maj scipt python wireguard

README.md

@@ -1,2 +1,148 @@
 # gsb2024
 
+2024-01-17 18h04 ps
+
+Environnement et playbooks **ansible** pour le projet **GSB 2024**
+
+## Quickstart
+
+Prérequis : 
+  * une machine **Linux Debian Bookworm** ou **Windows**
+  * VirtualBox
+  * git 
+  * fichier machines virtuelles **ova** :
+    * **debian-bookworm-gsb-2023c.ova**
+    * **debian-bullseye-gsb-2024a.ova**
+
+
+## Les machines 
+
+  * **s-adm** : routeur adm, DHCP + NAT, déploiement, proxy squid 
+  * **s-infra** : DNS maitre, autoconfiguration navigateurs avec **wpad**
+  * **r-int** : routage, DHCP 
+  * **r-ext** : routage, NAT
+  * **s-proxy** : proxy **squid**
+  * **s-itil** : serveur GLPI
+  * **s-backup** : DNS esclave + sauvegarde s-win (SMB)
+  * **s-mon** : supervision avec **Nagios4**, notifications et syslog
+  * **s-fog** : deploiement postes de travail avec **FOG**
+  * **s-win** : Windows Server 2019, AD, DNS, DHCP, partage fichiers
+  * **s-nxc** : NextCloud avec **docker** via proxy inverse **traefik** et certificat auto-signé
+  * **s-elk** : pile **ELK** dockerisée
+  * **s-lb**  : Load Balancer **HaProxy** pour application Wordpress (DMZ)
+  * **r-vp1** : Routeur VPN Wireguard coté siège
+  * **r-vp2** : Routeur VPN Wireguard coté agence, DHCP
+  * **s-agence** : Serveur agence
+  * **s-lb**  : Load Balancer **HaProxy** pour application Wordpress 
+  * **s-lb-web1** : Serveur Wordpress 1 Load Balancer
+  * **s-lb-web2** : Serveur Wordpress 2 Load Balancer
+  * **s-lb-db** : Serveur Mariadb pour Wordpress
+  * **s-nas** : Serveur NFS pour application Wordpress avec LB
+  * **s-kea1** : Serveur DHCP Kea HA 1
+  * **s-kea2** : Serveur DHCP Kea HA 2
+
+
+## Les playbooks
+
+Il existe un playbook ansible pour chaque machine à installer, nommé comme la machine avec l'extension **.yml**
+
+## Installation
+
+On utilisera les images de machines virtuelle suivantes : 
+  * **debian-bookworm-gsb-2023c.ova** (2023-12-18)
+    * Debian Bookworm 12.4 - 2 cartes - 1 Go - Stockage 20 Go
+
+et pour **s-fog** : 
+  * **debian-bullseye-2024a.ova** (2024-01-06)
+    * Debian Bullseye 11.8 - 2 cartes - 1 Go - stockage 20 Go
+
+Les images **.ova** doivent etre stockées dans le répertoire habituel de téléchargement de l'utilisateur courant.
+
+### Création d'une VM
+
+Sur la machine physique, récupérer le dépot **gsb2024.git** avec :
+```shell
+   git clone https://gitea.lyc-lecastel.fr/gsb/gsb2024.git
+```
+
+On utilisera le script (bash) **mkvm** ou (PowerShell) **mkvm.ps1** pour créer une VM Virtualbox.
+
+```shell
+cd gsb2024/scripts
+mkvm -r s-adm
+
+```
+
+### Machine s-adm
+
+La machine **-sadm** est la première machine à installer.
+
+
+  * créer la machine virtuelle **s-adm** avec **mkvm** comme décrit plus haut.
+  * démarrer la VM puis ouvir une session
+  * utiliser le script de renommage comme suit :
+```shell
+bash chname <nouveau_nom_de_machine>` , puis redémarrer
+```
+  * utiliser le script **s-adm-start** : `bash s-adm-start` , puis redémarrer
+  * ou sinon :
+```shell
+    mkdir -p tools/ansible ; cd tools/ansible
+    git clone https://gitea.lyc-lecastel.fr/gsb/gsb2024.git
+    cd gsb2024/pre
+    bash inst-depl
+    cd /root/tools/ansible/gsb2024/pre
+    DEPL=192.168.99.99 bash gsbboot
+    cd ../.. ; bash pull-config
+```
+  - redémarrer
+  - la machine **s-adm** doit etre opérationnelle
+  
+### Pour chaque machine
+
+####  Etape 1 - Nommage machine
+
+  - créer la machine avec **mkvm -r**, les cartes réseau sont paramétrées par **mkvm** selon les spécifications 
+  - ouvrir une session sur la machine considérée
+  - renommer la machine soit
+     * en utilisant le script de renommage comme suit : 
+        ` /root/tools/ansible/gsb2024/scripts/chname <nouveau_nom_de_machine>`
+     * soit (ici on renomme la machine en **s-infra**) avec :  
+```shell
+export HOST=s-infra   
+curl 192.168.99.99/gsbstore/inst1|bash
+reboot # on redemarre
+``` 
+
+#### Etape 2 - installation outils, depot gsb2024 et lancement playbook
+
+  - utiliser le script **gsb-start** : `bash gsb-start`
+  - ou sinon:
+```shell
+curl 192.168.99.99/gsbstore/inst2|bash
+```
+  - le script recupere le dépot **gsb2024.git**
+  - il lance ensuite le script **pull-config** avec le script porant le nom de la machine
+  - on peut alors redémarrer
+
+#### Etape 3 - Redémarrage et tests
+
+  - redémarrer
+  - **Remarque** : une machine doit avoir été redémarrée pour prendre en charge la nouvelle configuration, en particulier la couche réseau et l'adressage.
+  - selon les situations, il est possible qu'un seul playbook ne soit pas suffisant pour installer complètement une machine. Dans ce cas de figure, le second playbook s'appelle **s-machine-post.yml**.
+Il est à lancer depuis ''tools/ansible/gsb2024'' :
+```shell
+ansible-playbook -i localhost, -c local s-machine-post.yml
+```
+
+## Les tests
+
+Il peuvent êtres mis en oeuvre avec **goss** de la façon suivante : chaque machine installée  dispose d'un fichier de test ad-hoc portant le nom de la machine elle-même (machine.yml).
+
+```
+cd tools/ansible/gsb2024
+bash agoss # lance le test portant le nom de la machine 
+```
+
+`bash agoss -f tap` permet de lancer le test avec le détail d'exécution
+

agoss

@@ -0,0 +1,11 @@
+#!/bin/bash
+HOST=$(hostname)
+FHOST=$(pwd)/goss/$HOST
+if [ -r "$FHOST".yaml ] ; then
+	#goss -gossfile "$FHOST".yaml v --no-color
+	goss -gossfile "$FHOST".yaml v "$@"
+else
+	echo $0 : erreur lecture fichier "$FHOST".yaml 
+	exit 1 
+fi
+

changelog

@@ -0,0 +1,7 @@
+v5.0.2.j : 2019-01-25 -kb
+  ejout role s-nas-cliet et s-nas-server
+v5.0.1 : 2019-01-24 - ps
+  reorganisation : anciens playbooks et roles deplaces dans repertoire old
+v3.2.0 : 2017-11-16 - ps 
+  ajout changelog
+

doc/Docker-openvas.txt

@@ -0,0 +1,38 @@
+Fichier de documentation fait par Adnan Baljic, le 31/01/2019
+
+Configuration machine:
+Système: Carte Mère: Mémoire Vive: 2048
+Stockage: Contrôleur SATA: Ajouter un disque dur VDI de 8Go
+Réseau 1: n-adm
+Réseau 2: n-infra
+USB: Décocher "Activer le contrôleur USB"
+
+Important: Avant exécution du playbook, veillez à ne pas oublier de créer une partition sur /dev/sdb:
+-fdisk /dev/sdb
+-o
+-n
+-p
+-1
+-w
+
+La configuration de docker se fait automatiquement via le playbook s-docker.yml
+De base, s-docker.yml installera seulement docker-openvas-ab. Cependant, vous pouvez aussi installer docker-iredmail-ab en décommentant sa ligne et en
+commentant la ligne docker-openvas-ab. (Tous les 2 sont accessible depuis le port 443, si les 2 sont installés en même temps, il pourrait y avoir conflit.
+
+Manipulation à faire pour la mise en place d'Openvas via Docker:
+Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
+les interfaces...) et exécuter la commande ci-dessous:
+docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas
+
+Manipulation à faire pour la mise en place d'Openvas via Docker:
+Après exécution de gsbboot et du pull-config, il faudra redémarrer la machine (prise en compte des modifications telles que
+les interfaces...) et exécuter la commande ci-dessous:
+docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas lejmr/iredmail
+
+Ensuite, il faudra faire: "docker start nom_du_container" pour le démarrer.
+L'accès au container se fait via une machine virtuelle windows 7 avec Mozilla Firefox à jour, via https://172.16.0.19:443.
+
+Le changement du système de fichier de /dev/sdb1 et le montage sur /var/lib/docker se fera automatiquement via le playbook.
+
+Les tests effectués:
+Jeudi 31 janvier 2019, 15:38 par Adnan Baljic= TEST OpenVAS OK

