gadmin/gsb2023
0
0
Fork 1
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

Premier commit

Browse Source
This commit is contained in:
“Albert
2023-01-05 11:44:26 +01:00
parent d46e9954ca
commit fb19dc24e5
554 changed files with 46045 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
roles/apache2/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: restart apache2
service: name=apache2 state=restarted
- name: restart mysql-server
service: name=mysql-server state=restarted

14
roles/apache2/tasks/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Update apt cache
apt: update_cache=yes cache_valid_time=3600
- name: Install required software
apt: name={{ item }} state=present
with_items:
- apache2
- mariadb-server
- php-mysql
- php
- libapache2-mod-php
- php-mcrypt
- python-mysqldb

4
roles/appli/README.md Normal file
View File

@@ -0,0 +1,4 @@
## Fonctionnement du rôle appli
Ce rôle permet de créer un serveur wordpress avec MariaDB et apache.
Ce rôle permet aussi de créer la base de donnée nécessaire pour wordpress.

4
roles/appli/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart apache
service: name=apache2 state=restarted
become: yes

72
roles/appli/tasks/main.yml Normal file
View File

@@ -0,0 +1,72 @@
---
- name: Installation des packets
apt:
state: present
name:
- php
- php-fpm
- php-mbstring
- php-ssh2
- php-gd
- php-mysql
- python3-mysqldb
- libapache2-mod-php
- mariadb-server
- apache2
- python3
- name: Création du répertoire pour wordpress
file:
path: /var/www/html/wordpress
state: directory
- name: Téléchargement de wordpress
get_url:
url: http://s-adm.gsb.adm/gsbstore/wordpress-5.8.2-fr_FR.tar.gz
dest: /var/www/html
- name: Extraction du fichier wordpress
unarchive:
src: /var/www/html/wordpress-5.8.2-fr_FR.tar.gz
dest: /var/www/html
- name: Fix permissions owner
shell: chown -R www-data /var/www/html/wordpress
- name: Fix permissions groups
shell: chgrp -R www-data /var/www/html/wordpress
- name: Mettre à jour le site Apache par défaut
lineinfile:
dest: /etc/apache2/sites-enabled/000-default.conf
regexp: "(.)+DocumentRoot /var/www/html"
line: "DocumentRoot /var/www/html/wordpress"
- name: restart apache2
service:
name: apache2
state: restarted
- name: Mettre à jour le fichier de configuration WordPress
lineinfile:
dest: /var/www/html/wordpress/wp-config-sample.php
backup: yes
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
- {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
- {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
- {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
- name: Création de la base de donnée mysql
mysql_db:
name: wordpress
state: present
- name: Création de l'utilisateur mysql
mysql_user:
name: wordpress
password: wp
priv: "*.*:ALL"

1
roles/base/files/apt.conf Normal file
View File

@@ -0,0 +1 @@
Acquire::http::Proxy "http://192.168.99.99:8080";

4
roles/base/files/resolv.conf Normal file
View File

@@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 192.168.99.99

10
roles/base/files/sources.list Normal file
View File

@@ -0,0 +1,10 @@
#
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
deb http://security.debian.org/ wheezy/updates main
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
deb http://http.debian.net/debian wheezy-backports main

4
roles/base/files/sources.list.Debian Normal file
View File

@@ -0,0 +1,4 @@
deb http://deb.debian.org/debian/ bullseye main non-free contrib
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free

13
roles/base/files/sources.list.Ubuntu Normal file
View File

@@ -0,0 +1,13 @@
#------------------------------------------------------------------------------#
# OFFICIAL UBUNTU REPOS #
#------------------------------------------------------------------------------#
###### Ubuntu Main Repos
deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe
###### Ubuntu Update Repos
deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe
deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe

9
roles/base/files/sources.list.buster Normal file
View File

@@ -0,0 +1,9 @@
#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
#deb http://security.debian.org/ stretch/updates main
#deb http://ftp.fr.debian.org/debian/ stretch-updates main
deb http://deb.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb http://deb.debian.org/debian/ buster-updates main contrib non-free

22
roles/base/files/sources.list.jessie Normal file
View File

@@ -0,0 +1,22 @@
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free
#deb-src http://ftp.fr.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
#deb-src http://security.debian.org/ jessie/updates main
deb http://ftp.fr.debian.org/debian/ jessie-updates main
#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main
#deb http://backports.debian.org/debian-backports jessie-backports main
#deb http://packages.steve.org.uk/slaughter/jessie/ ./
#deb https://rex.linux-files.org/debian/ jessie rex
#deb http://http.debian.net/debian jessie-backports main

22
roles/base/files/sources.list.wheezy Normal file
View File

@@ -0,0 +1,22 @@
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
#deb-src http://ftp.fr.debian.org/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
#deb-src http://security.debian.org/ wheezy/updates main
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
#deb http://backports.debian.org/debian-backports wheezy-backports main
#deb http://packages.steve.org.uk/slaughter/wheezy/ ./
#deb https://rex.linux-files.org/debian/ wheezy rex
deb http://http.debian.net/debian wheezy-backports main

76
roles/base/tasks/main.yml Normal file
View File

@@ -0,0 +1,76 @@
---
- name: Copie sources.list
copy:
src: sources.list.{{ ansible_distribution }}
dest: /etc/apt/sources.list
- name: Copie apt.conf pour proxy
copy:
src: apt.conf
dest: /etc/apt/apt.conf
when: ansible_hostname != "s-adm"
#- name: Sysctl desactive ipv6
# sysctl:
# name: net.ipv6.conf.all.disable_ipv6
# value: 1
# sysctl_set: yes
# state: present
# reload: yes
- name: Update + Upgrade
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
- name: Install paquets
apt:
state: present
name:
- vim
- ntp
- mc
- tcpdump
- curl
- net-tools
- rsync
- sudo
- iptables
- name: Desinstall paquets
apt:
state: absent
name:
- nfs-common
- rpcbind
- bluetooth
- name: Configure Vim
alternatives:
name: editor
path: /usr/bin/vim
- name: Generation /etc/hosts
template:
src: hosts.j2
dest: /etc/hosts
when: ansible_hostname != "s-proxy"
- name: Generation /etc/hosts pour s-proxy
template:
src: hosts.s-proxy.j2
dest: /etc/hosts
when: ansible_hostname == "s-proxy"
- name: Desactive IPV6 avec sysctl
sysctl:
name: "{{ item }}"
value: 1
state: present
reload: yes
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6

27
roles/base/templates/hosts.j2 Normal file
View File

@@ -0,0 +1,27 @@
127.0.0.1 localhost
127.0.1.1 {{ ansible_nodename }}.gsb.lan {{ ansible_hostname }}
127.0.0.1 localhost ip6-localhost ip6-loopback
#10.121.38.10 depl.sio.lan depl
192.168.99.99 s-adm.gsb.adm depl.sio.lan depl
192.168.99.1 s-infra.gsb.adm
192.168.99.2 s-proxy.gsb.adm
192.168.99.3 s-appli.gsb.adm
192.168.99.4 s-backup.gsb.adm
192.168.99.5 s-puppet.gsb.adm
192.168.99.6 s-win.gsb.adm
192.168.99.7 s-nxc.gsb.adm
192.168.99.8 s-mon.gsb.adm
192.168.99.9 s-itil.gsb.adm
192.168.99.10 s-sspec.gsb.adm
192.168.99.11 s-web-ext.gsb.adm
192.168.99.10 s-dns.gsb.adm
192.168.99.12 r-int.gsb.adm
192.168.99.13 r-ext.gsb.adm
192.168.99.14 s-nas.gsb.adm
192.168.99.15 s-san.gsb.adm
192.168.99.16 s-fog.gsb.adm
192.168.99.8 syslog.gsb.adm

26
roles/base/templates/hosts.s-proxy.j2 Normal file
View File

@@ -0,0 +1,26 @@
127.0.0.1 localhost
127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }}
127.0.0.1 localhost ip6-localhost ip6-loopback
172.16.0.2 s-proxy.gsb.lan s-proxy
#10.121.38.10 depl
192.168.99.99 s-adm.gsb.adm depl
192.168.99.1 s-infra.gsb.adm
192.168.99.2 s-proxy.gsb.adm
192.168.99.3 s-appli.gsb.adm
192.168.99.4 s-backup.gsb.adm
192.168.99.5 s-puppet.gsb.adm
192.168.99.6 s-win.gsb.adm
192.168.99.7 s-nxc.gsb.adm
192.168.99.8 s-mon.gsb.adm
192.168.99.9 s-itil.gsb.adm
192.168.99.10 s-sspec.gsb.adm
192.168.99.11 s-web-ext.gsb.adm
192.168.99.10 s-dns.gsb.adm
192.168.99.12 r-int.gsb.adm
192.168.99.13 r-ext.gsb.adm
192.168.99.14 s-nas.gsb.adm
192.168.99.8 syslog.gsb.adm

3
roles/db-user/files/resolv.conf Normal file
View File

@@ -0,0 +1,3 @@
search gsb.lan
domain gsb.lan
nameserver 172.16.0.1

12
roles/db-user/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Create mysql user
mysql_user:
host: "{{ cli_ip }}"
name: "{{ maria_dbuser }}"
password: "{{ maria_dbpasswd }}"
priv: "*.*:ALL"
- name: Copie du fichier resolv.conf
copy:
src: resolv.conf
dest: /etc/resolv.conf

