gsb/gsb2024
3
3
Fork 0
Code Issues 2 Pull Requests Packages Projects Releases 3 Wiki Activity

Premier commit

Browse Source
This commit is contained in:
phil
2023-12-18 23:20:30 +01:00
parent ec25c6dba9
commit 62ef5fa4e9
577 changed files with 46490 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
roles/old/docker-iredmail-ab/files/fstab Normal file
View File

@@ -0,0 +1,13 @@
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /var/lib/containers ext4 defaults 0 0

2
roles/old/docker-iredmail-ab/files/https_proxy.conf Normal file
View File

@@ -0,0 +1,2 @@
[Service]
Environment="HTTPS_PROXY=http://192.168.99.99:8080/"

14
roles/old/docker-iredmail-ab/files/iredmail.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
docker run --privileged -p 80:80 -p 443:443 \
-h s-mess.sio.lan \
-e "DOMAIN=sio.lan" \
-e "MYSQL_ROOT_PASSWORD=iredmail" \
-e "SOGO_WORKERS=1" \
-e "TIMEZONE=Europe/Paris" \
-e "POSTMASTER_PASSWORD=Azertyuiop1+" \
-e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \
-v /root/mysql:/var/lib/mysql \
-v /root/vmail:/var/vmail \
-v /root/clamav:/var/lib/clamav \
--name=iredmail lejmr/iredmail:mysql-latest

3
roles/old/docker-iredmail-ab/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart docker
service: name=docker state=restarted

83
roles/old/docker-iredmail-ab/tasks/main.yml Normal file
View File

@@ -0,0 +1,83 @@
---
- name: Installation de apt-transport-https
apt: name=apt-transport-https state=present
- name: Installation de ca-certificates
apt: name=ca-certificates state=present
- name: Installation de gnupg2
apt: name=gnupg2 state=present
- name: Installation de software-properties-common
apt: name=software-properties-common state=present
- name: Installation de sudo
apt: name=sudo state=present
- name: Installation de docker
shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- name: Récupération des paquets docker-ce et docker-compose
shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- name: Création du répertoire docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
owner: root
group: root
mode: 0775
recurse: yes
- name: Copie https_proxy.conf
copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/
notify:
- restart docker
- name: Vérification des nouveaux paquets
shell: sudo apt-get update
- name: Installation de docker-ce
shell: sudo apt-get install -y docker-ce
- name: Installation de docker-compose
shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Modification des droits de docker-compose
shell: chmod +x /usr/local/bin/docker-compose
- name: Copie du fichier fstab
copy: src=fstab dest=/etc/
- name: Copie du script bash Iredmail
copy: src=iredmail.sh dest=/root/tools/ansible
- name: Changement du système de fichier de /dev/sdb1 en ext4
shell: mkfs.ext4 /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
shell: mount /dev/sdb1 /var/lib/docker
- name: Droit pour le script Iredmail
shell: chmod a+x /root/tools/ansible/iredmail.sh
- name: Création du répertoire mysql
shell: mkdir /root//mysql
- name: Création du répertoire vmail
shell: mkdir /root/vmail
- name: Création du répertoire clamav
shell: mkdir /root/clamav
- name: Exécution du script Iredmail
debug: msg="Exécuter le script iredmail.sh qui se trouve dans tools/ansible"
- name: Montage /dev/sdb1
debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h"
- name: Test docker
debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1"
- name: Démarrer le container
debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443"

48
roles/old/docker-nextcloud/files/config.php Normal file
View File

@@ -0,0 +1,48 @@
<?php
$CONFIG = array (
'htaccess.RewriteBase' => '/',
'memcache.local' => '\\OC\\Memcache\\APCu',
'apps_paths' =>
array (
0 =>
array (
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false,
),
1 =>
array (
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
'instanceid' => 'ocvc4q2htemf',
'passwordsalt' => 'stdJZMx4C5hz85Kqt8XdZIzx8kVOHI',
'secret' => 'II1BBgzlx70WUYCapAt/m/Bt1ZEk/n11n0DVq3zynyU8F/bU',
'trusted_domains' =>
array (
0 => '172.16.0.7:5678',
1 => '172.16.0.7:8080',
2 => 's-mess',
3 => 's-mess.gsb.lan',
4 => 'localhost:8080',
5 => 's-nxec.gsb.lan',
),
'trusted_proxies' => ['172.16.0.7'],
'overwriteprotocol' => 'http',
'overwritehost' => '172.16.0.7:8080',
'proxy' => '172.16.0.7:8080',
'datadirectory' => '/var/www/html/data',
'dbtype' => 'mysql',
'version' => '20.0.6.1',
'overwrite.cli.url' => 'http://172.16.0.7:5678',
'dbname' => 'nextcloud',
'dbhost' => 'db',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => 'root',
'installed' => true,
);

13
roles/old/docker-nextcloud/files/dhparam.pem Normal file
View File

@@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA9YcWlg90PgLB2PS31Tv8mxn6cyRZd4GvX6tkqwOfXhdBZYzgoEnJ
17U+hDqpT5utQpUbfR0//uXr53mpu3ufxCNJ9gSsCIAbmhTIT3qwLwUis3Etb8PA
4LCTbVHvua5W7/pdM0s8PIOAWK7ah09p+mzwZqx5tKZWtbdERQKIAGE6Xmd4845/
9oBWTj2g5t83Gt/fZDy+NVRy5ePb/KGix4bEmfnZ5htC/16VFPVrSZUALoxn8HtC
3nn4eqBrZeAxY6UHuW0ZPkRmpLs3GCILa+gze+wDlKlhC+RQU/f8Fijo6SsQPzNf
6BzJdoyeeE9OyyhhWu4Mihr39RnShk1ABO2eZrA1TE7L5X3YuCeIO09j99hkEsPr
mX1zh+v4sx2FFMZLebu+5KYf+ROOOYtMy6AJQq55avccTPrs0S+pxswypbzMD4ym
BYtPO46XYkRhrX47TfVHLW9oonDmMxPKNidNMrFtKW0b6f09iOcN9iEA/EM0s+3n
uQ2h+bQrwGqo5aMSUuJ3w8EjFySIqKgU5ZxJzPGSndsqS7zd2hUxNx7EZueHXX5N
CJ7kWRhIFv8YHHx0J/VFJieyr7DAUATu7chu4aGhwf2AoGYzmI0tjSh+3rQiDh7O
h+JtKr+wifr9P2vBqIWFQltOC2srRs+EB+5/qN1iIjYmq52MkUbFLfMCAQI=
-----END DH PARAMETERS-----

35
roles/old/docker-nextcloud/files/docker-compose.yml Executable file
View File

@@ -0,0 +1,35 @@
version: '2'
volumes:
nextcloud:
db:
services:
db:
image: mariadb
restart: always
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=root
- MYSQL_PASSWORD=root
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- TZ=Europe/Paris
app:
image: nextcloud
restart: always
ports:
- 5678:80
links:
- db
volumes:
- ./nextcloud:/var/www/html
environment:
- MYSQL_PASSWORD=root
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=db
- TZ=Europe/Paris

