fix: changed the way peertube is installed for better comprehension

README.md

@@ -1,6 +1,6 @@
 # gsb2023
 
-2023-02-01 ps 
+2023-02-02 ps
 
 Environnement et playbooks ansible pour le projet GSB 2023
 
@@ -54,14 +54,15 @@ On utilsera le script (bash) **mkvm** ou (PowerShell) **mkvm.ps1** pour créeer
 ```shell
 gsb2023>
 cd pre
-$ mkvm s-adm
+$ mkvm -r s-adm
 
 ```
 
 ### Machine s-adm
-  * créer la machine virtuelle **s-adm** avec **mkvm * comme décrit plus haut.
-  * renommer la machine puis redémarrer
-  * taper :
+  * créer la machine virtuelle **s-adm** avec **mkvm** comme décrit plus haut.
+  * utiliser le script de renommage comme suit --> `bash chname <nouveau_nom_de_machine>` , puis redémarrer
+  * utiliser le script **s-adm-start** : `bash s-adm-start` , puis redémarrer
+  * ou sinon :
 ```shell
     mkdir -p tools/ansible ; cd tools/ansible
     git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git
@@ -77,11 +78,11 @@ $ mkvm s-adm
   
 ### Pour chaque machine
 
-  - créer la machine avec **mkvm**, les cartes réseau sont paramétrées par **mkvm** selon les spécifications 
-  - donner le nom adapté (avec sed -i …)
+  - créer la machine avec **mkvm -r**, les cartes réseau sont paramétrées par **mkvm** selon les spécifications 
+  - utiliser le script de renommage comme suit : `bash chname <nouveau_nom_de_machine>`
   - redémarrer
-  - mettre à jour les paquets : apt update 
-  - cloner le dépot : 
+  - utiliser le script **gsb-start** : `bash gsb-start`
+  - ou sinon:
 ```shell
 mkdir -p tools/ansible ; cd tools/ansible
 git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git
@@ -91,6 +92,18 @@ bash gsbboot
 cd ../..
 bash pull-config
 ```
+  - redémarrer
   - **Remarque** : une machine doit avoir été redémarrée pour prendre en charge la nouvelle configuration
 
 
+## Les tests
+
+Il peuvent êtres mis en oeuvre avec **goss** de la façon suivante : chaque machine installée  dispose d'un fichier de test ad-hoc portant le nom de la machine elle-même (machine.yml).
+
+```
+cd tools/ansible/gsb2023
+bash agoss # lance le test portant le nom de la machine 
+```
+
+`bash agoss -f tap` permet de lancer le test avec le détail d'exécution
+

goss/s-elk.yaml

@@ -0,0 +1,26 @@
+port:
+  tcp:5044:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:5601:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:9200:
+    listening: true
+    ip:
+    - 0.0.0.0
+service:
+  docker:
+    enabled: true
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.11/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.11/24

pre/gsbboot

@@ -34,7 +34,7 @@ if [[ $? != 0 ]]; then
 	${APT} install -y git-core
 fi
 ${APT} update
-${APT} upgrade -y
+#${APT} upgrade -y
 
 which ansible >> /dev/null
 if [[ $? != 0 ]]; then

pre/inst-depl

@@ -45,7 +45,9 @@ str6="curl -L https://github.com/aelsabbahy/goss/releases/download/${GOSSVER}/go
 #str8="wget -nc 'https://gestsup.fr/index.php?page=download&channel=stable&version=${GESTSUPREL}&type=gestsup' -O gestsup_${GESTSUPREL}.zip"
 str8="wget -nc 'https://gestsup.fr/index.php?page=download&channel=stable&version=3.2.30&type=gestsup' -O gestsup_3.2.30.zip"
 
-ELKREL=8.6.0
+
+#METRICBEAT ET FILEBEAT
+ELKREL=8.5.3
 str81="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-amd64.deb"
 
 str82="wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-windows-x86_64.zip"

r-vp2.yml

@@ -18,7 +18,7 @@
 #   - firewall-vpn-l
    - wireguard-l
 #   - x509-l
-   - fw-ferm
+   - post
    - ssh-cli
    - syslog-cli
-   - post
+   - fw-ferm

roles/elk/README.md

@@ -1,8 +1,9 @@
 ## Principe du rôle elk
-  
-Ce rôle permet de créer un serveur ELK pour centraliser les logs et d'avoir des métriques pour simplifier la gestion du parc informatique GSB. 
-Le principe de se rôle est d'installer docker, les différentes tâches de se rôle est de :  
-Vérifier si ELK est déjà installé,  
-Installer ELK sur github,  
-Changer la configuration  
-Lancer ELK avec docker-compose   
+ELK 8.5.3
+
+Ce rôle permet de créer un serveur ELK pour centraliser les logs et de des métriques pour simplifier la gestion du parc informatique GSB. 
+Le principe de ce rôle est d'installer docker, les différentes tâches de ce rôle sont de :
+- Vérifier si ELK est déjà installé,
+- Importation un docker-compose depuis github,
+- Changement la configuration pour passer en version 'basic'
+- Lancement d'ELK avec docker-compose

roles/elk/files/get_docker.sh

@@ -1,502 +0,0 @@
-#!/bin/sh
-set -e
-# Docker CE for Linux installation script
-#
-# See https://docs.docker.com/install/ for the installation steps.
-#
-# This script is meant for quick & easy install via:
-#   $ curl -fsSL https://get.docker.com -o get-docker.sh
-#   $ sh get-docker.sh
-#
-# For test builds (ie. release candidates):
-#   $ curl -fsSL https://test.docker.com -o test-docker.sh
-#   $ sh test-docker.sh
-#
-# NOTE: Make sure to verify the contents of the script
-#       you downloaded matches the contents of install.sh
-#       located at https://github.com/docker/docker-install
-#       before executing.
