Ajout de README.md pour superviser s-win

README.md

@@ -1,3 +1,15 @@
 # gsb2021
 
 Environnement et playbooks ansible pour le projet GSB 2021
+
+## Quickstart
+prérequis : une machine Debian buster
+
+
+## Les machines
+  * s-adm
+  * s-infra
+  * r-int
+  * r-ext
+  * s-proxy
+## Les playbooks

goss/s-proxy.yaml

@@ -10,6 +10,7 @@ port:
     listening: true
     ip:
     - '::'
+service:
   squid:
     enabled: true
     running: true
@@ -24,15 +25,13 @@ interface:
   enp0s3:
     exists: true
     addrs:
-    - 192.168.99.1/24
+    - 192.168.99.2/24
-  enp0s8
+    mtu: 1500
-    exists:  true
-    addrs:
-    - 192.168.99.1/24
   enp0s8:
     exists: true
     addrs:
-    - 172.16.0.1/24
+    - 172.16.0.2/24
+    mtu: 1500
 http:
   http://localhost/wpad.dat:
     status: 200

pre/Vagrantfile-s-adm

@@ -0,0 +1,77 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box = "debian/buster64"
+  config.vm.hostname = "s-adm"
+  config.vm.define "s-adm"
+  config.vm.provider :virtualbox do |vb|
+     vb.name = "s-adm"
+  end
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+   config.vm.network "public_network", ip: "192.168.1.91"
+   config.vm.network "private_network", ip: "192.168.99.99"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  # config.vm.provider "virtualbox" do |vb|
+  #   # Display the VirtualBox GUI when booting the machine
+  #   vb.gui = true
+  #
+  #   # Customize the amount of memory on the VM:
+  #   vb.memory = "1024"
+  # end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+   config.vm.provision "shell", inline: <<-SHELL
+     apt-get update
+     apt-get upgrade
+     apt-get install -y vim wget curl
+    # apt-get install -y apache2
+   SHELL
+end

pre/pull-config

@@ -1,5 +1,12 @@
 #!/bin/bash
 
+if [ -z ${UREP+x} ]; then 
+	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2021.git 
+else 
+	echo "var is set to '$var'" 
+fi
+REPO=$(basename ${UREP})
+
 dir=/root/tools/ansible
 host=depl
 hostf=$host.sio.lan
@@ -7,7 +14,7 @@ repo=gsb
 
 [ -e $dir ] || mkdir -p $dir
 
-grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
+#grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
 
 cd  $dir
 
@@ -15,10 +22,11 @@ hostname  > hosts
 
 #git clone http://$host/$repo.git
 
-cd $repo
+#cd $repo
-git pull
+#git pull
 
-ansible-playbook -c local -i 'localhost,' $(hostname).yml
+#ansible-playbook -c local -i 'localhost,' $(hostname).yml
-#ansible-pull -i $dir/hosts -d $repo -U http://$host/$repo.git
+#ansible-pull -i $dir/hosts -d $repo -U "${UREP}"
+ansible-pull -i $dir/hosts  -U "${UREP}"
 
 exit 0

pull-config

@@ -1,24 +1,21 @@
 #!/bin/bash
 
+if [ -z ${UREP+x} ]; then 
+	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2021.git 
+fi
+REPO=$(basename ${UREP})
+
 dir=/root/tools/ansible
 host=depl
 hostf=$host.sio.lan
-repo=gsb
 
-[ -e $dir ] || mkdir -p $dir
+[ -e ${dir} ] || mkdir -p ${dir}
 
-grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
+#grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
 
