Merge branch 'master' of https://gitea.lyc-lecastel.fr/gadmin/gsb2021

README.md

@@ -1,3 +1,15 @@
 # gsb2021
 
 Environnement et playbooks ansible pour le projet GSB 2021
+
+## Quickstart
+prérequis : une machine Debian buster
+
+
+## Les machines
+  * s-adm
+  * s-infra
+  * r-int
+  * r-ext
+  * s-proxy
+## Les playbooks

goss/s-proxy.yaml

@@ -10,6 +10,7 @@ port:
     listening: true
     ip:
     - '::'
+service:
   squid:
     enabled: true
     running: true
@@ -24,19 +25,17 @@ interface:
   enp0s3:
     exists: true
     addrs:
-    - 192.168.99.1/24
+    - 192.168.99.2/24
-  enp0s8
+    mtu: 1500
-    exists:  true
-    addrs:
-    - 192.168.99.1/24
   enp0s8:
-    exists:  true
+    exists: true
     addrs:
-    - 172.16.0.1/24
+    - 172.16.0.2/24
+    mtu: 1500
 http:
   http://localhost/wpad.dat:
     status: 200
     allow-insecure: false
     no-follow-redirects: false
     timeout: 5000
-    body:  []	
+    body: []

pre/Vagrantfile-s-adm

@@ -0,0 +1,77 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box = "debian/buster64"
+  config.vm.hostname = "s-adm"
+  config.vm.define "s-adm"
+  config.vm.provider :virtualbox do |vb|
+     vb.name = "s-adm"
+  end
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+   config.vm.network "public_network", ip: "192.168.1.91"
+   config.vm.network "private_network", ip: "192.168.99.99"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  # config.vm.provider "virtualbox" do |vb|
+  #   # Display the VirtualBox GUI when booting the machine
+  #   vb.gui = true
+  #
+  #   # Customize the amount of memory on the VM:
+  #   vb.memory = "1024"
+  # end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+   config.vm.provision "shell", inline: <<-SHELL
+     apt-get update
+     apt-get upgrade
+     apt-get install -y vim wget curl
+    # apt-get install -y apache2
+   SHELL
+end

pre/pull-config

@@ -1,5 +1,12 @@
 #!/bin/bash
 
+if [ -z ${UREP+x} ]; then 
+	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2021.git 
+else 
+	echo "var is set to '$var'" 
+fi
+REPO=$(basename ${UREP})
+
 dir=/root/tools/ansible
 host=depl
 hostf=$host.sio.lan
@@ -7,7 +14,7 @@ repo=gsb
 
 [ -e $dir ] || mkdir -p $dir
 
-grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
+#grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
 
 cd  $dir
 
@@ -15,10 +22,11 @@ hostname  > hosts
 
 #git clone http://$host/$repo.git
 
-cd $repo
+#cd $repo
-git pull
+#git pull
 
-ansible-playbook -c local -i 'localhost,' $(hostname).yml
+#ansible-playbook -c local -i 'localhost,' $(hostname).yml
-#ansible-pull -i $dir/hosts -d $repo -U http://$host/$repo.git
+#ansible-pull -i $dir/hosts -d $repo -U "${UREP}"
+ansible-pull -i $dir/hosts  -U "${UREP}"
 
 exit 0

pull-config

@@ -1,24 +1,21 @@
 #!/bin/bash
 
+if [ -z ${UREP+x} ]; then 
+	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2021.git 
+fi
+REPO=$(basename ${UREP})
+
 dir=/root/tools/ansible
 host=depl
 hostf=$host.sio.lan
-repo=gsb
 
-[ -e $dir ] || mkdir -p $dir
+[ -e ${dir} ] || mkdir -p ${dir}
 
-grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
+#grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
 
-cd  $dir
+cd  ${dir}
 
 hostname  > hosts
-
+ansible-pull -i ${dir}/hosts  -U "${UREP}"
-#git clone http://$host/$repo.git
-
-cd $repo
-git pull
-
-ansible-playbook -c local -i 'localhost,' $(hostname).yml
-#ansible-pull -i $dir/hosts -d $repo -U http://$host/$repo.git
 
 exit 0

roles/apache2/tasks/main.yml

@@ -6,7 +6,7 @@
   apt: name={{ item }} state=present
   with_items:
     - apache2
-    - mysql-server
+    - mariadb-server
     - php-mysql
     - php
     - libapache2-mod-php

roles/docker-nextcloud/files/docker-compose.yml

@@ -0,0 +1,33 @@
+version: '2'
+
+volumes:
+  nextcloud:
+  db:
+
+services:
+  db:
+    image: mariadb
+    restart: always
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    volumes:
+      - db:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=root
+      - MYSQL_PASSWORD=root
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+
+  app:
+    image: nextcloud
+    restart: always
+    ports:
+      - 5678:80
+    links:
+      - db
+    volumes:
+      - ./nextcloud:/var/www/html
+    environment:
+      - MYSQL_PASSWORD=root
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_HOST=db

