Mise à jour de 'roles/dns-master/files/db.gsb.lan'

README.md

@@ -12,4 +12,48 @@ prérequis : une machine Debian buster
   * r-int
   * r-ext
   * s-proxy
+
+
 ## Les playbooks
+
+
+## Installation
+
+On utilisera l'image de machine virtuelle suivante : 
+  * **debian-buster-gsb-2021b.ova** (2021-03-31)
+    * Bebian Buster 10.9 - 2 cartes - 1 Go - stockage 20 Go
+
+
+### Machine s-adm
+  * créer la machine virtuelle **s-adm** en important l'image ova décrite plus haut
+  * renommer la machine puis redémarrer
+  * taper :
+```shell
+    mkdir -p tools/ansible ; cd tools/ansible
+    git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2021.git
+    cd gsb2021/pre
+    bash inst-depl
+    cd /var/www/html/gsbstore
+    bash getall
+    cd /root/tools/ansible/gsb021/pre
+    bash gsbboot
+    cd .. ; bash pull-config/pre
+```
+  - redémarrer
+  
+### Pour chaque machine
+
+  - importer la machine à partir du fichier **.ova**
+  - définir les cartes réseau en accord avec le plan d'adressage et le schéma
+  - donner le nom adapté (avec sed -i …)
+  - redémarrer
+  - mettre à jour les paquets : apt update && apt upgrade
+  - cloner le dépot : 
+```shell
+mkdir -p tools/ansible ; cd tools/ansible
+git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2021.git
+cd gsb2021/pre
+export DEPL=192.168.99.99
+bash gsbboot
+bash pull-config
+```

goss/s-agence.yaml

@@ -0,0 +1,39 @@
+command:
+  ip r:
+    exit-status: 0
+    stdout:
+    - default via 172.16.128.254 dev enp0s8
+    - 172.16.128.0/24
+    - 192.168.99.0/24
+    stderr: []
+    timeout: 10000
+  ping -c 2 172.16.128.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.1.2:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.1.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.200.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000

pre/gsbboot

@@ -0,0 +1,54 @@
+#!/bin/bash
+version="1.8"
+__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+__file="${__dir}/$(basename "${BASH_SOURCE[0]}")"
+__base="$(basename ${__file})"
+__root="$(cd "$(dirname "${__dir}")" && pwd)" 
+echo "dir : ${__dir}"
+echo "file : ${__file}"
+echo "base : ${__base}"
+echo "root : ${__root}"
+
+# version 1.8
+# install git si besoin
+# install ansible si besoin + backports si wheezy
+
+readonly base=/root/tools/ansible
+readonly slist=/etc/apt/sources.list
+readonly host=depl
+if [[ -z ${DEPL+x} ]]; then
+  echo "erreur : DEPL indefini"
+  echo " DEPL : adresse serveur deploiement"
+  echo "export DEPL=xyzt ; ./$0"
+  exit 1
+fi
+
+hostf="${host}.local" 
+prj=gsb
+APT=apt
+
+which git >> /dev/null
+if [[ $? != 0 ]]; then
+	${APT} update
+	echo "installation de git ..."
+	${APT} install -y git-core
+fi
+${APT} update
+${APT} upgrade -y
+
+which ansible >> /dev/null
+if [[ $? != 0 ]]; then
+	echo "installation de ansible ..."
+	${APT} install -y ansible 
+fi
+
+[ -e "${base}" ] || mkdir -p "${base}"
+
+grep "${hostf}" /etc/hosts > /dev/null || echo "${DEPL} ${hostf} ${host}" >> /etc/hosts
+cd "${base}"
+
+cp ${prj}/pull-config ${base}
+
+#echo "N'oubliez pasz d'indiquer l'adresse DEPL dans '/root/tools/ansible/pull-config'"
+echo "Vous pouvez lancer 'bash pull-config' depuis ${base} ..."
+

pre/inst-depl

@@ -1,46 +1,39 @@
 #!/bin/bash
+## ps : 2021-04-01 15:25
+
 set -o errexit
 set -o pipefail
 GITUSR=gitgsb
-GITPRJ=gsb
+GITPRJ=gsb2021
 apt update && apt upgrade
 apt install -y apache2 git 
-getent passwd "${GITUSR}" >> /dev/null
+STOREREP="/var/www/html/gsbstore" 
-if [[ $? != 0 ]]; then
+[[ -d "${STOREREP}" ]]|| mkdir "${STOREREP}"
-  echo "creation utilisateur "${GITUSR}" ..."
-  /sbin/useradd -m -d /home/"${GITUSR}" -s /bin/bash "${GITUSR}" 
-  echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd 
-else
-  echo "utilisateur "${GITUSR}" existant..."
-fi
-su -c "git init --share --bare /home/${GITUSR}/${GITPRJ}.git" "${GITUSR}"
-su -c "cd ${GITPRJ}.git/.git/hooks && mv post-update.sample post-update" "${GITUSR}"
-[[ -h /var/www/html/"${GITPRJ}".git ]]|| ln -s /home/"${GITUSR}"/"${GITPRJ}".git /var/www/html/"${GITPRJ}".git
-[[ -d /var/www/html/gsbstore ]]|| mkdir /var/www/html/gsbstore
- 
-(cat <<EOT > /var/www/html/gsbstore/getall
  
+(cat <<EOT > "${STOREREP}/getall"
 #!/bin/bash
 
-set -o errexit
+LPIREL=9.5.3
-set -o pipefail
+wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz
  
-GLPIREL=9.4.5
+FIREL=9.5+1.0
-wget -nc https://github.com/glpi-project/glpi/releases/download/\${GLPIREL}/glpi-\${GLPIREL}.tgz
+#wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.gz
+#https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
+wget -nc https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5.0%2B1.0/fusioninventory-9.5.0+1.0.tar.bz2
 
-FIREL=9.4+2.4
+FIAGREL=2.6 
-wget -nc -O fusioninventory-glpi\${FIREL}.tag.gz https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi\${FIREL}.tar.gz 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe
-#https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi9.4+2.4.tar.g 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe
  
-FIAGREL=2.5.2 
+FOGREL=1.5.9
-wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\${FIAGREL}/fusioninventory-agent_windows-x64_\${FIAGREL}.exe
+wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz
 
-wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\$FIAGREL/fusioninventory-agent_windows-x86_\${FIAGREL}.exe
+WPREL=5.6
+wget -nc https://fr.wordpress.org/wordpress-5.6-fr_FR.tar.gz
 
-FOGREL=1.5.7
+GOSSVER=v0.3.16
-wget -nc https://github.com/FOGProject/fogproject/archive/\${FOGREL}.tar.gz -O fogproject-\${FOGREL}.tar.gz
+curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss
- 
+chmod +x goss 
-wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
 
