role lb-web

Merge branch 'main' of https://gitea.lyc-lecastel.fr/gadmin/gsb2023

README.md

@@ -1,22 +1,40 @@
 # gsb2023
 
-2023-01-06 
+2023-01-30 ps 
 
 Environnement et playbooks ansible pour le projet GSB 2023
 
 ## Quickstart
-prérequis : 
+Prérequis : 
   * une machine Debian Bullseye
   * VirtualBox
+  * fichier machines viruelles **ova** :
+    * **debian-bullseye-gsb-2023a.ova**
+    * **debian-buster-gsb-2023a.ova**
 
 
 
-## Les machines
-  * s-adm
-  * s-infra
-  * r-int
-  * r-ext
-  * s-proxy
+  * **s-adm** : routeur adm, DHCP + NAT, deploiement, proxy squid 
+  * **s-infra** : DNS maitre, autoconfiguration navigateurs avec **wpad**
+  * **r-int** : routage, DHCP 
+  * **r-ext** : routage, NAT
+  * **s-proxy** : squid
+  * **s-itil** : serveur GLPI
+  * **s-backup** : DNS esclave + sauvegarde s-win (SMB)
+  * **s-mon** : supervision avec **Nagios4**, notifications et syslog
+  * **s-fog** : deploiement postes de travail avec **FOG**
+  * **s-win** : Windows Server 2019, AD, DNS, DHCP, partage fichiers
+  * **s-nxc** : NextCloud avec **docker** 
+  * **s-elk** : pile ELK dockerisée
+  * **s-lb**  : Load Balancer **HaProxy** pour application Wordpress (DMZ)
+  * **r-vp1** : Routeur VPN Wireguard coté siège
+  * **r-vp2** : Routeur VPN Wireguard coté agence, DHCP
+  * **s-agence** : Serveur agence
+  * **s-lb**  : Load Balancer **HaProxy** pour application Wordpress 
+  * **s-lb-web1** : Serveur Wordpress 1 Load Balancer
+  * **s-lb-web2** : Serveur Wordpress 2 Load Balancer
+  * **s-lb-db** : Serveur Mariadb pour Wordpress
+  * **s-nas** : Serveur NFS pour application Wordpress avec LB
 
 
 ## Les playbooks
@@ -26,7 +44,7 @@ prérequis :
 
 On utilisera l'image de machine virtuelle suivante : 
   * **debian-bullseye-2023a.ova** (2023-01-06)
-    * Debian Bullseye 11 - 2 cartes - 1 Go - stockage 20 Go
+    * Debian Bullseye 11.6 - 2 cartes - 1 Go - stockage 20 Go
 
 
 ### Machine s-adm

goss/list-goss

@@ -0,0 +1,12 @@
+cd goss/
+goss -g r-vp1.yaml v
+goss  -g r-vp1.yaml aa wireguard
+goss add interface enp0s3
+goss add interface enp0s8
+goss add interface enp0s9
+goss add interface wg0
+goss aa wireguard
+goss add package wireguard-tools
+goss add service wg-quick@wg0
+goss add command "ping -c4  10.0.0.2"
+goss add file "/etc/wireguard/wg0.conf"

goss/r-ext.yaml

@@ -34,8 +34,6 @@ interface:
     - 192.168.100.254/24
   enp0s9:
     exists: true
-    addrs:
-    - 192.168.0.38/24
   enp0s16:
     exists: true
     addrs:

goss/r-vp1.yaml

@@ -1,67 +1,56 @@
+file:
+  /etc/wireguard/wg0.conf:
+    exists: true
+    mode: "0644"
+    owner: root
+    group: root
+    filetype: file
+    contains:
+    - AllowedIPs = 10.0.0.2/32, 172.16.128.0/24
 package:
-#  ferm:
-#    installed: true
-  strongswan:
+  wireguard:
     installed: true
-port:
-  udp:68:
-    listening: true
+    versions:
+    - 1.0.20210223-1
+  wireguard-tools:
+    installed: true
+    versions:
+    - 1.0.20210223-1
 service:
-#  dnsmasq:
-#    enabled: true
-#    running: true
-  strongswan:
-    enabled: true
-    running: true
-  ssh:
+  wg-quick@wg0:
     enabled: true
     running: true
 command:
-  sysctl net.ipv4.ip_forward:
+  host 192.168.99.99:
     exit-status: 0
     stdout:
-    - net.ipv4.ip_forward = 1
+    - 99.99.168.192.in-addr.arpa domain name pointer s-adm.gsb.adm.
     stderr: []
     timeout: 10000
-command:  
-  ping -c 4 192.168.0.52:
+  ping -c4  10.0.0.2:
     exit-status: 0
     stdout:
-    - 4 received = 1
+    - 0% packet loss
     stderr: []
     timeout: 10000
-command:
-  ping -c 4 192.168.1.1:
-    exit-status: 0
-    stdout:
-    - 4 received = 1
-    stderr: []
-    timeout: 10000
-command:
-  ping -c 4 192.168.200.254:
-    exit-status: 0
-    stdout:
-    - 4 received = 1
-    stderr: []
-    timeout: 10000
-command:
-  ping -c 4 172.16.0.1:
-    exit-status: 0
-    stdout:
-    - 4 received = 1
-    stderr: []
-    timeout: 10000
-#process:
-#  dnsmasq:
-#    running: true
-#  squid:
-#    running: true
 interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.112/24
+    mtu: 1500
   enp0s8:
     exists: true
     addrs:
-    - 192.168.0.51/24
+    - 192.168.1.2/24
+    mtu: 1500
   enp0s9:
     exists: true
     addrs:
-    - 192.168.1.2/24
+    - 192.168.0.51/24
+    mtu: 1500
+  wg0:
+    exists: true
+    addrs:
+    - 10.0.0.1/32
+    mtu: 1420