roles/docker-nextcloud/files/get_docker.sh

@@ -0,0 +1,502 @@
+#!/bin/sh
+set -e
+# Docker CE for Linux installation script
+#
+# See https://docs.docker.com/install/ for the installation steps.
+#
+# This script is meant for quick & easy install via:
+#   $ curl -fsSL https://get.docker.com -o get-docker.sh
+#   $ sh get-docker.sh
+#
+# For test builds (ie. release candidates):
+#   $ curl -fsSL https://test.docker.com -o test-docker.sh
+#   $ sh test-docker.sh
+#
+# NOTE: Make sure to verify the contents of the script
+#       you downloaded matches the contents of install.sh
+#       located at https://github.com/docker/docker-install
+#       before executing.
+#
+# Git commit from https://github.com/docker/docker-install when
+# the script was uploaded (Should only be modified by upload job):
+SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4"
+
+
+# The channel to install from:
+#   * nightly
+#   * test
+#   * stable
+#   * edge (deprecated)
+DEFAULT_CHANNEL_VALUE="stable"
+if [ -z "$CHANNEL" ]; then
+	CHANNEL=$DEFAULT_CHANNEL_VALUE
+fi
+
+DEFAULT_DOWNLOAD_URL="https://download.docker.com"
+if [ -z "$DOWNLOAD_URL" ]; then
+	DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
+fi
+
+DEFAULT_REPO_FILE="docker-ce.repo"
+if [ -z "$REPO_FILE" ]; then
+	REPO_FILE="$DEFAULT_REPO_FILE"
+fi
+
+mirror=''
+DRY_RUN=${DRY_RUN:-}
+while [ $# -gt 0 ]; do
+	case "$1" in
+		--mirror)
+			mirror="$2"
+			shift
+			;;
+		--dry-run)
+			DRY_RUN=1
+			;;
+		--*)
+			echo "Illegal option $1"
+			;;
+	esac
+	shift $(( $# > 0 ? 1 : 0 ))
+done
+
+case "$mirror" in
+	Aliyun)
+		DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
+		;;
+	AzureChinaCloud)
+		DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
+		;;
+esac
+
+command_exists() {
+	command -v "$@" > /dev/null 2>&1
+}
+
+is_dry_run() {
+	if [ -z "$DRY_RUN" ]; then
+		return 1
+	else
+		return 0
+	fi
+}
+
+is_wsl() {
+	case "$(uname -r)" in
+	*microsoft* ) true ;; # WSL 2
+	*Microsoft* ) true ;; # WSL 1
+	* ) false;;
+	esac
+}
+
+is_darwin() {
+	case "$(uname -s)" in
+	*darwin* ) true ;;
+	*Darwin* ) true ;;
+	* ) false;;
+	esac
+}
+
+deprecation_notice() {
+	distro=$1
+	date=$2
+	echo
+	echo "DEPRECATION WARNING:"
+	echo "    The distribution, $distro, will no longer be supported in this script as of $date."
+	echo "    If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new"
+	echo
+	sleep 10
+}
+
+get_distribution() {
+	lsb_dist=""
+	# Every system that we officially support has /etc/os-release
+	if [ -r /etc/os-release ]; then
+		lsb_dist="$(. /etc/os-release && echo "$ID")"
+	fi
+	# Returning an empty string here should be alright since the
+	# case statements don't act unless you provide an actual value
+	echo "$lsb_dist"
+}
+
+add_debian_backport_repo() {
+	debian_version="$1"
+	backports="deb http://ftp.debian.org/debian $debian_version-backports main"
+	if ! grep -Fxq "$backports" /etc/apt/sources.list; then
+		(set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list")
+	fi
+}
+
+echo_docker_as_nonroot() {
+	if is_dry_run; then
+		return
+	fi
+	if command_exists docker && [ -e /var/run/docker.sock ]; then
+		(
+			set -x
+			$sh_c 'docker version'
+		) || true
+	fi
+	your_user=your-user
+	[ "$user" != 'root' ] && your_user="$user"
+	# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
+	echo "If you would like to use Docker as a non-root user, you should now consider"
+	echo "adding your user to the \"docker\" group with something like:"
+	echo
+	echo "  sudo usermod -aG docker $your_user"
+	echo
+	echo "Remember that you will have to log out and back in for this to take effect!"
+	echo
+	echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run"
+	echo "         containers which can be used to obtain root privileges on the"
+	echo "         docker host."
+	echo "         Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface"
+	echo "         for more information."
+
+}
+
+# Check if this is a forked Linux distro
+check_forked() {
+
+	# Check for lsb_release command existence, it usually exists in forked distros
+	if command_exists lsb_release; then
+		# Check if the `-u` option is supported
+		set +e
+		lsb_release -a -u > /dev/null 2>&1
+		lsb_release_exit_code=$?
+		set -e
+
+		# Check if the command has exited successfully, it means we're in a forked distro
+		if [ "$lsb_release_exit_code" = "0" ]; then
+			# Print info about current distro
+			cat <<-EOF
+			You're using '$lsb_dist' version '$dist_version'.
+			EOF
+
+			# Get the upstream release info
+			lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
+			dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
+
+			# Print info about upstream distro
+			cat <<-EOF
+			Upstream release is '$lsb_dist' version '$dist_version'.
+			EOF
+		else
+			if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
+				if [ "$lsb_dist" = "osmc" ]; then
+					# OSMC runs Raspbian
+					lsb_dist=raspbian
+				else
+					# We're Debian and don't even know it!
+					lsb_dist=debian
+				fi
+				dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
+				case "$dist_version" in
+					10)
+						dist_version="buster"
+					;;
+					9)
+						dist_version="stretch"
+					;;
+					8|'Kali Linux 2')
+						dist_version="jessie"
+					;;
+				esac
+			fi
+		fi
+	fi
+}
+
+semverParse() {
+	major="${1%%.*}"
+	minor="${1#$major.}"
+	minor="${minor%%.*}"
+	patch="${1#$major.$minor.}"
+	patch="${patch%%[-.]*}"
+}
+
+do_install() {
+	echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
+
+	if command_exists docker; then
+		docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)"
+		MAJOR_W=1
+		MINOR_W=10
+
+		semverParse "$docker_version"
+
+		shouldWarn=0
+		if [ "$major" -lt "$MAJOR_W" ]; then
+			shouldWarn=1
+		fi
+
+		if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then
+			shouldWarn=1
+		fi
+
+		cat >&2 <<-'EOF'
+			Warning: the "docker" command appears to already exist on this system.
+
+			If you already have Docker installed, this script can cause trouble, which is
+			why we're displaying this warning and provide the opportunity to cancel the
+			installation.
+
+			If you installed the current Docker package using this script and are using it
+		EOF
+
+		if [ $shouldWarn -eq 1 ]; then
+			cat >&2 <<-'EOF'
+			again to update Docker, we urge you to migrate your image store before upgrading
+			to v1.10+.
+
+			You can find instructions for this here:
+			https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
+			EOF
+		else
+			cat >&2 <<-'EOF'
+			again to update Docker, you can safely ignore this message.
+			EOF
+		fi
+
+		cat >&2 <<-'EOF'
+
+			You may press Ctrl+C now to abort this script.
+		EOF