 EOT
 )

pre/inst-depl.old

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+GITUSR=gitgsb
+GITPRJ=gsb
+apt update && apt upgrade
+apt install -y apache2 git 
+getent passwd "${GITUSR}" >> /dev/null
+if [[ $? != 0 ]]; then
+  echo "creation utilisateur "${GITUSR}" ..."
+  /sbin/useradd -m -d /home/"${GITUSR}" -s /bin/bash "${GITUSR}" 
+  echo "${GITUSR}:${GITUSR}" | /sbin/chpasswd 
+else
+  echo "utilisateur "${GITUSR}" existant..."
+fi
+su -c "git init --share --bare /home/${GITUSR}/${GITPRJ}.git" "${GITUSR}"
+su -c "cd ${GITPRJ}.git/.git/hooks && mv post-update.sample post-update" "${GITUSR}"
+[[ -h /var/www/html/"${GITPRJ}".git ]]|| ln -s /home/"${GITUSR}"/"${GITPRJ}".git /var/www/html/"${GITPRJ}".git
+[[ -d /var/www/html/gsbstore ]]|| mkdir /var/www/html/gsbstore
+ 
+(cat <<EOT > /var/www/html/gsbstore/getall
+
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+
+GLPIREL=9.4.5
+wget -nc https://github.com/glpi-project/glpi/releases/download/\${GLPIREL}/glpi-\${GLPIREL}.tgz
+ 
+FIREL=9.4+2.4
+wget -nc -O fusioninventory-glpi\${FIREL}.tag.gz https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi\${FIREL}.tar.gz 
+#https://github.com/fusioninventory/fusioninventory-for-glpi/archive/glpi9.4+2.4.tar.g 
+ 
+FIAGREL=2.5.2 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\${FIAGREL}/fusioninventory-agent_windows-x64_\${FIAGREL}.exe
+ 
+wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/\$FIAGREL/fusioninventory-agent_windows-x86_\${FIAGREL}.exe
+ 
+FOGREL=1.5.7
+wget -nc https://github.com/FOGProject/fogproject/archive/\${FOGREL}.tar.gz -O fogproject-\${FOGREL}.tar.gz
+ 
+wget -nc https://fr.wordpress.org/wordpress-5.3.2-fr_FR.tar.gz
+
+EOT
+)
+cat /var/www/html/gsbstore/getall
+

pre/pull-config

@@ -2,31 +2,15 @@
 
 if [ -z ${UREP+x} ]; then 
 	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2021.git 
-else 
-	echo "var is set to '$var'" 
 fi
-REPO=$(basename ${UREP})
 
 dir=/root/tools/ansible
-host=depl
-hostf=$host.sio.lan
-repo=gsb
 
-[ -e $dir ] || mkdir -p $dir
+[ -e "${dir}" ] || mkdir -p "${dir}"
 
-#grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
+cd  "${dir}" || exit 1
-
-cd  $dir
 
 hostname  > hosts
-
+ansible-pull -i "${dir}/hosts"  -U "${UREP}"
-#git clone http://$host/$repo.git
-
-#cd $repo
-#git pull
-
-#ansible-playbook -c local -i 'localhost,' $(hostname).yml
-#ansible-pull -i $dir/hosts -d $repo -U "${UREP}"
-ansible-pull -i $dir/hosts  -U "${UREP}"
 
 exit 0

proxy

@@ -0,0 +1 @@
+/etc/nginx/sites-availables/proxy

pull-config

@@ -3,19 +3,14 @@
 if [ -z ${UREP+x} ]; then 
 	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2021.git 
 fi
-REPO=$(basename ${UREP})
 
 dir=/root/tools/ansible
-host=depl
-hostf=$host.sio.lan
 
-[ -e ${dir} ] || mkdir -p ${dir}
+[ -e "${dir}" ] || mkdir -p "${dir}"
 
-#grep $hostf /etc/hosts > /dev/null || echo "10.121.38.10 $hostf $host" >> /etc/hosts
+cd  "${dir}" || exit 1
-
-cd  ${dir}
 
 hostname  > hosts
-ansible-pull -i ${dir}/hosts  -U "${UREP}"
+ansible-pull -i "${dir}/hosts"  -U "${UREP}"
 
 exit 0

r-vp1.yml

@@ -12,9 +12,9 @@
    - base
    - goss
    - snmp-agent
-   - vpn-stg-r
+   - firewall-vpn-r
-#   - x509-r
+#  - vpn-stg-r
-#   - firewall-vpn-r
+   - x509-r
    - ssh-cli
    - syslog-cli
    - post

r-vp2.yml

@@ -13,10 +13,11 @@
    - goss
    - dhcp-ag
    - dns-agence
+   - ssh-root-access
    - snmp-agent
-   - vpn-stg-l
+   - firewall-vpn-l
-#   - x509-l
+#  - vpn-stg-l
-#   - firewall-vpn-l
+   - x509-l
    - ssh-cli
    - syslog-cli
    - post

roles/base/tasks/main.yml

@@ -7,6 +7,14 @@
   copy: src=apt.conf dest=/etc/apt/apt.conf
   when: ansible_hostname != "s-adm"    
 
+#- name: Sysctl desactive ipv6
+#  sysctl:
+#    name: net.ipv6.conf.all.disable_ipv6
+#    value: 1
+#    sysctl_set: yes
+#    state: present
+#    reload: yes
+
 - name: Update + Upgrade
   apt:
     upgrade: yes

roles/base/templates/hosts.j2

@@ -2,9 +2,9 @@
 127.0.1.1       {{ ansible_nodename }} {{ ansible_hostname }}
 127.0.0.1       localhost ip6-localhost ip6-loopback
 
-10.121.38.10	depl.sio.lan depl
+#10.121.38.10	depl.sio.lan depl
 
-192.168.99.99	s-adm.gsb.adm
+192.168.99.99	s-adm.gsb.adm depl.sio.lan depl
 192.168.99.1	s-infra.gsb.adm
 192.168.99.2	s-proxy.gsb.adm
 192.168.99.3	s-appli.gsb.adm

roles/base/templates/hosts.s-proxy.j2

@@ -3,9 +3,9 @@
 127.0.0.1       localhost ip6-localhost ip6-loopback
 172.16.0.2	s-proxy.gsb.lan s-proxy
 
-10.121.38.10	depl
+#10.121.38.10	depl
 
-192.168.99.99	s-adm.gsb.adm
+192.168.99.99	s-adm.gsb.adm depl
 192.168.99.1	s-infra.gsb.adm
 192.168.99.2	s-proxy.gsb.adm
 192.168.99.3	s-appli.gsb.adm

roles/dns-master/files/db.gsb.lan

@@ -21,6 +21,8 @@ s-proxy         IN      A       172.16.0.2
 s-appli    	IN      A       172.16.0.3
 s-win    	IN      A       172.16.0.6
 s-mess   	IN      A       172.16.0.7
+s-nxc		IN	A	172.16.0.7
+s-docker	IN	A	172.16.0.7
 s-mon    	IN      A       172.16.0.8
 s-itil		IN	A	172.16.0.9
 r-int    	IN      A       172.16.0.254

roles/docker-nextcloud/files/config.php

@@ -0,0 +1,48 @@
+<?php
+$CONFIG = array (
+  'htaccess.RewriteBase' => '/',
+  'memcache.local' => '\\OC\\Memcache\\APCu',
+  'apps_paths' => 
+  array (
+    0 => 
+    array (
+      'path' => '/var/www/html/apps',
+      'url' => '/apps',
+      'writable' => false,
+    ),
+    1 => 
+    array (
+      'path' => '/var/www/html/custom_apps',
+      'url' => '/custom_apps',
+      'writable' => true,
+    ),
+  ),
+  'instanceid' => 'ocvc4q2htemf',
+  'passwordsalt' => 'stdJZMx4C5hz85Kqt8XdZIzx8kVOHI',
+  'secret' => 'II1BBgzlx70WUYCapAt/m/Bt1ZEk/n11n0DVq3zynyU8F/bU',
+  'trusted_domains' => 
+  array (
+    0 => '172.16.0.7:5678',
+    1 => '172.16.0.7:8080',
+    2 => 's-mess',
+    3 => 's-mess.gsb.lan',
+    4 => 'localhost:8080',
+    5 => 's-nxec.gsb.lan',
+  ),
+  'trusted_proxies' => ['172.16.0.7'],
+  'overwriteprotocol' => 'http',
+  'overwritehost' => '172.16.0.7:8080',
+  'proxy' => '172.16.0.7:8080',
+  'datadirectory' => '/var/www/html/data',
+  'dbtype' => 'mysql',
+  'version' => '20.0.6.1',
+  'overwrite.cli.url' => 'http://172.16.0.7:5678',
+  'dbname' => 'nextcloud',
+  'dbhost' => 'db',
+  'dbport' => '',
+  'dbtableprefix' => 'oc_',
+  'mysql.utf8mb4' => true,
+  'dbuser' => 'nextcloud',
+  'dbpassword' => 'root',
+  'installed' => true,
+);