502
roles/old/docker-nextcloud/files/get_docker.sh Executable file
View File

@@ -0,0 +1,502 @@
#!/bin/sh
set -e
# Docker CE for Linux installation script
#
# See https://docs.docker.com/install/ for the installation steps.
#
# This script is meant for quick & easy install via:
# $ curl -fsSL https://get.docker.com -o get-docker.sh
# $ sh get-docker.sh
#
# For test builds (ie. release candidates):
# $ curl -fsSL https://test.docker.com -o test-docker.sh
# $ sh test-docker.sh
#
# NOTE: Make sure to verify the contents of the script
# you downloaded matches the contents of install.sh
# located at https://github.com/docker/docker-install
# before executing.
#
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
SCRIPT_COMMIT_SHA="3d8fe77c2c46c5b7571f94b42793905e5b3e42e4"
# The channel to install from:
# * nightly
# * test
# * stable
# * edge (deprecated)
DEFAULT_CHANNEL_VALUE="stable"
if [ -z "$CHANNEL" ]; then
CHANNEL=$DEFAULT_CHANNEL_VALUE
fi
DEFAULT_DOWNLOAD_URL="https://download.docker.com"
if [ -z "$DOWNLOAD_URL" ]; then
DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL
fi
DEFAULT_REPO_FILE="docker-ce.repo"
if [ -z "$REPO_FILE" ]; then
REPO_FILE="$DEFAULT_REPO_FILE"
fi
mirror=''
DRY_RUN=${DRY_RUN:-}
while [ $# -gt 0 ]; do
case "$1" in
--mirror)
mirror="$2"
shift
;;
--dry-run)
DRY_RUN=1
;;
--*)
echo "Illegal option $1"
;;
esac
shift $(( $# > 0 ? 1 : 0 ))
done
case "$mirror" in
Aliyun)
DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce"
;;
AzureChinaCloud)
DOWNLOAD_URL="https://mirror.azure.cn/docker-ce"
;;
esac
command_exists() {
command -v "$@" > /dev/null 2>&1
}
is_dry_run() {
if [ -z "$DRY_RUN" ]; then
return 1
else
return 0
fi
}
is_wsl() {
case "$(uname -r)" in
*microsoft* ) true ;; # WSL 2
*Microsoft* ) true ;; # WSL 1
* ) false;;
esac
}
is_darwin() {
case "$(uname -s)" in
*darwin* ) true ;;
*Darwin* ) true ;;
* ) false;;
esac
}
deprecation_notice() {
distro=$1
date=$2
echo
echo "DEPRECATION WARNING:"
echo " The distribution, $distro, will no longer be supported in this script as of $date."
echo " If you feel this is a mistake please submit an issue at https://github.com/docker/docker-install/issues/new"
echo
sleep 10
}
get_distribution() {
lsb_dist=""
# Every system that we officially support has /etc/os-release
if [ -r /etc/os-release ]; then
lsb_dist="$(. /etc/os-release && echo "$ID")"
fi
# Returning an empty string here should be alright since the
# case statements don't act unless you provide an actual value
echo "$lsb_dist"
}
add_debian_backport_repo() {
debian_version="$1"
backports="deb http://ftp.debian.org/debian $debian_version-backports main"
if ! grep -Fxq "$backports" /etc/apt/sources.list; then
(set -x; $sh_c "echo \"$backports\" >> /etc/apt/sources.list")
fi
}
echo_docker_as_nonroot() {
if is_dry_run; then
return
fi
if command_exists docker && [ -e /var/run/docker.sock ]; then
(
set -x
$sh_c 'docker version'
) || true
fi
your_user=your-user
[ "$user" != 'root' ] && your_user="$user"
# intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output
echo "If you would like to use Docker as a non-root user, you should now consider"
echo "adding your user to the \"docker\" group with something like:"
echo
echo " sudo usermod -aG docker $your_user"
echo
echo "Remember that you will have to log out and back in for this to take effect!"
echo
echo "WARNING: Adding a user to the \"docker\" group will grant the ability to run"
echo " containers which can be used to obtain root privileges on the"
echo " docker host."
echo " Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface"
echo " for more information."
}
# Check if this is a forked Linux distro
check_forked() {
# Check for lsb_release command existence, it usually exists in forked distros
if command_exists lsb_release; then
# Check if the `-u` option is supported
set +e
lsb_release -a -u > /dev/null 2>&1
lsb_release_exit_code=$?
set -e
# Check if the command has exited successfully, it means we're in a forked distro
if [ "$lsb_release_exit_code" = "0" ]; then
# Print info about current distro
cat <<-EOF
You're using '$lsb_dist' version '$dist_version'.
EOF
# Get the upstream release info
lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]')
dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]')
# Print info about upstream distro
cat <<-EOF
Upstream release is '$lsb_dist' version '$dist_version'.
EOF
else
if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then
if [ "$lsb_dist" = "osmc" ]; then
# OSMC runs Raspbian
lsb_dist=raspbian
else
# We're Debian and don't even know it!
lsb_dist=debian
fi
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
10)
dist_version="buster"
;;
9)
dist_version="stretch"
;;
8|'Kali Linux 2')
dist_version="jessie"
;;
esac
fi
fi
fi
}
semverParse() {
major="${1%%.*}"
minor="${1#$major.}"
minor="${minor%%.*}"
patch="${1#$major.$minor.}"
patch="${patch%%[-.]*}"
}
do_install() {
echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA"
if command_exists docker; then
docker_version="$(docker -v | cut -d ' ' -f3 | cut -d ',' -f1)"
MAJOR_W=1
MINOR_W=10
semverParse "$docker_version"
shouldWarn=0
if [ "$major" -lt "$MAJOR_W" ]; then
shouldWarn=1
fi
if [ "$major" -le "$MAJOR_W" ] && [ "$minor" -lt "$MINOR_W" ]; then
shouldWarn=1
fi
cat >&2 <<-'EOF'
Warning: the "docker" command appears to already exist on this system.
If you already have Docker installed, this script can cause trouble, which is
why we're displaying this warning and provide the opportunity to cancel the
installation.
If you installed the current Docker package using this script and are using it
EOF
if [ $shouldWarn -eq 1 ]; then
cat >&2 <<-'EOF'
again to update Docker, we urge you to migrate your image store before upgrading
to v1.10+.
You can find instructions for this here:
https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
EOF
else
cat >&2 <<-'EOF'
again to update Docker, you can safely ignore this message.
EOF
fi
cat >&2 <<-'EOF'
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
user="$(id -un 2>/dev/null || true)"
sh_c='sh -c'
if [ "$user" != 'root' ]; then
if command_exists sudo; then
sh_c='sudo -E sh -c'
elif command_exists su; then
sh_c='su -c'
else
cat >&2 <<-'EOF'
Error: this installer needs the ability to run commands as root.
We are unable to find either "sudo" or "su" available to make this happen.
EOF
exit 1
fi
fi
if is_dry_run; then
sh_c="echo"
fi
# perform some very rudimentary platform detection
lsb_dist=$( get_distribution )
lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')"
if is_wsl; then
echo
echo "WSL DETECTED: We recommend using Docker Desktop for Windows."
echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
echo
cat >&2 <<-'EOF'
You may press Ctrl+C now to abort this script.
EOF
( set -x; sleep 20 )
fi
case "$lsb_dist" in
ubuntu)
if command_exists lsb_release; then
dist_version="$(lsb_release --codename | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then
dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")"
fi
;;
debian|raspbian)
dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')"
case "$dist_version" in
10)
dist_version="buster"
;;
9)
dist_version="stretch"
;;
8)
dist_version="jessie"
;;
esac
;;
centos|rhel)
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
*)
if command_exists lsb_release; then
dist_version="$(lsb_release --release | cut -f2)"
fi
if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then
dist_version="$(. /etc/os-release && echo "$VERSION_ID")"
fi
;;
esac
# Check if this is a forked Linux distro
check_forked
# Run setup for each distro accordingly
case "$lsb_dist" in
ubuntu|debian|raspbian)
pre_reqs="apt-transport-https ca-certificates curl"
if [ "$lsb_dist" = "debian" ]; then
# libseccomp2 does not exist for debian jessie main repos for aarch64
if [ "$(uname -m)" = "aarch64" ] && [ "$dist_version" = "jessie" ]; then
add_debian_backport_repo "$dist_version"
fi
fi
if ! command -v gpg > /dev/null; then
pre_reqs="$pre_reqs gnupg"
fi
apt_repo="deb [arch=$(dpkg --print-architecture)] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL"
(
if ! is_dry_run; then
set -x
fi
$sh_c 'apt-get update -qq >/dev/null'
$sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null"
$sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | apt-key add -qq - >/dev/null"
$sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list"
$sh_c 'apt-get update -qq >/dev/null'
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
# Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/~ce~.*/g" | sed "s/-/.*/g").*-0~$lsb_dist"
search_command="apt-cache madison 'docker-ce' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst apt-cache madison results"
echo
exit 1
fi
search_command="apt-cache madison 'docker-ce-cli' | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3"
# Don't insert an = for cli_pkg_version, we'll just include it later
cli_pkg_version="$($sh_c "$search_command")"
pkg_version="=$pkg_version"
fi
fi
(
if ! is_dry_run; then
set -x
fi
if [ -n "$cli_pkg_version" ]; then
$sh_c "apt-get install -y -qq --no-install-recommends docker-ce-cli=$cli_pkg_version >/dev/null"
fi
$sh_c "apt-get install -y -qq --no-install-recommends docker-ce$pkg_version >/dev/null"
)
echo_docker_as_nonroot
exit 0
;;
centos|fedora|rhel)
yum_repo="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE"
if ! curl -Ifs "$yum_repo" > /dev/null; then
echo "Error: Unable to curl repository file $yum_repo, is it valid?"
exit 1
fi
if [ "$lsb_dist" = "fedora" ]; then
pkg_manager="dnf"
config_manager="dnf config-manager"
enable_channel_flag="--set-enabled"
disable_channel_flag="--set-disabled"
pre_reqs="dnf-plugins-core"
pkg_suffix="fc$dist_version"
else
pkg_manager="yum"
config_manager="yum-config-manager"
enable_channel_flag="--enable"
disable_channel_flag="--disable"
pre_reqs="yum-utils"
pkg_suffix="el"
fi
(
if ! is_dry_run; then
set -x
fi
$sh_c "$pkg_manager install -y -q $pre_reqs"
$sh_c "$config_manager --add-repo $yum_repo"
if [ "$CHANNEL" != "stable" ]; then
$sh_c "$config_manager $disable_channel_flag docker-ce-*"
$sh_c "$config_manager $enable_channel_flag docker-ce-$CHANNEL"
fi
$sh_c "$pkg_manager makecache"
)
pkg_version=""
if [ -n "$VERSION" ]; then
if is_dry_run; then
echo "# WARNING: VERSION pinning is not supported in DRY_RUN"
else
pkg_pattern="$(echo "$VERSION" | sed "s/-ce-/\\\\.ce.*/g" | sed "s/-/.*/g").*$pkg_suffix"
search_command="$pkg_manager list --showduplicates 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
pkg_version="$($sh_c "$search_command")"
echo "INFO: Searching repository for VERSION '$VERSION'"
echo "INFO: $search_command"
if [ -z "$pkg_version" ]; then
echo
echo "ERROR: '$VERSION' not found amongst $pkg_manager list results"
echo
exit 1
fi
search_command="$pkg_manager list --showduplicates 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'"
# It's okay for cli_pkg_version to be blank, since older versions don't support a cli package
cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)"
# Cut out the epoch and prefix with a '-'
pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)"
fi
fi
(
if ! is_dry_run; then
set -x
fi
# install the correct cli version first
if [ -n "$cli_pkg_version" ]; then
$sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version"
fi
$sh_c "$pkg_manager install -y -q docker-ce$pkg_version"
)
echo_docker_as_nonroot
exit 0
;;
*)
if [ -z "$lsb_dist" ]; then
if is_darwin; then
echo
echo "ERROR: Unsupported operating system 'macOS'"
echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
echo
exit 1
fi
fi
echo
echo "ERROR: Unsupported distribution '$lsb_dist'"
echo
exit 1
;;
esac
exit 1
}
# wrapped up in a function so that we have some protection against only getting
# half the file during "curl | sh"
do_install