+		( set -x; sleep 20 )
+	fi
+
+	user="$(id -un 2>/dev/null || true)"
+
+	sh_c='sh -c'
+	if [ "$user" != 'root' ]; then
+		if command_exists sudo; then
+			sh_c='sudo -E sh -c'
+		elif command_exists su; then
+			sh_c='su -c'
+		else
+			cat >&2 <<-'EOF'
+			Error: this installer needs the ability to run commands as root.
+			We are unable to find either "sudo" or "su" available to make this happen.
+			EOF
+			exit 1
+		fi
+	fi
+
+	if is_dry_run; then
+		sh_c="echo"
+	fi
+
+	# perform some very rudimentary platform detection
+	lsb_dist=$( get_distribution )
+	lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
+
+	if is_wsl; then
+		echo
+		echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
+		echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
+		echo
+		cat >&2 <<-'EOF'
+
+			You may press Ctrl+C now to abort this script.
+		EOF
+		( set -x; sleep 20 )
+	fi
+
+	case "$lsb_dist" in
+
+		ubuntu)
+			if command_exists lsb_release; then
+				dist_version="$(lsb_release --codename | cut -f2)"
+			fi
+			if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
+				dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
+			fi
+		;;
+
+		debian|raspbian)
+			dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
+			case "$dist_version" in
+				10)
+					dist_version="buster"
+				;;
+				9)
+					dist_version="stretch"
+				;;
+				8)
+					dist_version="jessie"
+				;;
+			esac
+		;;
+
+		centos|rhel)
+			if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
+				dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+			fi
+		;;
+
+		*)
+			if command_exists lsb_release; then
+				dist_version="$(lsb_release --release | cut -f2)"
+			fi
+			if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
+				dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+			fi
+		;;
+
+	esac
+
+	# Check if this is a forked Linux distro
+	check_forked
+
+	# Run setup for each distro accordingly
+	case "$lsb_dist" in
+		ubuntu|debian|raspbian)
+			pre_reqs="apt-transport-https ca-certificates curl"
+			if [ "$lsb_dist" = "debian" ]; then
+				# libseccomp2 does not exist for debian jessie main repos for aarch64
+				if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then
+					add_debian_backport_repo "$dist_version"
+				fi
+			fi
+
+			if ! command -v gpg > /dev/null; then
+				pre_reqs="$pre_reqs gnupg"
+			fi
+			apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
+			(
+				if ! is_dry_run; then
+					set -x
+				fi
+				$sh_c 'apt-get update -qq >/dev/null'
+				$sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null"
+				$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null"
+				$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
+				$sh_c 'apt-get update -qq >/dev/null'
+			)
+			pkg_version=""
+			if [ -n "$VERSION" ]; then
+				if is_dry_run; then
+					echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
+				else
+					# Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
+					pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist"
+					search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
+					pkg_version="$($sh_c "$search_command")"
+					echo "INFO: Searching repository for VERSION '$VERSION'"
+					echo "INFO: $search_command"
+					if [ -z "$pkg_version" ]; then
+						echo
+						echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
+						echo
+						exit 1
+					fi
+					search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
+					# Don't insert an = for cli_pkg_version, we'll just include it later
+					cli_pkg_version="$($sh_c "$search_command")"
+					pkg_version="=$pkg_version"
+				fi
+			fi
+			(
+				if ! is_dry_run; then
+					set -x
+				fi
+				if [ -n "$cli_pkg_version" ]; then
+					$sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null"
+				fi
+				$sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null"
+			)
+			echo_docker_as_nonroot
+			exit 0
+			;;
+		centos|fedora|rhel)
+			yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
+			if ! curl -Ifs "$yum_repo" > /dev/null; then
+				echo "Error: Unable to curl repository file $yum_repo, is it valid?"
+				exit 1
+			fi
+			if [ "$lsb_dist" = "fedora" ]; then
+				pkg_manager="dnf"
+				config_manager="dnf config-manager"
+				enable_channel_flag="--set-enabled"
+				disable_channel_flag="--set-disabled"
+				pre_reqs="dnf-plugins-core"
+				pkg_suffix="fc$dist_version"
+			else
+				pkg_manager="yum"
+				config_manager="yum-config-manager"
+				enable_channel_flag="--enable"
+				disable_channel_flag="--disable"
+				pre_reqs="yum-utils"
+				pkg_suffix="el"
+			fi
+			(
+				if ! is_dry_run; then
+					set -x
+				fi
+				$sh_c "$pkg_manager install -y -q $pre_reqs"
+				$sh_c "$config_manager --add-repo $yum_repo"
+
+				if [ "$CHANNEL" != "stable" ]; then
+					$sh_c "$config_manager $disable_channel_flag docker-ce-*"
+					$sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
+				fi
+				$sh_c "$pkg_manager makecache"
+			)
+			pkg_version=""
+			if [ -n "$VERSION" ]; then
+				if is_dry_run; then
+					echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
+				else
+					pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix"
+					search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
+					pkg_version="$($sh_c "$search_command")"
+					echo "INFO: Searching repository for VERSION '$VERSION'"
+					echo "INFO: $search_command"
+					if [ -z "$pkg_version" ]; then
+						echo
+						echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
+						echo
+						exit 1
+					fi
+					search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
+					# It's okay for cli_pkg_version to be blank, since older versions don't support a cli package
+					cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
+					# Cut out the epoch and prefix with a '-'
+					pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
+				fi
+			fi
+			(
+				if ! is_dry_run; then
+					set -x
+				fi
+				# install the correct cli version first
+				if [ -n "$cli_pkg_version" ]; then
+					$sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version"
+				fi
+				$sh_c "$pkg_manager install -y -q docker-ce$pkg_version"
+			)
+			echo_docker_as_nonroot
+			exit 0
+			;;
+		*)
+			if [ -z "$lsb_dist" ]; then
+				if is_darwin; then
+					echo
+					echo "ERROR: Unsupported operating system 'macOS'"
+					echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
+					echo
+					exit 1
+				fi
+			fi
+			echo
+			echo "ERROR: Unsupported distribution '$lsb_dist'"
+			echo
+			exit 1
+			;;
+	esac
+	exit 1
+}
+
+# wrapped up in a function so that we have some protection against only getting
+# half the file during "curl | sh"
+do_install