152
roles/dhcp-ag/files/dhcpd.conf Normal file
View File

@@ -0,0 +1,152 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau USER
#subnet 172.16.64.0 netmask 255.255.255.0 {
# range 172.16.64.20 172.16.64.120;
# option domain-name-servers 172.16.0.6, 172.16.0.1 ;
# option routers 172.16.64.254;
# option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau INFRA
#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau AGENCE
subnet 172.16.128.0 netmask 255.255.255.0 {
range 172.16.128.10 172.16.128.50;
option domain-name-servers 172.16.0.1;
option routers 172.16.128.254;
option broadcast-address 172.16.128.255;
default-lease-time 86400;
max-lease-time 86400;
}

18
roles/dhcp-ag/files/isc-dhcp-server Normal file
View File

@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s8"
INTERFACESv6=""

3
roles/dhcp-ag/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart dhcp
service: name=isc-dhcp-server state=restarted

11
roles/dhcp-ag/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Installation serveur dhcp
apt: name=isc-dhcp-server state=present update_cache=yes
- name: copie dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp
# notify: restart dhcp
- name: copie conf isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/isc-dhcp-server
# notify: restart dhcp

142
roles/dhcp-fog/files/dhcpd.conf Normal file
View File

@@ -0,0 +1,142 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau USER
subnet 172.16.64.0 netmask 255.255.255.0 {
range 172.16.64.20 172.16.64.120;
option domain-name-servers 172.16.0.1 ;
option routers 172.16.64.254;
option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau INFRA
#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}

18
roles/dhcp-fog/files/isc-dhcp-server Normal file
View File

@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s9"
INTERFACESv6=""

3
roles/dhcp-fog/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

14
roles/dhcp-fog/tasks/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Installation du dhcp
apt: name=isc-dhcp-server state=present
- name: Copie du fichier isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/
- name: Copie du fichier dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp/
notify:
- restart isc-dhcp-server

142
roles/dhcp/files/dhcpd.conf Normal file
View File

@@ -0,0 +1,142 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
subnet 172.16.65.0 netmask 255.255.255.0 {
range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau USER
subnet 172.16.64.0 netmask 255.255.255.0 {
range 172.16.64.20 172.16.64.120;
option domain-name-servers 172.16.0.1 ;
option routers 172.16.64.254;
option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau INFRA
subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
}

18
roles/dhcp/files/isc-dhcp-server Normal file
View File

@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s9 enp0s10"
INTERFACESv6=""

3
roles/dhcp/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

20
roles/dhcp/tasks/main.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Installation serveur DHCP - isc-dhcp-server
apt:
name: isc-dhcp-server
state: present
- name: Copie du fichier isc-dhcp-server dans /etc/default
copy:
src: isc-dhcp-server
dest: /etc/default/
- name: Copie du fichier dhcpd.conf dans /etc
copy:
src: dhcpd.conf
dest: /etc/dhcp/
notify:
- restart isc-dhcp-server

23
roles/dns-ag-cs/files/named.conf.options Normal file
View File

@@ -0,0 +1,23 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
172.16.0.1;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

4
roles/dns-ag-cs/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted

11
roles/dns-ag-cs/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9

23
roles/dns-agence/files/named.conf.options Normal file
View File

@@ -0,0 +1,23 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
172.16.0.1;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

4
roles/dns-agence/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted

11
roles/dns-agence/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9

38
roles/dns-master/files/db.gsb.lan Normal file
View File

@@ -0,0 +1,38 @@
; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
2022041200 ; Serial
7200 ; Refresh
86400 ; Retry
8419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS s-infra.gsb.lan.
@ IN NS s-backup.gsb.lan.
@ IN A 127.0.0.1
@ IN AAAA ::1
s-infra IN A 172.16.0.1
s-backup IN A 172.16.0.4
s-proxy IN A 172.16.0.2
s-appli IN A 172.16.0.3
s-win IN A 172.16.0.6
s-mess IN A 172.16.0.7
s-nxc IN A 172.16.0.7
s-docker IN A 172.16.0.7
s-mon IN A 172.16.0.8
s-itil IN A 172.16.0.9
s-elk IN A 172.16.0.10
s-gestsup IN A 172.16.0.17
r-int IN A 172.16.0.254
r-int-lnk IN A 192.168.200.254
r-ext IN A 192.168.200.253
s-lb IN A 192.168.100.10
s-web1 IN A 192.168.101.1
s-web2 IN A 192.168.101.2
s-lb.gsb.lan IN A 192.168.100.10
ns IN CNAME s-infra.gsb.lan.
wpad IN CNAME s-infra.gsb.lan.

31
roles/dns-master/files/db.gsb.lan.rev Normal file
View File

@@ -0,0 +1,31 @@
; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
2022041200 ; Serial
7200 ; Refresh
86400 ; Retry
8419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS s-infra.gsb.lan.
@ IN NS s-backup.gsb.lan.
1.0 IN PTR s-infra.gsb.lan.
4.0 IN PTR s-backup.gsb.lan.
2.0 IN PTR s-proxy.gsb.lan.
3.0 IN PTR s-appli.gsb.lan.
6.0 IN PTR s-win.gsb.lan.
7.0 IN PTR s-nxc.gsb.lan.
8.0 IN PTR s-mon.gsb.lan.
9.0 IN PTR s-itil.gsb.lan.
101.1 IN PTR s-web1
101.2 IN PTR s-web2
100.10 IN PTR s-lb
100.10 IN PTR s-lb.gsb.lan
10.0 IN PTR s-elk.gsb.lan.
17.0 IN PTR s-gestsup.lan
254.0 IN PTR r-int.gsb.lan.

2
roles/dns-master/files/forbidden.html Normal file
View File

@@ -0,0 +1,2 @@
<center><img src="http://sio.lyc-lecastel.fr/~nicolas.denizot/warning.jpg" alt="Bloque"></img></center>
<center><h1>Vous n'avez pas les droits requis pour acceder a cette page, veuillez contacter votre Administrateur.</h1></center>

7
roles/dns-master/files/hosts Normal file
View File

@@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 s-infra
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

20
roles/dns-master/files/named.conf.local Normal file
View File

@@ -0,0 +1,20 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "gsb.lan" {
type master;
file "/etc/bind/db.gsb.lan";
};
zone "16.172.in-addr.arpa"{
type master;
notify no;
file "/etc/bind/db.gsb.lan.rev";
};

26
roles/dns-master/files/named.conf.options Normal file
View File

@@ -0,0 +1,26 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
192.168.99.99;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
allow-query { 172.16.0.0/16; } ;
allow-recursion { 172.16.0.0/16; } ;
dnssec-validation no;
};

4
roles/dns-master/files/resolv.conf Normal file
View File

@@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 127.0.0.1

4
roles/dns-master/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted

48
roles/dns-master/tasks/main.yml Normal file
View File

@@ -0,0 +1,48 @@
---
- name: Installation bind9
apt:
name: bind9
state: present
update_cache: yes
- name: Copie named.conf.options
copy:
src: named.conf.options
dest: /etc/bind
notify:
- restart bind9
- name: Copie named.conf.local
copy:
src: named.conf.local
dest: /etc/bind
notify:
- restart bind9
- name: Copie fichier zone directe db.gsb.lan
copy:
src: db.gsb.lan
dest: /etc/bind
notify:
- restart bind9
- name: Copie fichier zone inverse db.gsb.lan.rev
copy:
src: db.gsb.lan.rev
dest: /etc/bind
notify:
- restart bind9
- name: Copie resolv.conf
copy:
src: resolv.conf
dest: /etc
notify:
- restart bind9
- name: Copie page squidguard
copy:
src: forbidden.html
dest: /var/www/

7
roles/dns-slave/files/hosts Normal file
View File

@@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 s-infra
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

28
roles/dns-slave/files/named.conf.local Normal file
View File

@@ -0,0 +1,28 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//zone direct
zone "gsb.lan" {
type slave;
file "/etc/bind/db.gsb.lan";
masters { 172.16.0.1; };
masterfile-format text;
};
//zone inverse
zone "16.172.in-addr.arpa" {
type slave;
notify no;
file "/etc/bind/db.gsb.lan.rev";
masters { 172.16.0.1; };
masterfile-format text;
};

26
roles/dns-slave/files/named.conf.options Normal file
View File

@@ -0,0 +1,26 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
192.168.99.99;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
allow-query { 172.16.0.0/16; } ;
allow-recursion { 172.16.0.0/16; } ;
dnssec-validation no;
};

4
roles/dns-slave/files/resolv.conf Normal file
View File

@@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 127.0.0.1

4
roles/dns-slave/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted

38
roles/dns-slave/tasks/main.yml Normal file
View File

@@ -0,0 +1,38 @@
- name: Installation bind9
apt:
name: bind9
state: present
- name: Copie named.conf.options
copy:
src: named.conf.options
dest: /etc/bind
notify:
- restart bind9
- name: Copie named.conf.local
copy:
src: named.conf.local
dest: /etc/bind
notify:
- restart bind9
- name: Copie resolv.conf
copy:
src: resolv.conf
dest: /etc
notify:
- restart bind9
- name: Changement de droit pour le répertoire /etc/bind
ansible.builtin.lineinfile:
path: /etc/apparmor.d/usr.sbin.named
regexp: ' /etc/bind/\*\* r,'
line: ' /etc/bind/** rw,'
- name: Changement de permission pour le groupe de /etc/bind
ansible.builtin.file:
path: /etc/bind/
state: directory
mode: g=rwx

