Premier commit

README.md

@@ -1,2 +1,63 @@
 # gsb2023
 
+Environnement et playbooks ansible pour le projet GSB 2023
+
+## Quickstart
+prérequis : une machine Debian Bullseye
+
+
+## Les machines
+  * s-adm
+  * s-infra
+  * r-int
+  * r-ext
+  * s-proxy
+
+
+## Les playbooks
+
+
+## Installation
+
+On utilisera l'image de machine virtuelle suivante : 
+  * **debian-bullseye-2023a.ova** (2022-05-07)
+    * Debian Bullseye 11 - 2 cartes - 1 Go - stockage 20 Go
+
+
+### Machine s-adm
+  * créer la machine virtuelle **s-adm** en important l'image ova décrite plus haut
+  * renommer la machine puis redémarrer
+  * taper :
+```shell
+    mkdir -p tools/ansible ; cd tools/ansible
+    git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git
+    cd gsb2023/pre
+    bash inst-depl
+    cd /var/www/html/gsbstore
+    bash getall
+    cd /root/tools/ansible/gsb022/pre
+    bash gsbboot
+    cd .. ; bash pull-config
+```
+  - redémarrer
+  
+### Pour chaque machine
+
+  - importer la machine à partir du fichier **.ova**
+  - définir les cartes réseau en accord avec le plan d'adressage et le schéma
+  - donner le nom adapté (avec sed -i …)
+  - redémarrer
+  - mettre à jour les paquets : apt update && apt upgrade
+  - cloner le dépot : 
+```shell
+mkdir -p tools/ansible ; cd tools/ansible
+git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git
+cd gsb2023/pre
+export DEPL=192.168.99.99
+bash gsbboot
+cd ../..
+bash pull-config
+```
+  - **Remarque** : une machine doit avoir été redémarrée pour prendre en charge la nouvelle configuration
+
+

agoss

@@ -0,0 +1,11 @@
+#!/bin/bash
+HOST=$(hostname)
+FHOST=$(pwd)/goss/$HOST
+if [ -r "$FHOST".yaml ] ; then
+	#goss -gossfile "$FHOST".yaml v --no-color
+	goss -gossfile "$FHOST".yaml v "$@"
+else
+	echo $0 : erreur lecture fichier "$FHOST".yaml 
+	exit 1 
+fi
+

changelog

@@ -0,0 +1,7 @@
+v5.0.2.j : 2019-01-25 -kb
+  ejout role s-nas-cliet et s-nas-server
+v5.0.1 : 2019-01-24 - ps
+  reorganisation : anciens playbooks et roles deplaces dans repertoire old
+v3.2.0 : 2017-11-16 - ps 
+  ajout changelog
+

confwireguard/r-ext/r-ext.ip

@@ -0,0 +1,36 @@
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host 
+       valid_lft forever preferred_lft forever
+2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:03:d3:28 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.99.13/24 brd 192.168.99.255 scope global enp0s3
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe03:d328/64 scope link 
+       valid_lft forever preferred_lft forever
+3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:63:40:ea brd ff:ff:ff:ff:ff:ff
+    inet 192.168.100.254/24 brd 192.168.100.255 scope global enp0s8
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe63:40ea/64 scope link 
+       valid_lft forever preferred_lft forever
+4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:4f:29:27 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.0.20/24 brd 192.168.0.255 scope global dynamic enp0s9
+       valid_lft 77233sec preferred_lft 77233sec
+    inet6 fe80::a00:27ff:fe4f:2927/64 scope link 
+       valid_lft forever preferred_lft forever
+5: enp0s10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:9d:16:f8 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.1.1/24 brd 192.168.1.255 scope global enp0s10
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe9d:16f8/64 scope link 
+       valid_lft forever preferred_lft forever
+6: enp0s16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:07:c1:0f brd ff:ff:ff:ff:ff:ff
+    inet 192.168.200.253/24 brd 192.168.200.255 scope global enp0s16
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe07:c10f/64 scope link 
+       valid_lft forever preferred_lft forever

confwireguard/r-ext/r-ext.routes

@@ -0,0 +1,9 @@
+default via 192.168.0.1 dev enp0s9 
+169.254.0.0/16 dev enp0s3 scope link metric 1000 
+172.16.0.0/24 via 192.168.200.254 dev enp0s16 
+172.16.128.0/24 via 192.168.1.2 dev enp0s10 
+192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.20 
+192.168.1.0/24 dev enp0s10 proto kernel scope link src 192.168.1.1 
+192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.13 
+192.168.100.0/24 dev enp0s8 proto kernel scope link src 192.168.100.254 
+192.168.200.0/24 dev enp0s16 proto kernel scope link src 192.168.200.253 

confwireguard/r-int/r-int.ip

@@ -0,0 +1,36 @@
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host 
+       valid_lft forever preferred_lft forever
+2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:c9:4e:0b brd ff:ff:ff:ff:ff:ff
+    inet 192.168.99.12/24 brd 192.168.99.255 scope global enp0s3
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fec9:4e0b/64 scope link 
+       valid_lft forever preferred_lft forever
+3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:34:ef:8f brd ff:ff:ff:ff:ff:ff
+    inet 192.168.200.254/24 brd 192.168.200.255 scope global enp0s8
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe34:ef8f/64 scope link 
+       valid_lft forever preferred_lft forever
+4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:56:72:01 brd ff:ff:ff:ff:ff:ff
+    inet 172.16.65.254/24 brd 172.16.65.255 scope global enp0s9
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe56:7201/64 scope link 
+       valid_lft forever preferred_lft forever
+5: enp0s10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:7c:d7:5b brd ff:ff:ff:ff:ff:ff
+    inet 172.16.64.254/24 brd 172.16.64.255 scope global enp0s10
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fe7c:d75b/64 scope link 
+       valid_lft forever preferred_lft forever
+6: enp0s16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:e6:59:3d brd ff:ff:ff:ff:ff:ff
+    inet 172.16.0.254/24 brd 172.16.0.255 scope global enp0s16
+       valid_lft forever preferred_lft forever
+    inet6 fe80::a00:27ff:fee6:593d/64 scope link 
+       valid_lft forever preferred_lft forever

confwireguard/r-int/r-int.routes

@@ -0,0 +1,7 @@
+default via 192.168.200.253 dev enp0s8 onlink 
+169.254.0.0/16 dev enp0s9 scope link metric 1000 
+172.16.0.0/24 dev enp0s16 proto kernel scope link src 172.16.0.254 
+172.16.64.0/24 dev enp0s10 proto kernel scope link src 172.16.64.254 
+172.16.65.0/24 dev enp0s9 proto kernel scope link src 172.16.65.254 
+192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.12 
+192.168.200.0/24 dev enp0s8 proto kernel scope link src 192.168.200.254 

confwireguard/r-vp1/r-vp1.ip

@@ -0,0 +1,20 @@
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:53:62:8c brd ff:ff:ff:ff:ff:ff
+    inet 192.168.99.112/24 brd 192.168.99.255 scope global enp0s3
+       valid_lft forever preferred_lft forever
+3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:b0:5e:11 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.1.2/24 brd 192.168.1.255 scope global enp0s8
+       valid_lft forever preferred_lft forever
+4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:28:10:4c brd ff:ff:ff:ff:ff:ff
+    inet 192.168.0.51/24 brd 192.168.0.255 scope global enp0s9
+       valid_lft forever preferred_lft forever
+12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/none 
+    inet 10.0.0.1/32 scope global wg0
+       valid_lft forever preferred_lft forever

confwireguard/r-vp1/r-vp1.routes

@@ -0,0 +1,8 @@
+10.0.0.2 dev wg0 scope link 
+169.254.0.0/16 dev enp0s3 scope link metric 1000 
+172.16.0.0/24 via 192.168.1.1 dev enp0s8 
+172.16.128.0/24 dev wg0 scope link 
+192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.51 
+192.168.1.0/24 dev enp0s8 proto kernel scope link src 192.168.1.2 
+192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.112 
+192.168.200.0/24 via 192.168.1.1 dev enp0s8 