roles/docker-nextcloud/files/proxy

@@ -0,0 +1,100 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 8080 default_server;
+	listen [::]:8080 default_server;
+
+	location / {
+		proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://localhost:5678;
+		proxy_connect_timeout 900;
+		proxy_send_timeout 900;
+		proxy_read_timeout 900;
+	}
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+#	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+#	index index.html index.htm index.nginx-debian.html;
+
+#	server_name _;
+
+#	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+#		try_files $uri $uri/ =404;
+#	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}

roles/docker-nextcloud/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Creation du repertoire nextcloud
+  file:
+    path: /root/nextcloud
+    state: directory
+
+- name: Copie du script get_docker
+  copy: 
+    src: get_docker.sh
+    dest: /root/nextcloud
+
+- name: Execution du script get_docker
+  script: /root/nextcloud/get_docker.sh
+
+- name: Installation de docker-compose
+  shell: curl -L "https://github.com/docker/compose/releases/download/1.28.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+
+- name: Attribution des droits de docker compose
+  file:
+    path: /usr/local/bin/docker-compose
+    mode: '755'
+
+- name: Copie de docker-compose.yml
+  copy: 
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/docker-compose.yml
+    dest: /root/nextcloud
+
+- name: Execution du fichier docker-compose.yml
+  shell: docker-compose up -d
+  args:
+    chdir: /root/nextcloud

roles/fog/defaults/main.yml

@@ -0,0 +1,2 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore/"
+depl_fog: "fogproject-1.5.9.tar.gz"

roles/fog/tasks/main.yml

@@ -6,10 +6,10 @@
 
   - name: recuperation du fichier d'installation de fog
     get_url:
-      url: http://depl/gsbstore/fogproject-1.5.7.tar.gz
+      url: "{{ depl_url }}/{{ depl_fog }}"
       dest: /root/fog
 
   - name: decompression du fichier d'installation de fog
     unarchive:
-      src: /root/fog/fogproject-1.5.7.tar.gz
+      src: "/root/fog/{{ depl_fog }}"
       dest: /root/fog

roles/goss/defaults/main.yml

@@ -0,0 +1,3 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore"
+depl_goss: "goss"
+

roles/goss/tasks/main.yml

@@ -5,6 +5,9 @@
   register: gossbin
  
 - name: install goss
-  shell: export https_proxy=http://10.121.38.1:8080  && curl -fsSL https://goss.rocks/install | sh
+  get_url: 
+    url: "{{ depl_url }}/{{ depl_goss }}"
+    dest: /usr/local/bin/{{ depl_goss }}
+    mode: 0755
   when: gossbin.stat.exists == False
 

roles/icinga/README.md

@@ -0,0 +1,117 @@
+# Instalation de NSClient++ sur la machine s-win
+
+En premier lieu, installer Mozilla Firefox via Internet Explorer.
+
+Une fois Mozilla intallé, installer NSClient++ avec ce lien: [NSClient++](https://nsclient.org/download/) 
+
+Puis choisir la version Windows
+
+# Etapes de l'installation 
+
+Sur l'étape **Select monitoring tool**, sélectionner **Generic**.
+
+Sur l'étape **Choose setup type**, sélectionner **Typical**.
+
+Sur l'étape **NSClient++ Configuration: 
+
+```
+
+Allowed hosts: 172.16.0.8
+
+Password: root
+
+```
+
+Activer **check plugins, check_nt et check_nrpe**.
+
+**Laisser NSCA client et web server désactivé**
+
+Cocher la case **Insecure legacy mode**
+
+
+Terminer l'installation.
+
+# Modification des fichiers
+
+Rendez vous dans le répertoire **C:\Programmes\NSClient++** puis ouvrez le fichier **nsclient** (celui avec un rouage).
+
+Une fois ouvert, modifier tout le fichier avec ceci:
+
+```
+
+#If you want to fill this file with all available options run the following command:
+#nscp settings --generate --add-defaults --load-all
+#If you want to activate a module and bring in all its options use:
+#nscp settings --activate-module <MODULE NAME> --add-defaults
+#For details run: nscp settings --help
+
+
+; in flight - TODO
+[/settings/default]
+
+; Undocumented key
+password = root
+
+; Undocumented key
+allowed hosts = 172.16.0.8
+
+
+; in flight - TODO
+[/settings/NRPE/server]
+
+; Undocumented key
+verify mode = none
+
+; Undocumented key
+insecure = true
+
+
+; in flight - TODO
+[/modules]
+
+; Undocumented key
+CheckExternalScripts = enabled
+
+; Undocumented key
+CheckHelpers = enabled
+
+; Undocumented key
+CheckEventLog = enabled
+
+; Undocumented key
+CheckNSCP = enabled
+
+; Undocumented key
+CheckDisk = enabled
+
+; Undocumented key
+CheckSystem = enabled
+
+; Undocumented key
+NSClientServer = enabled
+
+; Undocumented key
+NRPEServer = enabled
+
+``` 
+
+Redémarrez le service NSClient++ via le **cmd**:
+
+```
+
+services.msc
+
+```
+
+Puis clique droit sur le service **NCLient++ Monitoring Agent** et appuyer sur **Redémarrer**
+
+
+Retourner sur le serveur nagios puis écrire:
+
+```
+
+systemctl restart icinga
+
+```
+
+Les services de la machine **srv-2012** apparaissent en **OK**.