-cd  $dir
+cd  ${dir}
 
 hostname  > hosts
-
+ansible-pull -i ${dir}/hosts  -U "${UREP}"
-#git clone http://$host/$repo.git
-
-cd $repo
-git pull
-
-ansible-playbook -c local -i 'localhost,' $(hostname).yml
-#ansible-pull -i $dir/hosts -d $repo -U http://$host/$repo.git
 
 exit 0

roles/apache2/tasks/main.yml

@@ -6,7 +6,7 @@
   apt: name={{ item }} state=present
   with_items:
     - apache2
-    - mysql-server
+    - mariadb-server
     - php-mysql
     - php
     - libapache2-mod-php

roles/goss/defaults/main.yml

@@ -0,0 +1,3 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore"
+depl_goss: "goss"
+

roles/goss/tasks/main.yml

@@ -5,6 +5,9 @@
   register: gossbin
  
 - name: install goss
-  shell: export https_proxy=http://10.121.38.1:8080  && curl -fsSL https://goss.rocks/install | sh
+  get_url: 
+    url: "{{ depl_url }}/{{ depl_goss }}"
+    dest: /usr/local/bin/{{ depl_goss }}
+    mode: 0755
   when: gossbin.stat.exists == False
 

roles/icinga/README.md

@@ -0,0 +1,117 @@
+# Instalation de NSClient++ sur la machine s-win
+
+En premier lieu, installer Mozilla Firefox via Internet Explorer.
+
+Une fois Mozilla intallé, installer NSClient++ avec ce lien: [NSClient++](https://nsclient.org/download/) 
+
+Puis choisir la version Windows
+
+# Etapes de l'installation 
+
+Sur l'étape **Select monitoring tool**, sélectionner **Generic**.
+
+Sur l'étape **Choose setup type**, sélectionner **Typical**.
+
+Sur l'étape **NSClient++ Configuration: 
+
+```
+
+Allowed hosts: 172.16.0.8
+
+Password: root
+
+```
+
+Activer **check plugins, check_nt et check_nrpe**.
+
+**Laisser NSCA client et web server désactivé**
+
+Cocher la case **Insecure legacy mode**
+
+
+Terminer l'installation.
+
+# Modification des fichiers
+
+Rendez vous dans le répertoire **C:\Programmes\NSClient++** puis ouvrez le fichier **nsclient** (celui avec un rouage).
+
+Une fois ouvert, modifier tout le fichier avec ceci:
+
+```
+
+#If you want to fill this file with all available options run the following command:
+#nscp settings --generate --add-defaults --load-all
+#If you want to activate a module and bring in all its options use:
+#nscp settings --activate-module <MODULE NAME> --add-defaults
+#For details run: nscp settings --help
+
+
+; in flight - TODO
+[/settings/default]
+
+; Undocumented key
+password = root
+
+; Undocumented key
+allowed hosts = 172.16.0.8
+
+
+; in flight - TODO
+[/settings/NRPE/server]
+
+; Undocumented key
+verify mode = none
+
+; Undocumented key
+insecure = true
+
+
+; in flight - TODO
+[/modules]
+
+; Undocumented key
+CheckExternalScripts = enabled
+
+; Undocumented key
+CheckHelpers = enabled
+
+; Undocumented key
+CheckEventLog = enabled
+
+; Undocumented key
+CheckNSCP = enabled
+
+; Undocumented key
+CheckDisk = enabled
+
+; Undocumented key
+CheckSystem = enabled
+
+; Undocumented key
+NSClientServer = enabled
+
+; Undocumented key
+NRPEServer = enabled
+
+``` 
+
+Redémarrez le service NSClient++ via le **cmd**:
+
+```
+
+services.msc
+
+```
+
+Puis clique droit sur le service **NCLient++ Monitoring Agent** et appuyer sur **Redémarrer**
+
+
+Retourner sur le serveur nagios puis écrire:
+
+```
+
+systemctl restart icinga
+
+```
+
+Les services de la machine **srv-2012** apparaissent en **OK**.

roles/icinga/files/cfg/hostgroups_icinga.cfg

@@ -15,13 +15,13 @@ define hostgroup {
 define hostgroup { 
 	hostgroup_name debian-servers 
 	alias		Serveurs distant
-	members        s-infra, s-proxy, r-int, r-ext, s-adm, s-test
+	members        s-infra, s-proxy, r-int, r-ext, s-adm, s-itil
 } 
 
 define hostgroup { 
 	hostgroup_name ssh-servers 
 	alias 		acces SSH 
-	members		s-adm, s-infra, s-proxy, r-int, r-ext, localhost, s-test, gwsio2	 
+	members		s-adm, s-infra, s-proxy, r-int, r-ext, localhost, gwsio2, s-itil	 
 }
 
 define hostgroup { 
@@ -39,7 +39,7 @@ define hostgroup {
 define hostgroup {
         hostgroup_name  http-servers
 		alias           serveurs-web
-		members         localhost 
+		members         localhost, s-itil 
         }
 