doc/icinga.txt

@@ -0,0 +1,3 @@
+Roles fait par Adnan Baljic, le 17/01/2019
+Installation de icinga, nagios3-plugins, copie des fichiers de configuration vers /etc/icinga/ (=commands.cfg, hostgroups.cfg) 
+et /etc/icinga/objects/ (=namevm.cfg, services_icinga.cfg, contacts_icinga.cfg)

doc/r-vp.txt

@@ -0,0 +1,23 @@
+Fichier de documentation fait par Adnan Baljic, le 24/01/2019
+
+Manipulation à faire pour la mise en place de r-vp1 et r-vp2:
+Après exécution de gsbboot et du pull-config, il faudra désactiver l'interface 
+de n-adm pour éviter une boucle. Pour cela, il suffit de faire "ifdown enp0sx"
+
+Pour ce qui est des tests pour vérifier que l'agence passe bien par le tunnel 
+chiffré, vous pouvez stopper le service ipsec ou strongswan ("service 
+strongswan stop" ou "service ipsec stop", cela revient à faire la même chose)
+
+Important: sur r-vp2, si la route par défaut est celui de s-adm, veuillez 
+supprimer cette route en faisant "route del default" sinon l'agence ne passera
+pas par le tunnel chiffré mais vers s-adm 
+cf. Schéma GSB/E4 - VPN/Infra - Version 1.2 - 2019-01-23
+
+La mise en place de strongswan via les certificats se fait via le playbook
+r-vpx-x509.yml. La manipulation ci-dessus n'est pas à faire pour les vpn avec
+certificat si r-vp2-x509 et r-vp1-x509 n'ont pas de route par défaut. Si ils ont
+une route par défaut, veuillez effectuer la même manipulation que pour r-vp2.
+Il faudra tout de même désactiver l'interface de n-adm sur les 2 r-vpx-x509.
+
+Les tests effectués:
+Jeudi 24 janvier 2019, 14:45 par Adnan Baljic= TEST OK

doc/s-fog.txt

@@ -0,0 +1,11 @@
+fichier de documentation réalier par Olivier Soares et Gaetan Maillard, le 25/01/2019
+
+Pour mettre en oeuvre le serveur fog, il faut déployer une machine virtuel debian (une ova), de la mettre à jour, de la renommer (s-fog), puis de récupérer gsbboot et faire un bash pull-config.
+
+Après avoir avoir fait l'installation de base, il suffit d'éxécuter le playbook "s-fog.yml" avec la commande ansible-playbooks -i hosts s-fog.yml". Ce playbook va récupérer le fichier d'installation de fog, le décompacter et configurer les différentes cartes réseaux de s-fog sachant qu'il y en a trois:
+
+L'interface enp0s3 permet d'avoir accès internet via le réseau "n-adm"
+L'interface enp0s8 permet de communiquer avec le réseau "n-infra"
+L'interface enp0s9 permet d'avoir accès et deployer des postes sur le réseau "n-user"
+
+Maintenant le serveur fog est prêt à être installer, avant de commencer l'installation il faut tout d'abord vérifier que l'accès à tous les réseaux soit correcte. Pour ça il suffit d'éxécuter le fichier de test goss

goss/list-goss

@@ -0,0 +1,12 @@
+cd goss/
+goss -g r-vp1.yaml v
+goss  -g r-vp1.yaml aa wireguard
+goss add interface enp0s3
+goss add interface enp0s8
+goss add interface enp0s9
+goss add interface wg0
+goss aa wireguard
+goss add package wireguard-tools
+goss add service wg-quick@wg0
+goss add command "ping -c4  10.0.0.2"
+goss add file "/etc/wireguard/wg0.conf"

goss/r-ext.yaml

@@ -0,0 +1,40 @@
+command:
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+  ping -c 4 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 4 172.16.0.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c 4 192.168.200.254:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.13/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.100.254/24
+  enp0s9:
+    exists: true
+  enp0s16:
+    exists: true
+    addrs:
+    - 192.168.200.253/24

goss/r-int.yaml

@@ -0,0 +1,35 @@
+package:
+  isc-dhcp-server:
+    installed: true
+service:
+  isc-dhcp-server:
+    enabled: true
+    running: true
+command:
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.12/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.200.254/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 172.16.65.254/24
+  enp0s10:
+    exists: true
+    addrs:
+    - 172.16.64.254/24
+  enp0s16:
+    exists: true
+    addrs:
+    - 172.16.0.254/24

goss/r-vp1-cs.yaml

@@ -0,0 +1,106 @@
+file:
+  /etc/ipsec.d/cacerts/strongswanCert.pem:
+    exists: true
+    mode: "0644"
+    size: 1834
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp1Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp2Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp1Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1675
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp2Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1679
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  strongswan:
+    installed: true
+    versions:
+    - 5.2.1-6+deb8u2
+service:
+  strongswan:
+    enabled: true
+    running: true
+user:
+  strongswan:
+    exists: true
+    uid: 112
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/strongswan
+    shell: /usr/sbin/nologin
+command:
+  Associations:
+    exit-status: 127
+    stdout: []
+    stderr:
+    - 'sh: 1: Associations: not found'
+    timeout: 10000
+  ip r|grep default:
+    exit-status: 0
+    stdout:
+    - default via 192.168.1.1 dev enp0s9
+    stderr: []
+    timeout: 10000
+  ipsec  listcacerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=Root CA"'
+    stderr: []
+    timeout: 10000
+  ipsec  listcerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=r-vp1"'
+    - 'subject:  "C=CH, O=GSB, CN=r-vp2"'
+    stderr: []
+    timeout: 10000
+  ipsec statusall|grep Security:
+    exit-status: 0
+    stdout:
+    - 'Security Associations (1 up, 0 connecting):'
+    stderr: []
+    timeout: 10000
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.0.51/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.1.2/24

goss/r-vp1-old.yaml

@@ -0,0 +1,106 @@
+file:
+  /etc/ipsec.d/cacerts/strongswanCert.pem:
+    exists: true
+    mode: "0644"
+    size: 1834
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp1Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp2Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp1Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1675
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp2Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1679
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  strongswan:
+    installed: true
+    versions:
+    - 5.2.1-6+deb8u2
+service:
+  strongswan:
+    enabled: true
+    running: true
+user:
+  strongswan:
+    exists: true
+    uid: 112
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/strongswan
+    shell: /usr/sbin/nologin
+command:
+  Associations:
+    exit-status: 127
+    stdout: []
+    stderr:
+    - 'sh: 1: Associations: not found'
+    timeout: 10000
+  ip r|grep default:
+    exit-status: 0
+    stdout:
+    - default via 192.168.1.1 dev enp0s9
+    stderr: []
+    timeout: 10000
+  ipsec  listcacerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=Root CA"'
+    stderr: []
+    timeout: 10000
+  ipsec  listcerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=r-vp1"'
+    - 'subject:  "C=CH, O=GSB, CN=r-vp2"'
+    stderr: []
+    timeout: 10000
+  ipsec statusall|grep Security:
+    exit-status: 0
+    stdout:
+    - 'Security Associations (1 up, 0 connecting):'
+    stderr: []
+    timeout: 10000
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.0.51/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.1.2/24

goss/r-vp1.yaml

@@ -0,0 +1,55 @@
+file:
+  /etc/wireguard/wg0.conf:
+    exists: true
+    mode: "0600"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  wireguard:
+    installed: true
+    versions:
+    - 1.0.20210914-1
+  wireguard-tools:
+    installed: true
+    versions:
+    - 1.0.20210914-1+b1
+service:
+  wg-quick@wg0:
+    enabled: true
+    running: true
+command:
+  host 192.168.99.99:
+    exit-status: 0
+    stdout:
+    - 99.99.168.192.in-addr.arpa domain name pointer s-adm.gsb.adm.
+    stderr: []
+    timeout: 10000
+  ping -c4  10.0.0.2:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.112/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.1.2/24
+    mtu: 1500
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.51/24
+    mtu: 1500
+  wg0:
+    exists: true
+    addrs:
+    - 10.0.0.1/32
+    mtu: 1420

goss/r-vp2-cs.yaml

@@ -0,0 +1,105 @@
+file:
+  /etc/ipsec.d/cacerts/strongswanCert.pem:
+    exists: true
+    mode: "0644"
+    size: 1834
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp1Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp2Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp1Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1675
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp2Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1679
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  strongswan:
+    installed: true
+    versions:
+    - 5.2.1-6+deb8u2
+service:
+  strongswan:
+    enabled: true
+    running: true
+user:
+  strongswan:
+    exists: true
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/strongswan
+    shell: /usr/sbin/nologin
+command:
+  Associations:
+    exit-status: 127
+    stdout: []
+    stderr:
+    - 'sh: 1: Associations: not found'
+    timeout: 10000
+  ip r|grep default:
+    exit-status: 0
+    stdout:
+    - default via 192.168.99.99 dev enp0s3
+    stderr: []
+    timeout: 10000
+  ipsec  listcacerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=Root CA"'
+    stderr: []
+    timeout: 10000
+  ipsec  listcerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=r-vp2"'
+    - 'subject:  "C=CH, O=GSB, CN=r-vp1"'
+    stderr: []
+    timeout: 10000
+  ipsec statusall|grep Security:
+    exit-status: 0
+    stdout:
+    - 'Security Associations (1 up, 0 connecting):'
+    stderr: []
+    timeout: 10000
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.128.254/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.52/24

