Merge branch 'main' of https://gitea.lyc-lecastel.fr/gadmin/gsb2023

goss/list-goss

@@ -0,0 +1,12 @@
+cd goss/
+goss -g r-vp1.yaml v
+goss  -g r-vp1.yaml aa wireguard
+goss add interface enp0s3
+goss add interface enp0s8
+goss add interface enp0s9
+goss add interface wg0
+goss aa wireguard
+goss add package wireguard-tools
+goss add service wg-quick@wg0
+goss add command "ping -c4  10.0.0.2"
+goss add file "/etc/wireguard/wg0.conf"

roles/fw-ferm-1/README.md

@@ -0,0 +1,16 @@
+[Ferm]:http://ferm.foo-projects.org/ 
+
+Modifier l'execution d'iptables [plus d'info ici]:https://wiki.debian.org/iptables
+```bash
+update-alternatives --set iptables /usr/sbin/iptables-legacy```
+
+Pour tester utiliser [Nmap]:https://nmap.org/man/fr/man-briefoptions.html
+```bash
+sudo nmap -p51820  192.168.0.51```(r-vp1)
+```bash
+sudo nmap -p51820  192.168.0.52```(r-vp2)
+
+Sortie :
+`PORT      STATE    SERVICE
+51820/tcp filtered unknown`
+Faire des ping!

roles/fw-ferm-1/ferm.conf

@@ -0,0 +1,63 @@
+# -*- shell-script -*-
+#
+# Ferm script r-vp1
+
+@def $DEV_PRIVATE = enp0s8;
+@def $DEV_WORLD = enp0s9;
+
+@def $NET_PRIVATE = 172.16.0.0/24;
+
+table filter {
+    chain (INPUT OUTPUT){
+        # allow VPN
+	proto udp dport 51820 ACCEPT;
+}
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;  
+       
+
+        # allow SSH connections from the private network and from some
+        # well-known internet hosts
+        saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
+
+        # we provide DNS and SMTP services for the internal net
+        interface $DEV_PRIVATE saddr $NET_PRIVATE {
+            proto (udp tcp) dport domain ACCEPT;
+            proto udp dport bootps ACCEPT;            
+        }
+
+        # interface réseau 
+        interface $DEV_WORLD {
+            
+        }
+
+        # the rest is dropped by the above policy
+    }#FIN INPUT
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    chain FORWARD {
+        policy ACCEPT;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # connections from the internal net to the internet or to other
+        # internal nets are allowed
+        interface $DEV_PRIVATE ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+}

roles/fw-ferm-2/README.md

@@ -0,0 +1,16 @@
+[Ferm]:http://ferm.foo-projects.org/ 
+
+Modifier l'execution d'iptables [plus d'info ici]:https://wiki.debian.org/iptables
+```bash
+update-alternatives --set iptables /usr/sbin/iptables-legacy```
+
+Pour tester utiliser [Nmap]:https://nmap.org/man/fr/man-briefoptions.html
+```bash
+sudo nmap -p51820  192.168.0.51```(r-vp1)
+```bash
+sudo nmap -p51820  192.168.0.52```(r-vp2)
+
+Sortie :
+`PORT      STATE    SERVICE
+51820/tcp filtered unknown`
+Faire des ping!

roles/fw-ferm-2/ferm.conf

@@ -0,0 +1,62 @@
+# -*- shell-script -*-
+#
+# Ferm script r-vp2
+
+@def $DEV_PRIVATE = enp0s9;
+@def $DEV_WORLD = enp0s8;
+
+@def $NET_PRIVATE = 172.16.0.0/24;
+
+table filter {
+    chain (INPUT OUTPUT){
+        # allow VPN
+	proto udp dport 51820 ACCEPT;
+}
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+
+        # allow SSH connections from the private network and from some
+        # well-known internet hosts
+        saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
+
+        # we provide DNS and SMTP services for the internal net
+        interface $DEV_PRIVATE saddr $NET_PRIVATE {
+            proto (udp tcp) dport domain ACCEPT;
+            proto udp dport bootps ACCEPT;
+        }
+
+        # interface réseau
+        interface $DEV_WORLD {
+
+        }
+
+        # the rest is dropped by the above policy
+    }#FIN INPUT
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    chain FORWARD {
+        policy ACCEPT;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # connections from the internal net to the internet or to other
+        # internal nets are allowed
+        interface $DEV_PRIVATE ACCEPT;
+
+        # the rest is dropped by the above policy
+    }
+}

roles/lb-nfs-server/tasks/main.yml

@@ -44,7 +44,7 @@
 
 - name: 40 ajuste variable dbusername dans fichier de config wp-config.php
   replace:
-    path: /exports/wordpress/wp-config.php
+    path: /home/wordpress/wp-config.php
     regexp: "votre_utilisateur_de_bdd"
     replace: "wordpressuser"
     backup: yes