 #define hostgroup {
@@ -69,6 +69,6 @@ define hostgroup{
 define hostgroup{
 	hostgroup_name	uptimegrp
 	alias		uptimegrp
-	members		s-infra, s-proxy, r-int, r-ext, s-adm, s-test
+	members		s-infra, s-proxy, r-int, r-ext, s-adm, s-itil
 }
 

roles/icinga/files/cfg/s-itil.cfg

@@ -6,8 +6,9 @@
 
 define host{
         use                     generic-host            ; Name of host template to use
-        host_name               s-test
+        host_name               s-itil
-        alias                   machine test
+        alias                   debian-servers
-        address                 172.16.0.18
+        address                 172.16.0.9
 	parents			r-int
         }
+

roles/icinga/tasks/main.yml

@@ -6,7 +6,7 @@
     - snmp
     - icinga 
     - nagios-snmp-plugins
-    - python-passlib
+    - python3-passlib
     state: present
 
 - name: Copie de fichier icinga.conf pour apache  
@@ -33,6 +33,13 @@
   notify:
     - restart icinga
 
+- name: python3 par defaut
+  alternatives:
+    link: /usr/bin/python
+    name: python
+    path: /usr/bin/python3
+    priority: 10
+    
 - name: Changement de mot de passe de icingaadmin
   htpasswd:
     path: /etc/icinga/htpasswd.users
@@ -50,6 +57,14 @@
   notify:
     - restart icinga
 
+- name: attribution des droits dossier icinga
+  file:
+    path: /var/lib/icinga
+    owner: nagios
+    mode: 751
+    recurse: yes
+  notify:
+    - restart icinga
 
 - name: attribution des droits dossier icinga rw
   file:
@@ -60,29 +75,32 @@
   notify:
     - restart icinga
 
-- name: attribution des droits dossier icinga
+- name: activation des commandes externes
+  replace:
+    dest: /etc/icinga/icinga.cfg
+    regexp: 'check_external_commands=0'
+    replace: 'check_external_commands=1'
+  notify:
+    - restart icinga
+
+- name: reconfiguration des droits avec dpkg statoverride
+  shell: dpkg-statoverride --update --force-all --add nagios www-data 2710 /var/lib/icinga/rw
+
+- name: reconfiguration des droits avec dpkg statoverride
+  shell: dpkg-statoverride --update --force-all --add nagios nagios 751 /var/lib/icinga
+
+- name: suppression de checkresults
   file:
-    path: /var/lib/icinga
+    path: /var/lib/icinga/spool/checkresults
+    state: absent
+
+- name: creation du dossier checkresults avec droits de lecture
+  file:
+    path: /var/lib/icinga/spool/checkresults
+    state: directory
     owner: nagios     
-    mode: 751
+    group: root
-    recurse: yes 
+    mode: '755'
-  notify:
-    - restart icinga 
-
-
-- name: attribution des droits dossier var lib icinga
-  shell: chmod 2770 /var/lib/icinga/rw 
-  notify:
-    - stop icinga
-
-- name: attribution des droits dossier var lib icinga
-  file:
-    path: /var/lib/icinga/rw
-    owner: www-data
-    mode: 2710
-    recurse: yes
-  notify:
-    - restart icinga 
 
       #- name: Changement droit notif
       #  shell: chmod 644 /var/log/icinga/icinga.log
@@ -101,4 +119,6 @@
   debug: msg="Pour superviser le Windows, il faut installer NSClient++"
 