confwireguard/r-vp2/r-vp2.ip

@@ -0,0 +1,18 @@
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+2: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
+    link/ether 08:00:27:46:2b:0a brd ff:ff:ff:ff:ff:ff
+3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:99:b7:7f brd ff:ff:ff:ff:ff:ff
+    inet 172.16.128.254/24 brd 172.16.128.255 scope global enp0s8
+       valid_lft forever preferred_lft forever
+4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:34:71:77 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.0.52/24 brd 192.168.0.255 scope global enp0s9
+       valid_lft forever preferred_lft forever
+7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/none 
+    inet 10.0.0.2/32 scope global wg0
+       valid_lft forever preferred_lft forever

confwireguard/r-vp2/r-vp2.routes

@@ -0,0 +1,7 @@
+10.0.0.1 dev wg0 scope link 
+169.254.0.0/16 dev enp0s9 scope link metric 1000 
+172.16.0.0/24 dev wg0 scope link 
+172.16.128.0/24 dev enp0s8 proto kernel scope link src 172.16.128.254 
+192.168.0.0/24 dev enp0s9 proto kernel scope link src 192.168.0.52 
+192.168.1.0/24 dev wg0 scope link 
+192.168.200.0/24 dev wg0 scope link 

confwireguard/s-infra/s-infra.ip

@@ -0,0 +1,12 @@
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:4a:25:54 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.99.1/24 brd 192.168.99.255 scope global enp0s3
+       valid_lft forever preferred_lft forever
+3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 08:00:27:ee:b4:01 brd ff:ff:ff:ff:ff:ff
+    inet 172.16.0.1/24 brd 172.16.0.255 scope global enp0s8
+       valid_lft forever preferred_lft forever

confwireguard/s-infra/s-infra.routes

@@ -0,0 +1,7 @@
+default via 192.168.99.99 dev enp0s3 onlink 
+169.254.0.0/16 dev enp0s3 scope link metric 1000 
+172.16.0.0/24 dev enp0s8 proto kernel scope link src 172.16.0.1 
+172.16.64.0/24 via 172.16.0.254 dev enp0s8 
+172.16.128.0/24 via 172.16.0.254 dev enp0s8 
+192.168.0.0/16 via 172.16.0.254 dev enp0s8 
+192.168.99.0/24 dev enp0s3 proto kernel scope link src 192.168.99.1 

doc/Docker-openvas.txt

@@ -0,0 +1,38 @@
+Fichier de documentation fait par Adnan Baljic, le 31/01/2019
+
+Configuration machine:
+Système: Carte Mère: Mémoire Vive: 2048
+Stockage: Contrôleur SATA: Ajouter un disque dur VDI de 8Go
+Réseau 1: n-adm
+Réseau 2: n-infra
+USB: Décocher "Activer le contrôleur USB"
+
+Important: Avant exécution du playbook, veillez à ne pas oublier de créer une partition sur /dev/sdb:
+-fdisk /dev/sdb
+-o
+-n
+-p
+-1
+-w
+
+La configuration de docker se fait automatiquement via le playbook s-docker.yml
+De base, s-docker.yml installera seulement docker-openvas-ab. Cependant, vous pouvez aussi installer docker-iredmail-ab en décommentant sa ligne et en
+commentant la ligne docker-openvas-ab. (Tous les 2 sont accessible depuis le port 443, si les 2 sont installés en même temps, il pourrait y avoir conflit.
+
+Manipulation à faire pour la mise en place d'Openvas via Docker:
+Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
+les interfaces...) et exécuter la commande ci-dessous:
+docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas
+
+Manipulation à faire pour la mise en place d'Openvas via Docker:
+Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
+les interfaces...) et exécuter la commande ci-dessous:
+docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas lejmr/iredmail
+
+Ensuite, il faudra faire: "docker start nom_du_container" pour le démarrer.
+L'accès au container se fait via une machine virtuelle windows 7 avec Mozilla Firefox à jour, via https://172.16.0.19:443.
+
+Le changement du système de fichier de /dev/sdb1 et le montage sur /var/lib/docker se fera automatiquement via le playbook.
+
+Les tests effectués:
+Jeudi 31 janvier 2019, 15:38 par Adnan Baljic= TEST OpenVAS OK

doc/icinga.txt

@@ -0,0 +1,3 @@
+Roles fait par Adnan Baljic, le 17/01/2019
+Installation de icinga, nagios3-plugins, copie des fichiers de configuration vers /etc/icinga/ (=commands.cfg, hostgroups.cfg) 
+et /etc/icinga/objects/ (=namevm.cfg, services_icinga.cfg, contacts_icinga.cfg)

doc/r-vp.txt

@@ -0,0 +1,23 @@
+Fichier de documentation fait par Adnan Baljic, le 24/01/2019
+
+Manipulation à faire pour la mise en place de r-vp1 et r-vp2:
+Après exécution de gsbboot et du pull-config, il faudra désactiver l'interface 
+de n-adm pour éviter une boucle. Pour cela, il suffit de faire "ifdown enp0sx"
+
+Pour ce qui est des tests pour vérifier que l'agence passe bien par le tunnel 
+chiffré, vous pouvez stopper le service ipsec ou strongswan ("service 
+strongswan stop" ou "service ipsec stop", cela revient à faire la même chose)
+
+Important: sur r-vp2, si la route par défaut est celui de s-adm, veuillez 
+supprimer cette route en faisant "route del default" sinon l'agence ne passera
+pas par le tunnel chiffré mais vers s-adm 
+cf. Schéma GSB/E4 - VPN/Infra - Version 1.2 - 2019-01-23
+
+La mise en place de strongswan via les certificats se fait via le playbook
+r-vpx-x509.yml. La manipulation ci-dessus n'est pas à faire pour les vpn avec
+certificat si r-vp2-x509 et r-vp1-x509 n'ont pas de route par défaut. Si ils ont
+une route par défaut, veuillez effectuer la même manipulation que pour r-vp2.
+Il faudra tout de même désactiver l'interface de n-adm sur les 2 r-vpx-x509.
+
+Les tests effectués:
+Jeudi 24 janvier 2019, 14:45 par Adnan Baljic= TEST OK

doc/s-fog.txt

@@ -0,0 +1,11 @@
+fichier de documentation réalier par Olivier Soares et Gaetan Maillard, le 25/01/2019
+
+Pour mettre en oeuvre le serveur fog, il faut déployer une machine virtuel debian (une ova), de la mettre à jour, de la renommer (s-fog), puis de récupérer gsbboot et faire un bash pull-config.
+
+Après avoir avoir fait l'installation de base, il suffit d'éxécuter le playbook "s-fog.yml" avec la commande ansible-playbooks -i hosts s-fog.yml". Ce playbook va récupérer le fichier d'installation de fog, le décompacter et configurer les différentes cartes réseaux de s-fog sachant qu'il y en a trois:
+
+L'interface enp0s3 permet d'avoir accès internet via le réseau "n-adm"
+L'interface enp0s8 permet de communiquer avec le réseau "n-infra"
+L'interface enp0s9 permet d'avoir accès et deployer des postes sur le réseau "n-user"
+
+Maintenant le serveur fog est prêt à être installer, avant de commencer l'installation il faut tout d'abord vérifier que l'accès à tous les réseaux soit correcte. Pour ça il suffit d'éxécuter le fichier de test goss

goss/r-ext.yaml

@@ -0,0 +1,42 @@
+command:
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+  ping -c 4 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 4 172.16.0.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 4 192.168.200.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.13/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.100.254/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.38/24
+  enp0s16:
+    exists: true
+    addrs:
+    - 192.168.200.253/24