531
roles/dnsmasq/files/dnsmasq.conf Normal file
View File

@@ -0,0 +1,531 @@
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
#strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via enp0s8
# server=10.1.2.3@enp0s8
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg enp0s3) here.
# Repeat the line for more than one interface.
interface=enp0s8
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=enp0s3
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
dhcp-range=192.168.99.100,192.168.99.120,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC alogrithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
# Send DHCPv6 option for namservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]
# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i
# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow is to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"
# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i
# Set the boot filename for netboot/PXE. You will only need
# this is you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0
# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100
# Boot for Etherboot gPXE. The idea is to send two different
# filenames, the first loads gPXE, and the second tells gPXE what to
# load. The dhcp-match sets the gpxe tag for requests from gPXE.
#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
#dhcp-boot=tag:!gpxe,undionly.kpxe
#dhcp-boot=mybootimage
# Encapsulated options for Etherboot gPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b # priority code
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
#dhcp-option=encap:175, 177, string # bus-id
#dhcp-option=encap:175, 189, 1b # BIOS drive code
#dhcp-option=encap:175, 190, user # iSCSI username
#dhcp-option=encap:175, 191, pass # iSCSI password
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60
# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
# Use bootserver on network, found my multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1
# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net
# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fasion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part if missing from the name (so that is just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/*.conf

3
roles/dnsmasq/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart dnsmasq
service: name=dnsmasq state=restarted

11
roles/dnsmasq/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Installation dnsmasq
apt: name=dnsmasq state=present
- name: Copie du fichier dnsmasq.conf
copy: src=dnsmasq.conf dest=/etc/
notify:
- restart dnsmasq

48
roles/docker-nextcloud/files/config.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
$CONFIG = array (
'htaccess.RewriteBase' => '/',
'memcache.local' => '\\OC\\Memcache\\APCu',
'apps_paths' =>
array (
0 =>
array (
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false,
),
1 =>
array (
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
'instanceid' => 'ocvc4q2htemf',
'passwordsalt' => 'stdJZMx4C5hz85Kqt8XdZIzx8kVOHI',
'secret' => 'II1BBgzlx70WUYCapAt/m/Bt1ZEk/n11n0DVq3zynyU8F/bU',
'trusted_domains' =>
array (
0 => '172.16.0.7:5678',
1 => '172.16.0.7:8080',
2 => 's-mess',
3 => 's-mess.gsb.lan',
4 => 'localhost:8080',
5 => 's-nxec.gsb.lan',
),
'trusted_proxies' => ['172.16.0.7'],
'overwriteprotocol' => 'http',
'overwritehost' => '172.16.0.7:8080',
'proxy' => '172.16.0.7:8080',
'datadirectory' => '/var/www/html/data',
'dbtype' => 'mysql',
'version' => '20.0.6.1',
'overwrite.cli.url' => 'http://172.16.0.7:5678',
'dbname' => 'nextcloud',
'dbhost' => 'db',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => 'root',
'installed' => true,
);

13
roles/docker-nextcloud/files/dhparam.pem Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA9YcWlg90PgLB2PS31Tv8mxn6cyRZd4GvX6tkqwOfXhdBZYzgoEnJ
17U+hDqpT5utQpUbfR0//uXr53mpu3ufxCNJ9gSsCIAbmhTIT3qwLwUis3Etb8PA
4LCTbVHvua5W7/pdM0s8PIOAWK7ah09p+mzwZqx5tKZWtbdERQKIAGE6Xmd4845/
9oBWTj2g5t83Gt/fZDy+NVRy5ePb/KGix4bEmfnZ5htC/16VFPVrSZUALoxn8HtC
3nn4eqBrZeAxY6UHuW0ZPkRmpLs3GCILa+gze+wDlKlhC+RQU/f8Fijo6SsQPzNf
6BzJdoyeeE9OyyhhWu4Mihr39RnShk1ABO2eZrA1TE7L5X3YuCeIO09j99hkEsPr
mX1zh+v4sx2FFMZLebu+5KYf+ROOOYtMy6AJQq55avccTPrs0S+pxswypbzMD4ym
BYtPO46XYkRhrX47TfVHLW9oonDmMxPKNidNMrFtKW0b6f09iOcN9iEA/EM0s+3n
uQ2h+bQrwGqo5aMSUuJ3w8EjFySIqKgU5ZxJzPGSndsqS7zd2hUxNx7EZueHXX5N
CJ7kWRhIFv8YHHx0J/VFJieyr7DAUATu7chu4aGhwf2AoGYzmI0tjSh+3rQiDh7O
h+JtKr+wifr9P2vBqIWFQltOC2srRs+EB+5/qN1iIjYmq52MkUbFLfMCAQI=
-----END DH PARAMETERS-----

35
roles/docker-nextcloud/files/docker-compose.yml Executable file
View File

@@ -0,0 +1,35 @@
version: '2'
volumes:
nextcloud:
db:
services:
db:
image: mariadb
restart: always
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=root
- MYSQL_PASSWORD=root
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- TZ=Europe/Paris
app:
image: nextcloud
restart: always
ports:
- 5678:80
links:
- db
volumes:
- ./nextcloud:/var/www/html
environment:
- MYSQL_PASSWORD=root
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=db
- TZ=Europe/Paris

