Compare commits
28 Commits
v0.0.3f-jl
...
v0.0.3x-aa
Author | SHA1 | Date | |
---|---|---|---|
0dbbaf0751 | |||
64f1b74ba7 | |||
5ddbedac97 | |||
05ddace1af | |||
9019c0dbe7 | |||
9fd18796a6 | |||
6e33ccce33 | |||
f38fca4561 | |||
01c2b76936 | |||
a6a35324ba | |||
70950f9e4e | |||
a7f366a124 | |||
143c3878a3 | |||
76b4ceabe3 | |||
0988c9729e | |||
9bcfcc6305 | |||
4cb8aa49b9 | |||
340333d5d1 | |||
82f6fdc9c9 | |||
17618a8c8e | |||
3dac065600 | |||
acb722461c | |||
6200de2cda | |||
0074367972 | |||
3aa4a58252 | |||
8fd183998e | |||
ab2cc8da96 | |||
44c8fc32a5 |
12
goss/list-goss
Normal file
12
goss/list-goss
Normal file
@ -0,0 +1,12 @@
|
||||
cd goss/
|
||||
goss -g r-vp1.yaml v
|
||||
goss -g r-vp1.yaml aa wireguard
|
||||
goss add interface enp0s3
|
||||
goss add interface enp0s8
|
||||
goss add interface enp0s9
|
||||
goss add interface wg0
|
||||
goss aa wireguard
|
||||
goss add package wireguard-tools
|
||||
goss add service wg-quick@wg0
|
||||
goss add command "ping -c4 10.0.0.2"
|
||||
goss add file "/etc/wireguard/wg0.conf"
|
@ -15,6 +15,7 @@
|
||||
# - firewall-vpn-r
|
||||
- wireguard-r
|
||||
# - x509-r
|
||||
- fw-ferm
|
||||
- ssh-cli
|
||||
- syslog-cli
|
||||
- post
|
||||
|
@ -18,6 +18,7 @@
|
||||
# - firewall-vpn-l
|
||||
- wireguard-l
|
||||
# - x509-l
|
||||
- fw-ferm
|
||||
- ssh-cli
|
||||
- syslog-cli
|
||||
- post
|
||||
|
23
roles/fw-ferm/README.md
Normal file
23
roles/fw-ferm/README.md
Normal file
@ -0,0 +1,23 @@
|
||||
[Ferm]:http://ferm.foo-projects.org/
|
||||
|
||||
Modifier l'execution d'iptables [plus d'info ici]:https://wiki.debian.org/iptables
|
||||
```shell
|
||||
update-alternatives --set iptables /usr/sbin/iptables-legacy
|
||||
```
|
||||
|
||||
Pour tester utiliser [Nmap]:https://nmap.org/man/fr/man-briefoptions.html
|
||||
### r-vp1
|
||||
```shell
|
||||
sudo nmap -p51820 192.168.0.51
|
||||
```
|
||||
### r-vp2
|
||||
```shell
|
||||
sudo nmap -p51820 192.168.0.52
|
||||
```
|
||||
### Sortie :
|
||||
```
|
||||
`PORT STATE SERVICE
|
||||
51820/tcp filtered unknown`
|
||||
```
|
||||
|
||||
Faire des ping!