roles/icinga/files/cfg/hostgroups_icinga.cfg

@@ -15,13 +15,13 @@ define hostgroup {
 define hostgroup { 
 	hostgroup_name debian-servers 
 	alias		Serveurs distant
-	members        s-infra, s-proxy, r-int, r-ext, s-adm, s-test
+	members        s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess
 } 
 
 define hostgroup { 
 	hostgroup_name ssh-servers 
 	alias 		acces SSH 
-	members		s-adm, s-infra, s-proxy, r-int, r-ext, localhost, s-test, gwsio2	 
+	members		s-adm, s-infra, s-proxy, r-int, r-ext, localhost, gwsio2, s-itil, s-mess, s-lb
 }
 
 define hostgroup { 
@@ -39,7 +39,7 @@ define hostgroup {
 define hostgroup {
         hostgroup_name  http-servers
 		alias           serveurs-web
-		members         localhost 
+		members         localhost, s-itil, s-adm
         }
 
 #define hostgroup {
@@ -69,6 +69,7 @@ define hostgroup{
 define hostgroup{
 	hostgroup_name	uptimegrp
 	alias		uptimegrp
-	members		s-infra, s-proxy, r-int, r-ext, s-adm, s-test
+	members		s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess, s-lb
 }
 
+

roles/icinga/files/cfg/s-itil.cfg

@@ -6,8 +6,9 @@
 
 define host{
         use                     generic-host            ; Name of host template to use
-        host_name               s-test
+        host_name               s-itil
-        alias                   machine test
+        alias                   debian-servers
-        address                 172.16.0.18
+        address                 172.16.0.9
 	parents			r-int
         }
+

roles/icinga/files/cfg/s-lb.cfg

@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+# 
+
+define host{
+        use                     generic-host            ; Name of host template$
+        host_name               s-lb
+        alias                   debian-servers
+        address                 192.168.100.10
+        parents                 r-int
+        }
+

roles/icinga/files/cfg/s-mess.cfg

@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+# 
+
+define host{
+        use                     generic-host            ; Name of host template$
+        host_name               s-mess
+        alias                   nextcloud
+        address                 172.16.0.7
+        parents                 r-int
+        }
+

roles/icinga/tasks/main.yml

@@ -6,7 +6,7 @@
     - snmp
     - icinga 
     - nagios-snmp-plugins
-    - python-passlib
+    - python3-passlib
     state: present
 
 - name: Copie de fichier icinga.conf pour apache  
@@ -33,6 +33,13 @@
   notify:
     - restart icinga
 
+- name: python3 par defaut
+  alternatives:
+    link: /usr/bin/python
+    name: python
+    path: /usr/bin/python3
+    priority: 10
+    
 - name: Changement de mot de passe de icingaadmin
   htpasswd:
     path: /etc/icinga/htpasswd.users
@@ -50,6 +57,14 @@
   notify:
     - restart icinga
 
+- name: attribution des droits dossier icinga
+  file:
+    path: /var/lib/icinga
+    owner: nagios
+    mode: 751
+    recurse: yes
+  notify:
+    - restart icinga
 
 - name: attribution des droits dossier icinga rw
   file:
@@ -60,29 +75,32 @@
   notify:
     - restart icinga
 
-- name: attribution des droits dossier icinga
+- name: activation des commandes externes
+  replace:
+    dest: /etc/icinga/icinga.cfg
+    regexp: 'check_external_commands=0'
+    replace: 'check_external_commands=1'
+  notify:
+    - restart icinga
+
+- name: reconfiguration des droits avec dpkg statoverride
+  shell: dpkg-statoverride --update --force-all --add nagios www-data 2710 /var/lib/icinga/rw
+
+- name: reconfiguration des droits avec dpkg statoverride
+  shell: dpkg-statoverride --update --force-all --add nagios nagios 751 /var/lib/icinga
+
+- name: suppression de checkresults
   file:
-    path: /var/lib/icinga
+    path: /var/lib/icinga/spool/checkresults
+    state: absent
+
+- name: creation du dossier checkresults avec droits de lecture
+  file:
+    path: /var/lib/icinga/spool/checkresults
+    state: directory
     owner: nagios     
-    mode: 751
+    group: root
-    recurse: yes 
+    mode: '755'
-  notify:
-    - restart icinga 
-
-
-- name: attribution des droits dossier var lib icinga
-  shell: chmod 2770 /var/lib/icinga/rw 
-  notify:
-    - stop icinga
-
-- name: attribution des droits dossier var lib icinga
-  file:
-    path: /var/lib/icinga/rw
-    owner: www-data
-    mode: 2710
-    recurse: yes
-  notify:
-    - restart icinga 
 
       #- name: Changement droit notif
       #  shell: chmod 644 /var/log/icinga/icinga.log
@@ -101,4 +119,6 @@
   debug: msg="Pour superviser le Windows, il faut installer NSClient++"
 
