gsb/gsb2024
3
3
Fork 0
Code Issues 2 Pull Requests Packages Projects Releases 3 Wiki Activity

Premier commit

Browse Source
This commit is contained in:
phil
2023-12-18 23:20:30 +01:00
parent ec25c6dba9
commit 62ef5fa4e9
577 changed files with 46490 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
roles/apache2/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: restart apache2
service: name=apache2 state=restarted
- name: restart mysql-server
service: name=mysql-server state=restarted

14
roles/apache2/tasks/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Update apt cache
apt: update_cache=yes cache_valid_time=3600
- name: Install required software
apt: name={{ item }} state=present
with_items:
- apache2
- mariadb-server
- php-mysql
- php
- libapache2-mod-php
- php-mcrypt
- python-mysqldb

4
roles/appli/README.md Normal file
View File

@@ -0,0 +1,4 @@
## Fonctionnement du rôle appli
Ce rôle permet de créer un serveur wordpress avec MariaDB et apache.
Ce rôle permet aussi de créer la base de donnée nécessaire pour wordpress.

4
roles/appli/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart apache
service: name=apache2 state=restarted
become: yes

72
roles/appli/tasks/main.yml Normal file
View File

@@ -0,0 +1,72 @@
---
- name: Installation des packets
apt:
state: present
name:
- php
- php-fpm
- php-mbstring
- php-ssh2
- php-gd
- php-mysql
- python3-mysqldb
- libapache2-mod-php
- mariadb-server
- apache2
- python3
- name: Création du répertoire pour wordpress
file:
path: /var/www/html/wordpress
state: directory
- name: Téléchargement de wordpress
get_url:
url: http://s-adm.gsb.adm/gsbstore/wordpress-5.8.2-fr_FR.tar.gz
dest: /var/www/html
- name: Extraction du fichier wordpress
unarchive:
src: /var/www/html/wordpress-5.8.2-fr_FR.tar.gz
dest: /var/www/html
- name: Fix permissions owner
shell: chown -R www-data /var/www/html/wordpress
- name: Fix permissions groups
shell: chgrp -R www-data /var/www/html/wordpress
- name: Mettre à jour le site Apache par défaut
lineinfile:
dest: /etc/apache2/sites-enabled/000-default.conf
regexp: "(.)+DocumentRoot /var/www/html"
line: "DocumentRoot /var/www/html/wordpress"
- name: restart apache2
service:
name: apache2
state: restarted
- name: Mettre à jour le fichier de configuration WordPress
lineinfile:
dest: /var/www/html/wordpress/wp-config-sample.php
backup: yes
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
- {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
- {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
- {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
- name: Création de la base de donnée mysql
mysql_db:
name: wordpress
state: present
- name: Création de l'utilisateur mysql
mysql_user:
name: wordpress
password: wp
priv: "*.*:ALL"

1
roles/base/files/apt.conf Normal file
View File

@@ -0,0 +1 @@
Acquire::http::Proxy "http://192.168.99.99:8080";

4
roles/base/files/resolv.conf Normal file
View File

@@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 192.168.99.99

10
roles/base/files/sources.list Normal file
View File

@@ -0,0 +1,10 @@
#
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
deb http://security.debian.org/ wheezy/updates main
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
deb http://http.debian.net/debian wheezy-backports main

4
roles/base/files/sources.list.Debian Normal file
View File

@@ -0,0 +1,4 @@
deb http://deb.debian.org/debian/ bullseye main non-free contrib
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free

13
roles/base/files/sources.list.Ubuntu Normal file
View File

@@ -0,0 +1,13 @@
#------------------------------------------------------------------------------#
# OFFICIAL UBUNTU REPOS #
#------------------------------------------------------------------------------#
###### Ubuntu Main Repos
deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe
###### Ubuntu Update Repos
deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe
deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe

9
roles/base/files/sources.list.buster Normal file
View File

@@ -0,0 +1,9 @@
#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
#deb http://security.debian.org/ stretch/updates main
#deb http://ftp.fr.debian.org/debian/ stretch-updates main
deb http://deb.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb http://deb.debian.org/debian/ buster-updates main contrib non-free

22
roles/base/files/sources.list.jessie Normal file
View File

@@ -0,0 +1,22 @@
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free
#deb-src http://ftp.fr.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
#deb-src http://security.debian.org/ jessie/updates main
deb http://ftp.fr.debian.org/debian/ jessie-updates main
#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main
#deb http://backports.debian.org/debian-backports jessie-backports main
#deb http://packages.steve.org.uk/slaughter/jessie/ ./
#deb https://rex.linux-files.org/debian/ jessie rex
#deb http://http.debian.net/debian jessie-backports main

22
roles/base/files/sources.list.wheezy Normal file
View File

@@ -0,0 +1,22 @@
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
#deb-src http://ftp.fr.debian.org/debian/ wheezy main
deb http://security.debian.org/ wheezy/updates main
#deb-src http://security.debian.org/ wheezy/updates main
deb http://ftp.fr.debian.org/debian/ wheezy-updates main
#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
#deb http://backports.debian.org/debian-backports wheezy-backports main
#deb http://packages.steve.org.uk/slaughter/wheezy/ ./
#deb https://rex.linux-files.org/debian/ wheezy rex
deb http://http.debian.net/debian wheezy-backports main

76
roles/base/tasks/main.yml Normal file
View File

@@ -0,0 +1,76 @@
---
- name: Copie sources.list
copy:
src: sources.list.{{ ansible_distribution }}
dest: /etc/apt/sources.list
- name: Copie apt.conf pour proxy
copy:
src: apt.conf
dest: /etc/apt/apt.conf
when: ansible_hostname != "s-adm"
#- name: Sysctl desactive ipv6
# sysctl:
# name: net.ipv6.conf.all.disable_ipv6
# value: 1
# sysctl_set: yes
# state: present
# reload: yes
- name: Update + Upgrade
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
- name: Install paquets
apt:
state: present
name:
- vim
- ntp
- mc
- tcpdump
- curl
- net-tools
- rsync
- sudo
- iptables
- name: Desinstall paquets
apt:
state: absent
name:
- nfs-common
- rpcbind
- bluetooth
- name: Configure Vim
alternatives:
name: editor
path: /usr/bin/vim
- name: Generation /etc/hosts
template:
src: hosts.j2
dest: /etc/hosts
when: ansible_hostname != "s-proxy"
- name: Generation /etc/hosts pour s-proxy
template:
src: hosts.s-proxy.j2
dest: /etc/hosts
when: ansible_hostname == "s-proxy"
- name: Desactive IPV6 avec sysctl
sysctl:
name: "{{ item }}"
value: 1
state: present
reload: yes
with_items:
- net.ipv6.conf.all.disable_ipv6
- net.ipv6.conf.default.disable_ipv6
- net.ipv6.conf.lo.disable_ipv6

