Premier commit

This commit is contained in:
phil
2021-01-04 22:49:46 +01:00
parent da1100578d
commit 65b2a3eaf3
538 changed files with 52570 additions and 0 deletions


@@ -0,0 +1,6 @@
---
- name: restart apache2
service: name=apache2 state=restarted
- name: restart mysql-server
service: name=mysql-server state=restarted
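Review bot: The second handler restarts a service called `mysql-server`, which is the Debian package name rather than the unit name; the unit the package ships is `mysql` (or `mariadb` where mariadb-server is installed, as the wordpress role in this commit does), so this handler fails with "could not find the requested service" the first time it is notified. Change it to `service: name=mysql state=restarted` (or `mariadb`, matching whichever server the consuming role installs). Both handlers would also read better in block YAML (`service:` with `name:`/`state:` keys), the form the wordpress task file already uses.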


@@ -0,0 +1,14 @@
---
- name: Update apt cache
apt: update_cache=yes cache_valid_time=3600
- name: Install required software
apt: name={{ item }} state=present
with_items:
- apache2
- mysql-server
- php-mysql
- php
- libapache2-mod-php
- php-mcrypt
- python-mysqldb
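Review bot: `apt: name={{ item }}` under `with_items` runs one apt transaction per package, so dependencies are resolved piecemeal and a failure half-way leaves a partial install; give the whole list to `name:` so apt resolves all nine packages in a single call, as the base role's task file in this commit already does. `with_items` is the legacy loop keyword — `loop:` is the current spelling if a loop is kept. Note that `php-mcrypt` no longer exists on buster (mcrypt was dropped from PHP 7.2), so if this role targets buster the task fails before anything is installed; worth confirming which release it is meant for.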


@@ -0,0 +1,4 @@
---
- name: restart apache
service: name=apache2 state=restarted
become: yes
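Review bot: `become: yes` is a YAML 1.1 boolean spelling; Ansible accepts it, but `become: true` is the documented form and what yamllint's truthy rule expects. None of the other handler files in this commit carry a per-handler `become`, so either they all need it (they also restart services) or the play already escalates and this line is redundant — make it consistent one way or the other.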


@@ -0,0 +1,73 @@
---
- name: Installation des packets
apt:
name: "{{ item }}"
state: latest
with_items:
- php
- php-fpm
- php-mbstring
- php-ssh2
- php-gd
- php-mysql
- python-mysqldb
- libapache2-mod-php
- mariadb-server
- apache2
- python
- name: Création du répertoire pour wordpress
file:
path: /var/www/html/wordpress
state: directory
- name: Téléchargement de wordpress
get_url:
url: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz
dest: /var/www/html
- name: Extraction du fichier wordpress
unarchive:
src: /var/www/html/wordpress-5.3.2-fr_FR.tar.gz
dest: /var/www/html
- name: Fix permissions owner
shell: chown -R www-data /var/www/html/wordpress
- name: Fix permissions groups
shell: chgrp -R www-data /var/www/html/wordpress
- name: Mettre à jour le site Apache par défaut
lineinfile:
dest: /etc/apache2/sites-enabled/000-default.conf
regexp: "(.)+DocumentRoot /var/www/html"
line: "DocumentRoot /var/www/html/wordpress"
- name: restart apache2
service:
name: apache2
state: restarted
- name: Mettre à jour le fichier de configuration WordPress
lineinfile:
dest: /var/www/html/wordpress/wp-config-sample.php
backup: yes
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
- {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
- {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
- {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
- name: Création de la base de donnée mysql
mysql_db:
name: wordpress
state: present
- name: Création de l'utilisateur mysql
mysql_user:
name: wordpress
password: wp
priv: "*.*:ALL"
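Review bot: The database credentials written into wp-config and given to `mysql_user` are a hard-coded `wp` password committed to the repository, the grant is `*.*:ALL` (every database, not just `wordpress`), and the user names do not even match — wp-config gets `DB_USER 'wp'` while the `mysql_user` task creates `wordpress`, so the site cannot connect as written. Move the password to a vaulted variable, scope the grant to `wordpress.*:ALL`, and use the same variables in both places. Two further defects in the same file: `get_url` fetches the tarball over plain HTTP with no `checksum:`, so code that will run as www-data is never integrity-checked, and `unarchive` lacks `remote_src: true`, so Ansible looks for the archive on the controller instead of where `get_url` just put it. Finally, the `lineinfile` edits target `wp-config-sample.php`, which WordPress ignores — it has to be copied to `wp-config.php` (and the AUTH_KEY/salt lines set) for any of this to take effect, and the two `chown`/`chgrp` shell calls collapse into one `file:` task.
```yaml
- name: Téléchargement de wordpress
  get_url:
    url: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz
    dest: /var/www/html
    checksum: "sha256:{{ wordpress_sha256 }}"  # hash of the archive you verified, kept in vars
- name: Extraction du fichier wordpress
  unarchive:
    src: /var/www/html/wordpress-5.3.2-fr_FR.tar.gz
    dest: /var/www/html
    remote_src: true
- name: Fix permissions
  file:
    path: /var/www/html/wordpress
    owner: www-data
    group: www-data
    recurse: true
# … unchanged: Apache DocumentRoot edit and restart …
- name: Créer wp-config.php à partir du modèle
  copy:
    src: /var/www/html/wordpress/wp-config-sample.php
    dest: /var/www/html/wordpress/wp-config.php
    remote_src: true
    force: false
- name: Mettre à jour le fichier de configuration WordPress
  lineinfile:
    dest: /var/www/html/wordpress/wp-config.php
    backup: yes
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  with_items:
    - {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
    - {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
    - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', '{{ wp_db_user }}');"}
    - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', '{{ wp_db_password }}');"}
# … unchanged: mysql_db task …
- name: Création de l'utilisateur mysql
  mysql_user:
    name: "{{ wp_db_user }}"
    password: "{{ wp_db_password }}"  # from an ansible-vault file, not the repo
    host: localhost
    priv: "wordpress.*:ALL"
```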


@@ -0,0 +1 @@
Acquire::http::Proxy "http://192.168.99.99:8080";


@@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 192.168.99.99


@@ -0,0 +1,10 @@
#
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
deb http://security.debian.org/ wheezy/updates main
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
deb http://http.debian.net/debian wheezy-backports main
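Review bot: `wheezy` reached end of life in May 2018 and was moved off the main mirrors to archive.debian.org, so by this commit's date `ftp.fr.debian.org` and `security.debian.org` answer 404 for every line here and `apt update` fails — and, more importantly, no security updates exist for the release at all. If wheezy hosts genuinely still exist, point the main line at `deb http://archive.debian.org/debian/ wheezy main contrib non-free`, drop the `wheezy/updates`, `wheezy-updates` and backports lines (empty on the archive), and schedule the upgrade; otherwise delete this file rather than ship a dead sources.list.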


@@ -0,0 +1,9 @@
#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
#deb http://security.debian.org/ stretch/updates main
#deb http://ftp.fr.debian.org/debian/ stretch-updates main
deb http://deb.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb http://deb.debian.org/debian/ buster-updates main contrib non-free


@@ -0,0 +1,13 @@
#------------------------------------------------------------------------------#
# OFFICIAL UBUNTU REPOS #
#------------------------------------------------------------------------------#
###### Ubuntu Main Repos
deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe
###### Ubuntu Update Repos
deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe
deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe
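Review bot: Ubuntu `wily` (15.10) went end-of-life in July 2016 and has been removed from `fr.archive.ubuntu.com`, so these three lines 404 on `apt update` and a host that receives them gets no security updates whatsoever. If an Ubuntu target is still needed, replace `wily` with a supported LTS codename; `old-releases.ubuntu.com` is the only place this suite still exists and should be a stopgap for the upgrade, not a shipped configuration.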


@@ -0,0 +1,22 @@
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free
#deb-src http://ftp.fr.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
#deb-src http://security.debian.org/ jessie/updates main
deb http://ftp.fr.debian.org/debian/ jessie-updates main
#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main
#deb http://backports.debian.org/debian-backports jessie-backports main
#deb http://packages.steve.org.uk/slaughter/jessie/ ./
#deb https://rex.linux-files.org/debian/ jessie rex
#deb http://http.debian.net/debian jessie-backports main
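Review bot: `jessie` left Debian LTS support at the end of June 2020, so none of these repositories deliver security fixes any more and `jessie/updates` is frozen; this belongs on an upgrade list rather than in a sources.list the role installs. The commented `https://rex.linux-files.org` and `packages.steve.org.uk` lines are third-party repositories with no accompanying key-management step — if either is ever uncommented, the signing key must be installed first or apt will (correctly) refuse the index. The cdrom header still names `Squeeze` while the suite is `jessie`, confusing residue that should be removed.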


@@ -0,0 +1,22 @@
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
#deb-src http://ftp.fr.debian.org/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
#deb-src http://security.debian.org/ wheezy/updates main
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
#deb http://backports.debian.org/debian-backports wheezy-backports main
#deb http://packages.steve.org.uk/slaughter/wheezy/ ./
#deb https://rex.linux-files.org/debian/ wheezy rex
deb http://http.debian.net/debian wheezy-backports main
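Review bot: This is the earlier wheezy list again with `wheezy-backports` enabled, and the same problem applies: wheezy has been end-of-life since 2018 and lives only on archive.debian.org, so a host receiving this file cannot update and gets no security fixes. Two near-identical wheezy lists in one role also invite drift; the base role selects `sources.list.{{ ansible_distribution }}`, so one file per supported release, keyed on a release fact, is the shape to aim for.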

roles/base/tasks/main.yml Normal file

@@ -0,0 +1,49 @@
---
- name: Copie sources.list
copy: src=sources.list.{{ ansible_distribution }} dest=/etc/apt/sources.list
- name: Copie apt.conf pour proxy
copy: src=apt.conf dest=/etc/apt/apt.conf
when: ansible_hostname != "s-adm"
- name: Update + Upgrade
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
- name: Install paquets
apt:
state: present
name:
- vim
- ntp
- mc
- tcpdump
- curl
- net-tools
- rsync
- sudo
- name: Desinstall paquets
apt:
state: absent
name:
- nfs-common
- rpcbind
- bluetooth
- name: Configure Vim
alternatives: name=editor path=/usr/bin/vim
#- name: copie fichier
# copy: src=mesg.txt dest=/root/tools/mesg.txt
- name: Generation /etc/hosts
template: src=hosts.j2 dest=/etc/hosts
when: ansible_hostname != "s-proxy"
- name: Generation /etc/hosts pour s-proxy
template: src=hosts.s-proxy.j2 dest=/etc/hosts
when: ansible_hostname == "s-proxy"
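Review bot: `copy: src=sources.list.{{ ansible_distribution }}` selects the list by distribution (`Debian`, `Ubuntu`), not by release, so every Debian host — and this commit ships wheezy, jessie and buster lists — receives the same `sources.list.Debian`; whichever codename that file names, hosts on the other releases are silently pointed at the wrong (or an end-of-life) suite. Keying on `{{ ansible_distribution_release }}` matches the per-codename files that actually exist. `apt: upgrade: yes` performs an unbounded full upgrade on every run, a surprising side effect for a base role; `upgrade: safe`, or `dist` behind a variable, is the usual compromise. `copy: src=apt.conf dest=/etc/apt/apt.conf` overwrites the whole file, where a drop-in such as `/etc/apt/apt.conf.d/01proxy` would not clobber other settings; the removal of `nfs-common`, `rpcbind` and `bluetooth` is a good attack-surface cut, but `sudo` is installed with no sudoers policy visible here, so verify that is handled elsewhere.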


@@ -0,0 +1,27 @@
127.0.0.1 localhost
127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }}
127.0.0.1 localhost ip6-localhost ip6-loopback
10.121.38.10 depl.sio.lan depl
192.168.99.99 s-adm.gsb.adm
192.168.99.1 s-infra.gsb.adm
192.168.99.2 s-proxy.gsb.adm
192.168.99.3 s-appli.gsb.adm
192.168.99.4 s-backup.gsb.adm
192.168.99.5 s-puppet.gsb.adm
192.168.99.6 s-win.gsb.adm
192.168.99.7 s-mess.gsb.adm
192.168.99.8 s-mon.gsb.adm
192.168.99.9 s-itil.gsb.adm
192.168.99.10 s-sspec.gsb.adm
192.168.99.11 s-web-ext.gsb.adm
192.168.99.10 s-dns.gsb.adm
192.168.99.12 r-int.gsb.adm
192.168.99.13 r-ext.gsb.adm
192.168.99.14 s-nas.gsb.adm
192.168.99.15 s-san.gsb.adm
192.168.99.16 s-fog.gsb.adm
192.168.99.8 syslog.gsb.adm
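Review bot: The line `127.0.0.1 localhost ip6-localhost ip6-loopback` maps the IPv6 loopback names to an IPv4 address and the template has no `::1` entry at all; Debian's default is `::1 localhost ip6-localhost ip6-loopback`, which is what the hosts file shipped in the DNS role uses. `192.168.99.10` is assigned to both `s-sspec.gsb.adm` and `s-dns.gsb.adm` — if these are two machines one of them is unreachable by name on the admin network, and if s-dns is an alias it should share s-sspec's line the way `syslog.gsb.adm` is handled for s-mon.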


@@ -0,0 +1,26 @@
127.0.0.1 localhost
127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }}
127.0.0.1 localhost ip6-localhost ip6-loopback
172.16.0.2 s-proxy.gsb.lan s-proxy
10.121.38.10 depl
192.168.99.99 s-adm.gsb.adm
192.168.99.1 s-infra.gsb.adm
192.168.99.2 s-proxy.gsb.adm
192.168.99.3 s-appli.gsb.adm
192.168.99.4 s-backup.gsb.adm
192.168.99.5 s-puppet.gsb.adm
192.168.99.6 s-win.gsb.adm
192.168.99.7 s-mess.gsb.adm
192.168.99.8 s-mon.gsb.adm
192.168.99.9 s-itil.gsb.adm
192.168.99.10 s-sspec.gsb.adm
192.168.99.11 s-web-ext.gsb.adm
192.168.99.10 s-dns.gsb.adm
192.168.99.12 r-int.gsb.adm
192.168.99.13 r-ext.gsb.adm
192.168.99.14 s-nas.gsb.adm
192.168.99.8 syslog.gsb.adm
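Review bot: Same two defects as the general template: `127.0.0.1 localhost ip6-localhost ip6-loopback` should be `::1 localhost ip6-localhost ip6-loopback`, and `192.168.99.10` is given to both `s-sspec.gsb.adm` and `s-dns.gsb.adm`. The two templates duplicate the whole admin-network list and have already drifted (this one lacks `s-san`, `s-fog` and the `depl.sio.lan` FQDN); a single template with the s-proxy-specific `172.16.0.2` line inside `{% if ansible_hostname == 's-proxy' %}` would keep them in step and let the base role drop its two conditional tasks.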


@@ -0,0 +1,7 @@
---
- name: Create mysql user
mysql_user:
host: "{{ cli_ip }}"
name: "{{ maria_dbuser }}"
password: "{{ maria_dbpasswd }}"
priv: "*.*:ALL"
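Review bot: `priv: "*.*:ALL"` grants `{{ maria_dbuser }}` full rights on every database from `{{ cli_ip }}`, far more than an application account needs; scope it to the application's schema, e.g. `priv: "{{ maria_dbname }}.*:ALL"` with a `maria_dbname` variable alongside the two that already exist. The task relies on the implicit root login — fine with unix-socket authentication on MariaDB, but `login_unix_socket: /var/run/mysqld/mysqld.sock` makes that explicit and survives a root password being set later. Nothing in this role installs or starts mariadb-server, so it presumably depends on another role; a `meta/main.yml` dependency would make that visible.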


@@ -0,0 +1,152 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau USER
#subnet 172.16.64.0 netmask 255.255.255.0 {
# range 172.16.64.20 172.16.64.120;
# option domain-name-servers 172.16.0.6, 172.16.0.1 ;
# option routers 172.16.64.254;
# option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau INFRA
#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau AGENCE
subnet 172.16.128.0 netmask 255.255.255.0 {
range 172.16.128.10 172.16.128.50;
option domain-name-servers 172.16.0.1;
option routers 172.16.128.254;
option broadcast-address 172.16.128.255;
default-lease-time 86400;
max-lease-time 86400;
}
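Review bot: `#authoritative;` is still commented out, so this server will not NAK clients that ask to renew a lease from a foreign range; the sample comment above it says to uncomment it when the server is the official one for the segment, which is the case for the `172.16.128.0/24` AGENCE pool. The file is otherwise Debian's sample with some hundred lines of example subnets, hosts and classes left in place; trimming it to the global options plus the live AGENCE declaration makes the actual policy reviewable. `option domain-name-servers 172.16.0.1` is repeated inside the subnet with the same value as the global, so one of the two can go.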


@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s8"
INTERFACESv6=""


@@ -0,0 +1,3 @@
---
- name: restart dhcp
service: name=isc-dhcp-server state=restarted


@@ -0,0 +1,11 @@
---
- name: Installation serveur dhcp
apt: name=isc-dhcp-server state=present update_cache=yes
- name: copie dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp
# notify: restart dhcp
- name: copie conf isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/isc-dhcp-server
# notify: restart dhcp
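Review bot: Both `# notify: restart dhcp` lines are commented out, so a changed `dhcpd.conf` or interface list is copied but never applied until someone restarts isc-dhcp-server by hand, and the handler in this role is dead code. Re-enable them, and because a bad `dhcpd.conf` stops the daemon at restart, add `validate: 'dhcpd -t -cf %s'` to that copy so a syntax error is caught before the running server is touched. `dest=/etc/dhcp` only works because the directory already exists; `dest=/etc/dhcp/dhcpd.conf` is unambiguous.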


@@ -0,0 +1,142 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau USER
subnet 172.16.64.0 netmask 255.255.255.0 {
range 172.16.64.20 172.16.64.120;
option domain-name-servers 172.16.0.1 ;
option routers 172.16.64.254;
option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau INFRA
#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
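Review bot: As in the AGENCE variant, `#authoritative;` is left commented although this is the only DHCP server for the USER segment; uncomment it so clients holding stale leases get a NAK instead of waiting out a timeout. The USER subnet's own `default-lease-time 600` / `max-lease-time 7200` are commented, so the global 86400 applies — possibly intended, but a 24-hour lease on a hundred-address pool (`172.16.64.20`–`.120`) exhausts quickly with roaming clients, so a comment should say which is meant. The `172.16.0.1 ;` has a stray space before the semicolon, harmless but untidy.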


@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s9"
INTERFACESv6=""


@@ -0,0 +1,3 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted


@@ -0,0 +1,14 @@
---
- name: Installation du dhcp
apt: name=isc-dhcp-server state=present
- name: Copie du fichier isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/
- name: Copie du fichier dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp/
notify:
- restart isc-dhcp-server
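Review bot: `notify: restart isc-dhcp-server` is attached only to the `dhcpd.conf` copy; a change to `INTERFACESv4` in `/etc/default/isc-dhcp-server` is copied but the daemon keeps listening on the old interface until a manual restart. Attach the same `notify` to the first copy task as well, and consider `validate: 'dhcpd -t -cf %s'` on the `dhcpd.conf` copy so a broken config never reaches the handler. Unlike the other dhcp task file in this commit, the `apt` task has no `update_cache=yes`, so on a fresh host where the base role has not run first the install fails on a stale cache.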

roles/dhcp/files/dhcpd.conf Normal file

@@ -0,0 +1,142 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
subnet 172.16.65.0 netmask 255.255.255.0 {
range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau USER
subnet 172.16.64.0 netmask 255.255.255.0 {
range 172.16.64.20 172.16.64.120;
option domain-name-servers 172.16.0.1 ;
option routers 172.16.64.254;
option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau INFRA
subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
}
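Review bot: The wifi subnet `172.16.65.0/24` is now live but its `option routers` and `option broadcast-address` lines are still commented (and still carry the sample's `10.5.5.1`/`10.5.5.31` values), so wifi clients receive an address from `172.16.65.1`–`.100` with no default gateway; the USER declaration below shows the shape needed, presumably `option routers 172.16.65.254;` and `option broadcast-address 172.16.65.255;`. Starting the range at `.1` also hands out whatever address the wifi router holds if it sits at `172.16.65.1`. The INFRA subnet is declared with every directive commented, which is valid as a topology-only declaration, but the block should say so instead of keeping sample cruft; `#authoritative;` remains commented here as in the other two copies of this file.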


@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s9 enp0s10"
INTERFACESv6=""


@@ -0,0 +1,3 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

roles/dhcp/tasks/main.yml Normal file

@@ -0,0 +1,14 @@
---
- name: Installation du dhcp
apt: name=isc-dhcp-server state=present
- name: Copie du fichier isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/
- name: Copie du fichier dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp/
notify:
- restart isc-dhcp-server
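Review bot: Only the `dhcpd.conf` copy notifies the restart handler; the interface list in `/etc/default/isc-dhcp-server` (two interfaces in this role's copy) is installed without a restart, so the daemon keeps serving on the old set until rebooted. Add the same `notify:` to the first copy task, or group both copies in a `block:` with one notify, and add `validate: 'dhcpd -t -cf %s'` to the config copy so a syntax error cannot take the running server down. This file is byte-identical to the other dhcp task file in this commit apart from the shipped config, which suggests a single role parameterized by group vars rather than two copies.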


@@ -0,0 +1,23 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
172.16.0.1;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
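Review bot: This options block sets no `allow-query` or `allow-recursion` and listens on every IPv6 interface, so the daemon accepts recursive queries from any address that can reach it — an open resolver usable for cache-poisoning attempts and DNS amplification; the s-infra variant of this same file elsewhere in this commit already restricts both to `172.16.0.0/16`. Add `allow-query { localhost; 172.16.0.0/16; };` and `allow-recursion { localhost; 172.16.0.0/16; };`, adjusting the prefix to the segment this role serves. The forwarder `172.16.0.1` is s-infra itself, which is fine as long as this role is never applied to s-infra, where it would forward to itself.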


@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted


@@ -0,0 +1,11 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9


@@ -0,0 +1,23 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
172.16.0.1;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
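Review bot: Identical to the previous named.conf.options and with the same gap: no `allow-query`/`allow-recursion`, so this is an open recursive resolver on every interface, IPv6 included. Add `allow-query { localhost; 172.16.0.0/16; };` and `allow-recursion { localhost; 172.16.0.0/16; };`. Two roles shipping the same BIND file suggests one should declare a dependency on the other in `meta/main.yml` rather than carry a copy that will drift.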


@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted


@@ -0,0 +1,11 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9


@@ -0,0 +1,30 @@
; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
2016011401 ; Serial
7200 ; Refresh
86400 ; Retry
8419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS s-infra.gsb.lan.
@ IN NS s-backup.gsb.lan.
@ IN A 127.0.0.1
@ IN AAAA ::1
s-infra IN A 172.16.0.1
s-backup IN A 172.16.0.4
s-proxy IN A 172.16.0.2
s-appli IN A 172.16.0.3
s-win IN A 172.16.0.6
s-mess IN A 172.16.0.7
s-mon IN A 172.16.0.8
s-itil IN A 172.16.0.9
r-int IN A 172.16.0.254
r-int-lnk IN A 192.168.200.254
r-ext IN A 192.168.200.253
ns IN CNAME s-infra.gsb.lan.
wpad IN CNAME s-infra.gsb.lan.
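Review bot: The apex records `@ IN A 127.0.0.1` and `@ IN AAAA ::1` are left over from Debian's `db.local` template, so `gsb.lan` itself resolves to loopback for every client; drop them or point them at the host that should answer for the bare domain. `s-backup.gsb.lan.` is listed as a second NS, but nothing in this commit configures s-backup as a secondary or restricts transfers on the master, so that NS is a dangling delegation until a slave zone exists there. The SOA `Expire` of 8419200 (97 days) and the 604800 negative-cache TTL are also template defaults — a week of negative caching makes every typo'd name stick for seven days in resolvers; something like 3600 is the usual choice for an internal zone.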


@@ -0,0 +1,24 @@
; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
2015121701 ; Serial
7200 ; Refresh
86400 ; Retry
8419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS s-infra.gsb.lan.
@ IN NS s-backup.gsb.lan.
1.0 IN PTR s-infra.gsb.lan.
4.0 IN PTR s-backup.gsb.lan.
2.0 IN PTR s-proxy.gsb.lan.
3.0 IN PTR s-appli.gsb.lan.
6.0 IN PTR s-win.gsb.lan.
7.0 IN PTR s-mess.gsb.lan.
8.0 IN PTR s-mon.gsb.lan.
9.0 IN PTR s-itil.gsb.lan.
254.0 IN PTR r-int.gsb.lan.


@@ -0,0 +1,2 @@
<center><img src="http://sio.lyc-lecastel.fr/~nicolas.denizot/warning.jpg" alt="Bloque"></img></center>
<center><h1>Vous n'avez pas les droits requis pour acceder a cette page, veuillez contacter votre Administrateur.</h1></center>
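Review bot: The block page embeds `http://sio.lyc-lecastel.fr/~nicolas.denizot/warning.jpg`, an image on an external host fetched over plain HTTP: a page shown to a user the proxy has just blocked then triggers an outbound request that the same proxy may block (so the image never loads), and it discloses to that host the fact and time of every block. Ship the image next to the page in `/var/www/` and reference it with a relative `src`. `</img>` is not valid HTML (`img` is a void element), and the page has no doctype or `<meta charset>`, which is presumably why the text was written without accents; add `<meta charset="utf-8">` and the accents can come back.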


@@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 s-infra
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


@@ -0,0 +1,20 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "gsb.lan" {
type master;
file "/etc/bind/db.gsb.lan";
};
zone "16.172.in-addr.arpa"{
type master;
notify no;
file "/etc/bind/db.gsb.lan.rev";
};
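Review bot: Neither zone sets `allow-transfer`, and BIND 9's historical default for a master zone is `allow-transfer { any; }`, so any client that can reach port 53 can AXFR the full `gsb.lan` host list and the reverse zone — exactly the inventory an attacker wants first. Add `allow-transfer { 172.16.0.4; };` (s-backup, the second NS named in the zone) to both zones, or `allow-transfer { none; };` if no secondary exists yet. `notify no;` is set on the reverse zone only; if s-backup is meant to be a secondary both zones should notify it, and if not, both should say `notify no;`.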


@@ -0,0 +1,25 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
192.168.99.99;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-query { 172.16.0.0/16; } ;
allow-recursion { 172.16.0.0/16; } ;
};
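Review bot: `allow-query { 172.16.0.0/16; }` and `allow-recursion { 172.16.0.0/16; }` do not include `localhost`, yet this same role installs a `resolv.conf` with `nameserver 127.0.0.1` — queries from s-infra itself arrive from 127.0.0.1 and get REFUSED, so the server cannot resolve its own zone or anything through the forwarder. Hosts on the admin network (`192.168.99.0/24`, where the forwarder `192.168.99.99` lives) are excluded as well. Use `allow-query { localhost; 172.16.0.0/16; 192.168.99.0/24; };` and the same list for `allow-recursion`, or the built-in `localnets;` ACL if every attached interface is in scope. With a forwarder and no `forward only;`, BIND falls back to recursion from the root hints when s-adm is down; if that is not wanted, add `forward only;`.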


@@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 127.0.0.1


@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted


@@ -0,0 +1,33 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9
- name: Copie named.conf.local
copy: src=named.conf.local dest=/etc/bind
notify:
- restart bind9
- name: Copie db.gsb.lan
copy: src=db.gsb.lan dest=/etc/bind
notify:
- restart bind9
- name: Copie db.gsb.lan.rev
copy: src=db.gsb.lan.rev dest=/etc/bind
notify:
- restart bind9
- name: Copie resolv.conf
copy: src=resolv.conf dest=/etc
notify:
- restart bind9
- name: Copie page squidguard
copy: src=forbidden.html dest=/var/www/
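Review bot: The zone files `db.gsb.lan` and `db.gsb.lan.rev` are copied without validation, so a typo in a record takes the zone out at the very restart the handler triggers; the `copy` module's hook covers this — `validate: 'named-checkzone gsb.lan %s'` on the forward zone and `validate: 'named-checkzone 16.172.in-addr.arpa %s'` on the reverse. The `resolv.conf` copy notifies `restart bind9`, which is misleading since changing the resolver file needs no BIND restart; drop that notify. The `forbidden.html` copy to `/var/www/` sets no `owner`/`mode`, its name says squidguard while nothing in this role installs a proxy, and it belongs with the proxy role rather than the DNS one.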


@@ -0,0 +1,531 @@
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
#strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via enp0s8
# server=10.1.2.3@enp0s8
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg enp0s3) here.
# Repeat the line for more than one interface.
interface=enp0s8
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=enp0s3
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
dhcp-range=192.168.99.100,192.168.99.120,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC alogrithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
# Send DHCPv6 option for namservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]
# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i
# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow is to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"
# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i
# Set the boot filename for netboot/PXE. You will only need
# this is you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0
# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100
# Boot for Etherboot gPXE. The idea is to send two different
# filenames, the first loads gPXE, and the second tells gPXE what to
# load. The dhcp-match sets the gpxe tag for requests from gPXE.
#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
#dhcp-boot=tag:!gpxe,undionly.kpxe
#dhcp-boot=mybootimage
# Encapsulated options for Etherboot gPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b # priority code
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
#dhcp-option=encap:175, 177, string # bus-id
#dhcp-option=encap:175, 189, 1b # BIOS drive code
#dhcp-option=encap:175, 190, user # iSCSI username
#dhcp-option=encap:175, 191, pass # iSCSI password
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60
# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
# Use bootserver on network, found my multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1
# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net
# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fasion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part if missing from the name (so that is just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/*.conf
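Review bot: `#domain-needed` and `#bogus-priv` are left commented while `interface=enp0s8` and `dhcp-range=192.168.99.100,192.168.99.120,255.255.255.0,12h` make this the resolver for a LAN, so bare hostnames and reverse lookups for private ranges coming from those clients are forwarded to whatever upstream /etc/resolv.conf names, which leaks internal host names and loads the upstream needlessly. Uncomment both lines, `domain-needed` and `bogus-priv`; the stock comment directly above them already describes the effect. The comment paragraph that begins `# Do` and continues `# default (1, 3, 6, 12, 28) the same line will send a zero-length option` is truncated mid-sentence — the stock file's explanation of `dhcp-option` between those two lines appears to have been lost while editing, so the stub should be restored or removed rather than left to mislead the next reader.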


@@ -0,0 +1,3 @@
---
- name: restart dnsmasq
service: name=dnsmasq state=restarted


@@ -0,0 +1,11 @@
---
- name: Installation dnsmasq
apt: name=dnsmasq state=present
- name: Copie du fichier dnsmasq.conf
copy: src=dnsmasq.conf dest=/etc/
notify:
- restart dnsmasq
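Review bot: `copy: src=dnsmasq.conf dest=/etc/` installs the file without any syntax check, so a typo in dnsmasq.conf is shipped to /etc and the notified `restart dnsmasq` then takes DNS and DHCP down for every client on the served interface. The `copy` module can check the candidate before it replaces the live file and only then trigger the handler: `copy: src=dnsmasq.conf dest=/etc/dnsmasq.conf owner=root group=root mode=0644 validate='dnsmasq --test --conf-file=%s'`. Pinning `owner`/`mode` at the same time keeps the file's permissions independent of the controller's umask.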


@@ -0,0 +1,44 @@
version: '2'
services:
# MongoDB: https://hub.docker.com/_/mongo/
mongodb:
image: mongo:3
# Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/6.x/docker.html
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.5.4
environment:
- http.host=192.168.0.50
- transport.host=localhost
- network.host=0.0.0.0
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 1g
# Graylog: https://hub.docker.com/r/graylog/graylog/
graylog:
image: graylog/graylog:2.5
environment:
# CHANGE ME!
- GRAYLOG_PASSWORD_SECRET=somepasswordpepper
# Password: admin
- GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
- GRAYLOG_WEB_ENDPOINT_URI=http://127.0.0.1:9000/api
links:
- mongodb:mongo
- elasticsearch
depends_on:
- mongodb
- elasticsearch
ports:
# Graylog web interface and REST API
- 9000:9000
# Syslog TCP
- 515:514
# Syslog UDP
- 515:514/udp
# GELF TCP
- 12201:12201
# GELF UDP
- 12201:12201/udp
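Review bot: `GRAYLOG_PASSWORD_SECRET=somepasswordpepper` and `GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5…` are committed with the upstream example values — the `# Password: admin` comment above the hash says as much — so the admin login and the secret used to sign sessions are readable by anyone with the repository while the UI is published on `9000:9000`. Take both out of the file and let Compose substitute them at deploy time, `- GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}` and `- GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}`, or move them into an `env_file:` kept outside version control, and generate a fresh pepper instead of reusing the example string. `GRAYLOG_WEB_ENDPOINT_URI=http://127.0.0.1:9000/api` presumably has to be the address browsers reach the host on; a loopback address will only work from the Docker host itself. The same file, differing only in `http.host` and the graylog image tag, is added again in the second docker-compose.yml section below, where the same applies.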


@@ -0,0 +1,13 @@
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /var/lib/containers ext4 defaults 0 0
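Review bot: The data disk is mounted by kernel device name, `/dev/sdb1 /var/lib/containers ext4 defaults 0 0`, although the file's own header recommends `UUID=` and the /boot line already uses it; device letters shift when a disk is added or enumerated in a different order, at which point the wrong block device ends up under the container data directory, and without `nofail` a missing disk stops the boot in emergency mode. Prefer `UUID=<sdb1-uuid-from-blkid> /var/lib/containers ext4 defaults,nofail 0 2`, which binds the mount to the filesystem rather than the slot and lets a missing disk degrade instead of block. The mount point also differs from the `/var/lib/docker` that the playbook installing this file mounts the same device on; one of the two must be corrected. The identical fstab is added three more times below (after each later docker-compose.yml and iredmail.sh section) and the same remarks apply there.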


@@ -0,0 +1,2 @@
[Service]
Environment="HTTPS_PROXY=http://10.121.38.1:8080/"


@@ -0,0 +1,3 @@
---
- name: restart docker
service: name=docker state=restarted


@@ -0,0 +1,62 @@
---
- name: Installation de apt-transport-https
apt: name=apt-transport-https state=present
- name: Installation de ca-certificates
apt: name=ca-certificates state=present
- name: Installation de gnupg2
apt: name=gnupg2 state=present
- name: Installation de software-properties-common
apt: name=software-properties-common state=present
- name: Installation de sudo
apt: name=sudo state=present
- name: Installation de docker
shell: export https_proxy=http://10.121.38.1:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- name: Récupération des paquets docker-ce et docker-compose
shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- name: Création du répertoire docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
owner: root
group: root
mode: 0775
recurse: yes
- name: Copie https_proxy.conf
copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/
notify:
- restart docker
- name: Vérification des nouveaux paquets
shell: sudo apt-get update
- name: Installation de docker-ce
shell: sudo apt-get install -y docker-ce
- name: Installation de docker-compose
shell: export https_proxy=http://10.121.38.1:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Modification des droits de docker-compose
shell: chmod +x /usr/local/bin/docker-compose
- name: Copie du fichier fstab
copy: src=fstab dest=/etc/
- name: Création du répertoire graylog
shell: mkdir /root/graylog
- name: Copie du docker-compose.yml graylog
copy: src=docker-compose.yml dest=/root/graylog
- name: Changement du système de fichier de /dev/sdb1 en ext4
shell: mkfs.ext4 /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
shell: mount /dev/sdb1 /var/lib/docker
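Review bot: `shell: mkfs.ext4 /dev/sdb1` runs on every play, so a re-run reformats the disk and wipes the Docker data on it, and the following `mount /dev/sdb1 /var/lib/docker` disagrees with the copied fstab, whose entry mounts `/dev/sdb1` on `/var/lib/containers` — after a reboot the daemon's data directory silently lives on the root filesystem again. The `filesystem` and `mount` modules do both steps idempotently and `mount` maintains the fstab entry itself, which lets the whole-file `copy: src=fstab dest=/etc/` (it also hard-codes the installer's root and /boot UUIDs) be dropped. `curl -fsSL … | sudo apt-key add -` through the hard-coded proxy trusts whatever key comes back; `apt_key` with `id` pins the expected fingerprint, and `apt_repository` replaces the `add-apt-repository` shell with a task that is safe to repeat. The same sequence is repeated in the docker tasks sections that follow the second docker-compose.yml and iredmail.sh, and in the portainer tasks file that runs past the end of this view.
```yaml
# … unchanged: apt installs of apt-transport-https … sudo …
- name: Installation de la clé Docker
  apt_key:
    url: https://download.docker.com/linux/debian/gpg
    id: "<DOCKER-GPG-KEY-FINGERPRINT>"   # placeholder: pin the published fingerprint
  environment:
    https_proxy: http://10.121.38.1:8080
- name: Récupération des paquets docker-ce et docker-compose
  apt_repository:
    repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
# … unchanged: docker.service.d, https_proxy.conf, apt-get update, docker-ce, docker-compose, graylog …
- name: Système de fichiers ext4 sur /dev/sdb1
  filesystem:
    fstype: ext4
    dev: /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
  mount:
    path: /var/lib/docker
    src: /dev/sdb1
    fstype: ext4
    state: mounted
```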


@@ -0,0 +1,44 @@
version: '2'
services:
# MongoDB: https://hub.docker.com/_/mongo/
mongodb:
image: mongo:3
# Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/6.x/docker.html
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.5.4
environment:
- http.host=172.16.0.20
- transport.host=localhost
- network.host=0.0.0.0
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 1g
# Graylog: https://hub.docker.com/r/graylog/graylog/
graylog:
image: graylog/graylog:2.5.1
environment:
# CHANGE ME!
- GRAYLOG_PASSWORD_SECRET=somepasswordpepper
# Password: admin
- GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
- GRAYLOG_WEB_ENDPOINT_URI=http://127.0.0.1:9000/api
links:
- mongodb:mongo
- elasticsearch
depends_on:
- mongodb
- elasticsearch
ports:
# Graylog web interface and REST API
- 9000:9000
# Syslog TCP
- 515:514
# Syslog UDP
- 515:514/udp
# GELF TCP
- 12201:12201
# GELF UDP
- 12201:12201/udp


@@ -0,0 +1,13 @@
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /var/lib/containers ext4 defaults 0 0


@@ -0,0 +1,2 @@
[Service]
Environment="HTTPS_PROXY=http://192.168.99.99:8080/"


@@ -0,0 +1,3 @@
---
- name: restart docker
service: name=docker state=restarted


@@ -0,0 +1,62 @@
---
- name: Installation de apt-transport-https
apt: name=apt-transport-https state=present
- name: Installation de ca-certificates
apt: name=ca-certificates state=present
- name: Installation de gnupg2
apt: name=gnupg2 state=present
- name: Installation de software-properties-common
apt: name=software-properties-common state=present
- name: Installation de sudo
apt: name=sudo state=present
- name: Installation de docker
shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- name: Récupération des paquets docker-ce et docker-compose
shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- name: Création du répertoire docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
owner: root
group: root
mode: 0775
recurse: yes
- name: Copie https_proxy.conf
copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/
notify:
- restart docker
- name: Vérification des nouveaux paquets
shell: sudo apt-get update
- name: Installation de docker-ce
shell: sudo apt-get install -y docker-ce
- name: Installation de docker-compose
shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Modification des droits de docker-compose
shell: chmod +x /usr/local/bin/docker-compose
- name: Copie du fichier fstab
copy: src=fstab dest=/etc/
- name: Création du répertoire graylog
shell: mkdir /root/graylog
- name: Copie du docker-compose.yml graylog
copy: src=docker-compose.yml dest=/root/graylog
- name: Changement du système de fichier de /dev/sdb1 en ext4
shell: mkfs.ext4 /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
shell: mount /dev/sdb1 /var/lib/docker


@@ -0,0 +1,13 @@
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /var/lib/containers ext4 defaults 0 0


@@ -0,0 +1,2 @@
[Service]
Environment="HTTPS_PROXY=http://192.168.99.99:8080/"


@@ -0,0 +1,14 @@
#!/bin/bash
docker run --privileged -p 80:80 -p 443:443 \
-h s-mess.sio.lan \
-e "DOMAIN=sio.lan" \
-e "MYSQL_ROOT_PASSWORD=iredmail" \
-e "SOGO_WORKERS=1" \
-e "TIMEZONE=Europe/Paris" \
-e "POSTMASTER_PASSWORD=Azertyuiop1+" \
-e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \
-v /root/mysql:/var/lib/mysql \
-v /root/vmail:/var/vmail \
-v /root/clamav:/var/lib/clamav \
--name=iredmail lejmr/iredmail:mysql-latest
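Review bot: `MYSQL_ROOT_PASSWORD=iredmail` and `POSTMASTER_PASSWORD=Azertyuiop1+` are hard-coded in a script committed to the repository, so the mail platform's database root and postmaster credentials are readable by anyone with access to the repo or its history. Pass them in from the environment with a mandatory-variable check, `-e "MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:?set in environment}"` and likewise for `POSTMASTER_PASSWORD`, or use `--env-file` pointing at a root-only file kept outside version control. `--privileged` grants the container every capability and unrestricted device access on the host; if the image genuinely requires it, the reason deserves a comment on that line, otherwise the specific `--cap-add` it needs is the narrower grant.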


@@ -0,0 +1,3 @@
---
- name: restart docker
service: name=docker state=restarted


@@ -0,0 +1,83 @@
---
- name: Installation de apt-transport-https
apt: name=apt-transport-https state=present
- name: Installation de ca-certificates
apt: name=ca-certificates state=present
- name: Installation de gnupg2
apt: name=gnupg2 state=present
- name: Installation de software-properties-common
apt: name=software-properties-common state=present
- name: Installation de sudo
apt: name=sudo state=present
- name: Installation de docker
shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- name: Récupération des paquets docker-ce et docker-compose
shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- name: Création du répertoire docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
owner: root
group: root
mode: 0775
recurse: yes
- name: Copie https_proxy.conf
copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/
notify:
- restart docker
- name: Vérification des nouveaux paquets
shell: sudo apt-get update
- name: Installation de docker-ce
shell: sudo apt-get install -y docker-ce
- name: Installation de docker-compose
shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Modification des droits de docker-compose
shell: chmod +x /usr/local/bin/docker-compose
- name: Copie du fichier fstab
copy: src=fstab dest=/etc/
- name: Copie du script bash Iredmail
copy: src=iredmail.sh dest=/root/tools/ansible
- name: Changement du système de fichier de /dev/sdb1 en ext4
shell: mkfs.ext4 /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
shell: mount /dev/sdb1 /var/lib/docker
- name: Droit pour le script Iredmail
shell: chmod a+x /root/tools/ansible/iredmail.sh
- name: Création du répertoire mysql
shell: mkdir /root//mysql
- name: Création du répertoire vmail
shell: mkdir /root/vmail
- name: Création du répertoire clamav
shell: mkdir /root/clamav
- name: Exécution du script Iredmail
debug: msg="Exécuter le script iredmail.sh qui se trouve dans tools/ansible"
- name: Montage /dev/sdb1
debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h"
- name: Test docker
debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1"
- name: Démarrer le container
debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443"
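Review bot: `copy: src=iredmail.sh dest=/root/tools/ansible` has no trailing slash and nothing creates `/root/tools` first, so on a fresh host the task fails on the missing parent directory or, where `/root/tools` already exists, writes the script as a file literally named `ansible`, after which `chmod a+x /root/tools/ansible/iredmail.sh` fails. Create the directory and give the copy its final name and mode in two module tasks, `file: path=/root/tools/ansible state=directory mode=0750` followed by `copy: src=iredmail.sh dest=/root/tools/ansible/iredmail.sh mode=0755`, which also makes the separate `chmod` shell task unnecessary. `mkdir /root//mysql` carries a doubled slash (harmless to the kernel but a sign the path was pasted), and all three `mkdir` shells fail on a second run; `file: path=/root/mysql state=directory` is the repeatable form. The last debug message refers to an openvas container and `https://172.16.0.19:443`, which looks copied from another role and should describe the iredmail container instead.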


@@ -0,0 +1,13 @@
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /var/lib/containers ext4 defaults 0 0


@@ -0,0 +1,2 @@
[Service]
Environment="HTTPS_PROXY=http://192.168.99.99:8080/"


@@ -0,0 +1,3 @@
---
- name: restart docker
service: name=docker state=restarted


@@ -0,0 +1,77 @@
---
- name: Installation de apt-transport-https
apt: name=apt-transport-https state=present
- name: Installation de ca-certificates
apt: name=ca-certificates state=present
- name: Installation de gnupg2
apt: name=gnupg2 state=present
- name: Installation de software-properties-common
apt: name=software-properties-common state=present
- name: Installation de sudo
apt: name=sudo state=present
- name: Installation de docker
shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- name: Récupération des paquets docker-ce et docker-compose
shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- name: Création du répertoire docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
owner: root
group: root
mode: 0775
recurse: yes
- name: Copie https_proxy.conf
copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/
notify:
- restart docker
- name: Vérification des nouveaux paquets
shell: sudo apt-get update
- name: Installation de docker-ce
shell: sudo apt-get install -y docker-ce
- name: Installation de docker-compose
shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Modification des droits de docker-compose
shell: chmod +x /usr/local/bin/docker-compose
- name: Création du docker portainer_data
shell: docker volume create portainer_data
- name: Initialisation de portainer
shell: docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer
- name: Copie du fichier fstab
copy: src=fstab dest=/etc/
- name: Changement du système de fichier de /dev/sdb1 en ext4
shell: mkfs.ext4 /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
shell: mount /dev/sdb1 /var/lib/docker
- name: Installation d'OpenVAS
debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas puis redémarrer docker avec service docker restart"
#- name: Installation d'IredMail
#debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name iredmail lejmr/iredmail puis redémarrer docker avec service docker restart"
- name: Montage /dev/sdb1
debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h"
- name: Test docker
debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1"
- name: Démarrer le container
debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443"


@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s9
IFINT=enp0s8
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
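Review bot: `iptables -A INPUT -i lo` and `iptables -A OUTPUT -o lo` have no `-j ACCEPT`, so they match loopback packets without giving a verdict and the DROP policies set just above still discard all local traffic; both lines need `-j ACCEPT`. `--dport 5500` in the nat-t-ike block is a typo for 4500, the port the three neighbouring rules use. Because nothing enables connection tracking, the `--sport 53/500/4500/161/123` INPUT rules admit any UDP datagram carrying that source port whether or not a request went out; an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule at the top of INPUT would cover the replies and make those sport rules unnecessary. `IFPUB` and `IFINT` are assigned but never used. The same script is repeated, differing only in those two variables, in the three later `@@ -0,0 +1,58 @@` sections, which all carry these defects.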


@@ -0,0 +1,3 @@
---
- name: fichier parefeu pour VPN
copy: src=iptables-vpn dest=/root/
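Review bot: `copy: src=iptables-vpn dest=/root/` places the script in /root without a `mode:`, and no task runs it or hooks it into boot, so on its own this role leaves the firewall untouched. If the script is the intended firewall, give the copy `mode: "0750"` and run it from a handler; otherwise it duplicates the ferm role in this commit, which appears to manage the same rules as a service, and could be dropped. The identical task appears again in the later `@@ -0,0 +1,3 @@` section (`fichier parefeu pour VPN` / `copy: src=iptables-vpn`).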


@@ -0,0 +1,122 @@
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
@def $DEV_ADM = enp0s3;
@def $DEV_VPN = enp0s8;
@def $DEV_EXT = enp0s9;
@def $NET_ADM=192.168.99.0/24;
@def $NET_VPN=192.168.0.0/24;
@def $NET_EXT=192.168.1.0/30;
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# allow SSH connections
#interface ($DEV_ADM) {
proto tcp dport ssh ACCEPT;
#}
# allow DNS connections
#interface ($DEV_INT) {
proto udp sport domain ACCEPT;
proto udp dport domain ACCEPT;
#}
# DHCP
proto udp dport (67 68) ACCEPT;
# allow IPsec
interface ($DEV_VPN $DEV_EXT) {
proto udp sport 500 ACCEPT;
proto udp dport 500 ACCEPT;
proto esp ACCEPT;
}
# Autoriser nat-t-ike
# interface ($DEV_VPN) {
proto udp sport 4500 ACCEPT;
proto udp dport 5500 ACCEPT;
# }
# allow DNS connections
#interface ($DEV_INT) {
proto (udp tcp) dport domain ACCEPT;
#}
# autoriser supervision
proto udp sport 161 ACCEPT;
# autoriser NTP
proto udp sport 123 ACCEPT;
# respond to ping
proto icmp mod limit limit 30/minut ACCEPT;
}
chain OUTPUT {
policy DROP;
# interface ($DEV_PUB) {
# Autoriser SSH
proto tcp sport ssh ACCEPT;
# Autoriser DNS
proto udp dport domain ACCEPT;
proto udp sport domain ACCEPT;
# DHCP
proto udp sport (67 68) ACCEPT;
# Autoriser ipsec
proto udp dport 500 ACCEPT;
proto udp sport 500 ACCEPT;
# Autoriser nat-t-ike
proto udp dport 4500 ACCEPT;
proto udp sport 4500 ACCEPT;
# Autoriser supervision
proto udp dport 161 ACCEPT;
# Autoriser NTP
proto udp dport 123 ACCEPT;
# respond to ping
proto icmp ACCEPT;
# }
# connection tracking
#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
# IPv6:
#domain ip6 {
# table filter {
# chain INPUT {
# policy ACCEPT;
# # ...
# }
# # ...
# }
#}
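Review bot: `proto udp dport 5500 ACCEPT;` in the nat-t-ike block should be `dport 4500`, as in the OUTPUT chain and in the iptables script of this commit. The `sport 161`, `sport 123`, `sport 500` and `sport 4500` INPUT rules are redundant with the `mod state state (ESTABLISHED RELATED) ACCEPT;` rule above them, and unlike it they accept unsolicited UDP from any host that uses those source ports, so they can be removed. SSH is accepted on every interface because the `interface ($DEV_ADM)` wrapper is commented out, while `$NET_ADM`, `$NET_VPN` and `$NET_EXT` are defined but never used; `interface $DEV_ADM saddr $NET_ADM proto tcp dport ssh ACCEPT;` would apply the restriction the comment intends. `limit 30/minut` should be written `30/minute`, the unit name iptables documents. The second ferm.conf later in this commit (the `@@ -0,0 +1,116 @@` section) shares the 5500 typo, the sport rules and the `minut` spelling.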


@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s9
IFINT=enp0s8
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT


@@ -0,0 +1,3 @@
---
- name: Restart ferm
service: name=ferm state=restarted


@@ -0,0 +1,8 @@
---
- name : installer ferm
apt: name=ferm state=present
- name: fichier parefeu pour VPN
copy: src=ferm.conf dest=/etc/ferm/ferm.conf
notify:
- Restart ferm
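Review bot: `- name : installer ferm` has a space before the colon; YAML still reads the key as `name`, but yamllint flags it and it breaks the convention used everywhere else in the commit, so write `- name: installer ferm`. The ferm.conf copy notifies `Restart ferm` with no syntax check, so a malformed file is only discovered when the service restarts; `validate: "ferm --noexec %s"` on the copy task rejects an unparsable config before the handler fires. The same copy-and-notify pair appears again in the later `@@ -0,0 +1,15 @@` tasks file and would benefit from the same `validate:`.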


@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s8
IFINT=enp0s9
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT


@@ -0,0 +1,3 @@
---
- name: fichier parefeu pour VPN
copy: src=iptables-vpn dest=/root/


@@ -0,0 +1,116 @@
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
@def $DEV_ADM = enp0s3;
@def $DEV_VPN = enp0s8;
@def $DEV_EXT = enp0s9;
@def $NET_ADM=192.168.99.0/24;
@def $NET_VPN=192.168.0.0/24;
@def $NET_EXT=192.168.1.0/30;
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# allow SSH connections
#interface ($DEV_ADM) {
proto tcp dport ssh ACCEPT;
#}
# allow DNS connections
#interface ($DEV_INT) {
proto udp sport domain ACCEPT;
proto udp dport domain ACCEPT;
#}
# allow IPsec
interface ($DEV_VPN) {
proto udp sport 500 ACCEPT;
proto udp dport 500 ACCEPT;
proto esp ACCEPT;
}
# Autoriser nat-t-ike
interface ($DEV_VPN) {
proto udp sport 4500 ACCEPT;
proto udp dport 5500 ACCEPT;
}
# allow DNS connections
#interface ($DEV_INT) {
# proto (udp tcp) dport domain ACCEPT;
#}
# autoriser supervision
proto udp sport 161 ACCEPT;
# autoriser NTP
proto udp sport 123 ACCEPT;
# respond to ping
proto icmp mod limit limit 30/minut ACCEPT;
}
chain OUTPUT {
policy DROP;
# interface ($DEV_PUB) {
# Autoriser SSH
proto tcp sport ssh ACCEPT;
# Autoriser DNS
proto udp dport domain ACCEPT;
proto udp sport domain ACCEPT;
# Autoriser ipsec
proto udp dport 500 ACCEPT;
proto udp sport 500 ACCEPT;
# Autoriser nat-t-ike
proto udp dport 4500 ACCEPT;
proto udp sport 4500 ACCEPT;
# Autoriser supervision
proto udp dport 161 ACCEPT;
# Autoriser NTP
proto udp dport 123 ACCEPT;
# respond to ping
proto icmp ACCEPT;
# }
# connection tracking
#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
# IPv6:
#domain ip6 {
# table filter {
# chain INPUT {
# policy ACCEPT;
# # ...
# }
# # ...
# }
#}


@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s8
IFINT=enp0s9
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT


@@ -0,0 +1,3 @@
---
- name: Restart ferm
service: name=ferm state=restarted


@@ -0,0 +1,15 @@
---
- name: redemarrer interfaces
command: ifdown enp0s8
- name: redemarrer interfaces
command: ifup enp0s8
- name: redemarrer interfaces
command: ifdown enp0s9
- name: redemarrer interfaces
command: ifup enp0s9
- name: redemarrer interfaces
apt: name=ferm state=present
- name: fichier parefeu pour VPN
copy: src=ferm.conf dest=/etc/ferm/ferm.conf
notify:
- Restart ferm
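Review bot: Five consecutive tasks are all named `redemarrer interfaces`, including the one that actually runs `apt: name=ferm state=present`, so the play output cannot tell them apart; name each task for what it does. The `ifdown`/`ifup` pairs run through `command:` on every play run, report changed each time, and — if Ansible's SSH session arrives over enp0s8 or enp0s9 — may cut the connection mid-play; that depends on the inventory, so confirm. If the bounce is only needed after the firewall config changes, move it into a handler notified by the ferm.conf copy rather than running it unconditionally before ferm is even installed.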

15
roles/fog/tasks/main.yml Normal file

@@ -0,0 +1,15 @@
---
- name: creation d'un repertoire fog
file:
path: /root/fog
state: directory
- name: recuperation du fichier d'installation de fog
get_url:
url: http://depl/gsbstore/fogproject-1.5.7.tar.gz
dest: /root/fog
- name: decompression du fichier d'installation de fog
unarchive:
src: /root/fog/fogproject-1.5.7.tar.gz
dest: /root/fog
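Review bot: `unarchive` with `src: /root/fog/fogproject-1.5.7.tar.gz` refers to a file that the preceding `get_url` placed on the managed host, but without `remote_src: yes` the module looks for that path on the controller and the task fails; add `remote_src: yes` to the unarchive task. The tarball is fetched over plain HTTP from `http://depl/gsbstore/` with no integrity check, so add `checksum: "sha256:<EXPECTED-SHA256>"` (placeholder; record the hash of the archive you publish) to the `get_url` task. Nothing in this role runs the extracted installer, which may be intentional but deserves a comment on the task.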

10
roles/goss/tasks/main.yml Normal file

@@ -0,0 +1,10 @@
---
- name: goss binary exists
stat: path=/usr/local/bin/goss
register: gossbin
- name: install goss
shell: export https_proxy=http://10.121.38.1:8080 && curl -fsSL https://goss.rocks/install | sh
when: gossbin.stat.exists == False
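Review bot: `curl -fsSL https://goss.rocks/install | sh` executes whatever that URL serves at run time with no version pin or checksum, so an upstream change or a tampered response lands directly on the host; replace it with `get_url` of a pinned goss release to /usr/local/bin/goss with `checksum:` and `mode: "0755"`, which also makes the `stat`/`when` guard unnecessary. The proxy `10.121.38.1:8080` differs from the `192.168.99.99:8080` used in the docker role of this commit; if both are real, a role variable would make that visible. `when: gossbin.stat.exists == False` reads more naturally as `when: not gossbin.stat.exists`.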


@@ -0,0 +1,59 @@
###############################################################################
# contacts.cfg
###############################################################################
###############################################################################
###############################################################################
#
# CONTACTS
#
###############################################################################
###############################################################################
# In this simple config file, a single contact will receive all alerts.
#define contact{
# contact_name root
# alias Root
# service_notification_period 24x7
# host_notification_period 24x7
# service_notification_options w,u,c,r
# host_notification_options d,r
# service_notification_commands notify-service-by-email
# host_notification_commands notify-host-by-email
# email root@localhost
# }
define contact{
contact_name admin
alias Administrateur
service_notification_period 24x7
host_notification_period 24x7
service_notification_options w,u,c,r
host_notification_options d,r
service_notification_commands notify-service-by-email
host_notification_commands notify-host-by-email
email icinga.ppe31@gmail.com
}
###############################################################################
###############################################################################
#
# CONTACT GROUPS
#
###############################################################################
###############################################################################
# We only have one contact in this simple configuration file, so there is
# no need to create more than one contact group.
define contactgroup{
contactgroup_name admins
alias Nagios Administrators
members admin
}
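Review bot: `email icinga.ppe31@gmail.com` hard-codes a personal mailbox into a role file that every deployment will receive; render contacts.cfg from a `template` with the address as a role variable so it can be set per site without editing the role. The commented-out `root` contact above it can be dropped rather than carried along as dead configuration.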


@@ -0,0 +1,13 @@
##
## Extended Host and Service Information
##
define hostextinfo{
hostgroup_name debian-servers
notes Debian GNU/Linux servers
# notes_url http://webserver.localhost.localdomain/hostinfo.pl?host=netware1
icon_image base/debian.png
icon_image_alt Debian GNU/Linux
vrml_image debian.png
statusmap_image base/debian.gd2
}


@@ -0,0 +1,19 @@
Generic host definition template - This is NOT a real host, just a template!
define host{
name generic-host ; The name of this host template
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
check_command check-host-alive
max_check_attempts 10
notification_interval 0
notification_period 24x7
notification_options d,u,r
contact_groups admins
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
}
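Review bot: The first line, `Generic host definition template - This is NOT a real host, just a template!`, has no leading `#`, so it is not a comment but a bare statement outside any `define` block, and the configuration check is likely to reject the file; prefix it with `# `. The rest is the stock generic-host template and needs no change.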


@@ -0,0 +1,26 @@
# generic service template definition
define service{
name generic-service ; The 'name' of this service template
active_checks_enabled 1 ; Active service checks are enabled
passive_checks_enabled 1 ; Passive service checks are enabled/accepted
parallelize_check 1 ; Active service checks should be parallelized (disabling this can lead to major performance problems)
obsess_over_service 1 ; We should obsess over this service (if necessary)
check_freshness 0 ; Default is to NOT check service 'freshness'
notifications_enabled 1 ; Service notifications are enabled
event_handler_enabled 1 ; Service event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
notification_interval 0 ; Only send notifications on status change by default.
is_volatile 0
check_period 24x7
normal_check_interval 5
retry_check_interval 1
max_check_attempts 4
notification_period 24x7
notification_options w,u,c,r
contact_groups admins
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}


@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name gwsio2
alias Passerelle
address 192.168.0.1
icon_image cook/linux_server.gif
statusmap_image cook/linux_server.gd2
}


@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host
host_name localhost
alias Serveur monitoring
address localhost
}
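Review bot: This file defines `host_name localhost`, and the next file in the commit (the `@@ -0,0 +1,60 @@` section carrying the Disk Space / Current Users / Total Processes / Current Load services) defines `host_name localhost` a second time with a different alias, `address 127.0.0.1` and `parents gwsio2`; a duplicate host name fails configuration verification, so keep only one of the two definitions. `address localhost` here also makes every check depend on name resolution, whereas the other copy uses the literal `127.0.0.1`, which is the safer choice.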


@@ -0,0 +1,60 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in icinga-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name localhost
alias localhost
address 127.0.0.1
parents gwsio2
}
# Define a service to check the disk space of the root partition
# on the local machine. Warning if < 20% free, critical if
# < 10% free space on partition.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Disk Space
check_command check_all_disks!20%!10%
}
# Define a service to check the number of currently logged in
# users on the local machine. Warning if > 20 users, critical
# if > 50 users.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Current Users
check_command check_users!20!50
}
# Define a service to check the number of currently running procs
# on the local machine. Warning if > 250 processes, critical if
# > 400 processes.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Total Processes
check_command check_procs!250!400
}
# Define a service to check the load on the local machine.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Current Load
check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
}


@@ -0,0 +1,16 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name netgear
alias switch
address 192.168.0.2
parents gwsio4
icon_image cook/switch.gif
statusmap_image cook/switch.gd2
}
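Review bot: `parents gwsio4` names a host that no file in this commit defines; the gateway file defines `host_name gwsio2`, which is also what the localhost definition uses as its parent. An unknown parent fails the configuration check, so either change this to `parents gwsio2` or add the missing host definition.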


@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name r-ext
alias Routeur externe
address 192.168.200.253
parents localhost
}


@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name r-int
alias Routeur interne
address 172.16.0.254
parents r-ext
}


@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-adm
alias debian-servers
address 192.168.99.99
parents r-int
}


@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-infra
alias debian-servers
address 172.16.0.1
parents r-int
}


@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-proxy
alias serveur proxy
address 172.16.0.2
parents r-int
}


@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-test
alias machine test
address 172.16.0.18
parents r-int
}


@@ -0,0 +1,106 @@
define service {
hostgroup_name http-servers
service_description HTTP
check_command check_http
use generic-service
notification_interval 0 ; set > 0 if you want to be renotified
}
define service {
hostgroup_name ssh-servers
service_description SSH
check_command check_ssh
use generic-service
notification_interval 0 ; set > 0 if you want to be renotified
}
define service{
use generic-service
hostgroup_name debian-servers
service_description Espace disque
check_command check_snmp_storage!public!--v2c!"^/$|tmp|usr|var"!90!95
}
define service{
use generic-service
hostgroup_name debian-servers
service_description Charge machine
check_command check_snmp_load!public!--v2c!netsl!2,1,1!3,2,2
}
define service{
use generic-service
hostgroup_name localhost
service_description Charge machine
check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
}
define service{
use generic-service
hostgroup_name debian-servers
service_description RAM
check_command check_snmp_mem!public!--v2c!-N!95,60!99,90
}
define service{
use generic-service
hostgroup_name windows-servers
service_description Version NSClient++
check_command check_nt!CLIENTVERSION
}
define service{
use generic-service
hostgroup_name windows-servers
service_description Charge CPU
check_command check_nt!CPULOAD!-l 5,80,90,15,80,90
}
define service{
use generic-service
hostgroup_name windows-servers
service_description Uptime
check_command check_nt!UPTIME
}
define service{
use generic-service
hostgroup_name windows-servers
service_description Mem Use
check_command check_nt!MEMUSE!80,90
}
define service{
use generic-service
hostgroup_name windows-servers
service_description Disk Space
check_command check_nt!USEDDISKSPACE!-l C!10,5
}
define service{
use generic-service
hostgroup_name windows-servers
service_description Service DNS
check_command check_nt!SERVICESTATE!-l W32Time,"Client DNS"
}
define service{
use generic-service
hostgroup_name uptimegrp
service_description Uptime
check_command check_snmp!-C public -o 1.3.6.1.2.1.1.3.0
}
define service{
use generic-service
hostgroup_name dns-servers
service_description DNS Ext
check_command check_dns
}
#define service{
# use generic-service
# hostgroup_name dhcp-servers
# service_description Service DHCP
# check_command check_dhcp
#}
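Review bot: The SNMP checks pass the community string `public` with `--v2c` inline in their check_command arguments, so a default, widely known community is committed to the repository and used against every debian-servers host; move it into a `$USERn$` macro defined in resource.cfg and set a non-default community, or SNMPv3, on the agents. `hostgroup_name localhost` in the second `Charge machine` service names a host, not a hostgroup. The other services key on `debian-servers`, `windows-servers`, `http-servers`, `ssh-servers`, `uptimegrp` and `dns-servers`, yet no `define hostgroup` for any of them appears in this commit and none of the host definitions carries a `hostgroups` line, so as far as this commit shows these services attach to nothing until those groups are added.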


@@ -0,0 +1,16 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name srv-2012
alias windows-servers
address 172.16.0.6
parents r-int
icon_image base/win40.gif
statusmap_image base/win40.gd2
}


@@ -0,0 +1,50 @@
###############################################################################
# timeperiods.cfg
###############################################################################
# This defines a timeperiod where all times are valid for checks,
# notifications, etc. The classic "24x7" support nightmare. :-)
define timeperiod{
timeperiod_name 24x7
alias 24 Hours A Day, 7 Days A Week
sunday 00:00-24:00
monday 00:00-24:00
tuesday 00:00-24:00
wednesday 00:00-24:00
thursday 00:00-24:00
friday 00:00-24:00
saturday 00:00-24:00
}
# Here is a slightly friendlier period during work hours
define timeperiod{
timeperiod_name workhours
alias Standard Work Hours
monday 09:00-17:00
tuesday 09:00-17:00
wednesday 09:00-17:00
thursday 09:00-17:00
friday 09:00-17:00
}
# The complement of workhours
define timeperiod{
timeperiod_name nonworkhours
alias Non-Work Hours
sunday 00:00-24:00
monday 00:00-09:00,17:00-24:00
tuesday 00:00-09:00,17:00-24:00
wednesday 00:00-09:00,17:00-24:00
thursday 00:00-09:00,17:00-24:00
friday 00:00-09:00,17:00-24:00
saturday 00:00-24:00
}
# This one is a favorite: never :)
define timeperiod{
timeperiod_name never
alias Never
}
# end of file


@@ -0,0 +1,643 @@
#!/usr/bin/perl -w
#
# check_iftraffic.pl - Nagios(r) network traffic monitor plugin
# Copyright (C) 2004 Gerd Mueller / Netways GmbH
# $Id: check_iftraffic.pl 1119 2006-02-09 10:30:09Z gmueller $
#
# mw = Markus Werner mw+nagios@wobcom.de
# Remarks (mw):
#
# I adopted as much as possible the programming style of the origin code.
#
# There should be a function to exit this programm,
# instead of calling print and exit statements all over the place.
#
#
# minor changes by mw
# The snmp if_counters on net devices can have overflows.
# I wrote this code to address this situation.
# It has no automatic detection and which point the overflow
# occurs but it will generate a warning state and you
# can set the max value by calling this script with an additional
# arg.
#
# minor cosmetic changes by mw
# Sorry but I couldn't sustain to clean up some things.
#
# gj = Greg Frater gregATfraterfactory.com
# Remarks (gj):
# minor (gj):
#
# * fixed the performance data, formating was not to spec
# * Added a check of the interfaces status (up/down).
# If down the check returns a critical status.
# * Allow either textual or the numeric index value.
# * If the interface speed is not specified on the command line
# it gets it automatically from IfSpeed
# * Added option for second ifSpeed to allow for asymetrcal links
# such as a DSL line or cable modem where the download and upload
# speeds are different
# * Added -B option to display results in bits/sec instead of Bytes/sec
# * Added the current usage in Bytes/s (or bit/s) to the perfdata output
# * Added ability for plugin to determine interface to query by matching IP
# address of host with entry in ipAdEntIfIndex (.1.3.6.1.2.1.4.20.1.2)
# * Added -L flag to list entries found in the ipAdEntIfIndex table
# Otherwise, it works as before.
#
#
#
#
# based on check_traffic from Adrian Wieczorek, <ads (at) irc.pila.pl>
#
# Send us bug reports, questions and comments about this plugin.
# Latest version of this software: http://www.nagiosexchange.org
#
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307
use strict;
use Net::SNMP;
use Getopt::Long;
&Getopt::Long::config('bundling');
use Data::Dumper;
my $host_ip;
my $host_address;
my $iface_number;
my $iface_descr;
my $iface_speed;
my $iface_speedOut;
my $index_list;
my $opt_h;
my $units;
my $session;
my $error;
my $port = 161;
my $snmp_version = 1;
my @snmpoids;
# SNMP OIDs for Traffic
my $snmpIfOperStatus = '1.3.6.1.2.1.2.2.1.8';
my $snmpIfInOctets = '1.3.6.1.2.1.2.2.1.10';
my $snmpIfOutOctets = '1.3.6.1.2.1.2.2.1.16';
my $snmpIfDescr = '1.3.6.1.2.1.2.2.1.2';
my $snmpIfSpeed = '1.3.6.1.2.1.2.2.1.5';
my $snmpIPAdEntIfIndex = '1.3.6.1.2.1.4.20.1.2';
my $response;
# Path to tmp files
my $TRAFFIC_FILE = "/tmp/traffic";
# changes sos 20090717 UNKNOWN must bes 3
my %STATUS_CODE =
( 'UNKNOWN' => '3', 'OK' => '0', 'WARNING' => '1', 'CRITICAL' => '2' );
#default values;
my $state = "UNKNOWN";
my $if_status = '4';
my ( $in_bytes, $out_bytes ) = 0;
my $warn_usage = 85;
my $crit_usage = 98;
my $COMMUNITY = "public";
my $use_reg = undef; # Use Regexp for name
my $output = "";
my $bits = undef;
my $suffix = "Bs";
my $label = "MBytes";
#added 20050614 by mw
my $max_value;
my $max_bytes;
#cosmetic changes 20050614 by mw, see old versions for detail
# Added options for bits and second max ifspeed 20100202 by gj
# Added options for specificy IP addr to match 20100405 by gj
my $status = GetOptions(
"h|help" => \$opt_h,
'B' => \$bits,
'bits' => \$bits,
"C|community=s" => \$COMMUNITY,
"w|warning=s" => \$warn_usage,
"c|critical=s" => \$crit_usage,
"b|bandwidth|I|inBandwidth=i" => \$iface_speed,
"O|outBandwidth=i" => \$iface_speedOut,
'r' => \$use_reg,
'noregexp' => \$use_reg,
"p|port=i" => \$port,
"u|units=s" => \$units,
"i|interface=s" => \$iface_number,
"A|address=s" => \$host_ip,
"H|hostname=s" => \$host_address,
'L' => \$index_list,
'list' => \$index_list,
#added 20050614 by mw
"M|max=i" => \$max_value
);
if ( $status == 0 ) {
print_help();
exit $STATUS_CODE{'OK'};
}
# Changed 20091214 gj
# Check for missing options
#if ( ( !$host_address ) or ( !$iface_descr ) ) {
if ( !$host_address ) {
print "\nMissing host address!\n\n";
stop(print_usage(),"OK");
} elsif ( ( $iface_speed ) and ( !$units ) ){
print "\nMissing units!\n\n";
stop(print_usage(),"OK");
} elsif ( ( $units ) and ( ( !$iface_speed ) and ( !$iface_speedOut ) ) ) {
print "\nMissing interface maximum speed!\n\n";
stop(print_usage(),"OK");
} elsif ( ( $iface_speedOut ) and ( !$units ) ) {
print "\nMissing units for Out maximum speed!\n\n";
stop(print_usage(),"OK");
}
if ($bits) {
$suffix = "bs"
}
if ( !$iface_speed ) {
# Do nothing
}else{
#change 20050414 by mw
# Added iface_speedOut 20100202 by gj
# Convert interface speed to kiloBytes
$iface_speed = bits2bytes( $iface_speed, $units ) / 1024;
if ( $iface_speedOut ) {
$iface_speedOut = bits2bytes( $iface_speedOut, $units ) / 1024;
}
if ( !$max_value ) {
# If no -M Parameter was set, set it to 32Bit Overflow
$max_bytes = 4194304 ; # the value is (2^32/1024)
}
else {
$max_bytes = unit2bytes( $max_value, $units );
}
}
if ( $snmp_version =~ /[12]/ ) {
( $session, $error ) = Net::SNMP->session(
-hostname => $host_address,
-community => $COMMUNITY,
-port => $port,
-version => $snmp_version
);
if ( !defined($session) ) {
stop("UNKNOWN: $error","UNKNOWN");
}
}
elsif ( $snmp_version =~ /3/ ) {
$state = 'UNKNOWN';
stop("$state: No support for SNMP v3 yet\n",$state);
}
else {
$state = 'UNKNOWN';
stop("$state: No support for SNMP v$snmp_version yet\n",$state);
}
# Neither Interface Index nor Host IP address were specified
if ( !$iface_descr ) {
if ( !$host_ip ){
# try to resolve host name and find index from ip addr
$iface_descr = fetch_Ip2IfIndex( $session, $host_address );
} else {
# Use ip addr to find index
$iface_descr = fetch_Ip2IfIndex( $session, $host_ip );
}
}
#push( @snmpoids, $snmpIPAdEntIfIndex . "." . $host_address );
# Added 20091209 gj
# Detect if a string description was given or a numberic interface index number
if ( $iface_descr =~ /[^0123456789]+/ ) {
$iface_number = fetch_ifdescr( $session, $iface_descr );
}else{
$iface_number = $iface_descr;
}
push( @snmpoids, $snmpIfSpeed . "." . $iface_number );
push( @snmpoids, $snmpIfOperStatus . "." . $iface_number );
push( @snmpoids, $snmpIfInOctets . "." . $iface_number );
push( @snmpoids, $snmpIfOutOctets . "." . $iface_number );
if ( !defined( $response = $session->get_request(@snmpoids) ) ) {
my $answer = $session->error;
$session->close;
stop("WARNING: SNMP error: $answer\n", "WARNING");
}
# Added 20091209 gj
# Get interface speed from device if not provided on command line
# Convert to kiloBytes
if ( !$iface_speed ) {
$iface_speed = $response->{ $snmpIfSpeed . "." . $iface_number };
$units = "b";
$iface_speed = bits2bytes( $iface_speed, $units ) / 1024;
}
# Added 20100201 gj
# Check if Out max speed was provided, use same if speed for both if not
if (!$iface_speedOut) {
$iface_speedOut = $iface_speed;
}
$if_status = $response->{ $snmpIfOperStatus . "." . $iface_number };
$in_bytes = $response->{ $snmpIfInOctets . "." . $iface_number } / 1024; # in kiloBytes
$out_bytes = $response->{ $snmpIfOutOctets . "." . $iface_number } / 1024; # in kiloBytes
$session->close;
my $row;
my $last_check_time = time - 1;
my $last_in_bytes = $in_bytes;
my $last_out_bytes = $out_bytes;
if (
open( FILE,
"<" . $TRAFFIC_FILE . "_if" . $iface_number . "_" . $host_address
)
)
{
while ( $row = <FILE> ) {
#cosmetic change 20050416 by mw
#Couldn't sustain;-)
## chomp();
( $last_check_time, $last_in_bytes, $last_out_bytes ) =
split( ":", $row );
### by sos 17.07.2009 check for last_bytes
if ( ! $last_in_bytes ) { $last_in_bytes=$in_bytes; }
if ( ! $last_out_bytes ) { $last_out_bytes=$out_bytes; }
if ($last_in_bytes !~ m/\d/) { $last_in_bytes=$in_bytes; }
if ($last_out_bytes !~ m/\d/) { $last_out_bytes=$out_bytes; }
}
close(FILE);
}
my $update_time = time;
open( FILE, ">" . $TRAFFIC_FILE . "_if" . $iface_number . "_" . $host_address )
or die "Can't open $TRAFFIC_FILE for writing: $!";
printf FILE ( "%s:%.0ld:%.0ld\n", $update_time, $in_bytes, $out_bytes );
close(FILE);
my $db_file;
#added 20050614 by mw
#Check for and correct counter overflow (if possible).
#See function counter_overflow.
$in_bytes = counter_overflow( $in_bytes, $last_in_bytes, $max_bytes );
$out_bytes = counter_overflow( $out_bytes, $last_out_bytes, $max_bytes );
# Calculate traffic since last check (RX\TX) in kiloBytes
my $in_traffic = sprintf( "%.2lf",
( $in_bytes - $last_in_bytes ) / ( time - $last_check_time ) );
my $out_traffic = sprintf( "%.2lf",
( $out_bytes - $last_out_bytes ) / ( time - $last_check_time ) );
# sos 20090717 changed due to rrdtool needs bytes
my $in_traffic_absolut = $in_bytes * 1024 ;
my $out_traffic_absolut = $out_bytes * 1024;
# Calculate usage percentages
my $in_usage = sprintf( "%.2f", ( 1.0 * $in_traffic * 100 ) / $iface_speed );
my $out_usage = sprintf( "%.2f", ( 1.0 * $out_traffic * 100 ) / $iface_speedOut );
if ($bits) {
# Convert output from Bytes to bits
$in_bytes = $in_bytes * 8;
$out_bytes = $out_bytes * 8;
$in_traffic = $in_traffic * 8;
$out_traffic = $out_traffic * 8;
$label = "Mbits";
}
my $in_prefix = "K";
my $out_prefix = "K";
if ( $in_traffic > 1024 ) {
$in_traffic = sprintf( "%.2f", $in_traffic / 1024 );
$in_prefix = "M";
}
if ( $out_traffic > 1024 ) {
$out_traffic = sprintf( "%.2f", $out_traffic / 1024 );
$out_prefix = "M";
}
if ( $in_traffic > 1024 * 1024 ) {
$in_traffic = sprintf( "%.2f", $in_traffic / 1024 * 1024 );
$in_prefix = "G";
}
if ( $out_traffic > 1024 * 1024 ) {
$out_traffic = sprintf( "%.2f",$out_traffic / 1024 * 1024 );
$out_prefix = "G";
}
# Convert from kiloBytes to megaBytes
$in_bytes = sprintf( "%.2f", $in_bytes / 1024 );
$out_bytes = sprintf( "%.2f", $out_bytes / 1024 );
$state = "OK";
# Added 20091209 by gj
if ( $if_status != 1 ) {
$output = "Interface $iface_descr is down!";
}else{
$output =
"Average IN: "
. $in_traffic . $in_prefix . $suffix . " (" . $in_usage . "%), "
. "Average OUT: " . $out_traffic . $out_prefix . $suffix . " (" . $out_usage . "%)<br>";
$output .= "Total RX: $in_bytes $label, Total TX: $out_bytes $label";
}
# Changed 20091209 gj
if ( ( $in_usage > $crit_usage ) or ( $out_usage > $crit_usage ) or ( $if_status != 1 ) ) {
$state = "CRITICAL";
}
if ( ( $in_usage > $warn_usage )
or ( $out_usage > $warn_usage ) && $state eq "OK" )
{
$state = "WARNING";
}
# Changed 20091209 gj
$output = "$state - $output"
if ( $state ne "OK" );
# Changed 20091214 gj - commas should have been semi colons
$output .=
"|inUsage=$in_usage%;$warn_usage;$crit_usage outUsage=$out_usage%;$warn_usage;$crit_usage"
. " inBandwidth=" . $in_traffic . $in_prefix . $suffix . " outBandwidth=" . $out_traffic . $out_prefix . $suffix
. " inAbsolut=$in_traffic_absolut outAbsolut=$out_traffic_absolut";
stop($output, $state);
sub fetch_Ip2IfIndex {
my $state;
my $response;
my $snmpkey;
my $answer;
my $key;
my ( $session, $host ) = @_;
# Determine if we have a host name or IP addr
if ( $host =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/ ){
#print "\nI found an IP address\n\n";
} else {
$host = get_ip ( $host );
#print "\nWe have a host name $host\n\n";
}
# Quit if results not found
if ( !defined( $response = $session->get_table($snmpIPAdEntIfIndex) ) ) {
$answer = $session->error;
$session->close;
$state = 'CRITICAL';
$session->close;
exit $STATUS_CODE{$state};
}
my %resp = %{$response};
# foreach $key ( keys %{$response} ) {
if ( $index_list ){
print ("\nInterfaces found:\n");
print (" IP Addr\tIndex\n");
print ("------------------------\n");
}
# Check each returned value
foreach $key ( keys %resp ) {
if ( $index_list ){
my $index_addr = substr $key, 21;
print ($index_addr,"\t ",$resp{$key},"\n");
}
# Check for ip address mathcin in returned index results
if ( $key =~ /$host$/ ) {
$snmpkey = $resp{$key};
}
}
unless ( defined $snmpkey ) {
$session->close;
$state = 'CRITICAL';
printf "$state: Could not match $host \n";
exit $STATUS_CODE{$state};
}
return $snmpkey;
}
sub fetch_ifdescr {
my $state;
my $response;
my $snmpkey;
my $answer;
my $key;
my ( $session, $ifdescr ) = @_;
if ( !defined( $response = $session->get_table($snmpIfDescr) ) ) {
$answer = $session->error;
$session->close;
$state = 'CRITICAL';
$session->close;
exit $STATUS_CODE{$state};
}
foreach $key ( keys %{$response} ) {
# added 20070816 by oer: remove trailing 0 Byte for Windows :-(
my $resp=$response->{$key};
$resp =~ s/\x00//;
my $test = defined($use_reg)
? $resp =~ /$ifdescr/
: $resp eq $ifdescr;
if ($test) {
###if ( $resp =~ /^$ifdescr$/ ) {
###if ( $resp =~ /$ifdescr/ ) {
### print "$resp \n";
###if ( $response->{$key} =~ /^$ifdescr$/ ) {
$key =~ /.*\.(\d+)$/;
$snmpkey = $1;
# print "$ifdescr = $key / $snmpkey \n"; #debug
}
}
unless ( defined $snmpkey ) {
$session->close;
$state = 'CRITICAL';
printf "$state: Could not match $ifdescr \n";
exit $STATUS_CODE{$state};
}
return $snmpkey;
}
#added 20050416 by mw
#Converts an input value to value in bits
sub bits2bytes {
return unit2bytes(@_) / 8;
}
#added 20050416 by mw
#Converts an input value to value in bytes
sub unit2bytes {
my ( $value, $unit ) = @_;
if ( $unit eq "g" ) {
return $value * 1024 * 1024 * 1024;
}
elsif ( $unit eq "m" ) {
return $value * 1024 * 1024;
}
elsif ( $unit eq "k" ) {
return $value * 1024;
}
elsif ( $unit eq "b" ) {
return $value * 1;
}
else {
print "You have to supply a supported unit\n";
exit $STATUS_CODE{'UNKNOWN'};
}
}
#added 20050414 by mw
#This function detects if an overflow occurs. If so, it returns
#a computed value for $bytes.
#If there is no counter overflow it simply returns the origin value of $bytes.
#IF there is a Counter reboot wrap, just use previous output.
sub counter_overflow {
my ( $bytes, $last_bytes, $max_bytes ) = @_;
$bytes += $max_bytes if ( $bytes < $last_bytes );
$bytes = $last_bytes if ( $bytes < $last_bytes );
return $bytes;
}
# Added 20100202 by gj
# Print results and exit script
sub stop {
my $result = shift;
my $exit_code = shift;
print $result . "\n";
exit ( $STATUS_CODE{$exit_code} );
}
# Added 20100405 by gj
# Lookup hosts ip address
sub get_ip {
use Net::DNS;
my ( $host_name ) = @_;
my $res = Net::DNS::Resolver->new;
my $query = $res->search($host_name);
if ($query) {
foreach my $rr ($query->answer) {
next unless $rr->type eq "A";
#print $rr->address, "\n";
return $rr->address;
}
} else {
stop("Error: IP address not resolved\n","UNKNOWN");
}
}
#cosmetic changes 20050614 by mw
#Couldn't sustain "HERE";-), either.
sub print_usage {
print <<EOU;
Usage: check_iftraffic3.pl -H host [ -C community_string ] [ -i if_index|if_descr ] [ -r ] [ -b if_max_speed_in | -I if_max_speed_in ] [ -O if_max_speed_out ] [ -u ] [ -B ] [ -A IP Address ] [ -L ] [ -M ] [ -w warn ] [ -c crit ]
Example 1: check_iftraffic3.pl -H host1 -C sneaky
Example 2: check_iftraffic3.pl -H host1 -C sneaky -i "Intel Pro" -r -B
Example 3: check_iftraffic3.pl -H host1 -C sneaky -i 5
Example 4: check_iftraffic3.pl -H host1 -C sneaky -i 5 -B -b 100 -u m
Example 5: check_iftraffic3.pl -H host1 -C sneaky -i 5 -B -b 20 -O 5 -u m
Example 6: check_iftraffic3.pl -H host1 -C sneaky -A 192.168.1.1 -B -b 100 -u m
Options:
-H, --host STRING or IPADDRESS
Check interface on the indicated host.
-B, --bits
Display results in bits per second b/s (default: Bytes/s)
-C, --community STRING
SNMP Community.
-r, --regexp
Use regexp to match NAME in description OID
-i, --interface STRING
Interface Name
-b, --bandwidth INTEGER
-I, --inBandwidth INTEGER
Interface maximum speed in kilo/mega/giga/bits per second. Applied to
both IN and OUT if no second (-O) max speed is provided.
-O, --outBandwidth INTEGER
Interface maximum speed in kilo/mega/giga/bits per second. Applied to
OUT traffic. Uses the same units value given for -b.
-u, --units STRING
g=gigabits/s,m=megabits/s,k=kilobits/s,b=bits/s. Required if -b, -I, or
-O are used.
-w, --warning INTEGER
% of bandwidth usage necessary to result in warning status (default: 85%)
-c, --critical INTEGER
% of bandwidth usage necessary to result in critical status (default: 98%)
-M, --max INTEGER
Max Counter Value of net devices in kilo/mega/giga/bytes.
-A, --address STRING (IP Address)
IP Address to use when determining the interface index to use. Can be
used when the index changes frequently or as in the case of Windows
servers the index is different depending on the NIC installed.
-L, --list FLAG (on/off)
Tell plugin to list available interfaces. This is not supported inside
of Nagios, but may be useful from the command line.
EOU
}

@@ -0,0 +1,90 @@
###############################################################################
# COMMANDS.CFG - SAMPLE COMMAND DEFINITIONS FOR NAGIOS
###############################################################################
################################################################################
# NOTIFICATION COMMANDS
################################################################################
# 'notify-host-by-email' command definition
define command{
command_name notify-host-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
# 'notify-service-by-email' command definition
define command{
command_name notify-service-by-email
command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
################################################################################
# HOST CHECK COMMANDS
################################################################################
# On Debian, check-host-alive is being defined from within the
# nagios-plugins-basic package
define command{
command_name check_snmp_storage
command_line $USER1$/check_snmp_storage.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -m $ARG3$ -w $ARG4$ -c $ARG5$
}
define command{
command_name check_snmp_load
command_line $USER1$/check_snmp_load.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -T $ARG3$ -w $ARG4$ -c $ARG5$
}
define command{
command_name check_snmp_mem
command_line $USER1$/check_snmp_mem.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ $ARG3$ -w $ARG4$ -c $ARG5$
}
define command{
command_name check_snmp_int
command_line $USER1$/check_snmp_netint.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -n $ARG3$ -a -m -k -M -w $ARG4$ -c $ARG5$
}
define command{
command_name check_iftraffic3
#command_name check_win_int
#command_line $USER1$/check_iftraffic3.pl -H $HOSTADDRESS$ -C $ARG1$
#command_line $USER1$/check_snmp_int.pl -H $HOSTADDRESS$ -C $ARG1$ $ARG2$ -n $ARG3$ -k -M -g -w $ARG4$ -c $ARG5$
command_line $USER1$/check_iftraffic3.pl -H $HOSTADDRESS$ -C $ARG1$ -i $ARG2$ -w $ARG3$ -c $ARG4$
}
define command{
command_name check_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}
###############################
##WINDOWS
###############################
define command{
command_name check_nt
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s root -p 12489 -v $ARG1$ $ARG2$
}
################################################################################
# PERFORMANCE DATA COMMANDS
################################################################################
# 'process-host-perfdata' command definition
define command{
command_name process-host-perfdata
command_line /usr/bin/printf "%b" "$LASTHOSTCHECK$\t$HOSTNAME$\t$HOSTSTATE$\t$HOSTATTEMPT$\t$HOSTSTATETYPE$\t$HOSTEXECUTIONTIME$\t$HOSTOUTPUT$\t$HOSTPERFDATA$\n" >> /var/lib/nagios3/host-perfdata.out
}
# 'process-service-perfdata' command definition
define command{
command_name process-service-perfdata
command_line /usr/bin/printf "%b" "$LASTSERVICECHECK$\t$HOSTNAME$\t$SERVICEDESC$\t$SERVICESTATE$\t$SERVICEATTEMPT$\t$SERVICESTATETYPE$\t$SERVICEEXECUTIONTIME$\t$SERVICELATENCY$\t$SERVICEOUTPUT$\t$SERVICEPERFDATA$\n" >> /var/lib/nagios3/service-perfdata.out
}
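Review bot: The check_nt definition passes the NSClient password as a literal `-s root` on the command line, so the secret is committed to version control and shipped with every copy of this file. Nagios resource macros exist for exactly this: keep the value in resource.cfg (which should be readable by the nagios user only) and reference it as `command_line $USER1$/check_nt -H $HOSTADDRESS$ -s $USER2$ -p 12489 -v $ARG1$ $ARG2$`. The password will still be visible in the process list while the plugin runs, which is inherent to check_nt's `-s` option, but it at least no longer lives in the repository. The same consideration applies to the SNMP community handed to the check_snmp_* commands through `$ARG1$` if the service definitions hard-code it; those definitions are not in this section.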

@@ -0,0 +1,59 @@
###############################################################################
# contacts.cfg
###############################################################################
###############################################################################
###############################################################################
#
# CONTACTS
#
###############################################################################
###############################################################################
# In this simple config file, a single contact will receive all alerts.
#define contact{
# contact_name root
# alias Root
# service_notification_period 24x7
# host_notification_period 24x7
# service_notification_options w,u,c,r
# host_notification_options d,r
# service_notification_commands notify-service-by-email
# host_notification_commands notify-host-by-email
# email root@localhost
# }
define contact{
contact_name admin
alias Administrateur
service_notification_period 24x7
host_notification_period 24x7
service_notification_options w,u,c,r
host_notification_options d,r
service_notification_commands notify-service-by-email
host_notification_commands notify-host-by-email
email icinga.ppe31@gmail.com
}
###############################################################################
###############################################################################
#
# CONTACT GROUPS
#
###############################################################################
###############################################################################
# We only have one contact in this simple configuration file, so there is
# no need to create more than one contact group.
define contactgroup{
contactgroup_name admins
alias Nagios Administrators
members admin
}
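Review bot: The only contact that receives every alert is an external Gmail mailbox (`email icinga.ppe31@gmail.com`), and the notify-*-by-email commands added in the same commit put `$HOSTADDRESS$` and `$SERVICEOUTPUT$` in the mail body, so internal addresses and raw plugin output leave the network through a third-party provider. Prefer a mailbox in the organisation's own domain, or at least mark the intent with a comment above the definition such as `# Lab setup: replace with an internal admin mailbox before production use`. The commented-out root contact above this definition is dead configuration and can be removed rather than carried along.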

@@ -0,0 +1,11 @@
# 'check_dns' command definition
define command{
command_name check_dns
command_line /usr/lib/nagios/plugins/check_dns -H www.dfco.fr -s '$HOSTADDRESS$'
}
# 'check_dig' command definition
define command{
command_name check_dig
command_line /usr/lib/nagios/plugins/check_dig -H '$HOSTADDRESS$' -l '$ARG1$'
}
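Review bot: check_dns hard-codes the name to resolve (`-H www.dfco.fr`) while the server under test comes from `$HOSTADDRESS$`, so the result depends on that public zone and on the monitored server having upstream resolution; an internet outage or a change at that domain would mark every server in the dns-servers group critical even when internal resolution is fine. Passing the name as an argument mirrors the check_dig definition below it and lets each service choose a name the server is authoritative for: `command_line /usr/lib/nagios/plugins/check_dns -H '$ARG1$' -s '$HOSTADDRESS$'`. check_dns also accepts `-a` to pin the expected address, which turns the check from "something resolved" into "the right thing resolved" and makes a misconfigured or tampered answer visible.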

@@ -0,0 +1,74 @@
# Some generic hostgroup definitions
define hostgroup {
hostgroup_name all
alias All Servers
members *
}
define hostgroup {
hostgroup_name localhost
alias Debian GNU/Linux Servers
members localhost
}
define hostgroup {
hostgroup_name debian-servers
alias Serveurs distant
members s-infra, s-proxy, r-int, r-ext, s-adm, s-test
}
define hostgroup { 
hostgroup_name ssh-servers
alias acces SSH
members s-adm, s-infra, s-proxy, r-int, r-ext, localhost, s-test, gwsio2
}
define hostgroup { 
hostgroup_name dns-servers
alias serveurs-dns
members s-infra, srv-2012
}
define hostgroup { 
hostgroup_name dhcp-servers
alias serveurs-dhcp
members r-int, srv-2012
}
define hostgroup {
hostgroup_name http-servers
alias serveurs-web
members localhost
}
#define hostgroup {
# hostgroup_name email-servers
# alias serveurs-email
# members s-mess
# }
define hostgroup { 
hostgroup_name proxy-servers
alias serveurs-proxy
members s-proxy
}
define hostgroup{
hostgroup_name windows-servers
alias windows-servers
members srv-2012
}
#define hostgroup{
# hostgroup_name switch
# alias switch
# members netgear
#}
define hostgroup{
hostgroup_name uptimegrp
alias uptimegrp
members s-infra, s-proxy, r-int, r-ext, s-adm, s-test
}
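Review bot: Four of the `define hostgroup {` lines (ssh-servers, dns-servers, dhcp-servers, proxy-servers) carry a stray non-ASCII whitespace character after the brace, while every other definition in the file ends cleanly at `{`. Nagios reads only the object type from that line, so the file probably still loads, but I cannot confirm that from here and other tools that consume the file may be less forgiving; strip the trailing character so all definitions read `define hostgroup {`. Separately, `members *` in the `all` group will absorb any host added later, which is presumably intended for a catch-all, but a comment such as `# every defined host; do not attach host-specific checks here` would make that explicit.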