 - name: redemarrage apache 
-  shell: service apache2 restart
+  service:
+    name: apache2
+    state: restarted

roles/itil/defaults/main.yml

@@ -0,0 +1,5 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore/"
+depl_glpi: "glpi-9.5.3.tgz"
+depl_fusioninventory: "fusioninventory-9.5.0+1.0.tar.bz2"
+depl_fusioninventory_agentx64: "fusioninventory-agent_windows-x64_2.6.exe"
+depl_fusioninventory_agentx86: "fusioninventory-agent_windows-x86_2.6.exe"

roles/itil/tasks/main.yml

@@ -17,6 +17,8 @@
       - php-cas
       - python-mysqldb
       - mariadb-server
+      - python3-pymysql
+      - php-intl
 
   - name: Changement listen dans le fichier conf de php7.3
     replace:
@@ -29,7 +31,9 @@
     file: path=/etc/nginx/sites-enabled/default state=absent
 
   - name: Creation fichier block nginx
-    template: src=block.j2 dest=/etc/nginx/sites-enabled/glpi
+    template: 
+      src: block.j2 
+      dest: /etc/nginx/sites-enabled/glpi
 
   - name: Remplacement dans le fichier de conf php du timeout
     replace:
@@ -42,20 +46,32 @@
       - restart nginx
 
   - name: Creation de la base de donnee mysql
-    mysql_db: name={{ glpi_dbname }} state=present
+    mysql_db:
+      name: "{{ glpi_dbname }}"
+      state: present
+      login_unix_socket: /var/run/mysqld/mysqld.sock
 
   - name: Creation de l'utilisateur mysql avec tous les privileges
     mysql_user:
-           name={{ glpi_dbuser }}
+      name: "{{ glpi_dbuser }}"
-           password={{ glpi_dbpasswd }}
+      password: "{{ glpi_dbpasswd }}"
-           priv=*.*:ALL
+      priv: "*.*:ALL,GRANT"
+      login_unix_socket: /var/run/mysqld/mysqld.sock
+    with_items:
+      - 127.0.0.1
+#      - ::1
+#      - localhost  
 
   - name: Creation du repertoire {{ glpi_dir }}
-    file: path={{ glpi_dir }} state=directory owner=www-data group=www-data
+    file: 
+      path: "{{ glpi_dir }}"
+      state: directory
+      owner: www-data
+      group: www-data
 
   - name: Installation de GLPI
     unarchive:
-      src: http://depl/gsbstore/glpi-{{ glpi_version }}.tgz
+      src: "{{ depl_url }}/{{ depl_glpi }}"
       dest: /var/www/html
       remote_src: yes
       owner: www-data
@@ -68,6 +84,8 @@
     file:
       path: "{{ glpi_dir }}/plugins"
       mode: 0777
+      owner: www-data
+      group: www-data
       recurse: yes
 
   - name: Attribution des permissions
@@ -78,7 +96,8 @@
 
   - name: Installation de Fusioninventory pour Linux
     unarchive:
-      src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2
+      src: "{{ depl_url }}/{{ depl_fusioninventory }}"
+      #src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2
       dest: /var/www/html/glpi/plugins
       remote_src: yes
 
@@ -99,14 +118,22 @@
 
   - name: Installation de FusionInventory windows x64
     get_url:
-      url: http://depl/gsbstore/fusioninventory-agent_windows-{{ fd_version64 }}.exe
+      url: "{{ depl_url }}/{{ depl_fusioninventory_agentx64 }}"
       dest: "/var/www/html/ficlients"
 
   - name: Installation de FusionInventory windows x86
     get_url:
-      url: http://depl/gsbstore/fusioninventory-agent_windows-{{ fd_version86 }}.exe
+      url: "{{ depl_url }}/{{ depl_fusioninventory_agentx86 }}"
       dest: "/var/www/html/ficlients"
 
+  - name: Attribution des permissions sur repertoire /plugins/fusioninventory
+    file:
+      path: /var/www/html/glpi/plugins/fusioninventory
+      owner: www-data
+      group: www-data
+      recurse: yes
+      state: directory
+
   - name: Copie du script dbdump
     copy: src=dbdump dest=/root/
 

roles/local-store/files/getall-2021

@@ -0,0 +1,25 @@
+#!/bin/bash
+GLPIREL=9.5.3
+wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz
+ 
+FIREL=9.5+1.0
+#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz
+#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+
+FIAGREL=2.6 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe
+ 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe
+ 
+FOGREL=1.5.9
+wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz
+#https://github.com/FOGProject/fogproject/archive/1.5.9.tar.gz
+
+#wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
+wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz
+
+GOSSVER=v0.3.16
+curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss
+chmod +x goss 
+

roles/local-store/files/getall-latest

@@ -0,0 +1,25 @@
+#!/bin/bash
+GLPIREL=9.5.3
+wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz
+ 
+FIREL=9.5+1.0
+#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz
+#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+
+FIAGREL=2.6 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe
+ 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe
+ 
+FOGREL=1.5.9
+wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz
+#https://github.com/FOGProject/fogproject/archive/1.5.9.tar.gz
+
+#wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
+wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz
+
+GOSSVER=v0.3.16
+curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss
+chmod +x goss 
+

roles/local-store/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Installation bind9
+  file:  
+    path: /var/www/html/gsbstore/
+    state: directory
+    mode: '0755'
+
+- name: Copie getall-latest
+  copy:
+    src: getall-latest
+    dest: /var/www/html/gsbstore
+
+- name: Copie getall-2021
+  copy:
+    src: getall-2021
+    dest: /var/www/html/gsbstore
+

roles/mariadb-ab/tasks/main.yml

@@ -2,15 +2,42 @@
 - name: Installation des paquets python-mysqldb mariadb-server
   apt: 
     name:
-    - python-mysqldb
+    - python3-mysqldb
     - mariadb-server
+    - python3-passlib
+    - python3-pymysql
     state: present
 