goss/r-int.yaml

@@ -0,0 +1,35 @@
+package:
+  isc-dhcp-server:
+    installed: true
+service:
+  isc-dhcp-server:
+    enabled: true
+    running: true
+command:
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.12/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.200.254/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 172.16.65.254/24
+  enp0s10:
+    exists: true
+    addrs:
+    - 172.16.64.254/24
+  enp0s16:
+    exists: true
+    addrs:
+    - 172.16.0.254/24

goss/r-vp1-cs.yaml

@@ -0,0 +1,106 @@
+file:
+  /etc/ipsec.d/cacerts/strongswanCert.pem:
+    exists: true
+    mode: "0644"
+    size: 1834
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp1Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp2Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp1Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1675
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp2Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1679
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  strongswan:
+    installed: true
+    versions:
+    - 5.2.1-6+deb8u2
+service:
+  strongswan:
+    enabled: true
+    running: true
+user:
+  strongswan:
+    exists: true
+    uid: 112
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/strongswan
+    shell: /usr/sbin/nologin
+command:
+  Associations:
+    exit-status: 127
+    stdout: []
+    stderr:
+    - 'sh: 1: Associations: not found'
+    timeout: 10000
+  ip r|grep default:
+    exit-status: 0
+    stdout:
+    - default via 192.168.1.1 dev enp0s9
+    stderr: []
+    timeout: 10000
+  ipsec  listcacerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=Root CA"'
+    stderr: []
+    timeout: 10000
+  ipsec  listcerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=r-vp1"'
+    - 'subject:  "C=CH, O=GSB, CN=r-vp2"'
+    stderr: []
+    timeout: 10000
+  ipsec statusall|grep Security:
+    exit-status: 0
+    stdout:
+    - 'Security Associations (1 up, 0 connecting):'
+    stderr: []
+    timeout: 10000
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.0.51/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.1.2/24

goss/r-vp1-old.yaml

@@ -0,0 +1,106 @@
+file:
+  /etc/ipsec.d/cacerts/strongswanCert.pem:
+    exists: true
+    mode: "0644"
+    size: 1834
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp1Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp2Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp1Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1675
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp2Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1679
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  strongswan:
+    installed: true
+    versions:
+    - 5.2.1-6+deb8u2
+service:
+  strongswan:
+    enabled: true
+    running: true
+user:
+  strongswan:
+    exists: true
+    uid: 112
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/strongswan
+    shell: /usr/sbin/nologin
+command:
+  Associations:
+    exit-status: 127
+    stdout: []
+    stderr:
+    - 'sh: 1: Associations: not found'
+    timeout: 10000
+  ip r|grep default:
+    exit-status: 0
+    stdout:
+    - default via 192.168.1.1 dev enp0s9
+    stderr: []
+    timeout: 10000
+  ipsec  listcacerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=Root CA"'
+    stderr: []
+    timeout: 10000
+  ipsec  listcerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=r-vp1"'
+    - 'subject:  "C=CH, O=GSB, CN=r-vp2"'
+    stderr: []
+    timeout: 10000
+  ipsec statusall|grep Security:
+    exit-status: 0
+    stdout:
+    - 'Security Associations (1 up, 0 connecting):'
+    stderr: []
+    timeout: 10000
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.0.51/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.1.2/24

goss/r-vp1.yaml

@@ -0,0 +1,67 @@
+package:
+#  ferm:
+#    installed: true
+  strongswan:
+    installed: true
+port:
+  udp:68:
+    listening: true
+service:
+#  dnsmasq:
+#    enabled: true
+#    running: true
+  strongswan:
+    enabled: true
+    running: true
+  ssh:
+    enabled: true
+    running: true
+command:
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+command:  
+  ping -c 4 192.168.0.52:
+    exit-status: 0
+    stdout:
+    - 4 received = 1
+    stderr: []
+    timeout: 10000
+command:
+  ping -c 4 192.168.1.1:
+    exit-status: 0
+    stdout:
+    - 4 received = 1
+    stderr: []
+    timeout: 10000
+command:
+  ping -c 4 192.168.200.254:
+    exit-status: 0
+    stdout:
+    - 4 received = 1
+    stderr: []
+    timeout: 10000
+command:
+  ping -c 4 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 4 received = 1
+    stderr: []
+    timeout: 10000
+#process:
+#  dnsmasq:
+#    running: true
+#  squid:
+#    running: true
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.0.51/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.1.2/24

goss/r-vp2-cs.yaml

@@ -0,0 +1,105 @@
+file:
+  /etc/ipsec.d/cacerts/strongswanCert.pem:
+    exists: true
+    mode: "0644"
+    size: 1834
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp1Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp2Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp1Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1675
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp2Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1679
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  strongswan:
+    installed: true
+    versions:
+    - 5.2.1-6+deb8u2
+service:
+  strongswan:
+    enabled: true
+    running: true
+user:
+  strongswan:
+    exists: true
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/strongswan
+    shell: /usr/sbin/nologin
+command:
+  Associations:
+    exit-status: 127
+    stdout: []
+    stderr:
+    - 'sh: 1: Associations: not found'
+    timeout: 10000
+  ip r|grep default:
+    exit-status: 0
+    stdout:
+    - default via 192.168.99.99 dev enp0s3
+    stderr: []
+    timeout: 10000
+  ipsec  listcacerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=Root CA"'
+    stderr: []
+    timeout: 10000
+  ipsec  listcerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=r-vp2"'
+    - 'subject:  "C=CH, O=GSB, CN=r-vp1"'
+    stderr: []
+    timeout: 10000
+  ipsec statusall|grep Security:
+    exit-status: 0
+    stdout:
+    - 'Security Associations (1 up, 0 connecting):'
+    stderr: []
+    timeout: 10000
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.128.254/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.52/24

goss/r-vp2-old.yaml

@@ -0,0 +1,105 @@
+file:
+  /etc/ipsec.d/cacerts/strongswanCert.pem:
+    exists: true
+    mode: "0644"
+    size: 1834
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp1Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp2Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp1Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1675
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp2Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1679
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  strongswan:
+    installed: true
+    versions:
+    - 5.2.1-6+deb8u2
+service:
+  strongswan:
+    enabled: true
+    running: true
+user:
+  strongswan:
+    exists: true
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/strongswan
+    shell: /usr/sbin/nologin
+command:
+  Associations:
+    exit-status: 127
+    stdout: []
+    stderr:
+    - 'sh: 1: Associations: not found'
+    timeout: 10000
+  ip r|grep default:
+    exit-status: 0
+    stdout:
+    - default via 192.168.99.99 dev enp0s3
+    stderr: []
+    timeout: 10000
+  ipsec  listcacerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=Root CA"'
+    stderr: []
+    timeout: 10000
+  ipsec  listcerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=r-vp2"'
+    - 'subject:  "C=CH, O=GSB, CN=r-vp1"'
+    stderr: []
+    timeout: 10000
+  ipsec statusall|grep Security:
+    exit-status: 0
+    stdout:
+    - 'Security Associations (1 up, 0 connecting):'
+    stderr: []
+    timeout: 10000
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.128.254/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.52/24

goss/r-vp2goss.yaml

@@ -0,0 +1,67 @@
+package:
+  ferm:
+    installed: true
+  ipsec:
+    installed: true
+port:
+  tcp:53: 
+    listening: true
+  udp:67:
+    listening: true
+  udp:68:
+    listening: true
+service:
+  dnsmasq:
+    enabled: true
+    running: true
+  ferm:
+    enabled: true
+    running: true
+  ssh:
+    enabled: true
+    running: true
+command:
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+  sysctl ping -c 4 192.168.0.51:
+    exit-status: 0
+    stdout:
+    - 4 received = 1
+    stderr: []
+    timeout: 10000
+  sysctl ping -c 4 192.168.1.1:
+    exit-status: 0
+    stdout:
+    - 4 received = 1
+    stderr: []
+    timeout: 10000
+  sysctl ping -c 4 192.168.200.254:
+    exit-status: 0
+    stdout:
+    - 4 received = 1
+    stderr: []
+    timeout: 10000
+  sysctl ping -c 4 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 4 received = 1
+    stderr: []
+    timeout: 10000
+process:
+  dnsmasq:
+    running: true
+  squid3:
+    running: true
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.128.254/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.52/24