502
roles/docker-nextcloud/files/get_docker.sh Executable file
View File

@@ -0,0 +1,502 @@
#!/bin/sh
set -e
# Docker CE for Linux installation script
#
# See https://docs.docker.com/install/ for the installation steps.
#
# This script is meant for quick & easy install via:
# $ curl -fsSL https://get.docker.com -o get-docker.sh
# $ sh get-docker.sh
#
# For test builds (ie. release candidates):
# $ curl -fsSL https://test.docker.com -o test-docker.sh
# $ sh test-docker.sh
#
# NOTE: Make sure to verify the contents of the script
# you downloaded matches the contents of install.sh
# located at https://github.com/docker/docker-install
# before executing.
#
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4"
# The channel to install from:
# * nightly
# * test
# * stable
# * edge (deprecated)
DEFAULT_CHANNEL_VALUE="stable"
if [ -z "$CHANNEL" ]; then
CHANNEL=$DEFAULT_CHANNEL_VALUE
fi
DEFAULT_DOWNLOAD_URL="https://download.docker.com"
if [ -z "$DOWNLOAD_URL" ]; then
DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
fi
DEFAULT_REPO_FILE="docker-ce.repo"
if [ -z "$REPO_FILE" ]; then
REPO_FILE="$DEFAULT_REPO_FILE"
fi
mirror=''
DRY_RUN=${DRY_RUN:-}
while [ $# -gt 0 ]; do
case "$1" in
--mirror)
mirror="$2"
shift
;;
--dry-run)
DRY_RUN=1
;;
--*)
echo "Illegal option $1"
;;
esac
shift $(( $# > 0 ? 1 : 0 ))
done
case "$mirror" in
Aliyun)
DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
;;
AzureChinaCloud)
DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
;;
esac
command_exists() {
command -v "$@" > /dev/null 2>&1
}
is_dry_run() {
if [ -z "$DRY_RUN" ]; then
return 1
else
return 0
fi
}
is_wsl() {
case "$(uname -r)" in
*microsoft* ) true ;; # WSL 2
*Microsoft* ) true ;; # WSL 1
* ) false;;
esac
}
is_darwin() {
case "$(uname -s)" in
*darwin* ) true ;;
*Darwin* ) true ;;
* ) false;;
esac
}
deprecation_notice() {
distro=$1
date=$2
echo
echo "DEPRECATION WARNING:"
echo " The distribution, $distro, will no longer be supported in this script as of $date."
echo " If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new"
echo
sleep 10
}
get_distribution() {
lsb_dist=""
# Every system that we officially support has /etc/os-release
if [ -r /etc/os-release ]; then
lsb_dist="$(. /etc/os-release && echo "$ID")"
fi
# Returning an empty string here should be alright since the
# case statements don't act unless you provide an actual value
echo "$lsb_dist"
}
add_debian_backport_repo() {
debian_version="$1"
backports="deb http://ftp.debian.org/debian $debian_version-backports main"
if ! grep -Fxq "$backports" /etc/apt/sources.list; then
(set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list")
fi
}
echo_docker_as_nonroot() {
if is_dry_run; then
return
fi
if command_exists docker && [ -e /var/run/docker.sock ]; then
(
set -x
$sh_c 'docker version'
) || true
fi
your_user=your-user
[ "$user" != 'root' ] && your_user="$user"
# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
echo "If you would like to use Docker as a non-root user, you should now consider"
echo "adding your user to the \"docker\" group with something like:"
echo
echo " sudo usermod -aG docker $your_user"
echo
echo "Remember that you will have to log out and back in for this to take effect!"
echo
echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run"
echo " containers which can be used to obtain root privileges on the"
echo " docker host."
echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface"
echo " for more information."
}
# Check if this is a forked Linux distro
check_forked() {
# Check for lsb_release command existence, it usually exists in forked distros
if command_exists lsb_release; then
# Check if the `-u` option is supported
set +e
lsb_release -a -u > /dev/null 2>&1
lsb_release_exit_code=$?
set -e
# Check if the command has exited successfully, it means we're in a forked distro
if [ "$lsb_release_exit_code" = "0" ]; then
# Print info about current distro
cat <<-EOF
You're using '$lsb_dist' version '$dist_version'.
EOF
# Get the upstream release info
lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
# Print info about upstream distro
cat <<-EOF
Upstream release is '$lsb_dist' version '$dist_version'.
EOF
else
if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
if [ "$lsb_dist" = "osmc" ]; then
# OSMC runs Raspbian
lsb_dist=raspbian
else
# We're Debian and don't even know it!
lsb_dist=debian
fi
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
10)
dist_version="buster"
;;
9)
dist_version="stretch"
;;
8|'Kali Linux 2')
dist_version="jessie"
;;
esac
fi
fi
fi
}
semverParse() {
major="${1%%.*}"
minor="${1#$major.}"
minor="${minor%%.*}"
patch="${1#$major.$minor.}"
patch="${patch%%[-.]*}"
}
do_install() {
echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
if command_exists docker; then
docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)"
MAJOR_W=1
MINOR_W=10
semverParse "$docker_version"
shouldWarn=0
if [ "$major" -lt "$MAJOR_W" ]; then
shouldWarn=1
fi
if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then
shouldWarn=1
fi
cat >&2 <<-'EOF'
Warning: the "docker" command appears to already exist on this system.
If you already have Docker installed, this script can cause trouble, which is
why we're displaying this warning and provide the opportunity to cancel the
installation.
If you installed the current Docker package using this script and are using it
EOF
if [ $shouldWarn -eq 1 ]; then
cat >&2 <<-'EOF'
again to update Docker, we urge you to migrate your image store before upgrading
to v1.10+.
You can find instructions for this here:
https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
EOF
else
cat >&2 <<-'EOF'
again to update Docker, you can safely ignore this message.
EOF
fi
cat >&2 <<-'EOF'
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
user="$(id -un 2>/dev/null || true)"
sh_c='sh -c'
if [ "$user" != 'root' ]; then
if command_exists sudo; then
sh_c='sudo -E sh -c'
elif command_exists su; then
sh_c='su -c'
else
cat >&2 <<-'EOF'
Error: this installer needs the ability to run commands as root.
We are unable to find either "sudo" or "su" available to make this happen.
EOF
exit 1
fi
fi
if is_dry_run; then
sh_c="echo"
fi
# perform some very rudimentary platform detection
lsb_dist=$( get_distribution )
lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
if is_wsl; then
echo
echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
echo
cat >&2 <<-'EOF'
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
case "$lsb_dist" in
ubuntu)
if command_exists lsb_release; then
dist_version="$(lsb_release --codename | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
fi
;;
debian|raspbian)
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
10)
dist_version="buster"
;;
9)
dist_version="stretch"
;;
8)
dist_version="jessie"
;;
esac
;;
centos|rhel)
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
*)
if command_exists lsb_release; then
dist_version="$(lsb_release --release | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
esac
# Check if this is a forked Linux distro
check_forked
# Run setup for each distro accordingly
case "$lsb_dist" in
ubuntu|debian|raspbian)
pre_reqs="apt-transport-https ca-certificates curl"
if [ "$lsb_dist" = "debian" ]; then
# libseccomp2 does not exist for debian jessie main repos for aarch64
if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then
add_debian_backport_repo "$dist_version"
fi
fi
if ! command -v gpg > /dev/null; then
pre_reqs="$pre_reqs gnupg"
fi
apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
(
if ! is_dry_run; then
set -x
fi
$sh_c 'apt-get update -qq >/dev/null'
$sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null"
$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null"
$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
$sh_c 'apt-get update -qq >/dev/null'
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
# Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist"
search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
echo
exit 1
fi
search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
# Don't insert an = for cli_pkg_version, we'll just include it later
cli_pkg_version="$($sh_c "$search_command")"
pkg_version="=$pkg_version"
fi
fi
(
if ! is_dry_run; then
set -x
fi
if [ -n "$cli_pkg_version" ]; then
$sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null"
fi
$sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null"
)
echo_docker_as_nonroot
exit 0
;;
centos|fedora|rhel)
yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
if ! curl -Ifs "$yum_repo" > /dev/null; then
echo "Error: Unable to curl repository file $yum_repo, is it valid?"
exit 1
fi
if [ "$lsb_dist" = "fedora" ]; then
pkg_manager="dnf"
config_manager="dnf config-manager"
enable_channel_flag="--set-enabled"
disable_channel_flag="--set-disabled"
pre_reqs="dnf-plugins-core"
pkg_suffix="fc$dist_version"
else
pkg_manager="yum"
config_manager="yum-config-manager"
enable_channel_flag="--enable"
disable_channel_flag="--disable"
pre_reqs="yum-utils"
pkg_suffix="el"
fi
(
if ! is_dry_run; then
set -x
fi
$sh_c "$pkg_manager install -y -q $pre_reqs"
$sh_c "$config_manager --add-repo $yum_repo"
if [ "$CHANNEL" != "stable" ]; then
$sh_c "$config_manager $disable_channel_flag docker-ce-*"
$sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
fi
$sh_c "$pkg_manager makecache"
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix"
search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
echo
exit 1
fi
search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
# It's okay for cli_pkg_version to be blank, since older versions don't support a cli package
cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
# Cut out the epoch and prefix with a '-'
pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
fi
fi
(
if ! is_dry_run; then
set -x
fi
# install the correct cli version first
if [ -n "$cli_pkg_version" ]; then
$sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version"
fi
$sh_c "$pkg_manager install -y -q docker-ce$pkg_version"
)
echo_docker_as_nonroot
exit 0
;;
*)
if [ -z "$lsb_dist" ]; then
if is_darwin; then
echo
echo "ERROR: Unsupported operating system 'macOS'"
echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
echo
exit 1
fi
fi
echo
echo "ERROR: Unsupported distribution '$lsb_dist'"
echo
exit 1
;;
esac
exit 1
}
# wrapped up in a function so that we have some protection against only getting
# half the file during "curl | sh"
do_install

24
roles/docker-nextcloud/files/nginx-selfsigned.crt Normal file
View File

@@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIEAzCCAuugAwIBAgIUAr99SgfwQjW0wJSay5rL7I8V6G4wDQYJKoZIhvcNAQEL
BQAwgZAxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlCb3VyZ29nbmUxDjAMBgNVBAcM
BURpam9uMQwwCgYDVQQKDANHU0IxDjAMBgNVBAsMBWluZnJhMRcwFQYDVQQDDA5z
LW54ZWMuZ3NiLmxhbjEmMCQGCSqGSIb3DQEJARYXYXhlbC5tcmwuc2NvbEBnbWFp
bC5jb20wHhcNMjEwMzI5MDkzMTIxWhcNMjIwMzI5MDkzMTIxWjCBkDELMAkGA1UE
BhMCRlIxEjAQBgNVBAgMCUJvdXJnb2duZTEOMAwGA1UEBwwFRGlqb24xDDAKBgNV
BAoMA0dTQjEOMAwGA1UECwwFaW5mcmExFzAVBgNVBAMMDnMtbnhlYy5nc2IubGFu
MSYwJAYJKoZIhvcNAQkBFhdheGVsLm1ybC5zY29sQGdtYWlsLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+iB7H1clY8gwX6CQfBqU+V4gF4ZMmg
HMbnoPvWV0WOJlgyODh5xdE11iJBBby8VNdiruGNJCeLeI4WWUUkJJXMyeWNTM6/
JIZhVZI0UF042S/s8WdP+jls4aASkp0QH+XDs+758y5D9lRoX+At+bRZSC/Fz/tL
Y16e15F1+BxZeSWUEajHZIJZ79gm0UQxA9HdHAHpoWR05P74Fy6rnOsQNtBW4Jkt
xDb9CHRWNVjvbBuPsDwPTEOvMq94r5yWspHDhA3edvtAAJke5N9od4mN8KTJQouJ
O0ZzvOYIofr8iQM3981p9MuBUwtDNT7+ns22lDXeORoliOCG1gE25DsCAwEAAaNT
MFEwHQYDVR0OBBYEFJgtmIFxdyFe3vZ/a3UwxORCZiLiMB8GA1UdIwQYMBaAFJgt
mIFxdyFe3vZ/a3UwxORCZiLiMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBAJm7oJOJev7hh/G1xCPPyASWn9s9C9sb5zbxyq1gF5P6Br8Xof9OJ1ZE
XJaH1MwxxR+2Qhok6gERBSqpwe6jnreImOpqhHEQGdMWJvIRlvTPQmEj/mCoLGKf
DsIvl3ug4OfNqMojwYlGhsfQH92Qz2pnE88pLIT13y85c8TJHti2+GOxOTSxYLrs
lt3fYYjnSZ2mm9fLBcP/XgdCSTeN6XwpJr2b56sVh0uehFXnkgzjDd+PTGkIgnfT
/eXtX8+VbQIOSEOrIt0GneBZ3n37FSgz/y9TR5HgNKyt74oxbLsYR0qWpbCcEjw+
ex/v7vE3bXgPGE56NzhlM1Pjh90R9hI=
-----END CERTIFICATE-----