roles/docker-nextcloud/files/dhparam.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA9YcWlg90PgLB2PS31Tv8mxn6cyRZd4GvX6tkqwOfXhdBZYzgoEnJ
+17U+hDqpT5utQpUbfR0//uXr53mpu3ufxCNJ9gSsCIAbmhTIT3qwLwUis3Etb8PA
+4LCTbVHvua5W7/pdM0s8PIOAWK7ah09p+mzwZqx5tKZWtbdERQKIAGE6Xmd4845/
+9oBWTj2g5t83Gt/fZDy+NVRy5ePb/KGix4bEmfnZ5htC/16VFPVrSZUALoxn8HtC
+3nn4eqBrZeAxY6UHuW0ZPkRmpLs3GCILa+gze+wDlKlhC+RQU/f8Fijo6SsQPzNf
+6BzJdoyeeE9OyyhhWu4Mihr39RnShk1ABO2eZrA1TE7L5X3YuCeIO09j99hkEsPr
+mX1zh+v4sx2FFMZLebu+5KYf+ROOOYtMy6AJQq55avccTPrs0S+pxswypbzMD4ym
+BYtPO46XYkRhrX47TfVHLW9oonDmMxPKNidNMrFtKW0b6f09iOcN9iEA/EM0s+3n
+uQ2h+bQrwGqo5aMSUuJ3w8EjFySIqKgU5ZxJzPGSndsqS7zd2hUxNx7EZueHXX5N
+CJ7kWRhIFv8YHHx0J/VFJieyr7DAUATu7chu4aGhwf2AoGYzmI0tjSh+3rQiDh7O
+h+JtKr+wifr9P2vBqIWFQltOC2srRs+EB+5/qN1iIjYmq52MkUbFLfMCAQI=
+-----END DH PARAMETERS-----

roles/docker-nextcloud/files/docker-compose.yml

@@ -0,0 +1,35 @@
+version: '2'
+
+volumes:
+  nextcloud:
+  db:
+
+services:
+  db:
+    image: mariadb
+    restart: always
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    volumes:
+      - db:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=root
+      - MYSQL_PASSWORD=root
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - TZ=Europe/Paris
+
+  app:
+    image: nextcloud
+    restart: always
+    ports:
+      - 5678:80
+    links:
+      - db
+    volumes:
+      - ./nextcloud:/var/www/html
+    environment:
+      - MYSQL_PASSWORD=root
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_HOST=db
+      - TZ=Europe/Paris