goss/r-vp2.yaml

@@ -0,0 +1,52 @@
+file:
+  /etc/wireguard/wg0.conf:
+    exists: true
+    mode: "0644"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  wireguard:
+    installed: true
+    versions:
+    - 1.0.20210223-1
+  wireguard-tools:
+    installed: true
+    versions:
+    - 1.0.20210223-1
+service:
+  isc-dhcp-server:
+    enabled: true
+    running: true
+  wg-quick@wg0:
+    enabled: true
+    running: true
+command:
+  ping -c4 10.0.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.102/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.128.254/24
+    mtu: 1500
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.52/24
+    mtu: 1500
+  wg0:
+    exists: true
+    addrs:
+    - 10.0.0.2/32
+    mtu: 1420

goss/r-vp2goss.yaml

@@ -1,67 +0,0 @@
-package:
-  ferm:
-    installed: true
-  ipsec:
-    installed: true
-port:
-  tcp:53: 
-    listening: true
-  udp:67:
-    listening: true
-  udp:68:
-    listening: true
-service:
-  dnsmasq:
-    enabled: true
-    running: true
-  ferm:
-    enabled: true
-    running: true
-  ssh:
-    enabled: true
-    running: true
-command:
-  sysctl net.ipv4.ip_forward:
-    exit-status: 0
-    stdout:
-    - net.ipv4.ip_forward = 1
-    stderr: []
-    timeout: 10000
-  sysctl ping -c 4 192.168.0.51:
-    exit-status: 0
-    stdout:
-    - 4 received = 1
-    stderr: []
-    timeout: 10000
-  sysctl ping -c 4 192.168.1.1:
-    exit-status: 0
-    stdout:
-    - 4 received = 1
-    stderr: []
-    timeout: 10000
-  sysctl ping -c 4 192.168.200.254:
-    exit-status: 0
-    stdout:
-    - 4 received = 1
-    stderr: []
-    timeout: 10000
-  sysctl ping -c 4 172.16.0.1:
-    exit-status: 0
-    stdout:
-    - 4 received = 1
-    stderr: []
-    timeout: 10000
-process:
-  dnsmasq:
-    running: true
-  squid3:
-    running: true
-interface:
-  enp0s8:
-    exists: true
-    addrs:
-    - 172.16.128.254/24
-  enp0s9:
-    exists: true
-    addrs:
-    - 192.168.0.52/24

goss/s-agence.yaml

@@ -1,39 +1,19 @@
 command:
-  ip r:
+  ip route |grep default:
     exit-status: 0
     stdout:
     - default via 172.16.128.254 dev enp0s8
-    - 172.16.128.0/24
-    - 192.168.99.0/24
     stderr: []
     timeout: 10000
-  ping -c 2 172.16.128.254:
+  ping -c4 172.16.0.1:
     exit-status: 0
     stdout:
     - 0% packet loss
     stderr: []
     timeout: 10000
-  ping -c 2 192.168.1.2:
+  ping -c4 172.16.128.254:
     exit-status: 0
     stdout:
-    - 0% packet loss
-    stderr: []
-    timeout: 10000
-  ping -c 2 192.168.1.1:
-    exit-status: 0
-    stdout:
-    - 0% packet loss
-    stderr: []
-    timeout: 10000
-  ping -c 2 192.168.200.254:
-    exit-status: 0
-    stdout:
-    - 0% packet loss
-    stderr: []
-    timeout: 10000
-  ping -c 2 172.16.0.1:
-    exit-status: 0
-    stdout:
-    - 0% packet loss
+    -  0% packet loss
     stderr: []
     timeout: 10000

goss/s-backup.yaml

@@ -0,0 +1,41 @@
+package:
+  bind9:
+    installed: true
+  cifs-utils:
+    installed: true
+  rsync:
+    installed: true
+  smbclient:
+    installed: true
+service:
+  bind9:
+    enabled: true
+    running: true
+  rsync:
+    enabled: true
+    running: false
+command:
+  ping -c4 ns.gsb.lan:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+#check si partage windows accesible
+  smbclient -L //s-win --user=uBackup%Azerty1+ | grep 'public':
+    exit-status: 0
+    stdout:
+    - public
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.4/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.4/24
+    mtu: 1500

goss/s-mon.yaml

@@ -49,7 +49,7 @@ interface:
   enp0s3:
     exists: true
     addrs:
-    - 192.168.99.104/24
+    - 192.168.99.8/24
   enp0s8:
     exists: true
     addrs:

graylog-pont.yml

@@ -1,8 +0,0 @@
----
-- hosts: localhost
-  connection: local
-
-  roles:
-    - goss
-    - docker-graylog-pont
-    - post

ping-agence.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-ping -c3 172.16.128.254
-
-ping -c3 192.168.1.2
-
-ping -c3 192.168.1.1
-
-ping -c3 192.168.200.253
-
-ping -c3 192.168.200.254
-
-ping -c3 172.16.0.254
-
-ping -c3 172.16.0.1