24
roles/old/docker-nextcloud/files/nginx-selfsigned.crt Normal file
View File

@@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIEAzCCAuugAwIBAgIUAr99SgfwQjW0wJSay5rL7I8V6G4wDQYJKoZIhvcNAQEL
BQAwgZAxCzAJBgNVBAYTAkZSMRIwEAYDVQQIDAlCb3VyZ29nbmUxDjAMBgNVBAcM
BURpam9uMQwwCgYDVQQKDANHU0IxDjAMBgNVBAsMBWluZnJhMRcwFQYDVQQDDA5z
LW54ZWMuZ3NiLmxhbjEmMCQGCSqGSIb3DQEJARYXYXhlbC5tcmwuc2NvbEBnbWFp
bC5jb20wHhcNMjEwMzI5MDkzMTIxWhcNMjIwMzI5MDkzMTIxWjCBkDELMAkGA1UE
BhMCRlIxEjAQBgNVBAgMCUJvdXJnb2duZTEOMAwGA1UEBwwFRGlqb24xDDAKBgNV
BAoMA0dTQjEOMAwGA1UECwwFaW5mcmExFzAVBgNVBAMMDnMtbnhlYy5nc2IubGFu
MSYwJAYJKoZIhvcNAQkBFhdheGVsLm1ybC5zY29sQGdtYWlsLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+iB7H1clY8gwX6CQfBqU+V4gF4ZMmg
HMbnoPvWV0WOJlgyODh5xdE11iJBBby8VNdiruGNJCeLeI4WWUUkJJXMyeWNTM6/
JIZhVZI0UF042S/s8WdP+jls4aASkp0QH+XDs+758y5D9lRoX+At+bRZSC/Fz/tL
Y16e15F1+BxZeSWUEajHZIJZ79gm0UQxA9HdHAHpoWR05P74Fy6rnOsQNtBW4Jkt
xDb9CHRWNVjvbBuPsDwPTEOvMq94r5yWspHDhA3edvtAAJke5N9od4mN8KTJQouJ
O0ZzvOYIofr8iQM3981p9MuBUwtDNT7+ns22lDXeORoliOCG1gE25DsCAwEAAaNT
MFEwHQYDVR0OBBYEFJgtmIFxdyFe3vZ/a3UwxORCZiLiMB8GA1UdIwQYMBaAFJgt
mIFxdyFe3vZ/a3UwxORCZiLiMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBAJm7oJOJev7hh/G1xCPPyASWn9s9C9sb5zbxyq1gF5P6Br8Xof9OJ1ZE
XJaH1MwxxR+2Qhok6gERBSqpwe6jnreImOpqhHEQGdMWJvIRlvTPQmEj/mCoLGKf
DsIvl3ug4OfNqMojwYlGhsfQH92Qz2pnE88pLIT13y85c8TJHti2+GOxOTSxYLrs
lt3fYYjnSZ2mm9fLBcP/XgdCSTeN6XwpJr2b56sVh0uehFXnkgzjDd+PTGkIgnfT
/eXtX8+VbQIOSEOrIt0GneBZ3n37FSgz/y9TR5HgNKyt74oxbLsYR0qWpbCcEjw+
ex/v7vE3bXgPGE56NzhlM1Pjh90R9hI=
-----END CERTIFICATE-----