-#
-# Git commit from https://github.com/docker/docker-install when
-# the script was uploaded (Should only be modified by upload job):
-SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4"
-
-
-# The channel to install from:
-#   * nightly
-#   * test
-#   * stable
-#   * edge (deprecated)
-DEFAULT_CHANNEL_VALUE="stable"
-if [ -z "$CHANNEL" ]; then
-	CHANNEL=$DEFAULT_CHANNEL_VALUE
-fi
-
-DEFAULT_DOWNLOAD_URL="https://download.docker.com"
-if [ -z "$DOWNLOAD_URL" ]; then
-	DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
-fi
-
-DEFAULT_REPO_FILE="docker-ce.repo"
-if [ -z "$REPO_FILE" ]; then
-	REPO_FILE="$DEFAULT_REPO_FILE"
-fi
-
-mirror=''
-DRY_RUN=${DRY_RUN:-}
-while [ $# -gt 0 ]; do
-	case "$1" in
-		--mirror)
-			mirror="$2"
-			shift
-			;;
-		--dry-run)
-			DRY_RUN=1
-			;;
-		--*)
-			echo "Illegal option $1"
-			;;
-	esac
-	shift $(( $# > 0 ? 1 : 0 ))
-done
-
-case "$mirror" in
-	Aliyun)
-		DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
-		;;
-	AzureChinaCloud)
-		DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
-		;;
-esac
-
-command_exists() {
-	command -v "$@" > /dev/null 2>&1
-}
-
-is_dry_run() {
-	if [ -z "$DRY_RUN" ]; then
-		return 1
-	else
-		return 0
-	fi
-}
-
-is_wsl() {
-	case "$(uname -r)" in
-	*microsoft* ) true ;; # WSL 2
-	*Microsoft* ) true ;; # WSL 1
-	* ) false;;
-	esac
-}
-
-is_darwin() {
-	case "$(uname -s)" in
-	*darwin* ) true ;;
-	*Darwin* ) true ;;
-	* ) false;;
-	esac
-}
-
-deprecation_notice() {
-	distro=$1
-	date=$2
-	echo
-	echo "DEPRECATION WARNING:"
-	echo "    The distribution, $distro, will no longer be supported in this script as of $date."
-	echo "    If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new"
-	echo
-	sleep 10
-}
-
-get_distribution() {
-	lsb_dist=""
-	# Every system that we officially support has /etc/os-release
-	if [ -r /etc/os-release ]; then
-		lsb_dist="$(. /etc/os-release && echo "$ID")"
-	fi
-	# Returning an empty string here should be alright since the
-	# case statements don't act unless you provide an actual value
-	echo "$lsb_dist"
-}
-
-add_debian_backport_repo() {
-	debian_version="$1"
-	backports="deb http://ftp.debian.org/debian $debian_version-backports main"
-	if ! grep -Fxq "$backports" /etc/apt/sources.list; then
-		(set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list")
-	fi
-}
-
-echo_docker_as_nonroot() {
-	if is_dry_run; then
-		return
-	fi
-	if command_exists docker && [ -e /var/run/docker.sock ]; then
-		(
-			set -x
-			$sh_c 'docker version'
-		) || true
-	fi
-	your_user=your-user
-	[ "$user" != 'root' ] && your_user="$user"
-	# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
-	echo "If you would like to use Docker as a non-root user, you should now consider"
-	echo "adding your user to the \"docker\" group with something like:"
-	echo
-	echo "  sudo usermod -aG docker $your_user"
-	echo
-	echo "Remember that you will have to log out and back in for this to take effect!"
-	echo
-	echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run"
-	echo "         containers which can be used to obtain root privileges on the"
-	echo "         docker host."
-	echo "         Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface"
-	echo "         for more information."
-
-}
-
-# Check if this is a forked Linux distro
-check_forked() {
-
-	# Check for lsb_release command existence, it usually exists in forked distros
-	if command_exists lsb_release; then
-		# Check if the `-u` option is supported
-		set +e
-		lsb_release -a -u > /dev/null 2>&1
-		lsb_release_exit_code=$?
-		set -e
-
-		# Check if the command has exited successfully, it means we're in a forked distro
-		if [ "$lsb_release_exit_code" = "0" ]; then
-			# Print info about current distro
-			cat <<-EOF
-			You're using '$lsb_dist' version '$dist_version'.
-			EOF
-
-			# Get the upstream release info
-			lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
-			dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
-
-			# Print info about upstream distro
-			cat <<-EOF
-			Upstream release is '$lsb_dist' version '$dist_version'.
-			EOF
-		else
-			if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
-				if [ "$lsb_dist" = "osmc" ]; then
-					# OSMC runs Raspbian
-					lsb_dist=raspbian
-				else
-					# We're Debian and don't even know it!
-					lsb_dist=debian
-				fi
-				dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
-				case "$dist_version" in
-					10)
-						dist_version="buster"
-					;;
-					9)
-						dist_version="stretch"
-					;;
-					8|'Kali Linux 2')
-						dist_version="jessie"
-					;;
-				esac
-			fi
-		fi
-	fi
-}
-
-semverParse() {
-	major="${1%%.*}"
-	minor="${1#$major.}"
-	minor="${minor%%.*}"
-	patch="${1#$major.$minor.}"
-	patch="${patch%%[-.]*}"
-}
-
-do_install() {
-	echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
-
-	if command_exists docker; then
-		docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)"
-		MAJOR_W=1
-		MINOR_W=10
-
-		semverParse "$docker_version"
-
-		shouldWarn=0
-		if [ "$major" -lt "$MAJOR_W" ]; then
-			shouldWarn=1
-		fi
-
-		if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then
-			shouldWarn=1
-		fi
-
-		cat >&2 <<-'EOF'
-			Warning: the "docker" command appears to already exist on this system.
-
-			If you already have Docker installed, this script can cause trouble, which is
-			why we're displaying this warning and provide the opportunity to cancel the
-			installation.
-
-			If you installed the current Docker package using this script and are using it
-		EOF
-
-		if [ $shouldWarn -eq 1 ]; then
-			cat >&2 <<-'EOF'
-			again to update Docker, we urge you to migrate your image store before upgrading
-			to v1.10+.
-
-			You can find instructions for this here:
-			https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
-			EOF
-		else
-			cat >&2 <<-'EOF'
-			again to update Docker, you can safely ignore this message.
-			EOF
-		fi
-
-		cat >&2 <<-'EOF'
-
-			You may press Ctrl+C now to abort this script.
-		EOF
-		( set -x; sleep 20 )
-	fi
-
-	user="$(id -un 2>/dev/null || true)"
-
-	sh_c='sh -c'
-	if [ "$user" != 'root' ]; then
-		if command_exists sudo; then
-			sh_c='sudo -E sh -c'
-		elif command_exists su; then
-			sh_c='su -c'
-		else
-			cat >&2 <<-'EOF'
-			Error: this installer needs the ability to run commands as root.
-			We are unable to find either "sudo" or "su" available to make this happen.
-			EOF
-			exit 1
-		fi
-	fi
-
-	if is_dry_run; then
-		sh_c="echo"
-	fi
-
-	# perform some very rudimentary platform detection
-	lsb_dist=$( get_distribution )
-	lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
-
-	if is_wsl; then
-		echo
-		echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
-		echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
-		echo
-		cat >&2 <<-'EOF'
-
-			You may press Ctrl+C now to abort this script.