goss/s-adm.yaml

@@ -0,0 +1,80 @@
+package:
+  dnsmasq:
+    installed: true
+  squid:
+    installed: true
+addr:
+  tcp://depl.sio.lan:80:
+    reachable: true
+    timeout: 500
+port:
+  tcp:53:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp6:53:
+    listening: true
+    ip:
+    - '::'
+  tcp6:8080:
+    listening: true
+    ip:
+    - '::'
+  udp:53:
+    listening: true
+    ip:
+    - 0.0.0.0
+  udp:67:
+    listening: true
+    ip:
+    - 0.0.0.0
+  udp6:53:
+    listening: true
+    ip:
+    - '::'
+service:
+  dnsmasq:
+    enabled: true
+    running: true
+  squid:
+    enabled: true
+    running: true
+  ssh:
+    enabled: true
+    running: true
+user:
+  dnsmasq:
+    exists: true
+    uid: 109
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/misc
+    shell: /usr/sbin/nologin
+group:
+  ssh:
+    exists: true
+    gid: 111
+command:
+  /sbin/sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+dns:
+  depl.sio.lan:
+    resolveable: true
+    addrs:
+    - 10.121.38.10
+    timeout: 500
+process:
+  dnsmasq:
+    running: true
+  squid:
+    running: true
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.99.99/24

goss/s-agence.yaml

@@ -0,0 +1,39 @@
+command:
+  ip r:
+    exit-status: 0
+    stdout:
+    - default via 172.16.128.254 dev enp0s8
+    - 172.16.128.0/24
+    - 192.168.99.0/24
+    stderr: []
+    timeout: 10000
+  ping -c 2 172.16.128.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.1.2:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.1.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.200.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000

goss/s-appli.yaml

@@ -0,0 +1,35 @@
+service:
+  mariadb:
+    enabled: true
+    running: true
+
+  apache2:
+    enabled: true
+    running: true
+
+file:
+  /var/www/html/wordpress:
+    exists: true
+    owner: www-data
+    group: www-data
+    filetype: directory
+
+  /var/www/html/wordpress-5.8.2-fr_FR.tar.gz:
+    exists: true
+
+  /var/www/html/wordpress/wp-config-sample.php:
+    exists: true
+
+  /etc/apache2/sites-enabled/000-default.conf:
+    exists: true
+
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.3/24
+
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.3/24

goss/s-fog.yaml

@@ -0,0 +1,28 @@
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.16/24
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.16/24
+interface:
+  enp0s9:
+    exists: true
+    addrs:
+    - 172.16.64.16/24
+command:
+  ping -c 4 192.168.99.99:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 4 google.fr:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000

goss/s-infra.yaml

@@ -0,0 +1,90 @@
+package:
+  bind9:
+    installed: true
+  lighttpd:
+    installed: true
+addr:
+  tcp://192.168.99.99:8080:
+    reachable: true
+    timeout: 500
+port:
+  tcp:80:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp6:80:
+    listening: true
+    ip:
+    - '::'
+service:
+  bind9:
+    enabled: true
+    running: true
+  lighttpd:
+    enabled: true
+    running: true
+command:
+  host 172.16.0.2:
+    exit-status: 0
+    stdout:
+    - 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan.
+    stderr: []
+    timeout: 10000
+  host 172.16.0.9:
+    exit-status: 0
+    stdout:
+    - 9.0.16.172.in-addr.arpa domain name pointer s-itil.gsb.lan.
+    stderr: []
+    timeout: 10000
+  host free.fr:
+    exit-status: 0
+    stdout:
+    - free.fr has address 212.27.48.10
+    - free.fr has IPv6 address 2a01:e0c:1::1
+    - free.fr mail is handled by 10 mx1.free.fr.
+    - free.fr mail is handled by 20 mx2.free.fr.
+    stderr: []
+    timeout: 10000
+  host s-infra:
+    exit-status: 0
+    stdout:
+    - s-infra.gsb.lan has address 172.16.0.1
+    stderr: []
+    timeout: 10000
+  host s-infra.gsb.lan:
+    exit-status: 0
+    stdout:
+    - s-infra.gsb.lan has address 172.16.0.1
+    stderr: []
+    timeout: 10000
+  host s-mon:
+    exit-status: 0
+    stdout:
+    - s-mon.gsb.lan has address 172.16.0.8
+    stderr: []
+    timeout: 10000
+  host s-mon.gsb.lan:
+    exit-status: 0
+    stdout:
+    - s-mon.gsb.lan has address 172.16.0.8
+    stderr: []
+    timeout: 10000
+process:
+  lighttpd:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.1/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.1/24
+http:
+  http://localhost/wpad.dat:
+    status: 200
+    allow-insecure: false
+    no-follow-redirects: false
+    timeout: 5000
+    body: []

goss/s-itil.yaml

@@ -0,0 +1,36 @@
+file:
+  /var/www/html/glpi:
+    exists: true
+    mode: "0755"
+    owner: www-data
+    group: www-data
+    filetype: directory
+
+  /var/www/html/ficlients:
+    exists: true
+    mode: "0775"
+    owner: www-data
+    group: www-data
+    filetype: directory
+
+  /var/www/html/glpi/plugins:
+    exists: true
+    mode: "0777"
+    filetype: directory
+
+  /var/www/html/index.nginx-debian.html:
+    exists: true
+    mode: "0775"
+    owner: www-data
+    group: www-data
+    filetype: file
+
+service:
+  mariadb:
+    enabled: true
+    running: true
+
+  nginx:
+    enabled: true
+    running: true
+

goss/s-lb-bd.yaml

@@ -0,0 +1,21 @@
+package:
+  mysql-server:
+    installed: true
+    versions:
+    - 5.5.54-0+deb8u1
+command:
+  egrep "#bind-address" /etc/mysql/my.cnf:
+    exit-status: 0
+    stdout:
+    - "#bind-address\t\t= 127.0.0.1"
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.13/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.102.50/24

goss/s-lb-web1.yaml

@@ -0,0 +1,63 @@
+package:
+  apache2:
+    installed: true
+    versions:
+    - 2.4.10-10+deb8u7
+  php5:
+    installed: true
+    versions:
+    - 5.6.29+dfsg-0+deb8u1
+port:
+  tcp:22:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp6:22:
+    listening: true
+    ip:
+    - '::'
+  tcp6:80:
+    listening: true
+    ip:
+    - '::'
+service:
+  apache2:
+    enabled: true
+    running: true
+  sshd:
+    enabled: true
+    running: true
+user:
+  sshd:
+    exists: true
+    uid: 105
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/run/sshd
+    shell: /usr/sbin/nologin
+command:
+  egrep 192.168.102.14:/export/www /etc/fstab:
+    exit-status: 0
+    stdout:
+    - 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0
+    stderr: []
+    timeout: 10000
+process:
+  apache2:
+    running: true
+  sshd:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.11/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.101.1/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.102.1/24

goss/s-lb-web2.yaml

@@ -0,0 +1,63 @@
+package:
+  apache2:
+    installed: true
+    versions:
+    - 2.4.10-10+deb8u7
+  php5:
+    installed: true
+    versions:
+    - 5.6.29+dfsg-0+deb8u1
+port:
+  tcp:22:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp6:22:
+    listening: true
+    ip:
+    - '::'
+  tcp6:80:
+    listening: true
+    ip:
+    - '::'
+service:
+  apache2:
+    enabled: true
+    running: true
+  sshd:
+    enabled: true
+    running: true
+user:
+  sshd:
+    exists: true
+    uid: 105
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/run/sshd
+    shell: /usr/sbin/nologin
+command:
+  egrep 192.168.102.14:/export/www /etc/fstab:
+    exit-status: 0
+    stdout:
+    - 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0
+    stderr: []
+    timeout: 10000
+process:
+  apache2:
+    running: true
+  sshd:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.12/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.101.2/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.102.2/24