28
roles/old/docker-nextcloud/files/nginx-selfsigned.key Normal file
View File

@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvogex9XJWPIMF
+gkHwalPleIBeGTJoBzG56D71ldFjiZYMjg4ecXRNdYiQQW8vFTXYq7hjSQni3iO
FllFJCSVzMnljUzOvySGYVWSNFBdONkv7PFnT/o5bOGgEpKdEB/lw7Pu+fMuQ/ZU
aF/gLfm0WUgvxc/7S2NenteRdfgcWXkllBGox2SCWe/YJtFEMQPR3RwB6aFkdOT+
+Bcuq5zrEDbQVuCZLcQ2/Qh0VjVY72wbj7A8D0xDrzKveK+clrKRw4QN3nb7QACZ
HuTfaHeJjfCkyUKLiTtGc7zmCKH6/IkDN/fNafTLgVMLQzU+/p7NtpQ13jkaJYjg
htYBNuQ7AgMBAAECggEAfyHLbi7cL74nnZjrFnlBpIE7EpNiaWyDyBr8ta7mh0up
R+g6N+81mQXeVfc5PvAYfbxKGKyBAjr77eYRgnHyJZkSgB5y/ajwuHEWbvl9Pq2a
0Q0zhPQojY7aF3O6OwTkAf5Sbebx94hsc5cF55GAEeMa1LHcpethJ6nVIs8A5QtP
ZgGlfFkgGXp1GQPmeX1jQePSp8nqCftIwFPOuLcuQnisc282NCRHl3M+VlnUIZNL
fgRxalurrnaKf5P9DRvxiGlUJzoH1h0tgYbfUMpoRXdYYK3wjVbWWPROrS1c1yrl
17W004k8Fb++rUmQucQEtsiID/ymAMZPtiCG2IqvwQKBgQDjQGf8GFt04ypvoux/
acOMtHXaA1k1Fa6Gtvr3dCfhlm4dCxvHfAqWawW2GXrSajhVRe+vcqBMyKAY5G3a
O3nZNpFliMqbftzKkF6AThIgaDaGAzfr+I88urvX0od1+wzjzievOHOlbil3OriD
HrGmfO/xnnXkgHCQK2YjmhFeoQKBgQDF2fEp5HZAZFWy55LVlS6DIDFfK2DShCNf
ENcDp1YWz/PCbHTY0xXZ6T4TOX14YYmeZVZFCUcpWGQrfL+ogJhoM9iQFuzYrzMz
iYjgICeTJPLGQawC6CKVFcE7i6kjNie66IjEIZj1rS2zG/+WVTl95M8JxJO2U7a/
7JiYJiehWwKBgQCqxb6euisYJpHAPL3ebbtO5Fnf0D5cXwO9JopoJHjH1ITA/JUO
jo9iQ+CR3Inoz3uv0RNyVABUUzvEGPzYT3OcoJ4Yn/gpa+c9rcnmP0Tt54J5qLeA
c1QofeclI4c6SMOB+WznBtQZEDTG7XC0z/8OLrsdZkgPw9lS7doejOvaoQKBgGbV
azp561h2jfBp2nC2lDFFN0Qe2LkyQuwzZX4ZqG488ZZZJrZXqGDVkRUO6X77Ozsf
sqI5O0prDc1ojnk3NX/birEBqWLKVRNxZboQHGGnb6PKGGx+WRMh9ohLg8KwcB/+
oq9GQylWNI2GfOaXL0WW+mE6UggPJMpGX92c3zZHAoGAMOFoxUjjzsB0oJLTuYax
VKE7Jno24o5JeDRm69WS3E6boSZsIY/9r4jWtYiTbhwlTZpZMqad3h/zM/swHvVq
hh1BaHXBik/9rpnyTMZ9vo6UNyYo/TJPH3yrKwZbF4Cn2uWQoJCfDeo9VXdIEbEn
SwyeWd4Zkt/wvqmocF5KVqI=
-----END PRIVATE KEY-----

121
roles/old/docker-nextcloud/files/proxy Normal file
View File

@@ -0,0 +1,121 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 8080 default_server;
listen [::]:8080 default_server;
server_name s-nxec.gsb.lan;
return 302 https://$server_name$request_uri;
}
# location / {
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_pass http://localhost:5678;
# proxy_connect_timeout 900;
# proxy_send_timeout 900;
# proxy_read_timeout 900;
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name s-nxec.gsb.lan;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:5678;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
}
}
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
# root /var/www/html;
# Add index.php to the list if you are using PHP
# index index.html index.htm index.nginx-debian.html;
# server_name _;
# location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# }
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

100
roles/old/docker-nextcloud/files/proxy.bak Normal file
View File

@@ -0,0 +1,100 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 8080 default_server;
listen [::]:8080 default_server;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:5678;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
}
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
# root /var/www/html;
# Add index.php to the list if you are using PHP
# index index.html index.htm index.nginx-debian.html;
# server_name _;
# location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# }
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.3-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

2
roles/old/docker-nextcloud/files/self-signed.conf Normal file
View File

@@ -0,0 +1,2 @@
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

18
roles/old/docker-nextcloud/files/ssl-params.conf Normal file
View File

@@ -0,0 +1,18 @@
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 172.16.0.1 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

89
roles/old/docker-nextcloud/tasks/main.yml Normal file
View File

@@ -0,0 +1,89 @@
---
- name: Creation du repertoire nextcloud
file:
path: /root/nextcloud
state: directory
- name: Copie du script get_docker
copy:
src: get_docker.sh
dest: /root/nextcloud
- name: Execution du script get_docker
script: /root/nextcloud/get_docker.sh
- name: Installation de docker-compose
shell: curl -L "https://github.com/docker/compose/releases/download/1.28.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Attribution des droits de docker compose
file:
path: /usr/local/bin/docker-compose
mode: '755'
- name: Copie de docker-compose.yml
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/docker-compose.yml
dest: /root/nextcloud
- name: Execution du fichier docker-compose.yml
shell: docker-compose up -d
args:
chdir: /root/nextcloud
- name: Installation de Nginx
package:
name: nginx
state: present
- name: Copie de config.php dans /root/nextcloud/nextcloud/config
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/config.php
dest: /root/nextcloud/nextcloud/config
- name: Copie de nginx-selfsigned.key
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.key
dest: /etc/ssl/private
- name: Copie nginx-selfsigned.crt
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/nginx-selfsigned.crt
dest: /etc/ssl/certs
- name: Copie de dhparam.pem
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/dhparam.pem
dest: /etc/nginx
- name: Copie de self-signed.conf
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/self-signed.conf
dest: /etc/nginx/snippets
- name: Copie de ssl-params.conf
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/ssl-params.conf
dest: /etc/nginx/snippets
- name: Copie de /etc/nginx/site-availables/proxy
copy:
src: /root/tools/ansible/gsb2021/roles/docker-nextcloud/files/proxy
dest: /etc/nginx/sites-available
- name: Suppression de /etc/nginx/sites-enabled/default
file:
path: /etc/nginx/sites-enabled/default
state: absent
- name: Creation de lien symbolique avec /etc/nginx/sites-available/proxy dans /etc/n$
file:
src: /etc/nginx/sites-available/proxy
dest: /etc/nginx/sites-enabled/proxy
owner: root
group: root
state: link
- name: Redemarage de Nginx
service:
name: nginx
state: restarted