|
63
roles/fw-ferm/files/ferm.conf.r-vp1
Normal file
63
roles/fw-ferm/files/ferm.conf.r-vp1
Normal file
@ -0,0 +1,63 @@
|
||||
# -*- shell-script -*-
|
||||
#
|
||||
# Ferm script r-vp1
|
||||
|
||||
@def $DEV_PRIVATE = enp0s8;
|
||||
@def $DEV_WORLD = enp0s9;
|
||||
|
||||
@def $NET_PRIVATE = 172.16.0.0/24;
|
||||
|
||||
table filter {
|
||||
chain (INPUT OUTPUT){
|
||||
# allow VPN
|
||||
proto udp dport 51820 ACCEPT;
|
||||
}
|
||||
chain INPUT {
|
||||
policy DROP;
|
||||
|
||||
# connection tracking
|
||||
mod state state INVALID DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
|
||||
# allow local connections
|
||||
interface lo ACCEPT;
|
||||
|
||||
# respond to ping
|
||||
proto icmp icmp-type echo-request ACCEPT;
|
||||
|
||||
|
||||
# allow SSH connections from the private network and from some
|
||||
# well-known internet hosts
|
||||
saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
|
||||
|
||||
# we provide DNS and SMTP services for the internal net
|
||||
interface $DEV_PRIVATE saddr $NET_PRIVATE {
|
||||
proto (udp tcp) dport domain ACCEPT;
|
||||
proto udp dport bootps ACCEPT;
|
||||
}
|
||||
|
||||
# interface réseau
|
||||
interface $DEV_WORLD {
|
||||
|
||||
}
|
||||
|
||||
# the rest is dropped by the above policy
|
||||
}#FIN INPUT
|
||||
|
||||
# outgoing connections are not limited
|
||||
chain OUTPUT policy ACCEPT;
|
||||
|
||||
chain FORWARD {
|
||||
policy ACCEPT;
|
||||
|
||||
# connection tracking
|
||||
mod state state INVALID DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
|
||||
# connections from the internal net to the internet or to other
|
||||
# internal nets are allowed
|
||||
interface $DEV_PRIVATE ACCEPT;
|
||||
|
||||
# the rest is dropped by the above policy
|
||||
}
|
||||
}
|
62
roles/fw-ferm/files/ferm.conf.r-vp2
Normal file
62
roles/fw-ferm/files/ferm.conf.r-vp2
Normal file
@ -0,0 +1,62 @@
|
||||
# -*- shell-script -*-
|
||||
#
|
||||
# Ferm script r-vp2
|
||||
|
||||
@def $DEV_PRIVATE = enp0s9;
|
||||
@def $DEV_WORLD = enp0s8;
|
||||
|
||||
@def $NET_PRIVATE = 172.16.0.0/24;
|
||||
|
||||
table filter {
|
||||
chain (INPUT OUTPUT){
|
||||
# allow VPN
|
||||
proto udp dport 51820 ACCEPT;
|
||||
}
|
||||
chain INPUT {
|
||||
policy DROP;
|
||||
|
||||
# connection tracking
|
||||
mod state state INVALID DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
|
||||
# allow local connections
|
||||
interface lo ACCEPT;
|
||||
|
||||
# respond to ping
|
||||
proto icmp icmp-type echo-request ACCEPT;
|
||||
|
||||
# allow SSH connections from the private network and from some
|
||||
# well-known internet hosts
|
||||
saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
|
||||
|
||||
# we provide DNS and SMTP services for the internal net
|
||||
interface $DEV_PRIVATE saddr $NET_PRIVATE {
|
||||
proto (udp tcp) dport domain ACCEPT;
|
||||
proto udp dport bootps ACCEPT;
|
||||
}
|
||||
|
||||
# interface réseau
|
||||
interface $DEV_WORLD {
|
||||
|
||||
}
|
||||
|
||||
# the rest is dropped by the above policy
|
||||
}#FIN INPUT
|
||||
|
||||
# outgoing connections are not limited
|
||||
chain OUTPUT policy ACCEPT;
|
||||
|
||||
chain FORWARD {
|
||||
policy ACCEPT;
|
||||
|
||||
# connection tracking
|
||||
mod state state INVALID DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
|
||||
# connections from the internal net to the internet or to other
|
||||
# internal nets are allowed
|
||||