34
roles/base/templates/hosts.j2 Normal file
View File

@@ -0,0 +1,34 @@
127.0.0.1 localhost
127.0.1.1 {{ ansible_nodename }}.gsb.lan {{ ansible_hostname }}
127.0.0.1 localhost ip6-localhost ip6-loopback
#10.121.38.10 depl.sio.lan depl
192.168.99.99 s-adm.gsb.adm depl.sio.lan depl
192.168.99.1 s-infra.gsb.adm
192.168.99.2 s-proxy.gsb.adm
192.168.99.3 s-appli.gsb.adm
192.168.99.4 s-backup.gsb.adm
192.168.99.5 s-puppet.gsb.adm
192.168.99.6 s-win.gsb.adm
192.168.99.7 s-nxc.gsb.adm
192.168.99.8 s-mon.gsb.adm
192.168.99.9 s-itil.gsb.adm
192.168.99.10 s-lb.gsb.adm
192.168.99.11 s-elk.gsb.adm
192.168.99.10 s-dns.gsb.adm
192.168.99.12 r-int.gsb.adm
192.168.99.13 r-ext.gsb.adm
192.168.99.14 s-nas.gsb.adm
192.168.99.15 s-san.gsb.adm
192.168.99.16 s-fog.gsb.adm
192.168.99.50 s-lb-bd.gsb.adm
192.168.99.101 s-lb-web1.gsb.adm
192.168.99.102 s-lb-web2.gsb.adm
192.168.99.103 s-lb-web3.gsb.adm
192.168.99.112 r-vp1.gsb.adm
192.168.99.102 r-vp2.gsb.adm
192.168.99.120 s-peertube.gsb.adm
192.168.99.8 syslog.gsb.adm

32
roles/base/templates/hosts.s-proxy.j2 Normal file
View File

@@ -0,0 +1,32 @@
127.0.0.1 localhost
127.0.1.1 {{ ansible_nodename }} {{ ansible_hostname }}
127.0.0.1 localhost ip6-localhost ip6-loopback
172.16.0.2 s-proxy.gsb.lan s-proxy
#10.121.38.10 depl
192.168.99.99 s-adm.gsb.adm depl
192.168.99.1 s-infra.gsb.adm
192.168.99.2 s-proxy.gsb.adm
192.168.99.3 s-appli.gsb.adm
192.168.99.4 s-backup.gsb.adm
192.168.99.5 s-puppet.gsb.adm
192.168.99.6 s-win.gsb.adm
192.168.99.7 s-nxc.gsb.adm
192.168.99.8 s-mon.gsb.adm
192.168.99.9 s-itil.gsb.adm
192.168.99.10 s-lb.gsb.adm
192.168.99.11 s-elk.gsb.adm
192.168.99.10 s-dns.gsb.adm
192.168.99.12 r-int.gsb.adm
192.168.99.13 r-ext.gsb.adm
192.168.99.14 s-nas.gsb.adm
192.168.99.50 s-lb-bd.gsb.adm
192.168.99.101 s-lb-web1.gsb.adm
192.168.99.102 s-lb-web2.gsb.adm
192.168.99.103 s-lb-web3.gsb.adm
192.168.99.112 r-vp1.gsb.adm
192.168.99.102 r-vp2.gsb.adm
192.168.99.120 s-peertube.gsb.adm
192.168.99.8 syslog.gsb.adm

3
roles/db-user/files/resolv.conf Normal file
View File

@@ -0,0 +1,3 @@
search gsb.lan
domain gsb.lan
nameserver 172.16.0.1

12
roles/db-user/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Create mysql user
mysql_user:
host: "{{ cli_ip }}"
name: "{{ maria_dbuser }}"
password: "{{ maria_dbpasswd }}"
priv: "*.*:ALL"
- name: Copie du fichier resolv.conf
copy:
src: resolv.conf
dest: /etc/resolv.conf

152
roles/dhcp-ag/files/dhcpd.conf Normal file
View File

@@ -0,0 +1,152 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau USER
#subnet 172.16.64.0 netmask 255.255.255.0 {
# range 172.16.64.20 172.16.64.120;
# option domain-name-servers 172.16.0.6, 172.16.0.1 ;
# option routers 172.16.64.254;
# option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau INFRA
#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau AGENCE
subnet 172.16.128.0 netmask 255.255.255.0 {
range 172.16.128.10 172.16.128.50;
option domain-name-servers 172.16.0.1;
option routers 172.16.128.254;
option broadcast-address 172.16.128.255;
default-lease-time 86400;
max-lease-time 86400;
}

18
roles/dhcp-ag/files/isc-dhcp-server Normal file
View File

@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s8"
INTERFACESv6=""

3
roles/dhcp-ag/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart dhcp
service: name=isc-dhcp-server state=restarted

11
roles/dhcp-ag/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Installation serveur dhcp
apt: name=isc-dhcp-server state=present update_cache=yes
- name: copie dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp
# notify: restart dhcp
- name: copie conf isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/isc-dhcp-server
# notify: restart dhcp

142
roles/dhcp-fog/files/dhcpd.conf Normal file
View File

@@ -0,0 +1,142 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
#subnet 172.16.65.0 netmask 255.255.255.0 {
# range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
#DHCP pour le réseau USER
subnet 172.16.64.0 netmask 255.255.255.0 {
range 172.16.64.20 172.16.64.120;
option domain-name-servers 172.16.0.1 ;
option routers 172.16.64.254;
option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau INFRA
#subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}

18
roles/dhcp-fog/files/isc-dhcp-server Normal file
View File

@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s9"
INTERFACESv6=""

3
roles/dhcp-fog/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

12
roles/dhcp-fog/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Installation du dhcp
apt: name=isc-dhcp-server state=present
- name: Copie du fichier isc-dhcp-server
copy: src=isc-dhcp-server dest=/etc/default/
- name: Copie du fichier dhcpd.conf
copy: src=dhcpd.conf dest=/etc/dhcp/
notify:
- restart isc-dhcp-server

142
roles/dhcp/files/dhcpd.conf Normal file
View File

@@ -0,0 +1,142 @@
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "gsb.lan";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
#DHCP pour le réseau wifi
subnet 172.16.65.0 netmask 255.255.255.0 {
range 172.16.65.1 172.16.65.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau USER
subnet 172.16.64.0 netmask 255.255.255.0 {
range 172.16.64.20 172.16.64.120;
option domain-name-servers 172.16.0.1 ;
option routers 172.16.64.254;
option broadcast-address 172.16.64.255;
# default-lease-time 600;
# max-lease-time 7200;
}
#DHCP pour le réseau INFRA
subnet 172.16.0.0 netmask 255.255.255.0 {
# range 172.16.0.1 172.16.0.100;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
}

18
roles/dhcp/files/isc-dhcp-server Normal file
View File

@@ -0,0 +1,18 @@
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp0s9 enp0s10"
INTERFACESv6=""

3
roles/dhcp/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted

20
roles/dhcp/tasks/main.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Installation serveur DHCP - isc-dhcp-server
apt:
name: isc-dhcp-server
state: present
- name: Copie du fichier isc-dhcp-server dans /etc/default
copy:
src: isc-dhcp-server
dest: /etc/default/
- name: Copie du fichier dhcpd.conf dans /etc
copy:
src: dhcpd.conf
dest: /etc/dhcp/
notify:
- restart isc-dhcp-server

23
roles/dns-agence/files/named.conf.options Normal file
View File

@@ -0,0 +1,23 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
172.16.0.1;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