ping-rext.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-ping -c3 172.16.0.1
-
-ping -c3 172.16.0.254
-
-ping -c3 192.168.200.254
-
-ping -c3 192.168.1.1
-
-ping -c3 192.168.1.2
-
-ping -c3 172.16.128.254
-
-ping -c3 172.16.128.10

ping-rint.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-ping -c3 172.16.0.1
-
-ping -c3 192.168.200.253
-
-ping -c3 192.168.1.1
-
-ping -c3 192.168.1.2
-
-ping -c3 172.16.128.254
-
-ping -c3 172.16.128.10

ping-sinfra.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-ping -c3 172.16.0.254
-
-ping -c3 192.168.200.254
-
-ping -c3 192.168.200.253
-
-ping -c3 192.168.1.1
-
-ping -c3 192.168.1.2
-
-ping -c3 172.16.125.254
-
-ping -c3 172.16.128.10

pre/inst-depl

@@ -1,5 +1,5 @@
 #!/bin/bash
-## ps : 2021-04-01 15:25
+## aa : 2023-04-18 15:25
 
 set -o errexit
 set -o pipefail
@@ -9,33 +9,42 @@ apt update && apt upgrade
 apt install -y apache2 git 
 STOREREP="/var/www/html/gsbstore" 
 
-GLPIREL=9.5.6
+GLPIREL=10.0.6
 str="wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz"
 
-FIREL=9.5 
-str2="https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5%2B3.0/fusioninventory-9.5+3.0.tar.bz2"
 
-FIAGREL=2.6
-str31="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x64_${FIAGREL}.exe"
+#Fusion Inventory
+
+#FIREL=10.0.3+1.0
+#str2="https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi${FIREL}/fusioninventory-${FIREL}.tar.bz2"
+
+
+#GLPI Agent
+
+GLPIAGVER=1.4
+str31="wget -nc https://github.com/glpi-project/glpi-agent/releases/download/${GLPIAGVER}/GLPI-Agent-${GLPIAGVER}-x64.msi"
+
+str32="wget -nc https://github.com/glpi-project/glpi-agent/releases/download/${GLPIAGVER}/GLPI-Agent-${GLPIAGVER}-x86.msi"
 
-str32="wget -nc https://github.com/fusioninventory/fusioninventory-agent/releases/download/${FIAGREL}/fusioninventory-agent_windows-x86_${FIAGREL}.exe"
 
 FOGREL=1.5.9
 str4="wget -nc https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz"
 
-WPREL=5.8.2
-str5="wget -nc https://fr.wordpress.org/wordpress-${WPREL}-fr_FR.tar.gz"
+WPREL=6.1.1
+#v6.1.1 le 17/01/2023
+str5="wget -nc https://fr.wordpress.org/latest-fr_FR.tar.gz -O wordpress-6.1.1-fr_FR.tar.gz"
 
-GOSSVER=v0.3.16
+GOSSVER=v0.3.21
 str6="curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/goss-linux-amd64 -o goss"
 
-DOCKERREL=1.29.2
-str7="curl -L https://github.com/docker/compose/releases/download/${DOCKERREL}/docker-compose-$(uname -s)-$(uname -m) -o docker-compose"
+#DOCKERREL=1.29.2
+#str7="curl -L https://github.com/docker/compose/releases/download/${DOCKERREL}/docker-compose-$(uname -s)-$(uname -m) -o docker-compose"
 
-GESTSUPREL=3.2.15
-str8="wget -nc https://gestsup.fr/downloads/versions/current/version/gestsup_${GESTSUPREL}.zip"
+#GESTSUPREL=3.2.30
+#str8="wget -nc 'https://gestsup.fr/index.php?page=download&channel=stable&version=${GESTSUPREL}&type=gestsup' -O gestsup_${GESTSUPREL}.zip"
+str8="wget -nc 'https://gestsup.fr/index.php?page=download&channel=stable&version=3.2.30&type=gestsup' -O gestsup_3.2.30.zip"
 
-ELKREL=7.16.3
+ELKREL=8.6.0
 str81="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-amd64.deb"
 
 str82="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-windows-x86_64.zip"
@@ -70,12 +79,12 @@ curl -L https://get.docker.com -o getdocker.sh
 
 chmod +x ./getdocker.sh
 
-${str7}
+#${str7}
 
-chmod +x ./docker-compose
+#chmod +x ./docker-compose
 
 
-wget -nc https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
+wget -nc https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64 -O mkcert
 
 chmod +x ./mkcert
 
@@ -90,4 +99,3 @@ EOT
 )
 
 cat "${STOREREP}/getall"
-

pre/pull-config

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+dir=/root/tools/ansible
+prj=gsb2023
+opt=""
+
 if [ -z ${UREP+x} ]; then 
 	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git 
 fi
@@ -11,6 +15,14 @@ dir=/root/tools/ansible
 cd  "${dir}" || exit 1
 
 hostname  > hosts
-ansible-pull -i "${dir}/hosts"  -C main -U "${UREP}"
+if [[ $# == 1 ]] ; then
+	opt=$1
+fi
+if [[ "${opt}" == '-l'  ]] ; then
+   cd "${dir}/${prj}" || exit 2	
+   ansible-playbook -i localhost, -c local  "$(hostname).yml"
+else
+   ansible-pull -i "${dir}/hosts"  -C main -U "${UREP}"
+fi
 
 exit 0

proxy

@@ -1 +0,0 @@
-/etc/nginx/sites-availables/proxy

pull-config

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-if [ -z ${UREP+x} ]; then
+if [ -z ${UREP+x} ]; then 
 	UREP=https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git 
 fi
 