-		EOF
-		( set -x; sleep 20 )
-	fi
-
-	case "$lsb_dist" in
-
-		ubuntu)
-			if command_exists lsb_release; then
-				dist_version="$(lsb_release --codename | cut -f2)"
-			fi
-			if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
-				dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
-			fi
-		;;
-
-		debian|raspbian)
-			dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
-			case "$dist_version" in
-				10)
-					dist_version="buster"
-				;;
-				9)
-					dist_version="stretch"
-				;;
-				8)
-					dist_version="jessie"
-				;;
-			esac
-		;;
-
-		centos|rhel)
-			if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
-				dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
-			fi
-		;;
-
-		*)
-			if command_exists lsb_release; then
-				dist_version="$(lsb_release --release | cut -f2)"
-			fi
-			if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
-				dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
-			fi
-		;;
-
-	esac
-
-	# Check if this is a forked Linux distro
-	check_forked
-
-	# Run setup for each distro accordingly
-	case "$lsb_dist" in
-		ubuntu|debian|raspbian)
-			pre_reqs="apt-transport-https ca-certificates curl"
-			if [ "$lsb_dist" = "debian" ]; then
-				# libseccomp2 does not exist for debian jessie main repos for aarch64
-				if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then
-					add_debian_backport_repo "$dist_version"
-				fi
-			fi
-
-			if ! command -v gpg > /dev/null; then
-				pre_reqs="$pre_reqs gnupg"
-			fi
-			apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
-			(
-				if ! is_dry_run; then
-					set -x
-				fi
-				$sh_c 'apt-get update -qq >/dev/null'
-				$sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null"
-				$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null"
-				$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
-				$sh_c 'apt-get update -qq >/dev/null'
-			)
-			pkg_version=""
-			if [ -n "$VERSION" ]; then
-				if is_dry_run; then
-					echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
-				else
-					# Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
-					pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist"
-					search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
-					pkg_version="$($sh_c "$search_command")"
-					echo "INFO: Searching repository for VERSION '$VERSION'"
-					echo "INFO: $search_command"
-					if [ -z "$pkg_version" ]; then
-						echo
-						echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
-						echo
-						exit 1
-					fi
-					search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
-					# Don't insert an = for cli_pkg_version, we'll just include it later
-					cli_pkg_version="$($sh_c "$search_command")"
-					pkg_version="=$pkg_version"
-				fi
-			fi
-			(
-				if ! is_dry_run; then
-					set -x
-				fi
-				if [ -n "$cli_pkg_version" ]; then
-					$sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null"
-				fi
-				$sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null"
-			)
-			echo_docker_as_nonroot
-			exit 0
-			;;
-		centos|fedora|rhel)
-			yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
-			if ! curl -Ifs "$yum_repo" > /dev/null; then
-				echo "Error: Unable to curl repository file $yum_repo, is it valid?"
-				exit 1
-			fi
-			if [ "$lsb_dist" = "fedora" ]; then
-				pkg_manager="dnf"
-				config_manager="dnf config-manager"
-				enable_channel_flag="--set-enabled"
-				disable_channel_flag="--set-disabled"
-				pre_reqs="dnf-plugins-core"
-				pkg_suffix="fc$dist_version"
-			else
-				pkg_manager="yum"
-				config_manager="yum-config-manager"
-				enable_channel_flag="--enable"
-				disable_channel_flag="--disable"
-				pre_reqs="yum-utils"
-				pkg_suffix="el"
-			fi
-			(
-				if ! is_dry_run; then
-					set -x
-				fi
-				$sh_c "$pkg_manager install -y -q $pre_reqs"
-				$sh_c "$config_manager --add-repo $yum_repo"
-
-				if [ "$CHANNEL" != "stable" ]; then
-					$sh_c "$config_manager $disable_channel_flag docker-ce-*"
-					$sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
-				fi
-				$sh_c "$pkg_manager makecache"
-			)
-			pkg_version=""
-			if [ -n "$VERSION" ]; then
-				if is_dry_run; then
-					echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
-				else
-					pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix"
-					search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
-					pkg_version="$($sh_c "$search_command")"
-					echo "INFO: Searching repository for VERSION '$VERSION'"
-					echo "INFO: $search_command"
-					if [ -z "$pkg_version" ]; then
-						echo
-						echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
-						echo
-						exit 1
-					fi
-					search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
-					# It's okay for cli_pkg_version to be blank, since older versions don't support a cli package
-					cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
-					# Cut out the epoch and prefix with a '-'
-					pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
-				fi
-			fi
-			(
-				if ! is_dry_run; then
-					set -x
-				fi
-				# install the correct cli version first
-				if [ -n "$cli_pkg_version" ]; then
-					$sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version"
-				fi
-				$sh_c "$pkg_manager install -y -q docker-ce$pkg_version"
-			)
-			echo_docker_as_nonroot
-			exit 0
-			;;
-		*)
-			if [ -z "$lsb_dist" ]; then
-				if is_darwin; then
-					echo
-					echo "ERROR: Unsupported operating system 'macOS'"
-					echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
-					echo
-					exit 1
-				fi
-			fi
-			echo
-			echo "ERROR: Unsupported distribution '$lsb_dist'"
-			echo
-			exit 1
-			;;
-	esac
-	exit 1
-}
-
-# wrapped up in a function so that we have some protection against only getting
-# half the file during "curl | sh"
-do_install

roles/elk/tasks/main.yml

@@ -22,6 +22,6 @@
       replace: 'xpack.license.self_generated.type: basic'
      
   - name: Execution du fichier docker-compose.yml
-    shell: docker-compose up -d
+    shell: docker compose up -d
     args:
       chdir: /root/elk

roles/filebeat-cli/defaults/main.yml

@@ -0,0 +1 @@
+BEATVER: "8.5.3"

roles/filebeat-cli/handlers/main.yml

@@ -1,4 +1,4 @@
-- name: start filebeat
+- name: restart filebeat
   service:
     name: filebeat
     state: started

roles/filebeat-cli/tasks/main.yml

@@ -1,12 +1,12 @@
 ---
 - name: Récupération de filebeat
   get_url:
-    url: http://s-adm.gsb.adm/gsbstore/filebeat-7.16.3-amd64.deb
+    url: http://s-adm.gsb.adm/gsbstore/filebeat-${BEATVAR}-amd64.deb
     dest: /tmp/
 
 - name: Installation de filebeat
   apt:
-    deb: /tmp/filebeat-7.16.3-amd64.deb
+    deb: /tmp/filebeat-${BEATVEAR}-amd64.deb
 
 - name: Changement du fichier de conf
   copy:
@@ -15,9 +15,9 @@
 
 - name: Configuration de filebeat
   shell: filebeat modules enable system  
-  notify: start filebeat
+  notify: restart filebeat
  
 - name: Lancement de la configuration de filebeat
   shell: filebeat setup -e
-  notify: start filebeat
+  notify: restart filebeat
 

roles/fog/README.md

@@ -0,0 +1,16 @@
+# Fog
+
+Ce rôle permet l'installation et la modification de Fog.