28
roles/docker-nextcloud/files/nginx-selfsigned.key Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvogex9XJWPIMF
+gkHwalPleIBeGTJoBzG56D71ldFjiZYMjg4ecXRNdYiQQW8vFTXYq7hjSQni3iO
FllFJCSVzMnljUzOvySGYVWSNFBdONkv7PFnT/o5bOGgEpKdEB/lw7Pu+fMuQ/ZU
aF/gLfm0WUgvxc/7S2NenteRdfgcWXkllBGox2SCWe/YJtFEMQPR3RwB6aFkdOT+
+Bcuq5zrEDbQVuCZLcQ2/Qh0VjVY72wbj7A8D0xDrzKveK+clrKRw4QN3nb7QACZ
HuTfaHeJjfCkyUKLiTtGc7zmCKH6/IkDN/fNafTLgVMLQzU+/p7NtpQ13jkaJYjg
htYBNuQ7AgMBAAECggEAfyHLbi7cL74nnZjrFnlBpIE7EpNiaWyDyBr8ta7mh0up
R+g6N+81mQXeVfc5PvAYfbxKGKyBAjr77eYRgnHyJZkSgB5y/ajwuHEWbvl9Pq2a
0Q0zhPQojY7aF3O6OwTkAf5Sbebx94hsc5cF55GAEeMa1LHcpethJ6nVIs8A5QtP
ZgGlfFkgGXp1GQPmeX1jQePSp8nqCftIwFPOuLcuQnisc282NCRHl3M+VlnUIZNL
fgRxalurrnaKf5P9DRvxiGlUJzoH1h0tgYbfUMpoRXdYYK3wjVbWWPROrS1c1yrl
17W004k8Fb++rUmQucQEtsiID/ymAMZPtiCG2IqvwQKBgQDjQGf8GFt04ypvoux/
acOMtHXaA1k1Fa6Gtvr3dCfhlm4dCxvHfAqWawW2GXrSajhVRe+vcqBMyKAY5G3a
O3nZNpFliMqbftzKkF6AThIgaDaGAzfr+I88urvX0od1+wzjzievOHOlbil3OriD
HrGmfO/xnnXkgHCQK2YjmhFeoQKBgQDF2fEp5HZAZFWy55LVlS6DIDFfK2DShCNf
ENcDp1YWz/PCbHTY0xXZ6T4TOX14YYmeZVZFCUcpWGQrfL+ogJhoM9iQFuzYrzMz
iYjgICeTJPLGQawC6CKVFcE7i6kjNie66IjEIZj1rS2zG/+WVTl95M8JxJO2U7a/
7JiYJiehWwKBgQCqxb6euisYJpHAPL3ebbtO5Fnf0D5cXwO9JopoJHjH1ITA/JUO
jo9iQ+CR3Inoz3uv0RNyVABUUzvEGPzYT3OcoJ4Yn/gpa+c9rcnmP0Tt54J5qLeA
c1QofeclI4c6SMOB+WznBtQZEDTG7XC0z/8OLrsdZkgPw9lS7doejOvaoQKBgGbV
azp561h2jfBp2nC2lDFFN0Qe2LkyQuwzZX4ZqG488ZZZJrZXqGDVkRUO6X77Ozsf
sqI5O0prDc1ojnk3NX/birEBqWLKVRNxZboQHGGnb6PKGGx+WRMh9ohLg8KwcB/+
oq9GQylWNI2GfOaXL0WW+mE6UggPJMpGX92c3zZHAoGAMOFoxUjjzsB0oJLTuYax
VKE7Jno24o5JeDRm69WS3E6boSZsIY/9r4jWtYiTbhwlTZpZMqad3h/zM/swHvVq
hh1BaHXBik/9rpnyTMZ9vo6UNyYo/TJPH3yrKwZbF4Cn2uWQoJCfDeo9VXdIEbEn
SwyeWd4Zkt/wvqmocF5KVqI=
-----END PRIVATE KEY-----

121
roles/docker-nextcloud/files/proxy Normal file
View File

@@ -0,0 +1,121 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 8080 default_server;
listen [::]:8080 default_server;
server_name s-nxec.gsb.lan;
return 302 https://$server_name$request_uri;
}
# location / {
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_pass http://localhost:5678;
# proxy_connect_timeout 900;
# proxy_send_timeout 900;
# proxy_read_timeout 900;
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name s-nxec.gsb.lan;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:5678;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
}
}
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
# root /var/www/html;
# Add index.php to the list if you are using PHP
# index index.html index.htm index.nginx-debian.html;
# server_name _;
# location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# }
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

100
roles/docker-nextcloud/files/proxy.bak Normal file
View File

@@ -0,0 +1,100 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 8080 default_server;
listen [::]:8080 default_server;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:5678;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
}
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
# root /var/www/html;
# Add index.php to the list if you are using PHP
# index index.html index.htm index.nginx-debian.html;
# server_name _;
# location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# }
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

2
roles/docker-nextcloud/files/self-signed.conf Normal file
View File

@@ -0,0 +1,2 @@
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

18
roles/docker-nextcloud/files/ssl-params.conf Normal file
View File

@@ -0,0 +1,18 @@
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 172.16.0.1 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

89
roles/docker-nextcloud/tasks/main.yml Normal file
View File

@@ -0,0 +1,89 @@
---
- name: Creation du repertoire nextcloud
file:
path: /root/nextcloud
state: directory
- name: Copie du script get_docker
copy:
src: get_docker.sh
dest: /root/nextcloud
- name: Execution du script get_docker
script: /root/nextcloud/get_docker.sh
- name: Installation de docker-compose
shell: curl -L "https://github.com/docker/compose/releases/download/1.28.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Attribution des droits de docker compose
file:
path: /usr/local/bin/docker-compose
mode: '755'
- name: Copie de docker-compose.yml
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/docker-compose.yml
dest: /root/nextcloud
- name: Execution du fichier docker-compose.yml
shell: docker-compose up -d
args:
chdir: /root/nextcloud
- name: Installation de Nginx
package:
name: nginx
state: present
- name: Copie de config.php dans /root/nextcloud/nextcloud/config
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/config.php
dest: /root/nextcloud/nextcloud/config
- name: Copie de nginx-selfsigned.key
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.key
dest: /etc/ssl/private
- name: Copie nginx-selfsigned.crt
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.crt
dest: /etc/ssl/certs
- name: Copie de dhparam.pem
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/dhparam.pem
dest: /etc/nginx
- name: Copie de self-signed.conf
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/self-signed.conf
dest: /etc/nginx/snippets
- name: Copie de ssl-params.conf
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/ssl-params.conf
dest: /etc/nginx/snippets
- name: Copie de /etc/nginx/site-availables/proxy
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/proxy
dest: /etc/nginx/sites-available
- name: Suppression de /etc/nginx/sites-enabled/default
file:
path: /etc/nginx/sites-enabled/default
state: absent
- name: Creation de lien symbolique avec /etc/nginx/sites-available/proxy dans /etc/n$
file:
src: /etc/nginx/sites-available/proxy
dest: /etc/nginx/sites-enabled/proxy
owner: root
group: root
state: link
- name: Redemarage de Nginx
service:
name: nginx
state: restarted

10
roles/docker/README.md Normal file
View File

@@ -0,0 +1,10 @@
# Installation de docker
Pour assurer l'installation de docker il vous faut lancer le script getall depuis s-adm.
Chemin de getall : /var/www/html/gsbstore/
#### Fonctionnement du playbook
Le playbook va télécharger getdocker.sh et le placer dans tmp.
Il va donc lancer docker.sh et ensuite installer docker-compose, suite à cela, l'installation
est terminée.

