louis.depres/gsb2023
1
0
Fork 0
Code Pull Requests Activity

Merge branch 'main' of http://gitea.lyc-lecastel.fr/gadmin/gsb2023

Browse Source
This commit is contained in:
root 2023-01-30 11:46:03 +01:00
commit 83f3d14c2a
15 changed files with 327 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
goss/list-goss Normal file
View File

@ -0,0 +1,12 @@
cd goss/
goss -g r-vp1.yaml v
goss -g r-vp1.yaml aa wireguard
goss add interface enp0s3
goss add interface enp0s8
goss add interface enp0s9
goss add interface wg0
goss aa wireguard
goss add package wireguard-tools
goss add service wg-quick@wg0
goss add command "ping -c4 10.0.0.2"
goss add file "/etc/wireguard/wg0.conf"

1
r-vp1.yml
View File

@ -15,6 +15,7 @@
# - firewall-vpn-r # - firewall-vpn-r
- wireguard-r - wireguard-r
# - x509-r # - x509-r
- fw-ferm
- ssh-cli - ssh-cli
- syslog-cli - syslog-cli
- post - post

1
r-vp2.yml
View File

@ -18,6 +18,7 @@
# - firewall-vpn-l # - firewall-vpn-l
- wireguard-l - wireguard-l
# - x509-l # - x509-l
- fw-ferm
- ssh-cli - ssh-cli
- syslog-cli - syslog-cli
- post - post

23
roles/fw-ferm/README.md Normal file
View File

@ -0,0 +1,23 @@
[Ferm]:http://ferm.foo-projects.org/
Modifier l'execution d'iptables [plus d'info ici]:https://wiki.debian.org/iptables
```shell
update-alternatives --set iptables /usr/sbin/iptables-legacy
```
Pour tester utiliser [Nmap]:https://nmap.org/man/fr/man-briefoptions.html
### r-vp1
```shell
sudo nmap -p51820 192.168.0.51
```
### r-vp2
```shell
sudo nmap -p51820 192.168.0.52
```
### Sortie :
```
`PORT STATE SERVICE
51820/tcp filtered unknown`
```
Faire des ping!

63
roles/fw-ferm/files/ferm.conf.r-vp1 Normal file
View File

@ -0,0 +1,63 @@
# -*- shell-script -*-
#
# Ferm script r-vp1
@def $DEV_PRIVATE = enp0s8;
@def $DEV_WORLD = enp0s9;
@def $NET_PRIVATE = 172.16.0.0/24;
table filter {
chain (INPUT OUTPUT){
# allow VPN
proto udp dport 51820 ACCEPT;
}
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local connections
interface lo ACCEPT;
# respond to ping
proto icmp icmp-type echo-request ACCEPT;
# allow SSH connections from the private network and from some
# well-known internet hosts
saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
# we provide DNS and SMTP services for the internal net
interface $DEV_PRIVATE saddr $NET_PRIVATE {
proto (udp tcp) dport domain ACCEPT;
proto udp dport bootps ACCEPT;
}
# interface réseau
interface $DEV_WORLD {
}
# the rest is dropped by the above policy
}#FIN INPUT
# outgoing connections are not limited
chain OUTPUT policy ACCEPT;
chain FORWARD {
policy ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# connections from the internal net to the internet or to other
# internal nets are allowed
interface $DEV_PRIVATE ACCEPT;
# the rest is dropped by the above policy
}
}

62
roles/fw-ferm/files/ferm.conf.r-vp2 Normal file
View File

@ -0,0 +1,62 @@
# -*- shell-script -*-
#
# Ferm script r-vp2
@def $DEV_PRIVATE = enp0s9;
@def $DEV_WORLD = enp0s8;
@def $NET_PRIVATE = 172.16.0.0/24;
table filter {
chain (INPUT OUTPUT){
# allow VPN
proto udp dport 51820 ACCEPT;
}
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local connections
interface lo ACCEPT;
# respond to ping
proto icmp icmp-type echo-request ACCEPT;
# allow SSH connections from the private network and from some
# well-known internet hosts
saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
# we provide DNS and SMTP services for the internal net
interface $DEV_PRIVATE saddr $NET_PRIVATE {
proto (udp tcp) dport domain ACCEPT;
proto udp dport bootps ACCEPT;
}
# interface réseau
interface $DEV_WORLD {
}
# the rest is dropped by the above policy
}#FIN INPUT
# outgoing connections are not limited
chain OUTPUT policy ACCEPT;
chain FORWARD {
policy ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# connections from the internal net to the internet or to other
# internal nets are allowed
interface $DEV_PRIVATE ACCEPT;
# the rest is dropped by the above policy
}
}