+
+
+## Fog, c'est quoi ?
+
+
+Fog permet le déploiement d'images disque tel que Windows ou bien Linux en utilisant PXE (Preboot Execution Environment).
+
+
+## Comment l'installer ?
+
+
+Avant toute chose, lancer le fichier goss de s-fog ( présent dans gsb2023/goss/s-fog.yaml ) pour vérifier que la configuration réseau est correct et opérationnel. Une fois l'installation principale effectuée, il faut lancer le playbook ansible s-fog.yaml.
+Il faudra se rendre dans le dossier **fog** pour lancer le script **installfog.sh** ( fog/bin/ ). La configuration sera déjà établie via le fichier **.fogsettings**

roles/fog/files/fogsettings

@@ -0,0 +1,46 @@
+## Start of FOG Settings
+## Created by the FOG Installer
+## Find more information about this file in the FOG Project wiki:
+##     https://wiki.fogproject.org/wiki/index.php?title=.fogsettings
+## Version: 1.5.9
+## Install time: jeu. 26 janv. 2023 11:41:05
+ipaddress='172.16.64.16'
+copybackold='0'
+interface='enp0s9'
+submask='255.255.255.0'
+hostname='s-fog.gsb.lan'
+routeraddress='192.168.99.99'
+plainrouter='192.168.99.99'
+dnsaddress='172.16.0.1'
+username='fogproject'
+password='/7ElC1OHrP47EN2w59xl'
+osid='2'
+osname='Debian'
+dodhcp='y'
+bldhcp='1'
+dhcpd='isc-dhcp-server'
+blexports='1'
+installtype='N'
+snmysqluser='fogmaster'
+snmysqlpass='HHO5vSGqFiHE_9d2lja3'
+snmysqlhost='localhost'
+mysqldbname='fog'
+installlang='0'
+storageLocation='/images'
+fogupdateloaded=1
+docroot='/var/www/html/'
+webroot='/fog/'
+caCreated='yes'
+httpproto='http'
+startrange='172.16.64.10'
+endrange='172.16.64.254'
+bootfilename='undionly.kpxe'
+packages='apache2 bc build-essential cpp curl g++ gawk gcc genisoimage git gzip htmldoc isc-dhcp-server isolinux lftp libapache2-mod-php7.4 libc6 libcurl4 li>
+noTftpBuild=''
+sslpath='/opt/fog/snapins/ssl/'
+backupPath='/home/'
+armsupport='0'
+php_ver='7.4'
+php_verAdds='-7.4'
+sslprivkey='/opt/fog/snapins/ssl//.srvprivate.key'
+## End of FOG Settings

roles/fog/tasks/main.yml

@@ -1,11 +1,15 @@
 ---
+- name: creation d'un repertoire fog
+  file:
+    path: /root/tools/fog
+    state: directory
+
 - name: recuperation de l'archive d'installation fog sur git
   git:
     repo: https://gitea.lyc-lecastel.fr/gadmin/fog.git
     dest: /root/tools/fog/
     clone: yes
     update: yes
-    force: yes
 
 - name: Modification fichier bash (desac UDPCast)
   ansible.builtin.lineinfile:
@@ -13,3 +17,10 @@
     regexp: '^configureUDPCast\(\).*'
     line: "configureUDPCast() {\nreturn"
     backup: yes
+
+- name: fichier config fogsettings
+  command: "cp /root/tools/ansible/roles/fog/files/fogsettings /opt/fog/"
+
+- name: fichier fogsettings en .fogsettings
+command: "mv /opt/fog/fogsettings /opt/fog/.fogsettings"
+

roles/fw-ferm/files/ferm.conf.r-vp1

@@ -4,7 +4,7 @@
 
 @def $DEV_PRIVATE = enp0s8;
 @def $DEV_WORLD = enp0s9;
-
+@def $DEV_VPN= wg0;
 @def $NET_PRIVATE = 172.16.0.0/24;
 
 table filter {
@@ -33,23 +33,24 @@ table filter {
         # we provide DNS and SMTP services for the internal net
         interface $DEV_PRIVATE saddr $NET_PRIVATE {
             proto (udp tcp) dport domain ACCEPT;
-            proto udp dport bootps ACCEPT;            
-        }
-
-        # interface réseau 
-        interface $DEV_WORLD {
-            
+            proto udp dport bootps ACCEPT;
         }
+        # interface réseau
 
         # the rest is dropped by the above policy
     }#FIN INPUT
 
     # outgoing connections are not limited
-    chain OUTPUT policy ACCEPT;
+    chain OUTPUT {
+        policy ACCEPT;
+#	interface $DEV_VPN proto ssh dport 22 ACCEPT;
+
+    }#FIN OUTPUT
 
     chain FORWARD {
         policy ACCEPT;
 
+        proto icmp icmp-type echo-request ACCEPT;
         # connection tracking
         mod state state INVALID DROP;
         mod state state (ESTABLISHED RELATED) ACCEPT;

roles/fw-ferm/files/ferm.conf.r-vp2

@@ -4,7 +4,7 @@
 
 @def $DEV_PRIVATE = enp0s9;
 @def $DEV_WORLD = enp0s8;
-
+@def $DEV_VPN= wg0;
 @def $NET_PRIVATE = 172.16.0.0/24;
 
 table filter {
@@ -34,7 +34,12 @@ table filter {
             proto (udp tcp) dport domain ACCEPT;
             proto udp dport bootps ACCEPT;
         }
-
+        interface $DEV_VPN{
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        # disallow ssh
+        saddr proto tcp dport ssh ACCEPT;
+        }
         # interface réseau
         interface $DEV_WORLD {
 
@@ -44,8 +49,14 @@ table filter {
     }#FIN INPUT
 
     # outgoing connections are not limited
-    chain OUTPUT policy ACCEPT;
-
+    chain OUTPUT {policy ACCEPT;
+        interface $DEV_VPN{
+        # allow ssh
+        daddr proto tcp dport ssh DROP;
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        }
+}
     chain FORWARD {
         policy ACCEPT;
 

roles/fw-ferm/files/iptables.test.r-vp1

@@ -0,0 +1,43 @@
+# Définir la politique par défaut
+iptables -P INPUT DROP
+iptables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+
+# Autoriser le trafic pour le VPN
+iptables -A INPUT -p udp --dport 51820 -j ACCEPT
+
+# Autoriser les connexions établies et connexes
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Autoriser les connexions sur l'interface loopback
+iptables -A INPUT -i lo -j ACCEPT
+
+# Autoriser les requêtes ping
+iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# Autoriser les connexions SSH depuis le réseau privé et depuis certains hôtes internet
+iptables -A INPUT -p tcp -s 172.16.0.0/24,81.209.165.42 --dport ssh -j ACCEPT
+
+# Autoriser les connexions DNS et SMTP sur l'interface privée
+iptables -A INPUT -i enp0s9 -s 172.16.0.0/24 -p udp --dport domain -j ACCEPT
+iptables -A INPUT -i enp0s9 -s 172.16.0.0/24 -p tcp --dport domain -j ACCEPT
+iptables -A INPUT -i enp0s9 -s 172.16.0.0/24 -p udp --dport bootps -j ACCEPT
+