 - name: redemarrage apache 
-  shell: service apache2 restart
+  service:
+    name: apache2
+    state: restarted

roles/itil/defaults/main.yml

@@ -0,0 +1,5 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore/"
+depl_glpi: "glpi-9.5.3.tgz"
+depl_fusioninventory: "fusioninventory-9.5.0+1.0.tar.bz2"
+depl_fusioninventory_agentx64: "fusioninventory-agent_windows-x64_2.6.exe"
+depl_fusioninventory_agentx86: "fusioninventory-agent_windows-x86_2.6.exe"

roles/itil/tasks/main.yml

@@ -17,6 +17,8 @@
       - php-cas
       - python-mysqldb
       - mariadb-server
+      - python3-pymysql
+      - php-intl
 
   - name: Changement listen dans le fichier conf de php7.3
     replace:
@@ -29,7 +31,9 @@
     file: path=/etc/nginx/sites-enabled/default state=absent
 
   - name: Creation fichier block nginx
-    template: src=block.j2 dest=/etc/nginx/sites-enabled/glpi
+    template: 
+      src: block.j2 
+      dest: /etc/nginx/sites-enabled/glpi
 
   - name: Remplacement dans le fichier de conf php du timeout
     replace:
@@ -42,20 +46,32 @@
       - restart nginx
 
   - name: Creation de la base de donnee mysql
-    mysql_db: name={{ glpi_dbname }} state=present
+    mysql_db:
+      name: "{{ glpi_dbname }}"
+      state: present
+      login_unix_socket: /var/run/mysqld/mysqld.sock
 
   - name: Creation de l'utilisateur mysql avec tous les privileges
     mysql_user:
-           name={{ glpi_dbuser }}
+      name: "{{ glpi_dbuser }}"
-           password={{ glpi_dbpasswd }}
+      password: "{{ glpi_dbpasswd }}"
-           priv=*.*:ALL
+      priv: "*.*:ALL,GRANT"
+      login_unix_socket: /var/run/mysqld/mysqld.sock
+    with_items:
+      - 127.0.0.1
+#      - ::1
+#      - localhost  
 
   - name: Creation du repertoire {{ glpi_dir }}
-    file: path={{ glpi_dir }} state=directory owner=www-data group=www-data
+    file: 
+      path: "{{ glpi_dir }}"
+      state: directory
+      owner: www-data
+      group: www-data
 
   - name: Installation de GLPI
     unarchive:
-      src: http://depl/gsbstore/glpi-{{ glpi_version }}.tgz
+      src: "{{ depl_url }}/{{ depl_glpi }}"
       dest: /var/www/html
       remote_src: yes
       owner: www-data
@@ -68,6 +84,8 @@
     file:
       path: "{{ glpi_dir }}/plugins"
       mode: 0777
+      owner: www-data
+      group: www-data
       recurse: yes
 
   - name: Attribution des permissions
@@ -78,7 +96,8 @@
 
   - name: Installation de Fusioninventory pour Linux
     unarchive:
-      src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2
+      src: "{{ depl_url }}/{{ depl_fusioninventory }}"
+      #src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2
       dest: /var/www/html/glpi/plugins
       remote_src: yes
 
@@ -99,14 +118,22 @@
 
   - name: Installation de FusionInventory windows x64
     get_url:
-      url: http://depl/gsbstore/fusioninventory-agent_windows-{{ fd_version64 }}.exe
+      url: "{{ depl_url }}/{{ depl_fusioninventory_agentx64 }}"
       dest: "/var/www/html/ficlients"
 
   - name: Installation de FusionInventory windows x86
     get_url:
-      url: http://depl/gsbstore/fusioninventory-agent_windows-{{ fd_version86 }}.exe
+      url: "{{ depl_url }}/{{ depl_fusioninventory_agentx86 }}"
       dest: "/var/www/html/ficlients"
 
