suppresion utilisation role db-user

Mise à jour de 'r-vp1.yml'
Mise à jour de 'roles/firewall-vpn-r/tasks/main.yml'
2021-03-31 09:02:15 +02:00 · 2021-03-30 16:34:31 +02:00 · 2021-03-30 16:20:40 +02:00 · 2021-03-30 15:55:38 +02:00 · 2021-03-30 15:50:11 +02:00 · 2021-03-30 15:48:00 +02:00
21 changed files with 168 additions and 37 deletions
--- a/doc/pics/e4-dmz-tl.dia
+++ b/doc/pics/e4-dmz-tl.dia
--- a/doc/pics/e4-dmz-tl.png
+++ b/doc/pics/e4-dmz-tl.png
--- a/goss/s-agence.yaml
+++ b/goss/s-agence.yaml
@ -0,0 +1,39 @@
+command:
+  ip r:
+    exit-status: 0
+    stdout:
+    - default via 172.16.128.254 dev enp0s8
+    - 172.16.128.0/24
+    - 192.168.99.0/24
+    stderr: []
+    timeout: 10000
+  ping -c 2 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 172.16.128.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.1.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.1.2:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.200.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
--- a/1
+++ b/1
@ -0,0 +1 @@
+/etc/nginx/sites-availables/proxy
--- a/r-vp1.yml
+++ b/r-vp1.yml
@ -12,9 +12,9 @@
   - base
   - goss
   - snmp-agent
-   - vpn-stg-r
-#   - x509-r
-#   - firewall-vpn-r
+   - firewall-vpn-r
+#  - vpn-stg-r
+   - x509-r
   - ssh-cli
   - syslog-cli
   - post
--- a/r-vp2.yml
+++ b/r-vp2.yml
@ -13,10 +13,11 @@
   - goss
   - dhcp-ag
   - dns-agence
+   - ssh-root-access
   - snmp-agent
-   - vpn-stg-l
-#   - x509-l
-#   - firewall-vpn-l
+   - firewall-vpn-l
+#  - vpn-stg-l
+   - x509-l
   - ssh-cli
   - syslog-cli
   - post
--- a/roles/dns-master/files/db.gsb.lan
+++ b/roles/dns-master/files/db.gsb.lan
@ -21,6 +21,8 @@ s-proxy         IN      A       172.16.0.2
 s-appli    	IN      A       172.16.0.3
 s-win    	IN      A       172.16.0.6
 s-mess   	IN      A       172.16.0.7
+s-nxec		IN	A	172.16.0.7
+s-docker	IN	A	172.16.0.7
 s-mon    	IN      A       172.16.0.8
 s-itil		IN	A	172.16.0.9
 r-int    	IN      A       172.16.0.254
--- a/roles/docker-nextcloud/files/config.php
+++ b/roles/docker-nextcloud/files/config.php
@ -0,0 +1,47 @@
+<?php
+$CONFIG = array (
+  'htaccess.RewriteBase' => '/',
+  'memcache.local' => '\\OC\\Memcache\\APCu',
+  'apps_paths' => 
+  array (
+    0 => 
+    array (
+      'path' => '/var/www/html/apps',
+      'url' => '/apps',
+      'writable' => false,
+    ),
+    1 => 
+    array (
+      'path' => '/var/www/html/custom_apps',
+      'url' => '/custom_apps',
+      'writable' => true,
+    ),
+  ),
+  'instanceid' => 'ocvc4q2htemf',
+  'passwordsalt' => 'stdJZMx4C5hz85Kqt8XdZIzx8kVOHI',
+  'secret' => 'II1BBgzlx70WUYCapAt/m/Bt1ZEk/n11n0DVq3zynyU8F/bU',
+  'trusted_domains' => 
+  array (
+    0 => '172.16.0.7:5678',
+    1 => '172.16.0.7:8080',
+    2 => 's-mess',
+    3 => 's-mess.gsb.lan',
+    4 => 'localhost:8080',
+  ),
+  'trusted_proxies' => ['172.16.0.7'],
+  'overwriteprotocol' => 'http',
+  'overwritehost' => '172.16.0.7:8080',
+  'proxy' => '172.16.0.7:8080',
+  'datadirectory' => '/var/www/html/data',
+  'dbtype' => 'mysql',
+  'version' => '20.0.6.1',
+  'overwrite.cli.url' => 'http://172.16.0.7:5678',
+  'dbname' => 'nextcloud',
+  'dbhost' => 'db',
+  'dbport' => '',
+  'dbtableprefix' => 'oc_',
+  'mysql.utf8mb4' => true,
+  'dbuser' => 'nextcloud',
+  'dbpassword' => 'root',
+  'installed' => true,
+);
--- a/roles/docker-nextcloud/files/docker-compose.yml
+++ b/roles/docker-nextcloud/files/docker-compose.yml
@ -16,6 +16,7 @@ services:
      - MYSQL_PASSWORD=root
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
+      - TZ=Europe/Paris