roles/docker-nextcloud/files/get_docker.sh

@@ -0,0 +1,502 @@
+#!/bin/sh
+set -e
+# Docker CE for Linux installation script
+#
+# See https://docs.docker.com/install/ for the installation steps.
+#
+# This script is meant for quick & easy install via:
+#   $ curl -fsSL https://get.docker.com -o get-docker.sh
+#   $ sh get-docker.sh
+#
+# For test builds (ie. release candidates):
+#   $ curl -fsSL https://test.docker.com -o test-docker.sh
+#   $ sh test-docker.sh
+#
+# NOTE: Make sure to verify the contents of the script
+#       you downloaded matches the contents of install.sh
+#       located at https://github.com/docker/docker-install
+#       before executing.
+#
+# Git commit from https://github.com/docker/docker-install when
+# the script was uploaded (Should only be modified by upload job):
+SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4"
+
+
+# The channel to install from:
+#   * nightly
+#   * test
+#   * stable
+#   * edge (deprecated)
+DEFAULT_CHANNEL_VALUE="stable"
+if [ -z "$CHANNEL" ]; then
+	CHANNEL=$DEFAULT_CHANNEL_VALUE
+fi
+
+DEFAULT_DOWNLOAD_URL="https://download.docker.com"
+if [ -z "$DOWNLOAD_URL" ]; then
+	DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
+fi
+
+DEFAULT_REPO_FILE="docker-ce.repo"
+if [ -z "$REPO_FILE" ]; then
+	REPO_FILE="$DEFAULT_REPO_FILE"
+fi
+
+mirror=''
+DRY_RUN=${DRY_RUN:-}
+while [ $# -gt 0 ]; do
+	case "$1" in
+		--mirror)
+			mirror="$2"
+			shift
+			;;
+		--dry-run)
+			DRY_RUN=1
+			;;
+		--*)
+			echo "Illegal option $1"
+			;;
+	esac
+	shift $(( $# > 0 ? 1 : 0 ))
+done
+
+case "$mirror" in
+	Aliyun)
+		DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
+		;;
+	AzureChinaCloud)
+		DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
+		;;
+esac
+
+command_exists() {
+	command -v "$@" > /dev/null 2>&1
+}
+
+is_dry_run() {
+	if [ -z "$DRY_RUN" ]; then
+		return 1
+	else
+		return 0
+	fi
+}
+
+is_wsl() {
+	case "$(uname -r)" in
+	*microsoft* ) true ;; # WSL 2
+	*Microsoft* ) true ;; # WSL 1
+	* ) false;;
+	esac
+}
+
+is_darwin() {
+	case "$(uname -s)" in
+	*darwin* ) true ;;
+	*Darwin* ) true ;;
+	* ) false;;
+	esac
+}
+
+deprecation_notice() {
+	distro=$1
+	date=$2
+	echo
+	echo "DEPRECATION WARNING:"
+	echo "    The distribution, $distro, will no longer be supported in this script as of $date."
+	echo "    If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new"
+	echo
+	sleep 10
+}
+
+get_distribution() {
+	lsb_dist=""
+	# Every system that we officially support has /etc/os-release
+	if [ -r /etc/os-release ]; then
+		lsb_dist="$(. /etc/os-release && echo "$ID")"
+	fi
+	# Returning an empty string here should be alright since the
+	# case statements don't act unless you provide an actual value
+	echo "$lsb_dist"
+}
+
+add_debian_backport_repo() {
+	debian_version="$1"
+	backports="deb http://ftp.debian.org/debian $debian_version-backports main"
+	if ! grep -Fxq "$backports" /etc/apt/sources.list; then
+		(set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list")
+	fi
+}
+
+echo_docker_as_nonroot() {
+	if is_dry_run; then
+		return
+	fi
+	if command_exists docker && [ -e /var/run/docker.sock ]; then
+		(
+			set -x
+			$sh_c 'docker version'
+		) || true
+	fi
+	your_user=your-user
+	[ "$user" != 'root' ] && your_user="$user"
+	# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
+	echo "If you would like to use Docker as a non-root user, you should now consider"
+	echo "adding your user to the \"docker\" group with something like:"
+	echo
+	echo "  sudo usermod -aG docker $your_user"
+	echo
+	echo "Remember that you will have to log out and back in for this to take effect!"
+	echo
+	echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run"
+	echo "         containers which can be used to obtain root privileges on the"
+	echo "         docker host."
+	echo "         Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface"
+	echo "         for more information."
+
+}
+
+# Check if this is a forked Linux distro
+check_forked() {
+
+	# Check for lsb_release command existence, it usually exists in forked distros
+	if command_exists lsb_release; then
+		# Check if the `-u` option is supported
+		set +e
+		lsb_release -a -u > /dev/null 2>&1
+		lsb_release_exit_code=$?
+		set -e
+
+		# Check if the command has exited successfully, it means we're in a forked distro
+		if [ "$lsb_release_exit_code" = "0" ]; then
+			# Print info about current distro
+			cat <<-EOF
+			You're using '$lsb_dist' version '$dist_version'.
+			EOF
+
+			# Get the upstream release info
+			lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
+			dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
+
+			# Print info about upstream distro
+			cat <<-EOF
+			Upstream release is '$lsb_dist' version '$dist_version'.
+			EOF
+		else
+			if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
+				if [ "$lsb_dist" = "osmc" ]; then
+					# OSMC runs Raspbian
+					lsb_dist=raspbian
+				else
+					# We're Debian and don't even know it!
+					lsb_dist=debian
+				fi
+				dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
+				case "$dist_version" in
+					10)
+						dist_version="buster"
+					;;
+					9)
+						dist_version="stretch"
+					;;
+					8|'Kali Linux 2')
+						dist_version="jessie"
+					;;
+				esac
+			fi
+		fi
+	fi
+}
+
+semverParse() {
+	major="${1%%.*}"
+	minor="${1#$major.}"
+	minor="${minor%%.*}"
+	patch="${1#$major.$minor.}"
+	patch="${patch%%[-.]*}"
+}
+
+do_install() {
+	echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
+
+	if command_exists docker; then
+		docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)"
+		MAJOR_W=1
+		MINOR_W=10
+
+		semverParse "$docker_version"
+
+		shouldWarn=0
+		if [ "$major" -lt "$MAJOR_W" ]; then
+			shouldWarn=1
+		fi
+
+		if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then
+			shouldWarn=1
+		fi
+
+		cat >&2 <<-'EOF'
+			Warning: the "docker" command appears to already exist on this system.
+
+			If you already have Docker installed, this script can cause trouble, which is
+			why we're displaying this warning and provide the opportunity to cancel the
+			installation.
+
+			If you installed the current Docker package using this script and are using it
+		EOF
+
+		if [ $shouldWarn -eq 1 ]; then
+			cat >&2 <<-'EOF'
+			again to update Docker, we urge you to migrate your image store before upgrading
+			to v1.10+.
+
+			You can find instructions for this here:
+			https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
+			EOF
+		else
+			cat >&2 <<-'EOF'
+			again to update Docker, you can safely ignore this message.
+			EOF
+		fi
+
+		cat >&2 <<-'EOF'
+
+			You may press Ctrl+C now to abort this script.
+		EOF
+		( set -x; sleep 20 )
+	fi
+
+	user="$(id -un 2>/dev/null || true)"
+
+	sh_c='sh -c'
+	if [ "$user" != 'root' ]; then
+		if command_exists sudo; then
+			sh_c='sudo -E sh -c'
+		elif command_exists su; then
+			sh_c='su -c'
+		else
+			cat >&2 <<-'EOF'
+			Error: this installer needs the ability to run commands as root.
+			We are unable to find either "sudo" or "su" available to make this happen.
+			EOF
+			exit 1
+		fi
+	fi
+
+	if is_dry_run; then
+		sh_c="echo"
+	fi
+
+	# perform some very rudimentary platform detection
+	lsb_dist=$( get_distribution )
+	lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
+
+	if is_wsl; then
+		echo
+		echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
+		echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
+		echo
+		cat >&2 <<-'EOF'
+
+			You may press Ctrl+C now to abort this script.
+		EOF
+		( set -x; sleep 20 )
+	fi
+
+	case "$lsb_dist" in
+
+		ubuntu)
+			if command_exists lsb_release; then
+				dist_version="$(lsb_release --codename | cut -f2)"
+			fi
+			if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
+				dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
+			fi
+		;;
+
+		debian|raspbian)
+			dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
+			case "$dist_version" in
+				10)
+					dist_version="buster"
+				;;
+				9)
+					dist_version="stretch"
+				;;
+				8)
+					dist_version="jessie"
+				;;
+			esac
+		;;
+
+		centos|rhel)
+			if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
+				dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+			fi
+		;;
+
+		*)
+			if command_exists lsb_release; then
+				dist_version="$(lsb_release --release | cut -f2)"
+			fi
+			if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
+				dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
+			fi
+		;;
+
+	esac
+
+	# Check if this is a forked Linux distro
+	check_forked
+
+	# Run setup for each distro accordingly
+	case "$lsb_dist" in
+		ubuntu|debian|raspbian)
+			pre_reqs="apt-transport-https ca-certificates curl"
+			if [ "$lsb_dist" = "debian" ]; then
+				# libseccomp2 does not exist for debian jessie main repos for aarch64
+				if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then
+					add_debian_backport_repo "$dist_version"
+				fi
+			fi
+
+			if ! command -v gpg > /dev/null; then
+				pre_reqs="$pre_reqs gnupg"
+			fi
+			apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
+			(
+				if ! is_dry_run; then
+					set -x
+				fi
+				$sh_c 'apt-get update -qq >/dev/null'
+				$sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null"
+				$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null"
+				$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
+				$sh_c 'apt-get update -qq >/dev/null'
+			)
+			pkg_version=""
+			if [ -n "$VERSION" ]; then
+				if is_dry_run; then
+					echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
+				else
+					# Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
+					pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist"
+					search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
+					pkg_version="$($sh_c "$search_command")"
+					echo "INFO: Searching repository for VERSION '$VERSION'"
+					echo "INFO: $search_command"
+					if [ -z "$pkg_version" ]; then
+						echo
+						echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
+						echo
+						exit 1
+					fi
+					search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
+					# Don't insert an = for cli_pkg_version, we'll just include it later
+					cli_pkg_version="$($sh_c "$search_command")"
+					pkg_version="=$pkg_version"
+				fi
+			fi
+			(
+				if ! is_dry_run; then
+					set -x
+				fi
+				if [ -n "$cli_pkg_version" ]; then
+					$sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null"
+				fi
+				$sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null"
+			)
+			echo_docker_as_nonroot
+			exit 0
+			;;
+		centos|fedora|rhel)
+			yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
+			if ! curl -Ifs "$yum_repo" > /dev/null; then
+				echo "Error: Unable to curl repository file $yum_repo, is it valid?"
+				exit 1
+			fi
+			if [ "$lsb_dist" = "fedora" ]; then
+				pkg_manager="dnf"
+				config_manager="dnf config-manager"
+				enable_channel_flag="--set-enabled"
+				disable_channel_flag="--set-disabled"
+				pre_reqs="dnf-plugins-core"
+				pkg_suffix="fc$dist_version"
+			else
+				pkg_manager="yum"
+				config_manager="yum-config-manager"
+				enable_channel_flag="--enable"
+				disable_channel_flag="--disable"
+				pre_reqs="yum-utils"
+				pkg_suffix="el"
+			fi
+			(
+				if ! is_dry_run; then
+					set -x
+				fi
+				$sh_c "$pkg_manager install -y -q $pre_reqs"
+				$sh_c "$config_manager --add-repo $yum_repo"
+
+				if [ "$CHANNEL" != "stable" ]; then
+					$sh_c "$config_manager $disable_channel_flag docker-ce-*"
+					$sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
+				fi
+				$sh_c "$pkg_manager makecache"
+			)
+			pkg_version=""
+			if [ -n "$VERSION" ]; then
+				if is_dry_run; then
+					echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
+				else
+					pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix"
+					search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
+					pkg_version="$($sh_c "$search_command")"
+					echo "INFO: Searching repository for VERSION '$VERSION'"
+					echo "INFO: $search_command"
+					if [ -z "$pkg_version" ]; then
+						echo
+						echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
+						echo
+						exit 1
+					fi
+					search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
+					# It's okay for cli_pkg_version to be blank, since older versions don't support a cli package
+					cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
+					# Cut out the epoch and prefix with a '-'
+					pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
+				fi
+			fi
+			(
+				if ! is_dry_run; then
+					set -x
+				fi
+				# install the correct cli version first
+				if [ -n "$cli_pkg_version" ]; then
+					$sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version"
+				fi
+				$sh_c "$pkg_manager install -y -q docker-ce$pkg_version"
+			)
+			echo_docker_as_nonroot
+			exit 0
+			;;
+		*)
+			if [ -z "$lsb_dist" ]; then
+				if is_darwin; then
+					echo
+					echo "ERROR: Unsupported operating system 'macOS'"
+					echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
+					echo
+					exit 1
+				fi
+			fi
+			echo
+			echo "ERROR: Unsupported distribution '$lsb_dist'"
+			echo
+			exit 1
+			;;
+	esac
+	exit 1
+}
+
+# wrapped up in a function so that we have some protection against only getting
+# half the file during "curl | sh"
+do_install