+# Autoriser les requêtes ping sur l'interface VPN
+iptables -A INPUT -i wg0 -p icmp --icmp-type echo-request -j ACCEPT
+
+# Interdire les connexions SSH sur l'interface VPN
+iptables -A INPUT -i wg0 -s 0.0.0.0/0 -p tcp --dport ssh -j DROP
+
+# Interdire les connexions SSH sortantes sur l'interface VPN
+iptables -A OUTPUT -o wg0 -d 0.0.0.0/0 -p tcp --dport ssh -j DROP
+
+# Autoriser le trafic sur l'interface publique
+iptables -A INPUT -i enp0s8 -j ACCEPT
+
+# Autoriser les connexions depuis l'interface privée vers l'interface publique ou une autre interface privée
+iptables -A FORWARD -i enp0s9 -o enp0s8 -j ACCEPT
+iptables -A FORWARD -i enp0s9 -o enp0s9 -j ACCEPT
+
+# Interdire toutes les autres connexions de forwarding
+iptables -A FORWARD -j DROP

roles/fw-ferm/files/iptables.test.r-vp2

@@ -0,0 +1,50 @@
+# Politique par défaut : DROP
+iptables -P INPUT DROP
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+
+# Autoriser les connexions VPN entrantes
+iptables -A INPUT -p udp --dport 51820 -j ACCEPT
+
+# Autoriser les connexions établies et apparentées
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Autoriser les connexions depuis l'interface locale
+iptables -A INPUT -i lo -j ACCEPT
+
+# Autoriser les requêtes ping
+iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# Autoriser les connexions SSH depuis le réseau privé et depuis certains hôtes Internet
+iptables -A INPUT -s 172.16.0.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+iptables -A INPUT -s 81.209.165.42 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# Autoriser les connexions DNS et SMTP depuis le réseau privé
+iptables -A INPUT -i enp0s8 -s 172.16.0.0/24 -p udp --dport 53 -j ACCEPT
+iptables -A INPUT -i enp0s8 -s 172.16.0.0/24 -p tcp --dport 53 -j ACCEPT
+iptables -A INPUT -i enp0s8 -s 172.16.0.0/24 -p udp --dport 67 -j ACCEPT
+
+# Autoriser le trafic sortant
+iptables -A OUTPUT -j ACCEPT
+
+# Autoriser les requêtes ping sortantes
+iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# Autoriser les connexions SSH sortantes
+iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# Autoriser les connexions VPN sortantes
+iptables -A FORWARD -i wg0 -o enp0s9 -j ACCEPT
+iptables -A FORWARD -i enp0s9 -o wg0 -j ACCEPT
+
+# Interdire les connexions SSH entrantes depuis l'interface VPN
+iptables -A FORWARD -i wg0 -p tcp --dport 22 -j DROP
+
+# Autoriser les connexions SSH sortantes vers l'interface VPN
+iptables -A FORWARD -o wg0 -p tcp --dport 22 -j ACCEPT
+
+# Autoriser les connexions établies et apparentées
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Autoriser le trafic depuis le réseau privé
+iptables -A FORWARD -i enp0s8 -o enp0s9 -j ACCEPT

roles/goss/defaults/main.yml

@@ -1,3 +1,2 @@
 depl_url: "http://s-adm.gsb.adm/gsbstore"
 depl_goss: "goss"
-

roles/goss/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: goss binary exists
   stat: path=/usr/local/bin/goss
   register: gossbin
@@ -18,4 +17,3 @@
     mode: 0755
     remote_src: yes
   when: gossbin.stat.exists == false and ansible_hostname == "s-adm"
-

roles/lb-web/tasks/main.yml

@@ -13,16 +13,3 @@
   apt:
     name: nfs-common
     state: present
-
-- name: montage nfs pour word press
-  blockinfile:
-    path: /etc/fstab
-    block: |
-      192.168.102.253:/home/wordpress /var/www/html nfs soft,timeo=5,intr,rsize=8192,wsize=8192,wsize=8192 0 0
-
-      #- name: monte export wordpress
-      #  ansible.posix.mount:
-      #    path: /var/www/html
-      #    state: mounted
-      #    fstype: nfs
-      #    src: 192.168.102.253:/exports/wordpress

roles/metricbeat-cli/defaults/main.yml

@@ -0,0 +1 @@
+BEATVER: "8.5.3"

roles/metricbeat-cli/handlers/main.yml

@@ -1,5 +1,5 @@
-- name: start metricbeat
+- name: restart metricbeat
   service:
     name: metricbeat
-    state: started
+    state: restarted
     enabled: yes

roles/metricbeat-cli/tasks/main.yml

@@ -1,12 +1,12 @@
 ---
 - name: Récupération de metricbeat
   get_url:
-    url: http://s-adm.gsb.adm/gsbstore/metricbeat-7.16.3-amd64.deb
+    url: http://s-adm.gsb.adm/gsbstore/metricbeat-${BEATVER}-amd64.deb
     dest: /tmp/
 
 - name: Installation de metricbeat
   apt:
-    deb: /tmp/metricbeat-7.16.3-amd64.deb
+    deb: /tmp/metricbeat-${BEATVER}-amd64.deb
 
 - name: Changement du fichier de conf
   copy:
@@ -15,9 +15,9 @@
 
 - name: Configuration de metricbeat
   shell: metricbeat modules enable system  
-  notify: start metricbeat
+  notify: restart metricbeat
  
 - name: Lancement de la configuration de metricbeat
   shell: metricbeat setup -e
-  notify: start metricbeat
+  notify: restart metricbeat
 

roles/nagios/files/cfg/localhost.cfg

@@ -26,6 +26,7 @@ define host {
     host_name               localhost
     alias                   localhost
     address                 127.0.0.1
+    parents		    r-int
 }
 
 

roles/nagios/files/cfg/s-adm.cfg

@@ -9,5 +9,6 @@ define host{
         host_name               s-adm
         alias                   debian-servers
         address                 192.168.99.99
+	parents			r-int
         }
 

roles/nagios/files/cfg/s-appli.cfg

@@ -9,5 +9,6 @@ define host{
         host_name               s-appli
         alias                   debian-servers
         address                 172.16.0.3
+	parents			r-int
         }
 

roles/nagios/files/cfg/s-backup.cfg

@@ -9,5 +9,6 @@ define host{
         host_name               s-backup
         alias                   serveur proxy
         address                 172.16.0.4
+	parents			r-int
         }
 

roles/nagios/files/cfg/s-fog.cfg

@@ -9,6 +9,7 @@ define host{
         host_name               s-fog
         alias                   serveur proxy
         address                 172.16.0.16
+	parents			r-int
         }
 
 

roles/nagios/files/cfg/s-infra.cfg

@@ -9,5 +9,6 @@ define host{
