Merge branch 'main' of https://gitea.lyc-lecastel.fr/gadmin/gsb2023

goss/list-goss

@@ -0,0 +1,12 @@
+cd goss/
+goss -g r-vp1.yaml v
+goss  -g r-vp1.yaml aa wireguard
+goss add interface enp0s3
+goss add interface enp0s8
+goss add interface enp0s9
+goss add interface wg0
+goss aa wireguard
+goss add package wireguard-tools
+goss add service wg-quick@wg0
+goss add command "ping -c4  10.0.0.2"
+goss add file "/etc/wireguard/wg0.conf"

r-vp1.yml

@@ -15,6 +15,7 @@
 #   - firewall-vpn-r
    - wireguard-r
 #   - x509-r
+   - fw-ferm
    - ssh-cli
    - syslog-cli
    - post

r-vp2.yml

@@ -18,6 +18,7 @@
 #   - firewall-vpn-l
    - wireguard-l
 #   - x509-l
+   - fw-ferm
    - ssh-cli
    - syslog-cli
    - post

roles/fw-ferm/README.md

@@ -0,0 +1,19 @@
+[Ferm]:http://ferm.foo-projects.org/ 
+
+Modifier l'execution d'iptables [plus d'info ici]:https://wiki.debian.org/iptables
+```bash
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+```
+
+Pour tester utiliser [Nmap]:https://nmap.org/man/fr/man-briefoptions.html
+```bash
+sudo nmap -p51820  192.168.0.51
+```(r-vp1)
+```bash
+sudo nmap -p51820  192.168.0.52
+```(r-vp2)
+
+Sortie :
+`PORT      STATE    SERVICE
+51820/tcp filtered unknown`
+Faire des ping!

roles/fw-ferm/files/ferm.conf.r-vp1

@@ -0,0 +1,63 @@
+# -*- shell-script -*-
+#
+# Ferm script r-vp1
+
+@def $DEV_PRIVATE = enp0s8;
+@def $DEV_WORLD = enp0s9;
+
+@def $NET_PRIVATE = 172.16.0.0/24;
+
+table filter {
+    chain (INPUT OUTPUT){
+        # allow VPN
+	proto udp dport 51820 ACCEPT;
+}
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;  
+       
+
+        # allow SSH connections from the private network and from some
+        # well-known internet hosts
+        saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
+
+        # we provide DNS and SMTP services for the internal net
+        interface $DEV_PRIVATE saddr $NET_PRIVATE {
+            proto (udp tcp) dport domain ACCEPT;
+            proto udp dport bootps ACCEPT;            
+        }
+
+        # interface réseau 
+        interface $DEV_WORLD {
+            
+        }
+
+        # the rest is dropped by the above policy
+    }#FIN INPUT
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    chain FORWARD {
+        policy ACCEPT;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # connections from the internal net to the internet or to other
+        # internal nets are allowed
+        interface $DEV_PRIVATE ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+}

roles/fw-ferm/files/ferm.conf.r-vp2

@@ -0,0 +1,62 @@
+# -*- shell-script -*-
+#
+# Ferm script r-vp2
+
+@def $DEV_PRIVATE = enp0s9;
+@def $DEV_WORLD = enp0s8;
+
+@def $NET_PRIVATE = 172.16.0.0/24;
+
+table filter {
+    chain (INPUT OUTPUT){
+        # allow VPN
+	proto udp dport 51820 ACCEPT;
+}
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+
+        # allow SSH connections from the private network and from some
+        # well-known internet hosts
+        saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
+
+        # we provide DNS and SMTP services for the internal net
+        interface $DEV_PRIVATE saddr $NET_PRIVATE {
+            proto (udp tcp) dport domain ACCEPT;
+            proto udp dport bootps ACCEPT;
+        }
+
+        # interface réseau
+        interface $DEV_WORLD {
+
+        }
+
+        # the rest is dropped by the above policy
+    }#FIN INPUT
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    chain FORWARD {
+        policy ACCEPT;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # connections from the internal net to the internet or to other
+        # internal nets are allowed
+        interface $DEV_PRIVATE ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+}