goss/s-lb.yaml

@@ -0,0 +1,28 @@
+port:
+  tcp:80:
+    listening: true
+    ip:
+    - 192.168.100.11
+service:
+  haproxy:
+    enabled: true
+    running: true
+  sshd:
+    enabled: true
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.100/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.100.11/24
+    mtu: 1500
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.101.254/24
+    mtu: 1500

goss/s-lb.yaml.old

@@ -0,0 +1,65 @@
+file:
+  /etc/haproxy/haproxy.cfg:
+    exists: true
+    mode: "0644"
+    size: 1518
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  haproxy:
+    installed: true
+port:
+  tcp:80:
+    listening: true
+    ip:
+    - 192.168.100.10
+service:
+  haproxy:
+    enabled: true
+    running: true
+user:
+  haproxy:
+    exists: true
+    uid: 111
+    gid: 117
+    groups:
+    - haproxy
+    home: /var/lib/haproxy
+    shell: /bin/false
+group:
+  haproxy:
+    exists: true
+    gid: 117
+command:
+  egrep "balance\s+roundrobin" /etc/haproxy/haproxy.cfg:
+    exit-status: 0
+    stdout:
+    - balance roundrobin
+    stderr: []
+    timeout: 10000
+  egrep "bind\s+192.168.100.10:80" /etc/haproxy/haproxy.cfg:
+    exit-status: 0
+    stdout:
+    - bind 192.168.100.10:80
+    stderr: []
+    timeout: 10000
+  egrep "mode\s+http" /etc/haproxy/haproxy.cfg:
+    exit-status: 0
+    stdout:
+    - "mode\thttp"
+    stderr: []
+    timeout: 10000
+process:
+  haproxy:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.10/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.100.10/24

goss/s-mon.yaml

@@ -0,0 +1,62 @@
+file:
+  /etc/icinga/htpasswd.users:
+    exists: true
+    mode: "0644"
+    size: 26
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  apache2:
+    installed: true
+  nagios-snmp-plugins:
+    installed: true
+  icinga:
+    installed: true
+  snmp:
+    installed: true
+port:
+  tcp6:80:
+    listening: true
+    ip:
+    - '::'
+  udp:514:
+    listening: true
+    ip:
+    - 0.0.0.0
+service:
+  apache2:
+    enabled: true
+    running: true
+  icinga:
+    enabled: true
+    running: true
+command:
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 0
+    stderr: []
+    timeout: 10000
+process:
+  apache2:
+    running: true
+  icinga:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.8/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.8/24
+http:
+  http://localhost/icinga:
+    status: 401
+    allow-insecure: false
+    no-follow-redirects: false
+    timeout: 5000
+    body: []

goss/s-proxy.yaml

@@ -0,0 +1,30 @@
+package:
+  squid:
+    installed: true
+port:
+  tcp:8080:
+    listening: true
+    ip:
+    - '0.0.0.0'
+service:
+  squid:
+    enabled: true
+    running: true
+command:
+  host 172.16.0.2:
+    exit-status: 0
+    stdout:
+    - 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan.
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.2/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.2/24
+    mtu: 1500

graylog-pont.yml

@@ -0,0 +1,8 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - goss
+    - docker-graylog-pont
+    - post

gsbchk

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+filename=/root/tools/ansible/gsb/goss/$HOSTNAME.yaml
+
+if ! [ -e $filename ] ; then
+	echo gsbchk : erreur ouverture $filename
+	exit 1
+
+fi
+if [ $# == 1] ; then
+	goss -g $filename v
+else
+	goss $*
+fi

gsbstart

@@ -0,0 +1,179 @@
+#!/usr/bin/perl
+
+#use strict;
+#use warnings;
+#SCRIPT PERMETTANT DE METTRE LES INTERFACES APPROPRIEES POUR LA MACHINE ENTREE EN PARAMETRE ET DE LA DEMARRER
+my %machines = (
+             's-infra' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-proxy' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-spec' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-mon' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-mess' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-itil' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-proxy' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-backup' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-appli' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             'r-int' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-link',
+		    netif3 => 'n-wifi',
+		    netif4 => 'n-user',
+		    netif5 => 'n-infra'
+             },
+             'r-ext' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz',
+		    netif3 => 'enp0s3',
+                    netif4 => 'n-linkv',
+                    netif5 => 'n-link'
+             },
+             'r-vp2' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-agence',
+                    netif3 => 'enp0s3'
+             },
+             'r-vp1' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'enp0s3',
+                    netif3 => 'n-linkv' 
+             },
+             's-lb' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz',
+                    netif3 => 'n-dmz-lb'
+             },
+             's-lb-bd' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz-db'
+                    
+             },
+             's-lb-web1' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz-lb',
+                    netif3 => 'n-dmz-db'
+             },
+             's-lb-web2' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz-lb',
+                    netif3 => 'n-dmz-db'
+             },
+  	     's-nas' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz-db',
+             }
+
+
+
+
+
+
+
+);
+
+
+my ($net1, $net2, $net3, $net4, $net5);
+
+my $machine = shift;
+die "usage : gsbstart <machine>" unless ( $machine);
+
+#print $machines { $machine }  "\n";
+if (%{$machines{$machine}}) { 
+#	print $machines { $machine } {netif1}, "\n";
+        $net1   =  $machines { $machine } {netif1};
+        $net2   =  $machines { $machine } {netif2};
+	$net3   =  $machines { $machine } {netif3};
+        $net4   =  $machines { $machine } {netif4};
+        $net5   =  $machines { $machine } {netif5};
+
+	
+
+} else {
+	print "machine $machine inconnue\n";
+}
+#
+  
+my $ninfra = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\""; 
+
+my $rint = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\"";
+
+my $rext = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\"";
+
+my $rvp2 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\n";
+
+my $rvp1 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net2 ."\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n";
+
+my $lb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 ". $net3."\n";
+
+my $lbbd ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n";
+
+my $lbweb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n"; 
+
+my $snas ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n";
+
+#print $routeur;
+
+
+if ($machine eq "r-int") {
+		qx($rint);
+		print "la création des interfaces du routeur $machine a fonctionné!\n";
+}else{
+	if ($machine eq "r-ext") {
+		qx($rext);
+	}else{
+		qx($ninfra);
+		print "la création des interfaces de $machine a fonctionné!\n";
+	}	
+}
+if ($machine eq "r-vp2") {
+	qx($rvp2);
+}
+if ($machine eq "r-vp1") {
+        qx($rvp1);
+}
+if ($machine eq "s-lb"){
+	qx($lb);
+}
+if ($machine eq "s-lb-web1"){
+	qx($lbweb);
+}
+if ($machine eq "s-lb-web2"){
+        qx($lbweb);
+}
+if ($machine eq "s-lb-bd"){
+        qx($lbbd);
+}
+if ($machine eq "s-nas"){
+        qx($snas);
+}
+
+qx(VBoxManage startvm $machine);	
+	
+
+

gsbstartl

@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+while ($_ = shift @ARGV) {
+	if ($_ eq "-a"){
+		qx(./gsbstart s-infra);
+		qx(./gsbstart s-spec);
+		qx(./gsbstart s-proxy);
+                qx(./gsbstart s-mon);
+                qx(./gsbstart s-mess);
+                qx(./gsbstart s-itil);
+                qx(./gsbstart s-backup);
+                qx(./gsbstart s-appli);
+                qx(./gsbstart r-vp1);
+                qx(./gsbstart r-vp2);
+                qx(./gsbstart r-int);
+                qx(./gsbstart r-ext);
+                qx(./gsbstart s-lb);
+                qx(./gsbstart s-lb-web-1);
+                qx(./gsbstart s-lb-web-2);
+                qx(./gsbstart s-lb-bd);
+
+	}else{
+                qx(./gsbstart $_);
+	}	
+}