+  - name: Attribution des permissions sur repertoire /plugins/fusioninventory
+    file:
+      path: /var/www/html/glpi/plugins/fusioninventory
+      owner: www-data
+      group: www-data
+      recurse: yes
+      state: directory
+
   - name: Copie du script dbdump
     copy: src=dbdump dest=/root/
 

roles/local-store/files/getall-2021

@@ -0,0 +1,25 @@
+#!/bin/bash
+GLPIREL=9.5.3
+wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz
+ 
+FIREL=9.5+1.0
+#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz
+#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+
+FIAGREL=2.6 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe
+ 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe
+ 
+FOGREL=1.5.9
+wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz
+#https://github.com/FOGProject/fogproject/archive/1.5.9.tar.gz
+
+#wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
+wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz
+
+GOSSVER=v0.3.16
+curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss
+chmod +x goss 
+

roles/local-store/files/getall-latest

@@ -0,0 +1,25 @@
+#!/bin/bash
+GLPIREL=9.5.3
+wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz
+ 
+FIREL=9.5+1.0
+#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz
+#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+
+FIAGREL=2.6 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe
+ 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe
+ 
+FOGREL=1.5.9
+wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz
+#https://github.com/FOGProject/fogproject/archive/1.5.9.tar.gz
+
+#wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
+wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz
+
+GOSSVER=v0.3.16
+curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss
+chmod +x goss 
+

roles/local-store/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Installation bind9
+  file:  
+    path: /var/www/html/gsbstore/
+    state: directory
+    mode: '0755'
+
+- name: Copie getall-latest
+  copy:
+    src: getall-latest
+    dest: /var/www/html/gsbstore
+
+- name: Copie getall-2021
+  copy:
+    src: getall-2021
+    dest: /var/www/html/gsbstore
+

roles/post/tasks/main.yml

@@ -6,11 +6,11 @@
 
 - name: Copie resolv.conf
   copy: src=resolv.conf dest=/etc/
-  when: ansible_hostname != "s-adm"
+  when: ansible_hostname != "s-adm" and ansible_hostname != "s-proxy"
 
-- name: Copie resolv.conf
+- name: pas de chgt resolv.conf pour r-vp2
-  copy: src=resolv.conf dest=/etc/
+  meta: end_play
-  when: ansible_hostname != "s-proxy"
+  when: ansible_hostname == "r-vp2"
 
 - name: Copie resolv.conf pour s-proxy
   copy: src=resolv.conf.s-proxy dest=/etc/resolv.conf

roles/postfix/README.md

@@ -0,0 +1,40 @@
+# Post-installation de Postfix
+
+Entrer votre adresse mail et votre mot de passe dans le fichier /etc/postfix/sasl_passwd
+
+``` 
+
+nano /etc/postfix/sasl_passwd
+
+[smpt.gmail.com]:587 votreadresse@domaine.fr:motdepasse
+
+``` 
+
+Entrer votre addresse mail dans le fichier /etc/icinga/objects/contacts_icinga.cfg
+
+``` 
+
+nano /etc/icinga/objects/contacts_icinga.cfg
+
+define contact...
+
+email 			votreadresse@domaine.fr
+
+``` 
+Lancer la commande suivante pour prendre en compte la modification:
+
+```
+
+/usr/sbin/postmap /etc/postfix/sasl_passwd
+
+```
+
+Activer l'**Accès moins sécurisé des applications** depuis son compte google
+
+Désactiver un service puis vérifier ses mails (attendre 5 minutes entre chaque test)
+
+```
+
+tail -f /var/log/icinga/icinga.log pour vérifier l'envoi de l'email
+
+```

roles/postfix/tasks/main.yml

@@ -24,7 +24,7 @@
   shell: chmod 400 /etc/postfix/sasl_passwd
 
 - name: postmap
-  shell: postmap /etc/postfix/sasl_passwd
+  shell: /usr/sbin/postmap /etc/postfix/sasl_passwd
 
 - name: Copie thawte_Premium_Server_CA.pem
   copy: src=thawte_Premium_Server_CA.pem dest=/etc/ssl/certs/
@@ -34,3 +34,8 @@
   notify:
     - restart postfix
 
