smauro/prod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update ansible

Browse Source
This commit is contained in:
Home1 2025-10-30 11:12:14 +01:00
parent 87f58019b2
commit 06cff81336
8 changed files with 658 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
ansible-prod/ansible/playbooks/apt-upgrade.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: Upgrade Debian avec become_pass dynamique
hosts: all
gather_facts: false
become: true
become_method: sudo
pre_tasks:
- name: Charger les variables vault (become_passwords)
ansible.builtin.include_vars:
file: "../group_vars/all/vault.yml"
name: vault_secrets
- name: Définir le mot de passe sudo
ansible.builtin.set_fact:
ansible_become_pass: "{{ vault_secrets.become_passwords[inventory_hostname] }}"
- name: Charger les facts système (setup)
ansible.builtin.setup:
tasks:
- name: Mise à jour du cache APT
ansible.builtin.apt:
update_cache: yes
cache_valid_time: 3600
- name: Upgrade des paquets
ansible.builtin.apt:
upgrade: dist
autoremove: yes
autoclean: yes

53
ansible-prod/ansible/playbooks/apt-upgrade_v2.yml Normal file
View File

@ -0,0 +1,53 @@
---
- name: Upgrade Debian avec become_pass dynamique (v2)
hosts: all
gather_facts: false
become: true
become_method: sudo
pre_tasks:
- name: Charger les variables vault (become_passwords)
ansible.builtin.include_vars:
file: "../group_vars/all/vault.yml"
name: vault_secrets
- name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
ansible.builtin.set_fact:
_become_map: >-
{{ vault_secrets.become_passwords
if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
else vault_secrets }}
- name: Vérifier que le mot de passe existe pour lhôte courant
ansible.builtin.assert:
that:
- _become_map is mapping
- inventory_hostname in _become_map
fail_msg: >-
Mot de passe manquant pour {{ inventory_hostname }}.
Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
- name: Définir le mot de passe sudo (variable officielle)
ansible.builtin.set_fact:
ansible_become_password: "{{ _become_map[inventory_hostname] }}"
no_log: true
- name: Charger les facts système (setup)
ansible.builtin.setup:
tasks:
- name: Mise à jour du cache APT
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
- name: Upgrade des paquets (dist-upgrade) + nettoyage
ansible.builtin.apt:
upgrade: dist
autoremove: true
autoclean: true
# Optionnel : pour limiter le run à ton groupe via la CLI:
# Exécution conseillée :
# ansible-playbook -i inventory/inventory.ini playbooks/apt-upgrade_v2.yml --ask-vault-pass -l debians

187
ansible-prod/ansible/playbooks/debian_fullserver_web.yml Normal file
View File