@@ -11,6 +11,6 @@ dir=/root/tools/ansible
 cd  "${dir}" || exit 1
 
 hostname  > hosts
-ansible-pull -i "${dir}/hosts"  -U "${UREP}"
+ansible-pull -i "${dir}/hosts"  -C main -U "${UREP}"
 
 exit 0

r-vp1.yml

@@ -15,6 +15,7 @@
 #   - firewall-vpn-r
    - wireguard-r
 #   - x509-r
+   - fw-ferm
    - ssh-cli
    - syslog-cli
    - post

r-vp2.yml

@@ -18,6 +18,7 @@
 #   - firewall-vpn-l
    - wireguard-l
 #   - x509-l
+   - fw-ferm
    - ssh-cli
    - syslog-cli
    - post

roles/base/templates/hosts.j2

@@ -10,18 +10,23 @@
 192.168.99.3	s-appli.gsb.adm
 192.168.99.4	s-backup.gsb.adm
 192.168.99.5	s-puppet.gsb.adm
-192.168.99.6 	s-win.gsb.adm 
+192.168.99.6	s-win.gsb.adm 
 192.168.99.7	s-nxc.gsb.adm
 192.168.99.8	s-mon.gsb.adm
 192.168.99.9	s-itil.gsb.adm
-192.168.99.10	s-sspec.gsb.adm
-192.168.99.11	s-web-ext.gsb.adm
+192.168.99.10	s-lb.gsb.adm
+192.168.99.11	s-elk.gsb.adm
 192.168.99.10	s-dns.gsb.adm
 192.168.99.12	r-int.gsb.adm
 192.168.99.13	r-ext.gsb.adm
 192.168.99.14	s-nas.gsb.adm
 192.168.99.15	s-san.gsb.adm
 192.168.99.16	s-fog.gsb.adm
+192.168.99.50	s-lb-bd.gsb.adm
+192.168.99.101	s-lb-web1.gsb.adm
+192.168.99.102	s-lb-web2.gsb.adm
+192.168.99.103	s-lb-web3.gsb.adm
+192.168.99.112  r-vp1.gsb.adm
 
 192.168.99.8	syslog.gsb.adm
 

roles/base/templates/hosts.s-proxy.j2

@@ -11,16 +11,21 @@
 192.168.99.3	s-appli.gsb.adm
 192.168.99.4	s-backup.gsb.adm
 192.168.99.5	s-puppet.gsb.adm
-192.168.99.6 	s-win.gsb.adm 
+192.168.99.6	s-win.gsb.adm 
 192.168.99.7	s-nxc.gsb.adm
 192.168.99.8	s-mon.gsb.adm
 192.168.99.9	s-itil.gsb.adm
-192.168.99.10	s-sspec.gsb.adm
-192.168.99.11	s-web-ext.gsb.adm
+192.168.99.10	s-lb.gsb.adm
+192.168.99.11	s-elk.gsb.adm
 192.168.99.10	s-dns.gsb.adm
 192.168.99.12	r-int.gsb.adm
 192.168.99.13	r-ext.gsb.adm
 192.168.99.14	s-nas.gsb.adm
+192.168.99.50	s-lb-bd.gsb.adm
+192.168.99.101	s-lb-web1.gsb.adm
+192.168.99.102	s-lb-web2.gsb.adm
+192.168.99.103	s-lb-web3.gsb.adm
+192.168.99.112  r-vp1.gsb.adm
 
 192.168.99.8	syslog.gsb.adm
 

roles/dns-master/files/db.gsb.lan

@@ -5,7 +5,7 @@
 ;
 $TTL    604800
 @       IN      SOA     s-infra.gsb.lan. root.s-infra.gsb.lan. (
-                        2022041200      ; Serial
+                        2023012500      ; Serial
                         7200	        ; Refresh
                         86400           ; Retry
                         8419200         ; Expire
@@ -25,7 +25,7 @@ s-nxc		IN	A	172.16.0.7
 s-docker	IN	A	172.16.0.7
 s-mon    	IN      A       172.16.0.8
 s-itil		IN	A	172.16.0.9
-s-elk		IN	A	172.16.0.10
+s-elk		IN	A	172.16.0.11
 s-gestsup	IN	A	172.16.0.17
 r-int    	IN      A       172.16.0.254
 r-int-lnk    	IN      A       192.168.200.254

roles/dns-master/files/db.gsb.lan.rev

@@ -5,7 +5,7 @@
 ;
 $TTL    604800
 @       IN      SOA     s-infra.gsb.lan. root.s-infra.gsb.lan. (
-                        2022041200      ; Serial
+                        2023012500      ; Serial
                         7200            ; Refresh
                         86400           ; Retry
                         8419200         ; Expire
@@ -20,12 +20,12 @@ $TTL    604800
 6.0       IN      PTR     s-win.gsb.lan.
 7.0       IN      PTR     s-nxc.gsb.lan.
 8.0       IN      PTR     s-mon.gsb.lan.
-9.0	  IN	  PTR 	  s-itil.gsb.lan.
+9.0	  IN	  PTR	  s-itil.gsb.lan.
 101.1     IN      PTR     s-web1
 101.2     IN      PTR     s-web2
 100.10   IN      PTR      s-lb
 100.10   IN      PTR      s-lb.gsb.lan
-10.0	  IN	  PTR	  s-elk.gsb.lan.
+11.0	  IN	  PTR	  s-elk.gsb.lan.
 17.0	  IN	  PTR	  s-gestsup.lan
 254.0     IN      PTR     r-int.gsb.lan.
 