interface $DEV_PRIVATE ACCEPT;
|
||||
|
||||
# the rest is dropped by the above policy
|
||||
}
|
||||
}
|
15
roles/fw-ferm/tasks/main.yml
Normal file
15
roles/fw-ferm/tasks/main.yml
Normal file
@ -0,0 +1,15 @@
|
||||
---
|
||||
- name: installation de ferm
|
||||
apt:
|
||||
name: ferm
|
||||
state: present
|
||||
|
||||
- name: copie du ferm.conf
|
||||
copy:
|
||||
src: ferm.conf.{{ ansible_hostname }}
|
||||
dest: /etc/ferm/ferm.conf
|
||||
|
||||
- name: redemarage service ferm
|
||||
ansible.builtin.service:
|
||||
name: ferm.service
|
||||
state: restarted
|
@ -137,14 +137,6 @@
|
||||
# url: "{{ depl_url }}/{{ depl_glpi_agentx86 }}"
|
||||
# dest: "/var/www/html/ficlients"
|
||||
|
||||
- name: Attribution des permissions sur repertoire /plugins/fusioninventory
|
||||
file:
|
||||
path: /var/www/html/glpi/plugins/fusioninventory
|
||||
owner: www-data
|
||||
group: www-data
|
||||
recurse: yes
|
||||
state: directory
|
||||
|
||||
- name: Copie du script dbdump
|
||||
copy:
|
||||
src: dbdump
|
||||
|
@ -5,6 +5,6 @@ Ce rôle :
|
||||
* installe **nfs-server**
|
||||
* copie le fichier de configuration **exports** pour exporter le répertoire **/home/wordpress**
|
||||
* relance le service **nfs-server**
|
||||
|
||||
* décompresse wordpress
|
||||
### Objectif
|
||||
Le répertoire **/home/wordpress** est exporté par **nfs** sur le réseau **n-dmz-db**
|
||||
|
@ -7,4 +7,4 @@
|
||||
# Example for NFSv4:
|
||||
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
|
||||
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
|
||||
/home/wordpress 192.168.102.0/255.255.255.0 (rw,no_root_squash,subtree_check)
|
||||
/home/wordpress 192.168.102.0/255.255.255.0(rw,no_root_squash,subtree_check)
|
||||
|
@ -1,18 +1,70 @@
|
||||
---
|
||||
- name: installation des paquets
|
||||
apt:
|
||||
name:
|
||||
- nfs-kernel-server
|
||||
state: latest
|
||||
- name: 00 - cree repertoire wordpress pour export nfs
|
||||
file:
|
||||
path: /home/wordpress
|
||||
state: directory
|
||||
|
||||
- name: copie exports pour partage nfs wordpress
|
||||
copy:
|
||||
src: exports
|
||||
dest: /etc
|
||||
- name: 05 - Install nfs-server
|
||||
apt:
|
||||
name: nfs-server
|
||||
state: present
|
||||
|
||||
- name: redemarrage du service rpcbind requis pour le service nfs
|
||||
shell: service rpcbind restart
|
||||
- name: 10 - creation fichier exports nfs
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/exports
|
||||
block: |
|
||||
/home/wordpress 192.168.102.0/255.255.255.0(rw,no_root_squash,subtree_check)
|
||||
|
||||
- name: redemarrage du service nfs-kernel-server
|
||||
shell: service nfs-kernel-server restart
|
||||
- name: 20 - decompresse wordpress
|
||||
unarchive:
|
||||
src: https://fr.wordpress.org/latest-fr_FR.tar.gz
|
||||
dest: /home/
|
||||
remote_src: yes
|
||||
|
||||
- name: 22 - change owner et group pour repertoire wordpress
|
||||
file:
|
||||
path: /home/wordpress
|
||||
state: directory
|
||||
recurse: yes
|
||||
owner: www-data
|
||||
group: www-data
|
||||
|
||||
- name: 30 - genere fichier de config wordpress
|
||||
copy:
|
||||
src: /home/wordpress/wp-config-sample.php
|
||||
dest: /home/wordpress/wp-config.php
|
||||
remote_src: yes
|
||||
|
||||
- name: 35 - ajuste variable dbname dans fichier de config wp-config.php
|
||||
replace:
|
||||
path: /home/wordpress/wp-config.php
|
||||
regexp: "votre_nom_de_bdd"
|
||||
replace: "wordpressdb"
|
||||