@ -0,0 +1,187 @@
- hosts: server_web
vars:
user: "smauro"
root_password: "testtest"
tasks:
# 0. Supprimer les lignes CD-ROM du sources.list (empêche apt de planter)
- name: Supprimer les lignes cdrom dans /etc/apt/sources.list
lineinfile:
path: /etc/apt/sources.list
regexp: '^deb cdrom:'
state: absent
become: yes
# 1. Mettre à jour le fichier sources.list (sources HTTP officielles)
- name: Remplacer le fichier sources.list par les dépôts HTTP Debian Bookworm
copy:
dest: /etc/apt/sources.list
content: |
deb http://deb.debian.org/debian/ bookworm main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
become: yes
# 2. Mettre à jour les paquets (apt update)
- name: Mettre à jour le cache apt
apt:
update_cache: yes
become: yes
# 3. Collecter la liste des paquets installés
- name: Récupérer la liste des paquets installés
package_facts:
manager: apt
become: yes
# 4. Installer sudo si non présent
- name: Installer sudo si non présent
apt:
name: sudo
state: present
become: yes
when: "'sudo' not in ansible_facts.packages"
# 5. Ajouter l'utilisateur au groupe sudo
- name: Ajouter l'utilisateur au groupe sudo
user:
name: "{{ user }}"
groups: sudo
append: yes
become: yes
when: "'sudo' in ansible_facts.packages"
# 6. Configurer le hostname
- name: Configurer le hostname
hostname:
name: "{{ ansible_hostname }}"
become: yes
# 7. Changer le mot de passe root
- name: Changer le mot de passe root
user:
name: root
password: "{{ root_password | password_hash('sha512') }}"
become: yes
# 8. Configurer l'utilisateur smauro
- name: Configurer l'utilisateur smauro
user:
name: "{{ user }}"
password: "{{ user_password | password_hash('sha512') }}"
shell: /bin/bash
groups: sudo
state: present
become: yes
# 9. Installer les paquets nécessaires
- name: Installer les paquets nécessaires
apt:
name: ["sudo", "vim", "curl", "git", "htop", "gnupg", "apache2", "net-tools"]
state: present
become: yes
# 10. Installer les dépendances requises pour ajouter un dépôt
- name: Installer les dépendances requises pour ajouter un dépôt
apt:
name: ["apt-transport-https", "ca-certificates", "lsb-release", "curl"]
state: present
become: yes
# 11. Ajouter le dépôt Sury pour PHP 8.3
- name: Ajouter le dépôt Sury pour PHP 8.3
shell: echo "deb https://packages.sury.org/php/ bookworm main" | tee /etc/apt/sources.list.d/sury-php.list
become: yes
- name: Ajouter la clé GPG du dépôt Sury
shell: curl -fsSL https://packages.sury.org/php/apt.gpg | tee /etc/apt/trusted.gpg.d/sury-php.gpg > /dev/null
become: yes
# 12. Mettre à jour et upgrader le système
- name: Mettre à jour et upgrader le système
apt:
update_cache: yes
upgrade: dist
become: yes
# 13. Installer PHP 8.3 et modules requis
- name: Installer PHP 8.3 et modules requis
apt:
name:
- php8.3-cli
- php8.3-fpm
- php8.3-common
- php8.3-mbstring
- php8.3-xml
- php8.3-curl
- php8.3-zip
- php8.3-gd
- php8.3-mysql
state: present
become: yes
- name: Redémarrer PHP 8.3-FPM
systemd:
name: php8.3-fpm
state: restarted
become: yes
# 14. Redémarrer Apache
- name: Redémarrer Apache
systemd:
name: apache2
state: restarted
become: yes
# 15. Activer les modules rewrite et expires dans Apache
- name: Activer les modules rewrite et expires dans Apache
command: a2enmod rewrite expires
become: yes
# 16. Redémarrer Apache après activation des modules
- name: Redémarrer Apache après activation des modules
systemd:
name: apache2
state: restarted
become: yes
# 17. Mettre à jour /etc/hosts avec le hostname
- name: Mettre à jour /etc/hosts avec le hostname
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.0\.1\s+'
line: "127.0.0.1 localhost {{ ansible_hostname }}"
state: present
become: yes
# 18. Retirer 'PermitRootLogin yes' dans /etc/ssh/sshd_config
- name: Retirer ou modifier 'PermitRootLogin yes' dans /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin\s+yes'
line: 'PermitRootLogin no'
state: present
become: yes
# 19. Déployer le script MOTD personnalisé
- name: Déployer le script MOTD personnalisé
copy:
src: ../sources/99-motd
dest: /etc/update-motd.d/99-motd
owner: root
group: root
mode: '0755'
become: yes
# 20. Redémarrer la machine (non bloquant)
- name: Redémarrer la machine
command: "nohup bash -c 'sleep 5 && reboot' &"
async: 1
poll: 0
ignore_errors: yes
become: yes

137
ansible-prod/ansible/playbooks/debian_fullserver_without_web.yml Normal file
View File