+- name: Changement des droits icinga.log
+  file:
+    path: /var/log/icinga/icinga.log
+    state: touch
+    mode: u=rw,g=w

roles/s-backup/files/backup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+BDIR=/home/backup
+SWIN=/tmp/s-win
+
+[ -d "${BDIR}" ] || mkdir "${BDIR}"
+[ -d "${BDIR}" ] || mkdir "${BDIR}/s-win"
+[ -d "${SWIN}" ] || mkdir "${SWIN}"
+
+mount -t cifs -o ro,vers=3.0,username=u-backup,password=Azerty1+ //s-win/commun "${SWIN}"
+if [ $? != 0 ] ; then
+	echo "$0 : erreur montage ${SWIN}"
+	exit 1
+fi
+rsync -av "${SWIN}/" "${BDIR}/s-win/commun"
+umount "${SWIN}"
+
+
+mount -t cifs -o ro,vers=3.0,username=u-backup,password=Azerty1+ //s-win/public "${SWIN}"
+if [ $? != 0 ] ; then
+	echo "$0 : erreur montage"
+	exit 2
+fi
+rsync -av "${SWIN}/" "${BDIR}/s-win/public"
+umount "${SWIN}"
+
+exit 0
+

roles/s-backup/files/delgsb.cmd

@@ -0,0 +1,4 @@
+rem azazazaz
+rmdir C:\gsb.lan /s /q
+net group g-compta /del
+net group g-prod /del

roles/s-backup/files/mkgsb.cmd

@@ -0,0 +1,11 @@
+rem regereger
+mkdir C:\gsb.lan\commun
+mkdir C:\gsb.lan\public
+net share commun=C:\gsb.lan\commun /grant:"utilisateurs DHCP",full
+net share public=C:\gsb.lan\public /grant:"utilisateurs DHCP",full
+net group g-compta /add
+net group g-prod /add
+icacls C:\gsb.lan\commun /grant Administrateurs:F
+icacls C:\gsb.lan\commun /grant g-compta:M
+icacls C:\gsb.lan\public /grant Administrateurs:F
+icacls C:\gsb.lan\public /grant g-prod:M

roles/s-backup/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: installation rsync et smbclient
+  apt:
+    name:
+    - rsync
+    - smbclient
+    - cifs-utils
+    state: present
+

roles/s-lb-wordpress/tasks/main.yml

@@ -5,7 +5,7 @@
     state: directory
  - name: download and extract wordpress
    unarchive: 
-    src: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz
+    src: http://depl/gsbstore/wordpress-5.6-fr_FR.tar.gz
     dest: /home/
     remote_src: yes
 

s-adm.yml

@@ -8,7 +8,7 @@
     - s-ssh
     - dnsmasq
     - squid
- #  - webautoconf
+    - local-store
     - snmp-agent
     - syslog-cli
     - post

s-backup.yml

@@ -9,3 +9,4 @@
 #   - ssh-cli
     - syslog-cli
     - post
+    - s-backup

s-mon.retry

@@ -0,0 +1 @@
+localhost

s-mon.yml

@@ -5,8 +5,8 @@
   roles:
     - base
     - goss
-    - icinga-fk
+    - icinga
-    - postfix-fk
+    - postfix
     - ssh-cli
     - syslog
     - post

vagrant/Vagrantfile

@@ -0,0 +1,22 @@
+Vagrant.configure("2") do |config|
+
+  config.vm.define "s-adm" do |sadm|
+    sadm.vm.box = "bento/debian-10.7"
+    sadm.vm.hostname = 's-adm'
+   sadm.vm.network :public_network, ip: "dhcp"
+   sadm.vm.network :private_network, ip: "192.168.99.99", mask: "24"
+
+    config.vm.provider :virtualbox do |v|
+      v.memory = 512
+#      v.cpus = 2
+    end
+  end
+
+  config.vm.define "s-infra" do |v|
+    v.vm.box = "bento/debian-10.7"
+    v.vm.hostname = 's-infra'
+    v.vm.network :private_network, ip: "192.168.99.1", mask: "24"
+    v.vm.network :private_network, ip: "172.16.0.1", mask: "24"
+  end
+end
+