goss/r-vp2-old.yaml

@@ -0,0 +1,105 @@
+file:
+  /etc/ipsec.d/cacerts/strongswanCert.pem:
+    exists: true
+    mode: "0644"
+    size: 1834
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp1Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/certs/r-vp2Cert.pem:
+    exists: true
+    mode: "0644"
+    size: 1509
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp1Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1675
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /etc/ipsec.d/private/r-vp2Key.pem:
+    exists: true
+    mode: "0600"
+    size: 1679
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  strongswan:
+    installed: true
+    versions:
+    - 5.2.1-6+deb8u2
+service:
+  strongswan:
+    enabled: true
+    running: true
+user:
+  strongswan:
+    exists: true
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/lib/strongswan
+    shell: /usr/sbin/nologin
+command:
+  Associations:
+    exit-status: 127
+    stdout: []
+    stderr:
+    - 'sh: 1: Associations: not found'
+    timeout: 10000
+  ip r|grep default:
+    exit-status: 0
+    stdout:
+    - default via 192.168.99.99 dev enp0s3
+    stderr: []
+    timeout: 10000
+  ipsec  listcacerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=Root CA"'
+    stderr: []
+    timeout: 10000
+  ipsec  listcerts|grep subject:
+    exit-status: 0
+    stdout:
+    - 'subject:  "C=CH, O=GSB, CN=r-vp2"'
+    - 'subject:  "C=CH, O=GSB, CN=r-vp1"'
+    stderr: []
+    timeout: 10000
+  ipsec statusall|grep Security:
+    exit-status: 0
+    stdout:
+    - 'Security Associations (1 up, 0 connecting):'
+    stderr: []
+    timeout: 10000
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 1
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.128.254/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.52/24

goss/r-vp2.yaml

@@ -0,0 +1,53 @@
+file:
+  /etc/wireguard/wg0.conf:
+    exists: true
+    mode: "0600"
+    size: 374
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  wireguard:
+    installed: true
+    versions:
+    - 1.0.20210914-1
+  wireguard-tools:
+    installed: true
+    versions:
+    - 1.0.20210914-1+b1
+service:
+  isc-dhcp-server:
+    enabled: true
+    running: true
+  wg-quick@wg0:
+    enabled: true
+    running: true
+command:
+  ping -c4 10.0.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.102/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.128.254/24
+    mtu: 1500
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.0.52/24
+    mtu: 1500
+  wg0:
+    exists: true
+    addrs:
+    - 10.0.0.2/32
+    mtu: 1420

goss/s-adm.yaml

@@ -0,0 +1,95 @@
+file:
+    /var/www/html/gsbstore/getall:
+        exists: true
+        mode: "0644"
+        owner: root
+        group: root
+        filetype: file
+        contents: []
+package:
+    dnsmasq:
+        installed: true
+    lighttpd:
+        installed: true
+        versions:
+            - 1.4.69-1
+    squid:
+        installed: true
+addr:
+    tcp://depl.sio.lan:80:
+        reachable: true
+        timeout: 500
+port:
+    tcp:53:
+        listening: true
+        ip:
+            - 0.0.0.0
+    tcp:80:
+        listening: true
+        ip:
+            - 0.0.0.0
+    tcp6:53:
+        listening: true
+        ip:
+            - '::'
+    tcp6:80:
+        listening: true
+        ip:
+            - '::'
+    udp:53:
+        listening: true
+        ip:
+            - 0.0.0.0
+    udp:67:
+        listening: true
+        ip:
+            - 0.0.0.0
+    udp6:53:
+        listening: true
+        ip:
+            - '::'
+service:
+    dnsmasq:
+        enabled: true
+        running: true
+    lighttpd:
+        enabled: true
+        running: true
+    squid:
+        enabled: true
+        running: true
+    ssh:
+        enabled: true
+        running: true
+user:
+    dnsmasq:
+        exists: true
+        gid: 65534
+        groups:
+            - nogroup
+        home: /var/lib/misc
+        shell: /usr/sbin/nologin
+command:
+    /sbin/sysctl net.ipv4.ip_forward:
+        exit-status: 0
+        stdout:
+            - net.ipv4.ip_forward = 1
+        stderr: []
+        timeout: 10000
+dns:
+    depl.sio.lan:
+        resolveable: true
+        resolvable: null
+        timeout: 500
+process:
+    dnsmasq:
+        running: true
+    lighttpd:
+        running: true
+    squid:
+        running: true
+interface:
+    enp0s8:
+        exists: true
+        addrs:
+            - 192.168.99.99/24

goss/s-agence.yaml

@@ -0,0 +1,19 @@
+command:
+  ip route |grep default:
+    exit-status: 0
+    stdout:
+    - default via 172.16.128.254 dev enp0s8
+    stderr: []
+    timeout: 10000
+  ping -c4 172.16.0.1:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+  ping -c4 172.16.128.254:
+    exit-status: 0
+    stdout:
+    -  0% packet loss
+    stderr: []
+    timeout: 10000

goss/s-appli.yaml

@@ -0,0 +1,35 @@
+service:
+  mariadb:
+    enabled: true
+    running: true
+
+  apache2:
+    enabled: true
+    running: true
+
+file:
+  /var/www/html/wordpress:
+    exists: true
+    owner: www-data
+    group: www-data
+    filetype: directory
+
+  /var/www/html/wordpress-5.8.2-fr_FR.tar.gz:
+    exists: true
+
+  /var/www/html/wordpress/wp-config-sample.php:
+    exists: true
+
+  /etc/apache2/sites-enabled/000-default.conf:
+    exists: true
+
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.3/24
+
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.3/24

goss/s-backup.yaml

@@ -0,0 +1,41 @@
+package:
+  bind9:
+    installed: true
+  cifs-utils:
+    installed: true
+  rsync:
+    installed: true
+  smbclient:
+    installed: true
+service:
+  bind9:
+    enabled: true
+    running: true
+  rsync:
+    enabled: true
+    running: false
+command:
+  ping -c4 ns.gsb.lan:
+    exit-status: 0
+    stdout:
+    - 0% packet loss
+    stderr: []
+    timeout: 10000
+#check si partage windows accesible
+  smbclient -L //s-win --user=uBackup%Azerty1+ | grep 'public':
+    exit-status: 0
+    stdout:
+    - public
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.4/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.4/24
+    mtu: 1500

goss/s-elk.yaml

@@ -0,0 +1,26 @@
+port:
+  tcp:5044:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:5601:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:9200:
+    listening: true
+    ip:
+    - 0.0.0.0
+service:
+  docker:
+    enabled: true
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.11/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.11/24

goss/s-fog.yaml

@@ -0,0 +1,77 @@
+file:
+    /tftpboot/default.ipxe:
+        exists: true
+        mode: "0644"
+        owner: root
+        group: root
+        filetype: file
+        contains: []
+        contents: null
+package:
+    apache2:
+        installed: true
+        versions:
+            - 2.4.56-1~deb11u2
+    isc-dhcp-server:
+        installed: true
+        versions:
+            - 4.4.1-2.3+deb11u2
+    mariadb-server:
+        installed: true
+        versions:
+            - 1:10.5.21-0+deb11u1
+    tftpd-hpa:
+        installed: true
+        versions:
+            - 5.2+20150808-1.2
+port:
+    tcp:80:
+        listening: true
+        ip:
+            - 0.0.0.0
+    tcp:443:
+        listening: true
+        ip:
+            - 0.0.0.0
+    udp:67:
+        listening: true
+        ip:
+            - 0.0.0.0
+    udp:69:
+        listening: true
+        ip:
+            - 0.0.0.0
+service:
+    apache2:
+        enabled: true
+        running: true
+    isc-dhcp-server:
+        enabled: true
+        running: true
+    nfs-server:
+        enabled: true
+        running: true
+    tftpd-hpa:
+        enabled: true
+        running: true
+command:
+    ping -c 4 192.168.99.99:
+        exit-status: 0
+        stdout:
+            - 0% packet loss
+        stderr: []
+        timeout: 10000
+    ping -c 4 google.fr:
+        exit-status: 0
+        stdout:
+            - 0% packet loss
+        stderr: []
+        timeout: 10000
+process:
+    apache2:
+        running: true
+interface:
+    enp0s9:
+        exists: true
+        addrs:
+            - 172.16.64.16/24