@ -0,0 +1,137 @@
- hosts: server_web
vars:
user: "smauro"
root_password: "testtest"
tasks:
# 0. Supprimer les lignes CD-ROM du sources.list (empêche apt de planter)
- name: Supprimer les lignes cdrom dans /etc/apt/sources.list
lineinfile:
path: /etc/apt/sources.list
regexp: '^deb cdrom:'
state: absent
become: yes
# 1. Mettre à jour le fichier sources.list (sources HTTP officielles)
- name: Remplacer le fichier sources.list par les dépôts HTTP Debian Bookworm
copy:
dest: /etc/apt/sources.list
content: |
deb http://deb.debian.org/debian/ bookworm main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
become: yes
# 2. Mettre à jour les paquets (apt update)
- name: Mettre à jour le cache apt
apt:
update_cache: yes
become: yes
# 3. Collecter la liste des paquets installés
- name: Récupérer la liste des paquets installés
package_facts:
manager: apt
become: yes
# 4. Installer sudo si non présent
- name: Installer sudo si non présent
apt:
name: sudo
state: present
become: yes
when: "'sudo' not in ansible_facts.packages"
# 5. Ajouter l'utilisateur au groupe sudo
- name: Ajouter l'utilisateur au groupe sudo
user:
name: "{{ user }}"
groups: sudo
append: yes
become: yes
when: "'sudo' in ansible_facts.packages"
# 6. Configurer le hostname
- name: Configurer le hostname
hostname:
name: "{{ ansible_hostname }}"
become: yes
# 7. Changer le mot de passe root
- name: Changer le mot de passe root
user:
name: root
password: "{{ root_password | password_hash('sha512') }}"
become: yes
# 8. Configurer l'utilisateur smauro
- name: Configurer l'utilisateur smauro
user:
name: "{{ user }}"
password: "{{ user_password | password_hash('sha512') }}"
shell: /bin/bash
groups: sudo
state: present
become: yes
# 9. Installer les paquets nécessaires
- name: Installer les paquets nécessaires
apt:
name: ["sudo", "vim", "curl", "git", "htop", "cifs-utils", "net-tools"]
state: present
become: yes
# 10. Installer les dépendances requises pour ajouter un dépôt
- name: Installer les dépendances requises pour ajouter un dépôt
apt:
name: ["apt-transport-https", "ca-certificates", "lsb-release", "curl"]
state: present
become: yes
# 11. Mettre à jour et upgrader le système
- name: Mettre à jour et upgrader le système
apt:
update_cache: yes
upgrade: dist
become: yes
# 12. Mettre à jour /etc/hosts avec le hostname
- name: Mettre à jour /etc/hosts avec le hostname
lineinfile:
path: /etc/hosts
regexp: '^127\.0\.0\.1\s+'
line: "127.0.0.1 localhost {{ ansible_hostname }}"
state: present
become: yes
# 13. Retirer 'PermitRootLogin yes' dans /etc/ssh/sshd_config
- name: Retirer ou modifier 'PermitRootLogin yes' dans /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin\s+yes'
line: 'PermitRootLogin no'
state: present
become: yes
# 14. Déployer le script MOTD personnalisé
- name: Déployer le script MOTD personnalisé
copy:
src: ../sources/99-motd
dest: /etc/update-motd.d/99-motd
owner: root
group: root
mode: '0755'
become: yes
# 15. Redémarrer la machine (non bloquant)
- name: Redémarrer la machine
command: "nohup bash -c 'sleep 5 && reboot' &"
async: 1
poll: 0
ignore_errors: yes
become: yes

88
ansible-prod/ansible/playbooks/debian_setup.yml Normal file
View File

@ -0,0 +1,88 @@
---
- hosts: debian_vm
vars:
user: "smauro"
root_password: "testtest"
tasks:
# 1. Passer à root et installer sudo
- name: Passer à root et installer sudo
become: yes
become_user: root
become_method: su
command: apt install sudo -y
vars:
ansible_become_pass: "{{ root_password }}" # Le mot de passe root est passé ici
register: result
- name: Afficher le résultat de l'installation de sudo
debug:
var: result
# 2. Ajouter l'utilisateur au groupe sudo
- name: Ajouter l'utilisateur au groupe sudo
user:
name: "{{ user }}"
groups: sudo
append: yes
become: yes
become_user: root
become_method: su
# 3. Mettre à jour les paquets
- name: Mettre à jour les paquets
apt:
update_cache: yes
become: yes
become_user: root
become_method: su
# 4. Configurer le hostname
- name: Configurer le hostname
hostname:
name: "ntp01deb"
become: yes
become_user: root
become_method: su
# 5. Changer le mot de passe root
- name: Changer le mot de passe root
user:
name: root
password: "{{ root_password | password_hash('sha512') }}"
become: yes
become_user: root
become_method: su
# 6. Configurer l'utilisateur smauro
- name: Configurer l'utilisateur smauro
user:
name: "{{ user }}"
password: "{{ root_password | password_hash('sha512') }}"
shell: /bin/bash
groups: sudo
state: present
become: yes
become_user: root
become_method: su
- name: Installer les paquets nécessaires
apt:
name: "{{ item }}"
state: present
loop:
- sudo
- vim
- curl
- git
- htop
become: yes
become_user: root
become_method: su
- name: Redémarrer la machine
reboot:
msg: "Redémarrage après configuration."
pre_reboot_delay: 5
become: yes
become_user: root
become_method: su