  app:
    image: nextcloud
@ -31,3 +32,4 @@ services:
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db
+      - TZ=Europe/Paris
--- a/roles/docker-nextcloud/files/proxy
+++ b/roles/docker-nextcloud/files/proxy
@ -24,7 +24,7 @@ server {

 	location / {
 		proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Real-IP $remote_addr;
 		proxy_pass http://localhost:5678;
 		proxy_connect_timeout 900;
 		proxy_send_timeout 900;
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@ -29,3 +29,36 @@
  shell: docker-compose up -d
  args:
    chdir: /root/nextcloud
+
+- name: Installation de Nginx
+  package:
+    name: nginx
+    state: present
+
+- name: Copie de /etc/nginx/site-availables/proxy
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/proxy
+    dest: /etc/nginx/sites-available
+
+- name: Supression de /etc/nginx/sites-enabled/default
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+
+- name: Creation de lien symbolique avec /etc/nginx/sites-available/proxy dans /etc/nginx/sites-enabled/proxy
+  file:
+    src: /etc/nginx/sites-available/proxy
+    dest: /etc/nginx/sites-enabled/proxy
+    owner: root
+    group: root
+    state: link
+
+- name: Redemmarage de Nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: Copie de config.php dans /root/nextcloud/nextcloud/config
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/config.php
+    dest: /root/nextcloud/nextcloud/config 
--- a/roles/firewall-vpn-l/files/ferm.conf
+++ b/roles/firewall-vpn-l/files/ferm.conf
@ -7,9 +7,9 @@
@def $DEV_VPN	= enp0s8;
@def $DEV_EXT	= enp0s9;

-@def $NET_ADM=192.168.99.0/24;
-@def $NET_VPN=192.168.0.0/24;
-@def $NET_EXT=192.168.1.0/30;
+@def $NET_ADM=192.168.99.102/24;
+@def $NET_VPN=172.16.128.254/24;
+@def $NET_EXT=192.168.0.52/30;

 table filter {
    chain INPUT {
--- a/roles/firewall-vpn-r/files/ferm.conf
+++ b/roles/firewall-vpn-r/files/ferm.conf
@ -7,9 +7,9 @@
@def $DEV_VPN	= enp0s8;
@def $DEV_EXT	= enp0s9;

-@def $NET_ADM=192.168.99.0/24;
-@def $NET_VPN=192.168.0.0/24;
-@def $NET_EXT=192.168.1.0/30;
+@def $NET_ADM=192.168.99.112/24;
+@def $NET_VPN=192.168.0.51/24;
+@def $NET_EXT=192.168.1.2/30;