13
roles/old/docker-openvas-ab/files/fstab Normal file
View File

@@ -0,0 +1,13 @@
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /var/lib/containers ext4 defaults 0 0

2
roles/old/docker-openvas-ab/files/https_proxy.conf Normal file
View File

@@ -0,0 +1,2 @@
[Service]
Environment="HTTPS_PROXY=http://192.168.99.99:8080/"

3
roles/old/docker-openvas-ab/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart docker
service: name=docker state=restarted

77
roles/old/docker-openvas-ab/tasks/main.yml Normal file
View File

@@ -0,0 +1,77 @@
---
- name: Installation de apt-transport-https
apt: name=apt-transport-https state=present
- name: Installation de ca-certificates
apt: name=ca-certificates state=present
- name: Installation de gnupg2
apt: name=gnupg2 state=present
- name: Installation de software-properties-common
apt: name=software-properties-common state=present
- name: Installation de sudo
apt: name=sudo state=present
- name: Installation de docker
shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- name: Récupération des paquets docker-ce et docker-compose
shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- name: Création du répertoire docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
owner: root
group: root
mode: 0775
recurse: yes
- name: Copie https_proxy.conf
copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/
notify:
- restart docker
- name: Vérification des nouveaux paquets
shell: sudo apt-get update
- name: Installation de docker-ce
shell: sudo apt-get install -y docker-ce
- name: Installation de docker-compose
shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Modification des droits de docker-compose
shell: chmod +x /usr/local/bin/docker-compose
- name: Création du docker portainer_data
shell: docker volume create portainer_data
- name: Initialisation de portainer
shell: docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer
- name: Copie du fichier fstab
copy: src=fstab dest=/etc/
- name: Changement du système de fichier de /dev/sdb1 en ext4
shell: mkfs.ext4 /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
shell: mount /dev/sdb1 /var/lib/docker
- name: Installation d'OpenVAS
debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas puis redémarrer docker avec service docker restart"
#- name: Installation d'IredMail
#debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name iredmail lejmr/iredmail puis redémarrer docker avec service docker restart"
- name: Montage /dev/sdb1
debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h"
- name: Test docker
debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1"
- name: Démarrer le container
debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443"

58
roles/old/firewall-vpn-l-cs/files/iptables-vpn Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s9
IFINT=enp0s8
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

3
roles/old/firewall-vpn-l-cs/tasks/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: fichier parefeu pour VPN
copy: src=iptables-vpn dest=/root/

68
roles/old/firewall-vpn-l/files/ferm.conf Normal file
View File

@@ -0,0 +1,68 @@
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
@def $DEV_ADM = enp0s3;
@def $DEV_AG = enp0s8;
@def $DEV_VPN = enp0s9;
@def $NET_ADM=192.168.99.102/24;
@def $NET_AG=172.16.128.254/24;
@def $NET_VPN=192.168.0.52/24;
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# allow SSH connections
proto tcp dport ssh ACCEPT;
# allow DNS connections
proto udp sport domain ACCEPT;
proto udp dport domain ACCEPT;
# allow IPsec
interface ($DEV_AG $DEV_VPN) {
proto udp sport 500 ACCEPT;
proto udp dport 500 ACCEPT;
proto esp ACCEPT;
}
# Autoriser nat-t-ike
# interface ($DEV_AG) {
proto udp sport 4500 ACCEPT;
proto udp dport 5500 ACCEPT;
# }
# allow DNS connections
#interface ($DEV_INT) {
proto (udp tcp) dport domain ACCEPT;
#}
# autoriser NTP
proto udp sport 123 ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
# connection tracking
# mod state state INVALID DROP;
# mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}

58
roles/old/firewall-vpn-l/files/iptables-vpn Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s9
IFINT=enp0s8
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

3
roles/old/firewall-vpn-l/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: Restart ferm
service: name=ferm state=restarted

8
roles/old/firewall-vpn-l/tasks/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name : installer ferm
apt: name=ferm state=present
- name: fichier parefeu pour VPN
copy: src=ferm.conf dest=/etc/ferm/ferm.conf
notify:
- Restart ferm

58
roles/old/firewall-vpn-r-cs/files/iptables-vpn Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s8
IFINT=enp0s9
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

3
roles/old/firewall-vpn-r-cs/tasks/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: fichier parefeu pour VPN
copy: src=iptables-vpn dest=/root/

67
roles/old/firewall-vpn-r/files/ferm.conf Normal file
View File

@@ -0,0 +1,67 @@
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
@def $DEV_ADM = enp0s3;
@def $DEV_VPN = enp0s8;
@def $DEV_EXT = enp0s9;
@def $NET_ADM=192.168.99.112/24;
@def $NET_VPN=192.168.0.51/24;
@def $NET_EXT=192.168.1.2/24;
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# allow SSH connections
proto tcp dport ssh ACCEPT;
# allow DNS connections
proto udp sport domain ACCEPT;
proto udp dport domain ACCEPT;
# allow IPsec
interface ($DEV_VPN) {
proto udp sport 500 ACCEPT;
proto udp dport 500 ACCEPT;
proto esp ACCEPT;
}
# Autoriser nat-t-ike
interface ($DEV_VPN) {
proto udp sport 4500 ACCEPT;
proto udp dport 5500 ACCEPT;
}
# allow DNS connections
#interface ($DEV_INT) {
# proto (udp tcp) dport domain ACCEPT;
#}
# autoriser NTP
proto udp sport 123 ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
}
chain FORWARD {
policy ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}

58
roles/old/firewall-vpn-r/files/iptables-vpn Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s8
IFINT=enp0s9
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

3
roles/old/firewall-vpn-r/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: Restart ferm
service: name=ferm state=restarted

8
roles/old/firewall-vpn-r/tasks/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name : installer ferm
apt: name=ferm state=present
- name: fichier parefeu pour VPN
copy: src=ferm.conf dest=/etc/ferm/ferm.conf
notify:
- Restart ferm

3
roles/old/itil-cs/files/.my.cnf Normal file
View File

@@ -0,0 +1,3 @@
[client]
user=root
password=root

12
roles/old/itil-cs/files/glpi.conf Normal file
View File

@@ -0,0 +1,12 @@
DocumentRoot /var/www/glpi
<Directory /var/www/glpi>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
AuthType Basic
</Directory>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined
ErrorLog ${APACHE_LOG_DIR}/glpi_error.log