goss/s-infra.yaml

@@ -0,0 +1,90 @@
+package:
+  bind9:
+    installed: true
+  lighttpd:
+    installed: true
+addr:
+  tcp://192.168.99.99:8080:
+    reachable: true
+    timeout: 500
+port:
+  tcp:80:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp6:80:
+    listening: true
+    ip:
+    - '::'
+service:
+  bind9:
+    enabled: true
+    running: true
+  lighttpd:
+    enabled: true
+    running: true
+command:
+  host 172.16.0.2:
+    exit-status: 0
+    stdout:
+    - 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan.
+    stderr: []
+    timeout: 10000
+  host 172.16.0.9:
+    exit-status: 0
+    stdout:
+    - 9.0.16.172.in-addr.arpa domain name pointer s-itil.gsb.lan.
+    stderr: []
+    timeout: 10000
+  host free.fr:
+    exit-status: 0
+    stdout:
+    - free.fr has address 212.27.48.10
+    - free.fr has IPv6 address 2a01:e0c:1::1
+    - free.fr mail is handled by 10 mx1.free.fr.
+    - free.fr mail is handled by 20 mx2.free.fr.
+    stderr: []
+    timeout: 10000
+  host s-infra:
+    exit-status: 0
+    stdout:
+    - s-infra.gsb.lan has address 172.16.0.1
+    stderr: []
+    timeout: 10000
+  host s-infra.gsb.lan:
+    exit-status: 0
+    stdout:
+    - s-infra.gsb.lan has address 172.16.0.1
+    stderr: []
+    timeout: 10000
+  host s-mon:
+    exit-status: 0
+    stdout:
+    - s-mon.gsb.lan has address 172.16.0.8
+    stderr: []
+    timeout: 10000
+  host s-mon.gsb.lan:
+    exit-status: 0
+    stdout:
+    - s-mon.gsb.lan has address 172.16.0.8
+    stderr: []
+    timeout: 10000
+process:
+  lighttpd:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.1/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.1/24
+http:
+  http://localhost/wpad.dat:
+    status: 200
+    allow-insecure: false
+    no-follow-redirects: false
+    timeout: 5000
+    body: []

goss/s-itil.yaml

@@ -0,0 +1,87 @@
+file:
+    /etc/nginx/sites-enabled/default:
+        exists: false
+        contents: []
+    /etc/nginx/sites-enabled/glpi:
+        exists: true
+        mode: "0644"
+        owner: root
+        group: root
+        filetype: file
+        contents: []
+    /var/www/html/glpi:
+        exists: true
+        mode: "0755"
+        owner: www-data
+        group: www-data
+        filetype: directory
+        contents: []
+    /var/www/html/glpicli:
+        exists: true
+        mode: "0775"
+        owner: www-data
+        group: www-data
+        filetype: directory
+        contents: []
+    /var/www/html/glpicli/GLPI-Agent-1.7-x64.msi:
+        exists: true
+        mode: "0644"
+        owner: root
+        group: root
+        filetype: file
+        contents: []
+port:
+    tcp:22:
+        listening: true
+        ip:
+            - 0.0.0.0
+    tcp:80:
+        listening: true
+        ip:
+            - 0.0.0.0
+    tcp:3306:
+        listening: true
+        ip:
+            - 127.0.0.1
+    tcp:9000:
+        listening: true
+        ip:
+            - 127.0.0.1
+    tcp:10050:
+        listening: true
+        ip:
+            - 0.0.0.0
+service:
+    mariadb.service:
+        enabled: true
+        running: true
+    nginx:
+        enabled: true
+        running: true
+    php8.2-fpm.service:
+        enabled: true
+        running: true
+    ssh:
+        enabled: true
+        running: true
+    systemd-journal-upload:
+        enabled: true
+        running: true
+    zabbix-agent:
+        enabled: true
+        running: true
+http:
+    http://s-itil.gsb.lan/:
+        status: 200
+        allow-insecure: false
+        no-follow-redirects: false
+        timeout: 5000
+        body: []
+        username: glpi
+        password: glpi
+    http://s-itil.gsb.lan/glpicli:
+        status: 200
+        allow-insecure: false
+        no-follow-redirects: false
+        timeout: 5000
+        body: []

goss/s-lb-bd.yaml

@@ -0,0 +1,21 @@
+package:
+  mysql-server:
+    installed: true
+    versions:
+    - 5.5.54-0+deb8u1
+command:
+  egrep "#bind-address" /etc/mysql/my.cnf:
+    exit-status: 0
+    stdout:
+    - "#bind-address\t\t= 127.0.0.1"
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.13/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.102.50/24

goss/s-lb-web1.yaml

@@ -0,0 +1,63 @@
+package:
+  apache2:
+    installed: true
+    versions:
+    - 2.4.10-10+deb8u7
+  php5:
+    installed: true
+    versions:
+    - 5.6.29+dfsg-0+deb8u1
+port:
+  tcp:22:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp6:22:
+    listening: true
+    ip:
+    - '::'
+  tcp6:80:
+    listening: true
+    ip:
+    - '::'
+service:
+  apache2:
+    enabled: true
+    running: true
+  sshd:
+    enabled: true
+    running: true
+user:
+  sshd:
+    exists: true
+    uid: 105
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/run/sshd
+    shell: /usr/sbin/nologin
+command:
+  egrep 192.168.102.14:/export/www /etc/fstab:
+    exit-status: 0
+    stdout:
+    - 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0
+    stderr: []
+    timeout: 10000
+process:
+  apache2:
+    running: true
+  sshd:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.11/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.101.1/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.102.1/24

goss/s-lb-web2.yaml

@@ -0,0 +1,63 @@
+package:
+  apache2:
+    installed: true
+    versions:
+    - 2.4.10-10+deb8u7
+  php5:
+    installed: true
+    versions:
+    - 5.6.29+dfsg-0+deb8u1
+port:
+  tcp:22:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp6:22:
+    listening: true
+    ip:
+    - '::'
+  tcp6:80:
+    listening: true
+    ip:
+    - '::'
+service:
+  apache2:
+    enabled: true
+    running: true
+  sshd:
+    enabled: true
+    running: true
+user:
+  sshd:
+    exists: true
+    uid: 105
+    gid: 65534
+    groups:
+    - nogroup
+    home: /var/run/sshd
+    shell: /usr/sbin/nologin
+command:
+  egrep 192.168.102.14:/export/www /etc/fstab:
+    exit-status: 0
+    stdout:
+    - 192.168.102.14:/export/www /var/www/html nfs _netdev rw 0 0
+    stderr: []
+    timeout: 10000
+process:
+  apache2:
+    running: true
+  sshd:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.12/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.101.2/24
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.102.2/24

goss/s-lb.yaml

@@ -0,0 +1,28 @@
+port:
+  tcp:80:
+    listening: true
+    ip:
+    - 192.168.100.11
+service:
+  haproxy:
+    enabled: true
+    running: true
+  sshd:
+    enabled: true
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.100/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.100.11/24
+    mtu: 1500
+  enp0s9:
+    exists: true
+    addrs:
+    - 192.168.101.254/24
+    mtu: 1500

goss/s-lb.yaml.old

@@ -0,0 +1,65 @@
+file:
+  /etc/haproxy/haproxy.cfg:
+    exists: true
+    mode: "0644"
+    size: 1518
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  haproxy:
+    installed: true
+port:
+  tcp:80:
+    listening: true
+    ip:
+    - 192.168.100.10
+service:
+  haproxy:
+    enabled: true
+    running: true
+user:
+  haproxy:
+    exists: true
+    uid: 111
+    gid: 117
+    groups:
+    - haproxy
+    home: /var/lib/haproxy
+    shell: /bin/false
+group:
+  haproxy:
+    exists: true
+    gid: 117
+command:
+  egrep "balance\s+roundrobin" /etc/haproxy/haproxy.cfg:
+    exit-status: 0
+    stdout:
+    - balance roundrobin
+    stderr: []
+    timeout: 10000
+  egrep "bind\s+192.168.100.10:80" /etc/haproxy/haproxy.cfg:
+    exit-status: 0
+    stdout:
+    - bind 192.168.100.10:80
+    stderr: []
+    timeout: 10000
+  egrep "mode\s+http" /etc/haproxy/haproxy.cfg:
+    exit-status: 0
+    stdout:
+    - "mode\thttp"
+    stderr: []
+    timeout: 10000
+process:
+  haproxy:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.10/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 192.168.100.10/24

goss/s-mon.yaml

@@ -0,0 +1,92 @@
+package:
+  apache2:
+    installed: true
+  zabbix-server-mysql:
+    installed: true
+  zabbix-frontend-php:
+    installed: true
+  zabbix-apache-conf:
+    installed: true
+  zabbix-sql-scripts:
+    installed: true
+  zabbix-agent:
+    installed: true
+  mariadb-server:
+    installed: true
+  python3-pymysql:
+    installed: true
+  systemd-journal-remote:
+    installed: true
+file:
+  /etc/systemd/system/systemd-journal-remote.service:
+    exist: true
+    mode: "0777"
+    filetype: directory
+  /var/log/journal/remote:
+    exist: true
+    mode: "0777"
+    filetype: directory
+port:
+  tcp:80:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:3306:
+    listening: true
+    ip:
+    - 127.0.0.1
+  tcp:10050:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:10051:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:19532:
+    listening: true
+    ip:
+      - '*'
+service:
+  apache2:
+    enabled: true
+    running: true
+  zabbix-server:
+    enabled: true
+    running: true
+  zabbix-agent:
+    enabled: true
+    running: true
+  systemd-journal-remote.socket:
+    enabled: true
+    running: true
+command:
+  sysctl net.ipv4.ip_forward:
+    exit-status: 0
+    stdout:
+    - net.ipv4.ip_forward = 0
+    stderr: []
+    timeout: 10000
+process:
+  apache2:
+    running: true
+  zabbix_server:
+    running: true
+  mariadb:
+    running: true
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.8/24
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.8/24
+http:
+  http://localhost/zabbix:
+    status: 401
+    allow-insecure: false
+    no-follow-redirects: false
+    timeout: 5000
+    body: []