4
roles/dns-agence/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted

11
roles/dns-agence/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Installation bind9
apt: name=bind9 state=present update_cache=yes
- name: Copie named.conf.options
copy: src=named.conf.options dest=/etc/bind
notify:
- restart bind9

40
roles/dns-master/files/db.gsb.lan Normal file
View File

@@ -0,0 +1,40 @@
; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
2023051000 ; Serial
7200 ; Refresh
86400 ; Retry
8419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS s-infra.gsb.lan.
@ IN NS s-backup.gsb.lan.
@ IN A 127.0.0.1
@ IN AAAA ::1
s-infra IN A 172.16.0.1
s-backup IN A 172.16.0.4
s-proxy IN A 172.16.0.2
s-appli IN A 172.16.0.3
s-win IN A 172.16.0.6
s-mess IN A 172.16.0.7
s-nxc IN A 172.16.0.7
s-docker IN A 172.16.0.7
s-mon IN A 172.16.0.8
s-itil IN A 172.16.0.9
s-elk IN A 172.16.0.11
s-gestsup IN A 172.16.0.17
r-int IN A 172.16.0.254
r-int-lnk IN A 192.168.200.254
r-ext IN A 192.168.200.253
s-lb IN A 192.168.100.10
s-web1 IN A 192.168.101.1
s-web2 IN A 192.168.101.2
s-lb.gsb.lan IN A 192.168.100.10
ns IN CNAME s-infra.gsb.lan.
wpad IN CNAME s-infra.gsb.lan.
s-peertube IN A 192.168.100.20
peertube IN CNAME s-peertube

30
roles/dns-master/files/db.gsb.lan.rev Normal file
View File

@@ -0,0 +1,30 @@
; 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA s-infra.gsb.lan. root.s-infra.gsb.lan. (
2023040501 ; Serial
7200 ; Refresh
86400 ; Retry
8419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS s-infra.gsb.lan.
@ IN NS s-backup.gsb.lan.
1.0 IN PTR s-infra.gsb.lan.
4.0 IN PTR s-backup.gsb.lan.
2.0 IN PTR s-proxy.gsb.lan.
3.0 IN PTR s-appli.gsb.lan.
6.0 IN PTR s-win.gsb.lan.
7.0 IN PTR s-nxc.gsb.lan.
8.0 IN PTR s-mon.gsb.lan.
9.0 IN PTR s-itil.gsb.lan.
101.1 IN PTR s-web1
101.2 IN PTR s-web2
100.10 IN PTR s-lb
100.10 IN PTR s-lb.gsb.lan
11.0 IN PTR s-elk.gsb.lan.
17.0 IN PTR s-gestsup.lan
254.0 IN PTR r-int.gsb.lan.

2
roles/dns-master/files/forbidden.html Normal file
View File

@@ -0,0 +1,2 @@
<center><img src="http://sio.lyc-lecastel.fr/~nicolas.denizot/warning.jpg" alt="Bloque"></img></center>
<center><h1>Vous n'avez pas les droits requis pour acceder a cette page, veuillez contacter votre Administrateur.</h1></center>

7
roles/dns-master/files/hosts Normal file
View File

@@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 s-infra
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

20
roles/dns-master/files/named.conf.local Normal file
View File

@@ -0,0 +1,20 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "gsb.lan" {
type master;
file "/etc/bind/db.gsb.lan";
};
zone "16.172.in-addr.arpa"{
type master;
notify no;
file "/etc/bind/db.gsb.lan.rev";
};

26
roles/dns-master/files/named.conf.options Normal file
View File

@@ -0,0 +1,26 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
192.168.99.99;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
allow-query { 172.16.0.0/16; } ;
allow-recursion { 172.16.0.0/16; } ;
dnssec-validation no;
};

4
roles/dns-master/files/resolv.conf Normal file
View File

@@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 127.0.0.1

4
roles/dns-master/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted

48
roles/dns-master/tasks/main.yml Normal file
View File

@@ -0,0 +1,48 @@
---
- name: Installation bind9
apt:
name: bind9
state: present
update_cache: yes
- name: Copie named.conf.options
copy:
src: named.conf.options
dest: /etc/bind
notify:
- restart bind9
- name: Copie named.conf.local
copy:
src: named.conf.local
dest: /etc/bind
notify:
- restart bind9
- name: Copie fichier zone directe db.gsb.lan
copy:
src: db.gsb.lan
dest: /etc/bind
notify:
- restart bind9
- name: Copie fichier zone inverse db.gsb.lan.rev
copy:
src: db.gsb.lan.rev
dest: /etc/bind
notify:
- restart bind9
- name: Copie resolv.conf
copy:
src: resolv.conf
dest: /etc
notify:
- restart bind9
- name: Copie page squidguard
copy:
src: forbidden.html
dest: /var/www/

7
roles/dns-slave/files/hosts Normal file
View File

@@ -0,0 +1,7 @@
127.0.0.1 localhost
127.0.1.1 s-infra
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

28
roles/dns-slave/files/named.conf.local Normal file
View File

@@ -0,0 +1,28 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//zone direct
zone "gsb.lan" {
type slave;
file "/etc/bind/db.gsb.lan";
masters { 172.16.0.1; };
masterfile-format text;
};
//zone inverse
zone "16.172.in-addr.arpa" {
type slave;
notify no;
file "/etc/bind/db.gsb.lan.rev";
masters { 172.16.0.1; };
masterfile-format text;
};

26
roles/dns-slave/files/named.conf.options Normal file
View File

@@ -0,0 +1,26 @@
// 0.2 - putconf - vendredi 12 avril 2013, 08:54:33 (UTC+0200)
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
192.168.99.99;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
allow-query { 172.16.0.0/16; } ;
allow-recursion { 172.16.0.0/16; } ;
dnssec-validation no;
};

4
roles/dns-slave/files/resolv.conf Normal file
View File

@@ -0,0 +1,4 @@
domain gsb.lan
search gsb.lan
nameserver 127.0.0.1

4
roles/dns-slave/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart bind9
service: name=bind9 state=restarted

38
roles/dns-slave/tasks/main.yml Normal file
View File

@@ -0,0 +1,38 @@
- name: Installation bind9
apt:
name: bind9
state: present
- name: Copie named.conf.options
copy:
src: named.conf.options
dest: /etc/bind
notify:
- restart bind9
- name: Copie named.conf.local
copy:
src: named.conf.local
dest: /etc/bind
notify:
- restart bind9
- name: Copie resolv.conf
copy:
src: resolv.conf
dest: /etc
notify:
- restart bind9
- name: Changement de droit pour le répertoire /etc/bind
ansible.builtin.lineinfile:
path: /etc/apparmor.d/usr.sbin.named
regexp: ' /etc/bind/\*\* r,'
line: ' /etc/bind/** rw,'
- name: Changement de permission pour le groupe de /etc/bind
ansible.builtin.file:
path: /etc/bind/
state: directory
mode: g=rwx