16
roles/docker/tasks/main.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Téléchargement getdocker.sh
ansible.builtin.get_url:
url: http://s-adm.gsb.adm/gsbstore/getdocker.sh
dest: /tmp
mode: '0755'
- name: Execution du script getdocker
ansible.builtin.script:
cmd: /tmp/getdocker.sh
- name: Téléchargement docker-compose
ansible.builtin.get_url:
url: http://s-adm.gsb.adm/gsbstore/docker-compose
dest: /usr/local/bin
mode: '0755'

8
roles/elk/README.md Normal file
View File

@@ -0,0 +1,8 @@
## Principe du rôle elk
Ce rôle permet de créer un serveur ELK pour centraliser les logs et d'avoir des métriques pour simplifier la gestion du parc informatique GSB.
Le principe de se rôle est d'installer docker, les différentes tâches de se rôle est de :
Vérifier si ELK est déjà installé,
Installer ELK sur github,
Changer la configuration
Lancer ELK avec docker-compose

502
roles/elk/files/get_docker.sh Executable file
View File

@@ -0,0 +1,502 @@
#!/bin/sh
set -e
# Docker CE for Linux installation script
#
# See https://docs.docker.com/install/ for the installation steps.
#
# This script is meant for quick & easy install via:
# $ curl -fsSL https://get.docker.com -o get-docker.sh
# $ sh get-docker.sh
#
# For test builds (ie. release candidates):
# $ curl -fsSL https://test.docker.com -o test-docker.sh
# $ sh test-docker.sh
#
# NOTE: Make sure to verify the contents of the script
# you downloaded matches the contents of install.sh
# located at https://github.com/docker/docker-install
# before executing.
#
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4"
# The channel to install from:
# * nightly
# * test
# * stable
# * edge (deprecated)
DEFAULT_CHANNEL_VALUE="stable"
if [ -z "$CHANNEL" ]; then
CHANNEL=$DEFAULT_CHANNEL_VALUE
fi
DEFAULT_DOWNLOAD_URL="https://download.docker.com"
if [ -z "$DOWNLOAD_URL" ]; then
DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
fi
DEFAULT_REPO_FILE="docker-ce.repo"
if [ -z "$REPO_FILE" ]; then
REPO_FILE="$DEFAULT_REPO_FILE"
fi
mirror=''
DRY_RUN=${DRY_RUN:-}
while [ $# -gt 0 ]; do
case "$1" in
--mirror)
mirror="$2"
shift
;;
--dry-run)
DRY_RUN=1
;;
--*)
echo "Illegal option $1"
;;
esac
shift $(( $# > 0 ? 1 : 0 ))
done
case "$mirror" in
Aliyun)
DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
;;
AzureChinaCloud)
DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
;;
esac
command_exists() {
command -v "$@" > /dev/null 2>&1
}
is_dry_run() {
if [ -z "$DRY_RUN" ]; then
return 1
else
return 0
fi
}
is_wsl() {
case "$(uname -r)" in
*microsoft* ) true ;; # WSL 2
*Microsoft* ) true ;; # WSL 1
* ) false;;
esac
}
is_darwin() {
case "$(uname -s)" in
*darwin* ) true ;;
*Darwin* ) true ;;
* ) false;;
esac
}
deprecation_notice() {
distro=$1
date=$2
echo
echo "DEPRECATION WARNING:"
echo " The distribution, $distro, will no longer be supported in this script as of $date."
echo " If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new"
echo
sleep 10
}
get_distribution() {
lsb_dist=""
# Every system that we officially support has /etc/os-release
if [ -r /etc/os-release ]; then
lsb_dist="$(. /etc/os-release && echo "$ID")"
fi
# Returning an empty string here should be alright since the
# case statements don't act unless you provide an actual value
echo "$lsb_dist"
}
add_debian_backport_repo() {
debian_version="$1"
backports="deb http://ftp.debian.org/debian $debian_version-backports main"
if ! grep -Fxq "$backports" /etc/apt/sources.list; then
(set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list")
fi
}
echo_docker_as_nonroot() {
if is_dry_run; then
return
fi
if command_exists docker && [ -e /var/run/docker.sock ]; then
(
set -x
$sh_c 'docker version'
) || true
fi
your_user=your-user
[ "$user" != 'root' ] && your_user="$user"
# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
echo "If you would like to use Docker as a non-root user, you should now consider"
echo "adding your user to the \"docker\" group with something like:"
echo
echo " sudo usermod -aG docker $your_user"
echo
echo "Remember that you will have to log out and back in for this to take effect!"
echo
echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run"
echo " containers which can be used to obtain root privileges on the"
echo " docker host."
echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface"
echo " for more information."
}
# Check if this is a forked Linux distro
check_forked() {
# Check for lsb_release command existence, it usually exists in forked distros
if command_exists lsb_release; then
# Check if the `-u` option is supported
set +e
lsb_release -a -u > /dev/null 2>&1
lsb_release_exit_code=$?
set -e
# Check if the command has exited successfully, it means we're in a forked distro
if [ "$lsb_release_exit_code" = "0" ]; then
# Print info about current distro
cat <<-EOF
You're using '$lsb_dist' version '$dist_version'.
EOF
# Get the upstream release info
lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
# Print info about upstream distro
cat <<-EOF
Upstream release is '$lsb_dist' version '$dist_version'.
EOF
else
if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
if [ "$lsb_dist" = "osmc" ]; then
# OSMC runs Raspbian
lsb_dist=raspbian
else
# We're Debian and don't even know it!
lsb_dist=debian
fi
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
10)
dist_version="buster"
;;
9)
dist_version="stretch"
;;
8|'Kali Linux 2')
dist_version="jessie"
;;
esac
fi
fi
fi
}
semverParse() {
major="${1%%.*}"
minor="${1#$major.}"
minor="${minor%%.*}"
patch="${1#$major.$minor.}"
patch="${patch%%[-.]*}"
}
do_install() {
echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
if command_exists docker; then
docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)"
MAJOR_W=1
MINOR_W=10
semverParse "$docker_version"
shouldWarn=0
if [ "$major" -lt "$MAJOR_W" ]; then
shouldWarn=1
fi
if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then
shouldWarn=1
fi
cat >&2 <<-'EOF'
Warning: the "docker" command appears to already exist on this system.
If you already have Docker installed, this script can cause trouble, which is
why we're displaying this warning and provide the opportunity to cancel the
installation.
If you installed the current Docker package using this script and are using it
EOF
if [ $shouldWarn -eq 1 ]; then
cat >&2 <<-'EOF'
again to update Docker, we urge you to migrate your image store before upgrading
to v1.10+.
You can find instructions for this here:
https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
EOF
else
cat >&2 <<-'EOF'
again to update Docker, you can safely ignore this message.
EOF
fi
cat >&2 <<-'EOF'
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
user="$(id -un 2>/dev/null || true)"
sh_c='sh -c'
if [ "$user" != 'root' ]; then
if command_exists sudo; then
sh_c='sudo -E sh -c'
elif command_exists su; then
sh_c='su -c'
else
cat >&2 <<-'EOF'
Error: this installer needs the ability to run commands as root.
We are unable to find either "sudo" or "su" available to make this happen.
EOF
exit 1
fi
fi
if is_dry_run; then
sh_c="echo"
fi
# perform some very rudimentary platform detection
lsb_dist=$( get_distribution )
lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
if is_wsl; then
echo
echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
echo
cat >&2 <<-'EOF'
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
case "$lsb_dist" in
ubuntu)
if command_exists lsb_release; then
dist_version="$(lsb_release --codename | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
fi
;;
debian|raspbian)
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
10)
dist_version="buster"
;;
9)
dist_version="stretch"
;;
8)
dist_version="jessie"
;;
esac
;;
centos|rhel)
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
*)
if command_exists lsb_release; then
dist_version="$(lsb_release --release | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
esac
# Check if this is a forked Linux distro
check_forked
# Run setup for each distro accordingly
case "$lsb_dist" in
ubuntu|debian|raspbian)
pre_reqs="apt-transport-https ca-certificates curl"
if [ "$lsb_dist" = "debian" ]; then
# libseccomp2 does not exist for debian jessie main repos for aarch64
if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then
add_debian_backport_repo "$dist_version"
fi
fi
if ! command -v gpg > /dev/null; then
pre_reqs="$pre_reqs gnupg"
fi
apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
(
if ! is_dry_run; then
set -x
fi
$sh_c 'apt-get update -qq >/dev/null'
$sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null"
$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null"
$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
$sh_c 'apt-get update -qq >/dev/null'
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
# Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist"
search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
echo
exit 1
fi
search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
# Don't insert an = for cli_pkg_version, we'll just include it later
cli_pkg_version="$($sh_c "$search_command")"
pkg_version="=$pkg_version"
fi
fi
(
if ! is_dry_run; then
set -x
fi
if [ -n "$cli_pkg_version" ]; then
$sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null"
fi
$sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null"
)
echo_docker_as_nonroot
exit 0
;;
centos|fedora|rhel)
yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
if ! curl -Ifs "$yum_repo" > /dev/null; then
echo "Error: Unable to curl repository file $yum_repo, is it valid?"
exit 1
fi
if [ "$lsb_dist" = "fedora" ]; then
pkg_manager="dnf"
config_manager="dnf config-manager"
enable_channel_flag="--set-enabled"
disable_channel_flag="--set-disabled"
pre_reqs="dnf-plugins-core"
pkg_suffix="fc$dist_version"
else
pkg_manager="yum"
config_manager="yum-config-manager"
enable_channel_flag="--enable"
disable_channel_flag="--disable"
pre_reqs="yum-utils"
pkg_suffix="el"
fi
(
if ! is_dry_run; then
set -x
fi
$sh_c "$pkg_manager install -y -q $pre_reqs"
$sh_c "$config_manager --add-repo $yum_repo"
if [ "$CHANNEL" != "stable" ]; then
$sh_c "$config_manager $disable_channel_flag docker-ce-*"
$sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
fi
$sh_c "$pkg_manager makecache"
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix"
search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
echo
exit 1
fi
search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
# It's okay for cli_pkg_version to be blank, since older versions don't support a cli package
cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
# Cut out the epoch and prefix with a '-'
pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
fi
fi
(
if ! is_dry_run; then
set -x
fi
# install the correct cli version first
if [ -n "$cli_pkg_version" ]; then
$sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version"
fi
$sh_c "$pkg_manager install -y -q docker-ce$pkg_version"
)
echo_docker_as_nonroot
exit 0
;;
*)
if [ -z "$lsb_dist" ]; then
if is_darwin; then
echo
echo "ERROR: Unsupported operating system 'macOS'"
echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
echo
exit 1
fi
fi
echo
echo "ERROR: Unsupported distribution '$lsb_dist'"
echo
exit 1
;;
esac
exit 1
}
# wrapped up in a function so that we have some protection against only getting
# half the file during "curl | sh"
do_install