goss/s-proxy.yaml

@@ -0,0 +1,30 @@
+package:
+  squid:
+    installed: true
+port:
+  tcp:8080:
+    listening: true
+    ip:
+    - '0.0.0.0'
+service:
+  squid:
+    enabled: true
+    running: true
+command:
+  host 172.16.0.2:
+    exit-status: 0
+    stdout:
+    - 2.0.16.172.in-addr.arpa domain name pointer s-proxy.gsb.lan.
+    stderr: []
+    timeout: 10000
+interface:
+  enp0s3:
+    exists: true
+    addrs:
+    - 192.168.99.2/24
+    mtu: 1500
+  enp0s8:
+    exists: true
+    addrs:
+    - 172.16.0.2/24
+    mtu: 1500

gsbchk

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+filename=/root/tools/ansible/gsb/goss/$HOSTNAME.yaml
+
+if ! [ -e $filename ] ; then
+	echo gsbchk : erreur ouverture $filename
+	exit 1
+
+fi
+if [ $# == 1] ; then
+	goss -g $filename v
+else
+	goss $*
+fi

gsbstart

@@ -0,0 +1,179 @@
+#!/usr/bin/perl
+
+#use strict;
+#use warnings;
+#SCRIPT PERMETTANT DE METTRE LES INTERFACES APPROPRIEES POUR LA MACHINE ENTREE EN PARAMETRE ET DE LA DEMARRER
+my %machines = (
+             's-infra' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-proxy' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-spec' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-mon' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-mess' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-itil' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-proxy' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-backup' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             's-appli' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-infra'
+             },
+             'r-int' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-link',
+		    netif3 => 'n-wifi',
+		    netif4 => 'n-user',
+		    netif5 => 'n-infra'
+             },
+             'r-ext' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz',
+		    netif3 => 'enp0s3',
+                    netif4 => 'n-linkv',
+                    netif5 => 'n-link'
+             },
+             'r-vp2' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-agence',
+                    netif3 => 'enp0s3'
+             },
+             'r-vp1' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'enp0s3',
+                    netif3 => 'n-linkv' 
+             },
+             's-lb' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz',
+                    netif3 => 'n-dmz-lb'
+             },
+             's-lb-bd' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz-db'
+                    
+             },
+             's-lb-web1' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz-lb',
+                    netif3 => 'n-dmz-db'
+             },
+             's-lb-web2' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz-lb',
+                    netif3 => 'n-dmz-db'
+             },
+  	     's-nas' => {
+                    netif1 => 'n-adm',
+                    netif2 => 'n-dmz-db',
+             }
+
+
+
+
+
+
+
+);
+
+
+my ($net1, $net2, $net3, $net4, $net5);
+
+my $machine = shift;
+die "usage : gsbstart <machine>" unless ( $machine);
+
+#print $machines { $machine }  "\n";
+if (%{$machines{$machine}}) { 
+#	print $machines { $machine } {netif1}, "\n";
+        $net1   =  $machines { $machine } {netif1};
+        $net2   =  $machines { $machine } {netif2};
+	$net3   =  $machines { $machine } {netif3};
+        $net4   =  $machines { $machine } {netif4};
+        $net5   =  $machines { $machine } {netif5};
+
+	
+
+} else {
+	print "machine $machine inconnue\n";
+}
+#
+  
+my $ninfra = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\""; 
+
+my $rint = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\"";
+
+my $rext = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\nVBoxManage modifyvm ".$machine. " --nic4 intnet\nVBoxManage modifyvm ".$machine. " --intnet4 \"". $net4."\"\nVBoxManage modifyvm ".$machine. " --nic5 intnet\nVBoxManage modifyvm ".$machine. " --intnet5 \"". $net5."\"";
+
+my $rvp2 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net3."\n";
+
+my $rvp1 = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 bridged\nVBoxManage modifyvm ".$machine. " --bridgeadapter1 ". $net2 ."\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n";
+
+my $lb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 ". $net3."\n";
+
+my $lbbd ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n";
+
+my $lbweb = "VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\nVBoxManage modifyvm ".$machine. " --nic3 intnet\nVBoxManage modifyvm ".$machine. " --intnet3 \"". $net3."\"\n"; 
+
+my $snas ="VBoxManage modifyvm ".$machine. " --nic1 intnet\nVBoxManage modifyvm ".$machine. " --intnet1 \"". $net1."\"\nVBoxManage modifyvm ".$machine. " --nic2 intnet\nVBoxManage modifyvm ".$machine. " --intnet2 \"". $net2."\"\n";
+
+#print $routeur;
+
+
+if ($machine eq "r-int") {
+		qx($rint);
+		print "la création des interfaces du routeur $machine a fonctionné!\n";
+}else{
+	if ($machine eq "r-ext") {
+		qx($rext);
+	}else{
+		qx($ninfra);
+		print "la création des interfaces de $machine a fonctionné!\n";
+	}	
+}
+if ($machine eq "r-vp2") {
+	qx($rvp2);
+}
+if ($machine eq "r-vp1") {
+        qx($rvp1);
+}
+if ($machine eq "s-lb"){
+	qx($lb);
+}
+if ($machine eq "s-lb-web1"){
+	qx($lbweb);
+}
+if ($machine eq "s-lb-web2"){
+        qx($lbweb);
+}
+if ($machine eq "s-lb-bd"){
+        qx($lbbd);
+}
+if ($machine eq "s-nas"){
+        qx($snas);
+}
+
+qx(VBoxManage startvm $machine);	
+	
+
+

gsbstartl

@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+while ($_ = shift @ARGV) {
+	if ($_ eq "-a"){
+		qx(./gsbstart s-infra);
+		qx(./gsbstart s-spec);
+		qx(./gsbstart s-proxy);
+                qx(./gsbstart s-mon);
+                qx(./gsbstart s-mess);
+                qx(./gsbstart s-itil);
+                qx(./gsbstart s-backup);
+                qx(./gsbstart s-appli);
+                qx(./gsbstart r-vp1);
+                qx(./gsbstart r-vp2);
+                qx(./gsbstart r-int);
+                qx(./gsbstart r-ext);
+                qx(./gsbstart s-lb);
+                qx(./gsbstart s-lb-web-1);
+                qx(./gsbstart s-lb-web-2);
+                qx(./gsbstart s-lb-bd);
+
+	}else{
+                qx(./gsbstart $_);
+	}	
+}

lisezmoi.txt

@@ -0,0 +1,14 @@
+lisezmoi.txt
+------------
+
+Ce document décrit les divers élements du projet GSB du BTS SIO utilisé pour l'Epreuve E4
+
+
+Le projet GSB décrit les diférents playbooks permttant d'installer les
+machines du projet GSB
+
+Les répertoires : 
+
+- roles : les roles
+- goss : les outils de test
+

old/s-bdd.yml

@@ -0,0 +1,23 @@
+---
+ - hosts: localhost
+   connection: local
+   vars:
+        maria_dbhost: "192.168.102.254"
+        maria_dbname: "wordpress"
+        maria_dbuser: "wp"
+        maria_dbpasswd: "wp"
+
+
+   roles:
+     - base
+     - goss
+#    - s-lb-bd
+     - mariadb
+     - role: db-user
+       cli_ip: "192.168.102.1"
+     - role: db-user
+       cli_ip: "192.168.102.2"
+     - role: db-user
+       cli_ip: "192.168.102.3"     
+     - snmp-agent
+     - post

old/s-gestsup.yml

@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - base
+    - gestsup
+    - postfix-gestsup
+    - ssh-cli
+    # - syslog-cli
+    - snmp-agent
+    - post

old/s-graylog.yml

@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - base
+    - goss
+    - docker-graylog
+    - ssh-cli
+    - syslog
+    - post
+

old/s-lb-wordpress.yml

@@ -0,0 +1,18 @@
+---
+ - hosts: localhost
+   connection: local
+   vars:
+         wp_mysql_db: "wordpress"
+         wp_mysql_user: "wp"
+         wp_mysql_password: "wp"
+         wp_mysql_host: "192.168.102.50"
+
+   roles:
+     - base
+     - goss
+     - apache2
+     - s-lb-wordpress
+     - snmp-agent
+     - post
+     - mysql
+     - php-fpm

old/s-lb-wordpress2.yml

@@ -0,0 +1,18 @@
+---
+ - hosts: localhost
+   connection: local
+   vars:
+         wp_mysql_db: "wordpress"
+         wp_mysql_user: "wp"
+         wp_mysql_password: "wp"
+         wp_mysql_host: "192.168.102.50"
+
+   roles:
+     - base
+     - goss
+     - apache2
+     - s-lb-wordpress
+     - snmp-agent
+     - post
+     - mysql
+     - php-fpm