531
roles/dnsmasq/files/dnsmasq.conf Normal file
View File

@@ -0,0 +1,531 @@
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
#strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via enp0s8
# server=10.1.2.3@enp0s8
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg enp0s3) here.
# Repeat the line for more than one interface.
interface=enp0s8
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=enp0s3
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
dhcp-range=192.168.99.100,192.168.99.120,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC alogrithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
# Send DHCPv6 option for namservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]
# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i
# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow is to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"
# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i
# Set the boot filename for netboot/PXE. You will only need
# this is you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0
# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100
# Boot for Etherboot gPXE. The idea is to send two different
# filenames, the first loads gPXE, and the second tells gPXE what to
# load. The dhcp-match sets the gpxe tag for requests from gPXE.
#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
#dhcp-boot=tag:!gpxe,undionly.kpxe
#dhcp-boot=mybootimage
# Encapsulated options for Etherboot gPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b # priority code
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
#dhcp-option=encap:175, 177, string # bus-id
#dhcp-option=encap:175, 189, 1b # BIOS drive code
#dhcp-option=encap:175, 190, user # iSCSI username
#dhcp-option=encap:175, 191, pass # iSCSI password
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60
# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
# Use bootserver on network, found my multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1
# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net
# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fasion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part if missing from the name (so that is just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/*.conf

3
roles/dnsmasq/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart dnsmasq
service: name=dnsmasq state=restarted

11
roles/dnsmasq/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Installation dnsmasq
apt: name=dnsmasq state=present
- name: Copie du fichier dnsmasq.conf
copy: src=dnsmasq.conf dest=/etc/
notify:
- restart dnsmasq

10
roles/docker/README.md Normal file
View File

@@ -0,0 +1,10 @@
# Installation de docker
Pour assurer l'installation de docker il vous faut lancer le script getall depuis s-adm.
Chemin de getall : /var/www/html/gsbstore/
#### Fonctionnement du playbook
Le playbook va télécharger getdocker.sh et le placer dans tmp.
Il va donc lancer docker.sh et ensuite installer docker-compose, suite à cela, l'installation
est terminée.

16
roles/docker/tasks/main.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Supprime le fichier getdocker.sh si déjà présent
file:
state: absent
path: /tmp/getdocker.sh
- name: Télécharge le script d'installation de docker
uri:
url: 'https://get.docker.com'
method: GET
dest: /tmp/getdocker.sh
mode: a+x
register: result
- name: Execution du script getdocker
shell: bash /tmp/getdocker.sh

9
roles/elk/README.md Normal file
View File

@@ -0,0 +1,9 @@
## Principe du rôle elk
ELK 8.5.3
Ce rôle permet de créer un serveur ELK pour centraliser les logs et de des métriques pour simplifier la gestion du parc informatique GSB.
Le principe de ce rôle est d'installer docker, les différentes tâches de ce rôle sont de :
- Vérifier si ELK est déjà installé,
- Importation un docker-compose depuis github,
- Changement la configuration pour passer en version 'basic'
- Lancement d'ELK avec docker-compose

27
roles/elk/tasks/main.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Création répertoire docker
file:
path: /root/elk
state: directory
- name: Vérification d'ELK
stat:
path: /root/elk/docker-compose.yml
register: elk
- name: Installation d'ELK
ansible.builtin.git:
repo: https://github.com/deviantony/docker-elk.git
dest: /root/elk/
when: not elk.stat.exists
- name: Configuration d'ELK
replace:
path: /root/elk/elasticsearch/config/elasticsearch.yml
regexp: 'xpack.license.self_generated.type: trial'
replace: 'xpack.license.self_generated.type: basic'
- name: Execution du fichier docker-compose.yml
shell: docker compose up -d
args:
chdir: /root/elk

7
roles/filebeat-cli/README.md Normal file
View File

@@ -0,0 +1,7 @@
## Explication du rôle filebeat-cli
Filebeat permet de centraliser et simplifier la gestion de logs pour ELK.
Ce rôle fonctionne en faisant :
Une installation de filebeat
Une configuration de filebeat
Une activation du module system(Logs système)

1
roles/filebeat-cli/defaults/main.yml Normal file
View File

@@ -0,0 +1 @@
BEATVER: "8.5.3"

226
roles/filebeat-cli/files/filebeat.yml Normal file
View File

@@ -0,0 +1,226 @@
###################### Filebeat Configuration Example #########################
# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html
# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.
# ============================== Filebeat inputs ===============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
# filestream is an input for collecting log messages from files.
- type: filestream
# Change to true to enable this input configuration.
enabled: false
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
# Exclude lines. A list of regular expressions to match. It drops the lines that are
# matching any regular expression from the list.
#exclude_lines: ['^DBG']
# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list.
#include_lines: ['^ERR', '^WARN']
# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
#prospector.scanner.exclude_files: ['.gz$']
# Optional additional fields. These fields can be freely picked
# to add additional information to the crawled log files for filtering
#fields:
# level: debug
# review: 1
# ============================== Filebeat modules ==============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
# ======================= Elasticsearch template setting =======================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
# ================================== General ===================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
# =================================== Kibana ===================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "s-elk.gsb.lan:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
# =============================== Elastic Cloud ================================
# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["s-elk.gsb.lan:9200"]
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "changeme"
# ------------------------------ Logstash Output -------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
# ================================== Logging ===================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]
# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
# ============================== Instrumentation ===============================
# Instrumentation support for the filebeat.
#instrumentation:
# Set to true to enable instrumentation of filebeat.
#enabled: false
# Environment in which filebeat is running on (eg: staging, production, etc.)
#environment: ""
# APM Server hosts to report instrumentation results to.
#hosts:
# - http://localhost:8200
# API Key for the APM Server(s).
# If api_key is set then secret_token will be ignored.
#api_key:
# Secret token for the APM Server(s).
#secret_token:
# ================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

5
roles/filebeat-cli/handlers/main.yml Normal file
View File

@@ -0,0 +1,5 @@
- name: restart filebeat
service:
name: filebeat
state: started
enabled: yes

23
roles/filebeat-cli/tasks/main.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Récupération de filebeat
get_url:
url: http://s-adm.gsb.adm/gsbstore/filebeat-${BEATVAR}-amd64.deb
dest: /tmp/
- name: Installation de filebeat
apt:
deb: /tmp/filebeat-${BEATVEAR}-amd64.deb
- name: Changement du fichier de conf
copy:
src: filebeat.yml
dest: /etc/filebeat/filebeat.yml
- name: Configuration de filebeat
shell: filebeat modules enable system
notify: restart filebeat
- name: Lancement de la configuration de filebeat
shell: filebeat setup -e
notify: restart filebeat

16
roles/fog/README.md Normal file
View File

@@ -0,0 +1,16 @@
# Fog
Ce rôle permet l'installation et la modification de Fog.
## Fog, c'est quoi ?
Fog permet le déploiement d'images disque tel que Windows ou bien Linux en utilisant PXE (Preboot Execution Environment).
## Comment l'installer ?
Avant toute chose, lancer le fichier goss de s-fog ( présent dans gsb2023/goss/s-fog.yaml ) pour vérifier que la configuration réseau est correct et opérationnel. Une fois l'installation principale effectuée, il faut lancer le playbook ansible s-fog.yaml.
Il faudra se rendre dans le dossier **fog** pour lancer le script **installfog.sh** ( fog/bin/ ). La configuration sera déjà établie via le fichier **.fogsettings**