         host_name               s-infra
         alias                   debian-servers
         address                 172.16.0.1
+	parents			r-int
         }
 

roles/nagios/files/cfg/s-itil.cfg

@@ -9,6 +9,7 @@ define host{
         host_name               s-itil
         alias                   serveur proxy
         address                 172.16.0.9
+	parents			r-int
         }
 
 

roles/nagios/files/cfg/s-nxc.cfg

@@ -9,5 +9,6 @@ define host{
         host_name               s-nxc
         alias                   debian-servers
         address                 172.16.0.7
+	parents			r-int
         }
 

roles/nagios/files/cfg/s-proxy.cfg

@@ -9,6 +9,7 @@ define host{
         host_name               s-proxy
         alias                   serveur proxy
         address                 172.16.0.2
+	parents			r-int
         }
 
 

roles/nagios/files/cfg/s-win.cfg

@@ -9,6 +9,7 @@ define host{
         host_name               s-win
         alias                   serveur proxy
         address                 172.16.0.6
+	parents			r-int
         }
 
 

roles/peertube/files/resolv.conf

@@ -0,0 +1 @@
+nameserver 192.168.99.99

roles/peertube/files/values.yaml

@@ -0,0 +1,139 @@
+replicaCount: 1
+image:
+  repository: chocobozzz/peertube
+  pullPolicy: IfNotPresent
+  tag: "v5.0.1-bullseye"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  create: false
+  annotations: {}
+  name: ""
+podAnnotations: {}
+podSecurityContext: {}
+securityContext: {}
+
+service:
+  type: ClusterIP
+  port: 9000
+  nginxPort: 9001
+
+## default config for postgresql should work, but feel free to modify it if required.
+# must stay consistent with peertube configuration, otherwise peertube will crash
+postgresql:
+  enabled: true
+  primary:
+    persistence:
+      enabled: true
+      existingClaim: "pvc-postgres"
+  global:
+    postgresql:
+      auth:
+        postgrePassword: "admin"
+        username: "user"
+        password: "user"
+        database: "peertube"
+
+## the main list of variables tha will be applied in the peertube container
+# any error or misconfiguration will make peertube crash.
+peertube:
+  env:
+    dbUser: user # must be consistent with postgresql configuration
+    dbPasswd: user # must be consistent with postgresql configuration
+    dbSsl: false # disabled by default WARNING: ssl connection feature not tested, use at your own risk
+    dbHostname: peertube-postgresql # must be consistent with postgresql configuration
+    webHostname: peertube # must be changed to your local setup
+    secret: b2753b0f37444974de0e81f04815e6a889fcf8960bd203a01b624d8fa8a37683
+    smtpHostname: peertube-mail # must be consistent with mail configuration
+    smtpPort: 587 # must be consistent with mail configuration
+    smtpFrom: noreply@lan.lan # not configured by default, add something meaningfull if you want
+    smtpTls: false # disabled by default WARNING: tls connection feature not tested, use at your own risk
+    smtpDisableStartTls: false # unless crashes related to tls/ssl, this should be unchanged
+    adminEmail: root@localhost.lan # use this if you want peopleto be able to reach you 
+    redisHostname: peertube-redis-master # must be consistent with redis configuration
+    redisAuth: peertube # must be consistent with redis configuration
+  app:
+    userCanRegister: true # control if people can register by themselves
+    rootPasswd: rootroot # CHANGE THIS! the default admin username is 'root' this variable define the password
+## the next section configure at wich quality videos will be transcoded 
+    transcoding360: true
+    transcoding480: true
+    transcoding720: true
+    transcoding1080: false
+    transcoding2160: false
+
+## the configuration of the postfix server called 'mail' here 
+# change these settings if you know what you are doing
+mail:
+  enbled: true
+  config:
+    general:
+      ALLOWED_SENDER_DOMAINS: # should be the same as your web domain
+      DKIM_AUTOGENERATE: "yes"
+    opendkim:
+      RequireSafeKeys: "no"
+    postfix:
+       smtp_tls_security_level: "secure" # works by default, any other tls level is untested
+  persistence:
+    enabled: false
+  service:
+    port: 587
+
+## the configuration of the redis server
+redis:
+  master:
+    persistence:
+      enabled: true
+      existingClaim: "pvc-redis"
+  replica:
+    persistence:
+      enabled: true
+      existingClaim: "pvc-redis"
+  auth:
+    enbled: true
+    password: "peertube"
+
+## ingress configuration is very specific this part must be configured or else you'll get 503 or 404 errors
+ingress:
+  enabled: false
+  className: ""
+  annotations: 
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-body-size: 4G # this caps the size of imported videos, if set low this might prevent you from uploading videos
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: # your domain here
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: 
+  #  - secretName: chart-example-tls
+    - hosts:
+      -  # your domain here
+
+resources: {}
+autoscaling:
+  enabled: true
+  minimumReplicas: 3
+  maximumReplicas: 20
+  targetCPUUtilizationPercentage: 90
+  targetMemoryUtilizationPercentage: 75
+  windowSeconds: 120
+  minCPUPercentage: 20
+  minMemoryPercentage: 30
+
+## this section should be configured to match your needs and available ressources
+persistence:
+  enabled: true
+  reclaimPolicy: Retain
+  redisVolumeStorage: 1Gi
+  peertubeVolumeStorage: 5Gi
+  postgresqlVolumeStorage: 1Gi
+  accessMode: ReadWriteOnce 
+
+nodeSelector: {}
+tolerations: []
+affinity: {}

roles/peertube/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+  - name: installation de docker...
+    shell: curl https://releases.rancher.com/install-docker/20.10.sh | sh
+
+  - name: installation de k3s...
