Premier commit

This commit is contained in:
“Albert
2023-01-05 11:44:26 +01:00
parent d46e9954ca
commit fb19dc24e5
554 changed files with 46045 additions and 0 deletions


@@ -0,0 +1,13 @@
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /var/lib/containers ext4 defaults 0 0
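Review bot: The last entry mounts `/dev/sdb1` on `/var/lib/containers`, but the role's tasks run `mount /dev/sdb1 /var/lib/docker` and the operator message tells the user to check `/var/lib/docker`, so after a reboot the Docker data directory is back on the root filesystem and the disk shows up somewhere else. Pick one mount point and use it in both places, e.g. `/dev/sdb1 /var/lib/docker ext4 defaults,nofail 0 2`. As the header comment itself recommends, reference the filesystem by `UUID=` from `blkid` rather than by `/dev/sdb1`, so a change in device enumeration cannot mount (or, via the playbook's `mkfs.ext4`, reformat) the wrong disk; `nofail` keeps the host bootable when the second disk is absent.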


@@ -0,0 +1,2 @@
[Service]
Environment="HTTPS_PROXY=http://192.168.99.99:8080/"


@@ -0,0 +1,14 @@
#!/bin/bash
docker run --privileged -p 80:80 -p 443:443 \
-h s-mess.sio.lan \
-e "DOMAIN=sio.lan" \
-e "MYSQL_ROOT_PASSWORD=iredmail" \
-e "SOGO_WORKERS=1" \
-e "TIMEZONE=Europe/Paris" \
-e "POSTMASTER_PASSWORD=Azertyuiop1+" \
-e "IREDAPD_PLUGINS=['reject_null_sender', 'reject_sender_login_mismatch', 'greylisting', 'throttle', 'amavisd_wblist', 'sql_alias_access_policy']" \
-v /root/mysql:/var/lib/mysql \
-v /root/vmail:/var/vmail \
-v /root/clamav:/var/lib/clamav \
--name=iredmail lejmr/iredmail:mysql-latest
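Review bot: The database root password (`MYSQL_ROOT_PASSWORD=iredmail`) and the postmaster password (`POSTMASTER_PASSWORD=Azertyuiop1+`) are committed in clear text and, passed as `-e` flags, are also readable by anyone on the host via `docker inspect` or the process list; move them to a root-only env file (`--env-file /root/iredmail.env`, mode 0600) populated from an Ansible Vault variable, and rotate them since they are now in history. `--privileged` hands the mail container every capability and raw access to host devices, far more than a mail stack needs; start without it and add only the capabilities the image documents as required. The floating `mysql-latest` tag means each re-run may pull a different image; pin a version or digest so the deployment is reproducible.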


@@ -0,0 +1,3 @@
---
- name: restart docker
service: name=docker state=restarted


@@ -0,0 +1,83 @@
---
- name: Installation de apt-transport-https
apt: name=apt-transport-https state=present
- name: Installation de ca-certificates
apt: name=ca-certificates state=present
- name: Installation de gnupg2
apt: name=gnupg2 state=present
- name: Installation de software-properties-common
apt: name=software-properties-common state=present
- name: Installation de sudo
apt: name=sudo state=present
- name: Installation de docker
shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- name: Récupération des paquets docker-ce et docker-compose
shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- name: Création du répertoire docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
owner: root
group: root
mode: 0775
recurse: yes
- name: Copie https_proxy.conf
copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/
notify:
- restart docker
- name: Vérification des nouveaux paquets
shell: sudo apt-get update
- name: Installation de docker-ce
shell: sudo apt-get install -y docker-ce
- name: Installation de docker-compose
shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Modification des droits de docker-compose
shell: chmod +x /usr/local/bin/docker-compose
- name: Copie du fichier fstab
copy: src=fstab dest=/etc/
- name: Copie du script bash Iredmail
copy: src=iredmail.sh dest=/root/tools/ansible
- name: Changement du système de fichier de /dev/sdb1 en ext4
shell: mkfs.ext4 /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
shell: mount /dev/sdb1 /var/lib/docker
- name: Droit pour le script Iredmail
shell: chmod a+x /root/tools/ansible/iredmail.sh
- name: Création du répertoire mysql
shell: mkdir /root//mysql
- name: Création du répertoire vmail
shell: mkdir /root/vmail
- name: Création du répertoire clamav
shell: mkdir /root/clamav
- name: Exécution du script Iredmail
debug: msg="Exécuter le script iredmail.sh qui se trouve dans tools/ansible"
- name: Montage /dev/sdb1
debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h"
- name: Test docker
debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1"
- name: Démarrer le container
debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443"
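Review bot: `shell: mkfs.ext4 /dev/sdb1` runs unconditionally on every play, so any re-run while the device happens to be unmounted reformats the disk that holds `/var/lib/docker` (mke2fs only refuses when the device is currently mounted); use the idempotent modules instead, `filesystem: fstype=ext4 dev=/dev/sdb1` followed by `mount: path=/var/lib/docker src=/dev/sdb1 fstype=ext4 state=mounted`, which also makes the separate `fstab` copy unnecessary (that copy mounts the disk on `/var/lib/containers`, not `/var/lib/docker`). `curl -fsSL ... | sudo apt-key add -` and the `docker-compose` download are both installed without any integrity check; use `apt_key` with the published key `id=` and `get_url` with `checksum=sha256:...` so a tampered download is rejected rather than executed as root. `mode: 0775` on `/etc/systemd/system/docker.service.d` makes a root-owned unit drop-in directory group-writable; `0755` is the normal value. The `sudo` prefixes inside `shell:` are redundant under `become` and the proxy URL is hard-coded in three places; define it once as a variable.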


@@ -0,0 +1,13 @@
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/stretch64--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=8f340ef0-94a1-4730-8da3-81ce5e38d666 /boot ext2 defaults 0 2
/dev/mapper/stretch64--vg-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/sdb1 /var/lib/containers ext4 defaults 0 0
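Review bot: This fstab mounts `/dev/sdb1` on `/var/lib/containers`, while the tasks of this role mount it with `mount /dev/sdb1 /var/lib/docker` and the verification message also names `/var/lib/docker`; on the next boot Docker's data directory will silently be back on the root volume. Use the same path in both places, e.g. `/dev/sdb1 /var/lib/docker ext4 defaults,nofail 0 2`, and prefer the `UUID=` form the header comment recommends so the playbook's `mkfs.ext4 /dev/sdb1` and this mount cannot diverge onto different disks.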


@@ -0,0 +1,2 @@
[Service]
Environment="HTTPS_PROXY=http://192.168.99.99:8080/"


@@ -0,0 +1,3 @@
---
- name: restart docker
service: name=docker state=restarted


@@ -0,0 +1,77 @@
---
- name: Installation de apt-transport-https
apt: name=apt-transport-https state=present
- name: Installation de ca-certificates
apt: name=ca-certificates state=present
- name: Installation de gnupg2
apt: name=gnupg2 state=present
- name: Installation de software-properties-common
apt: name=software-properties-common state=present
- name: Installation de sudo
apt: name=sudo state=present
- name: Installation de docker
shell: export https_proxy=http://192.168.99.99:8080 && curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
- name: Récupération des paquets docker-ce et docker-compose
shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
- name: Création du répertoire docker.service.d
file:
path: /etc/systemd/system/docker.service.d
state: directory
owner: root
group: root
mode: 0775
recurse: yes
- name: Copie https_proxy.conf
copy: src=https_proxy.conf dest=/etc/systemd/system/docker.service.d/
notify:
- restart docker
- name: Vérification des nouveaux paquets
shell: sudo apt-get update
- name: Installation de docker-ce
shell: sudo apt-get install -y docker-ce
- name: Installation de docker-compose
shell: export https_proxy=http://192.168.99.99:8080 && curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- name: Modification des droits de docker-compose
shell: chmod +x /usr/local/bin/docker-compose
- name: Création du docker portainer_data
shell: docker volume create portainer_data
- name: Initialisation de portainer
shell: docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer
- name: Copie du fichier fstab
copy: src=fstab dest=/etc/
- name: Changement du système de fichier de /dev/sdb1 en ext4
shell: mkfs.ext4 /dev/sdb1
- name: Montage /dev/sdb1 sur /var/lib/docker
shell: mount /dev/sdb1 /var/lib/docker
- name: Installation d'OpenVAS
debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name openvas mikesplain/openvas puis redémarrer docker avec service docker restart"
#- name: Installation d'IredMail
#debug: msg="Exécuter la commande suivante pour mettre en place openvas > docker run -d -p 443:443 -e PUBLIC_HOSTNAME=172.16.0.19 --name iredmail lejmr/iredmail puis redémarrer docker avec service docker restart"
- name: Montage /dev/sdb1
debug: msg="Pour vérifier que /dev/sdb1 est bien monté sur le répertoire /var/lib/docker, utiliser la commande df -h"
- name: Test docker
debug: msg="Effectuer la commande docker run hello-world pour vérifier l'installation de docker-ce et effectuer la commande docker-compose --version pour vérifier que la version est bien la 1.23.1"
- name: Démarrer le container
debug: msg="Pour démarrer le container openvas, utiliser la commande docker start nom_du_container_ (/var/lib/docker/containers), accéder à la page via l'adresse https://172.16.0.19:443"
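Review bot: `docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock ... portainer/portainer` publishes Portainer on every interface with the Docker socket mounted, so whoever reaches port 9000 first and completes the initial admin setup gets root-equivalent control of the host (anything that can talk to the socket can start a privileged container with `/` mounted). Bind it to the admin interface or loopback only (`-p <adm-ip>:9000:9000` or `-p 127.0.0.1:9000:9000`) and set the admin credential at deploy time (`--admin-password-file`) instead of leaving it to the first visitor. The Portainer volume is created before `mkfs.ext4 /dev/sdb1` and `mount /dev/sdb1 /var/lib/docker` run, so the new mount presumably shadows it and Docker is never restarted onto the new disk; reorder the tasks. `mkfs.ext4` is also unconditional and will reformat the disk on a re-run whenever it is not mounted; use the idempotent `filesystem` and `mount` modules.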


@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s9
IFINT=enp0s8
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
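Review bot: `iptables -A INPUT -i lo` and `iptables -A OUTPUT -o lo` have no `-j` target, so they only count packets; with the `DROP` policies set just above them, all loopback traffic is dropped, which breaks anything on this host that talks to 127.0.0.1. Add the target: `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A OUTPUT -o lo -j ACCEPT`. In the NAT-T block, `--dport 5500` looks like a typo for `4500` (the OUTPUT rules and the comment both refer to 4500), so inbound IKE over NAT-T is actually blocked. The `--sport 53/123/161/500/4500` accepts let any remote host reach any UDP port simply by sending from one of those source ports; a single `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (and the same on OUTPUT) admits replies safely and makes those rules unnecessary. `IFPUB`/`IFINT` are defined but never used, so the ICMP rule is not limited to the inside despite the `sauf de l'exterieur` comment.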


@@ -0,0 +1,3 @@
---
- name: fichier parefeu pour VPN
copy: src=iptables-vpn dest=/root/


@@ -0,0 +1,68 @@
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
@def $DEV_ADM = enp0s3;
@def $DEV_AG = enp0s8;
@def $DEV_VPN = enp0s9;
@def $NET_ADM=192.168.99.102/24;
@def $NET_AG=172.16.128.254/24;
@def $NET_VPN=192.168.0.52/24;
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# allow SSH connections
proto tcp dport ssh ACCEPT;
# allow DNS connections
proto udp sport domain ACCEPT;
proto udp dport domain ACCEPT;
# allow IPsec
interface ($DEV_AG $DEV_VPN) {
proto udp sport 500 ACCEPT;
proto udp dport 500 ACCEPT;
proto esp ACCEPT;
}
# Autoriser nat-t-ike
# interface ($DEV_AG) {
proto udp sport 4500 ACCEPT;
proto udp dport 5500 ACCEPT;
# }
# allow DNS connections
#interface ($DEV_INT) {
proto (udp tcp) dport domain ACCEPT;
#}
# autoriser NTP
proto udp sport 123 ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
# connection tracking
# mod state state INVALID DROP;
# mod state state (ESTABLISHED RELATED) ACCEPT;
}
chain FORWARD {
policy ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
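Review bot: Several INPUT rules accept on source port alone — `proto udp sport domain ACCEPT`, `proto udp sport 500 ACCEPT`, `proto udp sport 4500 ACCEPT`, `proto udp sport 123 ACCEPT` — which lets any host reach any UDP service on this gateway just by sending from port 53, 500, 4500 or 123; the `mod state state (ESTABLISHED RELATED) ACCEPT` rule above already admits replies to the host's own queries, so the `sport` rules should be deleted. `proto udp dport 5500 ACCEPT` in the NAT-T block is most likely a typo for `4500`, so inbound NAT-T IKE is not actually allowed on this peer. `proto tcp dport ssh ACCEPT` and the DNS `dport` rules are not tied to an interface and therefore also apply on `$DEV_VPN` and `$DEV_AG`; if management is meant to come from the admin network, wrap them in `interface $DEV_ADM saddr $NET_ADM { ... }`. The `@def $NET_*` values carry a host address with a /24 mask (`192.168.99.102/24`); write the network address (`192.168.99.0/24`) so the intent is unambiguous.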


@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s9
IFINT=enp0s8
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
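Review bot: The two loopback rules `iptables -A INPUT -i lo` / `iptables -A OUTPUT -o lo` lack `-j ACCEPT`, so under the `INPUT DROP` / `OUTPUT DROP` policies everything on 127.0.0.1 is dropped; they need the target spelled out, `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A OUTPUT -o lo -j ACCEPT`. `iptables -A INPUT -p udp --dport 5500 -j ACCEPT` appears to be a typo for 4500 (NAT-T), given the surrounding rules and comment. The policy otherwise leans on `--sport` matches rather than connection tracking, which any remote host can satisfy by choosing its source port; prefer one `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule per chain.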


@@ -0,0 +1,3 @@
---
- name: Restart ferm
service: name=ferm state=restarted


@@ -0,0 +1,8 @@
---
- name : installer ferm
apt: name=ferm state=present
- name: fichier parefeu pour VPN
copy: src=ferm.conf dest=/etc/ferm/ferm.conf
notify:
- Restart ferm
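Review bot: The ruleset is overwritten and `ferm` restarted without any syntax check, so a typo in `ferm.conf` is only discovered when the restart fails on a remote gateway, possibly leaving it without the rules (or without SSH) — use the copy module's validation hook: `copy: src=ferm.conf dest=/etc/ferm/ferm.conf validate='ferm --noexec %s'`. Consider also `mode=0600`, since the file encodes the network topology. `- name : installer ferm` has a stray space before the colon; it still parses as `name`, but keep it consistent with the other tasks.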


@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s8
IFINT=enp0s9
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
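Review bot: `iptables -A INPUT -i lo` and `iptables -A OUTPUT -o lo` are missing `-j ACCEPT`, so with the `DROP` default policies this variant also drops all loopback traffic; fix them as `iptables -A INPUT -i lo -j ACCEPT` / `iptables -A OUTPUT -o lo -j ACCEPT`. The same `--dport 5500` typo for NAT-T port 4500 is present here. `IFPUB`/`IFINT` are swapped relative to the other copy of this script but, as before, never referenced by any rule, so the swap changes nothing — either use them to scope the SSH and ICMP rules to the inside interface or drop them.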


@@ -0,0 +1,3 @@
---
- name: fichier parefeu pour VPN
copy: src=iptables-vpn dest=/root/


@@ -0,0 +1,67 @@
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
@def $DEV_ADM = enp0s3;
@def $DEV_VPN = enp0s8;
@def $DEV_EXT = enp0s9;
@def $NET_ADM=192.168.99.112/24;
@def $NET_VPN=192.168.0.51/24;
@def $NET_EXT=192.168.1.2/24;
table filter {
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local packet
interface lo ACCEPT;
# allow SSH connections
proto tcp dport ssh ACCEPT;
# allow DNS connections
proto udp sport domain ACCEPT;
proto udp dport domain ACCEPT;
# allow IPsec
interface ($DEV_VPN) {
proto udp sport 500 ACCEPT;
proto udp dport 500 ACCEPT;
proto esp ACCEPT;
}
# Autoriser nat-t-ike
interface ($DEV_VPN) {
proto udp sport 4500 ACCEPT;
proto udp dport 5500 ACCEPT;
}
# allow DNS connections
#interface ($DEV_INT) {
# proto (udp tcp) dport domain ACCEPT;
#}
# autoriser NTP
proto udp sport 123 ACCEPT;
}
chain OUTPUT {
policy ACCEPT;
}
chain FORWARD {
policy ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
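Review bot: `proto udp dport 5500 ACCEPT` inside the NAT-T block should almost certainly be `4500`, otherwise inbound IKE over NAT-T is blocked on this gateway while the peer's config expects it. The `sport`-based accepts (`proto udp sport domain`, `sport 500`, `sport 4500`, `sport 123`) allow any remote host to reach any UDP port by sending from those source ports; the `mod state state (ESTABLISHED RELATED) ACCEPT` rule already covers legitimate replies, so remove them. `proto tcp dport ssh ACCEPT` is not limited to `$DEV_ADM`, so SSH is reachable from `$DEV_EXT` and `$DEV_VPN` as well; scope it with `interface $DEV_ADM saddr $NET_ADM`. The `@def $NET_*` values (`192.168.99.112/24`, `192.168.0.51/24`, `192.168.1.2/24`) are host addresses with a /24 mask; write the network addresses.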


@@ -0,0 +1,58 @@
#!/bin/bash
#renommage des interfaces
IFPUB=enp0s8
IFINT=enp0s9
iptables -F
#iptables -F -t nat
#bloquer tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo
iptables -A OUTPUT -o lo
#autorise l'acces SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Autorise les requete DNS en tant que client
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#autorise isakmp
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
#autorise nat-t-ike
iptables -A OUTPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
# allow IPsec IKE negotiations
#iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
#iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
#autorise la supervision ( SNMP )
iptables -A OUTPUT -p udp --dport 161 -j ACCEPT
iptables -A INPUT -p udp --sport 161 -j ACCEPT
#autorise NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
#autoriser les ping sauf de l'exterieur
iptables -A INPUT -p icmp -m limit --limit 30/minute -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
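Review bot: As in the other copies of this script, `iptables -A INPUT -i lo` and `iptables -A OUTPUT -o lo` have no jump target and therefore, under `-P INPUT DROP` / `-P OUTPUT DROP`, drop all loopback traffic; write `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A OUTPUT -o lo -j ACCEPT`. `--dport 5500` in the NAT-T block should be `4500`. Since four near-identical copies of this file now exist, consider keeping one template in a shared role and parameterising the interface names.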


@@ -0,0 +1,3 @@
---
- name: Restart ferm
service: name=ferm state=restarted


@@ -0,0 +1,8 @@
---
- name : installer ferm
apt: name=ferm state=present
- name: fichier parefeu pour VPN
copy: src=ferm.conf dest=/etc/ferm/ferm.conf
notify:
- Restart ferm
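Review bot: The new `ferm.conf` is applied by restarting the service with no prior syntax check, so a malformed file is only caught on the gateway itself and may leave it unprotected or unreachable; add `validate='ferm --noexec %s'` to the `copy` task so Ansible rejects a broken ruleset before it is installed. Set `mode=0600` as well, since the file documents the network layout.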


@@ -0,0 +1,3 @@
[client]
user=root
password=root
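Review bot: This commits the MariaDB root credentials (`user=root`, `password=root`) in clear text, and the trivial password indicates the database install was never hardened. Keep the file out of VCS and template it from an Ansible Vault variable (`password={{ glpi_db_root_password }}`), use a generated password, and give GLPI and the backup job a dedicated `glpi` user rather than root. Note also that the tasks copy this file to `/root/tools/ansible/.my.cnf`, a path the mysql client does not read (it looks for `~/.my.cnf`), so the backup script still has to pass `-proot` on the command line.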


@@ -0,0 +1,12 @@
DocumentRoot /var/www/glpi
<Directory /var/www/glpi>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
AuthType Basic
</Directory>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog ${APACHE_LOG_DIR}/glpi_access.log combined
ErrorLog ${APACHE_LOG_DIR}/glpi_error.log
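Review bot: `Options Indexes FollowSymLinks MultiViews` turns on directory listings for the whole GLPI tree, so any directory without an index file (`files/`, `plugins/`, the dump directory the backup script writes to) is browsable; use `Options FollowSymLinks`. `AuthType Basic` on its own does nothing — there is no `AuthName`, `AuthUserFile` or `Require`, so no authentication is performed; either complete the block or remove the line so nobody assumes the site is protected. `Order allow,deny` / `allow from all` is Apache 2.2 syntax that only works on 2.4 through mod_access_compat; prefer `Require all granted`. Finally, a bare `DocumentRoot` in an enabled site file overrides the server-wide document root instead of defining a vhost; wrap the block in `<VirtualHost *:80>`.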


@@ -0,0 +1,4 @@
#!/bin/sh
chm= »/var/www/html/glpi/files/_dumps »
# Dump base GLPI
mysqldump -uroot -proot glpi |gzip > $chm/$(date +%Y-%m-%d).sql.gz
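Review bot: `chm= »/var/www/html/glpi/files/_dumps »` uses French guillemets instead of ASCII quotes, so the shell assigns an empty `chm`, tries to execute a command literally named `»/var/www/html/glpi/files/_dumps »`, and then `$chm/$(date ...)` expands to `/<date>.sql.gz` in the filesystem root. Write `chm="/var/www/glpi/files/_dumps"` — and note the Apache config serves `/var/www/glpi`, not `/var/www/html/glpi`. `-proot` puts the database password in the process list and in this repo; use `mysqldump --defaults-extra-file=/root/.my.cnf glpi` with a root-only credentials file. Writing dumps under the web root makes full database backups downloadable if the directory is listable or the date-based name is guessed; store them outside `/var/www` (e.g. `/var/backups/glpi`) with `umask 077`, and add `set -euo pipefail` so a failed dump does not leave a truncated, exit-0 archive.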


@@ -0,0 +1,6 @@
---
- name: restart apache2
service: name=apache2 state=restarted
- name: restart mysql-server
service: name=mysql-server state=restarted
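Review bot: `service: name=mysql-server state=restarted` uses the package name, not a service unit; on Debian the service is `mysql` (MariaDB ships `mariadb` as well), so any task that notifies this handler will fail. No task in this role currently notifies it, and none installs a database server at all, so either correct it to `service: name=mysql state=restarted` when the DB install is added or drop the handler.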


@@ -0,0 +1,65 @@
---
- name: Install apache2
apt: name=apache2 state=present update_cache=yes
notify:
- restart apache2
- name: Install php5
apt: name=php5 state=present update_cache=yes
- name: Install php5-mysql
apt: name=php5-mysql state=present update_cache=yes
- name: Install php5-gd
apt: name=php5-gd state=present update_cache=yes
- name: Install php5-curl
apt: name=php5-curl state=present update_cache=yes
- name: Install php5-imap
apt: name=php5-imap state=present update_cache=yes
- name: Install php5-ldap
apt: name=php5-ldap state=present update_cache=yes
- name: Download GLPI from Internet
copy: src=glpi-9.1.3.tgz dest=/var/www/
- name: Instructions
debug: msg="En cas de problemes, relancez le playbook une seconde fois."
- name: unpack tarball
unarchive: src=/var/www/glpi-9.1.3.tgz dest=/var/www/
- name: Fix permissions
shell: chown -R www-data:www-data /var/www/glpi/
- name: copy .my.cnf file with root password credentials
copy: src=.my.cnf dest=/root/tools/ansible/.my.cnf owner=root mode=0600
- name: Print web instructions
debug: msg="/!\ Se rendre sur http://adresse_ip_de_votre_serveur/glpi et suivre l'installation"
- name: Download Fusioninventory from Internet
copy: src=fusioninventory-for-glpi_0.85+1.3.tar.gz dest=/var/www/glpi/plugins
- name: unpack tarball
unarchive: src=/var/www/glpi/plugins/fusioninventory-for-glpi_0.85+1.3.tar.gz dest=/var/www/glpi/plugins
- name: Print web instructions
debug: msg="(i) Fusioninventory plugin installed in /var/www/glpi/plugins"
- name: copy glpi.conf
copy: src=glpi.conf dest=/etc/apache2/sites-available/
- name: activation du site glpi
shell: a2ensite glpi.conf
notify:
- restart apache2
- name: copie script
copy: src=script dest=/root/
- name: chmod
shell: chmod +x /root/script
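Review bot: `shell: chown -R www-data:www-data /var/www/glpi/` makes every PHP source file writable by the web-server account, so a code-execution bug in GLPI or a plugin can persist itself by rewriting application code; own the tree `root:www-data` and grant write access only where GLPI needs it (`files/`, `config/`, and `plugins/` during plugin install), using the `file` module with `recurse` on those paths. `.my.cnf` is copied to `/root/tools/ansible/.my.cnf` with `mode=0600`, but the mysql client only reads `/root/.my.cnf`, so the credentials file is dead weight while the backup script still passes `-proot`. The host appears to be Debian stretch (the LVM group in fstab is `stretch64`), where the `php5*` packages no longer exist, so these `apt` tasks will presumably fail; use the `php7.0`/`php-*` names or pin the target release. Also, `state=present update_cache=yes` on every package task refreshes the apt cache six times; do it once with `cache_valid_time`.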


@@ -0,0 +1,193 @@
###############################################################################
#
# EXAMPLE.conf:
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See the 'snmpd.conf(5)' man page for details
#
# Some entries are deliberately commented out, and will need to be explicitly activated
#
###############################################################################
#
# AGENT BEHAVIOUR
#
# Listen for connections from the local system only
#agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161
###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# Note that these particular settings don't actually belong here.
# They should be copied to the file /var/lib/snmp/snmpd.conf
# and the passwords changed, before being uncommented in that file *only*.
# Then restart the agent
# createUser authOnlyUser MD5 "remember to change this password"
# createUser authPrivUser SHA "remember to change this one too" DES
# createUser internalUser MD5 "this is only ever used internally, but still change the password"
# If you also change the usernames (which might be sensible),
# then remember to update the other occurances in this example config file to match.
###############################################################################
#
# ACCESS CONTROL
#
# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
# Full access from the local host
rocommunity public s-mon.gsb.adm
# Default access to basic system info
rocommunity public
# Full access from an example network
# Adjust this network address to match your local
# settings, change the community string,
# and check the 'agentAddress' setting above
#rocommunity secret 10.0.0.0/16
# Full read-only access for SNMPv3
rouser authOnlyUser
# Full write access for encrypted requests
# Remember to activate the 'createUser' lines above
#rwuser authPrivUser priv
# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ou]user and r[ow]community, together with suitable views, should cover most requirements
###############################################################################
#
# SYSTEM INFORMATION
#
# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Sitting on the Dock of the Bay
sysContact Me <me@example.org>
# Application + End-to-End layers
sysServices 72
#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1
# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file
#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%
# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5
# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
###############################################################################
#
# ACTIVE MONITORING
#
# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
#trap2sink localhost public
# send SNMPv2c INFORMs
#informsink localhost public
# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.
#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes
###############################################################################
#
# EXTENDING THE AGENT
#
#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3 /bin/sh /tmp/shtest
# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented
# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
# and nsExtendOutput2Table) to see the resulting output
# Note that the "extend" directive supercedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
# as well as the fuller results in the above tables.
#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl
# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.
# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output
#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master
#agentXSocket tcp:localhost:705
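Review bot: The bare `rocommunity public` line grants read access to the full MIB to any source that can reach UDP/161, and `agentAddress udp:161,udp6:[::1]:161` listens on every IPv4 interface, so the `rocommunity public s-mon.gsb.adm` restriction just above is moot and the device answers the default community string from anywhere (hostname, interfaces, processes and mounted disks are all readable). Delete the unrestricted line, keep only `rocommunity <non-default-string> s-mon.gsb.adm -V systemonly` (or the monitoring host's IP), and change the string away from `public`. The sample `extend test1 /bin/echo Hello, world!`, `extend-sh test2 ...`, `trapsink localhost public` and `sysLocation`/`sysContact` values come straight from the shipped example and should be removed or filled in. `rouser authOnlyUser`, `rouser internalUser` and `iquerySecName internalUser` refer to SNMPv3 users whose `createUser` lines are still commented out, so the v3 path — and `defaultMonitors`/`linkUpDownNotifications`, which depend on `iquerySecName` — is not functional as committed.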


@@ -0,0 +1,3 @@
---
- name: restart snmpd
service: name=snmpd state=restarted


@@ -0,0 +1,14 @@
---
- name: Installation snmpd
apt: name=snmpd state=present
- name: Installation snmp
apt: name=snmp state=present
- name: Copie du fichier snmpd.conf
copy: src=snmpd.conf dest=/etc/snmp/
notify:
- restart snmpd


@@ -0,0 +1,47 @@
---
- name: Installation des paquets
apt: name={{item}} state=present force=yes
with_items:
- dmidecode
- hwdata
- ucf
- hdparm
- perl
- libuniversal-require-perl
- libwww-perl
- libparse-edid-perl
- libproc-daemon-perl
- libfile-which-perl
- libhttp-daemon-perl
- libxml-treepp-perl
- libyaml-perl
- libnet-cups-perl
- libnet-ip-perl
- libdigest-sha-perl
- libsocket-getaddrinfo-perl
- libtext-template-perl
- name: Creation du repertoire fi
file: path=/root/fi state=directory owner=www-data group=www-data
- name: Installation de fusioninventory
get_url:
url: http://debian.fusioninventory.org/downloads/fusioninventory-agent_2.5-3_all.deb
dest: /root/fi
remote_src: yes
owner: www-data
group: www-data
- name: Installation du paquet .deb
apt:
deb: /root/fi/fusioninventory-agent_2.5-3_all.deb
- name: Configuration du fichier agent.cfg
replace:
dest: /etc/fusioninventory/agent.cfg
regexp: '#server = http://server.domain.com/glpi/plugins/fusioninventory/'
replace: 'server = http://172.16.0.9/plugins/fusioninventory/'
backup: yes
- debug:
msg: "Faire un systemectl restart fusioninventory-agent puis un reload"
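Review bot: The agent package is fetched over plain HTTP (`url: http://debian.fusioninventory.org/downloads/fusioninventory-agent_2.5-3_all.deb`) with no `checksum`, then installed as root by `apt: deb=...`, so anyone on the path can substitute the .deb; use `https://` and add `checksum: sha256:<published digest>` to `get_url`. `force=yes` on the package task tells apt to proceed with unauthenticated packages and downgrades, which defeats repository signing; drop it unless a specific package needs it. `remote_src: yes` is not a `get_url` option (it belongs to `copy`/`unarchive`) and newer Ansible will reject it, and neither `/root/fi` nor the downloaded .deb needs to be owned by `www-data`. The `replace` task points the agent at `http://172.16.0.9/plugins/fusioninventory/`, i.e. inventory data in clear text; serve GLPI over HTTPS and use that URL once it exists.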


@@ -0,0 +1,23 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=192.168.0.52
leftsubnet=172.16.128.0/24
right=192.168.0.51
rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=start
keyexchange=ikev2
type=tunnel
#
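Review bot: `ike=aes256-sha2_256-modp1024!` pins the IKE Diffie-Hellman group to 1024-bit MODP, which is below current recommendations and undercuts the AES-256 choice; use at least `modp2048` (or `ecp256`) on both peers, e.g. `ike=aes256-sha2_256-modp2048!`. `esp=aes256-sha2_256!` names no DH group, so CHILD_SA rekeys every `lifetime=8h` have no PFS; append one, `esp=aes256-sha2_256-modp2048!`. `charondebug="all"`, if this strongswan version accepts it, turns on verbose logging for every subsystem and is too chatty for a production gateway — `charondebug="ike 1, cfg 0"` or the default is enough once the tunnel works. With `authby=secret` the whole tunnel rests on the PSK in `ipsec.secrets`, which in this commit is `'root'`.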


@@ -0,0 +1,8 @@
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
192.168.0.52 192.168.0.51 : PSK 'root'
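Review bot: `192.168.0.52 192.168.0.51 : PSK 'root'` uses a four-character dictionary word as the pre-shared key and commits it to the repository; anyone able to initiate IKE to either gateway can collect the responder's AUTH payload, recover a key this weak offline, and bring up a tunnel into `172.16.128.0/24`. Generate a long random secret (`openssl rand -base64 48`), keep it in Ansible Vault and template it into this file, or move to certificate authentication, and rotate the key now that the old one is public. The deployed file should also be `root:root` mode `0600`; the copy task currently leaves the default mode.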


@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
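Review bot: Forwarding is enabled (`net.ipv4.ip_forward=1`) but every anti-spoofing setting this file describes stays commented out, so the VPN gateway still accepts ICMP redirects, source-routed packets and spoofed sources on any interface. Enable `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.send_redirects = 0`, `net.ipv4.conf.all.accept_source_route = 0`, `net.ipv4.conf.all.log_martians = 1` and `net.ipv4.tcp_syncookies=1`; for `rp_filter`, start with loose mode (`=2`) and test, because policy-based IPsec can deliver decrypted packets on an interface the strict check does not expect. The comment `# Do not send ICMP redirects (we are not a router)` is inaccurate for this host, which is one; adjust it so the next reader does not leave the setting off on that basis.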


@@ -0,0 +1,4 @@
---
- name: restart ipsec
service: name=ipsec state=restarted


@@ -0,0 +1,21 @@
---
#Installation ipsec strongswan côté gauche pour le fichier de secret partagé
- name: install strongswan, fichier secret partagé
apt: name=strongswan state=present
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
- name: Copie fichier ipsec.conf
copy: src=ipsec.conf dest=/etc/ipsec.conf
notify: restart ipsec
- name: Copie fichier ipsec.secrets
copy: src=ipsec.secrets dest=/etc/ipsec.secrets
notify: restart ipsec
- name: Message d'information
debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"
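Review bot: `copy: src=ipsec.secrets dest=/etc/ipsec.secrets` installs the shared secret with the module's default permissions (typically 0644, world-readable); add `owner=root group=root mode=0600`. `copy: src=sysctl.conf dest=/etc/sysctl.conf` rewrites the file but nothing reloads it, so `ip_forward` only takes effect after a reboot; use the `sysctl` module (`sysctl: name=net.ipv4.ip_forward value=1 sysctl_set=yes state=present reload=yes`) or notify a handler running `sysctl -p`. The debug message nests unescaped double quotes (`msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"`), which the key=value parser will mangle; use single quotes or block YAML. The `tcpdump` install looks like a debugging leftover and gives a packet sniffer to the gateway by default.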


@@ -0,0 +1,23 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=192.168.0.51
leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
right=192.168.0.52
rightsubnet=172.16.128.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=start
keyexchange=ikev2
type=tunnel
#
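Review bot: This peer also fixes `ike=aes256-sha2_256-modp1024!`, a 1024-bit DH group that is below current guidance; both ends must move together, e.g. `ike=aes256-sha2_256-modp2048!`, and `esp=aes256-sha2_256-modp2048!` so CHILD_SA rekeys get fresh keys. `charondebug="all"` is debugging-level logging and should be turned down for production. Since the two `ipsec.conf` files differ only in `left`/`right`, a single template with per-host variables would keep the cipher suites from drifting apart.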


@@ -0,0 +1,8 @@
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
192.168.0.51 192.168.0.52 : PSK 'root'
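Review bot: The pre-shared key on the last line is the literal `'root'`, committed in clear to the repository; a PSK this short gives IKE authentication essentially no strength, and anyone with read access to the repo has it. Generate a long random value (for example with `openssl rand -base64 48`), deliver it through a template from a vaulted Ansible variable instead of a static file, and set the file to mode 0600. The two certificate-based ipsec.secrets files further down keep the same value in a commented-out line, which should be dropped rather than left as a hint.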


@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
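Review bot: With `net.ipv4.ip_forward=1` enabled this host is a router, yet the redirect-related settings in the "Additional settings" block stay commented out, so the kernel will emit ICMP redirects and accept them on the forwarding interfaces. For a VPN gateway, uncomment `net.ipv4.conf.all.send_redirects = 0`, `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.rp_filter=1` (loose mode, value `2`, may be needed if the tunnel subnets are routed asymmetrically — verify against the topology). This same sysctl.conf is shipped byte-for-byte by three other roles below; the change should be made once and shared rather than maintained in four copies.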


@@ -0,0 +1,4 @@
---
- name: restart ipsec
service: name=ipsec state=restarted


@@ -0,0 +1,21 @@
---
#Installation ipsec strongswan côté droit pour le fichier de secret partagé
- name: install strongswan, fichier secret partagé
apt: name=strongswan state=present
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
- name: Copie fichier ipsec.conf
copy: src=ipsec.conf dest=/etc/ipsec.conf
notify: restart ipsec
- name: Copie fichier ipsec.secrets
copy: src=ipsec.secrets dest=/etc/ipsec.secrets
notify: restart ipsec
- name: Message d'information
debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"


@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#


@@ -0,0 +1,6 @@
---
- name: restart racoon
service: name=racoon state=restarted
- name: restart setkey
service: name=setkey state=restarted


@@ -0,0 +1,23 @@
---
- name: Installation Racoon
apt: name=racoon state=present update_cache=yes
- name: install ipsec-tools
apt: name=ipsec-tools state=present update_cache=yes
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: generation racoon.conf
template: src=racoon.conf.j2 dest=/etc/racoon/racoon.conf
- name: generation ipsec-tools.conf
template: src=ipsec-tools.conf.j2 dest=/etc/ipsec-tools.conf
notify: restart setkey
- name: generation psk.txt
template: src=psk.txt.j2 dest=/etc/racoon/psk.txt
notify: restart racoon
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
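Review bot: The `generation racoon.conf` task has no `notify`, so a changed template is written to /etc/racoon/racoon.conf but racoon is never restarted; add `notify: restart racoon` to it, as the psk.txt task already does. The psk.txt template sets no mode, so the pre-shared key file is created with the default umask; add `mode=0600` to that `template` task, both for confidentiality and because racoon rejects a psk.txt that is readable by others. The trailing sysctl copy is never reloaded, so the forwarding setting waits for a reboot — same remark as in the strongswan roles.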


@@ -0,0 +1,9 @@
flush;
spdflush;
spdadd {{ mynet }}/24 {{ remnet }}/24 any -P out ipsec
esp/tunnel/{{ ip1 }}-{{ remip }}/require;
spdadd {{ remnet }}/24 {{ mynet }}/24 any -P in ipsec
esp/tunnel/{{ remip }}-{{ ip1 }}/require;


@@ -0,0 +1,2 @@
{{ remip }} secret
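Review bot: The PSK for every peer is the fixed word `secret`, rendered into /etc/racoon/psk.txt; with `exchange_mode main,aggressive` allowed in racoon.conf.j2, a dictionary-weak PSK like this offers no real protection against offline guessing once an exchange is observed. Make the key a vaulted variable, `{{ remip }} {{ racoon_psk }}` (new variable name, to be defined per site), and set it to a long random value.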


@@ -0,0 +1,19 @@
path pre_shared_key "/etc/racoon/psk.txt";
remote {{ remip }} {
exchange_mode main,aggressive;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address {{ mynet }}/24 any address {{ remnet }}/24 any {
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
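Review bot: The phase-1 proposal uses `3des`, `sha1` and `dh_group 2` (1024-bit MODP), and `exchange_mode main,aggressive` lets the peer pick aggressive mode, which exposes the identity and weakens PSK authentication; the `sainfo` block likewise offers `blowfish 448` and `hmac_md5`. Restrict to main mode and modern algorithms as below, checking that the installed racoon build accepts `sha256`/`hmac_sha256` (older builds only take sha1/md5); the peer's configuration must change in step or phase 1 will not negotiate. Only the lines shown differ from the template.
```conf
remote {{ remip }} {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha256;
        # … unchanged: authentication_method …
        dh_group 14;
    }
}
sainfo address {{ mynet }}/24 any address {{ remnet }}/24 any {
    pfs_group 14;
    # … unchanged: lifetime …
    encryption_algorithm aes 256 ;
    authentication_algorithm hmac_sha256 ;
    # … unchanged: compression_algorithm …
}
```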


@@ -0,0 +1,3 @@
---
- name: restart apache2
service: name=apache2 state=restarted


@@ -0,0 +1,40 @@
---
- name: Téléchargement de wordpress
get_url:
url: http://depl/gsbstore/wordpress-5.3.2-fr_FR.tar.gz
dest: /var/www/html
- name: Extraction du fichier wordpress
unarchive:
src: /var/www/html/wordpress-5.3.2-fr_FR.tar.gz
dest: /var/www/html
- name: Fix permissions owner
shell: chown -R www-data /var/www/html/wordpress
- name: Fix permissions groups
shell: chgrp -R www-data /var/www/html/wordpress
- name: Mettre à jour le site Apache par défaut
lineinfile:
dest: /etc/apache2/sites-enabled/000-default.conf
regexp: "(.)+DocumentRoot /var/www/html"
line: "DocumentRoot /var/www/html/wordpress"
- name: restart apache2
service:
name: apache2
state: restarted
- name: Mettre à jour le fichier de configuration WordPress
lineinfile:
dest: /var/www/html/wordpress/wp-config-sample.php
backup: yes
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- {'regexp': "define\\('DB_NAME', '(.)+'\\);", 'line': "define('DB_NAME', 'wordpress');"}
- {'regexp': "define\\('DB_HOST', '(.)+'\\);", 'line': "define('DB_HOST', 'localhost');"}
- {'regexp': "define\\('DB_USER', '(.)+'\\);", 'line': "define('DB_USER', 'wp');"}
- {'regexp': "define\\('DB_PASSWORD', '(.)+'\\);", 'line': "define('DB_PASSWORD', 'wp');"}
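Review bot: `get_url` fetches the WordPress tarball over plain http with no `checksum`, so the archive is unpacked into /var/www/html without any integrity check; add `checksum: "sha256:<expected digest>"` (placeholder — take the digest from the release you mirror) so a tampered or truncated download fails the play. The `restart apache2` task restarts Apache on every run although a `restart apache2` handler exists; replace the task with `notify: restart apache2` on the `lineinfile` that changes the DocumentRoot. The `chown`/`chgrp` shell tasks are not idempotent and are one `file` task with `owner: www-data`, `group: www-data`, `recurse: true`. The database password `wp` is committed in clear and should come from a vaulted variable, and `backup: yes` is better written `backup: true`.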


@@ -0,0 +1,25 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=192.168.0.52
leftsubnet=172.16.128.0/24
right=192.168.0.51
rightsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
#authby=secret
auto=start
keyexchange=ikev2
type=tunnel
leftcert=r-vp2Cert.pem
leftid="C=CH, O=GSB, CN=r-vp2"
rightid="C=CH, O=GSB, CN=r-vp1"


@@ -0,0 +1,9 @@
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc
#192.168.0.52 192.168.0.51 : PSK 'root'
: RSA r-vp2Key.pem


@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#


@@ -0,0 +1,4 @@
---
- name: restart ipsec
service: name=ipsec state=restarted


@@ -0,0 +1,21 @@
---
#Installation ipsec strongswan côté gauche pour la communication via certificat
- name: 1. install strongswan, com via certificat
apt: name=strongswan state=present
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
- name: Copie fichier ipsec.conf
copy: src=ipsec.conf dest=/etc/ipsec.conf
notify: restart ipsec
- name: Copie fichier ipsec.secrets
copy: src=ipsec.secrets dest=/etc/ipsec.secrets
notify: restart ipsec
- name: Message d'information
debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"


@@ -0,0 +1,19 @@
#!/bin/bash
cd /etc/ipsec.d
ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem
ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=CH, O=GSB, CN=Root CA" --outform pem > cacerts/strongswanCert.pem
ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp1Key.pem
chmod 600 private/r-vp1Key.pem
ipsec pki --pub --in private/r-vp1Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp1" --san r-vp1 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp1Cert.pem
ipsec pki --gen --type rsa --size 2048 --outform pem > private/r-vp2Key.pem
chmod 600 private/r-vp2Key.pem
ipsec pki --pub --in private/r-vp2Key.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=CH, O=GSB, CN=r-vp2" --san r-vp2 --flag serverAuth --flag ikeIntermediate --outform pem > certs/r-vp2Cert.pem
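Review bot: The CA private key written by the first `--gen --size 4096` line (`private/strongswanKey.pem`) never receives the `chmod 600` that the two host keys get, and every key is created under the shell's default umask before the later chmod, leaving a window where it is readable. Put `umask 077` and `set -euo pipefail` at the top of the script so everything under private/ is created 0600 and a failed `ipsec pki` stage stops the pipeline instead of writing an empty certificate. The script also regenerates the CA and both keys on every invocation; the calling task should guard it with `creates=`.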


@@ -0,0 +1,25 @@
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
conn %default
conn tunnel #
left=192.168.0.51
leftsubnet=192.168.1.0/24, 192.168.200.0/24, 172.16.0.0/24
right=192.168.0.52
rightsubnet=172.16.128.0/24
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
#authby=secret
auto=start
keyexchange=ikev2
type=tunnel
leftcert=r-vp1Cert.pem
leftid="C=CH, O=GSB, CN=r-vp1"
rightid="C=CH, O=GSB, CN=r-vp2"


@@ -0,0 +1,9 @@
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc
#192.168.0.51 192.168.0.52 : PSK 'root'
: RSA r-vp1Key.pem


@@ -0,0 +1,16 @@
#!/bin/bash
REMH=192.168.0.52
cd /etc/ipsec.d
scp cacerts/strongswanCert.pem root@$REMH:/etc/ipsec.d/cacerts
scp certs/r-vp2Cert.pem root@$REMH:/etc/ipsec.d/certs
scp certs/r-vp1Cert.pem root@$REMH:/etc/ipsec.d/certs
scp private/r-vp2Key.pem root@$REMH:/etc/ipsec.d/private
scp private/r-vp1Key.pem root@$REMH:/etc/ipsec.d/private
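Review bot: The last two `scp` lines push both hosts' private keys to the peer, including this host's own `r-vp1Key.pem`, which the peer has no use for; the peer needs only the CA certificate plus its own key and certificate (IKEv2 carries the end-entity certificate in-band, so `r-vp1Cert.pem` is optional too). Drop the `r-vp1Key.pem` line, and consider generating each host's key locally and moving only a CSR/certificate so no private key crosses the network at all. The script also assumes root SSH login to `$REMH` and has no `set -e`, so a failed copy goes unnoticed by the calling play.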


@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#


@@ -0,0 +1,4 @@
---
- name: restart ipsec
service: name=ipsec state=restarted


@@ -0,0 +1,36 @@
---
#Installation ipsec strongswan côté droit pour la communication via certificat
- name: install strongswan, com via certificat
apt: name=strongswan state=present
- name: install strongswan-pki
apt: name=strongswan-pki state=present
- name: install tcpdump
apt: name=tcpdump state=present update_cache=yes
- name: activation du routage
copy: src=sysctl.conf dest=/etc/sysctl.conf
- name: Copie fichier ipsec.conf
copy: src=ipsec.conf dest=/etc/ipsec.conf
notify: restart ipsec
- name: Copie fichier ipsec.secrets
copy: src=ipsec.secrets dest=/etc/ipsec.secrets
notify: restart ipsec
- name: Copie fichier generate.sh
copy: src=generate.sh dest=/root/
- name: Generation de la CA et des certificats
shell: /bin/bash /root/generate.sh >> generate-log.txt
- name: Copie fichier recupKey.sh
copy: src=recupKey.sh dest=/root/
- name: Lancement recupKey.sh
shell: /bin/bash /root/recupKey.sh
- name: Message d'information
debug: msg="Veuillez consulter le document "r-vp.txt" dans ansible/gsb/doc"
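Review bot: The `Generation de la CA et des certificats` task runs `generate.sh` unconditionally, so every play re-creates the CA and both host keys and overwrites certificates the peer already trusts; add `creates=/etc/ipsec.d/cacerts/strongswanCert.pem` to that `shell` task, and guard the `recupKey.sh` task the same way so keys are not re-pushed on each run. `>> generate-log.txt` is relative to the task's working directory, so the log lands wherever the play happens to start; use an absolute path such as `/root/generate-log.txt`. Ordering also matters: `recupKey.sh` scp's to the peer before this role has any guarantee the peer's /etc/ipsec.d directories exist, so a failed copy should at least fail the play rather than be ignored.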