old/s-web.yml

@@ -0,0 +1,14 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - base
+    - apache2
+    - snmp-agent
+    - ssh-cli
+    - syslog-cli
+    - post
+    #- mysql
+    - wordpress
+

old/s-web1.yml

@@ -0,0 +1,11 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - base
+    - s-lb-web
+    - snmp-agent
+    - s-nas-client
+    - post
+

old/s-web2.yml

@@ -0,0 +1,11 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - base
+    - s-lb-web
+    - snmp-agent
+    - s-nas-client
+    - post
+

old/s-web3.yml

@@ -0,0 +1,11 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - base
+    - s-lb-web
+    - snmp-agent
+    - s-nas-client
+    - post
+

old/user-yb.yml

@@ -0,0 +1,9 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+    - base
+    - syslog-cli
+    - post
+    - db-user

pre/gsbboot

@@ -0,0 +1,54 @@
+#!/bin/bash
+version="1.8"
+__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+__file="${__dir}/$(basename "${BASH_SOURCE[0]}")"
+__base="$(basename ${__file})"
+__root="$(cd "$(dirname "${__dir}")" && pwd)" 
+echo "dir : ${__dir}"
+echo "file : ${__file}"
+echo "base : ${__base}"
+echo "root : ${__root}"
+
+# version 1.8
+# install git si besoin
+# install ansible si besoin + backports si wheezy
+
+readonly base=/root/tools/ansible
+readonly slist=/etc/apt/sources.list
+readonly host=depl
+if [[ -z ${DEPL+x} ]]; then
+  echo "erreur : DEPL indefini"
+  echo " DEPL : adresse serveur deploiement"
+  echo "export DEPL=xyzt ; ./$0"
+  exit 1
+fi
+
+hostf="${host}.local" 
+prj=gsb2024
+APT=apt
+
+which git >> /dev/null
+if [[ $? != 0 ]]; then
+	${APT} update
+	echo "installation de git ..."
+	${APT} install -y git-core
+fi
+${APT} update
+#${APT} upgrade -y
+
+which ansible >> /dev/null
+if [[ $? != 0 ]]; then
+	echo "installation de ansible ..."
+	${APT} install -y ansible 
+fi
+
+[ -e "${base}" ] || mkdir -p "${base}"
+
+grep "${hostf}" /etc/hosts > /dev/null || echo "${DEPL} ${hostf} ${host}" >> /etc/hosts
+cd "${base}"
+
+cp ${prj}/pull-config ${base}
+
+#echo "N'oubliez pasz d'indiquer l'adresse DEPL dans '/root/tools/ansible/pull-config'"
+echo "Vous pouvez lancer 'bash pull-config' depuis ${base} ..."
+

pre/inst-depl

@@ -0,0 +1,113 @@
+#!/bin/bash
+## aa : 2023-01-18 15:25
+## ps : 2023-02-01 15:25
+## ps : 2023-12-18 15:25
+## ps : 2024-01-17 15:25
+
+set -o errexit
+set -o pipefail
+GITUSR=gitgsb
+GITPRJ=gsb2024
+apt-get update 
+apt-get install -y lighttpd git 
+STOREREP="/var/www/html/gsbstore" 
+
+
+GLPIREL=10.0.11
+str="wget -nc -4 https://github.com/glpi-project/glpi/releases/download/${GLPIREL}/glpi-${GLPIREL}.tgz"
+
+#GLPI Agent
+
+GLPIAGVER=1.7
+str31="wget -nc -4 https://github.com/glpi-project/glpi-agent/releases/download/${GLPIAGVER}/GLPI-Agent-${GLPIAGVER}-x64.msi"
+
+#str32="wget -nc -4 https://github.com/glpi-project/glpi-agent/releases/download/${GLPIAGVER}/GLPI-Agent-${GLPIAGVER}-x86.msi"
+
+FOGREL=1.5.10
+str4="wget -nc -4 https://github.com/FOGProject/fogproject/archive/${FOGREL}.tar.gz -O fogproject-${FOGREL}.tar.gz"
+
+WPREL=6.4.2
+#v6.1.1 le 17/01/2023
+str5="wget -nc -4 https://fr.wordpress.org/latest-fr_FR.tar.gz -O wordpress-6.4.2-fr_FR.tar.gz"
+
+str6="wget -nc -4 https://github.com/goss-org/goss/releases/latest/download/goss-linux-amd64 -O goss"
+
+str7="wget -nc -4 https://github.com/goss-org/goss/releases/latest/download/dgoss -O dgoss"
+
+#GESTSUPREL=3.2.30
+#str8="wget -nc -4 'https://gestsup.fr/index.php?page=download&channel=stable&version=${GESTSUPREL}&type=gestsup' -O gestsup_${GESTSUPREL}.zip"
+str8="wget -nc -4 'https://gestsup.fr/index.php?page=download&channel=stable&version=3.2.30&type=gestsup' -O gestsup_3.2.30.zip"
+
+#METRICBEAT ET FILEBEAT
+ELKREL=8.11.3
+str81="wget -nc -4 https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-amd64.deb"
+str82="wget -nc -4 https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${ELKREL}-windows-x86_64.zip"
+str83="wget -nc -4 https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-windows-x86_64.zip"
+str84="wget -nc -4 https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-${ELKREL}-amd64.deb"
+
+
+[[ -d "${STOREREP}" ]] || mkdir "${STOREREP}"
+
+(cat <<EOT > "${STOREREP}/getall"
+#!/bin/bash
+
+${str}
+${str31}
+${str4}
+${str5}
+${str6}
+${str7}
+
+chmod +x ./goss ./dgoss
+
+wget -nc -4 https://get.docker.com -O getdocker.sh 
+chmod +x ./getdocker.sh
+
+wget -nc -4 https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64 -O mkcert
+chmod +x ./mkcert
+
+#${str8}
+
+${str81} 
+${str82} 
+${str83} 
+${str84} 
+
+EOT
+)
+
+cat "${STOREREP}/getall"
+
+cd "${STOREREP}" || exit 2
+bash getall
+cp goss /usr/local/bin
+
+(cat <<'EOT' > "${STOREREP}/inst1"
+#!/bin/bash
+if [[ -z "${HOST+x}" ]]; then
+  echo "erreur : variable HOST indefinie"
+  echo " HOST : adresse serveur deploiement"
+  echo "export HOST=s-xyzt ; ./$0"
+  exit 1
+fi
+
+hostname=$(hostname)
+echo "${HOST}" > /etc/hostname
+hostnamectl set-hostname "${HOST}"
+sed -i "s/${hostname}/${HOST}/g" /etc/hosts
+echo "vous pouvez redemarrer ..."
+EOT
+)
+
+(cat <<'EOT' > "${STOREREP}/inst2"
+#!/bin/bash
+
+mkdir -p ~/tools/ansible ; cd ~/tools/ansible
+git clone https://gitea.lyc-lecastel.fr/gsb/gsb2024.git
+cd gsb2024/pre
+DEPL=192.168.99.99 bash gsbboot
+cd ../.. ; bash pull-config
+EOT
+)
+
+

pre/mkmaster.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+apt update
+apt install -y curl sudo wget vim git ansible
+timedatectl set-timezone Europe/Paris
+echo bookworm > /etc/hostname
+
+cat > /etc/hosts << EOT
+127.0.0.1       localhost
+127.0.1.1       bookworm 
+127.0.0.1       localhost ip6-localhost ip6-loopback
+EOT
+
+apt autoclean
+apt autoremove
+

pre/pull-config

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+dir=/root/tools/ansible
+prj=gsb2024
+opt=""
+
+if [ -z ${UREP+x} ]; then 
+	UREP=https://gitea.lyc-lecastel.fr/gsb/gsb2024.git
+fi
+
+dir=/root/tools/ansible
+
+[ -e "${dir}" ] || mkdir -p "${dir}"
+
+cd  "${dir}" || exit 1
+
+if [[ $# == 1 ]] ; then
+	opt=$1
+fi
+if [[ "${opt}" == '-l'  ]] ; then
+	cd "${dir}/${prj}" || exit 2
+	echo "Execution locale ...."
+	ansible-playbook -i localhost, -c local  "$(hostname).yml"
+else
+	ansible-pull -i "$(hostname)," -U "${UREP}"
+fi
+
+exit 0

pull-config

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+dir=/root/tools/ansible
+prj=gsb2024
+opt=""
+
+if [ -z ${UREP+x} ]; then 
+	UREP=https://gitea.lyc-lecastel.fr/gsb/gsb2024.git
+fi
+
+dir=/root/tools/ansible
+
+[ -e "${dir}" ] || mkdir -p "${dir}"
+
+cd  "${dir}" || exit 1
+
+if [[ $# == 1 ]] ; then
+	opt=$1
+fi
+if [[ "${opt}" == '-l'  ]] ; then
+	cd "${dir}/${prj}" || exit 2
+	echo "Execution locale ...."
+	ansible-playbook -i localhost, -c local  "$(hostname).yml"
+else
+	ansible-pull -i "$(hostname)," -U "${UREP}"
+fi
+
+exit 0