 table filter {
    chain INPUT {
--- a/roles/firewall-vpn-r/tasks/main.yml
+++ b/roles/firewall-vpn-r/tasks/main.yml
@ -1,15 +1,10 @@
 ---
-  - name: redemarrer interfaces
-    command: ifdown enp0s8
-  - name: redemarrer interfaces
-    command: ifup enp0s8
-  - name: redemarrer interfaces
-    command: ifdown enp0s9
-  - name: redemarrer interfaces
-    command: ifup enp0s9
-  - name: redemarrer interfaces
+- name : installer ferm
    apt: name=ferm state=present
+
  - name: fichier parefeu pour VPN
    copy: src=ferm.conf dest=/etc/ferm/ferm.conf
-    notify:
-      - Restart ferm
+  
+  - name: Restart ferm
+      name: ferm
+      state: restarted
--- a/roles/fog/defaults/main.yml
+++ b/roles/fog/defaults/main.yml
@ -0,0 +1,2 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore"
+depl_fog: "fogproject-1.5.9.tar.gz"
--- a/roles/fog/tasks/main.yml
+++ b/roles/fog/tasks/main.yml
@ -6,10 +6,10 @@

  - name: recuperation du fichier d'installation de fog
    get_url:
-      url: http://depl/gsbstore/fogproject-1.5.7.tar.gz
+      url: "{{ depl_url }}/{{ depl_fog }}"
      dest: /root/fog