3
roles/fog/defaults/main.yml Normal file
View File

@@ -0,0 +1,3 @@
depl_url: "http://s-adm.gsb.adm/gsbstore"
depl_fog: "fogproject-1.5.9.tar.gz"
instructions: "Pour lancer l'installateur Fog, faites : 'bash /root/tools/fog/bin/installfog.sh'. Suivez ensuite les instructions"

46
roles/fog/files/fogsettings Normal file
View File

@@ -0,0 +1,46 @@
## Start of FOG Settings
## Created by the FOG Installer
## Find more information about this file in the FOG Project wiki:
## https://wiki.fogproject.org/wiki/index.php?title=.fogsettings
## Version: 1.5.9
## Install time: jeu. 26 janv. 2023 11:41:05
ipaddress='172.16.64.16'
copybackold='0'
interface='enp0s9'
submask='255.255.255.0'
hostname='s-fog.gsb.lan'
routeraddress='192.168.99.99'
plainrouter='192.168.99.99'
dnsaddress='172.16.0.1'
username='fogproject'
password='/7ElC1OHrP47EN2w59xl'
osid='2'
osname='Debian'
dodhcp='y'
bldhcp='1'
dhcpd='isc-dhcp-server'
blexports='1'
installtype='N'
snmysqluser='fogmaster'
snmysqlpass='HHO5vSGqFiHE_9d2lja3'
snmysqlhost='localhost'
mysqldbname='fog'
installlang='0'
storageLocation='/images'
fogupdateloaded=1
docroot='/var/www/html/'
webroot='/fog/'
caCreated='yes'
httpproto='http'
startrange='172.16.64.10'
endrange='172.16.64.254'
bootfilename='undionly.kpxe'
packages='apache2 bc build-essential cpp curl g++ gawk gcc genisoimage git gzip htmldoc isc-dhcp-server isolinux lftp libapache2-mod-php7.4 libc6 libcurl4 li>
noTftpBuild=''
sslpath='/opt/fog/snapins/ssl/'
backupPath='/home/'
armsupport='0'
php_ver='7.4'
php_verAdds='-7.4'
sslprivkey='/opt/fog/snapins/ssl//.srvprivate.key'
## End of FOG Settings

26
roles/fog/tasks/main.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: creation d'un repertoire fog
file:
path: /root/tools/fog
state: directory
- name: recuperation de l'archive d'installation fog sur git
git:
repo: https://gitea.lyc-lecastel.fr/gadmin/fog.git
dest: /root/tools/fog/
clone: yes
update: yes
- name: Modification fichier bash (desac UDPCast)
ansible.builtin.lineinfile:
path: /root/tools/fog/lib/common/functions.sh
regexp: '^configureUDPCast\(\).*'
line: "configureUDPCast() {\nreturn"
backup: yes
- name: fichier config fogsettings
command: "cp /root/tools/ansible/roles/fog/files/fogsettings /opt/fog/"
- name: fichier fogsettings en .fogsettings
command: "mv /opt/fog/fogsettings /opt/fog/.fogsettings"

23
roles/fw-ferm/README.md Normal file
View File

@@ -0,0 +1,23 @@
# [Ferm](http://ferm.foo-projects.org/)
Modifier l'execution d'iptables [plus d'info ici](https://wiki.debian.org/iptables)
```shell
update-alternatives --set iptables /usr/sbin/iptables-legacy
```
Pour tester utiliser [Nmap](https://nmap.org/man/fr/man-briefoptions.html)
### r-vp1
```shell
sudo nmap -p51820 192.168.0.51
```
### r-vp2
```shell
sudo nmap -p51820 192.168.0.52
```
### Sortie :
```
`PORT STATE SERVICE
51820/tcp filtered unknown`
```
Faire des ping!

69
roles/fw-ferm/files/ferm.conf.r-vp1 Normal file
View File

@@ -0,0 +1,69 @@
# -*- shell-script -*-
#
# Ferm script r-vp1
@def $DEV_PRIVATE = enp0s8;
@def $DEV_WORLD = enp0s9;
@def $DEV_WORLD = enp0s9;
@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;
table filter {
chain (INPUT OUTPUT){
# allow VPN
proto udp dport 51820 ACCEPT;
}
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local connections
interface lo ACCEPT;
# respond to ping
proto icmp icmp-type echo-request ACCEPT;
# allow SSH connections from the private network and from some
# well-known internet hosts
saddr ($NET_PRIVATE) proto tcp dport ssh ACCEPT;
# we provide DNS and SMTP services for the internal net
interface $DEV_PRIVATE saddr $NET_PRIVATE {
proto (udp tcp) dport domain ACCEPT;
proto udp dport bootps ACCEPT;
}
# the rest is dropped by the above policy
}#FIN INPUT
# outgoing connections are not limited
chain OUTPUT {
policy ACCEPT;
}#FIN OUTPUT
chain FORWARD {
policy ACCEPT;
proto icmp icmp-type echo-request ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# connections from the internal net to the internet or to other
# internal nets are allowed
interface $DEV_PRIVATE ACCEPT;
interface $DEV_VPN daddr $NET_PRIVATE {
proto tcp dport ssh DROP;
}
# the rest is dropped by the above policy
}
}

68
roles/fw-ferm/files/ferm.conf.r-vp2 Normal file
View File

@@ -0,0 +1,68 @@
# -*- shell-script -*-
#
# Ferm script r-vp2
@def $DEV_PRIVATE = enp0s9;
@def $DEV_WORLD = enp0s8;
@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;
table filter {
chain (INPUT OUTPUT){
# allow VPN
proto udp dport 51820 ACCEPT;
}
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local connections
interface lo ACCEPT;
# respond to ping
proto icmp icmp-type echo-request ACCEPT;
# allow SSH connections from the private network and from some
# well-known internet hosts
saddr ($NET_PRIVATE) proto tcp dport ssh ACCEPT;
# we provide DNS and SMTP services for the internal net
interface $DEV_PRIVATE saddr $NET_PRIVATE {
proto (udp tcp) dport domain ACCEPT;
proto udp dport bootps ACCEPT;
}
# interface réseau
interface $DEV_WORLD {
}
# the rest is dropped by the above policy
}#FIN INPUT
# outgoing connections are not limited
chain OUTPUT {
policy ACCEPT;
}
chain FORWARD {
policy ACCEPT;
proto icmp icmp-type echo-request ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# connections from the internal net to the internet or to other
# internal nets are allowed
interface $DEV_PRIVATE ACCEPT;
interface $DEV_VPN daddr $NET_PRIVATE {
proto tcp dport ssh DROP;
}
# the rest is dropped by the above policy
}
}

15
roles/fw-ferm/tasks/main.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- name: installation de ferm
apt:
name: ferm
state: present
- name: copie du ferm.conf
copy:
src: ferm.conf.{{ ansible_hostname }}
dest: /etc/ferm/ferm.conf
- name: redemarage service ferm
ansible.builtin.service:
name: ferm.service
state: restarted

6
roles/gestsup/README.md Normal file
View File

@@ -0,0 +1,6 @@
# Rôle Gestsup
Ce playbook installe Gestsup et ses dépendances, et remplace certains fichier pour certaines
configurations. Avant de lancer ce playbook, lancez "getall" sur la machine s-adm.