27
roles/elk/tasks/main.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Création répertoire docker
file:
path: /root/elk
state: directory
- name: Vérification d'ELK
stat:
path: /root/elk/docker-compose.yml
register: elk
- name: Installation d'ELK
ansible.builtin.git:
repo: https://github.com/deviantony/docker-elk.git
dest: /root/elk/
when: not elk.stat.exists
- name: Configuration d'ELK
replace:
path: /root/elk/elasticsearch/config/elasticsearch.yml
regexp: 'xpack.license.self_generated.type: trial'
replace: 'xpack.license.self_generated.type: basic'
- name: Execution du fichier docker-compose.yml
shell: docker-compose up -d
args:
chdir: /root/elk

7
roles/filebeat-cli/README.md Normal file
View File

@@ -0,0 +1,7 @@
## Explication du rôle filebeat-cli
Filebeat permet de centraliser et simplifier la gestion de logs pour ELK.
Ce rôle fonctionne en faisant :
Une installation de filebeat
Une configuration de filebeat
Une activation du module system(Logs système)

226
roles/filebeat-cli/files/filebeat.yml Normal file
View File

@@ -0,0 +1,226 @@
###################### Filebeat Configuration Example #########################
# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html
# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.
# ============================== Filebeat inputs ===============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
# filestream is an input for collecting log messages from files.
- type: filestream
# Change to true to enable this input configuration.
enabled: false
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
# Exclude lines. A list of regular expressions to match. It drops the lines that are
# matching any regular expression from the list.
#exclude_lines: ['^DBG']
# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list.
#include_lines: ['^ERR', '^WARN']
# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
#prospector.scanner.exclude_files: ['.gz$']
# Optional additional fields. These fields can be freely picked
# to add additional information to the crawled log files for filtering
#fields:
# level: debug
# review: 1
# ============================== Filebeat modules ==============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
# ======================= Elasticsearch template setting =======================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
# ================================== General ===================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
# =================================== Kibana ===================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "s-elk.gsb.lan:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
# =============================== Elastic Cloud ================================
# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["s-elk.gsb.lan:9200"]
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "changeme"
# ------------------------------ Logstash Output -------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
# ================================== Logging ===================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]
# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
# ============================== Instrumentation ===============================
# Instrumentation support for the filebeat.
#instrumentation:
# Set to true to enable instrumentation of filebeat.
#enabled: false
# Environment in which filebeat is running on (eg: staging, production, etc.)
#environment: ""
# APM Server hosts to report instrumentation results to.
#hosts:
# - http://localhost:8200
# API Key for the APM Server(s).
# If api_key is set then secret_token will be ignored.
#api_key:
# Secret token for the APM Server(s).
#secret_token:
# ================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

5
roles/filebeat-cli/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
- name: start filebeat
service:
name: filebeat
state: started
enabled: yes

23
roles/filebeat-cli/tasks/main.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Récupération de filebeat
get_url:
url: http://s-adm.gsb.adm/gsbstore/filebeat-7.16.3-amd64.deb
dest: /tmp/
- name: Installation de filebeat
apt:
deb: /tmp/filebeat-7.16.3-amd64.deb
- name: Changement du fichier de conf
copy:
src: filebeat.yml
dest: /etc/filebeat/filebeat.yml
- name: Configuration de filebeat
shell: filebeat modules enable system
notify: start filebeat
- name: Lancement de la configuration de filebeat
shell: filebeat setup -e
notify: start filebeat

3
roles/fog/defaults/main.yml Normal file
View File

@@ -0,0 +1,3 @@
depl_url: "http://s-adm.gsb.adm/gsbstore"
depl_fog: "fogproject-1.5.9.tar.gz"
instructions: "Pour lancer l'installateur Fog, faites : 'bash /root/tools/fog/bin/installfog.sh'. Suivez ensuite les instructions"

17
roles/fog/tasks/main.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: creation d'un repertoire fog
file:
path: /root/tools/fog
state: directory
- name: recuperation de l'archive d'installation fog sur git
git:
repo: https://gitea.lyc-lecastel.fr/gadmin/fog.git
dest: /root/tools/fog/
clone: yes
update: yes
#- name: Instructions
# tags: msg
# debug: msg='{{instructions}}'

6
roles/gestsup/README.md Normal file
View File

@@ -0,0 +1,6 @@
# Rôle Gestsup
Ce playbook installe Gestsup et ses dépendances, et remplace certains fichier pour certaines
configurations. Avant de lancer ce playbook, lancez "getall" sur la machine s-adm.

234
roles/gestsup/files/apache2.conf Normal file
View File

@@ -0,0 +1,234 @@
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#Mutex file:${APACHE_LOCK_DIR} default
#
# The directory where shm and other runtime files will be stored.
#
DefaultRuntimeDir ${APACHE_RUN_DIR}
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/html>
Options -Indexes -ExecCGI
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

1947
roles/gestsup/files/php.ini Normal file
View File

File diff suppressed because it is too large Load Diff

73
roles/gestsup/files/security.conf Normal file
View File

@@ -0,0 +1,73 @@
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
# AllowOverride None
# Require all denied
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#ServerSignature Off
ServerSignature On
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#TraceEnable On
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
# Require all denied
#</DirectoryMatch>
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

6
roles/gestsup/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: redemarrage apache2
service:
name: apache2
state: restarted
enabled: yes

122
roles/gestsup/tasks/main.yml Normal file
View File

@@ -0,0 +1,122 @@
- name: Installation des dépendances
apt:
name:
- apache2
- mariadb-server
- python3-pip
- php
- php-mysql
- php-xml
- php-curl
- php-imap
- php-zip
- php-mbstring
- php-gd
- php-intl
- php-ldap
- snapd
- unzip
state: present
- name: Install pymysql
become: true
pip:
name: pymysql
state: present
- name: Copie de php.ini
copy:
src: php.ini
dest: /etc/php/7.4/apache2
- name: Copie de apache2.conf
copy:
src: apache2.conf
dest: /etc/apache2
- name: Suppression de l'ancien security.conf
file:
path: /etc/apache2/conf-available/security.conf
state: absent
- name: Suppression de l'ancien lien symbolique
file:
path: /etc/apache2/conf-enabled/security.conf
state: absent
- name: Copie de security.conf pour apache2
copy:
src: security.conf
dest: /etc/apache2/conf-available
- name: Création d'un lien symbolique pour security.conf
ansible.builtin.shell: ln -s /etc/apache2/conf-available/security.conf /etc/apache2/conf-enabled/
- name: mariadb en mode enabled
service:
name: mysql
enabled: yes
- name: Création de l'utilisateur gestsup
mysql_user:
name: gestsup
password: gestsup
priv: '*.*:ALL,GRANT'
state: present
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Decompression du fichier gestsup.zip
ansible.builtin.unarchive:
src: http://s-adm.gsb.adm/gsbstore/gestsup_3.2.15.zip
dest: /var/www/html/
remote_src: yes
- name: Suppression de index.html
ansible.builtin.file:
path: /var/www/html/index.html
state: absent
- name: Création de l'utilisateur et attribution au groupe www-data
ansible.builtin.shell: adduser gestsup --ingroup www-data
- name: Attribution des repertoires a www-data et gestsup
ansible.builtin.file:
path: /var/www/html
owner: gestsup
group: www-data
recurse: yes
- name: Attribution de droit 750
ansible.builtin.shell: find /var/www/html/ -type d -exec chmod 750 {} \;
- name: Attribution de droit en 640
ansible.builtin.shell: find /var/www/html/ -type f -exec chmod 640 {} \;
- name: Droit 770 pour le repertoire upload
ansible.builtin.file:
path: /var/www/html/upload
mode: '0770'
recurse: yes
- name: Droit 770 pour le repertoire images/model
ansible.builtin.file:
path: /var/www/html/images/model
mode: '0770'
recurse: yes
- name: Droit 770 pour le repertoire backup
ansible.builtin.file:
path: /var/www/html/backup
mode: '0770'
recurse: yes
- name: Droit 770 pour le repertoire _SQL
ansible.builtin.file:
path: /var/www/html/_SQL
mode: '0770'
recurse: yes
- name: Droit 660 pour connect.php
ansible.builtin.file:
path: /var/www/html/connect.php
mode: '0660'

3
roles/goss/defaults/main.yml Normal file
View File

@@ -0,0 +1,3 @@
depl_url: "http://s-adm.gsb.adm/gsbstore"
depl_goss: "goss"

21
roles/goss/tasks/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- name: goss binary exists
stat: path=/usr/local/bin/goss
register: gossbin
- name: install goss sur machine standard
get_url:
url: "{{ depl_url }}/{{ depl_goss }}"
dest: /usr/local/bin/{{ depl_goss }}
mode: 0755
when: gossbin.stat.exists == False and ansible_hostname != "s-adm"
- name: install goss sur s-adm
copy:
src: "/var/www/html/gsbstore/{{ depl_goss }}"
dest: /usr/local/bin/{{ depl_goss }}
mode: 0755
remote_src: yes
when: gossbin.stat.exists == False and ansible_hostname == "s-adm"