15
roles/fw-ferm/tasks/main.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: installation de ferm
apt:
name: ferm
state: present
- name: copie du ferm.conf
copy:
src: ferm.conf.{{ ansible_hostname }}
dest: /etc/ferm/ferm.conf
- name: redemarage service ferm
ansible.builtin.service:
name: ferm.service
state: restarted

133
roles/lb-nfs-server/tasks/main.yml
View File

@ -1,77 +1,70 @@
- name: 00 - cree repertoire wordpress pour export nfs - name: 00 - cree repertoire wordpress pour export nfs
file: file:
path: /exports/wordpress path: /home/wordpress
state: directory state: directory
- name: 05 - Install nfs-server - name: 05 - Install nfs-server
apt: apt:
name: nfs-server name: nfs-server
state: present state: present
- name: 10 - creation fichier exports nfs - name: 10 - creation fichier exports nfs
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: /etc/exports path: /etc/exports
block: | block: |
/exports/wordpress 192.168.56.0/255.255.255.0 (rw,no_root_squash,subtree_check) /home/wordpress 192.168.102.0/255.255.255.0(rw,no_root_squash,subtree_check)
- name: 20 - decompresse wordpress
unarchive:
src: https://fr.wordpress.org/latest-fr_FR.tar.gz
dest: /home/
remote_src: yes
- name: 22 - change owner et group pour repertoire wordpress
file:
path: /home/wordpress
state: directory
recurse: yes
owner: www-data
group: www-data
- name: 30 - genere fichier de config wordpress
copy:
src: /home/wordpress/wp-config-sample.php
dest: /home/wordpress/wp-config.php
remote_src: yes
- name: 35 - ajuste variable dbname dans fichier de config wp-config.php
replace:
path: /home/wordpress/wp-config.php
regexp: "votre_nom_de_bdd"
replace: "wordpressdb"
backup: yes
- name: 15 - Recupere wordpress.tar.gz - name: 40 ajuste variable dbusername dans fichier de config wp-config.php
get_url: replace:
url: "https://fr.wordpress.org/latest-fr_FR.tar.gz" path: /home/wordpress/wp-config.php
dest: /tmp/wordpress-6.1.1-fr_FR.tar.gz regexp: "votre_utilisateur_de_bdd"
replace: "wordpressuser"
backup: yes
- name: 20 - decompresse wordpress - name: 45 - ajuste variable mdp dans fichier de config wp-config.php
unarchive: replace:
src: /tmp/wordpress-6.1.1-fr_FR.tar.gz path: /home/wordpress/wp-config.php
dest: /exports/ regexp: "votre_mdp_de_bdd"
remote_src: yes replace: "wordpresspasswd"
backup: yes
- name: 22 - change owner et group pour repertoire wordpress - name: 50 - ajuste hostname fichier wp-config.php
file: replace:
path: /exports/wordpress path: /home/wordpress/wp-config.php
state: directory regexp: "localhost"
recurse: yes replace: "192.168.102.253"
owner: www-data backup: yes
group: www-data
- name: 30 - genere fichier de config wordpress
copy:
src: /exports/wordpress/wp-config-sample.php
dest: /exports/wordpress/wp-config.php
remote_src: yes
- name: 35 - ajuste variable dbname dans fichier de config wp-config.php
replace:
path: /exports/wordpress/wp-config.php
regexp: "votre_nom_de_bdd"
replace: "wordpressdb"
backup: yes
- name: 40 ajuste variable dbusername dans fichier de config wp-config.php
replace:
path: /exports/wordpress/wp-config.php
regexp: "votre_utilisateur_de_bdd"
replace: "wordpressuser"
backup: yes
- name: 45 - ajuste variable mdp dans fichier de config wp-config.php
replace:
path: /exports/wordpress/wp-config.php
regexp: "votre_mdp_de_bdd"
replace: "wordpresspasswd"
backup: yes
- name: 50 - ajuste hostname fichier wp-config.php
replace:
path: /exports/wordpress/wp-config.php
regexp: "localhost"
replace: "192.168.102.253"
backup: yes
- name: 55 - relance nfs
service:
name: nfs-server
state: restarted
enabled: yes
- name: 55 - relance nfs
service:
name: nfs-server
state: restarted
enabled: yes