roles/fw-ferm/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- name: installation de ferm
+  apt:
+    name: ferm
+    state: present
+
+- name: copie du ferm.conf
+  copy:
+    src: ferm.conf.{{ ansible_hostname }}
+    dest: /etc/ferm/ferm.conf
+
+- name: redemarage service ferm
+  ansible.builtin.service:
+    name: ferm.service
+    state: restarted

roles/lb-nfs-server/README.md

@@ -5,6 +5,6 @@ Ce rôle :
   * installe **nfs-server**
   * copie le fichier de configuration **exports**  pour exporter le répertoire **/home/wordpress** 
   * relance le service **nfs-server**
-
+  * décompresse wordpress
 ### Objectif
 Le répertoire **/home/wordpress** est exporté par **nfs** sur le réseau **n-dmz-db**

roles/lb-nfs-server/tasks/main.yml

@@ -1,18 +1,70 @@
----
- - name: installation des paquets 
-   apt:
-     name: 
-     - nfs-kernel-server
-     state: latest
+- name: 00 - cree repertoire wordpress pour export nfs
+  file:
+    path: /home/wordpress
+    state: directory
 
- - name: copie exports pour partage nfs wordpress
-   copy:
-    src: exports
-    dest: /etc
+- name: 05 - Install nfs-server
+  apt:
+    name: nfs-server
+    state: present
 
- - name: redemarrage du service rpcbind requis pour le service nfs
-   shell: service rpcbind restart
+- name: 10 - creation fichier exports nfs
+  ansible.builtin.blockinfile:
+    path: /etc/exports
+    block: |
+      /home/wordpress 192.168.102.0/255.255.255.0(rw,no_root_squash,subtree_check)
 
- - name: redemarrage du service nfs-kernel-server
-   shell: service nfs-kernel-server restart
+- name: 20 - decompresse wordpress
+  unarchive:
+    src: https://fr.wordpress.org/latest-fr_FR.tar.gz
+    dest: /home/
+    remote_src: yes
 
+- name: 22 - change owner et group pour repertoire wordpress
+  file:
+    path: /home/wordpress
+    state: directory
+    recurse: yes
+    owner: www-data
+    group: www-data
+
+- name: 30 - genere fichier de config wordpress
+  copy:
+    src: /home/wordpress/wp-config-sample.php
+    dest: /home/wordpress/wp-config.php
+    remote_src: yes
+
+- name: 35 - ajuste variable dbname dans fichier de config wp-config.php
+  replace:
+    path: /home/wordpress/wp-config.php
+    regexp: "votre_nom_de_bdd"
+    replace: "wordpressdb"
+    backup: yes
+
+
+- name: 40 ajuste variable dbusername dans fichier de config wp-config.php
+  replace:
+    path: /home/wordpress/wp-config.php
+    regexp: "votre_utilisateur_de_bdd"
+    replace: "wordpressuser"
+    backup: yes
+
+- name: 45 - ajuste variable mdp dans fichier de config wp-config.php
+  replace:
+    path: /home/wordpress/wp-config.php
+    regexp: "votre_mdp_de_bdd"
+    replace: "wordpresspasswd"
+    backup: yes
+
+- name: 50 - ajuste hostname fichier wp-config.php
+  replace:
+    path: /home/wordpress/wp-config.php
+    regexp: "localhost"
+    replace: "192.168.102.253"
+    backup: yes
+
+- name: 55 - relance nfs
+  service:
+    name: nfs-server
+    state: restarted
+    enabled: yes

roles/smb-backup/README.md

@@ -6,6 +6,13 @@ s-backup permet de récupérer les dossiers et fichiers présent dans le répert
 # Lancement du script backup.sh
 
 Après la fin de l'installation de s-backup et la fin de la configuration de s-win vous pouvez
-lancer le fichier backup.sh pour récuperer l'intégraliter du fichier partagé gsb.lan de s-win
+lancer le fichier backupsmb.sh pour récuperer l'intégraliter du fichier partagé gsb.lan de s-win
 sur la machine s-backup.
 
