From 06cff81336104b0d65726476f9e873fc6b6edca8 Mon Sep 17 00:00:00 2001 From: Home1 Date: Thu, 30 Oct 2025 11:12:14 +0100 Subject: [PATCH] update ansible --- .../ansible/playbooks/apt-upgrade.yml | 32 +++ .../ansible/playbooks/apt-upgrade_v2.yml | 53 +++++ .../playbooks/debian_fullserver_web.yml | 187 ++++++++++++++++++ .../debian_fullserver_without_web.yml | 137 +++++++++++++ .../ansible/playbooks/debian_setup.yml | 88 +++++++++ ansible-prod/ansible/playbooks/fail2ban.yml | 60 ++++++ ansible-prod/ansible/playbooks/motd.yml | 27 +++ .../ansible/playbooks/node_explorer.yml | 74 +++++++ 8 files changed, 658 insertions(+) create mode 100644 ansible-prod/ansible/playbooks/apt-upgrade.yml create mode 100644 ansible-prod/ansible/playbooks/apt-upgrade_v2.yml create mode 100644 ansible-prod/ansible/playbooks/debian_fullserver_web.yml create mode 100644 ansible-prod/ansible/playbooks/debian_fullserver_without_web.yml create mode 100644 ansible-prod/ansible/playbooks/debian_setup.yml create mode 100644 ansible-prod/ansible/playbooks/fail2ban.yml create mode 100644 ansible-prod/ansible/playbooks/motd.yml create mode 100644 ansible-prod/ansible/playbooks/node_explorer.yml diff --git a/ansible-prod/ansible/playbooks/apt-upgrade.yml b/ansible-prod/ansible/playbooks/apt-upgrade.yml new file mode 100644 index 000000000..a437394fa --- /dev/null +++ b/ansible-prod/ansible/playbooks/apt-upgrade.yml 
@@ -0,0 +1,32 @@ +--- +- name: Upgrade Debian avec become_pass dynamique + hosts: all + gather_facts: false + become: true + become_method: sudo + + pre_tasks: + - name: Charger les variables vault (become_passwords) + ansible.builtin.include_vars: + file: "../group_vars/all/vault.yml" + name: vault_secrets + + - name: Définir le mot de passe sudo + ansible.builtin.set_fact: + ansible_become_pass: "{{ vault_secrets.become_passwords[inventory_hostname] }}" + + - name: Charger les facts système (setup) + ansible.builtin.setup: + + tasks: + - name: Mise à jour du cache APT + ansible.builtin.apt: + update_cache: yes + cache_valid_time: 3600 + + - name: Upgrade des paquets + ansible.builtin.apt: + upgrade: dist + autoremove: yes + autoclean: yes + diff --git a/ansible-prod/ansible/playbooks/apt-upgrade_v2.yml b/ansible-prod/ansible/playbooks/apt-upgrade_v2.yml new file mode 100644 index 000000000..fdec4ac5d --- /dev/null +++ b/ansible-prod/ansible/playbooks/apt-upgrade_v2.yml 
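Review bot: The "Définir le mot de passe sudo" `set_fact` task stores the host's sudo password in `ansible_become_pass` without `no_log: true`, so any run with `-v` or a callback that records task results prints the credential. Add `no_log: true` to that task, as apt-upgrade_v2.yml in the same commit already does. Since the v2 file supersedes this one (same hosts, same logic plus the assert and `ansible_become_password`), consider dropping apt-upgrade.yml rather than keeping two copies with different security properties; if it stays, `update_cache: yes`, `autoremove: yes` and `autoclean: yes` should be `true` to match v2.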
@@ -0,0 +1,53 @@ +--- +- name: Upgrade Debian avec become_pass dynamique (v2) + hosts: all + gather_facts: false + become: true + become_method: sudo + + pre_tasks: + - name: Charger les variables vault (become_passwords) + ansible.builtin.include_vars: + file: "../group_vars/all/vault.yml" + name: vault_secrets + + - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords) + ansible.builtin.set_fact: + _become_map: >- + {{ vault_secrets.become_passwords + if (vault_secrets is mapping and 'become_passwords' in vault_secrets) + else vault_secrets }} + + - name: Vérifier que le mot de passe existe pour l’hôte courant + ansible.builtin.assert: + that: + - _become_map is mapping + - inventory_hostname in _become_map + fail_msg: >- + Mot de passe manquant pour {{ inventory_hostname }}. + Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }} + + - name: Définir le mot de passe sudo (variable officielle) + ansible.builtin.set_fact: + ansible_become_password: "{{ _become_map[inventory_hostname] }}" + no_log: true + + - name: Charger les facts système (setup) + ansible.builtin.setup: + + tasks: + - name: Mise à jour du cache APT + ansible.builtin.apt: + update_cache: true + cache_valid_time: 3600 + + - name: Upgrade des paquets (dist-upgrade) + nettoyage + ansible.builtin.apt: + upgrade: dist + autoremove: true + autoclean: true + + # Optionnel : pour limiter le run à ton groupe via la CLI: + # Exécution conseillée : + # ansible-playbook -i inventory/inventory.ini playbooks/apt-upgrade_v2.yml --ask-vault-pass -l debians + diff --git a/ansible-prod/ansible/playbooks/debian_fullserver_web.yml b/ansible-prod/ansible/playbooks/debian_fullserver_web.yml new file mode 100644 index 000000000..a01f6f9e3 --- /dev/null +++ b/ansible-prod/ansible/playbooks/debian_fullserver_web.yml 
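Review bot: The "Normaliser la map des mots de passe" `set_fact` copies the entire become-password map for every host into `_become_map` without `no_log: true`, so a verbose run or a logging callback prints all hosts' sudo passwords, not just the current host's; only the later `ansible_become_password` task is protected. Add `no_log: true` to that task too. The `fail_msg` in the following assert lists `_become_map.keys()`, which is harmless for passwords but does enumerate every host that has a vault entry in the failure output; `Mot de passe manquant pour {{ inventory_hostname }}.` alone is enough for an operator to act on.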
@@ -0,0 +1,187 @@ +- hosts: server_web + vars: + user: "smauro" + root_password: "testtest" + tasks: + + # 0. Supprimer les lignes CD-ROM du sources.list (empêche apt de planter) + - name: Supprimer les lignes cdrom dans /etc/apt/sources.list + lineinfile: + path: /etc/apt/sources.list + regexp: '^deb cdrom:' + state: absent + become: yes + + # 1. Mettre à jour le fichier sources.list (sources HTTP officielles) + - name: Remplacer le fichier sources.list par les dépôts HTTP Debian Bookworm + copy: + dest: /etc/apt/sources.list + content: | + deb http://deb.debian.org/debian/ bookworm main non-free-firmware + deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware + + deb http://security.debian.org/debian-security bookworm-security main non-free-firmware + deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware + + deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware + deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware + become: yes + + # 2. Mettre à jour les paquets (apt update) + - name: Mettre à jour le cache apt + apt: + update_cache: yes + become: yes + + # 3. Collecter la liste des paquets installés + - name: Récupérer la liste des paquets installés + package_facts: + manager: apt + become: yes + + # 4. Installer sudo si non présent + - name: Installer sudo si non présent + apt: + name: sudo + state: present + become: yes + when: "'sudo' not in ansible_facts.packages" + + # 5. Ajouter l'utilisateur au groupe sudo + - name: Ajouter l'utilisateur au groupe sudo + user: + name: "{{ user }}" + groups: sudo + append: yes + become: yes + when: "'sudo' in ansible_facts.packages" + + # 6. Configurer le hostname + - name: Configurer le hostname + hostname: + name: "{{ ansible_hostname }}" + become: yes + + # 7. 
Changer le mot de passe root + - name: Changer le mot de passe root + user: + name: root + password: "{{ root_password | password_hash('sha512') }}" + become: yes + + # 8. Configurer l'utilisateur smauro + - name: Configurer l'utilisateur smauro + user: + name: "{{ user }}" + password: "{{ user_password | password_hash('sha512') }}" + shell: /bin/bash + groups: sudo + state: present + become: yes + + # 9. Installer les paquets nécessaires + - name: Installer les paquets nécessaires + apt: + name: ["sudo", "vim", "curl", "git", "htop", "gnupg", "apache2", "net-tools"] + state: present + become: yes + + # 10. Installer les dépendances requises pour ajouter un dépôt + - name: Installer les dépendances requises pour ajouter un dépôt + apt: + name: ["apt-transport-https", "ca-certificates", "lsb-release", "curl"] + state: present + become: yes + + # 11. Ajouter le dépôt Sury pour PHP 8.3 + - name: Ajouter le dépôt Sury pour PHP 8.3 + shell: echo "deb https://packages.sury.org/php/ bookworm main" | tee /etc/apt/sources.list.d/sury-php.list + become: yes + + - name: Ajouter la clé GPG du dépôt Sury + shell: curl -fsSL https://packages.sury.org/php/apt.gpg | tee /etc/apt/trusted.gpg.d/sury-php.gpg > /dev/null + become: yes + + # 12. Mettre à jour et upgrader le système + - name: Mettre à jour et upgrader le système + apt: + update_cache: yes + upgrade: dist + become: yes + + # 13. Installer PHP 8.3 et modules requis + - name: Installer PHP 8.3 et modules requis + apt: + name: + - php8.3-cli + - php8.3-fpm + - php8.3-common + - php8.3-mbstring + - php8.3-xml + - php8.3-curl + - php8.3-zip + - php8.3-gd + - php8.3-mysql + state: present + become: yes + + - name: Redémarrer PHP 8.3-FPM + systemd: + name: php8.3-fpm + state: restarted + become: yes + + # 14. Redémarrer Apache + - name: Redémarrer Apache + systemd: + name: apache2 + state: restarted + become: yes + + # 15. 
Activer les modules rewrite et expires dans Apache + - name: Activer les modules rewrite et expires dans Apache + command: a2enmod rewrite expires + become: yes + + # 16. Redémarrer Apache après activation des modules + - name: Redémarrer Apache après activation des modules + systemd: + name: apache2 + state: restarted + become: yes + + # 17. Mettre à jour /etc/hosts avec le hostname + - name: Mettre à jour /etc/hosts avec le hostname + lineinfile: + path: /etc/hosts + regexp: '^127\.0\.0\.1\s+' + line: "127.0.0.1 localhost {{ ansible_hostname }}" + state: present + become: yes + + # 18. Retirer 'PermitRootLogin yes' dans /etc/ssh/sshd_config + - name: Retirer ou modifier 'PermitRootLogin yes' dans /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitRootLogin\s+yes' + line: 'PermitRootLogin no' + state: present + become: yes + + # 19. Déployer le script MOTD personnalisé + - name: Déployer le script MOTD personnalisé + copy: + src: ../sources/99-motd + dest: /etc/update-motd.d/99-motd + owner: root + group: root + mode: '0755' + become: yes + + # 20. Redémarrer la machine (non bloquant) + - name: Redémarrer la machine + command: "nohup bash -c 'sleep 5 && reboot' &" + async: 1 + poll: 0 + ignore_errors: yes + become: yes diff --git a/ansible-prod/ansible/playbooks/debian_fullserver_without_web.yml b/ansible-prod/ansible/playbooks/debian_fullserver_without_web.yml new file mode 100644 index 000000000..4b8219e32 --- /dev/null +++ b/ansible-prod/ansible/playbooks/debian_fullserver_without_web.yml 
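Review bot: `root_password: "testtest"` in the play `vars:` is a cleartext root credential committed to the repository and applied to every host in `server_web`; the same literal appears in debian_fullserver_without_web.yml and debian_setup.yml. Task 8 also references `user_password`, which no `vars:` block defines, so the play fails with an undefined-variable error unless it is supplied externally; both should come from the vault that apt-upgrade_v2.yml already loads, e.g. `root_password: "{{ vault_root_password }}"`, and the two `user:` tasks that set passwords should carry `no_log: true`. Separately, task 11 pipes the Sury signing key into `/etc/apt/trusted.gpg.d/` through `shell` with no integrity check, which trusts that key for every configured repository and is reported as changed on each run; prefer `get_url` with a `checksum:` into a dedicated keyring plus `signed-by=` in the repo line (`apt_repository` or `deb822_repository`).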
@@ -0,0 +1,137 @@ +- hosts: server_web + vars: + user: "smauro" + root_password: "testtest" + tasks: + + # 0. Supprimer les lignes CD-ROM du sources.list (empêche apt de planter) + - name: Supprimer les lignes cdrom dans /etc/apt/sources.list + lineinfile: + path: /etc/apt/sources.list + regexp: '^deb cdrom:' + state: absent + become: yes + + # 1. Mettre à jour le fichier sources.list (sources HTTP officielles) + - name: Remplacer le fichier sources.list par les dépôts HTTP Debian Bookworm + copy: + dest: /etc/apt/sources.list + content: | + deb http://deb.debian.org/debian/ bookworm main non-free-firmware + deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware + + deb http://security.debian.org/debian-security bookworm-security main non-free-firmware + deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware + + deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware + deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware + become: yes + + # 2. Mettre à jour les paquets (apt update) + - name: Mettre à jour le cache apt + apt: + update_cache: yes + become: yes + + # 3. Collecter la liste des paquets installés + - name: Récupérer la liste des paquets installés + package_facts: + manager: apt + become: yes + + # 4. Installer sudo si non présent + - name: Installer sudo si non présent + apt: + name: sudo + state: present + become: yes + when: "'sudo' not in ansible_facts.packages" + + # 5. Ajouter l'utilisateur au groupe sudo + - name: Ajouter l'utilisateur au groupe sudo + user: + name: "{{ user }}" + groups: sudo + append: yes + become: yes + when: "'sudo' in ansible_facts.packages" + + # 6. Configurer le hostname + - name: Configurer le hostname + hostname: + name: "{{ ansible_hostname }}" + become: yes + + # 7. 
Changer le mot de passe root + - name: Changer le mot de passe root + user: + name: root + password: "{{ root_password | password_hash('sha512') }}" + become: yes + + # 8. Configurer l'utilisateur smauro + - name: Configurer l'utilisateur smauro + user: + name: "{{ user }}" + password: "{{ user_password | password_hash('sha512') }}" + shell: /bin/bash + groups: sudo + state: present + become: yes + + # 9. Installer les paquets nécessaires + - name: Installer les paquets nécessaires + apt: + name: ["sudo", "vim", "curl", "git", "htop", "cifs-utils", "net-tools"] + state: present + become: yes + + # 10. Installer les dépendances requises pour ajouter un dépôt + - name: Installer les dépendances requises pour ajouter un dépôt + apt: + name: ["apt-transport-https", "ca-certificates", "lsb-release", "curl"] + state: present + become: yes + + # 11. Mettre à jour et upgrader le système + - name: Mettre à jour et upgrader le système + apt: + update_cache: yes + upgrade: dist + become: yes + + # 12. Mettre à jour /etc/hosts avec le hostname + - name: Mettre à jour /etc/hosts avec le hostname + lineinfile: + path: /etc/hosts + regexp: '^127\.0\.0\.1\s+' + line: "127.0.0.1 localhost {{ ansible_hostname }}" + state: present + become: yes + + # 13. Retirer 'PermitRootLogin yes' dans /etc/ssh/sshd_config + - name: Retirer ou modifier 'PermitRootLogin yes' dans /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitRootLogin\s+yes' + line: 'PermitRootLogin no' + state: present + become: yes + + # 14. Déployer le script MOTD personnalisé + - name: Déployer le script MOTD personnalisé + copy: + src: ../sources/99-motd + dest: /etc/update-motd.d/99-motd + owner: root + group: root + mode: '0755' + become: yes + + # 15. Redémarrer la machine (non bloquant) + - name: Redémarrer la machine + command: "nohup bash -c 'sleep 5 && reboot' &" + async: 1 + poll: 0 + ignore_errors: yes + become: yes 
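Review bot: `hosts: server_web` on the first line targets the same inventory group as debian_fullserver_web.yml, so running this "without_web" variant reconfigures, rewrites `/etc/apt/sources.list` on, and reboots the web servers; this looks like a copy-paste leftover and should point at the non-web group (its name is not visible in the diff). The cleartext `root_password`, the undefined `user_password` and the missing `no_log: true` on the password-setting `user:` tasks noted on debian_fullserver_web.yml apply here unchanged.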
diff --git a/ansible-prod/ansible/playbooks/debian_setup.yml b/ansible-prod/ansible/playbooks/debian_setup.yml new file mode 100644 index 000000000..b1bf70c8b --- /dev/null +++ b/ansible-prod/ansible/playbooks/debian_setup.yml 
@@ -0,0 +1,88 @@ +--- +- hosts: debian_vm + vars: + user: "smauro" + root_password: "testtest" + tasks: + # 1. Passer à root et installer sudo + - name: Passer à root et installer sudo + become: yes + become_user: root + become_method: su + command: apt install sudo -y + vars: + ansible_become_pass: "{{ root_password }}" # Le mot de passe root est passé ici + register: result + + - name: Afficher le résultat de l'installation de sudo + debug: + var: result + + # 2. Ajouter l'utilisateur au groupe sudo + - name: Ajouter l'utilisateur au groupe sudo + user: + name: "{{ user }}" + groups: sudo + append: yes + become: yes + become_user: root + become_method: su + + # 3. Mettre à jour les paquets + - name: Mettre à jour les paquets + apt: + update_cache: yes + become: yes + become_user: root + become_method: su + + # 4. Configurer le hostname + - name: Configurer le hostname + hostname: + name: "ntp01deb" + become: yes + become_user: root + become_method: su + + # 5. Changer le mot de passe root + - name: Changer le mot de passe root + user: + name: root + password: "{{ root_password | password_hash('sha512') }}" + become: yes + become_user: root + become_method: su + + # 6. Configurer l'utilisateur smauro + - name: Configurer l'utilisateur smauro + user: + name: "{{ user }}" + password: "{{ root_password | password_hash('sha512') }}" + shell: /bin/bash + groups: sudo + state: present + become: yes + become_user: root + become_method: su + + - name: Installer les paquets nécessaires + apt: + name: "{{ item }}" + state: present + loop: + - sudo + - vim + - curl + - git + - htop + become: yes + become_user: root + become_method: su + + - name: Redémarrer la machine + reboot: + msg: "Redémarrage après configuration." + pre_reboot_delay: 5 + become: yes + become_user: root + become_method: su diff --git a/ansible-prod/ansible/playbooks/fail2ban.yml b/ansible-prod/ansible/playbooks/fail2ban.yml new file mode 100644 index 000000000..6c4bd63dc --- /dev/null 
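Review bot: Task 4 sets `name: "ntp01deb"` as the hostname for every host in `debian_vm`, so a group with more than one member ends up with duplicate hostnames; use `name: "{{ inventory_hostname }}"` or a per-host variable as the other playbooks in this commit do. Task 6 reuses `root_password` for the login user, so `smauro` and root end up with the same password, and that value is the cleartext `testtest` from `vars:` (see the note on debian_fullserver_web.yml). Task 1's `command: apt install sudo -y` is not idempotent and reports changed on every run; the `apt:` module used later in the same play (`name: sudo`, `state: present`) covers it, and the `debug: var: result` task can go with it.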
+++ b/ansible-prod/ansible/playbooks/fail2ban.yml @@ -0,0 +1,60 @@ +--- +- name: Install and configure Fail2ban with Mattermost notifications + hosts: servers + become: yes + gather_facts: no + vars: + ssh_port: "{{ ssh_port }}" + mattermost_webhook: "{{ mattermost_webhook }}" + + tasks: + - name: Install Fail2ban + apt: + name: fail2ban + state: present + update_cache: yes + + - name: Install iptables + apt: + name: iptables + state: present + update_cache: yes + + - name: Ensure Fail2ban service is started and enabled + systemd: + name: fail2ban + state: started + enabled: yes + + - name: Configure Fail2ban jail.local + copy: + dest: /etc/fail2ban/jail.local + content: | + [sshd] + enabled = true + port = {{ ssh_port }} + filter = sshd + maxretry = 3 + findtime = 600 + bantime = 1800 + backend = systemd + action = iptables-multiport[name=SSH, port={{ ssh_port }}, protocol=tcp, chain=INPUT, blocktype=DROP] mattermost + notify: Restart Fail2ban + + - name: Create Mattermost action file + copy: + dest: /etc/fail2ban/action.d/mattermost.conf + content: | + [Definition] + actionstart = + actionstop = + actionban = curl -X POST -H "Content-Type: application/json" --data "{\"text\": \"🚨 *$(hostname -s)* : **Fail2ban** a banni l'IP **** après trop d'échecs SSH 🚨\"}" "https://mattermost.evotechsphere.fr/hooks/gexfyc1kdffpxfxmb8hrw3oxdo" + actionunban = + notify: Restart Fail2ban + + handlers: + - name: Restart Fail2ban + systemd: + name: fail2ban + state: restarted + diff --git a/ansible-prod/ansible/playbooks/motd.yml b/ansible-prod/ansible/playbooks/motd.yml new file mode 100644 index 000000000..0b065ab6d --- /dev/null +++ b/ansible-prod/ansible/playbooks/motd.yml 
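Review bot: `ssh_port: "{{ ssh_port }}"` and `mattermost_webhook: "{{ mattermost_webhook }}"` in `vars:` define each variable in terms of itself, which Ansible rejects with a recursive-loop templating error; drop the two lines and supply the values from inventory or group_vars. `mattermost_webhook` is then never used: the `actionban` line embeds the webhook URL literally, so a bearer-equivalent secret is committed in cleartext and cannot be rotated without editing the playbook; template it as `"{{ mattermost_webhook }}"` and keep the value in the vault. In that same line the banned address between `**` and `**` appears empty — if the `<ip>` tag was lost in rendering this can be ignored, otherwise the notification never includes the address.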
@@ -0,0 +1,27 @@ +- hosts: server + vars: + user: "smauro" + become: yes + #root_password: "testtest" + tasks: + # 4. Mettre à jour les paquets + - name: Mettre à jour les paquets + apt: + update_cache: yes + become: yes + + # 11. Mettre à jour et upgrader le système + - name: Mettre à jour et upgrader le système + apt: + update_cache: yes + upgrade: dist + become: yes + + - name: Déployer le script MOTD personnalisé + copy: + src: ../sources/99-motd # Chemin relatif depuis où tu exécutes le playbook + dest: /etc/update-motd.d/99-motd + owner: root + group: root + mode: '0755' + become: yes diff --git a/ansible-prod/ansible/playbooks/node_explorer.yml b/ansible-prod/ansible/playbooks/node_explorer.yml new file mode 100644 index 000000000..0b08afb53 --- /dev/null +++ b/ansible-prod/ansible/playbooks/node_explorer.yml 
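Review bot: The two `apt:` tasks run a full `upgrade: dist` on the whole `server` group as part of deploying a MOTD script, a side effect the file name does not suggest and that apt-upgrade_v2.yml already owns; keep only the `copy` task here, or rename the play to say what it does. The `# 4.` and `# 11.` comments and the per-task `become: yes` (already set at play level) are leftovers from the fullserver playbooks and should be removed.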
@@ -0,0 +1,74 @@ +--- +- name: Install and configure Node Explorer + hosts: grafana + become: yes + gather_facts: no + vars: + user_home: "/home/smauro" + tmp_dir: "/home/smauro/tmp" + node_exporter_version: "1.9.0" + node_exporter_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz" + extract_dir: "/home/smauro/tmp/node_exporter-{{ node_exporter_version }}.linux-amd64" + + tasks: + - name: Créer le répertoire tmp s'il n'existe pas + file: + path: "{{ tmp_dir }}" + state: directory + owner: smauro + group: smauro + mode: '0755' + + - name: Télécharger Node Exporter + get_url: + url: "{{ node_exporter_url }}" + dest: "{{ tmp_dir }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz" + mode: '0644' + + - name: Extraire Node Exporter + ansible.builtin.unarchive: + src: "{{ tmp_dir }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz" + dest: "{{ tmp_dir }}" + remote_src: yes + + - name: Déplacer Node Exporter vers /usr/local/bin/ + command: mv {{ extract_dir }}/node_exporter /usr/local/bin/ + args: + creates: /usr/local/bin/node_exporter + + - name: Créer l'utilisateur prometheus + user: + name: prometheus + shell: /usr/sbin/nologin + system: yes + create_home: no + state: present + + - name: Créer le service systemd pour Node Exporter + copy: + dest: /etc/systemd/system/node_exporter.service + content: | + [Unit] + Description=Prometheus Node Exporter + Wants=network-online.target + After=network-online.target + + [Service] + User=prometheus + Group=prometheus + Type=simple + ExecStart=/usr/local/bin/node_exporter + + [Install] + WantedBy=multi-user.target + mode: '0644' + + - name: Recharger systemd + systemd: + daemon_reload: yes + + - name: Activer et démarrer Node Exporter + systemd: + name: node_exporter + enabled: yes + state: started
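Review bot: The `get_url` task downloads the Node Exporter tarball with no `checksum:`, so whatever the download returns is installed to `/usr/local/bin` and run as a system service; add `checksum: "sha256:<value from the release's sha256sums.txt>"` so a corrupted or substituted archive is rejected. The `mv` task is guarded by `creates: /usr/local/bin/node_exporter`, so once the binary exists it never runs again and bumping `node_exporter_version` silently leaves the old binary in place; a `copy` with `remote_src: true` (or a version check) would track the variable. The play name says "Node Explorer" while everything else is Node Exporter.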