r-ext.yml

@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+   - base
+   - goss
+   - r-ext
+   - snmp-agent
+   - ssh-cli
+   # - syslog-cli
+   - post

r-int.yml

@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+  connection: local
+
+  roles:
+   - base
+   - goss
+   - r-int
+   - ssh-cli
+   # - syslog-cli
+   - dhcp
+   - snmp-agent
+   - post

r-vp1-fw.yml

@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+  connection: local
+
+  vars:
+   - ip1: 192.168.0.51
+   - remip: 192.168.0.52
+   - mynet: 192.168.1.0
+   - remnet: 172.16.128.0
+
+  roles:
+   - fw-ferm
+   

r-vp1.yml

@@ -0,0 +1,19 @@
+---
+- hosts: localhost
+  connection: local
+
+  vars:
+   - ip1: 192.168.0.51
+   - remip: 192.168.0.52
+   - mynet: 192.168.1.0
+   - remnet: 172.16.128.0
+
+  roles:
+   - base
+   - goss
+#   - snmp-agent
+   - post
+   - wireguard-r
+   - ssh-cli
+   # - syslog-cli
+   

r-vp2-fw.yml

@@ -0,0 +1,12 @@
+---
+- hosts: localhost
+  connection: local
+
+  vars:
+   - ip1: 192.168.0.52
+   - remip: 192.168.0.51
+   - mynet: 172.16.128.0
+   - remnet: 192.168.1.0
+
+  roles:
+   - fw-ferm

r-vp2.yml

@@ -0,0 +1,21 @@
+---
+- hosts: localhost
+  connection: local
+
+  vars:
+   - ip1: 192.168.0.52
+   - remip: 192.168.0.51
+   - mynet: 172.16.128.0
+   - remnet: 192.168.1.0
+
+  roles:
+   - base
+   - goss
+   - dhcp-ag
+   - dns-agence
+   - ssh-root-access
+#   - snmp-agent
+   - wireguard-l
+   - post
+   - ssh-cli
+   # - syslog-cli

roles/appli/README.md

@@ -0,0 +1,4 @@
+## Fonctionnement du rôle appli
+  
+Ce rôle permet de créer un serveur wordpress avec MariaDB et apache.  
+Ce rôle permet aussi de créer la base de donnée nécessaire pour wordpress.  

roles/appli/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: restart apache
+  service: name=apache2 state=restarted
+  become: yes

roles/appli/tasks/main.yml

@@ -0,0 +1,72 @@
+
+---
+- name: Installation des packets
+  apt:
+    state: present
+    name:
+    - php
+    - php-fpm
+    - php-mbstring
+    - php-ssh2
+    - php-gd
+    - php-mysql
+    - python3-mysqldb
+    - libapache2-mod-php
+    - mariadb-server
+    - apache2 
+    - python3
+
+- name: Création du répertoire pour wordpress
+  file:
+    path: /var/www/html/wordpress
+    state: directory
+
+- name: Téléchargement de wordpress
+  get_url:
+    url: http://s-adm.gsb.adm/gsbstore/wordpress-5.8.2-fr_FR.tar.gz
+    dest: /var/www/html
+
+- name: Extraction du fichier wordpress
+  unarchive:
+    src: /var/www/html/wordpress-5.8.2-fr_FR.tar.gz
+    dest: /var/www/html
+
+- name: Fix permissions owner
+  shell: chown -R www-data /var/www/html/wordpress
+
+- name: Fix permissions groups
+  shell: chgrp -R www-data /var/www/html/wordpress
+
+- name: Mettre à jour le site Apache par défaut
+  lineinfile:
+    dest: /etc/apache2/sites-enabled/000-default.conf
+    regexp: "(.)+DocumentRoot /var/www/html"
+    line: "DocumentRoot /var/www/html/wordpress"
+
+- name: restart apache2
+  service:
+    name: apache2
+    state: restarted
+
+- name: Mettre à jour le fichier de configuration WordPress
+  lineinfile:
+    dest: /var/www/html/wordpress/wp-config-sample.php
+    backup: yes
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
+    - {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
+    - {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
+    - {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
+
+- name: Création de la base de donnée mysql
+  mysql_db:
+    name: wordpress
+    state: present
+
+- name: Création de l'utilisateur mysql
+  mysql_user:
+    name: wordpress
+    password: wp
+    priv: "*.*:ALL"

roles/base/files/apt.conf

@@ -0,0 +1 @@
+Acquire::http::Proxy "http://192.168.99.99:8080";

roles/base/files/resolv.conf

@@ -0,0 +1,4 @@
+domain gsb.lan
+search gsb.lan
+nameserver 192.168.99.99
+

roles/base/files/sources.list

@@ -0,0 +1,4 @@
+deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+

roles/base/files/sources.list.Debian

@@ -0,0 +1,4 @@
+deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+

roles/base/files/sources.list.Ubuntu

@@ -0,0 +1,13 @@
+#------------------------------------------------------------------------------#
+#                            OFFICIAL UBUNTU REPOS                             #
+#------------------------------------------------------------------------------#
+
+
+###### Ubuntu Main Repos
+deb http://fr.archive.ubuntu.com/ubuntu/ wily main restricted universe 
+
+###### Ubuntu Update Repos
+deb http://fr.archive.ubuntu.com/ubuntu/ wily-security main restricted universe 
+deb http://fr.archive.ubuntu.com/ubuntu/ wily-updates main restricted universe 
+
+

roles/base/files/sources.list.bookworm

@@ -0,0 +1,4 @@
+deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+

roles/base/files/sources.list.bullseye

@@ -0,0 +1,4 @@
+deb http://deb.debian.org/debian/ bullseye main non-free contrib
+deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
+

roles/base/files/sources.list.buster

@@ -0,0 +1,9 @@
+
+#deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
+#deb http://security.debian.org/ stretch/updates main
+#deb http://ftp.fr.debian.org/debian/ stretch-updates main
+
+deb http://deb.debian.org/debian/ buster main contrib non-free
+deb http://security.debian.org/debian-security buster/updates main contrib non-free
+deb http://deb.debian.org/debian/ buster-updates main contrib non-free
+

roles/base/files/sources.list.jessie

@@ -0,0 +1,22 @@
+# 
+
+# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
+
+#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ jessie main
+
+
+deb http://ftp.fr.debian.org/debian/ jessie main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ jessie main
+
+deb http://security.debian.org/ jessie/updates main
+#deb-src http://security.debian.org/ jessie/updates main
+
+deb http://ftp.fr.debian.org/debian/ jessie-updates main
+#deb-src http://ftp.fr.debian.org/debian/ jessie-updates main
+#deb http://backports.debian.org/debian-backports jessie-backports main
+#deb http://packages.steve.org.uk/slaughter/jessie/ ./
+#deb https://rex.linux-files.org/debian/ jessie rex
+
+
+#deb http://http.debian.net/debian jessie-backports main
+

roles/base/files/sources.list.wheezy

@@ -0,0 +1,22 @@
+# 
+
+# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
+
+#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official i386 NETINST Binary-1 20110205-14:34]/ wheezy main
+
+
+deb http://ftp.fr.debian.org/debian/ wheezy main contrib non-free
+#deb-src http://ftp.fr.debian.org/debian/ wheezy main
+
+deb http://security.debian.org/ wheezy/updates main
+#deb-src http://security.debian.org/ wheezy/updates main
+
+deb http://ftp.fr.debian.org/debian/ wheezy-updates main
+#deb-src http://ftp.fr.debian.org/debian/ wheezy-updates main
+#deb http://backports.debian.org/debian-backports wheezy-backports main
+#deb http://packages.steve.org.uk/slaughter/wheezy/ ./
+#deb https://rex.linux-files.org/debian/ wheezy rex
+
+
+deb http://http.debian.net/debian wheezy-backports main
+

roles/base/tasks/main.yml

@@ -0,0 +1,83 @@
+---
+
+- name: desactive unatentted upgrade
+  ansible.builtin.service:
+    name: unattended-upgrades.service
+    state: stopped
+    enabled: false
+
+- name: Copie sources.list
+  copy:
+    src: sources.list.{{ ansible_distribution_release }}
+    dest: /etc/apt/sources.list
+
+- name: Copie apt.conf pour proxy 
+  copy:
+    src: apt.conf
+    dest: /etc/apt/apt.conf
+  when: ansible_hostname != "s-adm"    
+
+#- name: Sysctl desactive ipv6
+#  sysctl:
+#    name: net.ipv6.conf.all.disable_ipv6
+#    value: 1
+#    sysctl_set: yes
+#    state: present
+#    reload: yes
+
+- name: Update + Upgrade
+  apt:
+    upgrade: yes
+    update_cache: yes
+    cache_valid_time: 86400 #One day
+
+- name: Install paquets
+  apt:
+    state: present
+    name: 
+    - vim 
+    - ntp 
+    - mc
+    - tcpdump
+    - curl
+    - net-tools
+    - rsync
+    - sudo
+    - iptables
+
+- name: Desinstall paquets
+  apt:
+    state: absent
+    name: 
+    - nfs-common 
+    - rpcbind 
+    - bluetooth
+
+- name: Configure Vim
+  alternatives:
+    name: editor
+    path: /usr/bin/vim
+
+- name:  Generation /etc/hosts
+  template:
+    src: hosts.j2
+    dest: /etc/hosts
+  when: ansible_hostname != "s-proxy"
+
+- name:  Generation /etc/hosts pour s-proxy
+  template:
+    src: hosts.s-proxy.j2
+    dest: /etc/hosts
+  when: ansible_hostname == "s-proxy"
+
+- name: Desactive IPV6 avec sysctl
+  sysctl:
+    name: "{{ item }}"
+    value: 1
+    state: present
+    reload: yes
+  with_items:
+    - net.ipv6.conf.all.disable_ipv6
+    - net.ipv6.conf.default.disable_ipv6
+    - net.ipv6.conf.lo.disable_ipv6
+