  - name: decompression du fichier d'installation de fog
    unarchive:
-      src: /root/fog/fogproject-1.5.7.tar.gz
+      src: "/root/fog/{{ depl_fog }}"
      dest: /root/fog
--- a/roles/ssh-root-access/tasks/main.yml
+++ b/roles/ssh-root-access/tasks/main.yml
@ -0,0 +1,7 @@
+- name: Activation acces ssh root pour vp-1 (certificat)
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin"
+    line: "PermitRootLogin yes"
+    state: present
+
--- a/roles/x509-l/files/ipsec.conf
+++ b/roles/x509-l/files/ipsec.conf
@ -7,7 +7,7 @@ conn tunnel #
        left=192.168.0.52
        leftsubnet=172.16.128.0/24
        right=192.168.0.51
-        rightsubnet=192.168.0.0/16, 172.16.0.0/24
+        rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
@ -22,4 +22,4 @@ conn tunnel #
        type=tunnel
 	leftcert=r-vp2Cert.pem
        leftid="C=CH, O=GSB, CN=r-vp2"
-        rightid="C=CH, O=GSB, CN=r-vp1"
+        rightid="C=CH, O=GSB, CN=r-vp1"
--- a/roles/x509-r/files/ipsec.conf
+++ b/roles/x509-r/files/ipsec.conf
@ -5,7 +5,7 @@ config setup
 conn %default
 conn tunnel #
        left=192.168.0.51
-        leftsubnet=192.168.0.0/16, 172.16.0.0/24
+        leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
        right=192.168.0.52
        rightsubnet=172.16.128.0/24
        ike=aes256-sha2_256-modp1024!
@ -22,4 +22,4 @@ conn tunnel #
        type=tunnel
 	leftcert=r-vp1Cert.pem
        leftid="C=CH, O=GSB, CN=r-vp1"
-        rightid="C=CH, O=GSB, CN=r-vp2"
+        rightid="C=CH, O=GSB, CN=r-vp2"
--- a/s-agence.yml
+++ b/s-agence.yml
@ -7,3 +7,4 @@
    - ssh-cli
    - syslog-cli
    - post
+    - goss
--- a/s-lb-bd.yml
+++ b/s-lb-bd.yml
@ -11,13 +11,14 @@
   roles:
     - base
     - goss
+     - post
     #- s-lb-bd-ab
     - mariadb-ab
-     - role: db-user
-       cli_ip: "192.168.102.1"
-     - role: db-user
-       cli_ip: "192.168.102.2"
-     - role: db-user
-       cli_ip: "192.168.102.3"     
+#     - role: db-user
+#       cli_ip: "192.168.102.1"
+#     - role: db-user
+#       cli_ip: "192.168.102.2"
+#     - role: db-user
+#       cli_ip: "192.168.102.3"     
     - snmp-agent
-     - post
+#     - post
Author	SHA1	Message	Date
TL	dab3b43db1	suppresion utilisation role db-user	2021-03-31 09:02:15 +02:00
gadmin	4f417a892e	Mise à jour de 'r-vp1.yml'	2021-03-30 16:34:31 +02:00
gadmin	bd89e3a964	Mise à jour de 'roles/firewall-vpn-r/tasks/main.yml'	2021-03-30 16:20:40 +02:00
gadmin	61ae1027a2	Mise à jour de 'roles/firewall-vpn-r/tasks/main.yml'	2021-03-30 15:55:38 +02:00
gadmin	d60dcb613b	Mise à jour de 'roles/firewall-vpn-r/tasks/main.yml'	2021-03-30 15:50:11 +02:00
gadmin	d9e0959cc4	Mise à jour de 'r-vp1.yml'	2021-03-30 15:48:00 +02:00
gadmin	4fe6f9f8f7	Mise à jour de 'r-vp2.yml'	2021-03-30 15:47:18 +02:00
gadmin	4db4c8e719	Mise à jour de 'r-vp2.yml'	2021-03-30 14:16:33 +02:00
gadmin	a0a8ec62bd	Mise à jour de 'r-vp1.yml'	2021-03-30 14:16:09 +02:00
gadmin	699ddddaba	Mise à jour de 'r-vp2.yml'	2021-03-30 13:45:43 +02:00
gadmin	1943b172d3	Mise à jour de 'r-vp1.yml'	2021-03-30 13:45:15 +02:00
gadmin	84c2e68cc8	Mise à jour de 'roles/firewall-vpn-r/files/ferm.conf'	2021-03-29 11:26:44 +02:00
gadmin	74e723896c	Mise à jour de 'roles/firewall-vpn-l/files/ferm.conf'	2021-03-29 11:26:16 +02:00
am	b8c681c4bb	ajout de s-nxec et s-docker	2021-03-29 11:03:36 +02:00
bb	28f1560add	Merge branch 'master' of https://gitea.lyc-lecastel.fr/gadmin/gsb2021	2021-02-01 11:50:32 +01:00
bb	b04bbbe7d1	secret partagé install en priorité	2021-02-01 11:49:54 +01:00
am	8e602c15a6	modif main.yml et docker compose	2021-02-01 11:32:56 +01:00
bb	20f8fcccbe	X509 install en priorité	2021-02-01 11:16:02 +01:00
am	a76aa215d3	modif main.yml	2021-02-01 11:02:16 +01:00
am	afdd827df3	ajout du proxy inverse	2021-02-01 09:40:04 +01:00
Theo Vallet	290e2866fe	ajout permitrootlogin	2021-02-01 09:35:18 +01:00
am	dc276e2c68	ajout de config.php	2021-01-28 17:54:55 +01:00
Thomas Lerallu	6c090e61f8	ajout schema dmz	2021-01-28 17:46:09 +01:00
Theo Vallet	1c036df5c4	modif routes ipsec.conf x509	2021-01-28 17:08:58 +01:00
root	a9b757dafa	Merge branch 'master' of https://gitea.lyc-lecastel.fr/gadmin/gsb2021	2021-01-28 15:37:16 +01:00
root	bb5521f0dc	ajout variable fog	2021-01-28 15:37:13 +01:00
bb	6201569f8a	Merge branch 'master' of https://gitea.lyc-lecastel.fr/gadmin/gsb2021	2021-01-28 15:32:29 +01:00
bb	b14c35a7aa	Ajout d'un fichier goss pour s-agence	2021-01-28 15:31:29 +01:00
root	3be4dd14d4	Merge branch 'master' of https://gitea.lyc-lecastel.fr/gadmin/gsb2021	2021-01-28 15:15:18 +01:00
root	7245538622	ajout variable fog	2021-01-28 15:14:59 +01:00
bb	c448fb3457	Ajout du role goss pour s-agence	2021-01-28 15:04:03 +01:00