234
roles/gestsup/files/apache2.conf Normal file
View File

@@ -0,0 +1,234 @@
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#Mutex file:${APACHE_LOCK_DIR} default
#
# The directory where shm and other runtime files will be stored.
#
DefaultRuntimeDir ${APACHE_RUN_DIR}
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/html>
Options -Indexes -ExecCGI
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

1947
roles/gestsup/files/php.ini Normal file
View File

File diff suppressed because it is too large Load Diff

73
roles/gestsup/files/security.conf Normal file
View File

@@ -0,0 +1,73 @@
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
# AllowOverride None
# Require all denied
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#ServerSignature Off
ServerSignature On
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#TraceEnable On
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
# Require all denied
#</DirectoryMatch>
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

6
roles/gestsup/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: redemarrage apache2
service:
name: apache2
state: restarted
enabled: yes

122
roles/gestsup/tasks/main.yml Normal file
View File

@@ -0,0 +1,122 @@
- name: Installation des dépendances
apt:
name:
- apache2
- mariadb-server
- python3-pip
- php
- php-mysql
- php-xml
- php-curl
- php-imap
- php-zip
- php-mbstring
- php-gd
- php-intl
- php-ldap
- snapd
- unzip
state: present
- name: Install pymysql
become: true
pip:
name: pymysql
state: present
- name: Copie de php.ini
copy:
src: php.ini
dest: /etc/php/7.4/apache2
- name: Copie de apache2.conf
copy:
src: apache2.conf
dest: /etc/apache2
- name: Suppression de l'ancien security.conf
file:
path: /etc/apache2/conf-available/security.conf
state: absent
- name: Suppression de l'ancien lien symbolique
file:
path: /etc/apache2/conf-enabled/security.conf
state: absent
- name: Copie de security.conf pour apache2
copy:
src: security.conf
dest: /etc/apache2/conf-available
- name: Création d'un lien symbolique pour security.conf
ansible.builtin.shell: ln -s /etc/apache2/conf-available/security.conf /etc/apache2/conf-enabled/
- name: mariadb en mode enabled
service:
name: mysql
enabled: yes
- name: Création de l'utilisateur gestsup
mysql_user:
name: gestsup
password: gestsup
priv: '*.*:ALL,GRANT'
state: present
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Decompression du fichier gestsup.zip
ansible.builtin.unarchive:
src: http://s-adm.gsb.adm/gsbstore/gestsup_3.2.15.zip
dest: /var/www/html/
remote_src: yes
- name: Suppression de index.html
ansible.builtin.file:
path: /var/www/html/index.html
state: absent
- name: Création de l'utilisateur et attribution au groupe www-data
ansible.builtin.shell: adduser gestsup --ingroup www-data
- name: Attribution des repertoires a www-data et gestsup
ansible.builtin.file:
path: /var/www/html
owner: gestsup
group: www-data
recurse: yes
- name: Attribution de droit 750
ansible.builtin.shell: find /var/www/html/ -type d -exec chmod 750 {} \;
- name: Attribution de droit en 640
ansible.builtin.shell: find /var/www/html/ -type f -exec chmod 640 {} \;
- name: Droit 770 pour le repertoire upload
ansible.builtin.file:
path: /var/www/html/upload
mode: '0770'
recurse: yes
- name: Droit 770 pour le repertoire images/model
ansible.builtin.file:
path: /var/www/html/images/model
mode: '0770'
recurse: yes
- name: Droit 770 pour le repertoire backup
ansible.builtin.file:
path: /var/www/html/backup
mode: '0770'
recurse: yes
- name: Droit 770 pour le repertoire _SQL
ansible.builtin.file:
path: /var/www/html/_SQL
mode: '0770'
recurse: yes
- name: Droit 660 pour connect.php
ansible.builtin.file:
path: /var/www/html/connect.php
mode: '0660'

44
roles/glpi/README.md Normal file
View File

@@ -0,0 +1,44 @@
## Comment marche le rôle
Le rôle installe un serveur GLPI fonctionnant graĉe à php et à nginx.
Ce rôle permet aussi d'installer FusionInventory sur glpi.
Le rôle permet aussi de sauvegarde la BDD de glpi.
## Comment utiliser GLPI
Après le pull-config, aller sur une machine du réseau n-user et aller sur http://s-itil/install/install.php
Puis lancer l'installation, les paramètres sql à fournir sont :
serveur : localhost
utilisateur : glpi
mot de passe : glpi
Selectionner la base glpi
Ne pas envoyer de statistique d'usage
## Postfix :
Aller dans Configuration > Notification, activer le suivi et les notification
Aller dans Configuration des notifications par courriels
Mettre l'adresse mail de supervision dans : Courriel de l'administrateur, Courriel expéditeur et comme adresse de réponse
Le mode d'envoie des courriels est SMTP
l'hôte SMTP est localhost
## LDAP :
Aller dans Configuration > Authentification > Annuaires LDAP.
Ajouter un serveur en cliquant sur le +
Remplisser les cases:
Nom : s-win
Serveur par défaut : oui
Actif : oui
Serveur : s-win.gsb.lan
Filtre de connexion : (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
BaseDN : DC=gsb,DC=lan
DN du compte : GSB\Administrateur
Mot de passe : Azerty1+
Champ de l'identifiant : samaccountname
Pour importer les utilisateurs allez dans Administration > Utilisateur > Liaison annuaire LDAP > Importation de nouveau utilisateurs
Appuyer sur rechercher
Puis sélectionner les utilisateurs afficher, allez dans action et sélectionnez importer.

6
roles/glpi/defaults/main.yml Normal file
View File

@@ -0,0 +1,6 @@
depl_url: "http://s-adm.gsb.adm/gsbstore"
#depl_glpi: "glpi-9.5.6.tgz"
depl_glpi: "glpi-10.0.6.tgz"
#depl_fusioninventory: "fusioninventory-9.5+3.0.tar.bz2"
depl_glpi_agentx64: "GLPI-Agent-1.4-x64.msi"
depl_glpi_agentx86: "GLPI-Agent-1.4-x86.msi"

3
roles/glpi/files/.my.cnf Normal file
View File

@@ -0,0 +1,3 @@
[client]
user=root
password=root

4
roles/glpi/files/dbdump Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
chm="/var/www/html/glpi/files/_dumps"
# Dump base GLPI
mysqldump -uroot -proot glpi |gzip > $chm/$(date +%Y-%m-%d).sql.gz

12
roles/glpi/files/glpi.conf Normal file
View File

@@ -0,0 +1,12 @@
DocumentRoot /var/www/glpi
<Directory /var/www/glpi>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
AuthType Basic
</Directory>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined
ErrorLog ${APACHE_LOG_DIR}/glpi_error.log

9
roles/glpi/handlers/main.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: restart php-fpm
service: name=php7.0-fpm state=restarted
- name: restart nginx
service: name=nginx state=restarted
- name: restart mariadb-server
service: name=mariadb-server state=restarted