+- name: python3 par defaut
+  alternatives:
+    link: /usr/bin/python
+    name: python
+    path: /usr/bin/python3
+    priority: 10
+
 - name: Create mysql database
-  mysql_db: name={{ maria_dbname }} state=present
+  mysql_db: 
+    name: "{{ maria_dbname }}" 
+    state: present
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Creation de l'utilisateur mysql avec tous les privileges
+  mysql_user:
+    name: "{{ maria_dbuser }}"
+    password: "{{ maria_dbpasswd }}"
+    priv: '*.*:ALL,GRANT'
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+  with_items:
+    - "127.0.0.1"
+#    - ::1
+#    - localhost
 
 - name: Copie du fichier my.cnf pour autorises toutes les adresses sur le port 3306
-  copy : src=my.cnf dest=/etc/mysql/
+  copy:
+    src: my.cnf
+    dest: /etc/mysql/
  
 - name: Redemarrage du service mariadb
-  shell: service mariadb restart
+  service: 
+    name: mariadb
+    state: restarted

roles/post/files/interfaces.r-vp1

@@ -1,6 +1,5 @@
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
-
 # The loopback network interface
 #auto lo
 #iface lo inet loopback
@@ -22,7 +21,10 @@ allow-hotplug enp0s9
 iface enp0s9 inet static
 	address 192.168.1.2
 	netmask 255.255.255.0
-	up route add -net 172.16.128.0/24 gw 192.168.1.2
+	post-up /usr/sbin/ip route add 172.16.128.0/24 via 192.168.1.2
+	post-up /usr/sbin/ip route add 172.16.0.0/24 via 192.168.1.1
+	post-up /usr/sbin/ip route add 192.168.200.0/24 via 192.168.1.1
+
 #	up route add -net 172.16.128.0/24 gw 192.168.0.52
 #	up route add default gw 192.168.1.1
 #	post-up /bin/bash /root/iptables-vpn

roles/post/files/interfaces.r-vp2

@@ -1,6 +1,5 @@
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
-
 # The loopback network interface
 #auto lo
 #iface lo inet loopback
@@ -22,7 +21,9 @@ allow-hotplug enp0s9
 iface enp0s9 inet static
 	address 192.168.0.52
 	netmask 255.255.255.0
-#	up route add -net 192.168.1.0/24 gw 172.16.128.254
+	post-up /usr/sbin/ip route add 192.168.1.0/24 via 172.16.128.254/24
-	up route add -net 192.168.1.0/24 gw 192.168.0.52
+	post-up /usr/sbin/ip route add 172.16.0.0/24 via 172.16.128.254/24
+
+#	up route add -net 192.168.1.0/24 gw 192.168.0.52
 #	post-up /bin/bash /root/iptables-vpn
 	post-up /etc/init.d/ipsec restart

roles/post/files/interfaces.s-agence

@@ -9,3 +9,6 @@ iface lo inet loopback
 allow-hotplug enp0s3
 iface enp0s3 inet dhcp
 
+allow-hotplug enp0s8
+iface enp0s8 inet dhcp
+

roles/post/tasks/main.yml

@@ -6,11 +6,11 @@
 
 - name: Copie resolv.conf
   copy: src=resolv.conf dest=/etc/
-  when: ansible_hostname != "s-adm"
+  when: ansible_hostname != "s-adm" and ansible_hostname != "s-proxy"
 
-- name: Copie resolv.conf
+- name: pas de chgt resolv.conf pour r-vp2
-  copy: src=resolv.conf dest=/etc/
+  meta: end_play
-  when: ansible_hostname != "s-proxy"
+  when: ansible_hostname == "r-vp2"
 
 - name: Copie resolv.conf pour s-proxy
   copy: src=resolv.conf.s-proxy dest=/etc/resolv.conf

roles/postfix/README.md

@@ -0,0 +1,40 @@
+# Post-installation de Postfix
+
+Entrer votre adresse mail et votre mot de passe dans le fichier /etc/postfix/sasl_passwd
+
+``` 
+
+nano /etc/postfix/sasl_passwd
+
+[smpt.gmail.com]:587 votreadresse@domaine.fr:motdepasse
+
+``` 
+
+Entrer votre addresse mail dans le fichier /etc/icinga/objects/contacts_icinga.cfg
+
+``` 
+
+nano /etc/icinga/objects/contacts_icinga.cfg
+
+define contact...
+
+email 			votreadresse@domaine.fr
+
+``` 
+Lancer la commande suivante pour prendre en compte la modification:
+
+```
+
+/usr/sbin/postmap /etc/postfix/sasl_passwd
+
+```
+
+Activer l'**Accès moins sécurisé des applications** depuis son compte google
+
+Désactiver un service puis vérifier ses mails (attendre 5 minutes entre chaque test)
+
+```
+
+tail -f /var/log/icinga/icinga.log pour vérifier l'envoi de l'email
+
+```

roles/postfix/tasks/main.yml

@@ -24,7 +24,7 @@
   shell: chmod 400 /etc/postfix/sasl_passwd
 
 - name: postmap
-  shell: postmap /etc/postfix/sasl_passwd
+  shell: /usr/sbin/postmap /etc/postfix/sasl_passwd
 
 - name: Copie thawte_Premium_Server_CA.pem
   copy: src=thawte_Premium_Server_CA.pem dest=/etc/ssl/certs/
@@ -34,3 +34,8 @@
   notify:
     - restart postfix
 
