X509 install en priorité

goss/s-agence.yaml

@@ -0,0 +1,39 @@
+command:
+  ip r:
+    exit-status: 0
+    stdout:
+    - default via 172.16.128.254 dev enp0s8
+    - 172.16.128.0/24
+    - 192.168.99.0/24
+    stderr: []
+    timeout: 10000
+  ping -c 2 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 172.16.128.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.1.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.1.2:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 2 192.168.200.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000

r-vp1.yml

@@ -12,8 +12,8 @@
    - base
    - goss
    - snmp-agent
-   - vpn-stg-r
-#   - x509-r
+#   - vpn-stg-r
+   - x509-r
 #   - firewall-vpn-r
    - ssh-cli
    - syslog-cli

r-vp2.yml

@@ -13,9 +13,10 @@
    - goss
    - dhcp-ag
    - dns-agence
+   - ssh-root-access
    - snmp-agent
-   - vpn-stg-l
-#   - x509-l
+#   - vpn-stg-l
+   - x509-l
 #   - firewall-vpn-l
    - ssh-cli
    - syslog-cli

roles/docker-nextcloud/files/config.php

@@ -0,0 +1,47 @@
+<?php
+$CONFIG = array (
+  'htaccess.RewriteBase' => '/',
+  'memcache.local' => '\\OC\\Memcache\\APCu',
+  'apps_paths' => 
+  array (
+    0 => 
+    array (
+      'path' => '/var/www/html/apps',
+      'url' => '/apps',
+      'writable' => false,
+    ),
+    1 => 
+    array (
+      'path' => '/var/www/html/custom_apps',
+      'url' => '/custom_apps',
+      'writable' => true,
+    ),
+  ),
+  'instanceid' => 'ocvc4q2htemf',
+  'passwordsalt' => 'stdJZMx4C5hz85Kqt8XdZIzx8kVOHI',
+  'secret' => 'II1BBgzlx70WUYCapAt/m/Bt1ZEk/n11n0DVq3zynyU8F/bU',
+  'trusted_domains' => 
+  array (
+    0 => '172.16.0.7:5678',
+    1 => '172.16.0.7:8080',
+    2 => 's-mess',
+    3 => 's-mess.gsb.lan',
+    4 => 'localhost:8080',
+  ),
+  'trusted_proxies' => ['172.16.0.7'],
+  'overwriteprotocol' => 'http',
+  'overwritehost' => '172.16.0.7:8080',
+  'proxy' => '172.16.0.7:8080',
+  'datadirectory' => '/var/www/html/data',
+  'dbtype' => 'mysql',
+  'version' => '20.0.6.1',
+  'overwrite.cli.url' => 'http://172.16.0.7:5678',
+  'dbname' => 'nextcloud',
+  'dbhost' => 'db',
+  'dbport' => '',
+  'dbtableprefix' => 'oc_',
+  'mysql.utf8mb4' => true,
+  'dbuser' => 'nextcloud',
+  'dbpassword' => 'root',
+  'installed' => true,
+);

roles/docker-nextcloud/files/docker-compose.yml

@@ -16,6 +16,7 @@ services:
       - MYSQL_PASSWORD=root
       - MYSQL_DATABASE=nextcloud
       - MYSQL_USER=nextcloud
+      TZ: Europe/Paris
 
   app:
     image: nextcloud
@@ -31,3 +32,4 @@ services:
       - MYSQL_DATABASE=nextcloud
       - MYSQL_USER=nextcloud
       - MYSQL_HOST=db
+      TZ: Europe/Paris

roles/docker-nextcloud/files/proxy

@@ -24,7 +24,7 @@ server {
 
 	location / {
 		proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Real-IP $remote_addr;
 		proxy_pass http://localhost:5678;
 		proxy_connect_timeout 900;
 		proxy_send_timeout 900;

roles/docker-nextcloud/tasks/main.yml

@@ -29,3 +29,34 @@
   shell: docker-compose up -d
   args:
     chdir: /root/nextcloud
+
+- name: Installation de Nginx
+  package:
+    name: nginx
+    state: present
+
+- name: Copie de /etc/nginx/site-availables/proxy
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/proxy
+    dest: /etc/nginx/sites-available
+
+- name: Supression de /etc/nginx/sites-enabled/default
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+
+- name: Creation de lien symbolique avec /etc/nginx/sites-available/proxy dans /etc/nginx/sites-enabled/proxy
+  file:
+    src: /etc/nginx/sites-available/proxy
+    dest: /etc/nginx/sites-enabled
+    state: link
+
+- name: Redemmarage de Nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: Copie de config.php dans /root/nextcloud/nextcloud/config
+  copy:
+    src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/config.php
+    dest: /root/nextcloud/nextcloud/config 

roles/fog/defaults/main.yml

@@ -1,2 +1,2 @@
-depl_url: "http://s-adm.gsb.adm/gsbstore/"
+depl_url: "http://s-adm.gsb.adm/gsbstore"
 depl_fog: "fogproject-1.5.9.tar.gz"

roles/ssh-root-access/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: Activation acces ssh root pour vp-1 (certificat)
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^PermitRootLogin"
+    line: "PermitRootLogin yes"
+    state: present
+

roles/x509-l/files/ipsec.conf

@@ -7,7 +7,7 @@ conn tunnel #
         left=192.168.0.52
         leftsubnet=172.16.128.0/24
         right=192.168.0.51
-        rightsubnet=192.168.0.0/16, 172.16.0.0/24
+        rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
         ike=aes256-sha2_256-modp1024!
         esp=aes256-sha2_256!
         keyingtries=0
@@ -22,4 +22,4 @@ conn tunnel #
         type=tunnel
 	leftcert=r-vp2Cert.pem
         leftid="C=CH, O=GSB, CN=r-vp2"
-        rightid="C=CH, O=GSB, CN=r-vp1"
+        rightid="C=CH, O=GSB, CN=r-vp1"

roles/x509-r/files/ipsec.conf

@@ -5,7 +5,7 @@ config setup
 conn %default
 conn tunnel #
         left=192.168.0.51
-        leftsubnet=192.168.0.0/16, 172.16.0.0/24
+        leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
         right=192.168.0.52
         rightsubnet=172.16.128.0/24
         ike=aes256-sha2_256-modp1024!
@@ -22,4 +22,4 @@ conn tunnel #
         type=tunnel
 	leftcert=r-vp1Cert.pem
         leftid="C=CH, O=GSB, CN=r-vp1"
-        rightid="C=CH, O=GSB, CN=r-vp2"
+        rightid="C=CH, O=GSB, CN=r-vp2"