60
ansible-prod/ansible/playbooks/fail2ban.yml Normal file
View File

@ -0,0 +1,60 @@
---
- name: Install and configure Fail2ban with Mattermost notifications
hosts: servers
become: yes
gather_facts: no
vars:
ssh_port: "{{ ssh_port }}"
mattermost_webhook: "{{ mattermost_webhook }}"
tasks:
- name: Install Fail2ban
apt:
name: fail2ban
state: present
update_cache: yes
- name: Install iptables
apt:
name: iptables
state: present
update_cache: yes
- name: Ensure Fail2ban service is started and enabled
systemd:
name: fail2ban
state: started
enabled: yes
- name: Configure Fail2ban jail.local
copy:
dest: /etc/fail2ban/jail.local
content: |
[sshd]
enabled = true
port = {{ ssh_port }}
filter = sshd
maxretry = 3
findtime = 600
bantime = 1800
backend = systemd
action = iptables-multiport[name=SSH, port={{ ssh_port }}, protocol=tcp, chain=INPUT, blocktype=DROP] mattermost
notify: Restart Fail2ban
- name: Create Mattermost action file
copy:
dest: /etc/fail2ban/action.d/mattermost.conf
content: |
[Definition]
actionstart =
actionstop =
actionban = curl -X POST -H "Content-Type: application/json" --data "{\"text\": \"🚨 *$(hostname -s)* : **Fail2ban** a banni l'IP **<ip>** après trop d'échecs SSH 🚨\"}" "https://mattermost.evotechsphere.fr/hooks/gexfyc1kdffpxfxmb8hrw3oxdo"
actionunban =
notify: Restart Fail2ban
handlers:
- name: Restart Fail2ban
systemd:
name: fail2ban
state: restarted

27
ansible-prod/ansible/playbooks/motd.yml Normal file
View File

@ -0,0 +1,27 @@
- hosts: server
vars:
user: "smauro"
become: yes
#root_password: "testtest"
tasks:
# 4. Mettre à jour les paquets
- name: Mettre à jour les paquets
apt:
update_cache: yes
become: yes
# 11. Mettre à jour et upgrader le système
- name: Mettre à jour et upgrader le système
apt:
update_cache: yes
upgrade: dist
become: yes
- name: Déployer le script MOTD personnalisé
copy:
src: ../sources/99-motd # Chemin relatif depuis où tu exécutes le playbook
dest: /etc/update-motd.d/99-motd
owner: root
group: root
mode: '0755'
become: yes

74
ansible-prod/ansible/playbooks/node_explorer.yml Normal file
View File

@ -0,0 +1,74 @@
---
- name: Install and configure Node Explorer
hosts: grafana
become: yes
gather_facts: no
vars:
user_home: "/home/smauro"
tmp_dir: "/home/smauro/tmp"
node_exporter_version: "1.9.0"
node_exporter_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
extract_dir: "/home/smauro/tmp/node_exporter-{{ node_exporter_version }}.linux-amd64"
tasks:
- name: Créer le répertoire tmp s'il n'existe pas
file:
path: "{{ tmp_dir }}"
state: directory
owner: smauro
group: smauro
mode: '0755'
- name: Télécharger Node Exporter
get_url:
url: "{{ node_exporter_url }}"
dest: "{{ tmp_dir }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
mode: '0644'
- name: Extraire Node Exporter
ansible.builtin.unarchive:
src: "{{ tmp_dir }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
dest: "{{ tmp_dir }}"
remote_src: yes
- name: Déplacer Node Exporter vers /usr/local/bin/
command: mv {{ extract_dir }}/node_exporter /usr/local/bin/
args:
creates: /usr/local/bin/node_exporter
- name: Créer l'utilisateur prometheus
user:
name: prometheus
shell: /usr/sbin/nologin
system: yes
create_home: no
state: present
- name: Créer le service systemd pour Node Exporter
copy:
dest: /etc/systemd/system/node_exporter.service
content: |
[Unit]
Description=Prometheus Node Exporter
Wants=network-online.target
After=network-online.target
[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/node_exporter
[Install]
WantedBy=multi-user.target
mode: '0644'
- name: Recharger systemd
systemd:
daemon_reload: yes
- name: Activer et démarrer Node Exporter
systemd:
name: node_exporter
enabled: yes
state: started