roles/docker/tasks/main.yml

@@ -1,16 +1,16 @@
 ---
-- name: Téléchargement getdocker.sh
-  ansible.builtin.get_url:
-    url: http://s-adm.gsb.adm/gsbstore/getdocker.sh
-    dest: /tmp
-    mode: '0755'
+- name: Supprime le fichier getdocker.sh si déjà présent
+  file:
+    state: absent
+    path: /tmp/getdocker.sh
+
+- name: Télécharge le script d'installation de docker
+  uri:
+    url: 'https://get.docker.com'
+    method: GET
+    dest: /tmp/getdocker.sh
+    mode: a+x
+  register: result
 
 - name: Execution du script getdocker
-  ansible.builtin.script: 
-    cmd: /tmp/getdocker.sh
-
-- name: Téléchargement docker-compose
-  ansible.builtin.get_url:
-    url: http://s-adm.gsb.adm/gsbstore/docker-compose
-    dest: /usr/local/bin               
-    mode: '0755'
+  shell: bash /tmp/getdocker.sh

roles/fw-ferm/README.md

@@ -0,0 +1,23 @@
+[Ferm]:http://ferm.foo-projects.org/ 
+
+Modifier l'execution d'iptables [plus d'info ici]:https://wiki.debian.org/iptables
+```shell
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+```
+
+Pour tester utiliser [Nmap]:https://nmap.org/man/fr/man-briefoptions.html
+### r-vp1
+```shell
+sudo nmap -p51820  192.168.0.51
+```
+### r-vp2
+```shell
+sudo nmap -p51820  192.168.0.52
+```
+### Sortie :
+```
+`PORT      STATE    SERVICE
+51820/tcp filtered unknown`
+```
+
+Faire des ping!

roles/fw-ferm/files/ferm.conf.r-vp1

@@ -0,0 +1,63 @@
+# -*- shell-script -*-
+#
+# Ferm script r-vp1
+
+@def $DEV_PRIVATE = enp0s8;
+@def $DEV_WORLD = enp0s9;
+
+@def $NET_PRIVATE = 172.16.0.0/24;
+
+table filter {
+    chain (INPUT OUTPUT){
+        # allow VPN
+	proto udp dport 51820 ACCEPT;
+}
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;  
+       
+
+        # allow SSH connections from the private network and from some
+        # well-known internet hosts
+        saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
+
+        # we provide DNS and SMTP services for the internal net
+        interface $DEV_PRIVATE saddr $NET_PRIVATE {
+            proto (udp tcp) dport domain ACCEPT;
+            proto udp dport bootps ACCEPT;            
+        }
+
+        # interface réseau 
+        interface $DEV_WORLD {
+            
+        }
+
+        # the rest is dropped by the above policy
+    }#FIN INPUT
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    chain FORWARD {
+        policy ACCEPT;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # connections from the internal net to the internet or to other
+        # internal nets are allowed
+        interface $DEV_PRIVATE ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+}

roles/fw-ferm/files/ferm.conf.r-vp2

@@ -0,0 +1,62 @@
+# -*- shell-script -*-
+#
+# Ferm script r-vp2
+
+@def $DEV_PRIVATE = enp0s9;
+@def $DEV_WORLD = enp0s8;
+
+@def $NET_PRIVATE = 172.16.0.0/24;
+
+table filter {
+    chain (INPUT OUTPUT){
+        # allow VPN
+	proto udp dport 51820 ACCEPT;
+}
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+
+        # allow SSH connections from the private network and from some
+        # well-known internet hosts
+        saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
+
+        # we provide DNS and SMTP services for the internal net
+        interface $DEV_PRIVATE saddr $NET_PRIVATE {
+            proto (udp tcp) dport domain ACCEPT;
+            proto udp dport bootps ACCEPT;
+        }
+
+        # interface réseau
+        interface $DEV_WORLD {
+
+        }
+
+        # the rest is dropped by the above policy
+    }#FIN INPUT
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    chain FORWARD {
+        policy ACCEPT;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # connections from the internal net to the internet or to other
+        # internal nets are allowed
+        interface $DEV_PRIVATE ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+}

roles/fw-ferm/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: installation de ferm
+  apt:
+    name: ferm
+    state: present
+
+- name: copie du ferm.conf
+  copy:
+    src: ferm.conf.{{ ansible_hostname }}
+    dest: /etc/ferm/ferm.conf
+
+- name: redemarage service ferm
+  ansible.builtin.service:
+    name: ferm.service
+    state: restarted

roles/glpi/README.md

@@ -14,22 +14,6 @@ mot de passe : glpi
 Selectionner la base glpi  
 Ne pas envoyer de statistique d'usage  
 