roles/docker-nextcloud/files/nginx-selfsigned.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEAzCCAuugAwIBAgIUAr99SgfwQjW0wJSay5rL7I8V6G4wDQYJKoZIhvcNAQEL
+BQAwgZAxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlCb3VyZ29nbmUxDjAMBgNVBAcM
+BURpam9uMQwwCgYDVQQKDANHU0IxDjAMBgNVBAsMBWluZnJhMRcwFQYDVQQDDA5z
+LW54ZWMuZ3NiLmxhbjEmMCQGCSqGSIb3DQEJARYXYXhlbC5tcmwuc2NvbEBnbWFp
+bC5jb20wHhcNMjEwMzI5MDkzMTIxWhcNMjIwMzI5MDkzMTIxWjCBkDELMAkGA1UE
+BhMCRlIxEjAQBgNVBAgMCUJvdXJnb2duZTEOMAwGA1UEBwwFRGlqb24xDDAKBgNV
+BAoMA0dTQjEOMAwGA1UECwwFaW5mcmExFzAVBgNVBAMMDnMtbnhlYy5nc2IubGFu
+MSYwJAYJKoZIhvcNAQkBFhdheGVsLm1ybC5zY29sQGdtYWlsLmNvbTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+iB7H1clY8gwX6CQfBqU+V4gF4ZMmg
+HMbnoPvWV0WOJlgyODh5xdE11iJBBby8VNdiruGNJCeLeI4WWUUkJJXMyeWNTM6/
+JIZhVZI0UF042S/s8WdP+jls4aASkp0QH+XDs+758y5D9lRoX+At+bRZSC/Fz/tL
+Y16e15F1+BxZeSWUEajHZIJZ79gm0UQxA9HdHAHpoWR05P74Fy6rnOsQNtBW4Jkt
+xDb9CHRWNVjvbBuPsDwPTEOvMq94r5yWspHDhA3edvtAAJke5N9od4mN8KTJQouJ
+O0ZzvOYIofr8iQM3981p9MuBUwtDNT7+ns22lDXeORoliOCG1gE25DsCAwEAAaNT
+MFEwHQYDVR0OBBYEFJgtmIFxdyFe3vZ/a3UwxORCZiLiMB8GA1UdIwQYMBaAFJgt
+mIFxdyFe3vZ/a3UwxORCZiLiMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggEBAJm7oJOJev7hh/G1xCPPyASWn9s9C9sb5zbxyq1gF5P6Br8Xof9OJ1ZE
+XJaH1MwxxR+2Qhok6gERBSqpwe6jnreImOpqhHEQGdMWJvIRlvTPQmEj/mCoLGKf
+DsIvl3ug4OfNqMojwYlGhsfQH92Qz2pnE88pLIT13y85c8TJHti2+GOxOTSxYLrs
+lt3fYYjnSZ2mm9fLBcP/XgdCSTeN6XwpJr2b56sVh0uehFXnkgzjDd+PTGkIgnfT
+/eXtX8+VbQIOSEOrIt0GneBZ3n37FSgz/y9TR5HgNKyt74oxbLsYR0qWpbCcEjw+
+ex/v7vE3bXgPGE56NzhlM1Pjh90R9hI=
+-----END CERTIFICATE-----

roles/docker-nextcloud/files/nginx-selfsigned.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvogex9XJWPIMF
++gkHwalPleIBeGTJoBzG56D71ldFjiZYMjg4ecXRNdYiQQW8vFTXYq7hjSQni3iO
+FllFJCSVzMnljUzOvySGYVWSNFBdONkv7PFnT/o5bOGgEpKdEB/lw7Pu+fMuQ/ZU
+aF/gLfm0WUgvxc/7S2NenteRdfgcWXkllBGox2SCWe/YJtFEMQPR3RwB6aFkdOT+
++Bcuq5zrEDbQVuCZLcQ2/Qh0VjVY72wbj7A8D0xDrzKveK+clrKRw4QN3nb7QACZ
+HuTfaHeJjfCkyUKLiTtGc7zmCKH6/IkDN/fNafTLgVMLQzU+/p7NtpQ13jkaJYjg
+htYBNuQ7AgMBAAECggEAfyHLbi7cL74nnZjrFnlBpIE7EpNiaWyDyBr8ta7mh0up
+R+g6N+81mQXeVfc5PvAYfbxKGKyBAjr77eYRgnHyJZkSgB5y/ajwuHEWbvl9Pq2a
+0Q0zhPQojY7aF3O6OwTkAf5Sbebx94hsc5cF55GAEeMa1LHcpethJ6nVIs8A5QtP
+ZgGlfFkgGXp1GQPmeX1jQePSp8nqCftIwFPOuLcuQnisc282NCRHl3M+VlnUIZNL
+fgRxalurrnaKf5P9DRvxiGlUJzoH1h0tgYbfUMpoRXdYYK3wjVbWWPROrS1c1yrl
+17W004k8Fb++rUmQucQEtsiID/ymAMZPtiCG2IqvwQKBgQDjQGf8GFt04ypvoux/
+acOMtHXaA1k1Fa6Gtvr3dCfhlm4dCxvHfAqWawW2GXrSajhVRe+vcqBMyKAY5G3a
+O3nZNpFliMqbftzKkF6AThIgaDaGAzfr+I88urvX0od1+wzjzievOHOlbil3OriD
+HrGmfO/xnnXkgHCQK2YjmhFeoQKBgQDF2fEp5HZAZFWy55LVlS6DIDFfK2DShCNf
+ENcDp1YWz/PCbHTY0xXZ6T4TOX14YYmeZVZFCUcpWGQrfL+ogJhoM9iQFuzYrzMz
+iYjgICeTJPLGQawC6CKVFcE7i6kjNie66IjEIZj1rS2zG/+WVTl95M8JxJO2U7a/
+7JiYJiehWwKBgQCqxb6euisYJpHAPL3ebbtO5Fnf0D5cXwO9JopoJHjH1ITA/JUO
+jo9iQ+CR3Inoz3uv0RNyVABUUzvEGPzYT3OcoJ4Yn/gpa+c9rcnmP0Tt54J5qLeA
+c1QofeclI4c6SMOB+WznBtQZEDTG7XC0z/8OLrsdZkgPw9lS7doejOvaoQKBgGbV
+azp561h2jfBp2nC2lDFFN0Qe2LkyQuwzZX4ZqG488ZZZJrZXqGDVkRUO6X77Ozsf
+sqI5O0prDc1ojnk3NX/birEBqWLKVRNxZboQHGGnb6PKGGx+WRMh9ohLg8KwcB/+
+oq9GQylWNI2GfOaXL0WW+mE6UggPJMpGX92c3zZHAoGAMOFoxUjjzsB0oJLTuYax
+VKE7Jno24o5JeDRm69WS3E6boSZsIY/9r4jWtYiTbhwlTZpZMqad3h/zM/swHvVq
+hh1BaHXBik/9rpnyTMZ9vo6UNyYo/TJPH3yrKwZbF4Cn2uWQoJCfDeo9VXdIEbEn
+SwyeWd4Zkt/wvqmocF5KVqI=
+-----END PRIVATE KEY-----

roles/docker-nextcloud/files/proxy

@@ -0,0 +1,121 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 8080 default_server;
+	listen [::]:8080 default_server;
+	
+	server_name s-nxec.gsb.lan;
+
+	return 302 https://$server_name$request_uri;
+}
+#	location / {
+#		proxy_set_header Host $host;
+#		proxy_set_header X-Real-IP $remote_addr;
+#		proxy_pass http://localhost:5678;
+#		proxy_connect_timeout 900;
+#		proxy_send_timeout 900;
+#		proxy_read_timeout 900;
+
+server {
+	listen 443 ssl default_server;
+	listen [::]:443 ssl default_server;
+	server_name s-nxec.gsb.lan;
+
+	include snippets/self-signed.conf;
+	include snippets/ssl-params.conf;
+
+	location / {
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_pass http://localhost:5678;
+                proxy_connect_timeout 900;
+                proxy_send_timeout 900;
+                proxy_read_timeout 900;
+	}
+
+}
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+#	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+#	index index.html index.htm index.nginx-debian.html;
+
+#	server_name _;
+
+#	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+#		try_files $uri $uri/ =404;
+#	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}