+    shell: curl -sfL https://get.k3s.io | sh -s - --docker
+
+  - name: exposition du cluster...
+    shell: export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+
+  - name: mise a jour de resolv.conf...
+    copy:
+      src: /root/tools/ansible/gsb2023/roles/peertube/files/resolv.conf
+      dest: /etc/
+      mode: '0644'
+
+  - name: création du répertoire du dépot peertube...
+    file:
+      path: /root/tools/peertube
+      state: directory
+      mode: '0755'
+
+  - name: clonage du dépot peertube...
+    git:
+      repo: https://github.com/Elam-Monnot/Peertube-helm.git
+      dest: /root/tools/peertube
+      clone: yes
+      force: yes
+
+  - name: copie de values.yaml...
+    copy:
+      src: /root/tools/ansible/gsb2023/roles/peertube/files/values.yaml
+      dest: /root/tools/peertube/helm/
+      mode: '0644'
+
+  - name: installation de helm...
+    shell: curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+  - name: installation de peertube...
+    shell: helm repo add postgresql https://charts.bitnami.com/bitnami && helm repo add redis https://charts.bitnami.com/bitnami && helm repo add mail https://bokysan.github.io/docker-postfix 
+
+  - name: lancement du helm chart peertube...
+    shell: helm install --create-namespace -n peertube peertube-gsb /root/tools/peertube/helm

roles/post-lb/README.md

@@ -0,0 +1,7 @@
+# Rôle Post
+
+Le rôle "post" copie la configuration des interfaces des cartes réseaux nécessaires selon la machine sur laquelle on exécute le rôle. Il place cette configuration dans /etc/network/interfaces.
+
+Ensuite, on copie le fichier "resolv.conf" dans /etc/ lorsque que la machine qui exécute le rôle n'est pas "s-adm", "s-proxy" ou "r-vp2".
+
+Cependant, si la machine qui exécute le rôle est "s-proxy", on copie le fichier "resolv.conf.s-proxy" dans /etc/resolv.conf

roles/post-lb/files/interfaces.s-lb-web1

@@ -0,0 +1,21 @@
+### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100)
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# carte n-adm
+allow-hotplug enp0s3
+iface enp0s3 inet static
+	address 192.168.99.101/24
+
+# Réseau n-dmz-lb
+allow-hotplug enp0s8
+iface enp0s8 inet static
+        address 192.168.101.1/24
+
+# réseau n-dmz-db
+allow-hotplug enp0s9
+iface enp0s9 inet static
+        address 192.168.102.1/24
+	post-up mount -o rw 192.168.102.253:/home/wordpress /var/www/html

roles/post-lb/files/interfaces.s-lb-web2

@@ -0,0 +1,21 @@
+### 0.2 - putconf - jeudi 7 janvier 2016, 16:18:49 (UTC+0100)
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# carte n-adm
+allow-hotplug enp0s3
+iface enp0s3 inet static
+	address 192.168.99.101/24
+
+# Réseau n-dmz-lb
+allow-hotplug enp0s8
+iface enp0s8 inet static
+        address 192.168.101.1/24
+
+# réseau n-dmz-db
+allow-hotplug enp0s9
+iface enp0s9 inet static
+        address 192.168.102.1/24
+	post-up mount -o rw 192.168.102.253:/home/wordpress /var/www/html

roles/post-lb/files/resolv.conf

@@ -0,0 +1,4 @@
+search gsb.lan
+domain gsb.lan
+nameserver 172.16.0.1
+

roles/post-lb/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+
+
+- name: Copie interfaces
+  copy: src=interfaces.{{ ansible_hostname }} dest=/etc/network/interfaces
+
+- name: Copie resolv.conf
+  copy: src=resolv.conf dest=/etc/
+  when: ansible_hostname != "s-adm" and ansible_hostname != "s-proxy"
+
+- name: pas de chgt resolv.conf pour r-vp2
+  meta: end_play
+  when: ansible_hostname == "r-vp2"
+
+- name: Copie resolv.conf pour s-proxy
+  copy: src=resolv.conf.s-proxy dest=/etc/resolv.conf
+  when: ansible_hostname == "s-proxy"
+
+#- name: Confirm
+#  prompt: "<Entree> pour redemarrer ..."
+
+#- name: Reboot
+#  shell: reboot
+

roles/post/files/interfaces.s-peertube

@@ -0,0 +1,17 @@
+### 0.1 - putconf - jeudi 30 mars 2023, 8:11:30 (UTC+0100)
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# carte n-adm
+allow-hotplug enp0s3
+iface enp0s3 inet static
+	address 192.168.99.120/24
+	gateway 192.168.99.99
+
+# Réseau n-dmz
+allow-hotplug enp0s8
+iface enp0s8 inet static
+        address 192.168.100.20/24
+	post-up systemctl start k3s && export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

roles/post/tasks/main.yml

@@ -21,4 +21,3 @@
 
 #- name: Reboot
 #  shell: reboot
-

roles/wireguard-r/README.md

@@ -1,19 +1,32 @@
-Procédure d'installation de **r-vp1** et de copie du fichier wg0-b.conf.
+
+# <p align="center">Procédure d'installation </p>
+  
+de **r-vp1** et de copie du fichier wg0-b.conf.
+
 ***
+## Sur **r-vp1**:
+Attendre la fin de l'installation. Ensuite lancer un serveur http avec python3 pour récuperer le fichier wg0-b.conf sur **r-vp2** . 
 
+### 🛠️ Lancer le script
+```bash
+cd /tools/ansible/gsb2023/Scripts
+```
+```bash
+bash r-vp1-post.sh
+```
+## Sur **r-vp2**:
 
-Depuis **r-vp1** se deplacer dans le repertoire **/tools/ansible/gsb2023** pour executer le playbook:
-**"ansible-playbook -i localhost, -c local r-vp1.yml"** puis reboot **r-vp1**.
-
-
-Sur **r-vp1**:
-
-Attendre la fin de l'installation. Ensuite lancer un serveur http avec python3 pour récuperer le fichier
-wg0-b.conf sur **r-vp2** . Lancer le script **r-vp1-post.sh** dans **/tools/ansible/gsb2023/Scripts**.
-
-
-Sur **r-vp2**:
-
-Lancer le script r-vp2-post.sh dans **/tools/ansible/gsb2023/Scripts** pour recuperer wg0-b.conf
-et qui renomme le fichier en **wg0.conf** . Il redémarre et active le service **wg-quick@wg0**.
+Lancer le script r-vp2-post.sh pour récuperer le fichier de configuration et activer l'interface wg0.