-## Fusion Inventory :
-  
-Installer le plugin dans Configuration > Plugins  
-Activer le plugin  
-Pour que la remonter de l'agent se fasse, il faut ajouter une crontab (crontab -e) sur s-itil : * * * * * /usr/bin/php7.4 /var/www/glpi/front/cron.php &>/dev/null  
-Puis éxécuter le tasksheduler dans Configuration > Actions automatiques > taskscheduler  
-  
-Pour l'agent Windows, récuperer l'agent sur http://s-itil/ficlients  
-Il faut faire une installation à parti de 0  
-Selectionner comme type d'installation complète  
-Dans le mode serveur mettre l'url : http://s-itil/plugins/fusioninventory et cocher la case installation rapide  
-  
-Pour l'agent Debian il faut installer le paquet fusioninventory-agent  
-Ajouter la ligne server = http://s-itil/plugins/fusioninventory dans le fichier /etc/fusioninventory/agent.cfg  
-Redemarrer le service fusioninventory-agent puis faite un reload  
-Exécuter la commande pkill -USR1 -f -P 1 fusioninventory-agent  
   
 ## Postfix :
   

roles/glpi/defaults/main.yml

@@ -0,0 +1,6 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore"
+#depl_glpi: "glpi-9.5.6.tgz"
+depl_glpi: "glpi-10.0.6.tgz"
+#depl_fusioninventory: "fusioninventory-9.5+3.0.tar.bz2"
+depl_glpi_agentx64: "GLPI-Agent-1.4-x64.msi"
+depl_glpi_agentx86: "GLPI-Agent-1.4-x86.msi"

roles/glpi/tasks/main.yml

@@ -105,12 +105,12 @@
 #  - name: copy .my.cnf file with root password credentials
 #    copy: src=.my.cnf dest=/root/tools/ansible/.my.cnf owner=root mode=0600
 
-  - name: Installation de Fusioninventory pour Linux
-    unarchive:
-      src: "{{ depl_url }}/{{ depl_fusioninventory }}"
-      #src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2
-      dest: /var/www/html/glpi/plugins
-      remote_src: yes
+#  - name: Installation de Fusioninventory pour Linux
+#    unarchive:
+#      src: "{{ depl_url }}/{{ depl_fusioninventory }}"
+#src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2
+#      dest: /var/www/html/glpi/plugins
+#      remote_src: yes
 
   - name: Creation de ficlient
     file:
@@ -127,23 +127,15 @@
       group: www-data
       mode: 0775
 
-  - name: Installation de FusionInventory windows x64
+  - name: Installation de GLPI Agent windows x64
     get_url:
-      url: "{{ depl_url }}/{{ depl_fusioninventory_agentx64 }}"
+      url: "{{ depl_url }}/{{ depl_glpi_agentx64 }}"
       dest: "/var/www/html/ficlients"
 
-  - name: Installation de FusionInventory windows x86
-    get_url:
-      url: "{{ depl_url }}/{{ depl_fusioninventory_agentx86 }}"
-      dest: "/var/www/html/ficlients"
-
-  - name: Attribution des permissions sur repertoire /plugins/fusioninventory
-    file:
-      path: /var/www/html/glpi/plugins/fusioninventory
-      owner: www-data
-      group: www-data
-      recurse: yes
-      state: directory
+#  - name: Installation de GLPI Agent windows x86
+#    get_url:
+#      url: "{{ depl_url }}/{{ depl_glpi_agentx86 }}"
+#      dest: "/var/www/html/ficlients"
 
   - name: Copie du script dbdump
     copy: 

roles/itil/defaults/main.yml

@@ -1,5 +0,0 @@
-depl_url: "http://s-adm.gsb.adm/gsbstore"
-depl_glpi: "glpi-9.5.6.tgz"
-depl_fusioninventory: "fusioninventory-9.5+3.0.tar.bz2"
-depl_fusioninventory_agentx64: "fusioninventory-agent_windows-x64_2.6.exe"
-depl_fusioninventory_agentx86: "fusioninventory-agent_windows-x86_2.6.exe"

roles/lb-front/files/haproxy.cfg

@@ -44,7 +44,6 @@ backend fermeweb
 	#option httpchk HEAD / HTTP/1.0
 	server s-lb-web1 192.168.101.1:80 check
 	server s-lb-web2 192.168.101.2:80 check
-	#server s-lb-web3 192.168.101.3:80 check
 
 
 listen stats

roles/lb-front/tasks/main.yml

@@ -0,0 +1,25 @@
+- name: install haproxy
+  apt:
+    name: haproxy
+    state: present
+
+- name: parametre backend et fontend
+  blockinfile:
+    path: /etc/haproxy/haproxy.cfg
+    block: |
+      frontend proxypublic
+        bind 192.168.100.10:80
+        default_backend fermeweb
+      
+      backend fermeweb
+        balance roundrobin
+        option httpclose
+        #option httpchk HEAD / HTTP/1.0
+        server s-lb-web1 192.168.101.1:80 check
+        server s-lb-web2 192.168.101.2:80 check
+
+- name: redemarre haproxy
+  service:
+    name: haproxy
+#    state: restarted
+    enabled: yes

roles/lb-nfs-server/README.md

@@ -0,0 +1,10 @@
+# Role s-nas-server
+## Installation de nfs-server et mise en oeuvre du partage /home/wordpress
+  
+Ce rôle :
+  * installe **nfs-server**
+  * copie le fichier de configuration **exports**  pour exporter le répertoire **/home/wordpress** 
+  * relance le service **nfs-server**
+  * décompresse wordpress
+### Objectif
+Le répertoire **/home/wordpress** est exporté par **nfs** sur le réseau **n-dmz-db**