4
roles/old/itil-cs/files/script Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
chm= »/var/www/html/glpi/files/_dumps »
# Dump base GLPI
mysqldump -uroot -proot glpi |gzip > $chm/$(date +%Y-%m-%d).sql.gz

6
roles/old/itil-cs/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: restart apache2
service: name=apache2 state=restarted
- name: restart mysql-server
service: name=mysql-server state=restarted

65
roles/old/itil-cs/tasks/main.yml Normal file
View File

@@ -0,0 +1,65 @@
---
- name: Install apache2
apt: name=apache2 state=present update_cache=yes
notify:
- restart apache2
- name: Install php5
apt: name=php5 state=present update_cache=yes
- name: Install php5-mysql
apt: name=php5-mysql state=present update_cache=yes
- name: Install php5-gd
apt: name=php5-gd state=present update_cache=yes
- name: Install php5-curl
apt: name=php5-curl state=present update_cache=yes
- name: Install php5-imap
apt: name=php5-imap state=present update_cache=yes
- name: Install php5-ldap
apt: name=php5-ldap state=present update_cache=yes
- name: Download GLPI from Internet
copy: src=glpi-9.1.3.tgz dest=/var/www/
- name: Instructions
debug: msg="En cas de problemes, relancez le playbook une seconde fois."
- name: unpack tarball
unarchive: src=/var/www/glpi-9.1.3.tgz dest=/var/www/
- name: Fix permissions
shell: chown -R www-data:www-data /var/www/glpi/
- name: copy .my.cnf file with root password credentials
copy: src=.my.cnf dest=/root/tools/ansible/.my.cnf owner=root mode=0600
- name: Print web instructions
debug: msg="/!\ Se rendre sur http://adresse_ip_de_votre_serveur/glpi et suivre l'installation"
- name: Download Fusioninventory from Internet
copy: src=fusioninventory-for-glpi_0.85+1.3.tar.gz dest=/var/www/glpi/plugins
- name: unpack tarball
unarchive: src=/var/www/glpi/plugins/fusioninventory-for-glpi_0.85+1.3.tar.gz dest=/var/www/glpi/plugins
- name: Print web instructions
debug: msg="(i) Fusioninventory plugin installed in /var/www/glpi/plugins"
- name: copy glpi.conf
copy: src=glpi.conf dest=/etc/apache2/sites-available/
- name: activation du site glpi
shell: a2ensite glpi.conf
notify:
- restart apache2
- name: copie script
copy: src=script dest=/root/
- name: chmod
shell: chmod +x /root/script

4
roles/old/s-lb-ab/README.md Normal file
View File

@@ -0,0 +1,4 @@
##Installation du load-balancer
Ce rôle sert à installer HAproxy et de mettre un fichier de configuration avec les serveur web à répartir.
Ce rôle est utilisé par s-lb

5
roles/old/s-lb-ab/files/actu.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/bash
while true
do
curl 192.168.100.10
done

55
roles/old/s-lb-ab/files/haproxy.cfg Normal file
View File

@@ -0,0 +1,55 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend proxypublic
bind 192.168.100.10:80
default_backend fermeweb
backend fermeweb
balance roundrobin
option httpclose
#option httpchk HEAD / HTTP/1.0
server s-lb-web1 192.168.101.1:80 check
server s-lb-web2 192.168.101.2:80 check
server s-lb-web3 192.168.101.3:80 check
listen stats
bind *:8080
stats enable
stats uri /haproxy
stats auth admin:admin

3
roles/old/s-lb-ab/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart haproxy
service: name=haproxy state=restarted

29
roles/old/s-lb-ab/tasks/main.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Installation d'HAproxy
apt:
name:
- haproxy
state: present
- name: Copie du fichier de configuration
copy:
src: haproxy.cfg
dest: /etc/haproxy/haproxy.cfg
notify:
- restart haproxy
- name:
file:
path: /root/script
state: directory
- name: Copie du fichier actu.sh
copy:
src: actu.sh
dest: /root/script/
- name: On rend exécutable le script actu.sh
file:
path: /root/script/actu.sh
mode: 0777

11
roles/old/s-lb-bd-ab/README.txt Normal file
View File

@@ -0,0 +1,11 @@
Apres avoir lancer le bash pull config:
Creer un utilisateur autre que root dans la base de donnee
CREATE USER 'admin'@'localhost'IDENTIFIED BY 'Azerty1+';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost';
Puis executer le script dans files/installmysql.sh qui bloquera les connexions root en localhost et distantes
Enfin se connecter en tant que admin et creer un autre compte pour les utilisateurs
CREATE USER 'user'@'192.168.102.%'IDENTIFIED BY 'password';
Le % permet d'autoriser la connexion de tous les postes du reseau 192.168.102.0/24

3
roles/old/s-lb-bd-ab/files/.my.cnf Normal file
View File

@@ -0,0 +1,3 @@
[client]
user=root
password=root

16
roles/old/s-lb-bd-ab/files/installmysql.sh Executable file
View File

@@ -0,0 +1,16 @@
# Download and Install the Latest Updates for the OS
apt-get update && apt-get upgrade -y
# Install MySQL Server in a Non-Interactive mode. Default root password will be "root"
echo "mysql-server mysql-server/root_password password root" | debconf-set-selections
echo "mysql-server mysql-server/root_password_again password root" | debconf-set-selections
apt-get -y install mysql-server
# Run the MySQL Secure Installation wizard
mysql_secure_installation
sed -i 's/127\.0\.0\.1/0\.0\.0\.0/g' /etc/mysql/my.cnf
mysql -uroot -p -e 'USE mysql; UPDATE `user` SET `Host`="%" WHERE `User`="root" AND `Host`="localhost"; DELETE FROM `user` WHERE `Host` != "%" AND `User`="root"; FLUSH PRIVILEGES;'
service mysql restart

128
roles/old/s-lb-bd-ab/files/my.cnf Normal file
View File

@@ -0,0 +1,128 @@
#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
#
# * Fine Tuning
#
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Here you can see queries with especially long duration
#slow_query_log_file = /var/log/mysql/mysql-slow.log
#slow_query_log = 1
#long_query_time = 2
#log_queries_not_using_indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
#no-auto-rehash # faster start of mysql but no tab completition
[isamchk]
key_buffer = 16M
#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/

3
roles/old/s-lb-bd-ab/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart mysql-server
service: name=mysql-server state=restarted

3
roles/old/s-lb-web-ab/files/.my.cnf Normal file
View File

@@ -0,0 +1,3 @@
[client]
user=root
password=root

4
roles/old/s-lb-web-ab/files/compter.bash Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/bash
echo "" > /var/log/apache2/access.log
watch -n 0 wc -l /var/log/apache2/access.log

3
roles/old/s-lb-web-ab/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart apache2
service: name=apache2 state=restarted

26
roles/old/s-lb-web-ab/tasks/main.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: Install apache2 php php5-mysql et autres modules php
apt:
name:
- apache2
- php
- php-mysql
- php-gd
- php-zip
- php-mbstring
- php-curl
- php-imagick
- php-xml
state: present
- name: copie exports pour partage nfs wordpress
copy: src=compter.bash dest=/root
- name: Changement de permission pour compter.bash
shell: chmod a+x /root/compter.bash
#- name: Envoi d'index dans /var/www/
# copy: src=index.html dest=/var/www/
#- name: Install glusterfs client
# apt: pkg=glusterfs-client state=present update_cache=yes

3
roles/old/s-lb-web/README.md Normal file
View File

@@ -0,0 +1,3 @@
##Installation des serveurs web
Ce rôle sert à installer les paquets nécessaire pour WordPress sur les serveurs webs.