152
roles/glpi/tasks/main.yml Normal file
View File

@@ -0,0 +1,152 @@
---
- name: Installation des paquets
apt:
state: latest
name:
- nginx
- php-fpm
- php-mbstring
- php-mysql
- php-gd
- php-curl
- php-xml
- php-apcu
- php-ldap
- php-imap
- php-xmlrpc
- php-cas
- python3-mysqldb
- mariadb-server
- python3-pymysql
- php-intl
- php-bz2
- php-zip
- postfix
- mailutils
- name: Changement listen dans le fichier conf de php7.3
replace:
dest: /etc/php/7.4/fpm/pool.d/www.conf
regexp: 'listen = /run/php/php7.4-fpm.sock'
replace: 'listen = 127.0.0.1:9000'
backup: yes
- name: Effacement block nginx default
file:
path: /etc/nginx/sites-enabled/default
state: absent
- name: Creation fichier block nginx
template:
src: block.j2
dest: /etc/nginx/sites-enabled/glpi
- name: Remplacement dans le fichier de conf php du timeout
replace:
dest: /etc/php/7.4/fpm/php.ini
regexp: 'max_execution_time = 30'
replace: 'max_execution_time = 600'
backup: yes
notify:
- restart nginx
- name: Creation de la base de donnee mysql
mysql_db:
name: "{{ glpi_dbname }}"
state: present
login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Creation de l'utilisateur mysql avec tous les privileges
mysql_user:
name: "{{ glpi_dbuser }}"
password: "{{ glpi_dbpasswd }}"
priv: "*.*:ALL,GRANT"
login_unix_socket: /var/run/mysqld/mysqld.sock
with_items:
- 127.0.0.1
# - ::1
# - localhost
- name: Creation du repertoire {{ glpi_dir }}
file:
path: "{{ glpi_dir }}"
state: directory
owner: www-data
group: www-data
- name: Installation de GLPI
unarchive:
src: "{{ depl_url }}/{{ depl_glpi }}"
dest: /var/www/html
remote_src: yes
owner: www-data
group: www-data
- name: Changement des attributs {{ glpi_dir }}
file:
path: "{{ glpi_dir }}"
owner: www-data
group: www-data
mode: 0755
recurse: yes
- name: Changement des attributs {{ glpi_dir }}/plugins
file:
path: "{{ glpi_dir }}/plugins"
mode: 0777
owner: www-data
group: www-data
recurse: yes
# - name: Attribution des permissions
# shell: chown -R www-data:www-data /var/www/html/glpi/
# - name: copy .my.cnf file with root password credentials
# copy: src=.my.cnf dest=/root/tools/ansible/.my.cnf owner=root mode=0600
# - name: Installation de Fusioninventory pour Linux
# unarchive:
# src: "{{ depl_url }}/{{ depl_fusioninventory }}"
#src: http://depl/gsbstore/fusioninventory-{{ fd_version }}.tar.bz2
# dest: /var/www/html/glpi/plugins
# remote_src: yes
- name: Creation de ficlient
file:
path: /var/www/html/ficlients
state: directory
owner: www-data
group: www-data
mode: 0775
- name: Attribution des droits nginx.index
file:
path: /var/www/html/index.nginx-debian.html
owner: www-data
group: www-data
mode: 0775
- name: Installation de GLPI Agent windows x64
get_url:
url: "{{ depl_url }}/{{ depl_glpi_agentx64 }}"
dest: "/var/www/html/ficlients"
# - name: Installation de GLPI Agent windows x86
# get_url:
# url: "{{ depl_url }}/{{ depl_glpi_agentx86 }}"
# dest: "/var/www/html/ficlients"
- name: Copie du script dbdump
copy:
src: dbdump
dest: /root/
- name: chmod de dbdump
shell: chmod +x /root/dbdump
- debug:
msg: "Redemarrez le serveur GLPI"
- debug:
msg: "L'utilisateur mysql:ID:glpi et MDP:glpi"

23
roles/glpi/templates/block.j2 Normal file
View File

@@ -0,0 +1,23 @@
server {
listen 80 default_server;
root {{ glpi_dir }};
index index.php;
server_name localhost;
location / {try_files $uri $uri/ index.php;}
#prise en charge PHP
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param SERVER_NAME $host;
}
location /ficlients {
root /var/www/html;
autoindex on;
}
}

2
roles/goss/defaults/main.yml Normal file
View File

@@ -0,0 +1,2 @@
depl_url: "http://s-adm.gsb.adm/gsbstore"
depl_goss: "goss"

19
roles/goss/tasks/main.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: goss binary exists
stat: path=/usr/local/bin/goss
register: gossbin
- name: install goss sur machine standard
get_url:
url: "{{ depl_url }}/{{ depl_goss }}"
dest: /usr/local/bin/{{ depl_goss }}
mode: 0755
when: gossbin.stat.exists == false and ansible_hostname != "s-adm"
- name: install goss sur s-adm
copy:
src: "/var/www/html/gsbstore/{{ depl_goss }}"
dest: /usr/local/bin/{{ depl_goss }}
mode: 0755
remote_src: yes
when: gossbin.stat.exists == false and ansible_hostname == "s-adm"

117
roles/icinga/README.md Normal file
View File

@@ -0,0 +1,117 @@
# Instalation de NSClient++ sur la machine s-win
En premier lieu, installer Mozilla Firefox via Internet Explorer.
Une fois Mozilla intallé, installer NSClient++ avec ce lien: [NSClient++](https://nsclient.org/download/)
Puis choisir la version Windows
# Etapes de l'installation
Sur l'étape **Select monitoring tool**, sélectionner **Generic**.
Sur l'étape **Choose setup type**, sélectionner **Typical**.
Sur l'étape **NSClient++ Configuration:
```
Allowed hosts: 172.16.0.8
Password: root
```
Activer **check plugins, check_nt et check_nrpe**.
**Laisser NSCA client et web server désactivé**
Cocher la case **Insecure legacy mode**
Terminer l'installation.
# Modification des fichiers
Rendez vous dans le répertoire **C:\Programmes\NSClient++** puis ouvrez le fichier **nsclient** (celui avec un rouage).
Une fois ouvert, modifier tout le fichier avec ceci:
```
#If you want to fill this file with all available options run the following command:
#nscp settings --generate --add-defaults --load-all
#If you want to activate a module and bring in all its options use:
#nscp settings --activate-module <MODULE NAME> --add-defaults
#For details run: nscp settings --help
; in flight - TODO
[/settings/default]
; Undocumented key
password = root
; Undocumented key
allowed hosts = 172.16.0.8
; in flight - TODO
[/settings/NRPE/server]
; Undocumented key
verify mode = none
; Undocumented key
insecure = true
; in flight - TODO
[/modules]
; Undocumented key
CheckExternalScripts = enabled
; Undocumented key
CheckHelpers = enabled
; Undocumented key
CheckEventLog = enabled
; Undocumented key
CheckNSCP = enabled
; Undocumented key
CheckDisk = enabled
; Undocumented key
CheckSystem = enabled
; Undocumented key
NSClientServer = enabled
; Undocumented key
NRPEServer = enabled
```
Redémarrez le service NSClient++ via le **cmd**:
```
services.msc
```
Puis clique droit sur le service **NCLient++ Monitoring Agent** et appuyer sur **Redémarrer**
Retourner sur le serveur nagios puis écrire:
```
systemctl restart icinga
```
Les services de la machine **srv-2012** apparaissent en **OK**.