roles/base/templates/hosts.j2

@@ -0,0 +1,37 @@
+127.0.0.1       localhost
+127.0.1.1       {{ ansible_nodename }}.gsb.lan {{ ansible_hostname }}
+127.0.0.1       localhost ip6-localhost ip6-loopback
+
+#10.121.38.10	depl.sio.lan depl
+
+192.168.99.99	s-adm.gsb.adm depl.sio.lan depl
+192.168.99.1	s-infra.gsb.adm
+192.168.99.2	s-proxy.gsb.adm
+192.168.99.3	s-appli.gsb.adm
+192.168.99.4	s-backup.gsb.adm
+192.168.99.5	s-puppet.gsb.adm
+192.168.99.6	s-win.gsb.adm 
+192.168.99.7	s-nxc.gsb.adm
+192.168.99.8	s-mon.gsb.adm
+192.168.99.9	s-itil.gsb.adm
+192.168.99.10	s-lb.gsb.adm
+192.168.99.11	s-elk.gsb.adm
+192.168.99.10	s-dns.gsb.adm
+192.168.99.12	r-int.gsb.adm
+192.168.99.13	r-ext.gsb.adm
+192.168.99.14	s-nas.gsb.adm
+192.168.99.15	s-san.gsb.adm
+192.168.99.16	s-fog.gsb.adm
+192.168.99.20	s-kea1.gsb.adm
+192.168.99.21	s-kea2.gsb.adm
+192.168.99.22	s-awx.gsb.adm
+192.168.99.50	s-lb-bd.gsb.adm
+192.168.99.101	s-lb-web1.gsb.adm
+192.168.99.102	s-lb-web2.gsb.adm
+192.168.99.103	s-lb-web3.gsb.adm
+192.168.99.112  r-vp1.gsb.adm
+192.168.99.102  r-vp2.gsb.adm
+192.168.99.120  s-peertube.gsb.adm
+
+192.168.99.8	syslog.gsb.adm
+

roles/base/templates/hosts.s-proxy.j2

@@ -0,0 +1,35 @@
+127.0.0.1       localhost
+127.0.1.1       {{ ansible_nodename }} {{ ansible_hostname }}
+127.0.0.1       localhost ip6-localhost ip6-loopback
+172.16.0.2	s-proxy.gsb.lan s-proxy
+
+#10.121.38.10	depl
+
+192.168.99.99	s-adm.gsb.adm depl
+192.168.99.1	s-infra.gsb.adm
+192.168.99.2	s-proxy.gsb.adm
+192.168.99.3	s-appli.gsb.adm
+192.168.99.4	s-backup.gsb.adm
+192.168.99.5	s-puppet.gsb.adm
+192.168.99.6	s-win.gsb.adm 
+192.168.99.7	s-nxc.gsb.adm
+192.168.99.8	s-mon.gsb.adm
+192.168.99.9	s-itil.gsb.adm
+192.168.99.10	s-lb.gsb.adm
+192.168.99.11	s-elk.gsb.adm
+192.168.99.10	s-dns.gsb.adm
+192.168.99.12	r-int.gsb.adm
+192.168.99.13	r-ext.gsb.adm
+192.168.99.14	s-nas.gsb.adm
+192.168.99.20	s-kea1.gsb.adm
+192.168.99.21	s-kea2.gsb.adm
+192.168.99.22	s-awx.gsb.adm
+192.168.99.50	s-lb-bd.gsb.adm
+192.168.99.101	s-lb-web1.gsb.adm
+192.168.99.102	s-lb-web2.gsb.adm
+192.168.99.103	s-lb-web3.gsb.adm
+192.168.99.112  r-vp1.gsb.adm
+192.168.99.102  r-vp2.gsb.adm
+192.168.99.120  s-peertube.gsb.adm
+192.168.99.8	syslog.gsb.adm
+

roles/dhcp-ag/files/dhcpd.conf

@@ -0,0 +1,152 @@
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+option domain-name "gsb.lan";
+option domain-name-servers 172.16.0.1;
+
+default-lease-time 86400;
+max-lease-time 86400;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+#  range 10.254.239.10 10.254.239.20;
+#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.fugue.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.fugue.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}
+
+#DHCP pour le réseau wifi
+#subnet 172.16.65.0 netmask 255.255.255.0 {
+#	range 172.16.65.1 172.16.65.100;
+#  	option domain-name-servers ns1.internal.example.org;
+#  	option domain-name "internal.example.org";
+#  	option routers 10.5.5.1;
+#  	option broadcast-address 10.5.5.31;
+#  	default-lease-time 600;
+#  	max-lease-time 7200;
+#}
+
+#DHCP pour le réseau USER
+
+#subnet 172.16.64.0 netmask 255.255.255.0 {
+#        range 172.16.64.20 172.16.64.120;
+#        option domain-name-servers 172.16.0.6, 172.16.0.1 ;
+#        option routers 172.16.64.254;
+#        option broadcast-address 172.16.64.255;
+#       default-lease-time 600;
+#       max-lease-time 7200;
+#}
+
+#DHCP pour le réseau INFRA
+
+#subnet 172.16.0.0 netmask 255.255.255.0 {
+#        range 172.16.0.1 172.16.0.100;
+#       option domain-name-servers ns1.internal.example.org;
+#       option domain-name "internal.example.org";
+#       option routers 10.5.5.1;
+#       option broadcast-address 10.5.5.31;
+#       default-lease-time 600;
+#       max-lease-time 7200;
+#}
+
+#DHCP pour le réseau AGENCE
+
+subnet 172.16.128.0 netmask 255.255.255.0 {
+	range 172.16.128.10 172.16.128.50;
+	option domain-name-servers 172.16.0.1;
+	option routers 172.16.128.254;
+	option broadcast-address 172.16.128.255;
+	default-lease-time 86400;
+	max-lease-time 86400;
+}

roles/dhcp-ag/files/isc-dhcp-server

@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s8"
+INTERFACESv6=""

roles/dhcp-ag/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+  - name: restart dhcp 
+    service: name=isc-dhcp-server state=restarted

roles/dhcp-ag/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+  - name: Installation serveur dhcp
+    apt: name=isc-dhcp-server state=present update_cache=yes
+
+  - name: copie dhcpd.conf
+    copy: src=dhcpd.conf dest=/etc/dhcp
+   # notify: restart dhcp
+
+  - name: copie conf isc-dhcp-server
+    copy: src=isc-dhcp-server dest=/etc/default/isc-dhcp-server
+   # notify: restart dhcp

roles/dhcp-fog/files/dhcpd.conf

@@ -0,0 +1,142 @@
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+option domain-name "gsb.lan";
+option domain-name-servers 172.16.0.1;
+
+default-lease-time 86400;
+max-lease-time 86400;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+#subnet 10.254.239.0 netmask 255.255.255.224 {
+#  range 10.254.239.10 10.254.239.20;
+#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
+#}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.fugue.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+#host fantasia {
+#  hardware ethernet 08:00:07:26:c0:a5;
+#  fixed-address fantasia.fugue.com;
+#}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}
+
+#DHCP pour le réseau wifi
+#subnet 172.16.65.0 netmask 255.255.255.0 {
+#	range 172.16.65.1 172.16.65.100;
+#	option domain-name-servers ns1.internal.example.org;
+#	option domain-name "internal.example.org";
+#	option routers 10.5.5.1;
+#	option broadcast-address 10.5.5.31;
+#	default-lease-time 600;
+#	max-lease-time 7200;
+#}
+
+#DHCP pour le réseau USER
+
+subnet 172.16.64.0 netmask 255.255.255.0 {
+        range 172.16.64.20 172.16.64.120;
+        option domain-name-servers 172.16.0.1 ;
+        option routers 172.16.64.254;
+        option broadcast-address 172.16.64.255;
+#       default-lease-time 600;
+#       max-lease-time 7200;
+}
+
+#DHCP pour le réseau INFRA
+
+#subnet 172.16.0.0 netmask 255.255.255.0 {
+#        range 172.16.0.1 172.16.0.100;
+#       option domain-name-servers ns1.internal.example.org;
+#       option domain-name "internal.example.org";
+#       option routers 10.5.5.1;
+#       option broadcast-address 10.5.5.31;
+#       default-lease-time 600;
+#       max-lease-time 7200;
+#}
+

roles/dhcp-fog/files/isc-dhcp-server

@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s9"
+INTERFACESv6=""