102
roles/lb-web/files/wp-config.php
View File

@ -1,102 +0,0 @@
<?php
/**
* La configuration de base de votre installation WordPress.
*
* Ce fichier est utilisé par le script de création de wp-config.php pendant
* le processus dinstallation. Vous navez pas à utiliser le site web, vous
* pouvez simplement renommer ce fichier en « wp-config.php » et remplir les
* valeurs.
*
* Ce fichier contient les réglages de configuration suivants :
*
* Réglages MySQL
* Préfixe de table
* Clés secrètes
* Langue utilisée
* ABSPATH
*
* @link https://fr.wordpress.org/support/article/editing-wp-config-php/.
*
* @package WordPress
*/
// ** Réglages MySQL - Votre hébergeur doit vous fournir ces informations. ** //
/** Nom de la base de données de WordPress. */
define( 'DB_NAME', 'wordpress' );
/** Utilisateur de la base de données MySQL. */
define( 'DB_USER', 'wp' );
/** Mot de passe de la base de données MySQL. */
define( 'DB_PASSWORD', 'wp' );
/** Adresse de lhébergement MySQL. */
define( 'DB_HOST', '192.168.102.254' );
/** Jeu de caractères à utiliser par la base de données lors de la création des tables. */
define( 'DB_CHARSET', 'utf8' );
/**
* Type de collation de la base de données.
* Ny touchez que si vous savez ce que vous faites.
*/
define( 'DB_COLLATE', '' );
/**#@+
* Clés uniques dauthentification et salage.
*
* Remplacez les valeurs par défaut par des phrases uniques !
* Vous pouvez générer des phrases aléatoires en utilisant
* {@link https://api.wordpress.org/secret-key/1.1/salt/ le service de clés secrètes de WordPress.org}.
* Vous pouvez modifier ces phrases à nimporte quel moment, afin dinvalider tous les cookies existants.
* Cela forcera également tous les utilisateurs à se reconnecter.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'mettez une phrase unique ici' );
define( 'SECURE_AUTH_KEY', 'mettez une phrase unique ici' );
define( 'LOGGED_IN_KEY', 'mettez une phrase unique ici' );
define( 'NONCE_KEY', 'mettez une phrase unique ici' );
define( 'AUTH_SALT', 'mettez une phrase unique ici' );
define( 'SECURE_AUTH_SALT', 'mettez une phrase unique ici' );
define( 'LOGGED_IN_SALT', 'mettez une phrase unique ici' );
define( 'NONCE_SALT', 'mettez une phrase unique ici' );
/**#@-*/
/**
* Préfixe de base de données pour les tables de WordPress.
*
* Vous pouvez installer plusieurs WordPress sur une seule base de données
* si vous leur donnez chacune un préfixe unique.
* Nutilisez que des chiffres, des lettres non-accentuées, et des caractères soulignés !
*/
$table_prefix = 'wp_';
/**
* Pour les développeurs : le mode déboguage de WordPress.
*
* En passant la valeur suivante à "true", vous activez laffichage des
* notifications derreurs pendant vos essais.
* Il est fortement recommandé que les développeurs dextensions et
* de thèmes se servent de WP_DEBUG dans leur environnement de
* développement.
*
* Pour plus dinformation sur les autres constantes qui peuvent être utilisées
* pour le déboguage, rendez-vous sur le Codex.
*
* @link https://fr.wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* Cest tout, ne touchez pas à ce qui suit ! Bonne publication. */
/** Chemin absolu vers le dossier de WordPress. */
if ( ! defined( 'ABSPATH' ) )
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
/** Réglage des variables de WordPress et de ses fichiers inclus. */
require_once( ABSPATH . 'wp-settings.php' );
define('DB_NAME', 'wordpress');
define('DB_HOST', '192.168.102.254');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'wp');