59
roles/icinga/files/cfg/contacts_icinga.cfg Normal file
View File

@@ -0,0 +1,59 @@
###############################################################################
# contacts.cfg
###############################################################################
###############################################################################
###############################################################################
#
# CONTACTS
#
###############################################################################
###############################################################################
# In this simple config file, a single contact will receive all alerts.
#define contact{
# contact_name root
# alias Root
# service_notification_period 24x7
# host_notification_period 24x7
# service_notification_options w,u,c,r
# host_notification_options d,r
# service_notification_commands notify-service-by-email
# host_notification_commands notify-host-by-email
# email root@localhost
# }
define contact{
contact_name admin
alias Administrateur
service_notification_period 24x7
host_notification_period 24x7
service_notification_options w,u,c,r
host_notification_options d,r
service_notification_commands notify-service-by-email
host_notification_commands notify-host-by-email
email icinga.ppe31@gmail.com
}
###############################################################################
###############################################################################
#
# CONTACT GROUPS
#
###############################################################################
###############################################################################
# We only have one contact in this simple configuration file, so there is
# no need to create more than one contact group.
define contactgroup{
contactgroup_name admins
alias Nagios Administrators
members admin
}

13
roles/icinga/files/cfg/extinfo_icinga.cfg Normal file
View File

@@ -0,0 +1,13 @@
##
## Extended Host and Service Information
##
define hostextinfo{
hostgroup_name debian-servers
notes Debian GNU/Linux servers
# notes_url http://webserver.localhost.localdomain/hostinfo.pl?host=netware1
icon_image base/debian.png
icon_image_alt Debian GNU/Linux
vrml_image debian.png
statusmap_image base/debian.gd2
}

19
roles/icinga/files/cfg/generic-host_icinga.cfg Normal file
View File

@@ -0,0 +1,19 @@
# Generic host definition template - This is NOT a real host, just a template!
define host{
name generic-host ; The name of this host template
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
check_command check-host-alive
max_check_attempts 10
notification_interval 0
notification_period 24x7
notification_options d,u,r
contact_groups admins
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
}

26
roles/icinga/files/cfg/generic-service_icinga.cfg Normal file
View File

@@ -0,0 +1,26 @@
# generic service template definition
define service{
name generic-service ; The 'name' of this service template
active_checks_enabled 1 ; Active service checks are enabled
passive_checks_enabled 1 ; Passive service checks are enabled/accepted
parallelize_check 1 ; Active service checks should be parallelized (disabling this can lead to major performance problems)
obsess_over_service 1 ; We should obsess over this service (if necessary)
check_freshness 0 ; Default is to NOT check service 'freshness'
notifications_enabled 1 ; Service notifications are enabled
event_handler_enabled 1 ; Service event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
notification_interval 0 ; Only send notifications on status change by default.
is_volatile 0
check_period 24x7
normal_check_interval 5
retry_check_interval 1
max_check_attempts 4
notification_period 24x7
notification_options w,u,c,r
contact_groups admins
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}

14
roles/icinga/files/cfg/gwsio2.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name gwsio2
alias Passerelle
address 192.168.0.1
icon_image cook/linux_server.gif
statusmap_image cook/linux_server.gd2
}

75
roles/icinga/files/cfg/hostgroups_icinga.cfg Normal file
View File

@@ -0,0 +1,75 @@
# Some generic hostgroup definitions
define hostgroup {
hostgroup_name all
alias All Servers
members *
}
define hostgroup {
hostgroup_name localhost
alias Debian GNU/Linux Servers
members localhost
}
define hostgroup {
hostgroup_name debian-servers
alias Serveurs distant
members s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess
}
define hostgroup { 
hostgroup_name ssh-servers
alias acces SSH
members s-adm, s-infra, s-proxy, r-int, r-ext, localhost, gwsio2, s-itil, s-mess, s-lb
}
define hostgroup { 
hostgroup_name dns-servers
alias serveurs-dns
members s-infra, srv-2012
}
define hostgroup { 
hostgroup_name dhcp-servers
alias serveurs-dhcp
members r-int, srv-2012
}
define hostgroup {
hostgroup_name http-servers
alias serveurs-web
members localhost, s-itil, s-adm
}
#define hostgroup {
# hostgroup_name email-servers
# alias serveurs-email
# members s-mess
# }
define hostgroup { 
hostgroup_name proxy-servers
alias serveurs-proxy
members s-proxy
}
define hostgroup{
hostgroup_name windows-servers
alias windows-servers
members srv-2012
}
define hostgroup{
hostgroup_name dns-win
alias dns-win
members srv-2012
}
define hostgroup{
hostgroup_name uptimegrp
alias uptimegrp
members s-infra, s-proxy, r-int, r-ext, s-adm, s-itil, s-mess, s-lb
}

60
roles/icinga/files/cfg/localhost_icinga.cfg Normal file
View File

@@ -0,0 +1,60 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in icinga-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name localhost
alias localhost
address 127.0.0.1
parents gwsio2
}
# Define a service to check the disk space of the root partition
# on the local machine. Warning if < 20% free, critical if
# < 10% free space on partition.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Disk Space
check_command check_all_disks!20%!10%
}
# Define a service to check the number of currently logged in
# users on the local machine. Warning if > 20 users, critical
# if > 50 users.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Current Users
check_command check_users!20!50
}
# Define a service to check the number of currently running procs
# on the local machine. Warning if > 250 processes, critical if
# > 400 processes.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Total Processes
check_command check_procs!250!400
}
# Define a service to check the load on the local machine.
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Current Load
check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
}

16
roles/icinga/files/cfg/netgear.cfg Normal file
View File

@@ -0,0 +1,16 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name netgear
alias switch
address 192.168.0.2
#parents gwsio4
icon_image cook/switch.gif
statusmap_image cook/switch.gd2
}

13
roles/icinga/files/cfg/r-ext.cfg Normal file
View File

@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name r-ext
alias Routeur externe
address 192.168.200.253
parents localhost
}

13
roles/icinga/files/cfg/r-int.cfg Normal file
View File

@@ -0,0 +1,13 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name r-int
alias Routeur interne
address 172.16.0.254
parents r-ext
}

14
roles/icinga/files/cfg/s-adm.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-adm
alias debian-servers
address 192.168.99.99
parents r-int
}

14
roles/icinga/files/cfg/s-infra.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-infra
alias debian-servers
address 172.16.0.1
parents r-int
}

14
roles/icinga/files/cfg/s-itil.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template to use
host_name s-itil
alias debian-servers
address 172.16.0.9
parents r-int
}

14
roles/icinga/files/cfg/s-lb.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template$
host_name s-lb
alias debian-servers
address 192.168.100.10
parents r-int
}

14
roles/icinga/files/cfg/s-mess.cfg Normal file
View File

@@ -0,0 +1,14 @@
# A simple configuration file for monitoring the local host
# This can serve as an example for configuring other servers;
# Custom services specific to this host are added here, but services
# defined in nagios2-common_services.cfg may also apply.
#
define host{
use generic-host ; Name of host template$
host_name s-mess
alias nextcloud
address 172.16.0.7
parents r-int
}

Some files were not shown because too many files have changed in this diff Show More