roles/docker-nextcloud/files/proxy.bak

@@ -0,0 +1,100 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 8080 default_server;
+	listen [::]:8080 default_server;
+
+	location / {
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass http://localhost:5678;
+		proxy_connect_timeout 900;
+		proxy_send_timeout 900;
+		proxy_read_timeout 900;
+	}
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+#	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+#	index index.html index.htm index.nginx-debian.html;
+
+#	server_name _;
+
+#	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+#		try_files $uri $uri/ =404;
+#	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}

roles/docker-nextcloud/files/self-signed.conf

@@ -0,0 +1,2 @@
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

roles/docker-nextcloud/files/ssl-params.conf

@@ -0,0 +1,18 @@
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver 172.16.0.1 valid=300s;
+resolver_timeout 5s;
+# Disable strict transport security for now. You can uncomment the following
+# line if you understand the implications.
+# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";

roles/docker-nextcloud/tasks/main.yml

@@ -0,0 +1,89 @@
+---
+- name: Creation du repertoire nextcloud
+  file:
+    path: /root/nextcloud
+    state: directory
+
+- name: Copie du script get_docker
+  copy: 
+    src: get_docker.sh
+    dest: /root/nextcloud
+
+- name: Execution du script get_docker
+  script: /root/nextcloud/get_docker.sh
+
+- name: Installation de docker-compose
+  shell: curl -L "https://github.com/docker/compose/releases/download/1.28.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+
+- name: Attribution des droits de docker compose
+  file:
+    path: /usr/local/bin/docker-compose
+    mode: '755'
+
+- name: Copie de docker-compose.yml
+  copy: 
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/docker-compose.yml
+    dest: /root/nextcloud
+
+- name: Execution du fichier docker-compose.yml
+  shell: docker-compose up -d
+  args:
+    chdir: /root/nextcloud
+
+- name: Installation de Nginx
+  package:
+    name: nginx
+    state: present
+
+- name: Copie de config.php dans /root/nextcloud/nextcloud/config
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/config.php
+    dest: /root/nextcloud/nextcloud/config 
+
+- name: Copie de nginx-selfsigned.key
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.key
+    dest: /etc/ssl/private
+
+- name: Copie nginx-selfsigned.crt
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.crt
+    dest: /etc/ssl/certs
+
+- name: Copie de dhparam.pem
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/dhparam.pem
+    dest: /etc/nginx
+
+- name: Copie de self-signed.conf
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/self-signed.conf
+    dest: /etc/nginx/snippets
+
+- name: Copie de ssl-params.conf
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/ssl-params.conf
+    dest: /etc/nginx/snippets
+
+- name: Copie de /etc/nginx/site-availables/proxy
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/proxy
+    dest: /etc/nginx/sites-available
+
+- name: Suppression de /etc/nginx/sites-enabled/default
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+
+- name: Creation de lien symbolique avec /etc/nginx/sites-available/proxy dans /etc/n$
+  file:
+    src: /etc/nginx/sites-available/proxy
+    dest: /etc/nginx/sites-enabled/proxy
+    owner: root
+    group: root
+    state: link
+
+- name: Redemarage de Nginx
+  service:
+    name: nginx
+    state: restarted

roles/firewall-vpn-l/files/ferm.conf

@@ -4,12 +4,12 @@
 #
 
 @def $DEV_ADM	= enp0s3;
-@def $DEV_VPN	= enp0s8;
+@def $DEV_AG	= enp0s8;
-@def $DEV_EXT	= enp0s9;
+@def $DEV_VPN	= enp0s9;
 
-@def $NET_ADM=192.168.99.0/24;
+@def $NET_ADM=192.168.99.102/24;
-@def $NET_VPN=192.168.0.0/24;
+@def $NET_AG=172.16.128.254/24;
-@def $NET_EXT=192.168.1.0/30;
+@def $NET_VPN=192.168.0.52/24;
 
 table filter {
     chain INPUT {
@@ -23,28 +23,21 @@ table filter {
         interface lo ACCEPT;
 
         # allow SSH connections
-        #interface ($DEV_ADM) {
 	proto tcp dport ssh ACCEPT;
-	#}
 
         # allow DNS connections
-        #interface ($DEV_INT) {
 	proto udp sport domain ACCEPT;
 	proto udp dport domain ACCEPT;	
-	#}	
-
-        # DHCP
-        proto udp dport (67 68) ACCEPT;
 
         # allow IPsec
-        interface ($DEV_VPN $DEV_EXT) {
+        interface ($DEV_AG $DEV_VPN) {
         proto udp sport 500 ACCEPT;
         proto udp dport 500 ACCEPT;
         proto esp ACCEPT;
 	}
 
         # Autoriser nat-t-ike
- #       interface ($DEV_VPN) {
+ #       interface ($DEV_AG) {
         proto udp sport 4500 ACCEPT;
         proto udp dport 5500 ACCEPT;
 #	}
@@ -54,52 +47,16 @@ table filter {
 	proto (udp tcp) dport domain ACCEPT;
 	#}
 
-	# autoriser supervision
-	proto udp sport 161 ACCEPT;
-
 	# autoriser NTP
 	proto udp sport 123 ACCEPT;
 
-        # respond to ping
-        proto icmp mod limit limit 30/minut ACCEPT; 
-
     }
     chain OUTPUT {
-        policy DROP;
+        policy ACCEPT;
-#        interface ($DEV_PUB) {
-        
-	# Autoriser SSH
-        proto tcp sport ssh ACCEPT;
-
-	# Autoriser DNS
-        proto udp dport domain ACCEPT;
-        proto udp sport domain ACCEPT;
-
-        # DHCP
-        proto udp sport (67 68) ACCEPT;
-	
-	# Autoriser ipsec
-        proto udp dport 500 ACCEPT;
-        proto udp sport 500 ACCEPT;
-	
-	# Autoriser nat-t-ike
-        proto udp dport 4500 ACCEPT;
-        proto udp sport 4500 ACCEPT;
-        
-	# Autoriser supervision
-        proto udp dport 161 ACCEPT;
-	
-	# Autoriser NTP
-        proto udp dport 123 ACCEPT;
-
-        # respond to ping
-        proto icmp ACCEPT; 
-
-#	}
 
         # connection tracking
-        #mod state state INVALID DROP;
+        # mod state state INVALID DROP;
-        mod state state (ESTABLISHED RELATED) ACCEPT;
+        # mod state state (ESTABLISHED RELATED) ACCEPT;
     }
     chain FORWARD {
         policy ACCEPT;
@@ -109,14 +66,3 @@ table filter {
         mod state state (ESTABLISHED RELATED) ACCEPT;
     }
 }
-
-# IPv6:
-#domain ip6 {
-#    table filter {
-#        chain INPUT {
-#            policy ACCEPT;
-#            # ...
-#        }
-#        # ...
-#    }
-#}

roles/firewall-vpn-l/tasks/main.yml

@@ -1,8 +1,8 @@
 ---
-  - name : installer ferm
+- name : installer ferm
   apt: name=ferm state=present
-  - name: fichier parefeu pour VPN
+  
+- name: fichier parefeu pour VPN
   copy: src=ferm.conf dest=/etc/ferm/ferm.conf
   notify:
     - Restart ferm
-    

roles/firewall-vpn-r/files/ferm.conf

@@ -7,9 +7,9 @@
 @def $DEV_VPN	= enp0s8;
 @def $DEV_EXT	= enp0s9;
 
