|
||||||
|
|
||||||
|
dir=/root/tools/ansible
|
||||||
|
|
||||||
|
[ -e "${dir}" ] || mkdir -p "${dir}"
|
||||||
|
|
||||||
|
cd "${dir}" || exit 1
|
||||||
|
|
||||||
|
hostname > hosts
|
||||||
|
ansible-pull -i "${dir}/hosts" -U "${UREP}"
|
||||||
|
|
||||||
|
exit 0
|
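Review bot: same remarks as for `pre/pull-config`, of which this is an identical copy: the default `UREP` targets `gsb2022.git`, `ansible-pull` runs without `-C` to pin a branch or tag, and `exit 0` masks a failed pull. Since `gsbboot` copies this top-level file into `/root/tools/ansible`, this is the copy to keep; drop the duplicate under `pre/`.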
12
r-ext.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
connection: local
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- base
|
||||||
|
- goss
|
||||||
|
- r-ext
|
||||||
|
- snmp-agent
|
||||||
|
- ssh-cli
|
||||||
|
- syslog-cli
|
||||||
|
- post
|
13
r-int.yml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
connection: local
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- base
|
||||||
|
- goss
|
||||||
|
- r-int
|
||||||
|
- ssh-cli
|
||||||
|
- syslog-cli
|
||||||
|
- dhcp
|
||||||
|
- snmp-agent
|
||||||
|
- post
|
20
r-vp1.yml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
connection: local
|
||||||
|
|
||||||
|
vars:
|
||||||
|
- ip1: 192.168.0.51
|
||||||
|
- remip: 192.168.0.52
|
||||||
|
- mynet: 192.168.1.0
|
||||||
|
- remnet: 172.16.128.0
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- base
|
||||||
|
- goss
|
||||||
|
# - snmp-agent
|
||||||
|
# - firewall-vpn-r
|
||||||
|
- wireguard-r
|
||||||
|
# - x509-r
|
||||||
|
- ssh-cli
|
||||||
|
- syslog-cli
|
||||||
|
- post
|
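Review bot: `vars:` is written as a list of single-key mappings (`- ip1: 192.168.0.51`); Ansible accepts this legacy form but warns about it, and the dictionary form (`vars:` followed by `ip1: 192.168.0.51`, one key per line) is what current releases expect. More importantly, `# - firewall-vpn-r` and `# - x509-r` are commented out, so the WireGuard router is deployed with no packet filtering on its public interface; if that is deliberate for this stage, say so in the playbook, otherwise re-enable the firewall role before `wireguard-r`.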
23
r-vp2.yml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
connection: local
|
||||||
|
|
||||||
|
vars:
|
||||||
|
- ip1: 192.168.0.52
|
||||||
|
- remip: 192.168.0.51
|
||||||
|
- mynet: 172.16.128.0
|
||||||
|
- remnet: 192.168.1.0
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- base
|
||||||
|
- goss
|
||||||
|
- dhcp-ag
|
||||||
|
- dns-agence
|
||||||
|
- ssh-root-access
|
||||||
|
# - snmp-agent
|
||||||
|
# - firewall-vpn-l
|
||||||
|
- wireguard-l
|
||||||
|
# - x509-l
|
||||||
|
- ssh-cli
|
||||||
|
- syslog-cli
|
||||||
|
- post
|
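Review bot: `ssh-root-access` is applied to a router with a public-side address (`ip1: 192.168.0.52`) while `# - firewall-vpn-l` is commented out, so root login over SSH is enabled on an unfiltered VPN endpoint. Restrict root SSH to key-based authentication on the administration interface only, or drop the role and use `ssh-cli` with sudo. The same `vars:` list-form remark as on `r-vp1.yml` applies.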
6
roles/apache2/handlers/main.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: restart apache2
|
||||||
|
service: name=apache2 state=restarted
|
||||||
|
|
||||||
|
- name: restart mysql-server
|
||||||
|
service: name=mysql-server state=restarted
|
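Review bot: `service: name=mysql-server state=restarted` names the package, not the unit; on Debian with MariaDB the service is `mariadb` (alias `mysql`), so this handler fails whenever it is notified. Change it to `service: name=mariadb state=restarted` and rename the handler accordingly.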
14
roles/apache2/tasks/main.yml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
- name: Update apt cache
|
||||||
|
apt: update_cache=yes cache_valid_time=3600
|
||||||
|
|
||||||
|
- name: Install required software
|
||||||
|
apt: name={{ item }} state=present
|
||||||
|
with_items:
|
||||||
|
- apache2
|
||||||
|
- mariadb-server
|
||||||
|
- php-mysql
|
||||||
|
- php
|
||||||
|
- libapache2-mod-php
|
||||||
|
- php-mcrypt
|
||||||
|
- python-mysqldb
|
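Review bot: `php-mcrypt` and `python-mysqldb` do not exist on bullseye (the mcrypt extension was dropped from PHP core, and the Python 2 bindings are gone), so this task fails on the target release; use `python3-mysqldb` as `roles/appli/tasks/main.yml` already does and remove `php-mcrypt`. Also, `apt: name={{ item }} state=present` with `with_items` installs packages one by one; pass the list directly to `name:` so apt resolves them in a single transaction.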
4
roles/appli/README.md
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
## Fonctionnement du rôle appli
|
||||||
|
|
||||||
|
Ce rôle permet de créer un serveur wordpress avec MariaDB et apache.
|
||||||
|
Ce rôle permet aussi de créer la base de donnée nécessaire pour wordpress.
|
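Review bot: "base de donnée" should read "base de données", and the product names are usually written "WordPress" and "Apache". The README could also state that the role hard-codes the database credentials in `tasks/main.yml`, since anyone deploying it needs to override them.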
4
roles/appli/handlers/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
- name: restart apache
|
||||||
|
service: name=apache2 state=restarted
|
||||||
|
become: yes
|
72
roles/appli/tasks/main.yml
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
|
||||||
|
---
|
||||||
|
- name: Installation des packets
|
||||||
|
apt:
|
||||||
|
state: present
|
||||||
|
name:
|
||||||
|
- php
|
||||||
|
- php-fpm
|
||||||
|
- php-mbstring
|
||||||
|
- php-ssh2
|
||||||
|
- php-gd
|
||||||
|
- php-mysql
|
||||||
|
- python3-mysqldb
|
||||||
|
- libapache2-mod-php
|
||||||
|
- mariadb-server
|
||||||
|
- apache2
|
||||||
|
- python3
|
||||||
|
|
||||||
|
- name: Création du répertoire pour wordpress
|
||||||
|
file:
|
||||||
|
path: /var/www/html/wordpress
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Téléchargement de wordpress
|
||||||
|
get_url:
|
||||||
|
url: http://s-adm.gsb.adm/gsbstore/wordpress-5.8.2-fr_FR.tar.gz
|
||||||
|
dest: /var/www/html
|
||||||
|
|
||||||
|
- name: Extraction du fichier wordpress
|
||||||
|
unarchive:
|
||||||
|
src: /var/www/html/wordpress-5.8.2-fr_FR.tar.gz
|
||||||
|
dest: /var/www/html
|
||||||
|
|
||||||
|
- name: Fix permissions owner
|
||||||
|
shell: chown -R www-data /var/www/html/wordpress
|
||||||
|
|
||||||
|
- name: Fix permissions groups
|
||||||
|
shell: chgrp -R www-data /var/www/html/wordpress
|
||||||
|
|
||||||
|
- name: Mettre à jour le site Apache par défaut
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/apache2/sites-enabled/000-default.conf
|
||||||
|
regexp: "(.)+DocumentRoot /var/www/html"
|
||||||
|
line: "DocumentRoot /var/www/html/wordpress"
|
||||||
|
|
||||||
|
- name: restart apache2
|
||||||
|
service:
|
||||||
|
name: apache2
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: Mettre à jour le fichier de configuration WordPress
|
||||||
|
lineinfile:
|
||||||
|
dest: /var/www/html/wordpress/wp-config-sample.php
|
||||||
|
backup: yes
|
||||||
|
regexp: "{{ item.regexp }}"
|
||||||
|
line: "{{ item.line }}"
|
||||||
|
with_items:
|
||||||
|
- {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
|
||||||
|
- {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
|
||||||
|
- {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
|
||||||
|
- {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
|
||||||
|
|
||||||
|
- name: Création de la base de donnée mysql
|
||||||
|
mysql_db:
|
||||||
|
name: wordpress
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Création de l'utilisateur mysql
|
||||||
|
mysql_user:
|
||||||
|
name: wordpress
|
||||||
|
password: wp
|
||||||
|
priv: "*.*:ALL"
|
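Review bot: the WordPress configuration and the database account do not match: `define('DB_USER', 'wp')` is written into the config while `mysql_user` creates `name: wordpress`, so the site cannot connect. The `lineinfile` task also edits `wp-config-sample.php`, which WordPress ignores; copy it to `wp-config.php` first (or target that file). On the security side, `password: wp` with `priv: "*.*:ALL"` grants a trivially guessable account full rights on every database; move the password to a vaulted variable and scope the grant to `wordpress.*:ALL`. Finally, `shell: chown -R www-data ...` and `shell: chgrp -R ...` are not idempotent; replace both with one `file:` task using `owner: www-data`, `group: www-data`, `recurse: yes`, and trigger the Apache restart through `notify: restart apache` (the handler defined in this role) rather than an unconditional `service` restart.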
1
roles/base/files/apt.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
Acquire::http::Proxy "http://192.168.99.99:8080";
|
4
roles/base/files/resolv.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
domain gsb.lan
|
||||||
|
search gsb.lan
|
||||||
|
nameserver 192.168.99.99
|
||||||
|
|
10
roles/base/files/sources.list
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
#
|
||||||
|
|
||||||
|
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
|
||||||
|
|
||||||
|
deb http://security.debian.org/ wheezy/updates main
|
||||||
|
|
||||||
|
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
|
||||||
|
|
||||||
|
deb http://http.debian.net/debian wheezy-backports main
|
||||||
|
|
4
roles/base/files/sources.list.Debian
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
deb http://deb.debian.org/debian/ bullseye main non-free contrib
|
||||||
|
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
|
||||||
|
deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
|
||||||
|
|
13
roles/base/files/sources.list.Ubuntu
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
#------------------------------------------------------------------------------#
|
||||||
|
# OFFICIAL UBUNTU REPOS #
|
||||||
|
#------------------------------------------------------------------------------#
|
||||||
|
|
||||||
|
|
||||||
|
###### Ubuntu Main Repos
|
||||||
|
deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe
|
||||||
|
|
||||||
|
###### Ubuntu Update Repos
|
||||||
|
deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe
|
||||||
|
deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe
|
||||||
|
|
||||||
|
|
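Review bot: `wily` (Ubuntu 15.10) has been end-of-life since 2016 and its repositories no longer exist on `fr.archive.ubuntu.com`, so any Ubuntu host receiving this file through the base role loses package updates entirely. Either point it at a supported LTS codename or drop Ubuntu support from the role.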
9
roles/base/files/sources.list.buster
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
|
||||||
|
#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
|
||||||
|
#deb http://security.debian.org/ stretch/updates main
|
||||||
|
#deb http://ftp.fr.debian.org/debian/ stretch-updates main
|
||||||
|
|
||||||
|
deb http://deb.debian.org/debian/ buster main contrib non-free
|
||||||
|
deb http://security.debian.org/debian-security buster/updates main contrib non-free
|
||||||
|
deb http://deb.debian.org/debian/ buster-updates main contrib non-free
|
||||||
|
|
22
roles/base/files/sources.list.jessie
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
#
|
||||||
|
|
||||||
|
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
|
||||||
|
|
||||||
|
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
|
||||||
|
|
||||||
|
|
||||||
|
deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free
|
||||||
|
#deb-src http://ftp.fr.debian.org/debian/ jessie main
|
||||||
|
|
||||||
|
deb http://security.debian.org/ jessie/updates main
|
||||||
|
#deb-src http://security.debian.org/ jessie/updates main
|
||||||
|
|
||||||
|
deb http://ftp.fr.debian.org/debian/ jessie-updates main
|
||||||
|
#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main
|
||||||
|
#deb http://backports.debian.org/debian-backports jessie-backports main
|
||||||
|
#deb http://packages.steve.org.uk/slaughter/jessie/ ./
|
||||||
|
#deb https://rex.linux-files.org/debian/ jessie rex
|
||||||
|
|
||||||
|
|
||||||
|
#deb http://http.debian.net/debian jessie-backports main
|
||||||
|
|
22
roles/base/files/sources.list.wheezy
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
#
|
||||||
|
|
||||||
|
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
|
||||||
|
|
||||||
|
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
|
||||||
|
|
||||||
|
|
||||||
|
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
|
||||||
|
#deb-src http://ftp.fr.debian.org/debian/ wheezy main
|
||||||
|
|
||||||
|
deb http://security.debian.org/ wheezy/updates main
|
||||||
|
#deb-src http://security.debian.org/ wheezy/updates main
|
||||||
|
|
||||||
|
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
|
||||||
|
#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
|
||||||
|
#deb http://backports.debian.org/debian-backports wheezy-backports main
|
||||||
|
#deb http://packages.steve.org.uk/slaughter/wheezy/ ./
|
||||||
|
#deb https://rex.linux-files.org/debian/ wheezy rex
|
||||||
|
|
||||||
|
|
||||||
|
deb http://http.debian.net/debian wheezy-backports main
|
||||||
|
|
76
roles/base/tasks/main.yml
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Copie sources.list
|
||||||
|
copy:
|
||||||
|
src: sources.list.{{ ansible_distribution }}
|
||||||
|
dest: /etc/apt/sources.list
|
||||||
|
|
||||||
|
- name: Copie apt.conf pour proxy
|
||||||
|
copy:
|
||||||
|
src: apt.conf
|
||||||
|
dest: /etc/apt/apt.conf
|
||||||
|
when: ansible_hostname != "s-adm"
|
||||||
|
|
||||||
|
#- name: Sysctl desactive ipv6
|
||||||
|
# sysctl:
|
||||||
|
# name: net.ipv6.conf.all.disable_ipv6
|
||||||
|
# value: 1
|
||||||
|
# sysctl_set: yes
|
||||||
|
# state: present
|
||||||
|
# reload: yes
|
||||||
|
|
||||||
|
- name: Update + Upgrade
|
||||||
|
apt:
|
||||||
|
upgrade: yes
|
||||||
|
update_cache: yes
|
||||||
|
cache_valid_time: 86400 #One day
|
||||||
|
|
||||||
|
- name: Install paquets
|
||||||
|
apt:
|
||||||
|
state: present
|
||||||
|
name:
|
||||||
|
- vim
|
||||||
|
- ntp
|
||||||
|
- mc
|
||||||
|
- tcpdump
|
||||||
|
- curl
|
||||||
|
- net-tools
|
||||||
|
- rsync
|
||||||
|
- sudo
|
||||||
|
- iptables
|
||||||
|
|
||||||
|
- name: Desinstall paquets
|
||||||
|
apt:
|
||||||
|
state: absent
|
||||||
|
name:
|
||||||
|
- nfs-common
|
||||||
|
- rpcbind
|
||||||
|
- bluetooth
|
||||||
|
|
||||||
|
- name: Configure Vim
|
||||||
|
alternatives:
|
||||||
|
name: editor
|
||||||
|
path: /usr/bin/vim
|
||||||
|
|
||||||
|
- name: Generation /etc/hosts
|
||||||
|
template:
|
||||||
|
src: hosts.j2
|
||||||
|
dest: /etc/hosts
|
||||||
|
when: ansible_hostname != "s-proxy"
|
||||||
|
|
||||||
|
- name: Generation /etc/hosts pour s-proxy
|
||||||
|
template:
|
||||||
|
src: hosts.s-proxy.j2
|
||||||
|
dest: /etc/hosts
|
||||||
|
when: ansible_hostname == "s-proxy"
|
||||||
|
|
||||||
|
- name: Desactive IPV6 avec sysctl
|
||||||
|
sysctl:
|
||||||
|
name: "{{ item }}"
|
||||||
|
value: 1
|
||||||
|
state: present
|
||||||
|
reload: yes
|
||||||
|
with_items:
|
||||||
|
- net.ipv6.conf.all.disable_ipv6
|
||||||
|
- net.ipv6.conf.default.disable_ipv6
|
||||||
|
- net.ipv6.conf.lo.disable_ipv6
|
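Review bot: `src: sources.list.{{ ansible_distribution }}` only ever resolves to `sources.list.Debian` or `sources.list.Ubuntu`, so the bare `sources.list` (wheezy), `sources.list.buster`, `.jessie` and `.wheezy` added in this commit are dead files that point at end-of-life releases; remove them to avoid someone copying the wrong one by hand. Two smaller points: `Copie apt.conf pour proxy` runs before the apt tasks but `Copie sources.list` does not notify a cache refresh, which is fine only because `update_cache: yes` follows; and `value: 1` in the sysctl task should be the string `"1"` to avoid type-comparison changes on every run.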
27
roles/base/templates/hosts.j2
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
127.0.0.1 localhost
|
||||||
|
127.0.1.1 {{ ansible_nodename }}.gsb.lan {{ ansible_hostname }}
|
||||||
|
127.0.0.1 localhost ip6-localhost ip6-loopback
|
||||||
|
|
||||||
|
#10.121.38.10 depl.sio.lan depl
|
||||||
|
|
||||||
|
192.168.99.99 s-adm.gsb.adm depl.sio.lan depl
|
||||||
|
192.168.99.1 s-infra.gsb.adm
|
||||||
|
192.168.99.2 s-proxy.gsb.adm
|
||||||
|
192.168.99.3 s-appli.gsb.adm
|
||||||
|
192.168.99.4 s-backup.gsb.adm
|
||||||
|
192.168.99.5 s-puppet.gsb.adm
|
||||||
|
192.168.99.6 s-win.gsb.adm
|
||||||
|
192.168.99.7 s-nxc.gsb.adm
|
||||||
|
192.168.99.8 s-mon.gsb.adm
|
||||||
|
192.168.99.9 s-itil.gsb.adm
|
||||||
|
192.168.99.10 s-sspec.gsb.adm
|
||||||
|
192.168.99.11 s-web-ext.gsb.adm
|
||||||
|
192.168.99.10 s-dns.gsb.adm
|
||||||
|
192.168.99.12 r-int.gsb.adm
|
||||||
|
192.168.99.13 r-ext.gsb.adm
|
||||||
|
192.168.99.14 s-nas.gsb.adm
|
||||||
|
192.168.99.15 s-san.gsb.adm
|
||||||
|
192.168.99.16 s-fog.gsb.adm
|
||||||
|
|
||||||
|
192.168.99.8 syslog.gsb.adm
|
||||||
|
|
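Review bot: `192.168.99.10` is assigned twice, to `s-sspec.gsb.adm` and to `s-dns.gsb.adm`, and `s-sspec` looks like a typo for the `s-spec` machine started by `gsbstartl`; fix the address plan before this template is pushed to every host. `127.0.0.1 localhost ip6-localhost ip6-loopback` should be `::1 localhost ip6-localhost ip6-loopback`, as in the stock Debian `/etc/hosts`; as written, the IPv6 loopback names resolve to IPv4.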
26
roles/base/templates/hosts.s-proxy.j2
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
127.0.0.1 localhost
|
||||||
|
127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }}
|
||||||
|
127.0.0.1 localhost ip6-localhost ip6-loopback
|
||||||
|
172.16.0.2 s-proxy.gsb.lan s-proxy
|
||||||
|
|
||||||
|
#10.121.38.10 depl
|
||||||
|
|
||||||
|
192.168.99.99 s-adm.gsb.adm depl
|
||||||
|
192.168.99.1 s-infra.gsb.adm
|
||||||
|
192.168.99.2 s-proxy.gsb.adm
|
||||||
|
192.168.99.3 s-appli.gsb.adm
|
||||||
|
192.168.99.4 s-backup.gsb.adm
|
||||||
|
192.168.99.5 s-puppet.gsb.adm
|
||||||
|
192.168.99.6 s-win.gsb.adm
|
||||||
|
192.168.99.7 s-nxc.gsb.adm
|
||||||
|
192.168.99.8 s-mon.gsb.adm
|
||||||
|
192.168.99.9 s-itil.gsb.adm
|
||||||
|
192.168.99.10 s-sspec.gsb.adm
|
||||||
|
192.168.99.11 s-web-ext.gsb.adm
|
||||||
|
192.168.99.10 s-dns.gsb.adm
|
||||||
|
192.168.99.12 r-int.gsb.adm
|
||||||
|
192.168.99.13 r-ext.gsb.adm
|
||||||
|
192.168.99.14 s-nas.gsb.adm
|
||||||
|
|
||||||
|
192.168.99.8 syslog.gsb.adm
|
||||||
|
|
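Review bot: same issues as `hosts.j2`, from which this template is derived: `192.168.99.10` is listed for both `s-sspec.gsb.adm` and `s-dns.gsb.adm`, and the `ip6-localhost ip6-loopback` line uses `127.0.0.1` instead of `::1`. Consider generating the per-host differences (the `172.16.0.2 s-proxy.gsb.lan s-proxy` line) from a variable in a single template rather than maintaining two near-identical copies.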
3
roles/db-user/files/resolv.conf
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
search gsb.lan
|
||||||
|
domain gsb.lan
|
||||||
|
nameserver 172.16.0.1
|
12
roles/db-user/tasks/main.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
- name: Create mysql user
|
||||||
|
mysql_user:
|
||||||
|
host: "{{ cli_ip }}"
|
||||||
|
name: "{{ maria_dbuser }}"
|
||||||
|
password: "{{ maria_dbpasswd }}"
|
||||||
|
priv: "*.*:ALL"
|
||||||
|
|
||||||
|
- name: Copie du fichier resolv.conf
|
||||||
|
copy:
|
||||||
|
src: resolv.conf
|
||||||
|
dest: /etc/resolv.conf
|
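Review bot: `priv: "*.*:ALL"` gives a remote account (`host: "{{ cli_ip }}"`) full rights on every database on the server; scope it to the database the client actually needs (`"<db>.*:ALL"`) and make sure `maria_dbpasswd` comes from an Ansible Vault file, not a plain vars file. Copying `resolv.conf` from a role named `db-user` is an unexpected side effect: it points `nameserver` at `172.16.0.1`, whereas `roles/base/files/resolv.conf` uses `192.168.99.99`, so the final resolver depends on role order. Move DNS configuration to a dedicated role.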
152
roles/dhcp-ag/files/dhcpd.conf
Normal file
@ -0,0 +1,152 @@
|
|||||||
|
#
|
||||||
|
# Sample configuration file for ISC dhcpd for Debian
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
# The ddns-updates-style parameter controls whether or not the server will
|
||||||
|
# attempt to do a DNS update when a lease is confirmed. We default to the
|
||||||
|
# behavior of the version 2 packages ('none', since DHCP v2 didn't
|
||||||
|
# have support for DDNS.)
|
||||||
|
ddns-update-style none;
|
||||||
|
|
||||||
|
# option definitions common to all supported networks...
|
||||||
|
option domain-name "gsb.lan";
|
||||||
|
option domain-name-servers 172.16.0.1;
|
||||||
|
|
||||||
|
default-lease-time 86400;
|
||||||
|
max-lease-time 86400;
|
||||||
|
|
||||||
|
# If this DHCP server is the official DHCP server for the local
|
||||||
|
# network, the authoritative directive should be uncommented.
|
||||||
|
#authoritative;
|
||||||
|
|
||||||
|
# Use this to send dhcp log messages to a different log file (you also
|
||||||
|
# have to hack syslog.conf to complete the redirection).
|
||||||
|
log-facility local7;
|
||||||
|
|
||||||
|
# No service will be given on this subnet, but declaring it helps the
|
||||||
|
# DHCP server to understand the network topology.
|
||||||
|
|
||||||
|
#subnet 10.152.187.0 netmask 255.255.255.0 {
|
||||||
|
#}
|
||||||
|
|
||||||
|
# This is a very basic subnet declaration.
|
||||||
|
|
||||||
|
#subnet 10.254.239.0 netmask 255.255.255.224 {
|
||||||
|
# range 10.254.239.10 10.254.239.20;
|
||||||
|
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
|
||||||
|
#}
|
||||||
|
|
||||||
|
# This declaration allows BOOTP clients to get dynamic addresses,
|
||||||
|
# which we don't really recommend.
|
||||||
|
|
||||||
|
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}

# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}

#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}

#DHCP pour le réseau USER

#subnet 172.16.64.0 netmask 255.255.255.0 {
# range 172.16.64.20 172.16.64.120;
# option domain-name-servers 172.16.0.6, 172.16.0.1 ;
# option routers 172.16.64.254;
# option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
#}

#DHCP pour le réseau INFRA

#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}

#DHCP pour le réseau AGENCE

subnet 172.16.128.0 netmask 255.255.255.0 {
range 172.16.128.10 172.16.128.50;
option domain-name-servers 172.16.0.1;
option routers 172.16.128.254;
option broadcast-address 172.16.128.255;
default-lease-time 86400;
max-lease-time 86400;
}
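Review bot: the commented-out wifi and INFRA site blocks were pasted from the stock example and still carry its gateway and broadcast values (`option routers 10.5.5.1;` and `option broadcast-address 10.5.5.31;` under both `subnet 172.16.65.0` and `subnet 172.16.0.0`), and the INFRA pool `range 172.16.0.1 172.16.0.100;` begins at the very address the live AGENCE block advertises as `option domain-name-servers 172.16.0.1;`. Whoever uncomments those blocks later will hand wifi clients a default gateway that is not on their subnet and risk leasing the DNS server's own address to a workstation. Since this role is dhcp-ag and only the AGENCE subnet is meant to be active, either remove the upstream example text and the three dead site blocks from this file, or correct their routers, broadcast and range values now so the file cannot be enabled wrong later. Minor: `default-lease-time 86400;` equal to `max-lease-time 86400;` leaves dhcpd no room to grant anything shorter than a day; a lower default with the 86400 ceiling is the usual shape and limits how long a stale or rogue lease lingers.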
18
roles/dhcp-ag/files/isc-dhcp-server
Normal file
@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid

# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s8"
INTERFACESv6=""
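Review bot: `INTERFACESv4="enp0s8"` hard-codes the listening interface in a static file under `files/`, so the role has no way to adapt if the AGENCE-facing NIC is enumerated under another name: dhcpd will then either find no such interface, or find an enp0s8 whose address matches no declared subnet and refuse to start, and conversely it will serve leases on whatever segment enp0s8 happens to sit on. Prefer a Jinja2 template with the interface as a role variable, and add a config check (`dhcpd -t -cf /etc/dhcp/dhcpd.conf`) before the service restart so a bad interface or subnet mismatch fails the play rather than the host. Pinning to a single interface rather than leaving the list empty is the right choice here, and `INTERFACESv6=""` correctly keeps the v6 listener closed. The remaining lines are Debian's stock defaults file unchanged, including the stale `DHCPD_CONF/ DHCPD_PID` wording in the comment; worth noting in the commit message that only INTERFACESv4 differs.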