lisezmoi.txt

@@ -0,0 +1,14 @@
+lisezmoi.txt
+------------
+
+Ce document décrit les divers élements du projet GSB du BTS SIO utilisé pour l'Epreuve E4
+
+
+Le projet GSB décrit les diférents playbooks permttant d'installer les
+machines du projet GSB
+
+Les répertoires :
+
+- roles : les roles
+- goss : les outils de test
+

ping-agence.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+ping -c3 172.16.128.254
+
+ping -c3 192.168.1.2
+
+ping -c3 192.168.1.1
+
+ping -c3 192.168.200.253
+
+ping -c3 192.168.200.254
+
+ping -c3 172.16.0.254
+
+ping -c3 172.16.0.1

ping-rext.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+ping -c3 172.16.0.1
+
+ping -c3 172.16.0.254
+
+ping -c3 192.168.200.254
+
+ping -c3 192.168.1.1
+
+ping -c3 192.168.1.2
+
+ping -c3 172.16.128.254
+
+ping -c3 172.16.128.10

ping-rint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+ping -c3 172.16.0.1
+
+ping -c3 192.168.200.253
+
+ping -c3 192.168.1.1
+
+ping -c3 192.168.1.2
+
+ping -c3 172.16.128.254
+
+ping -c3 172.16.128.10

ping-sinfra.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+ping -c3 172.16.0.254
+
+ping -c3 192.168.200.254
+
+ping -c3 192.168.200.253
+
+ping -c3 192.168.1.1
+
+ping -c3 192.168.1.2
+
+ping -c3 172.16.125.254
+
+ping -c3 172.16.128.10

pre/Vagrantfile-s-adm

@@ -0,0 +1,77 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box = "debian/buster64"
+  config.vm.hostname = "s-adm"
+  config.vm.define "s-adm"
+  config.vm.provider :virtualbox do |vb|
+     vb.name = "s-adm"
+  end
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+   config.vm.network "public_network", ip: "192.168.1.91"
+   config.vm.network "private_network", ip: "192.168.99.99"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  # config.vm.provider "virtualbox" do |vb|
+  #   # Display the VirtualBox GUI when booting the machine
+  #   vb.gui = true
+  #
+  #   # Customize the amount of memory on the VM:
+  #   vb.memory = "1024"
+  # end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+   config.vm.provision "shell", inline: <<-SHELL
+     apt-get update
+     apt-get upgrade
+     apt-get install -y vim wget curl
+    # apt-get install -y apache2
+   SHELL
+end

pre/gsbboot

@@ -0,0 +1,54 @@
+#!/bin/bash
+version="1.8"
+__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+__file="${__dir}/$(basename "${BASH_SOURCE[0]}")"
+__base="$(basename ${__file})"
+__root="$(cd "$(dirname "${__dir}")" && pwd)" 
+echo "dir : ${__dir}"
+echo "file : ${__file}"
+echo "base : ${__base}"
+echo "root : ${__root}"
+
+# version 1.8
+# install git si besoin
+# install ansible si besoin + backports si wheezy
+
+readonly base=/root/tools/ansible
+readonly slist=/etc/apt/sources.list
+readonly host=depl
+if [[ -z ${DEPL+x} ]]; then
+  echo "erreur : DEPL indefini"
+  echo " DEPL : adresse serveur deploiement"
+  echo "export DEPL=xyzt ; ./$0"
+  exit 1
+fi
+
+hostf="${host}.local" 
+prj=gsb2022
+APT=apt
+
+which git >> /dev/null
+if [[ $? != 0 ]]; then
+	${APT} update
+	echo "installation de git ..."
+	${APT} install -y git-core
+fi
+${APT} update
+${APT} upgrade -y
+
+which ansible >> /dev/null
+if [[ $? != 0 ]]; then
+	echo "installation de ansible ..."
+	${APT} install -y ansible 
+fi
+
+[ -e "${base}" ] || mkdir -p "${base}"
+
+grep "${hostf}" /etc/hosts > /dev/null || echo "${DEPL} ${hostf} ${host}" >> /etc/hosts
+cd "${base}"
+
+cp ${prj}/pull-config ${base}
+
+#echo "N'oubliez pasz d'indiquer l'adresse DEPL dans '/root/tools/ansible/pull-config'"
+echo "Vous pouvez lancer 'bash pull-config' depuis ${base} ..."
+

pre/inst-depl

@@ -0,0 +1,93 @@
+#!/bin/bash
+## ps : 2021-04-01 15:25
+
+set -o errexit
+set -o pipefail
+GITUSR=gitgsb
+GITPRJ=gsb2022
+apt update && apt upgrade
+apt install -y apache2 git 
+STOREREP="/var/www/html/gsbstore" 
+
+GLPIREL=9.5.6
+str="wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz"
+
+FIREL=9.5 
+str2="https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5%2B3.0/fusioninventory-9.5+3.0.tar.bz2"
+
+FIAGREL=2.6
+str31="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe"
+
+str32="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe"
+
+FOGREL=1.5.9
+str4="wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz"
+
+WPREL=5.8.2
+str5="wget -nc https://fr.wordpress.org/wordpress-${WPREL}-fr_FR.tar.gz"
+
+GOSSVER=v0.3.16
+str6="curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss"
+
+DOCKERREL=1.29.2
+str7="curl -L https://github.com/docker/compose/releases/download/${DOCKERREL}/docker-compose-$(uname -s)-$(uname -m) -o docker-compose"
+
+GESTSUPREL=3.2.15
+str8="wget -nc https://gestsup.fr/downloads/versions/current/version/gestsup_${GESTSUPREL}.zip"
+
+ELKREL=7.16.3
+str81="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-amd64.deb"
+
+str82="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-windows-x86_64.zip"
+
+str83="wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-windows-x86_64.zip"
+
+str84="wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-amd64.deb"
+
+
+[[ -d "${STOREREP}" ]]|| mkdir "${STOREREP}"
+
+(cat <<EOT > "${STOREREP}/getall"
+#!/bin/bash
+
+${str}
+
+${str2}
+
+${str31}
+
+${str32}
+
+${str4}
+
+${str5}
+
+${str6}
+
+chmod +x ./goss
+
+curl -L https://get.docker.com -o getdocker.sh
+
+chmod +x ./getdocker.sh
+
+${str7}
+
+chmod +x ./docker-compose
+
+
+wget -nc https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
+
+chmod +x ./mkcert
+
+${str8}
+
+${str81} 
+${str82} 
+${str83} 
+${str84} 
+
+EOT
+)
+
+cat "${STOREREP}/getall"
+

pre/inst-depl.old

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+GITUSR=gitgsb
+GITPRJ=gsb
+apt update && apt upgrade
+apt install -y apache2 git 
+getent passwd "${GITUSR}" >> /dev/null
+if [[ $? != 0 ]]; then
+  echo "creation utilisateur "${GITUSR}" ..."
+  /sbin/useradd -m -d /home/"${GITUSR}" -s /bin/bash "${GITUSR}" 
+  echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd 
+else
+  echo "utilisateur "${GITUSR}" existant..."
+fi
+su -c "git init --share --bare /home/${GITUSR}/${GITPRJ}.git" "${GITUSR}"
+su -c "cd ${GITPRJ}.git/.git/hooks && mv post-update.sample post-update" "${GITUSR}"
+[[ -h /var/www/html/"${GITPRJ}".git ]]|| ln -s /home/"${GITUSR}"/"${GITPRJ}".git /var/www/html/"${GITPRJ}".git
+[[ -d /var/www/html/gsbstore ]]|| mkdir /var/www/html/gsbstore
+ 
+(cat <<EOT > /var/www/html/gsbstore/getall
+
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+
+GLPIREL=9.4.5
+wget -nc https://github.com/glpi-project/glpi/releases/download/\${GLPIREL}/glpi-\${GLPIREL}.tgz
+ 
+FIREL=9.4+2.4
+wget -nc -O fusioninventory-glpi\${FIREL}.tag.gz https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi\${FIREL}.tar.gz 
+#https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi9.4+2.4.tar.g 
+ 
+FIAGREL=2.5.2 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\${FIAGREL}/fusioninventory-agent_windows-x64_\${FIAGREL}.exe
+ 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\$FIAGREL/fusioninventory-agent_windows-x86_\${FIAGREL}.exe
+ 
+FOGREL=1.5.7
+wget -nc https://github.com/FOGProject/fogproject/archive/\${FOGREL}.tar.gz -O fogproject-\${FOGREL}.tar.gz
+ 
+wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
+
+EOT
+)
+cat /var/www/html/gsbstore/getall
+