117
roles/icinga/README.md Normal file
View File

@@ -0,0 +1,117 @@
# Instalation de NSClient++ sur la machine s-win
En premier lieu, installer Mozilla Firefox via Internet Explorer.
Une fois Mozilla intallé, installer NSClient++ avec ce lien: [NSClient++](https://nsclient.org/download/)
Puis choisir la version Windows
# Etapes de l'installation
Sur l'étape **Select monitoring tool**, sélectionner **Generic**.
Sur l'étape **Choose setup type**, sélectionner **Typical**.
Sur l'étape **NSClient++ Configuration:
```
Allowed hosts: 172.16.0.8
Password: root
```
Activer **check plugins, check_nt et check_nrpe**.
**Laisser NSCA client et web server désactivé**
Cocher la case **Insecure legacy mode**
Terminer l'installation.
# Modification des fichiers
Rendez vous dans le répertoire **C:\Programmes\NSClient++** puis ouvrez le fichier **nsclient** (celui avec un rouage).
Une fois ouvert, modifier tout le fichier avec ceci:
```
#If you want to fill this file with all available options run the following command:
#nscp settings --generate --add-defaults --load-all
#If you want to activate a module and bring in all its options use:
#nscp settings --activate-module <MODULE NAME> --add-defaults
#For details run: nscp settings --help
; in flight - TODO
[/settings/default]
; Undocumented key
password = root
; Undocumented key
allowed hosts = 172.16.0.8
; in flight - TODO
[/settings/NRPE/server]
; Undocumented key
verify mode = none
; Undocumented key
insecure = true
; in flight - TODO
[/modules]
; Undocumented key
CheckExternalScripts = enabled
; Undocumented key
CheckHelpers = enabled
; Undocumented key
CheckEventLog = enabled
; Undocumented key
CheckNSCP = enabled
; Undocumented key
CheckDisk = enabled
; Undocumented key
CheckSystem = enabled
; Undocumented key
NSClientServer = enabled
; Undocumented key
NRPEServer = enabled
```
Redémarrez le service NSClient++ via le **cmd**:
```
services.msc
```
Puis clique droit sur le service **NCLient++ Monitoring Agent** et appuyer sur **Redémarrer**
Retourner sur le serveur nagios puis écrire:
```
systemctl restart icinga
```
Les services de la machine **srv-2012** apparaissent en **OK**.

59
roles/icinga/files/cfg/contacts_icinga.cfg Normal file
View File

@@ -0,0 +1,59 @@
###############################################################################
# contacts.cfg
###############################################################################
###############################################################################
###############################################################################
#
# CONTACTS
#
###############################################################################
###############################################################################
# In this simple config file, a single contact will receive all alerts.
#define contact{
# contact_name root
# alias Root
# service_notification_period 24x7
# host_notification_period 24x7
# service_notification_options w,u,c,r
# host_notification_options d,r
# service_notification_commands notify-service-by-email
# host_notification_commands notify-host-by-email
# email root@localhost
# }
define contact{
contact_name admin
alias Administrateur
service_notification_period 24x7
host_notification_period 24x7
service_notification_options w,u,c,r
host_notification_options d,r
service_notification_commands notify-service-by-email
host_notification_commands notify-host-by-email
email icinga.ppe31@gmail.com
}
###############################################################################
###############################################################################
#
# CONTACT GROUPS
#
###############################################################################
###############################################################################
# We only have one contact in this simple configuration file, so there is
# no need to create more than one contact group.
define contactgroup{
contactgroup_name admins
alias Nagios Administrators
members admin
}

13
roles/icinga/files/cfg/extinfo_icinga.cfg Normal file
View File

@@ -0,0 +1,13 @@
##
## Extended Host and Service Information
##
define hostextinfo{
hostgroup_name debian-servers
notes Debian GNU/Linux servers
# notes_url http://webserver.localhost.localdomain/hostinfo.pl?host=netware1
icon_image base/debian.png
icon_image_alt Debian GNU/Linux
vrml_image debian.png
statusmap_image base/debian.gd2
}

19
roles/icinga/files/cfg/generic-host_icinga.cfg Normal file
View File

@@ -0,0 +1,19 @@
# Generic host definition template - This is NOT a real host, just a template!
define host{
name generic-host ; The name of this host template
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
check_command check-host-alive
max_check_attempts 10
notification_interval 0
notification_period 24x7
notification_options d,u,r
contact_groups admins
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
}

26
roles/icinga/files/cfg/generic-service_icinga.cfg Normal file
View File

@@ -0,0 +1,26 @@
# generic service template definition
define service{
name generic-service ; The 'name' of this service template
active_checks_enabled 1 ; Active service checks are enabled
passive_checks_enabled 1 ; Passive service checks are enabled/accepted
parallelize_check 1 ; Active service checks should be parallelized (disabling this can lead to major performance problems)
obsess_over_service 1 ; We should obsess over this service (if necessary)
check_freshness 0 ; Default is to NOT check service 'freshness'
notifications_enabled 1 ; Service notifications are enabled
event_handler_enabled 1 ; Service event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
notification_interval 0 ; Only send notifications on status change by default.
is_volatile 0
check_period 24x7
normal_check_interval 5
retry_check_interval 1
max_check_attempts 4
notification_period 24x7
notification_options w,u,c,r
contact_groups admins
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}

14
roles/icinga/files/cfg/gwsio2.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name gwsio2
alias Passerelle
address 192.168.0.1
icon_image cook/linux_server.gif
statusmap_image cook/linux_server.gd2
}

75
roles/icinga/files/cfg/hostgroups_icinga.cfg Normal file
View File

@@ -0,0 +1,75 @@
# Some generic hostgroup definitions
define hostgroup {
hostgroup_name all
alias All Servers
members *
}
define hostgroup {
hostgroup_name localhost
alias Debian GNU/Linux Servers
members localhost
}
define hostgroup {
hostgroup_name debian-servers
alias Serveurs distant
members s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess
}
define hostgroup { 
hostgroup_name ssh-servers
alias acces SSH
members s-adm, s-infra, s-proxy, r-int, r-ext, localhost, gwsio2, s-itil, s-mess, s-lb
}
define hostgroup { 
hostgroup_name dns-servers
alias serveurs-dns
members s-infra, srv-2012
}
define hostgroup { 
hostgroup_name dhcp-servers
alias serveurs-dhcp
members r-int, srv-2012
}
define hostgroup {
hostgroup_name http-servers
alias serveurs-web
members localhost, s-itil, s-adm
}
#define hostgroup {
# hostgroup_name email-servers
# alias serveurs-email
# members s-mess
# }
define hostgroup { 
hostgroup_name proxy-servers
alias serveurs-proxy
members s-proxy
}
define hostgroup{
hostgroup_name windows-servers
alias windows-servers
members srv-2012
}
define hostgroup{
hostgroup_name dns-win
alias dns-win
members srv-2012
}
define hostgroup{
hostgroup_name uptimegrp
alias uptimegrp
members s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess, s-lb
}

60
roles/icinga/files/cfg/localhost_icinga.cfg Normal file
View File

@@ -0,0 +1,60 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in icinga-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name localhost
alias localhost
address 127.0.0.1
parents gwsio2
}
# Define a service to check the disk space of the root partition
# on the local machine. Warning if < 20% free, critical if
# < 10% free space on partition.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Disk Space
check_command check_all_disks!20%!10%
}
# Define a service to check the number of currently logged in
# users on the local machine. Warning if > 20 users, critical
# if > 50 users.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Current Users
check_command check_users!20!50
}
# Define a service to check the number of currently running procs
# on the local machine. Warning if > 250 processes, critical if
# > 400 processes.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Total Processes
check_command check_procs!250!400
}
# Define a service to check the load on the local machine.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Current Load
check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
}

16
roles/icinga/files/cfg/netgear.cfg Normal file
View File

@@ -0,0 +1,16 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name netgear
alias switch
address 192.168.0.2
#parents gwsio4
icon_image cook/switch.gif
statusmap_image cook/switch.gd2
}

13
roles/icinga/files/cfg/r-ext.cfg Normal file
View File

@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name r-ext
alias Routeur externe
address 192.168.200.253
parents localhost
}

13
roles/icinga/files/cfg/r-int.cfg Normal file
View File

@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name r-int
alias Routeur interne
address 172.16.0.254
parents r-ext
}

14
roles/icinga/files/cfg/s-adm.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-adm
alias debian-servers
address 192.168.99.99
parents r-int
}

14
roles/icinga/files/cfg/s-infra.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-infra
alias debian-servers
address 172.16.0.1
parents r-int
}

14
roles/icinga/files/cfg/s-itil.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-itil
alias debian-servers
address 172.16.0.9
parents r-int
}

14
roles/icinga/files/cfg/s-lb.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template$
host_name s-lb
alias debian-servers
address 192.168.100.10
parents r-int
}

14
roles/icinga/files/cfg/s-mess.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template$
host_name s-mess
alias nextcloud
address 172.16.0.7
parents r-int
}

Some files were not shown because too many files have changed in this diff Show More