roles/lb-nfs-server/files/exports

@@ -7,4 +7,4 @@
 # Example for NFSv4:
 # /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
 # /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
-/home/wordpress 192.168.102.0/255.255.255.0 (rw,no_root_squash,subtree_check)
+/home/wordpress 192.168.102.0/255.255.255.0(rw,no_root_squash,subtree_check)

roles/lb-nfs-server/tasks/main.yml

@@ -0,0 +1,70 @@
+- name: 00 - cree repertoire wordpress pour export nfs
+  file:
+    path: /home/wordpress
+    state: directory
+
+- name: 05 - Install nfs-server
+  apt:
+    name: nfs-server
+    state: present
+
+- name: 10 - creation fichier exports nfs
+  ansible.builtin.blockinfile:
+    path: /etc/exports
+    block: |
+      /home/wordpress 192.168.102.0/255.255.255.0(rw,no_root_squash,subtree_check)
+
+- name: 20 - decompresse wordpress
+  unarchive:
+    src: https://fr.wordpress.org/latest-fr_FR.tar.gz
+    dest: /home/
+    remote_src: yes
+
+- name: 22 - change owner et group pour repertoire wordpress
+  file:
+    path: /home/wordpress
+    state: directory
+    recurse: yes
+    owner: www-data
+    group: www-data
+
+- name: 30 - genere fichier de config wordpress
+  copy:
+    src: /home/wordpress/wp-config-sample.php
+    dest: /home/wordpress/wp-config.php
+    remote_src: yes
+
+- name: 35 - ajuste variable dbname dans fichier de config wp-config.php
+  replace:
+    path: /home/wordpress/wp-config.php
+    regexp: "votre_nom_de_bdd"
+    replace: "wordpressdb"
+    backup: yes
+
+
+- name: 40 ajuste variable dbusername dans fichier de config wp-config.php
+  replace:
+    path: /home/wordpress/wp-config.php
+    regexp: "votre_utilisateur_de_bdd"
+    replace: "wordpressuser"
+    backup: yes
+
+- name: 45 - ajuste variable mdp dans fichier de config wp-config.php
+  replace:
+    path: /home/wordpress/wp-config.php
+    regexp: "votre_mdp_de_bdd"
+    replace: "wordpresspasswd"
+    backup: yes
+
+- name: 50 - ajuste hostname fichier wp-config.php
+  replace:
+    path: /home/wordpress/wp-config.php
+    regexp: "localhost"
+    replace: "192.168.102.253"
+    backup: yes
+
+- name: 55 - relance nfs
+  service:
+    name: nfs-server
+    state: restarted
+    enabled: yes

roles/lb-web/defaults/main.yml

@@ -0,0 +1,2 @@
+depl_url: "http://s-adm.gsb.adm/gsbstore/"
+depl_wordpress: "wordpress-6.1.1-fr_FR.tar.gz"

roles/lb-web/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: installation des paquets web
+  apt:
+  - apache2
+  - php
+  - php-mbstring
+  - php-mysql
+  - mariadb-client
+  state: present
+
+- name: install nfs-common
+  apt:
+    name: nfs-common
+    state: present
+
+- name: montage nfs pour word press
+  blockinfile:
+    path: /etc/fstab
+    block: |
+      192.168.102.253:/exports/wordpress /var/www/html nfs soft,timeo=5,intr,rsize=8192,wsize=8192,wsize=8192 0 0
+
+- name: monte export wordpress
+  ansible.posix.mount:
+    path: /var/www/html
+    state: mounted
+    fstype: nfs
+    src: 192.168.102.253:/exports/wordpress

roles/local-store/files/getall-latest

@@ -1,5 +1,6 @@
 #!/bin/bash
-GLPIREL=9.5.3
+#GLPIREL=9.5.3
+GLPIREL=10.0.5
 wget -nc https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz
  
 FIREL=9.5+1.0

roles/nagios/defaults/main.yml

@@ -0,0 +1 @@
+MAIL_DEST: "anthony.arnoux@protonmail.ch"

roles/nagios/templates/contacts.cfg.j2

@@ -35,7 +35,7 @@ define contact {
     host_notification_options		d,r
     service_notification_commands	notify-service-by-email
     host_notification_commands		notify-host-by-email
-    email                   	 	nagios.gsb22@gmail.com	 	
+    email                   	 	{{ MAIL_DEST }}
 }
 
 

roles/nxc-traefik/README.md

@@ -2,34 +2,36 @@
 
 Nextcloud et Traefik fonctionnent grâce à docker. Pour pouvoir faire fonctionner ce playbook, docker doit être installé.
 
-## Premièrement 
+## 1.
 
-Le playbook va créer le dossier nxc à la racine de root. Deux fichier docker-compose "nextcloud.yml" et "traefik.yml" y seront copiés depuis le répertoire "files" du playbook.
-Enfin, dans le répertoire nxc, seront créé les dossier certs et config.
+Le playbook crée le dossier **nxc** à la racine de root.
 
-### Deuxièmement
+Les fichiers "nextcloud.yml" et "traefik.yml" y seront copiés depuis le répertoire "files" du playbook.
 
-Le playbook va copier les fichiers placés dans "files" et les placer dans les bons répertoires.
+Enfin, dans le répertoire nxc, sont créés les répertoires **certs** et **config**.
 