pre/pull-config

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ -z ${UREP+x} ]; then 
+	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git 
+fi
+
+dir=/root/tools/ansible
+
+[ -e "${dir}" ] || mkdir -p "${dir}"
+
+cd  "${dir}" || exit 1
+
+hostname  > hosts
+ansible-pull -i "${dir}/hosts"  -U "${UREP}"
+
+exit 0

proxy

@@ -0,0 +1 @@
+/etc/nginx/sites-availables/proxy

pull-config

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ -z ${UREP+x} ]; then 
+	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2022.git 
+fi
+
+dir=/root/tools/ansible
+
+[ -e "${dir}" ] || mkdir -p "${dir}"
+
+cd  "${dir}" || exit 1
+
+hostname  > hosts
+ansible-pull -i "${dir}/hosts"  -U "${UREP}"
+
+exit 0

r-ext.yml

@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+   - base
+   - goss
+   - r-ext
+   - snmp-agent
+   - ssh-cli
+   - syslog-cli
+   - post

r-int.yml

@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+   - base
+   - goss
+   - r-int
+   - ssh-cli
+   - syslog-cli
+   - dhcp
+   - snmp-agent
+   - post

r-vp1.yml

@@ -0,0 +1,20 @@
+---
+- hosts: localhost
+  connection: local
+
+  vars:
+   - ip1: 192.168.0.51
+   - remip: 192.168.0.52
+   - mynet: 192.168.1.0
+   - remnet: 172.16.128.0
+
+  roles:
+   - base
+   - goss
+#   - snmp-agent
+#   - firewall-vpn-r
+   - wireguard-r
+#   - x509-r
+   - ssh-cli
+   - syslog-cli
+   - post

r-vp2.yml

@@ -0,0 +1,23 @@
+---
+- hosts: localhost
+  connection: local
+
+  vars:
+   - ip1: 192.168.0.52
+   - remip: 192.168.0.51
+   - mynet: 172.16.128.0
+   - remnet: 192.168.1.0
+
+  roles:
+   - base
+   - goss
+   - dhcp-ag
+   - dns-agence
+   - ssh-root-access
+#   - snmp-agent
+#   - firewall-vpn-l
+   - wireguard-l
+#   - x509-l
+   - ssh-cli
+   - syslog-cli
+   - post

roles/apache2/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+ - name: restart apache2
+   service: name=apache2 state=restarted
+
+ - name: restart mysql-server
+   service: name=mysql-server state=restarted

roles/apache2/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Update apt cache
+  apt: update_cache=yes cache_valid_time=3600
+
+- name: Install required software
+  apt: name={{ item }} state=present
+  with_items:
+    - apache2
+    - mariadb-server
+    - php-mysql
+    - php
+    - libapache2-mod-php
+    - php-mcrypt
+    - python-mysqldb

roles/appli/README.md

@@ -0,0 +1,4 @@
+## Fonctionnement du rôle appli
+  
+Ce rôle permet de créer un serveur wordpress avec MariaDB et apache.  
+Ce rôle permet aussi de créer la base de donnée nécessaire pour wordpress.  

roles/appli/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: restart apache
+  service: name=apache2 state=restarted
+  become: yes

roles/appli/tasks/main.yml

@@ -0,0 +1,72 @@
+
+---
+- name: Installation des packets
+  apt:
+    state: present
+    name:
+    - php
+    - php-fpm
+    - php-mbstring
+    - php-ssh2
+    - php-gd
+    - php-mysql
+    - python3-mysqldb
+    - libapache2-mod-php
+    - mariadb-server
+    - apache2 
+    - python3
+
+- name: Création du répertoire pour wordpress
+  file:
+    path: /var/www/html/wordpress
+    state: directory
+
+- name: Téléchargement de wordpress
+  get_url:
+    url: http://s-adm.gsb.adm/gsbstore/wordpress-5.8.2-fr_FR.tar.gz
+    dest: /var/www/html
+
+- name: Extraction du fichier wordpress
+  unarchive:
+    src: /var/www/html/wordpress-5.8.2-fr_FR.tar.gz
+    dest: /var/www/html
+
+- name: Fix permissions owner
+  shell: chown -R www-data /var/www/html/wordpress
+
+- name: Fix permissions groups
+  shell: chgrp -R www-data /var/www/html/wordpress
+
+- name: Mettre à jour le site Apache par défaut
+  lineinfile:
+    dest: /etc/apache2/sites-enabled/000-default.conf
+    regexp: "(.)+DocumentRoot /var/www/html"
+    line: "DocumentRoot /var/www/html/wordpress"
+
+- name: restart apache2
+  service:
+    name: apache2
+    state: restarted
+
+- name: Mettre à jour le fichier de configuration WordPress
+  lineinfile:
+    dest: /var/www/html/wordpress/wp-config-sample.php
+    backup: yes
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
+    - {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
+    - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
+    - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
+
+- name: Création de la base de donnée mysql
+  mysql_db:
+    name: wordpress
+    state: present
+
+- name: Création de l'utilisateur mysql
+  mysql_user:
+    name: wordpress
+    password: wp
+    priv: "*.*:ALL"

roles/base/files/apt.conf

@@ -0,0 +1 @@
+Acquire::http::Proxy "http://192.168.99.99:8080";

roles/base/files/resolv.conf

@@ -0,0 +1,4 @@
+domain gsb.lan
+search gsb.lan
+nameserver 192.168.99.99
+

roles/base/files/sources.list

@@ -0,0 +1,10 @@
+# 
+
+deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
+
+deb http://security.debian.org/ wheezy/updates main
+
+deb http://ftp.fr.debian.org/debian/ wheezy-updates main
+
+deb http://http.debian.net/debian wheezy-backports main
+

roles/base/files/sources.list.Debian

@@ -0,0 +1,4 @@
+deb http://deb.debian.org/debian/ bullseye main non-free contrib
+deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
+

roles/base/files/sources.list.Ubuntu

@@ -0,0 +1,13 @@
+#------------------------------------------------------------------------------#
+#                            OFFICIAL UBUNTU REPOS                             #
+#------------------------------------------------------------------------------#
+
+
+###### Ubuntu Main Repos
+deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe 
+
+###### Ubuntu Update Repos
+deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe 
+deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe 
+
+

roles/base/files/sources.list.buster

@@ -0,0 +1,9 @@
+
+#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
+#deb http://security.debian.org/ stretch/updates main
+#deb http://ftp.fr.debian.org/debian/ stretch-updates main
+
+deb http://deb.debian.org/debian/ buster main contrib non-free
+deb http://security.debian.org/debian-security buster/updates main contrib non-free
+deb http://deb.debian.org/debian/ buster-updates main contrib non-free
+

roles/base/files/sources.list.jessie

@@ -0,0 +1,22 @@
+# 
+
+# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
+
+#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
+
+
+deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ jessie main
+
+deb http://security.debian.org/ jessie/updates main
+#deb-src http://security.debian.org/ jessie/updates main
+
+deb http://ftp.fr.debian.org/debian/ jessie-updates main
+#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main
+#deb http://backports.debian.org/debian-backports jessie-backports main
+#deb http://packages.steve.org.uk/slaughter/jessie/ ./
+#deb https://rex.linux-files.org/debian/ jessie rex
+
+
+#deb http://http.debian.net/debian jessie-backports main
+