3
roles/old/s-lb-web/files/.my.cnf Normal file
View File

@@ -0,0 +1,3 @@
[client]
user=root
password=root

4
roles/old/s-lb-web/files/compter.bash Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/bash
echo "" > /var/log/apache2/access.log
watch -n 0 wc -l /var/log/apache2/access.log

3
roles/old/s-lb-web/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart apache2
service: name=apache2 state=restarted

12
roles/old/s-lb-web/tasks/main.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Installation des paquets
apt:
name :
- apache2
- php
- php-mysql
state: present

193
roles/old/snmp-cs/files/snmpd.conf Normal file
View File

@@ -0,0 +1,193 @@
###############################################################################
#
# EXAMPLE.conf:
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See the 'snmpd.conf(5)' man page for details
#
# Some entries are deliberately commented out, and will need to be explicitly activated
#
###############################################################################
#
# AGENT BEHAVIOUR
#
# Listen for connections from the local system only
#agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161
###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# Note that these particular settings don't actually belong here.
# They should be copied to the file /var/lib/snmp/snmpd.conf
# and the passwords changed, before being uncommented in that file *only*.
# Then restart the agent
# createUser authOnlyUser MD5 "remember to change this password"
# createUser authPrivUser SHA "remember to change this one too" DES
# createUser internalUser MD5 "this is only ever used internally, but still change the password"
# If you also change the usernames (which might be sensible),
# then remember to update the other occurances in this example config file to match.
###############################################################################
#
# ACCESS CONTROL
#
# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
# Full access from the local host
rocommunity public s-mon.gsb.adm
# Default access to basic system info
rocommunity public
# Full access from an example network
# Adjust this network address to match your local
# settings, change the community string,
# and check the 'agentAddress' setting above
#rocommunity secret 10.0.0.0/16
# Full read-only access for SNMPv3
rouser authOnlyUser
# Full write access for encrypted requests
# Remember to activate the 'createUser' lines above
#rwuser authPrivUser priv
# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ou]user and r[ow]community, together with suitable views, should cover most requirements
###############################################################################
#
# SYSTEM INFORMATION
#
# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Sitting on the Dock of the Bay
sysContact Me <me@example.org>
# Application + End-to-End layers
sysServices 72
#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1
# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file
#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%
# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5
# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
###############################################################################
#
# ACTIVE MONITORING
#
# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
#trap2sink localhost public
# send SNMPv2c INFORMs
#informsink localhost public
# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.
#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes
###############################################################################
#
# EXTENDING THE AGENT
#
#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3 /bin/sh /tmp/shtest
# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented
# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
# and nsExtendOutput2Table) to see the resulting output
# Note that the "extend" directive supercedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
# as well as the fuller results in the above tables.
#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl
# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.
# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output
#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master
#agentXSocket tcp:localhost:705

3
roles/old/snmp-cs/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart snmpd
service: name=snmpd state=restarted

14
roles/old/snmp-cs/tasks/main.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Installation snmpd
apt: name=snmpd state=present
- name: Installation snmp
apt: name=snmp state=present
- name: Copie du fichier snmpd.conf
copy: src=snmpd.conf dest=/etc/snmp/
notify:
- restart snmpd

47
roles/old/user-yb/tasks/main.yml Normal file
View File

@@ -0,0 +1,47 @@
---
- name: Installation des paquets
apt: name={{item}} state=present force=yes
with_items:
- dmidecode
- hwdata
- ucf
- hdparm
- perl
- libuniversal-require-perl
- libwww-perl
- libparse-edid-perl
- libproc-daemon-perl
- libfile-which-perl
- libhttp-daemon-perl
- libxml-treepp-perl
- libyaml-perl
- libnet-cups-perl
- libnet-ip-perl
- libdigest-sha-perl
- libsocket-getaddrinfo-perl
- libtext-template-perl
- name: Creation du repertoire fi
file: path=/root/fi state=directory owner=www-data group=www-data
- name: Installation de fusioninventory
get_url:
url: http://debian.fusioninventory.org/downloads/fusioninventory-agent_2.5-3_all.deb
dest: /root/fi
remote_src: yes
owner: www-data
group: www-data
- name: Installation du paquet .deb
apt:
deb: /root/fi/fusioninventory-agent_2.5-3_all.deb
- name: Configuration du fichier agent.cfg
replace:
dest: /etc/fusioninventory/agent.cfg
regexp: '#server = http://server.domain.com/glpi/plugins/fusioninventory/'
replace: 'server = http://172.16.0.9/plugins/fusioninventory/'
backup: yes
- debug:
msg: "Faire un systemectl restart fusioninventory-agent puis un reload"

23
roles/old/vpn-stg-l/files/ipsec.conf Normal file
View File

@@ -0,0 +1,23 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=192.168.0.52
leftsubnet=172.16.128.0/24
right=192.168.0.51
rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=start
keyexchange=ikev2
type=tunnel
#

8
roles/old/vpn-stg-l/files/ipsec.secrets Normal file
View File

@@ -0,0 +1,8 @@
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
192.168.0.52 192.168.0.51 : PSK 'root'

60
roles/old/vpn-stg-l/files/sysctl.conf Normal file
View File

@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

4
roles/old/vpn-stg-l/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart ipsec
service: name=ipsec state=restarted

21
roles/old/vpn-stg-l/tasks/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
#Installation ipsec strongswan côté gauche pour le fichier de secret partagé
- name: install strongswan, fichier secret partagé
apt: name=strongswan state=present
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
- name: Copie fichier ipsec.conf
copy: src=ipsec.conf dest=/etc/ipsec.conf
notify: restart ipsec
- name: Copie fichier ipsec.secrets
copy: src=ipsec.secrets dest=/etc/ipsec.secrets
notify: restart ipsec
- name: Message d'information
debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"

23
roles/old/vpn-stg-r/files/ipsec.conf Normal file
View File

@@ -0,0 +1,23 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=192.168.0.51
leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
right=192.168.0.52
rightsubnet=172.16.128.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=start
keyexchange=ikev2
type=tunnel
#

8
roles/old/vpn-stg-r/files/ipsec.secrets Normal file
View File

@@ -0,0 +1,8 @@
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
192.168.0.51 192.168.0.52 : PSK 'root'

60
roles/old/vpn-stg-r/files/sysctl.conf Normal file
View File

@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

4
roles/old/vpn-stg-r/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart ipsec
service: name=ipsec state=restarted

21
roles/old/vpn-stg-r/tasks/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
#Installation ipsec strongswan côté droit pour le fichier de secret partagé
- name: install strongswan, fichier secret partagé
apt: name=strongswan state=present
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
- name: Copie fichier ipsec.conf
copy: src=ipsec.conf dest=/etc/ipsec.conf
notify: restart ipsec
- name: Copie fichier ipsec.secrets
copy: src=ipsec.secrets dest=/etc/ipsec.secrets
notify: restart ipsec
- name: Message d'information
debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"