-#### Troisièmement
+## 2. Copie des fichiers 
 
-Le playbook va créer un certificat x509 grâce à mkcert, il s'agit d'une solution permettant de créer 
-des certificats auto-signés. Pour cela il télécharge mkcert sur s-adm (utiliser le getall).
+ Le playbook copie les fichiers placés dans "files" et les placer dans les bons répertoires.
 
-mkcert sera placé dans : /usr/local/bin/ 
+## 3. Génération du certificat
 
-Pour créer le certificat le playbook va executer des lignes de commandes (lancé depuis nxc/) :
+Le playbook crée un certificat **x509** grâce à **mkcert**, il s'agit d'une solution permettant de créer des certificats auto-signés. Pour cela, il télécharge **mkcert** sur **s-adm** (utiliser le script **getall**).
+
+**mkcert** est placé dans : /usr/local/bin/ 
+
+Pour créer le certificat, le playbook exécute les commandes (lancé depuis nxc/) :
 ```
 /usr/local/bin/mkcert -install # Installe mkcert
 /usr/local/bin/mkcert -key-file key.pem -cert-file cert.pem "hôte.domaine.local" "*.domaine.local" #Crée le certificat le DNS spécifié
 ```
-##### Quatrièmement
+## 4. Lancement
 
-Le playbook va lancer les fichier "docker-compose" à savoir : nextcloud.yml et traefik.yml. 
-Cela va installer les solutions automatiquement. Nextcloud est alors fonctionnel avec
-un proxy inverse qui va rediriger en HTTPS.
+Le playbook lance les fichiers "docker-compose" à savoir : nextcloud.yml et traefik.yml qui démarrent les deux piles **docker**.
+
+Nextcloud est alors fonctionnel avec le proxy inverse **traefik** assurant la redirection vers HTTPS.
 
 
-ATTENTION : Après avoir relancé la VM, executez le script "nxc-start.sh" afin d'installer les piles applicatives. 
-Une fois le script fini, accedez au site :
-https://s-nxc.gsb.lan
+ATTENTION : Après avoir relancé la VM, executez le script "nxc-start.sh" afin d'installer les piles applicatives.
+ 
+Une fois le script terminé, le site est disponible ici : https://s-nxc.gsb.lan

roles/post/files/interfaces.r-int

@@ -8,37 +8,30 @@ iface lo inet loopback
 # Reseau N-adm
 allow-hotplug enp0s3
 iface enp0s3 inet static
-	address 192.168.99.12
-	netmask 255.255.255.0
+	address 192.168.99.12/24
 	
 
 # Reseau liaison avec r-ext
 allow-hotplug enp0s8
 iface enp0s8 inet static
-	address 192.168.200.254
-	netmask 255.255.255.0
+	address 192.168.200.254/24
 	gateway 192.168.200.253
-	up ip route add default via 192.168.200.253
 	
 
 # Reseau wifi
 allow-hotplug enp0s9
 iface enp0s9 inet static
-	address 172.16.65.254
-	netmask 255.255.255.0
+	address 172.16.65.254/24
 	
 
 # Reseau user
 allow-hotplug enp0s10
 iface enp0s10 inet static
-	address 172.16.64.254
-	netmask 255.255.255.0
+	address 172.16.64.254/24
 	
 
 # Reseau infra
 allow-hotplug enp0s16
 iface enp0s16 inet static
-	address 172.16.0.254
-	netmask 255.255.255.0
-        up /root/routagenat
+	address 172.16.0.254/24
 	

roles/post/files/interfaces.s-elk

@@ -8,13 +8,13 @@ iface lo inet loopback
 # cote N-adm
 allow-hotplug enp0s3
 iface enp0s3 inet static
-	address 192.168.99.10
+	address 192.168.99.11
 	netmask 255.255.255.0
 	gateway 192.168.99.99
 
 # cote N-infra
 allow-hotplug enp0s8
 iface enp0s8 inet static
-	address 172.16.0.10
+	address 172.16.0.11
 	netmask 255.255.255.0
 	post-up route add -net 172.16.64.0/24 gw 172.16.0.254

roles/post/files/interfaces.s-mon

@@ -1,7 +1,7 @@
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 
-source /etc/network/interfaces.d/*
+#source /etc/network/interfaces.d/*
 
 # The loopback network interface
 auto lo
@@ -10,7 +10,7 @@ iface lo inet loopback
 # cote n-adm
 allow-hotplug enp0s3
 iface enp0s3 inet static
-	address 192.168.99.104/24
+	address 192.168.99.8/24
 	gateway 192.168.99.99	 
 
 # Cote n-infra
@@ -20,4 +20,4 @@ iface enp0s8 inet static
 	up ip route add 172.16.64.0/24 via 172.16.0.254
 	up ip route add 172.16.128.0/24 via 172.16.0.254
 	up ip route add 192.168.0.0/16 via 172.16.0.254
-	up ip route add 192.168.200.0/24 via 172.16.0.254
+	up ip route add 192.168.200.0/24 via 172.16.0.254

roles/post/files/interfaces.s-nas

@@ -1,4 +1,4 @@
-source /etc/network/interfaces.d/*
+#source /etc/network/interfaces.d/*
 
 # The loopback network interface
 auto lo
@@ -14,4 +14,4 @@ iface enp0s3 inet static
 allow-hotplug enp0s8
 iface enp0s8 inet static
         address 192.168.102.253
-	netmask 255.255.255.0
+	netmask 255.255.255.0