+# Crontab
+
+Une crontab a été ajoutée mais désactivée par défaut ( backupsmb.sh executée tout les jours à 5h00)
+
+# Pistes
+
+- Traps à consolider 

roles/smb-backup/tasks/main.yml

@@ -2,7 +2,22 @@
   apt:
     name:
       - rsync
-      - smbclient 
+      - smbclient
       - cifs-utils
     state: present
 
+- name: copie script backupsmb dans /usr/local/bin
+  copy:
+    src: backupsmb.sh
+    dest: /usr/local/bin
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: crontab backupsmb ( commentee par defaut )
+  cron:
+    name: backupsmb
+    disabled: true
+    minute: "0"
+    hour: "5"
+    job: "/usr/local/bin/backupsmb.sh"

roles/wireguard-l/tasks/main.yml

@@ -4,16 +4,16 @@
     name: wireguard
     state: present
 
+- name: installation de ferm
+  apt:
+    name: ferm
+    state: present
+
 - name: installation de wireguard-tools
   apt:
     name: wireguard-tools
     state: present
 
-#- name: installation de sshpass
-#  apt:
-#    name: sshpass
-#    state: present
-
 #- name: copie du fichier de configuration depuis r-vp1
 #  command: "sshpass -p 'root' scp -r root@192.168.99.112:/root/confwg/wg0-b.conf /etc/wireguard/"
 

roles/wireguard-r/tasks/main.yml

@@ -4,6 +4,11 @@
     name: wireguard
     state: present
 
+- name: installation de ferm
+  apt:
+    name: ferm
+    state: present
+
 - name: installation de wireguard-tools
   apt:
     name: wireguard-tools
@@ -27,12 +32,10 @@
 - name: copie du fichier de configuration
   copy:
     src: /root/confwg/wg0-a.conf
-    dest: /etc/wireguard
+    dest: /etc/wireguard/wg0.conf
 
-- name: renommage fichier de configuration
-  command: "mv /etc/wireguard/wg0-a.conf /etc/wireguard/wg0.conf"
-
-- name: demarrage du service wireguard
-  tags: aaaa
-  command: "systemctl enable wg-quick@wg0"
-  command: "systemctl restart wg-quick@wg0"
+- name: Restart service httpd, in all cases
+  ansible.builtin.service:
+    name: wg-quick@wg0
+    enabled: yes
+    state: restarted

s-lb-bd.yml

@@ -1,24 +1,49 @@
 ---
- - hosts: localhost
-   connection: local
-   vars:
-        maria_dbhost: "192.168.102.254"
-        maria_dbname: "wordpress"
-        maria_dbuser: "wp"
-        maria_dbpasswd: "wp"
+- hosts: all
+  become: true
+  tasks:
 
+  - name: modules python pour
+    apt:
+      name: python3-pymysql
+      state: present
 
-   roles:
-     - base
-     - goss
-     - post
-     #- s-lb-bd-ab
-     - mariadb-ab
-#     - role: db-user
-#       cli_ip: "192.168.102.1"
-#     - role: db-user
-#       cli_ip: "192.168.102.2"
-#     - role: db-user
-#       cli_ip: "192.168.102.3"     
-     - snmp-agent
-#     - post
+  - name: install mariadb-server
+    apt:
+      name: mariadb-server
+      state: present
+
+  - name: Cree Bd wordpress
+    mysql_db:
+      db: wordpressdb
+      login_unix_socket: /var/run/mysqld/mysqld.sock
+      state: present
+
+  - name: Ouvre port 3306 mariadb-server
+    replace:
+      path: /etc/mysql/mariadb.conf.d/50-server.cnf
+      regexp: '^bind-address.*'
+      replace: '#bind-adress = 127.0.0.1'
+      backup: yes
+    notify: restart mariadb
+
+  - name: Create MySQL user for wordpress
+    mysql_user:
+      name: wordpressuser
+      password: wordpresspasswd
+      priv: "wordpressdb.*:ALL"
+      host: '%'
+      state: present
+      login_unix_socket: /var/run/mysqld/mysqld.sock
+
+  handlers:
+    - name: restart mariadb
+      ansible.builtin.service:
+        name: mariadb
+        state: restarted
+
+  roles:
+    - base
+    - goss
+    - post
+    - snmp-agent