-@def $NET_ADM=192.168.99.0/24;
+@def $NET_ADM=192.168.99.112/24;
-@def $NET_VPN=192.168.0.0/24;
+@def $NET_VPN=192.168.0.51/24;
-@def $NET_EXT=192.168.1.0/30;
+@def $NET_EXT=192.168.1.2/24;
 
 table filter {
     chain INPUT {
@@ -23,15 +23,13 @@ table filter {
         interface lo ACCEPT;
 
         # allow SSH connections
-        #interface ($DEV_ADM) {
 	proto tcp dport ssh ACCEPT;
-	#}
+	
 
         # allow DNS connections
-        #interface ($DEV_INT) {
 	proto udp sport domain ACCEPT;
 	proto udp dport domain ACCEPT;
-	#}	
+		
 
         # allow IPsec
         interface ($DEV_VPN) {
@@ -51,49 +49,13 @@ table filter {
 #	proto (udp tcp) dport domain ACCEPT;
 	#}
 
-	# autoriser supervision
-	proto udp sport 161 ACCEPT;
 
 	# autoriser NTP
 	proto udp sport 123 ACCEPT;
 
-        # respond to ping
-        proto icmp mod limit limit 30/minut ACCEPT; 
-
     }
     chain OUTPUT {
-        policy DROP;
+        policy ACCEPT;
-#        interface ($DEV_PUB) {
-        
-	# Autoriser SSH
-        proto tcp sport ssh ACCEPT;
-
-	# Autoriser DNS
-        proto udp dport domain ACCEPT;
-        proto udp sport domain ACCEPT;
-	
-	# Autoriser ipsec
-        proto udp dport 500 ACCEPT;
-        proto udp sport 500 ACCEPT;
-	
-	# Autoriser nat-t-ike
-        proto udp dport 4500 ACCEPT;
-        proto udp sport 4500 ACCEPT;
-        
-	# Autoriser supervision
-        proto udp dport 161 ACCEPT;
-	
-	# Autoriser NTP
-        proto udp dport 123 ACCEPT;
-
-        # respond to ping
-        proto icmp ACCEPT; 
-
-#	}
-
-        # connection tracking
-        #mod state state INVALID DROP;
-        mod state state (ESTABLISHED RELATED) ACCEPT;
     }
     chain FORWARD {
         policy ACCEPT;
@@ -103,14 +65,3 @@ table filter {
         mod state state (ESTABLISHED RELATED) ACCEPT;
     }
 }
-
-# IPv6:
-#domain ip6 {
-#    table filter {
-#        chain INPUT {
-#            policy ACCEPT;
-#            # ...
-#        }
-#        # ...
-#    }
-#}

roles/firewall-vpn-r/tasks/main.yml

@@ -1,15 +1,8 @@
 ---
-  - name: redemarrer interfaces
+- name : installer ferm
-    command: ifdown enp0s8
-  - name: redemarrer interfaces
-    command: ifup enp0s8
-  - name: redemarrer interfaces
-    command: ifdown enp0s9
-  - name: redemarrer interfaces
-    command: ifup enp0s9
-  - name: redemarrer interfaces
   apt: name=ferm state=present
-  - name: fichier parefeu pour VPN
+
+- name: fichier parefeu pour VPN
   copy: src=ferm.conf dest=/etc/ferm/ferm.conf
   notify:
     - Restart ferm

roles/fog/defaults/main.yml

@@ -0,0 +1,2 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore"
+depl_fog: "fogproject-1.5.9.tar.gz"

roles/fog/tasks/main.yml

@@ -6,10 +6,11 @@
 
   - name: recuperation du fichier d'installation de fog
     get_url:
-      url: http://depl/gsbstore/fogproject-1.5.7.tar.gz
+      url: "{{ depl_url }}/{{ depl_fog }}"
       dest: /root/fog
+      remote_src: yes
 
   - name: decompression du fichier d'installation de fog
     unarchive:
-      src: /root/fog/fogproject-1.5.7.tar.gz
+      src: "/root/fog/{{ depl_fog }}"
       dest: /root/fog

roles/icinga/README.md

@@ -95,7 +95,7 @@ NRPEServer = enabled
 
 ``` 
 
-Redémarrez le service NSClient++:
+Redémarrez le service NSClient++ via le **cmd**:
 