60
roles/old/vpn/files/sysctl.conf Normal file
View File

@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

6
roles/old/vpn/handlers/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
- name: restart racoon
service: name=racoon state=restarted
- name: restart setkey
service: name=setkey state=restarted

23
roles/old/vpn/tasks/main.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Installation Racoon
apt: name=racoon state=present update_cache=yes
- name: install ipsec-tools
apt: name=ipsec-tools state=present update_cache=yes
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: generation racoon.conf
template: src=racoon.conf.j2 dest=/etc/racoon/racoon.conf
- name: generation ipsec-tools.conf
template: src=ipsec-tools.conf.j2 dest=/etc/ipsec-tools.conf
notify: restart setkey
- name: generation psk.txt
template: src=psk.txt.j2 dest=/etc/racoon/psk.txt
notify: restart racoon
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf

9
roles/old/vpn/templates/ipsec-tools.conf.j2 Executable file
View File

@@ -0,0 +1,9 @@
flush;
spdflush;
spdadd {{ mynet }}/24 {{ remnet }}/24 any -P out ipsec
esp/tunnel/{{ ip1 }}-{{ remip }}/require;
spdadd {{ remnet }}/24 {{ mynet }}/24 any -P in ipsec
esp/tunnel/{{ remip }}-{{ ip1 }}/require;

2
roles/old/vpn/templates/psk.txt.j2 Normal file
View File

@@ -0,0 +1,2 @@
{{ remip }} secret

19
roles/old/vpn/templates/racoon.conf.j2 Normal file
View File

@@ -0,0 +1,19 @@
path pre_shared_key "/etc/racoon/psk.txt";
remote {{ remip }} {
exchange_mode main,aggressive;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address {{ mynet }}/24 any address {{ remnet }}/24 any {
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}

3
roles/old/wordpress/handlers/main.yml Normal file
View File

@@ -0,0 +1,3 @@
---
- name: restart apache2
service: name=apache2 state=restarted

40
roles/old/wordpress/tasks/main.yml Normal file
View File

@@ -0,0 +1,40 @@
---
- name: Téléchargement de wordpress
get_url:
url: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz
dest: /var/www/html
- name: Extraction du fichier wordpress
unarchive:
src: /var/www/html/wordpress-5.3.2-fr_FR.tar.gz
dest: /var/www/html
- name: Fix permissions owner
shell: chown -R www-data /var/www/html/wordpress
- name: Fix permissions groups
shell: chgrp -R www-data /var/www/html/wordpress
- name: Mettre à jour le site Apache par défaut
lineinfile:
dest: /etc/apache2/sites-enabled/000-default.conf
regexp: "(.)+DocumentRoot /var/www/html"
line: "DocumentRoot /var/www/html/wordpress"
- name: restart apache2
service:
name: apache2
state: restarted
- name: Mettre à jour le fichier de configuration WordPress
lineinfile:
dest: /var/www/html/wordpress/wp-config-sample.php
backup: yes
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
- {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
- {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
- {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}

25
roles/old/x509-l/files/ipsec.conf Normal file
View File

@@ -0,0 +1,25 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=192.168.0.52
leftsubnet=172.16.128.0/24
right=192.168.0.51
rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
#authby=secret
auto=start
keyexchange=ikev2
type=tunnel
leftcert=r-vp2Cert.pem
leftid="C=CH, O=GSB, CN=r-vp2"
rightid="C=CH, O=GSB, CN=r-vp1"

9
roles/old/x509-l/files/ipsec.secrets Normal file
View File

@@ -0,0 +1,9 @@
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc
#192.168.0.52 192.168.0.51 : PSK 'root'
: RSA r-vp2Key.pem

60
roles/old/x509-l/files/sysctl.conf Normal file
View File

@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

4
roles/old/x509-l/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart ipsec
service: name=ipsec state=restarted

21
roles/old/x509-l/tasks/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
#Installation ipsec strongswan côté gauche pour la communication via certificat
- name: 1. install strongswan, com via certificat
apt: name=strongswan state=present
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
- name: Copie fichier ipsec.conf
copy: src=ipsec.conf dest=/etc/ipsec.conf
notify: restart ipsec
- name: Copie fichier ipsec.secrets
copy: src=ipsec.secrets dest=/etc/ipsec.secrets
notify: restart ipsec
- name: Message d'information
debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"

19
roles/old/x509-r/files/generate.sh Executable file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=GSB, CN=Root CA" --outform pem > cacerts/strongswanCert.pem
ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp1Key.pem
chmod 600 private/r-vp1Key.pem
ipsec pki --pub --in private/r-vp1Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp1" --san r-vp1 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp1Cert.pem
ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp2Key.pem
chmod 600 private/r-vp2Key.pem
ipsec pki --pub --in private/r-vp2Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp2" --san r-vp2 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp2Cert.pem

25
roles/old/x509-r/files/ipsec.conf Normal file
View File

@@ -0,0 +1,25 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=192.168.0.51
leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
right=192.168.0.52
rightsubnet=172.16.128.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
#authby=secret
auto=start
keyexchange=ikev2
type=tunnel
leftcert=r-vp1Cert.pem
leftid="C=CH, O=GSB, CN=r-vp1"
rightid="C=CH, O=GSB, CN=r-vp2"

9
roles/old/x509-r/files/ipsec.secrets Normal file
View File

@@ -0,0 +1,9 @@
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc
#192.168.0.51 192.168.0.52 : PSK 'root'
: RSA r-vp1Key.pem

16
roles/old/x509-r/files/recupKey.sh Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
REMH=192.168.0.52
cd /etc/ipsec.d
scp cacerts/strongswanCert.pem root@$REMH:/etc/ipsec.d/cacerts
scp certs/r-vp2Cert.pem root@$REMH:/etc/ipsec.d/certs
scp certs/r-vp1Cert.pem root@$REMH:/etc/ipsec.d/certs
scp private/r-vp2Key.pem root@$REMH:/etc/ipsec.d/private
scp private/r-vp1Key.pem root@$REMH:/etc/ipsec.d/private

60
roles/old/x509-r/files/sysctl.conf Normal file
View File

@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

4
roles/old/x509-r/handlers/main.yml Normal file
View File

@@ -0,0 +1,4 @@
---
- name: restart ipsec
service: name=ipsec state=restarted

36
roles/old/x509-r/tasks/main.yml Normal file
View File

@@ -0,0 +1,36 @@
---
#Installation ipsec strongswan côté droit pour la communication via certificat
- name: install strongswan, com via certificat
apt: name=strongswan state=present
- name: install strongswan-pki
apt: name=strongswan-pki state=present
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
- name: Copie fichier ipsec.conf
copy: src=ipsec.conf dest=/etc/ipsec.conf
notify: restart ipsec
- name: Copie fichier ipsec.secrets
copy: src=ipsec.secrets dest=/etc/ipsec.secrets
notify: restart ipsec
- name: Copie fichier generate.sh
copy: src=generate.sh dest=/root/
- name: Generation de la CA et des certificats
shell: /bin/bash /root/generate.sh >> generate-log.txt
- name: Copie fichier recupKey.sh
copy: src=recupKey.sh dest=/root/
- name: Lancement recupKey.sh
shell: /bin/bash /root/recupKey.sh
- name: Message d'information
debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"