First commit

This commit is contained in:
phil 2021-01-04 22:49:46 +01:00
parent da1100578d
commit 65b2a3eaf3
538 changed files with 52570 additions and 0 deletions

agoss Executable file

@ -0,0 +1,10 @@
#!/bin/bash
HOST=$(hostname)
FHOST=$(pwd)/goss/$HOST
if [ -r "$FHOST".yaml ] ; then
goss -gossfile "$FHOST".yaml v --no-color
else
echo $0 : erreur lecture fichier "$FHOST".yaml
exit 1
fi
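Review bot: FHOST is built from `$(pwd)`, so the wrapper only finds `goss/<host>.yaml` when run from the repository root; derive the directory from the script's own location (`$(dirname "$0")/goss/$HOST`) or accept it as an argument. `hostname` may also return an FQDN, which would never match the short names used for the files in `goss/`; `hostname -s` (or `$HOSTNAME`, as `gsbchk` in this same commit uses) keeps the two wrappers consistent. Quote `$0` and the file name in the error `echo`.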

changelog Normal file

@ -0,0 +1,7 @@
v5.0.2.j : 2019-01-25 -kb
ejout role s-nas-cliet et s-nas-server
v5.0.1 : 2019-01-24 - ps
reorganisation : anciens playbooks et roles deplaces dans repertoire old
v3.2.0 : 2017-11-16 - ps
ajout changelog

doc/Docker-openvas.txt Normal file

@ -0,0 +1,38 @@
Fichier de documentation fait par Adnan Baljic, le 31/01/2019
Configuration machine:
Système: Carte Mère: Mémoire Vive: 2048
Stockage: Contrôleur SATA: Ajouter un disque dur VDI de 8Go
Réseau 1: n-adm
Réseau 2: n-infra
USB: Décocher "Activer le contrôleur USB"
Important: Avant exécution du playbook, veillez à ne pas oublier de créer une partition sur /dev/sdb:
-fdisk /dev/sdb
-o
-n
-p
-1
-w
La configuration de docker se fait automatiquement via le playbook s-docker.yml
De base, s-docker.yml installera seulement docker-openvas-ab. Cependant, vous pouvez aussi installer docker-iredmail-ab en décommentant sa ligne et en
commentant la ligne docker-openvas-ab. (Tous les 2 sont accessible depuis le port 443, si les 2 sont installés en même temps, il pourrait y avoir conflit.
Manipulation à faire pour la mise en place d'Openvas via Docker:
Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
les interfaces...) et exécuter la commande ci-dessous:
docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas
Manipulation à faire pour la mise en place d'Openvas via Docker:
Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
les interfaces...) et exécuter la commande ci-dessous:
docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas lejmr/iredmail
Ensuite, il faudra faire: "docker start nom_du_container" pour le démarrer.
L'accès au container se fait via une machine virtuelle windows 7 avec Mozilla Firefox à jour, via https://172.16.0.19:443.
Le changement du système de fichier de /dev/sdb1 et le montage sur /var/lib/docker se fera automatiquement via le playbook.
Les tests effectués:
Jeudi 31 janvier 2019, 15:38 par Adnan Baljic= TEST OpenVAS OK
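Review bot: the second "Manipulation à faire pour la mise en place d'Openvas via Docker" block (the one ending in `lejmr/iredmail`) is a copy of the OpenVAS block: its heading still says OpenVAS and the container is still `--name openvas`, so running both as written fails on the duplicate container name in addition to the port 443 clash the text already mentions. Give it an iRedMail heading and a distinct `--name`. Both `docker run` lines also pull untagged images (`mikesplain/openvas`, `lejmr/iredmail`), i.e. whatever `latest` points to on the day; pin a tag or an `@sha256:` digest so the image that was tested on 31/01/2019 is the one that gets deployed.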

doc/icinga.txt Normal file

@ -0,0 +1,3 @@
Roles fait par Adnan Baljic, le 17/01/2019
Installation de icinga, nagios3-plugins, copie des fichiers de configuration vers /etc/icinga/ (=commands.cfg, hostgroups.cfg)
et /etc/icinga/objects/ (=namevm.cfg, services_icinga.cfg, contacts_icinga.cfg)

BIN
doc/pics/e4-SAN-V2.dia Normal file

Binary file not shown.

BIN
doc/pics/e4-adm.dia Normal file

Binary file not shown.

BIN
doc/pics/e4-adm.png Normal file

Binary file not shown.


BIN
doc/pics/e4-agence.dia Normal file

Binary file not shown.

BIN
doc/pics/e4-agence.png Normal file

Binary file not shown.


BIN
doc/pics/e4-dmz-ab.png Normal file

Binary file not shown.


BIN
doc/pics/e4-dmz-ha.dia Normal file

Binary file not shown.

BIN
doc/pics/e4-dmz-ha.png Normal file

Binary file not shown.


BIN
doc/pics/e4-dmz-old.png Normal file

Binary file not shown.


BIN
doc/pics/e4-dmz.dia Normal file

Binary file not shown.

BIN
doc/pics/e4-dmz.png Normal file

Binary file not shown.


BIN
doc/pics/e4-v2.3.dia Normal file

Binary file not shown.

BIN
doc/pics/e4-v2.3.png Normal file

Binary file not shown.


BIN
doc/pics/e4-v2.3x.dia Normal file

Binary file not shown.

BIN
doc/pics/e4-v2.dia Normal file

Binary file not shown.


BIN
doc/pics/e4-vpn-infra.dia Normal file

Binary file not shown.

BIN
doc/pics/e4.dia Normal file

Binary file not shown.

BIN
doc/pics/e4.png Normal file

Binary file not shown.


doc/r-vp.txt Normal file

@ -0,0 +1,23 @@
Fichier de documentation fait par Adnan Baljic, le 24/01/2019
Manipulation à faire pour la mise en place de r-vp1 et r-vp2:
Après exécution de gsbboot et du pull-config, il faudra désactiver l'interface
de n-adm pour éviter une boucle. Pour cela, il suffit de faire "ifdown enp0sx"
Pour ce qui est des tests pour vérifier que l'agence passe bien par le tunnel
chiffré, vous pouvez stopper le service ipsec ou strongswan ("service
strongswan stop" ou "service ipsec stop", cela revient à faire la même chose)
Important: sur r-vp2, si la route par défaut est celui de s-adm, veuillez
supprimer cette route en faisant "route del default" sinon l'agence ne passera
pas par le tunnel chiffré mais vers s-adm
cf. Schéma GSB/E4 - VPN/Infra - Version 1.2 - 2019-01-23
La mise en place de strongswan via les certificats se fait via le playbook
r-vpx-x509.yml. La manipulation ci-dessus n'est pas à faire pour les vpn avec
certificat si r-vp2-x509 et r-vp1-x509 n'ont pas de route par défaut. Si ils ont
une route par défaut, veuillez effectuer la même manipulation que pour r-vp2.
Il faudra tout de même désactiver l'interface de n-adm sur les 2 r-vpx-x509.
Les tests effectués:
Jeudi 24 janvier 2019, 14:45 par Adnan Baljic= TEST OK

doc/s-fog.txt Normal file

@ -0,0 +1,11 @@
fichier de documentation réalier par Olivier Soares et Gaetan Maillard, le 25/01/2019
Pour mettre en oeuvre le serveur fog, il faut déployer une machine virtuel debian (une ova), de la mettre à jour, de la renommer (s-fog), puis de récupérer gsbboot et faire un bash pull-config.
Après avoir avoir fait l'installation de base, il suffit d'éxécuter le playbook "s-fog.yml" avec la commande ansible-playbooks -i hosts s-fog.yml". Ce playbook va récupérer le fichier d'installation de fog, le décompacter et configurer les différentes cartes réseaux de s-fog sachant qu'il y en a trois:
L'interface enp0s3 permet d'avoir accès internet via le réseau "n-adm"
L'interface enp0s8 permet de communiquer avec le réseau "n-infra"
L'interface enp0s9 permet d'avoir accès et deployer des postes sur le réseau "n-user"
Maintenant le serveur fog est prêt à être installer, avant de commencer l'installation il faut tout d'abord vérifier que l'accès à tous les réseaux soit correcte. Pour ça il suffit d'éxécuter le fichier de test goss
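Review bot: the playbook command in the second paragraph reads `ansible-playbooks -i hosts s-fog.yml"`: the binary is `ansible-playbook` (singular) and the closing quote has no opening one; write `ansible-playbook -i hosts s-fog.yml`. The last sentence tells the reader to run "the goss test file" without naming it; point to `goss/s-fog.yaml` (added in this commit) or to the `agoss` wrapper.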

goss/r-ext.yaml Normal file

@ -0,0 +1,42 @@
command:
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
ping -c 4 172.16.0.1:
exit-status: 0
stdout:
- 0% packet loss
stderr: []
timeout: 10000
ping -c 4 172.16.0.254:
exit-status: 0
stdout:
- 0% packet loss
stderr: []
timeout: 10000
ping -c 4 192.168.200.254:
exit-status: 0
stdout:
- 0% packet loss
stderr: []
timeout: 10000
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.13/24
enp0s8:
exists: true
addrs:
- 192.168.100.254/24
enp0s9:
exists: true
addrs:
- 192.168.0.36/24
enp0s16:
exists: true
addrs:
- 192.168.200.253/24

goss/r-int.yaml Normal file

@ -0,0 +1,35 @@
package:
isc-dhcp-server:
installed: true
service:
isc-dhcp-server:
enabled: true
running: true
command:
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.12/24
enp0s8:
exists: true
addrs:
- 192.168.200.254/24
enp0s9:
exists: true
addrs:
- 172.16.65.254/24
enp0s10:
exists: true
addrs:
- 172.16.64.254/24
enp0s16:
exists: true
addrs:
- 172.16.0.254/24

goss/r-vp1-cs.yaml Normal file

@ -0,0 +1,106 @@
file:
/etc/ipsec.d/cacerts/strongswanCert.pem:
exists: true
mode: "0644"
size: 1834
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp1Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp2Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp1Key.pem:
exists: true
mode: "0600"
size: 1675
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp2Key.pem:
exists: true
mode: "0600"
size: 1679
owner: root
group: root
filetype: file
contains: []
package:
strongswan:
installed: true
versions:
- 5.2.1-6+deb8u2
service:
strongswan:
enabled: true
running: true
user:
strongswan:
exists: true
uid: 112
gid: 65534
groups:
- nogroup
home: /var/lib/strongswan
shell: /usr/sbin/nologin
command:
Associations:
exit-status: 127
stdout: []
stderr:
- 'sh: 1: Associations: not found'
timeout: 10000
ip r|grep default:
exit-status: 0
stdout:
- default via 192.168.1.1 dev enp0s9
stderr: []
timeout: 10000
ipsec listcacerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=Root CA"'
stderr: []
timeout: 10000
ipsec listcerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=r-vp1"'
- 'subject: "C=CH, O=GSB, CN=r-vp2"'
stderr: []
timeout: 10000
ipsec statusall|grep Security:
exit-status: 0
stdout:
- 'Security Associations (1 up, 0 connecting):'
stderr: []
timeout: 10000
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
interface:
enp0s8:
exists: true
addrs:
- 192.168.0.51/24
enp0s9:
exists: true
addrs:
- 192.168.1.2/24
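Review bot: the `file:` section expects `/etc/ipsec.d/private/r-vp2Key.pem` to be present on r-vp1 (and the r-vp2 file expects `r-vp1Key.pem` on r-vp2). Each gateway should hold only its own private key; shipping both keys to both peers means a compromise of either host exposes both identities, and this test then enforces that layout. Keep only `r-vp1Key.pem` here (the certificates can be shared, the keys should not). The `Associations:` command entry (exit-status 127, `sh: 1: Associations: not found`) looks like the second word of "Security Associations" fed to `goss autoadd`; delete it rather than asserting that a nonexistent command fails. Pinning `versions: - 5.2.1-6+deb8u2` will turn the check red at the next strongswan security update; `installed: true` is enough.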

goss/r-vp1-old.yaml Normal file

@ -0,0 +1,106 @@
file:
/etc/ipsec.d/cacerts/strongswanCert.pem:
exists: true
mode: "0644"
size: 1834
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp1Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp2Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp1Key.pem:
exists: true
mode: "0600"
size: 1675
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp2Key.pem:
exists: true
mode: "0600"
size: 1679
owner: root
group: root
filetype: file
contains: []
package:
strongswan:
installed: true
versions:
- 5.2.1-6+deb8u2
service:
strongswan:
enabled: true
running: true
user:
strongswan:
exists: true
uid: 112
gid: 65534
groups:
- nogroup
home: /var/lib/strongswan
shell: /usr/sbin/nologin
command:
Associations:
exit-status: 127
stdout: []
stderr:
- 'sh: 1: Associations: not found'
timeout: 10000
ip r|grep default:
exit-status: 0
stdout:
- default via 192.168.1.1 dev enp0s9
stderr: []
timeout: 10000
ipsec listcacerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=Root CA"'
stderr: []
timeout: 10000
ipsec listcerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=r-vp1"'
- 'subject: "C=CH, O=GSB, CN=r-vp2"'
stderr: []
timeout: 10000
ipsec statusall|grep Security:
exit-status: 0
stdout:
- 'Security Associations (1 up, 0 connecting):'
stderr: []
timeout: 10000
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
interface:
enp0s8:
exists: true
addrs:
- 192.168.0.51/24
enp0s9:
exists: true
addrs:
- 192.168.1.2/24
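Review bot: this file is identical to goss/r-vp1-cs.yaml added in the same commit (same checks, same `Associations:` artefact, same expectation of r-vp2's private key). Two copies means a fix lands in one and not the other; drop the `-old` variant (git history keeps it) rather than carrying it in `goss/`.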

goss/r-vp1.yaml Normal file

@ -0,0 +1,67 @@
package:
# ferm:
# installed: true
strongswan:
installed: true
port:
udp:68:
listening: true
service:
# dnsmasq:
# enabled: true
# running: true
strongswan:
enabled: true
running: true
ssh:
enabled: true
running: true
command:
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
command:
ping -c 4 192.168.0.52:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
command:
ping -c 4 192.168.1.1:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
command:
ping -c 4 192.168.200.254:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
command:
ping -c 4 172.16.0.1:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
#process:
# dnsmasq:
# running: true
# squid:
# running: true
interface:
enp0s8:
exists: true
addrs:
- 192.168.0.51/24
enp0s9:
exists: true
addrs:
- 192.168.1.2/24
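Review bot: `command:` appears five times as a top-level key (once before `sysctl` and once before each `ping`); a YAML mapping cannot repeat a key, so depending on the parser either only the last block (`ping -c 4 172.16.0.1`) survives or the file is rejected, and the ip_forward check plus three pings are silently lost. Put all five entries under one `command:` key, as goss/r-ext.yaml does. The expected stdout `4 received = 1` never occurs in ping output (it reads like a copy of `net.ipv4.ip_forward = 1`); use `0% packet loss` as r-ext.yaml does, or `4 received`. The commented-out ferm/dnsmasq/squid entries should be deleted or re-enabled once those roles exist.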

goss/r-vp2-cs.yaml Normal file

@ -0,0 +1,105 @@
file:
/etc/ipsec.d/cacerts/strongswanCert.pem:
exists: true
mode: "0644"
size: 1834
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp1Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp2Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp1Key.pem:
exists: true
mode: "0600"
size: 1675
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp2Key.pem:
exists: true
mode: "0600"
size: 1679
owner: root
group: root
filetype: file
contains: []
package:
strongswan:
installed: true
versions:
- 5.2.1-6+deb8u2
service:
strongswan:
enabled: true
running: true
user:
strongswan:
exists: true
gid: 65534
groups:
- nogroup
home: /var/lib/strongswan
shell: /usr/sbin/nologin
command:
Associations:
exit-status: 127
stdout: []
stderr:
- 'sh: 1: Associations: not found'
timeout: 10000
ip r|grep default:
exit-status: 0
stdout:
- default via 192.168.99.99 dev enp0s3
stderr: []
timeout: 10000
ipsec listcacerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=Root CA"'
stderr: []
timeout: 10000
ipsec listcerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=r-vp2"'
- 'subject: "C=CH, O=GSB, CN=r-vp1"'
stderr: []
timeout: 10000
ipsec statusall|grep Security:
exit-status: 0
stdout:
- 'Security Associations (1 up, 0 connecting):'
stderr: []
timeout: 10000
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
interface:
enp0s8:
exists: true
addrs:
- 172.16.128.254/24
enp0s9:
exists: true
addrs:
- 192.168.0.52/24
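Review bot: the `ip r|grep default` check expects `default via 192.168.99.99 dev enp0s3`, a default route through s-adm, while doc/r-vp.txt in this same commit says that on r-vp2 exactly this route must be removed (`route del default`) or agency traffic leaves via s-adm instead of the tunnel. The test therefore enforces the misconfiguration the documentation warns against; expect either no default route or the route the tunnel design needs, and update the doc if the design changed. As in r-vp1-cs.yaml, `r-vp1Key.pem` should not be expected in r-vp2's `/etc/ipsec.d/private` (only the host's own key belongs there), and the `Associations:` entry should go. This file also lacks the `uid: 112` line present under `user: strongswan` in r-vp1-cs.yaml; fine if intended, but the two otherwise mirror each other.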

goss/r-vp2-old.yaml Normal file

@ -0,0 +1,105 @@
file:
/etc/ipsec.d/cacerts/strongswanCert.pem:
exists: true
mode: "0644"
size: 1834
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp1Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/certs/r-vp2Cert.pem:
exists: true
mode: "0644"
size: 1509
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp1Key.pem:
exists: true
mode: "0600"
size: 1675
owner: root
group: root
filetype: file
contains: []
/etc/ipsec.d/private/r-vp2Key.pem:
exists: true
mode: "0600"
size: 1679
owner: root
group: root
filetype: file
contains: []
package:
strongswan:
installed: true
versions:
- 5.2.1-6+deb8u2
service:
strongswan:
enabled: true
running: true
user:
strongswan:
exists: true
gid: 65534
groups:
- nogroup
home: /var/lib/strongswan
shell: /usr/sbin/nologin
command:
Associations:
exit-status: 127
stdout: []
stderr:
- 'sh: 1: Associations: not found'
timeout: 10000
ip r|grep default:
exit-status: 0
stdout:
- default via 192.168.99.99 dev enp0s3
stderr: []
timeout: 10000
ipsec listcacerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=Root CA"'
stderr: []
timeout: 10000
ipsec listcerts|grep subject:
exit-status: 0
stdout:
- 'subject: "C=CH, O=GSB, CN=r-vp2"'
- 'subject: "C=CH, O=GSB, CN=r-vp1"'
stderr: []
timeout: 10000
ipsec statusall|grep Security:
exit-status: 0
stdout:
- 'Security Associations (1 up, 0 connecting):'
stderr: []
timeout: 10000
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
interface:
enp0s8:
exists: true
addrs:
- 172.16.128.254/24
enp0s9:
exists: true
addrs:
- 192.168.0.52/24
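Review bot: this file is identical to goss/r-vp2-cs.yaml added in the same commit, including the s-adm default-route expectation and the r-vp1 private key check; remove the `-old` copy so fixes only need to be made once.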

goss/r-vp2goss.yaml Normal file

@ -0,0 +1,67 @@
package:
ferm:
installed: true
ipsec:
installed: true
port:
tcp:53:
listening: true
udp:67:
listening: true
udp:68:
listening: true
service:
dnsmasq:
enabled: true
running: true
ferm:
enabled: true
running: true
ssh:
enabled: true
running: true
command:
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
sysctl ping -c 4 192.168.0.51:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
sysctl ping -c 4 192.168.1.1:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
sysctl ping -c 4 192.168.200.254:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
sysctl ping -c 4 172.16.0.1:
exit-status: 0
stdout:
- 4 received = 1
stderr: []
timeout: 10000
process:
dnsmasq:
running: true
squid3:
running: true
interface:
enp0s8:
exists: true
addrs:
- 172.16.128.254/24
enp0s9:
exists: true
addrs:
- 192.168.0.52/24
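Review bot: four of the five `command:` entries are `sysctl ping -c 4 <ip>`; the `sysctl` prefix is a copy-paste leftover from the ip_forward line and makes the command fail (sysctl knows no key named `ping`), so these checks can never pass; drop `sysctl` from them. `package: ipsec:` is not a Debian package name (the other r-vp files check `strongswan`), and `4 received = 1` does not occur in ping output (see the r-vp1.yaml comment). The file name `r-vp2goss.yaml` also breaks the `<hostname>.yaml` convention that `agoss` and `gsbchk` rely on, so nothing will ever select it.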

goss/s-adm.yaml Normal file

@ -0,0 +1,80 @@
package:
dnsmasq:
installed: true
squid:
installed: true
addr:
tcp://depl.sio.lan:80:
reachable: true
timeout: 500
port:
tcp:53:
listening: true
ip:
- 0.0.0.0
tcp6:53:
listening: true
ip:
- '::'
tcp6:8080:
listening: true
ip:
- '::'
udp:53:
listening: true
ip:
- 0.0.0.0
udp:67:
listening: true
ip:
- 0.0.0.0
udp6:53:
listening: true
ip:
- '::'
service:
dnsmasq:
enabled: true
running: true
squid:
enabled: true
running: true
ssh:
enabled: true
running: true
user:
dnsmasq:
exists: true
uid: 107
gid: 65534
groups:
- nogroup
home: /var/lib/misc
shell: /usr/sbin/nologin
group:
ssh:
exists: true
gid: 111
command:
/sbin/sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 1
stderr: []
timeout: 10000
dns:
depl.sio.lan:
resolveable: true
addrs:
- 10.121.38.10
timeout: 500
process:
dnsmasq:
running: true
squid:
running: true
interface:
enp0s8:
exists: true
addrs:
- 192.168.99.99/24

goss/s-appli.yaml Normal file

@ -0,0 +1,35 @@
service:
mariadb:
enabled: true
running: true
apache2:
enabled: true
running: true
file:
/var/www/html/wordpress:
exists: true
owner: www-data
group: www-data
filetype: directory
/var/www/html/wordpress-5.3.2-fr_FR.tar.gz:
exists: true
/var/www/html/wordpress/wp-config-sample.php:
exists: true
/etc/apache2/sites-enabled/000-default.conf:
exists: true
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.3/24
enp0s8:
exists: true
addrs:
- 172.16.0.3/24
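Review bot: the checks require `/var/www/html/wordpress-5.3.2-fr_FR.tar.gz` and `/var/www/html/wordpress/wp-config-sample.php` to exist, which enshrines leaving the install archive and the sample configuration inside the served document root. Both are safe to delete after extraction and their presence advertises the exact WordPress version to anyone who can fetch them; have the role remove them and assert `exists: false` instead. The `wordpress` directory entry has no `mode:`; add one (`"0755"`) so an over-permissive chmod in the role is caught, as s-itil.yaml does for its directories.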

goss/s-fog.yaml Normal file

@ -0,0 +1,28 @@
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.16/24
interface:
enp0s8:
exists: true
addrs:
- 172.16.0.16/24
interface:
enp0s9:
exists: true
addrs:
- 172.16.64.16/24
command:
ping -c 4 192.168.99.99:
exit-status: 0
stdout:
- 0% packet loss
stderr: []
timeout: 10000
ping -c 4 google.fr:
exit-status: 0
stdout:
- 0% packet loss
stderr: []
timeout: 10000
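Review bot: `interface:` is repeated three times as a top-level key (before enp0s3, enp0s8 and enp0s9); duplicate keys are not valid YAML, so at best only the enp0s9 block is kept and the n-adm and n-infra addresses are never tested. Nest the three interfaces under a single `interface:` key, as every other goss file here does. `ping -c 4 google.fr` makes the test depend on internet access and DNS; if the point is the n-adm route, the existing `ping -c 4 192.168.99.99` already covers it.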

goss/s-infra.yaml Normal file

@ -0,0 +1,90 @@
package:
bind9:
installed: true
lighttpd:
installed: true
addr:
tcp://192.168.99.99:8080:
reachable: true
timeout: 500
port:
tcp:80:
listening: true
ip:
- 0.0.0.0
tcp6:80:
listening: true
ip:
- '::'
service:
bind9:
enabled: true
running: true
lighttpd:
enabled: true
running: true
command:
host 172.16.0.2:
exit-status: 0
stdout:
- 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan.
stderr: []
timeout: 10000
host 172.16.0.9:
exit-status: 0
stdout:
- 9.0.16.172.in-addr.arpa domain name pointer s-itil.gsb.lan.
stderr: []
timeout: 10000
host free.fr:
exit-status: 0
stdout:
- free.fr has address 212.27.48.10
- free.fr has IPv6 address 2a01:e0c:1::1
- free.fr mail is handled by 10 mx1.free.fr.
- free.fr mail is handled by 20 mx2.free.fr.
stderr: []
timeout: 10000
host s-infra:
exit-status: 0
stdout:
- s-infra.gsb.lan has address 172.16.0.1
stderr: []
timeout: 10000
host s-infra.gsb.lan:
exit-status: 0
stdout:
- s-infra.gsb.lan has address 172.16.0.1
stderr: []
timeout: 10000
host s-mon:
exit-status: 0
stdout:
- s-mon.gsb.lan has address 172.16.0.8
stderr: []
timeout: 10000
host s-mon.gsb.lan:
exit-status: 0
stdout:
- s-mon.gsb.lan has address 172.16.0.8
stderr: []
timeout: 10000
process:
lighttpd:
running: true
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.1/24
enp0s8:
exists: true
addrs:
- 172.16.0.1/24
http:
http://localhost/wpad.dat:
status: 200
allow-insecure: false
no-follow-redirects: false
timeout: 5000
body: []
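Review bot: the `host free.fr` check asserts four literal answers (A 212.27.48.10, AAAA 2a01:e0c:1::1, two MX records) for a domain the project does not control; any change on the provider side turns every s-infra run red. Assert only that external resolution works (exit-status 0 plus a stable substring such as `free.fr has address`), or use a `dns:` resource with `resolveable: true` as goss/s-adm.yaml does. The `http://localhost/wpad.dat` check accepts any 200 with `body: []`; matching a fragment of the PAC file (the proxy host and port it should hand out) would also catch an empty or default file being served.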

goss/s-itil.yaml Normal file

@ -0,0 +1,36 @@
file:
/var/www/html/glpi:
exists: true
mode: "0755"
owner: www-data
group: www-data
filetype: directory
/var/www/html/ficlients:
exists: true
mode: "0775"
owner: www-data
group: www-data
filetype: directory
/var/www/html/glpi/plugins:
exists: true
mode: "0777"
filetype: directory
/var/www/html/index.nginx-debian.html:
exists: true
mode: "0775"
owner: www-data
group: www-data
filetype: file
service:
mariadb:
enabled: true
running: true
nginx:
enabled: true
running: true
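Review bot: `/var/www/html/glpi/plugins` is required to be `mode: "0777"`, a world-writable directory inside the nginx document root, and it is the only entry without `owner`/`group`. Any local account, or any other process on the host that gets code execution, can drop a plugin there and have GLPI load it. Use `"0775"` with `owner: www-data` and `group: www-data` like the neighbouring entries, and fix the role so the test does not have to be loosened.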

goss/s-lb-bd.yaml Normal file

@ -0,0 +1,21 @@
package:
mysql-server:
installed: true
versions:
- 5.5.54-0+deb8u1
command:
egrep "#bind-address" /etc/mysql/my.cnf:
exit-status: 0
stdout:
- "#bind-address\t\t= 127.0.0.1"
stderr: []
timeout: 10000
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.13/24
enp0s8:
exists: true
addrs:
- 192.168.102.50/24
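Review bot: the `egrep "#bind-address" /etc/mysql/my.cnf` check passes only when `bind-address` is commented out, i.e. mysqld listens on every interface, including the n-adm one. The web nodes reach the database over 192.168.102.0/24 (enp0s8 here is 192.168.102.50), so the role should set `bind-address = 192.168.102.50` and this test should assert that line without the `#`. The n-adm address `192.168.99.13/24` expected on enp0s3 is also the address goss/r-ext.yaml expects on r-ext's enp0s3; two hosts cannot share it. Finally, pinning `versions: - 5.5.54-0+deb8u1` fails at the next security update; `installed: true` suffices.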

goss/s-lb-web1.yaml Normal file

@ -0,0 +1,63 @@
package:
apache2:
installed: true
versions:
- 2.4.10-10+deb8u7
php5:
installed: true
versions:
- 5.6.29+dfsg-0+deb8u1
port:
tcp:22:
listening: true
ip:
- 0.0.0.0
tcp6:22:
listening: true
ip:
- '::'
tcp6:80:
listening: true
ip:
- '::'
service:
apache2:
enabled: true
running: true
sshd:
enabled: true
running: true
user:
sshd:
exists: true
uid: 105
gid: 65534
groups:
- nogroup
home: /var/run/sshd
shell: /usr/sbin/nologin
command:
egrep 192.168.102.14:/export/www /etc/fstab:
exit-status: 0
stdout:
- 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0
stderr: []
timeout: 10000
process:
apache2:
running: true
sshd:
running: true
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.11/24
enp0s8:
exists: true
addrs:
- 192.168.101.1/24
enp0s9:
exists: true
addrs:
- 192.168.102.1/24

goss/s-lb-web2.yaml Normal file

@ -0,0 +1,63 @@
package:
apache2:
installed: true
versions:
- 2.4.10-10+deb8u7
php5:
installed: true
versions:
- 5.6.29+dfsg-0+deb8u1
port:
tcp:22:
listening: true
ip:
- 0.0.0.0
tcp6:22:
listening: true
ip:
- '::'
tcp6:80:
listening: true
ip:
- '::'
service:
apache2:
enabled: true
running: true
sshd:
enabled: true
running: true
user:
sshd:
exists: true
uid: 105
gid: 65534
groups:
- nogroup
home: /var/run/sshd
shell: /usr/sbin/nologin
command:
egrep 192.168.102.14:/export/www /etc/fstab:
exit-status: 0
stdout:
- 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0
stderr: []
timeout: 10000
process:
apache2:
running: true
sshd:
running: true
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.12/24
enp0s8:
exists: true
addrs:
- 192.168.101.2/24
enp0s9:
exists: true
addrs:
- 192.168.102.2/24
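Review bot: enp0s3 is expected to be `192.168.99.12/24`, the same n-adm address goss/r-int.yaml expects on r-int's enp0s3. Each machine's test passes on its own while the shared network is broken; pick unique n-adm addresses and consider generating these files from one inventory, since this hunk is identical to s-lb-web1.yaml apart from the three addresses and the two are bound to drift. The `port:` section lists `tcp6:80` but no `tcp:80`; if Apache is meant to serve IPv4 clients from the load balancer, add the IPv4 listener check.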

goss/s-lb.yaml Normal file

@ -0,0 +1,28 @@
port:
tcp:80:
listening: true
ip:
- 192.168.100.11
service:
haproxy:
enabled: true
running: true
sshd:
enabled: true
running: true
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.100/24
mtu: 1500
enp0s8:
exists: true
addrs:
- 192.168.100.11/24
mtu: 1500
enp0s9:
exists: true
addrs:
- 192.168.101.254/24
mtu: 1500

goss/s-lb.yaml.old Normal file

@ -0,0 +1,65 @@
file:
/etc/haproxy/haproxy.cfg:
exists: true
mode: "0644"
size: 1518
owner: root
group: root
filetype: file
contains: []
package:
haproxy:
installed: true
port:
tcp:80:
listening: true
ip:
- 192.168.100.10
service:
haproxy:
enabled: true
running: true
user:
haproxy:
exists: true
uid: 111
gid: 117
groups:
- haproxy
home: /var/lib/haproxy
shell: /bin/false
group:
haproxy:
exists: true
gid: 117
command:
egrep "balance\s+roundrobin" /etc/haproxy/haproxy.cfg:
exit-status: 0
stdout:
- balance roundrobin
stderr: []
timeout: 10000
egrep "bind\s+192.168.100.10:80" /etc/haproxy/haproxy.cfg:
exit-status: 0
stdout:
- bind 192.168.100.10:80
stderr: []
timeout: 10000
egrep "mode\s+http" /etc/haproxy/haproxy.cfg:
exit-status: 0
stdout:
- "mode\thttp"
stderr: []
timeout: 10000
process:
haproxy:
running: true
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.10/24
enp0s8:
exists: true
addrs:
- 192.168.100.10/24
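Review bot: this is a stale copy of the load-balancer check (VIP 192.168.100.10, whereas goss/s-lb.yaml now expects 192.168.100.11). Keeping a `.yaml.old` next to the live file invites confusion; delete it, or first fold its useful `egrep` checks on `balance roundrobin`, `bind ...:80` and `mode http` in `/etc/haproxy/haproxy.cfg` into s-lb.yaml, which currently only verifies that haproxy is running and listening.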

goss/s-mon.yaml Normal file

@ -0,0 +1,62 @@
file:
/etc/icinga/htpasswd.users:
exists: true
mode: "0644"
size: 26
owner: root
group: root
filetype: file
contains: []
package:
apache2:
installed: true
nagios-snmp-plugins:
installed: true
icinga:
installed: true
snmp:
installed: true
port:
tcp6:80:
listening: true
ip:
- '::'
udp:514:
listening: true
ip:
- 0.0.0.0
service:
apache2:
enabled: true
running: true
icinga:
enabled: true
running: true
command:
sysctl net.ipv4.ip_forward:
exit-status: 0
stdout:
- net.ipv4.ip_forward = 0
stderr: []
timeout: 10000
process:
apache2:
running: true
icinga:
running: true
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.8/24
enp0s8:
exists: true
addrs:
- 172.16.0.8/24
http:
http://localhost/icinga:
status: 401
allow-insecure: false
no-follow-redirects: false
timeout: 5000
body: []
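Review bot: `/etc/icinga/htpasswd.users` is asserted as `mode: "0644"` owned `root:root`, so the Icinga basic-auth hash file is readable by every local account. Only the web server needs to read it: have the role install it as `0640 root:www-data` and assert that here. `size: 26` will break as soon as a second user is added or a password changes; `exists`, `mode`, `owner` and `group` are enough. The `http://localhost/icinga` check expecting 401 is a good negative test and worth keeping.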

goss/s-proxy.yaml Normal file

@ -0,0 +1,42 @@
package:
squid:
installed: true
addr:
tcp://192.168.99.99:8080:
reachable: true
timeout: 500
port:
tcp6:8080:
listening: true
ip:
- '::'
squid:
enabled: true
running: true
command:
host 172.16.0.2:
exit-status: 0
stdout:
- 2.0.16.172.in-addr.arpa domaine name pointer s-proxy.gsb.lan
stderr: []
timeout: 10000
interface:
enp0s3:
exists: true
addrs:
- 192.168.99.1/24
enp0s8
exists: true
addrs:
- 192.168.99.1/24
enp0s8:
exists: true
addrs:
- 172.16.0.1/24
http:
http://localhost/wpad.dat:
status: 200
allow-insecure: false
no-follow-redirects: false
timeout: 5000
body: []
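Review bot: the file does not parse: `enp0s8` under `interface:` has no trailing colon, and `enp0s8:` then appears a second time, so both the syntax error and the duplicate key need fixing. Content-wise, `squid:` with `enabled`/`running` sits under `port:` instead of a `service:` key; the expected reverse-lookup text says `domaine name pointer` while `host` prints `domain name pointer` (s-infra.yaml has it right); and the addresses `192.168.99.1` and `172.16.0.1` are s-infra's (see goss/s-infra.yaml), whereas the `host 172.16.0.2` check in this very file says s-proxy is 172.16.0.2. This looks like an s-infra copy that was only partly adapted; template it or rewrite it from the s-proxy inventory.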

graylog-pont.yml Normal file

@ -0,0 +1,8 @@
---
- hosts: localhost
connection: local
roles:
- goss
- docker-graylog-pont
- post

gsbchk Executable file

@ -0,0 +1,14 @@
#!/bin/bash
filename=/root/tools/ansible/gsb/goss/$HOSTNAME.yaml
if ! [ -e $filename ] ; then
echo gsbchk : erreur ouverture $filename
exit 1
fi
if [ $# == 1] ; then
goss -g $filename v
else
goss $*
fi
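Review bot: `[ $# == 1]` lacks the space before `]`, so the test always errors out and the `else` branch (`goss $*`) runs even with one argument; write `[ "$#" -eq 1 ]`. Quote `$filename` in the `-e` test and in the goss call, and use `"$@"` rather than `$*` so arguments containing spaces survive. The absolute path `/root/tools/ansible/gsb/goss` hard-wires one checkout location, while `agoss` in the same commit uses `$(pwd)`; the two wrappers should agree on how the goss directory is found.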

gsbstart Executable file

@ -0,0 +1,179 @@
#!/usr/bin/perl
#use strict;
#use warnings;
#SCRIPT PERMETTANT DE METTRE LES INTERFACES APPROPRIEES POUR LA MACHINE ENTREE EN PARAMETRE ET DE LA DEMARRER
my %machines = (
's-infra' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
's-proxy' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
's-spec' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
's-mon' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
's-mess' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
's-itil' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
's-proxy' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
's-backup' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
's-appli' => {
netif1 => 'n-adm',
netif2 => 'n-infra'
},
'r-int' => {
netif1 => 'n-adm',
netif2 => 'n-link',
netif3 => 'n-wifi',
netif4 => 'n-user',
netif5 => 'n-infra'
},
'r-ext' => {
netif1 => 'n-adm',
netif2 => 'n-dmz',
netif3 => 'enp0s3',
netif4 => 'n-linkv',
netif5 => 'n-link'
},
'r-vp2' => {
netif1 => 'n-adm',
netif2 => 'n-agence',
netif3 => 'enp0s3'
},
'r-vp1' => {
netif1 => 'n-adm',
netif2 => 'enp0s3',
netif3 => 'n-linkv'
},
's-lb' => {
netif1 => 'n-adm',
netif2 => 'n-dmz',
netif3 => 'n-dmz-lb'
},
's-lb-bd' => {
netif1 => 'n-adm',
netif2 => 'n-dmz-db'
},
's-lb-web1' => {
netif1 => 'n-adm',
netif2 => 'n-dmz-lb',
netif3 => 'n-dmz-db'
},
's-lb-web2' => {
netif1 => 'n-adm',
netif2 => 'n-dmz-lb',
netif3 => 'n-dmz-db'
},
's-nas' => {
netif1 => 'n-adm',
netif2 => 'n-dmz-db',
}
);
my ($net1, $net2, $net3, $net4, $net5);
my $machine = shift;
die "usage : gsbstart <machine>" unless ( $machine);
#print $machines { $machine } "\n";
if (%{$machines{$machine}}) {
# print $machines { $machine } {netif1}, "\n";
$net1 = $machines { $machine } {netif1};
$net2 = $machines { $machine } {netif2};
$net3 = $machines { $machine } {netif3};
$net4 = $machines { $machine } {netif4};
$net5 = $machines { $machine } {netif5};
} else {
print "machine $machine inconnue\n";
}
#
my $ninfra = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"";
my $rint = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\"";
my $rext = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\"";
my $rvp2 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\n";
my $rvp1 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net2 ."\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n";
my $lb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 ". $net3."\n";
my $lbbd ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n";
my $lbweb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n";
my $snas ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n";
#print $routeur;
if ($machine eq "r-int") {
qx($rint);
print "la création des interfaces du routeur $machine a fonctionné!\n";
}else{
if ($machine eq "r-ext") {
qx($rext);
}else{
qx($ninfra);
print "la création des interfaces de $machine a fonctionné!\n";
}
}
if ($machine eq "r-vp2") {
qx($rvp2);
}
if ($machine eq "r-vp1") {
qx($rvp1);
}
if ($machine eq "s-lb"){
qx($lb);
}
if ($machine eq "s-lb-web1"){
qx($lbweb);
}
if ($machine eq "s-lb-web2"){
qx($lbweb);
}
if ($machine eq "s-lb-bd"){
qx($lbbd);
}
if ($machine eq "s-nas"){
qx($snas);
}
qx(VBoxManage startvm $machine);
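Review bot: in `$rext`, `$rvp2` and `$rvp1` the bridged NIC is configured with `--bridgeadapter1`, although the NIC set to `bridged` is nic3 (r-ext, r-vp2) or nic2 (r-vp1). VBoxManage pairs `--nicN bridged` with `--bridgeadapterN`, so the host interface name is applied to adapter 1 (just configured as intnet) and the bridged adapter is left without one; use `--bridgeadapter3` and `--bridgeadapter2` respectively. The `%machines` hash defines `s-proxy` twice (the second silently wins). An unknown machine only prints `machine ... inconnue` and then falls into the `else` branch, running `$ninfra` with undefined nets and `VBoxManage startvm` anyway; `die` there instead. Every `qx()` discards the exit status, so a failing `modifyvm` is never reported; check `$?` or use `system` and die on failure. Re-enable `use strict; use warnings;` (both are commented out at the top).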

gsbstartl Executable file

@ -0,0 +1,28 @@
#!/usr/bin/perl
use strict;
use warnings;
while ($_ = shift @ARGV) {
if ($_ eq "-a"){
qx(./gsbstart s-infra);
qx(./gsbstart s-spec);
qx(./gsbstart s-proxy);
qx(./gsbstart s-mon);
qx(./gsbstart s-mess);
qx(./gsbstart s-itil);
qx(./gsbstart s-backup);
qx(./gsbstart s-appli);
qx(./gsbstart r-vp1);
qx(./gsbstart r-vp2);
qx(./gsbstart r-int);
qx(./gsbstart r-ext);
qx(./gsbstart s-lb);
qx(./gsbstart s-lb-web-1);
qx(./gsbstart s-lb-web-2);
qx(./gsbstart s-lb-bd);
}else{
qx(./gsbstart $_);
}
}
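Review bot: `qx(./gsbstart $_)` in the else branch hands the raw argument to the shell, and the `-a` list starts `s-lb-web-1` and `s-lb-web-2` while gsbstart above only recognises `s-lb-web1` and `s-lb-web2`, so those two VMs are started without their interface configuration. Align the names (or read the list from one shared file) and check the exit status of each `qx` instead of discarding it.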

14
lisezmoi.txt Normal file

@ -0,0 +1,14 @@
lisezmoi.txt
------------
Ce document décrit les divers élements du projet GSB du BTS SIO utilisé pour l'Epreuve E4
Le projet GSB décrit les diférents playbooks permttant d'installer les
machines du projet GSB
Les répertoires :
- roles : les roles
- goss : les outils de test
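Review bot: typos in the description (`élements`, `diférents`, `permttant`); the directory list could also mention `pre/` (deployment-server bootstrap) and the `gsbstart`/`pull-config` scripts added in this commit.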

48
pre/inst-depl Normal file

@ -0,0 +1,48 @@
#!/bin/bash
set -o errexit
set -o pipefail
GITUSR=gitgsb
GITPRJ=gsb
apt update && apt upgrade
apt install -y apache2 git
getent passwd "${GITUSR}" >> /dev/null
if [[ $? != 0 ]]; then
echo "creation utilisateur "${GITUSR}" ..."
/sbin/useradd -m -d /home/"${GITUSR}" -s /bin/bash "${GITUSR}"
echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd
else
echo "utilisateur "${GITUSR}" existant..."
fi
su -c "git init --share --bare /home/${GITUSR}/${GITPRJ}.git" "${GITUSR}"
su -c "cd ${GITPRJ}.git/.git/hooks && mv post-update.sample post-update" "${GITUSR}"
[[ -h /var/www/html/"${GITPRJ}".git ]]|| ln -s /home/"${GITUSR}"/"${GITPRJ}".git /var/www/html/"${GITPRJ}".git
[[ -d /var/www/html/gsbstore ]]|| mkdir /var/www/html/gsbstore
(cat <<EOT > /var/www/html/gsbstore/getall
#!/bin/bash
set -o errexit
set -o pipefail
GLPIREL=9.4.5
wget -nc https://github.com/glpi-project/glpi/releases/download/\${GLPIREL}/glpi-\${GLPIREL}.tgz
FIREL=9.4+2.4
wget -nc -O fusioninventory-glpi\${FIREL}.tag.gz https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi\${FIREL}.tar.gz
#https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi9.4+2.4.tar.g
FIAGREL=2.5.2
wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\${FIAGREL}/fusioninventory-agent_windows-x64_\${FIAGREL}.exe
wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\$FIAGREL/fusioninventory-agent_windows-x86_\${FIAGREL}.exe
FOGREL=1.5.7
wget -nc https://github.com/FOGProject/fogproject/archive/\${FOGREL}.tar.gz -O fogproject-\${FOGREL}.tar.gz
wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
EOT
)
cat /var/www/html/gsbstore/getall
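Review bot: with `set -o errexit`, the line `getent passwd "${GITUSR}" >> /dev/null` aborts the script whenever the user does not exist, so the `if [[ $? != 0 ]]` branch that creates the account is unreachable; write it as `if ! getent passwd "${GITUSR}" > /dev/null; then`. Further down, `git init --bare` creates `${GITPRJ}.git/hooks`, not `${GITPRJ}.git/.git/hooks`, and the `cd` is relative to the caller's directory rather than `/home/${GITUSR}`, so the post-update hook (needed for the dumb-HTTP clone used by pull-config) is never enabled. The account is also given its own name as password (`${GITUSR}:${GITUSR}`) with a login shell, `apt upgrade` lacks `-y` under errexit, and the generated `getall` is never made executable and fetches release tarballs with no checksum verification.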

24
pre/pull-config Normal file

@ -0,0 +1,24 @@
#!/bin/bash
dir=/root/tools/ansible
host=depl
hostf=$host.sio.lan
repo=gsb
[ -e $dir ] || mkdir -p $dir
grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
cd $dir
hostname > hosts
#git clone http://$host/$repo.git
cd $repo
git pull
ansible-playbook -c local -i 'localhost,' $(hostname).yml
#ansible-pull -i $dir/hosts -d $repo -U http://$host/$repo.git
exit 0
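Review bot: `cd $repo` has nothing to enter on a fresh host because the `git clone` line is commented out, and with no `set -e` the script then runs `git pull` and `ansible-playbook ... $(hostname).yml` from `$dir` anyway; either restore the clone (`[ -d $repo ] || git clone http://$host/$repo.git`) or exit when the directory is missing. The playbooks run as root from a repository fetched over plain `http://$host/$repo.git` with no integrity check, and the `depl.sio.lan` entry is simply appended to `/etc/hosts`, so whoever can answer for that name or address on the network can feed playbooks to every machine; prefer ssh or https to a pinned host. `hostname > hosts` is written but only used by the commented `ansible-pull` line.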

24
pull-config Normal file

@ -0,0 +1,24 @@
#!/bin/bash
dir=/root/tools/ansible
host=depl
hostf=$host.sio.lan
repo=gsb
[ -e $dir ] || mkdir -p $dir
grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
cd $dir
hostname > hosts
#git clone http://$host/$repo.git
cd $repo
git pull
ansible-playbook -c local -i 'localhost,' $(hostname).yml
#ansible-pull -i $dir/hosts -d $repo -U http://$host/$repo.git
exit 0
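Review bot: this file is byte-for-byte identical to `pre/pull-config` above, so every fix has to be applied twice; keep one copy (or a symlink), and the same remarks apply here.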

12
r-ext.yml Normal file

@ -0,0 +1,12 @@
---
- hosts: localhost
connection: local
roles:
- base
- goss
- r-ext
- snmp-agent
- ssh-cli
- syslog-cli
- post

13
r-int.yml Normal file

@ -0,0 +1,13 @@
---
- hosts: localhost
connection: local
roles:
- base
- goss
- r-int
- ssh-cli
- syslog-cli
- dhcp
- snmp-agent
- post

20
r-vp1.yml Normal file

@ -0,0 +1,20 @@
---
- hosts: localhost
connection: local
vars:
- ip1: 192.168.0.51
- remip: 192.168.0.52
- mynet: 192.168.1.0
- remnet: 172.16.128.0
roles:
- base
- goss
- snmp-agent
- vpn-stg-r
# - x509-r
# - firewall-vpn-r
- ssh-cli
- syslog-cli
- post
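Review bot: `vars:` is given as a list of one-key mappings (`- ip1: 192.168.0.51`); Ansible expects a mapping here and recent releases reject the list form, so drop the leading dashes. With `x509-r` and `firewall-vpn-r` commented out the VPN router is deployed with neither its certificate role nor its filtering role; if that is intentional for now, record it in the changelog.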

22
r-vp2.yml Normal file

@ -0,0 +1,22 @@
---
- hosts: localhost
connection: local
vars:
- ip1: 192.168.0.52
- remip: 192.168.0.51
- mynet: 172.16.128.0
- remnet: 192.168.1.0
roles:
- base
- goss
- dhcp-ag
- dns-agence
- snmp-agent
- vpn-stg-l
# - x509-l
# - firewall-vpn-l
- ssh-cli
- syslog-cli
- post
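Review bot: same two points as r-vp1.yml: `vars` should be a mapping, not a list of `- key: value` items, and `x509-l`/`firewall-vpn-l` are disabled.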


@ -0,0 +1,6 @@
---
- name: restart apache2
service: name=apache2 state=restarted
- name: restart mysql-server
service: name=mysql-server state=restarted
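Review bot: `name=mysql-server` is the package name, not the service; the unit is `mysql` (or `mariadb` on current Debian), so the `restart mysql-server` handler fails whenever it is notified.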


@ -0,0 +1,14 @@
---
- name: Update apt cache
apt: update_cache=yes cache_valid_time=3600
- name: Install required software
apt: name={{ item }} state=present
with_items:
- apache2
- mysql-server
- php-mysql
- php
- libapache2-mod-php
- php-mcrypt
- python-mysqldb
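Review bot: `apt` with `with_items` installs the packages one at a time; pass the list directly to `name:` (as roles/base/tasks/main.yml does further down) so apt resolves them in a single transaction. `php-mcrypt` no longer exists for PHP 7.2 and later (Debian buster ships 7.3), so this task fails against the buster sources.list shipped in this commit, and `python-mysqldb` is the Python 2 package.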


@ -0,0 +1,4 @@
---
- name: restart apache
service: name=apache2 state=restarted
become: yes


@ -0,0 +1,73 @@
---
- name: Installation des packets
apt:
name: "{{ item }}"
state: latest
with_items:
- php
- php-fpm
- php-mbstring
- php-ssh2
- php-gd
- php-mysql
- python-mysqldb
- libapache2-mod-php
- mariadb-server
- apache2
- python
- name: Création du répertoire pour wordpress
file:
path: /var/www/html/wordpress
state: directory
- name: Téléchargement de wordpress
get_url:
url: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz
dest: /var/www/html
- name: Extraction du fichier wordpress
unarchive:
src: /var/www/html/wordpress-5.3.2-fr_FR.tar.gz
dest: /var/www/html
- name: Fix permissions owner
shell: chown -R www-data /var/www/html/wordpress
- name: Fix permissions groups
shell: chgrp -R www-data /var/www/html/wordpress
- name: Mettre à jour le site Apache par défaut
lineinfile:
dest: /etc/apache2/sites-enabled/000-default.conf
regexp: "(.)+DocumentRoot /var/www/html"
line: "DocumentRoot /var/www/html/wordpress"
- name: restart apache2
service:
name: apache2
state: restarted
- name: Mettre à jour le fichier de configuration WordPress
lineinfile:
dest: /var/www/html/wordpress/wp-config-sample.php
backup: yes
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
- {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
- {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
- {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
- name: Création de la base de donnée mysql
mysql_db:
name: wordpress
state: present
- name: Création de l'utilisateur mysql
mysql_user:
name: wordpress
password: wp
priv: "*.*:ALL"
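Review bot: the database account created at the end is `wordpress` with password `wp`, but wp-config is rewritten to `DB_USER 'wp'`, so WordPress cannot connect; use one name and take the password from a vaulted variable rather than the literal `wp`. `priv: "*.*:ALL"` gives that account every privilege on every database; `wordpress.*:ALL` is enough. The `lineinfile` tasks edit `wp-config-sample.php`, which WordPress never reads, instead of copying it to `wp-config.php` first. `shell: chown`/`chgrp` are not idempotent and report changed on every run (`file:` with `owner`, `group` and `recurse: yes` does the same), and `state: latest` with `with_items` silently upgrades those packages each time the playbook runs.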


@ -0,0 +1 @@
Acquire::http::Proxy "http://192.168.99.99:8080";


@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 192.168.99.99


@ -0,0 +1,10 @@
#
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
deb http://security.debian.org/ wheezy/updates main
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
deb http://http.debian.net/debian wheezy-backports main
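Review bot: wheezy (Debian 7) is end-of-life and has been moved to archive.debian.org, so these mirror and security URLs no longer serve a usable index; if a wheezy file is still needed, point it at archive.debian.org, otherwise drop the file.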


@ -0,0 +1,9 @@
#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
#deb http://security.debian.org/ stretch/updates main
#deb http://ftp.fr.debian.org/debian/ stretch-updates main
deb http://deb.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb http://deb.debian.org/debian/ buster-updates main contrib non-free


@ -0,0 +1,13 @@
#------------------------------------------------------------------------------#
# OFFICIAL UBUNTU REPOS #
#------------------------------------------------------------------------------#
###### Ubuntu Main Repos
deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe
###### Ubuntu Update Repos
deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe
deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe
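Review bot: Ubuntu 15.10 (`wily`) has been end-of-life since 2016 and is no longer on fr.archive.ubuntu.com (old releases move to old-releases.ubuntu.com), so this file cannot be used as-is.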


@ -0,0 +1,22 @@
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free
#deb-src http://ftp.fr.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
#deb-src http://security.debian.org/ jessie/updates main
deb http://ftp.fr.debian.org/debian/ jessie-updates main
#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main
#deb http://backports.debian.org/debian-backports jessie-backports main
#deb http://packages.steve.org.uk/slaughter/jessie/ ./
#deb https://rex.linux-files.org/debian/ jessie rex
#deb http://http.debian.net/debian jessie-backports main
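Review bot: jessie is end-of-life as well and is only served from archive.debian.org now; the commented third-party lines (`packages.steve.org.uk`, `rex.linux-files.org`) should be removed rather than kept commented, since an uncommented line would trust an unrelated repository.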


@ -0,0 +1,22 @@
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
#deb-src http://ftp.fr.debian.org/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
#deb-src http://security.debian.org/ wheezy/updates main
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
#deb http://backports.debian.org/debian-backports wheezy-backports main
#deb http://packages.steve.org.uk/slaughter/wheezy/ ./
#deb https://rex.linux-files.org/debian/ wheezy rex
deb http://http.debian.net/debian wheezy-backports main
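Review bot: a second wheezy sources.list with the same end-of-life problem as the first one; keep a single file per release.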

49
roles/base/tasks/main.yml Normal file

@ -0,0 +1,49 @@
---
- name: Copie sources.list
copy: src=sources.list.{{ ansible_distribution }} dest=/etc/apt/sources.list
- name: Copie apt.conf pour proxy
copy: src=apt.conf dest=/etc/apt/apt.conf
when: ansible_hostname != "s-adm"
- name: Update + Upgrade
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
- name: Install paquets
apt:
state: present
name:
- vim
- ntp
- mc
- tcpdump
- curl
- net-tools
- rsync
- sudo
- name: Desinstall paquets
apt:
state: absent
name:
- nfs-common
- rpcbind
- bluetooth
- name: Configure Vim
alternatives: name=editor path=/usr/bin/vim
#- name: copie fichier
# copy: src=mesg.txt dest=/root/tools/mesg.txt
- name: Generation /etc/hosts
template: src=hosts.j2 dest=/etc/hosts
when: ansible_hostname != "s-proxy"
- name: Generation /etc/hosts pour s-proxy
template: src=hosts.s-proxy.j2 dest=/etc/hosts
when: ansible_hostname == "s-proxy"
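Review bot: `ansible_distribution` expands to `Debian` or `Ubuntu`, not the release, so `sources.list.{{ ansible_distribution }}` can only ever pick a file named `sources.list.Debian` or `sources.list.Ubuntu`; with per-release files (wheezy, jessie, buster, wily) in this commit, use `ansible_distribution_release` in the name or keep a single file per distribution. `upgrade: yes` also performs an unattended `apt-get upgrade` on every run of the playbook; if that is not wanted on production hosts, gate it behind a tag.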


@ -0,0 +1,27 @@
127.0.0.1 localhost
127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }}
127.0.0.1 localhost ip6-localhost ip6-loopback
10.121.38.10 depl.sio.lan depl
192.168.99.99 s-adm.gsb.adm
192.168.99.1 s-infra.gsb.adm
192.168.99.2 s-proxy.gsb.adm
192.168.99.3 s-appli.gsb.adm
192.168.99.4 s-backup.gsb.adm
192.168.99.5 s-puppet.gsb.adm
192.168.99.6 s-win.gsb.adm
192.168.99.7 s-mess.gsb.adm
192.168.99.8 s-mon.gsb.adm
192.168.99.9 s-itil.gsb.adm
192.168.99.10 s-sspec.gsb.adm
192.168.99.11 s-web-ext.gsb.adm
192.168.99.10 s-dns.gsb.adm
192.168.99.12 r-int.gsb.adm
192.168.99.13 r-ext.gsb.adm
192.168.99.14 s-nas.gsb.adm
192.168.99.15 s-san.gsb.adm
192.168.99.16 s-fog.gsb.adm
192.168.99.8 syslog.gsb.adm
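Review bot: `192.168.99.10` is assigned to both `s-sspec.gsb.adm` and `s-dns.gsb.adm` (and `s-sspec` looks like a typo for `s-spec`, the name gsbstartl uses); the line `127.0.0.1 localhost ip6-localhost ip6-loopback` should start with `::1`. `syslog.gsb.adm` sharing 192.168.99.8 with s-mon reads as an intended alias; if so, put both names on one line.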


@ -0,0 +1,26 @@
127.0.0.1 localhost
127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }}
127.0.0.1 localhost ip6-localhost ip6-loopback
172.16.0.2 s-proxy.gsb.lan s-proxy
10.121.38.10 depl
192.168.99.99 s-adm.gsb.adm
192.168.99.1 s-infra.gsb.adm
192.168.99.2 s-proxy.gsb.adm
192.168.99.3 s-appli.gsb.adm
192.168.99.4 s-backup.gsb.adm
192.168.99.5 s-puppet.gsb.adm
192.168.99.6 s-win.gsb.adm
192.168.99.7 s-mess.gsb.adm
192.168.99.8 s-mon.gsb.adm
192.168.99.9 s-itil.gsb.adm
192.168.99.10 s-sspec.gsb.adm
192.168.99.11 s-web-ext.gsb.adm
192.168.99.10 s-dns.gsb.adm
192.168.99.12 r-int.gsb.adm
192.168.99.13 r-ext.gsb.adm
192.168.99.14 s-nas.gsb.adm
192.168.99.8 syslog.gsb.adm
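Review bot: same duplicate `192.168.99.10` and `127.0.0.1 ... ip6-loopback` issues as hosts.j2; since the only difference is the two extra `s-proxy.gsb.lan`/`depl` lines, one template with a conditional block would avoid maintaining both.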


@ -0,0 +1,7 @@
---
- name: Create mysql user
mysql_user:
host: "{{ cli_ip }}"
name: "{{ maria_dbuser }}"
password: "{{ maria_dbpasswd }}"
priv: "*.*:ALL"
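Review bot: `priv: "*.*:ALL"` grants the client account full rights on every database; restrict it to the one database it needs (`<dbname>.*:ALL`, with the name in a variable next to `maria_dbuser`), and make sure `maria_dbpasswd` comes from ansible-vault rather than a plain vars file.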


@ -0,0 +1,152 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau USER
#subnet 172.16.64.0 netmask 255.255.255.0 {
# range 172.16.64.20 172.16.64.120;
# option domain-name-servers 172.16.0.6, 172.16.0.1 ;
# option routers 172.16.64.254;
# option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau INFRA
#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau AGENCE
subnet 172.16.128.0 netmask 255.255.255.0 {
range 172.16.128.10 172.16.128.50;
option domain-name-servers 172.16.0.1;
option routers 172.16.128.254;
option broadcast-address 172.16.128.255;
default-lease-time 86400;
max-lease-time 86400;
}
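Review bot: `#authoritative;` is left commented; as the only DHCP server for 172.16.128.0/24 it should be authoritative so that clients arriving with a stale lease from another network get a NAK instead of waiting for the lease to expire.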


@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s8"
INTERFACESv6=""


@ -0,0 +1,3 @@
---
- name: restart dhcp
service: name=isc-dhcp-server state=restarted


@ -0,0 +1,11 @@
---
- name: Installation serveur dhcp
apt: name=isc-dhcp-server state=present update_cache=yes
- name: copie dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp
# notify: restart dhcp
- name: copie conf isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/isc-dhcp-server
# notify: restart dhcp
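Review bot: both `notify: restart dhcp` lines are commented out, so a changed dhcpd.conf or interface list is copied but the running server keeps the old configuration, and the `restart dhcp` handler defined above is never triggered; re-enable the notify and indent it under its task.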


@ -0,0 +1,142 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau USER
subnet 172.16.64.0 netmask 255.255.255.0 {
range 172.16.64.20 172.16.64.120;
option domain-name-servers 172.16.0.1 ;
option routers 172.16.64.254;
option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau INFRA
#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}


@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s9"
INTERFACESv6=""


@ -0,0 +1,3 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted


@ -0,0 +1,14 @@
---
- name: Installation du dhcp
apt: name=isc-dhcp-server state=present
- name: Copie du fichier isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/
- name: Copie du fichier dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp/
notify:
- restart isc-dhcp-server

142
roles/dhcp/files/dhcpd.conf Normal file

@ -0,0 +1,142 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
subnet 172.16.65.0 netmask 255.255.255.0 {
range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau USER
subnet 172.16.64.0 netmask 255.255.255.0 {
range 172.16.64.20 172.16.64.120;
option domain-name-servers 172.16.0.1 ;
option routers 172.16.64.254;
option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau INFRA
subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
}
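Review bot: the wifi subnet hands out `172.16.65.1`–`172.16.65.100` with `option routers` and `option broadcast-address` commented out, so wifi clients get an address but no default gateway, and .1 is normally the gateway's own address; mirror the USER subnet block (routers .254, range starting at .20). Declaring the INFRA subnet without a range is fine for letting dhcpd listen there, but a comment saying so would help the next reader.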


@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s9 enp0s10"
INTERFACESv6=""


@ -0,0 +1,3 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

14
roles/dhcp/tasks/main.yml Normal file

@ -0,0 +1,14 @@
---
- name: Installation du dhcp
apt: name=isc-dhcp-server state=present
- name: Copie du fichier isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/
- name: Copie du fichier dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp/
notify:
- restart isc-dhcp-server


@ -0,0 +1,23 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
172.16.0.1;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
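Review bot: this resolver forwards to 172.16.0.1 and listens on every IPv6 address with no `allow-query`/`allow-recursion` restriction, unlike the s-infra named.conf.options further down which limits both to `172.16.0.0/16`; add the same ACLs here so this is not an open recursive resolver.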


@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted


@ -0,0 +1,11 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9


@ -0,0 +1,23 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
172.16.0.1;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
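Review bot: identical to the previous named.conf.options, including the missing `allow-query`/`allow-recursion` ACLs; if two roles need the same file, share it rather than duplicating it.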


@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted


@ -0,0 +1,11 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9


@ -0,0 +1,30 @@
; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
2016011401 ; Serial
7200 ; Refresh
86400 ; Retry
8419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS s-infra.gsb.lan.
@ IN NS s-backup.gsb.lan.
@ IN A 127.0.0.1
@ IN AAAA ::1
s-infra IN A 172.16.0.1
s-backup IN A 172.16.0.4
s-proxy IN A 172.16.0.2
s-appli IN A 172.16.0.3
s-win IN A 172.16.0.6
s-mess IN A 172.16.0.7
s-mon IN A 172.16.0.8
s-itil IN A 172.16.0.9
r-int IN A 172.16.0.254
r-int-lnk IN A 192.168.200.254
r-ext IN A 192.168.200.253
ns IN CNAME s-infra.gsb.lan.
wpad IN CNAME s-infra.gsb.lan.


@ -0,0 +1,24 @@
; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
2015121701 ; Serial
7200 ; Refresh
86400 ; Retry
8419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS s-infra.gsb.lan.
@ IN NS s-backup.gsb.lan.
1.0 IN PTR s-infra.gsb.lan.
4.0 IN PTR s-backup.gsb.lan.
2.0 IN PTR s-proxy.gsb.lan.
3.0 IN PTR s-appli.gsb.lan.
6.0 IN PTR s-win.gsb.lan.
7.0 IN PTR s-mess.gsb.lan.
8.0 IN PTR s-mon.gsb.lan.
9.0 IN PTR s-itil.gsb.lan.
254.0 IN PTR r-int.gsb.lan.


@ -0,0 +1,2 @@
<center><img src="http://sio.lyc-lecastel.fr/~nicolas.denizot/warning.jpg" alt="Bloque"></img></center>
<center><h1>Vous n'avez pas les droits requis pour acceder a cette page, veuillez contacter votre Administrateur.</h1></center>
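Review bot: `<img>` is a void element, so `</img>` is invalid; the block-page image is also loaded from an external host over plain http (`sio.lyc-lecastel.fr`), which breaks offline and reports every blocked request to that server, so ship the image locally. `acceder` should be `accéder`.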

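Review bot: `<img ...></img>` is invalid markup, `img` is a void element and takes no closing tag; write `<img src="..." alt="Bloque">`. More importantly, the image is hot-linked over plain http:// from an external host (sio.lyc-lecastel.fr): the block page then depends on that site being reachable from the clients, and every blocked request reports the client's address to a third party. Copy warning.jpg into /var/www next to forbidden.html and reference it relatively. `<center>` is obsolete; and a `<!DOCTYPE html>`, `<html>`/`<body>` and `<meta charset="utf-8">` would let the French text use proper accents.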
@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 s-infra
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

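Review bot: s-infra is mapped only to 127.0.1.1 (the Debian installer default), although this host is the site's DNS server; whenever bind9 is stopped or being restarted by the handlers in this commit, `hostname -f` and anything resolving s-infra locally falls back to loopback. Consider adding `172.16.0.1 s-infra.gsb.lan s-infra` so the name resolves to the LAN address independently of the DNS service.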
@ -0,0 +1,20 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "gsb.lan" {
type master;
file "/etc/bind/db.gsb.lan";
};
zone "16.172.in-addr.arpa"{
type master;
notify no;
file "/etc/bind/db.gsb.lan.rev";
};

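Review bot: `notify no` on 16.172.in-addr.arpa and the absence of any `allow-transfer` statement on either zone conflict with the zone files, which list s-backup.gsb.lan. as a second NS: the secondary is never told about reverse-zone changes, and nothing here restricts which hosts may pull the zones by AXFR. Either add `allow-transfer { 172.16.0.4; };` to both zones and drop `notify no` so s-backup actually serves them, or remove it from the NS records. Style: missing space in `zone "16.172.in-addr.arpa"{`.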
@ -0,0 +1,25 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
192.168.99.99;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-query { 172.16.0.0/16; } ;
allow-recursion { 172.16.0.0/16; } ;
};

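Review bot: `allow-query { 172.16.0.0/16; }` also gates the authoritative answers for gsb.lan, yet db.gsb.lan carries hosts on 192.168.200.0/24 (r-int-lnk, r-ext); a router on that link querying s-infra will be refused. If those hosts are meant to use this server, add their network to `allow-query` while keeping `allow-recursion` limited to the LAN. The stock "all-0's placeholder" comment is stale here too, and `listen-on-v6 { any; }` binds every IPv6 address although the ACLs list only IPv4 prefixes, so any IPv6 query would be refused anyway; `listen-on-v6 { none; };` unless IPv6 clients are expected.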
@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 127.0.0.1

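Review bot: `domain gsb.lan` and `search gsb.lan` are mutually exclusive in resolv.conf(5); when both appear the last one wins, so the `domain` line is dead configuration. Keep only `search gsb.lan`. The single `nameserver 127.0.0.1` also means the host has no resolution at all while bind9 is being restarted by the handlers in this commit; add 172.16.0.4 (s-backup) as a second nameserver if that host really serves the zones. If the interface is configured by DHCP or resolvconf, this file may be rewritten after the play runs.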
@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted

@ -0,0 +1,33 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9
- name: Copie named.conf.local
copy: src=named.conf.local dest=/etc/bind
notify:
- restart bind9
- name: Copie db.gsb.lan
copy: src=db.gsb.lan dest=/etc/bind
notify:
- restart bind9
- name: Copie db.gsb.lan.rev
copy: src=db.gsb.lan.rev dest=/etc/bind
notify:
- restart bind9
- name: Copie resolv.conf
copy: src=resolv.conf dest=/etc
notify:
- restart bind9
- name: Copie page squidguard
copy: src=forbidden.html dest=/var/www/

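Review bot: the resolv.conf copy notifies `restart bind9`, but named does not read /etc/resolv.conf, so that restart is a needless outage; drop the notify on that task. The zone and config copies run without validation, so a typo in db.gsb.lan is only found when the restart handler fails: add `validate: 'named-checkzone gsb.lan %s'` to the db.gsb.lan task, `named-checkzone 16.172.in-addr.arpa %s` for the reverse file and `named-checkconf %s` for the two named.conf.* files. The four near-identical copy tasks could be a single task with `with_items`. The last task copies forbidden.html to /var/www/ without ensuring the directory or the web server exists and without a `mode`.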
Some files were not shown because too many files have changed in this diff.