 ```
 
@@ -114,4 +114,4 @@ systemctl restart icinga
 
 ```
 
-Les services de la machine **srv-2012** apparaissent en **UP**.
+Les services de la machine **srv-2012** apparaissent en **OK**.

roles/icinga/files/cfg/hostgroups_icinga.cfg

@@ -15,13 +15,13 @@ define hostgroup {
 define hostgroup { 
 	hostgroup_name debian-servers 
 	alias		Serveurs distant
-	members        s-infra, s-proxy, r-int, r-ext, s-adm, s-itil
+	members        s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess
 } 
 
 define hostgroup { 
 	hostgroup_name ssh-servers 
 	alias 		acces SSH 
-	members		s-adm, s-infra, s-proxy, r-int, r-ext, localhost, gwsio2, s-itil	 
+	members		s-adm, s-infra, s-proxy, r-int, r-ext, localhost, gwsio2, s-itil, s-mess, s-lb
 }
 
 define hostgroup { 
@@ -39,7 +39,7 @@ define hostgroup {
 define hostgroup {
         hostgroup_name  http-servers
 		alias           serveurs-web
-		members         localhost, s-itil 
+		members         localhost, s-itil, s-adm
         }
 
 #define hostgroup {
@@ -60,15 +60,16 @@ define hostgroup{
 	members		srv-2012
 }
 
-#define hostgroup{
+define hostgroup{
-#	hostgroup_name	switch
+	hostgroup_name	dns-win
-#	alias		switch
+	alias		dns-win
-#	members		netgear
+	members		srv-2012
-#}
+}
 
 define hostgroup{
 	hostgroup_name	uptimegrp
 	alias		uptimegrp
-	members		s-infra, s-proxy, r-int, r-ext, s-adm, s-itil
+	members		s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess, s-lb
 }
 
+

roles/icinga/files/cfg/s-lb.cfg

@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+# 
+
+define host{
+        use                     generic-host            ; Name of host template$
+        host_name               s-lb
+        alias                   debian-servers
+        address                 192.168.100.10
+        parents                 r-int
+        }
+

roles/icinga/files/cfg/s-mess.cfg

@@ -0,0 +1,14 @@
+# A simple configuration file for monitoring the local host
+# This can serve as an example for configuring other servers;
+# Custom services specific to this host are added here, but services
+# defined in nagios2-common_services.cfg may also apply.
+# 
+
+define host{
+        use                     generic-host            ; Name of host template$
+        host_name               s-mess
+        alias                   nextcloud
+        address                 172.16.0.7
+        parents                 r-int
+        }
+

roles/icinga/files/cfg/services_icinga.cfg

@@ -79,7 +79,7 @@ define service{
 
 define service{
 	use				generic-service
-	hostgroup_name			windows-servers
+	hostgroup_name			dns-win
 	service_description		Service DNS
 	check_command			check_nt!SERVICESTATE!-l W32Time,"Client DNS"
 }

roles/mariadb-ab/tasks/main.yml

@@ -2,15 +2,42 @@
 - name: Installation des paquets python-mysqldb mariadb-server
   apt: 
     name:
-    - python-mysqldb
+    - python3-mysqldb
     - mariadb-server
+    - python3-passlib
+    - python3-pymysql
     state: present
 
+- name: python3 par defaut
+  alternatives:
+    link: /usr/bin/python
+    name: python
+    path: /usr/bin/python3
+    priority: 10
+
 - name: Create mysql database
-  mysql_db: name={{ maria_dbname }} state=present
+  mysql_db: 
+    name: "{{ maria_dbname }}" 
+    state: present
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+
+- name: Creation de l'utilisateur mysql avec tous les privileges
+  mysql_user:
+    name: "{{ maria_dbuser }}"
+    password: "{{ maria_dbpasswd }}"
+    priv: '*.*:ALL,GRANT'
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+  with_items:
+    - "127.0.0.1"
+#    - ::1
+#    - localhost
 
 - name: Copie du fichier my.cnf pour autorises toutes les adresses sur le port 3306
-  copy : src=my.cnf dest=/etc/mysql/
+  copy:
+    src: my.cnf
+    dest: /etc/mysql/
  
 - name: Redemarrage du service mariadb
-  shell: service mariadb restart
+  service: 
+    name: mariadb
+    state: restarted

roles/post/files/interfaces.r-vp1

@@ -1,6 +1,5 @@
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
-
 # The loopback network interface
 #auto lo
 #iface lo inet loopback
@@ -22,7 +21,10 @@ allow-hotplug enp0s9
 iface enp0s9 inet static
 	address 192.168.1.2
 	netmask 255.255.255.0
-	up route add -net 172.16.128.0/24 gw 192.168.1.2
+	post-up /usr/sbin/ip route add 172.16.128.0/24 via 192.168.1.2
+	post-up /usr/sbin/ip route add 172.16.0.0/24 via 192.168.1.1
+	post-up /usr/sbin/ip route add 192.168.200.0/24 via 192.168.1.1
+
 #	up route add -net 172.16.128.0/24 gw 192.168.0.52
 #	up route add default gw 192.168.1.1
 #	post-up /bin/bash /root/iptables-vpn

roles/post/files/interfaces.r-vp2

@@ -1,6 +1,5 @@
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
-
 # The loopback network interface
 #auto lo
 #iface lo inet loopback
@@ -22,7 +21,9 @@ allow-hotplug enp0s9
 iface enp0s9 inet static
 	address 192.168.0.52
 	netmask 255.255.255.0
-#	up route add -net 192.168.1.0/24 gw 172.16.128.254
+	post-up /usr/sbin/ip route add 192.168.1.0/24 via 172.16.128.254/24
-	up route add -net 192.168.1.0/24 gw 192.168.0.52
+	post-up /usr/sbin/ip route add 172.16.0.0/24 via 172.16.128.254/24
+
+#	up route add -net 192.168.1.0/24 gw 192.168.0.52
 #	post-up /bin/bash /root/iptables-vpn
 	post-up /etc/init.d/ipsec restart

roles/post/files/interfaces.s-agence

@@ -9,3 +9,6 @@ iface lo inet loopback
 allow-hotplug enp0s3
 iface enp0s3 inet dhcp
 
+allow-hotplug enp0s8
+iface enp0s8 inet dhcp
+

roles/s-lb-ab/files/haproxy.cfg

@@ -44,7 +44,7 @@ backend fermeweb
 	#option httpchk HEAD / HTTP/1.0
 	server s-lb-web1 192.168.101.1:80 check
 	server s-lb-web2 192.168.101.2:80 check
-
+	server s-lb-web3 192.168.101.3:80 check
 
 listen stats
 	bind	*:8080

roles/s-lb-web-ab/tasks/main.yml

@@ -1,10 +1,16 @@
 ---
-- name: Install apache2 php php5-mysql
+- name: Install apache2 php php5-mysql et autres modules php
   apt:
     name:
     - apache2
     - php
     - php-mysql
+    - php-gd
+    - php-zip
+    - php-mbstring
+    - php-curl
+    - php-imagick
+    - php-xml
     state: present
 
 - name: copie exports pour partage nfs wordpress

roles/s-lb-wordpress/defaults/main.yml

@@ -0,0 +1,2 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore/"
+depl_wordpress: "wordpress-5.6-fr_FR.tar.gz"

roles/s-lb-wordpress/tasks/main.yml

@@ -5,9 +5,11 @@
     state: directory
  - name: download and extract wordpress
    unarchive: 
-    src: http://depl/gsbstore/wordpress-5.6-fr_FR.tar.gz
+    src: "{{ depl_url }}/{{ depl_wordpress }}"
     dest: /home/
     remote_src: yes
+    owner: www-data
+    group: www-data
 
  - name: Copy sample config file
    command: mv /home/wordpress/wp-config-sample.php /home/wordpress/wp-config.php creates=/home/wordpress/wp-config.php
@@ -23,6 +25,14 @@
      - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', '{{wp_mysql_user}}');"}        
      - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', '{{wp_mysql_password}}');"}
 
+
+ - name: Attributions des permissions
+   file:
+     path: /home/wordpress
+     recurse: yes
+     owner: 33
+     group: 33
+
 # - name: Fix permissions
 #   shell: chown -R www-data /var/www/wordpress/*
 #

roles/ssh-root-access/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: Activation acces ssh root pour r-vp1 (certificat)
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin"
+    line: "PermitRootLogin yes"
+    state: present
+

roles/vpn-stg-l/files/ipsec.conf

@@ -7,7 +7,7 @@ conn tunnel #
         left=192.168.0.52
         leftsubnet=172.16.128.0/24
         right=192.168.0.51
-        rightsubnet=192.168.0.0/16, 172.16.0.0/24
+        rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
         ike=aes256-sha2_256-modp1024!
         esp=aes256-sha2_256!
         keyingtries=0
@@ -20,3 +20,4 @@ conn tunnel #
         auto=start
         keyexchange=ikev2
         type=tunnel
+#

roles/vpn-stg-r/files/ipsec.conf

@@ -5,7 +5,7 @@ config setup
 conn %default
 conn tunnel #
         left=192.168.0.51
-        leftsubnet=192.168.0.0/16, 172.16.0.0/24
+        leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
         right=192.168.0.52
         rightsubnet=172.16.128.0/24
         ike=aes256-sha2_256-modp1024!
@@ -20,3 +20,4 @@ conn tunnel #
         auto=start
         keyexchange=ikev2
         type=tunnel
+#

roles/x509-l/files/ipsec.conf

@@ -7,7 +7,7 @@ conn tunnel #
         left=192.168.0.52
         leftsubnet=172.16.128.0/24
         right=192.168.0.51
-        rightsubnet=192.168.0.0/16, 172.16.0.0/24
+        rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
         ike=aes256-sha2_256-modp1024!
         esp=aes256-sha2_256!
         keyingtries=0

roles/x509-r/files/ipsec.conf

@@ -5,7 +5,7 @@ config setup
 conn %default
 conn tunnel #
         left=192.168.0.51
-        leftsubnet=192.168.0.0/16, 172.16.0.0/24
+        leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
         right=192.168.0.52
         rightsubnet=172.16.128.0/24
         ike=aes256-sha2_256-modp1024!

s-agence.yml

@@ -7,3 +7,4 @@
     - ssh-cli
     - syslog-cli
     - post
+    - goss

s-lb-bd.retry

@@ -0,0 +1 @@
+localhost

s-lb-bd.yml

@@ -11,13 +11,14 @@
    roles:
      - base
      - goss
+     - post
      #- s-lb-bd-ab
      - mariadb-ab
-     - role: db-user
+#     - role: db-user
-       cli_ip: "192.168.102.1"
+#       cli_ip: "192.168.102.1"
-     - role: db-user
+#     - role: db-user
-       cli_ip: "192.168.102.2"
+#       cli_ip: "192.168.102.2"
-     - role: db-user
+#     - role: db-user
-       cli_ip: "192.168.102.3"     
+#       cli_ip: "192.168.102.3"     
      - snmp-agent
-     - post
+#     - post

s-mess.retry

@@ -0,0 +1 @@
+localhost

s-mess.yml

@@ -4,7 +4,7 @@
 
   roles:
     - base
-    - docker-iredmail-ab
+    - docker-nextcloud
     - ssh-cli
     - syslog-cli
     - snmp-agent

s-nas.retry

@@ -0,0 +1 @@
+localhost