34
roles/lb-web/tasks/main.yml
View File

@ -1,10 +1,26 @@
--- ---
- name: installation php et apache ... - name:
apt: - apache2
name: - php
- apache2 - php-mbstring
- php - php-mysql
- php-mbstring - mariadb-client
- php-mysql state: present
- mariadb-client
state: present - name: install nfs-common
apt:
name: nfs-common
state: present
- name: montage nfs pour word press
blockinfile:
path: /etc/fstab
block: |
192.168.56.6:/exports/wordpress /var/www/html nfs soft,timeo=5,intr,rsize=8192,wsize=8192,wsize=8192 0 0
- name: monte export wordpress
ansible.posix.mount:
path: /var/www/html
state: mounted
fstype: nfs
src: 192.168.56.6:/exports/wordpress

10
roles/wireguard-l/tasks/main.yml
View File

@ -4,16 +4,16 @@
name: wireguard name: wireguard
state: present state: present
- name: installation de ferm
apt:
name: ferm
state: present
- name: installation de wireguard-tools - name: installation de wireguard-tools
apt: apt:
name: wireguard-tools name: wireguard-tools
state: present state: present
#- name: installation de sshpass
# apt:
# name: sshpass
# state: present
#- name: copie du fichier de configuration depuis r-vp1 #- name: copie du fichier de configuration depuis r-vp1
# command: "sshpass -p 'root' scp -r root@192.168.99.112:/root/confwg/wg0-b.conf /etc/wireguard/" # command: "sshpass -p 'root' scp -r root@192.168.99.112:/root/confwg/wg0-b.conf /etc/wireguard/"

19
roles/wireguard-r/tasks/main.yml
View File

@ -4,6 +4,11 @@
name: wireguard name: wireguard
state: present state: present
- name: installation de ferm
apt:
name: ferm
state: present
- name: installation de wireguard-tools - name: installation de wireguard-tools
apt: apt:
name: wireguard-tools name: wireguard-tools
@ -27,12 +32,10 @@
- name: copie du fichier de configuration - name: copie du fichier de configuration
copy: copy:
src: /root/confwg/wg0-a.conf src: /root/confwg/wg0-a.conf
dest: /etc/wireguard dest: /etc/wireguard/wg0.conf
- name: renommage fichier de configuration - name: Restart service httpd, in all cases
command: "mv /etc/wireguard/wg0-a.conf /etc/wireguard/wg0.conf" ansible.builtin.service:
name: wg-quick@wg0
- name: demarrage du service wireguard enabled: yes
tags: aaaa state: restarted
command: "systemctl enable wg-quick@wg0"
command: "systemctl restart wg-quick@wg0"

67
s-lb-bd.yml
View File

@ -1,24 +1,49 @@
--- ---
- hosts: localhost - hosts: all
connection: local become: true
vars: tasks:
maria_dbhost: "192.168.102.254"
maria_dbname: "wordpress"
maria_dbuser: "wp"
maria_dbpasswd: "wp"
- name: modules python pour
apt:
name: python3-pymysql
state: present
roles: - name: install mariadb-server
- base apt:
- goss name: mariadb-server
- post state: present
#- s-lb-bd-ab
- mariadb-ab - name: Cree Bd wordpress
# - role: db-user mysql_db:
# cli_ip: "192.168.102.1" db: wordpressdb
# - role: db-user login_unix_socket: /var/run/mysqld/mysqld.sock
# cli_ip: "192.168.102.2" state: present
# - role: db-user
# cli_ip: "192.168.102.3" - name: Ouvre port 3306 mariadb-server
- snmp-agent replace:
# - post path: /etc/mysql/mariadb.conf.d/50-server.cnf
regexp: '^bind-address.*'
replace: '#bind-adress = 127.0.0.1'
backup: yes
notify: restart mariadb
- name: Create MySQL user for wordpress
mysql_user:
name: wordpressuser
password: wordpresspasswd
priv: "wordpressdb.*:ALL"
host: '%'
state: present
login_unix_socket: /var/run/mysqld/mysqld.sock
handlers:
- name: restart mariadb
ansible.builtin.service:
name: mariadb
state: restarted
roles:
- base
- goss
- post
- snmp-agent

1
s-lb-web1.yml
View File

@ -6,5 +6,4 @@
- base - base
- lb-web - lb-web
- snmp-agent - snmp-agent
- lb-nfs-client
- post - post

1
s-lb-web2.yml
View File

@ -6,5 +6,4 @@
- base - base
- lb-web - lb-web
- snmp-agent - snmp-agent
- lb-nfs-client
- post - post