roles/base/files/sources.list.wheezy

@@ -0,0 +1,22 @@
+# 
+
+# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
+
+#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
+
+
+deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ wheezy main
+
+deb http://security.debian.org/ wheezy/updates main
+#deb-src http://security.debian.org/ wheezy/updates main
+
+deb http://ftp.fr.debian.org/debian/ wheezy-updates main
+#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
+#deb http://backports.debian.org/debian-backports wheezy-backports main
+#deb http://packages.steve.org.uk/slaughter/wheezy/ ./
+#deb https://rex.linux-files.org/debian/ wheezy rex
+
+
+deb http://http.debian.net/debian wheezy-backports main
+

roles/base/tasks/main.yml

@@ -0,0 +1,76 @@
+---
+
+- name: Copie sources.list
+  copy:
+    src: sources.list.{{ ansible_distribution }}
+    dest: /etc/apt/sources.list
+
+- name: Copie apt.conf pour proxy 
+  copy:
+    src: apt.conf
+    dest: /etc/apt/apt.conf
+  when: ansible_hostname != "s-adm"    
+
+#- name: Sysctl desactive ipv6
+#  sysctl:
+#    name: net.ipv6.conf.all.disable_ipv6
+#    value: 1
+#    sysctl_set: yes
+#    state: present
+#    reload: yes
+
+- name: Update + Upgrade
+  apt:
+    upgrade: yes
+    update_cache: yes
+    cache_valid_time: 86400 #One day
+
+- name: Install paquets
+  apt:
+    state: present
+    name: 
+    - vim 
+    - ntp 
+    - mc
+    - tcpdump
+    - curl
+    - net-tools
+    - rsync
+    - sudo
+    - iptables
+
+- name: Desinstall paquets
+  apt:
+    state: absent
+    name: 
+    - nfs-common 
+    - rpcbind 
+    - bluetooth
+
+- name: Configure Vim
+  alternatives:
+    name: editor
+    path: /usr/bin/vim
+
+- name:  Generation /etc/hosts
+  template:
+    src: hosts.j2
+    dest: /etc/hosts
+  when: ansible_hostname != "s-proxy"
+
+- name:  Generation /etc/hosts pour s-proxy
+  template:
+    src: hosts.s-proxy.j2
+    dest: /etc/hosts
+  when: ansible_hostname == "s-proxy"
+
+- name: Desactive IPV6 avec sysctl
+  sysctl:
+    name: "{{ item }}"
+    value: 1
+    state: present
+    reload: yes
+  with_items:
+    - net.ipv6.conf.all.disable_ipv6
+    - net.ipv6.conf.default.disable_ipv6
+    - net.ipv6.conf.lo.disable_ipv6

roles/base/templates/hosts.j2

@@ -0,0 +1,27 @@
+127.0.0.1       localhost
+127.0.1.1       {{ ansible_nodename }}.gsb.lan {{ ansible_hostname }}
+127.0.0.1       localhost ip6-localhost ip6-loopback
+
+#10.121.38.10	depl.sio.lan depl
+
+192.168.99.99	s-adm.gsb.adm depl.sio.lan depl
+192.168.99.1	s-infra.gsb.adm
+192.168.99.2	s-proxy.gsb.adm
+192.168.99.3	s-appli.gsb.adm
+192.168.99.4	s-backup.gsb.adm
+192.168.99.5	s-puppet.gsb.adm
+192.168.99.6 	s-win.gsb.adm 
+192.168.99.7	s-nxc.gsb.adm
+192.168.99.8	s-mon.gsb.adm
+192.168.99.9	s-itil.gsb.adm
+192.168.99.10	s-sspec.gsb.adm
+192.168.99.11	s-web-ext.gsb.adm
+192.168.99.10	s-dns.gsb.adm
+192.168.99.12	r-int.gsb.adm
+192.168.99.13	r-ext.gsb.adm
+192.168.99.14	s-nas.gsb.adm
+192.168.99.15	s-san.gsb.adm
+192.168.99.16	s-fog.gsb.adm
+
+192.168.99.8	syslog.gsb.adm
+

roles/base/templates/hosts.s-proxy.j2

@@ -0,0 +1,26 @@
+127.0.0.1       localhost
+127.0.1.1       {{ ansible_nodename }} {{ ansible_hostname }}
+127.0.0.1       localhost ip6-localhost ip6-loopback
+172.16.0.2	s-proxy.gsb.lan s-proxy
+
+#10.121.38.10	depl
+
+192.168.99.99	s-adm.gsb.adm depl
+192.168.99.1	s-infra.gsb.adm
+192.168.99.2	s-proxy.gsb.adm
+192.168.99.3	s-appli.gsb.adm
+192.168.99.4	s-backup.gsb.adm
+192.168.99.5	s-puppet.gsb.adm
+192.168.99.6 	s-win.gsb.adm 
+192.168.99.7	s-nxc.gsb.adm
+192.168.99.8	s-mon.gsb.adm
+192.168.99.9	s-itil.gsb.adm
+192.168.99.10	s-sspec.gsb.adm
+192.168.99.11	s-web-ext.gsb.adm
+192.168.99.10	s-dns.gsb.adm
+192.168.99.12	r-int.gsb.adm
+192.168.99.13	r-ext.gsb.adm
+192.168.99.14	s-nas.gsb.adm
+
+192.168.99.8	syslog.gsb.adm
+

roles/db-user/files/resolv.conf

@@ -0,0 +1,3 @@
+search gsb.lan
+domain gsb.lan
+nameserver 172.16.0.1

roles/db-user/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Create mysql user
+  mysql_user: 
+    host: "{{ cli_ip }}"
+    name: "{{ maria_dbuser }}"
+    password: "{{ maria_dbpasswd }}"
+    priv: "*.*:ALL"
+
+- name: Copie du fichier resolv.conf
+  copy:
+    src: resolv.conf
+    dest: /etc/resolv.conf

roles/dhcp-ag/files/dhcpd.conf

@@ -0,0 +1,152 @@
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+option domain-name "gsb.lan";
+option domain-name-servers 172.16.0.1;
+
+default-lease-time 86400;
+max-lease-time 86400;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+#  range 10.254.239.10 10.254.239.20;
+#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.fugue.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.fugue.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}
+
+#DHCP pour le réseau wifi
+#subnet 172.16.65.0 netmask 255.255.255.0 {
+#	range 172.16.65.1 172.16.65.100;
+#  	option domain-name-servers ns1.internal.example.org;
+#  	option domain-name "internal.example.org";
+#  	option routers 10.5.5.1;
+#  	option broadcast-address 10.5.5.31;
+#  	default-lease-time 600;
+#  	max-lease-time 7200;
+#}
+
+#DHCP pour le réseau USER
+
+#subnet 172.16.64.0 netmask 255.255.255.0 {
+#        range 172.16.64.20 172.16.64.120;
+#        option domain-name-servers 172.16.0.6, 172.16.0.1 ;
+#        option routers 172.16.64.254;
+#        option broadcast-address 172.16.64.255;
+#       default-lease-time 600;
+#       max-lease-time 7200;
+#}
+
+#DHCP pour le réseau INFRA
+
+#subnet 172.16.0.0 netmask 255.255.255.0 {
+#        range 172.16.0.1 172.16.0.100;
+#       option domain-name-servers ns1.internal.example.org;
+#       option domain-name "internal.example.org";
+#       option routers 10.5.5.1;
+#       option broadcast-address 10.5.5.31;
+#       default-lease-time 600;
+#       max-lease-time 7200;
+#}
+
+#DHCP pour le réseau AGENCE
+
+subnet 172.16.128.0 netmask 255.255.255.0 {
+	range 172.16.128.10 172.16.128.50;
+	option domain-name-servers 172.16.0.1;
+	option routers 172.16.128.254;
+	option broadcast-address 172.16.128.255;
+	default-lease-time 86400;
+	max-lease-time 86400;
+}

roles/dhcp-ag/files/isc-dhcp-server

@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s8"
+INTERFACESv6=""