backup: yes
|
||||
|
||||
|
||||
- name: 40 ajuste variable dbusername dans fichier de config wp-config.php
|
||||
replace:
|
||||
path: /home/wordpress/wp-config.php
|
||||
regexp: "votre_utilisateur_de_bdd"
|
||||
replace: "wordpressuser"
|
||||
backup: yes
|
||||
|
||||
- name: 45 - ajuste variable mdp dans fichier de config wp-config.php
|
||||
replace:
|
||||
path: /home/wordpress/wp-config.php
|
||||
regexp: "votre_mdp_de_bdd"
|
||||
replace: "wordpresspasswd"
|
||||
backup: yes
|
||||
|
||||
- name: 50 - ajuste hostname fichier wp-config.php
|
||||
replace:
|
||||
path: /home/wordpress/wp-config.php
|
||||
regexp: "localhost"
|
||||
replace: "192.168.102.253"
|
||||
backup: yes
|
||||
|
||||
- name: 55 - relance nfs
|
||||
service:
|
||||
name: nfs-server
|
||||
state: restarted
|
||||
enabled: yes
|
||||
|
@ -8,22 +8,3 @@
|
||||
- php-mysql
|
||||
- mariadb-client
|
||||
state: present
|
||||
|
||||
- name: download and extract wordpress
|
||||
unarchive:
|
||||
src: https://fr.wordpress.org/latest-fr_FR.tar.gz
|
||||
dest: /home/
|
||||
remote_src: yes
|
||||
|
||||
- name: Copy sample config file
|
||||
command: mv /home/wordpress/wp-config-sample.php /home/wordpress/wp-config.php creates=/home/wordpress/wp-config.php
|
||||
|
||||
- name: Changement du fichier de conf
|
||||
copy:
|
||||
src: wp-config.php
|
||||
dest: /home/wordpress/wp-config.php
|
||||
|
||||
- name: Attributions des permissions
|
||||
file:
|
||||
path: /home/wordpress
|
||||
recurse: yes
|
||||
|
@ -6,6 +6,13 @@ s-backup permet de récupérer les dossiers et fichiers présent dans le répert
|
||||
# Lancement du script backup.sh
|
||||
|
||||
Après la fin de l'installation de s-backup et la fin de la configuration de s-win vous pouvez
|
||||
lancer le fichier backup.sh pour récuperer l'intégraliter du fichier partagé gsb.lan de s-win
|
||||
lancer le fichier backupsmb.sh pour récuperer l'intégraliter du fichier partagé gsb.lan de s-win
|
||||
sur la machine s-backup.
|
||||
|
||||
# Crontab
|
||||
|
||||
Une crontab a été ajoutée mais désactivée par défaut ( backupsmb.sh executée tout les jours à 5h00)
|
||||
|
||||
# Pistes
|
||||
|
||||
- Traps à consolider
|
||||
|
@ -2,7 +2,22 @@
|
||||
apt:
|
||||
name:
|
||||
- rsync
|
||||
- smbclient
|
||||
- smbclient
|
||||
- cifs-utils
|
||||
state: present
|
||||
|
||||
- name: copie script backupsmb dans /usr/local/bin
|
||||
copy:
|
||||
src: backupsmb.sh
|
||||
dest: /usr/local/bin
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
|
||||
- name: crontab backupsmb ( commentee par defaut )
|
||||
cron:
|
||||
name: backupsmb
|
||||
disabled: true
|
||||
minute: "0"
|
||||
hour: "5"
|
||||
job: "/usr/local/bin/backupsmb.sh"
|
||||
|
@ -4,16 +4,16 @@
|
||||
name: wireguard
|
||||
state: present
|
||||
|
||||
- name: installation de ferm
|
||||
apt:
|
||||
name: ferm
|
||||
state: present
|
||||
|
||||
- name: installation de wireguard-tools
|
||||
apt:
|
||||
name: wireguard-tools
|
||||
state: present
|
||||
|
||||
#- name: installation de sshpass
|
||||
# apt:
|
||||
# name: sshpass
|
||||
# state: present
|
||||
|
||||
#- name: copie du fichier de configuration depuis r-vp1
|
||||
# command: "sshpass -p 'root' scp -r root@192.168.99.112:/root/confwg/wg0-b.conf /etc/wireguard/"
|
||||
|
||||
|
@ -1,5 +1,3 @@
|
||||
#Installation de r-vp1 (Wireguard)
|
||||
|
||||
Procédure d'installation de r-vp1 et de copie du fichier wg0-b.conf.