+- name: Changement des droits icinga.log
+  file:
+    path: /var/log/icinga/icinga.log
+    state: touch
+    mode: u=rw,g=w

roles/s-backup/files/backup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+BDIR=/home/backup
+SWIN=/tmp/s-win
+
+[ -d "${BDIR}" ] || mkdir "${BDIR}"
+[ -d "${BDIR}" ] || mkdir "${BDIR}/s-win"
+[ -d "${SWIN}" ] || mkdir "${SWIN}"
+
+mount -t cifs -o ro,vers=3.0,username=u-backup,password=Azerty1+ //s-win/commun "${SWIN}"
+if [ $? != 0 ] ; then
+	echo "$0 : erreur montage ${SWIN}"
+	exit 1
+fi
+rsync -av "${SWIN}/" "${BDIR}/s-win/commun"
+umount "${SWIN}"
+
+
+mount -t cifs -o ro,vers=3.0,username=u-backup,password=Azerty1+ //s-win/public "${SWIN}"
+if [ $? != 0 ] ; then
+	echo "$0 : erreur montage"
+	exit 2
+fi
+rsync -av "${SWIN}/" "${BDIR}/s-win/public"
+umount "${SWIN}"
+
+exit 0
+

roles/s-backup/files/delgsb.cmd

@@ -0,0 +1,4 @@
+rem azazazaz
+rmdir C:\gsb.lan /s /q
+net group g-compta /del
+net group g-prod /del

roles/s-backup/files/mkgsb.cmd

@@ -0,0 +1,11 @@
+rem regereger
+mkdir C:\gsb.lan\commun
+mkdir C:\gsb.lan\public
+net share commun=C:\gsb.lan\commun /grant:"utilisateurs DHCP",full
+net share public=C:\gsb.lan\public /grant:"utilisateurs DHCP",full
+net group g-compta /add
+net group g-prod /add
+icacls C:\gsb.lan\commun /grant Administrateurs:F
+icacls C:\gsb.lan\commun /grant g-compta:M
+icacls C:\gsb.lan\public /grant Administrateurs:F
+icacls C:\gsb.lan\public /grant g-prod:M

roles/s-backup/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: installation rsync et smbclient
+  apt:
+    name:
+    - rsync
+    - smbclient
+    - cifs-utils
+    state: present
+

roles/s-lb-ab/files/haproxy.cfg

@@ -44,7 +44,7 @@ backend fermeweb
 	#option httpchk HEAD / HTTP/1.0
 	server s-lb-web1 192.168.101.1:80 check
 	server s-lb-web2 192.168.101.2:80 check
-
+#	server s-lb-web3 192.168.101.3:80 check
 
 listen stats
 	bind	*:8080

roles/s-lb-wordpress/defaults/main.yml

@@ -0,0 +1,2 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore/"
+depl_wordpress: "wordpress-5.6-fr_FR.tar.gz"

roles/s-lb-wordpress/tasks/main.yml

@@ -5,9 +5,11 @@
     state: directory
  - name: download and extract wordpress
    unarchive: 
-    src: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz
+    src: "{{ depl_url }}/{{ depl_wordpress }}"
     dest: /home/
     remote_src: yes
+    owner: www-data
+    group: www-data
 
  - name: Copy sample config file
    command: mv /home/wordpress/wp-config-sample.php /home/wordpress/wp-config.php creates=/home/wordpress/wp-config.php
@@ -23,6 +25,14 @@
      - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', '{{wp_mysql_user}}');"}        
      - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', '{{wp_mysql_password}}');"}
 
+
+ - name: Attributions des permissions
+   file:
+     path: /home/wordpress
+     recurse: yes
+     owner: 33
+     group: 33
+
 # - name: Fix permissions
 #   shell: chown -R www-data /var/www/wordpress/*
 #

roles/vpn-stg-l/files/ipsec.conf

@@ -7,7 +7,7 @@ conn tunnel #
         left=192.168.0.52
         leftsubnet=172.16.128.0/24
         right=192.168.0.51
-        rightsubnet=192.168.0.0/16, 172.16.0.0/24
+        rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
         ike=aes256-sha2_256-modp1024!
         esp=aes256-sha2_256!
         keyingtries=0
@@ -20,3 +20,4 @@ conn tunnel #
         auto=start
         keyexchange=ikev2
         type=tunnel
+#

roles/vpn-stg-r/files/ipsec.conf

@@ -5,7 +5,7 @@ config setup
 conn %default
 conn tunnel #
         left=192.168.0.51
-        leftsubnet=192.168.0.0/16, 172.16.0.0/24
+        leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
         right=192.168.0.52
         rightsubnet=172.16.128.0/24
         ike=aes256-sha2_256-modp1024!
@@ -20,3 +20,4 @@ conn tunnel #
         auto=start
         keyexchange=ikev2
         type=tunnel
+#

s-adm.yml

@@ -8,7 +8,7 @@
     - s-ssh
     - dnsmasq
     - squid
- #  - webautoconf
+    - local-store
     - snmp-agent
     - syslog-cli
     - post

s-agence.yml

@@ -7,3 +7,4 @@
     - ssh-cli
     - syslog-cli
     - post
+    - goss

s-backup.yml

@@ -9,3 +9,4 @@
 #   - ssh-cli
     - syslog-cli
     - post
+    - s-backup

s-lb-bd.retry

@@ -0,0 +1 @@
+localhost

s-mess.retry

@@ -0,0 +1 @@
+localhost

s-mess.yml

@@ -4,7 +4,7 @@
 
   roles:
     - base
-    - docker-iredmail-ab
+    - docker-nextcloud
     - ssh-cli
     - syslog-cli
     - snmp-agent

s-mon.retry

@@ -0,0 +1 @@
+localhost

s-mon.yml

@@ -5,8 +5,8 @@
   roles:
     - base
     - goss
-    - icinga-fk
+    - icinga
-    - postfix-fk
+    - postfix
     - ssh-cli
     - syslog
     - post

s-nas.retry

@@ -0,0 +1 @@
+localhost