+### 🛠️ Lancer le script
+```bash
+cd /tools/ansible/gsb2023/Scripts
+```
+```bash
+bash r-vp2-post.sh
+```
+## Fin
 
+redemarer les machines
+```bash
+reboot
+```

s-adm.yml

@@ -4,7 +4,6 @@
 
   roles:
     - base
-    - goss
     - s-ssh
     - dnsmasq
     - squid
@@ -12,3 +11,4 @@
     - snmp-agent
     - syslog-cli
     - post
+#    - goss

s-lb-web1.yml

@@ -4,7 +4,7 @@
 
   roles:
     - base
-    - post
+    - post-lb
     - lb-web
     - snmp-agent
     - ssh-cli

s-lb-web2.yml

@@ -4,7 +4,8 @@
 
   roles:
     - base
-    - post
+    - post-lb
     - lb-web
     - snmp-agent
     - ssh-cli
+

s-peertube.yml

@@ -0,0 +1,10 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - base
+    - post
+    - snmp-agent
+    - ssh-cli
+    - peertube

scripts/addint.s-peertube

@@ -0,0 +1,18 @@
+#!/bin/bash
+nom=s-peertube
+
+# N-adm (enp0s3)
+
+VBoxManage modifyvm $nom --nic1 intnet
+VBoxManage modifyvm $nom --intnet1 "n-adm"
+VBoxManage modifyvm $nom --nictype1 82540EM
+VBoxManage modifyvm $nom --cableconnected1 on
+VBoxManage modifyvm $nom --nicpromisc1 allow-all
+
+# N-dmz (enp0s8)
+
+VBoxManage modifyvm $nom --nic2 intnet
+VBoxManage modifyvm $nom --intnet2 "n-dmz"
+VBoxManage modifyvm $nom --nictype2 82540EM
+VBoxManage modifyvm $nom --cableconnected2 on
+VBoxManage modifyvm $nom --nicpromisc2 allow-all

scripts/debian11/chname

@@ -0,0 +1,14 @@
+#!/bin/bash
+if [[ $# != 1 ]] ; then
+	echo "$0 - renomme une VM"  
+	echo "usage : $0 <nouveaunom> "
+	exit 1
+fi
+if [[ $1 == "version" ]] ; then
+	echo 'chname v1.1 pour debian 11'
+	exit 0
+fi
+oldname=$(hostname)
+sed -i "s/${oldname}/$1/g" /etc/host{s,name}
+echo 'redemarrer pour finaliser le changement du nom'
+exit 0

scripts/debian11/gsb-start

@@ -0,0 +1,11 @@
+#!/bin/bash
+apt-get  update
+#upgrade -y
+mkdir -p /root/tools/ansible
+cd /root/tools/ansible
+git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git
+cd gsb2023/pre
+export DEPL=192.168.99.99
+bash gsbboot
+cd ../..
+bash pull-config

scripts/debian11/s-adm-start

@@ -0,0 +1,15 @@
+#!/bin/bash
+apt-get  update
+#apt upgrade -y;
+mkdir -p tools/ansible
+cd tools/ansible
+git clone https://gitea.lyc-lecastel.fr/gadmin/gsb2023.git;
+cd gsb2023/pre
+bash inst-depl
+cd /var/www/html/gsbstore
+bash getall
+cd /root/tools/ansible/gsb2023/pre
+bash gsbboot
+cd ..
+bash pull-config
+

scripts/mkvm

@@ -1,9 +1,9 @@
 #!/bin/bash
 
-mkvmrelease="v1.2.1"
+mkvmrelease="v1.2.2"
 
-ovarelease="2023a"
-ovafogrelease="2023a"
+ovarelease="2023b"
+ovafogrelease="2023b"
 ovafile="$HOME/Téléchargements/debian-bullseye-gsb-${ovarelease}.ova"
 ovafilefog="$HOME/Téléchargements/debian-buster-gsb-${ovafogrelease}.ova"
 deletemode=0
@@ -96,6 +96,8 @@ elif [[ "${vm}" == "s-web-ext" ]] ; then
         create_if "${vm}" "n-adm" "n-dmz"
 elif [[ "${vm}" == "s-nxc" ]] ; then
         create_if "${vm}" "n-adm" "n-infra"
+elif [[ "${vm}" == "s-elk" ]] ; then
+        create_if "${vm}" "n-adm" "n-infra"
 elif [[ "${vm}" == "s-lb" ]] ; then
         create_if "${vm}" "n-adm" "n-dmz" "n-dmz-lb"
 elif [[ "${vm}" == "s-lb-web1" ]] ; then
@@ -108,6 +110,8 @@ elif [[ "${vm}" == "s-lb-bd" ]] ; then
         create_if "${vm}" "n-adm" "n-dmz-db"
 elif [[ "${vm}" == "s-nas" ]] ; then
         create_if "${vm}" "n-adm" "n-dmz-db"
+elif [[ "${vm}" == "s-peertube" ]] ; then
+	./addint.s-peertube
 elif [[ "${vm}" == "r-vp1" ]] ; then
 	./addint.r-vp1
 elif [[ "${vm}" == "r-vp2" ]] ; then

scripts/mkvm.ps1

@@ -3,9 +3,9 @@
 
 #mkvm pour toutes les vms
 
-$mkvmrelease="v1.2"
-$ovarelease="2023a"
-$ovafogrelease="2023a"
+$mkvmrelease="v1.2.2"
+$ovarelease="2023b"
+$ovafogrelease="2023b"
 $ovafile="$HOME\Downloads\debian-bullseye-gsb-${ovarelease}.ova"
 $ovafilefog="$HOME\Downloads\debian-buster-gsb-${ovafogrelease}.ova"
 $vboxmanage="C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
@@ -87,6 +87,11 @@ elseif (((((((($args[0] -eq "s-elk") `
 	create_vm $args[0]
 	create_if $args[0] "int" 1 "n-adm"
 	create_if $args[0] "int" 2 "n-infra"
+	if ($args[0] -eq "s-elk") {
+
+		& "$vboxmanage" modifyvm "$args[0]" --memory 4096
+		Write-Host "$args[0] : 4096 RAM OK"
+	}
 }
 
 elseif ($args[0] -eq "s-fog") {
@@ -153,4 +158,4 @@ elseif ($args[0] -eq "r-vp2") {
 
 else {
 	usage
-}
+}

scripts/r-vp2-post.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #recuperation du fichier de config
-wget http://r-vp1.gsb.adm:8000/wg0-b.qconf
+wget http://r-vp1.gsb.adm:8000/wg0-b.conf
 #renomage fichier et mv
 mv ./wg0-b.conf /etc/wireguard/wg0.conf
 #activation interface wg0