|
||||
***
|
||||
|
||||
|
@ -4,6 +4,11 @@
|
||||
name: wireguard
|
||||
state: present
|
||||
|
||||
- name: installation de ferm
|
||||
apt:
|
||||
name: ferm
|
||||
state: present
|
||||
|
||||
- name: installation de wireguard-tools
|
||||
apt:
|
||||
name: wireguard-tools
|
||||
@ -27,12 +32,10 @@
|
||||
- name: copie du fichier de configuration
|
||||
copy:
|
||||
src: /root/confwg/wg0-a.conf
|
||||
dest: /etc/wireguard
|
||||
dest: /etc/wireguard/wg0.conf
|
||||
|
||||
- name: renommage fichier de configuration
|
||||
command: "mv /etc/wireguard/wg0-a.conf /etc/wireguard/wg0.conf"
|
||||
|
||||
- name: demarrage du service wireguard
|
||||
tags: aaaa
|
||||
command: "systemctl enable wg-quick@wg0"
|
||||
command: "systemctl restart wg-quick@wg0"
|
||||
- name: Restart service httpd, in all cases
|
||||
ansible.builtin.service:
|
||||
name: wg-quick@wg0
|
||||
enabled: yes
|
||||
state: restarted
|
||||
|
15
s-itil.yml
15
s-itil.yml
@ -2,14 +2,13 @@
|
||||
- hosts: localhost
|
||||
connection: local
|
||||
|
||||
#vars:
|
||||
|
||||
#glpi_version: "9.4.5"
|
||||
#glpi_dir: "/var/www/html/glpi"
|
||||
#glpi_dbhost: "127.0.0.1"
|
||||
#glpi_dbname: "glpi"
|
||||
#glpi_dbuser: "glpi"
|
||||
#glpi_dbpasswd: "glpi"
|
||||
vars:
|
||||
glpi_version: "10.0.6"
|
||||
glpi_dir: "/var/www/html/glpi"
|
||||
glpi_dbhost: "127.0.0.1"
|
||||
glpi_dbname: "glpi"
|
||||
glpi_dbuser: "glpi"
|
||||
glpi_dbpasswd: "glpi"
|
||||
|
||||
roles:
|
||||
- base
|
||||
|
67
s-lb-bd.yml
67
s-lb-bd.yml
@ -1,24 +1,49 @@
|
||||
---
|
||||
- hosts: localhost
|
||||
connection: local
|
||||
vars:
|
||||
maria_dbhost: "192.168.102.254"
|
||||
maria_dbname: "wordpress"
|
||||
maria_dbuser: "wp"
|
||||
maria_dbpasswd: "wp"
|
||||
- hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
|
||||
- name: modules python pour
|
||||
apt:
|
||||
name: python3-pymysql
|
||||
state: present
|
||||
|
||||
roles:
|
||||
- base
|
||||
- goss
|
||||
- post
|
||||
#- s-lb-bd-ab
|
||||
- mariadb-ab
|
||||
# - role: db-user
|
||||
# cli_ip: "192.168.102.1"
|
||||
# - role: db-user
|
||||
# cli_ip: "192.168.102.2"
|
||||
# - role: db-user
|
||||
# cli_ip: "192.168.102.3"
|
||||
- snmp-agent
|
||||
# - post
|
||||
- name: install mariadb-server
|
||||
apt:
|
||||
name: mariadb-server
|
||||
state: present
|
||||
|
||||
- name: Cree Bd wordpress
|
||||
mysql_db:
|
||||
db: wordpressdb
|
||||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
||||
state: present
|
||||
|
||||
- name: Ouvre port 3306 mariadb-server
|
||||
replace:
|
||||
path: /etc/mysql/mariadb.conf.d/50-server.cnf
|
||||
regexp: '^bind-address.*'
|
||||
replace: '#bind-adress = 127.0.0.1'
|
||||
backup: yes
|
||||
notify: restart mariadb
|
||||
|
||||
- name: Create MySQL user for wordpress
|
||||
mysql_user:
|
||||
name: wordpressuser
|
||||
password: wordpresspasswd
|
||||
priv: "wordpressdb.*:ALL"
|
||||
host: '%'
|
||||
state: present
|
||||
login_unix_socket: /var/run/mysqld/mysqld.sock
|
||||
|
||||
handlers:
|
||||
- name: restart mariadb
|
||||
ansible.builtin.service:
|
||||
name: mariadb
|
||||
state: restarted
|
||||
|
||||
roles:
|
||||
- base
|
||||
- goss
|
||||
- post
|
||||
- snmp-agent
|
||||
|
@ -8,4 +8,3 @@
|
||||
- snmp-agent
|
||||
- lb-nfs-client
|
||||
- post
|
||||
|
||||
|
Reference in New Issue
Block a user