diff --git a/ansible-prod/ansible/playbooks/apt-upgrade.yml b/ansible-prod/ansible/playbooks/apt-upgrade.yml
deleted file mode 100644
index a437394fa..000000000
--- a/ansible-prod/ansible/playbooks/apt-upgrade.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-- name: Upgrade Debian avec become_pass dynamique
- hosts: all
- gather_facts: false
- become: true
- become_method: sudo
-
- pre_tasks:
- - name: Charger les variables vault (become_passwords)
- ansible.builtin.include_vars:
- file: "../group_vars/all/vault.yml"
- name: vault_secrets
-
- - name: Définir le mot de passe sudo
- ansible.builtin.set_fact:
- ansible_become_pass: "{{ vault_secrets.become_passwords[inventory_hostname] }}"
-
- - name: Charger les facts système (setup)
- ansible.builtin.setup:
-
- tasks:
- - name: Mise à jour du cache APT
- ansible.builtin.apt:
- update_cache: yes
- cache_valid_time: 3600
-
- - name: Upgrade des paquets
- ansible.builtin.apt:
- upgrade: dist
- autoremove: yes
- autoclean: yes
-
diff --git a/ansible-prod/ansible/playbooks/apt-upgrade_v2.yml b/ansible-prod/ansible/playbooks/apt-upgrade_v2.yml
deleted file mode 100644
index fdec4ac5d..000000000
--- a/ansible-prod/ansible/playbooks/apt-upgrade_v2.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-- name: Upgrade Debian avec become_pass dynamique (v2)
- hosts: all
- gather_facts: false
- become: true
- become_method: sudo
-
- pre_tasks:
- - name: Charger les variables vault (become_passwords)
- ansible.builtin.include_vars:
- file: "../group_vars/all/vault.yml"
- name: vault_secrets
-
- - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
- ansible.builtin.set_fact:
- _become_map: >-
- {{ vault_secrets.become_passwords
- if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
- else vault_secrets }}
-
- - name: Vérifier que le mot de passe existe pour l’hôte courant
- ansible.builtin.assert:
- that:
- - _become_map is mapping
- - inventory_hostname in _become_map
- fail_msg: >-
- Mot de passe manquant pour {{ inventory_hostname }}.
- Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}
-
- - name: Définir le mot de passe sudo (variable officielle)
- ansible.builtin.set_fact:
- ansible_become_password: "{{ _become_map[inventory_hostname] }}"
- no_log: true
-
- - name: Charger les facts système (setup)
- ansible.builtin.setup:
-
- tasks:
- - name: Mise à jour du cache APT
- ansible.builtin.apt:
- update_cache: true
- cache_valid_time: 3600
-
- - name: Upgrade des paquets (dist-upgrade) + nettoyage
- ansible.builtin.apt:
- upgrade: dist
- autoremove: true
- autoclean: true
-
- # Optionnel : pour limiter le run à ton groupe via la CLI:
- # Exécution conseillée :
- # ansible-playbook -i inventory/inventory.ini playbooks/apt-upgrade_v2.yml --ask-vault-pass -l debians
-
diff --git a/ansible-prod/ansible/playbooks/debian_fullserver_web.yml b/ansible-prod/ansible/playbooks/debian_fullserver_web.yml
deleted file mode 100644
index a01f6f9e3..000000000
--- a/ansible-prod/ansible/playbooks/debian_fullserver_web.yml
+++ /dev/null
@@ -1,187 +0,0 @@
-- hosts: server_web
- vars:
- user: "smauro"
- root_password: "testtest"
- tasks:
-
- # 0. Supprimer les lignes CD-ROM du sources.list (empêche apt de planter)
- - name: Supprimer les lignes cdrom dans /etc/apt/sources.list
- lineinfile:
- path: /etc/apt/sources.list
- regexp: '^deb cdrom:'
- state: absent
- become: yes
-
- # 1. Mettre à jour le fichier sources.list (sources HTTP officielles)
- - name: Remplacer le fichier sources.list par les dépôts HTTP Debian Bookworm
- copy:
- dest: /etc/apt/sources.list
- content: |
- deb http://deb.debian.org/debian/ bookworm main non-free-firmware
- deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware
-
- deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
- deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware
-
- deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
- deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
- become: yes
-
- # 2. Mettre à jour les paquets (apt update)
- - name: Mettre à jour le cache apt
- apt:
- update_cache: yes
- become: yes
-
- # 3. Collecter la liste des paquets installés
- - name: Récupérer la liste des paquets installés
- package_facts:
- manager: apt
- become: yes
-
- # 4. Installer sudo si non présent
- - name: Installer sudo si non présent
- apt:
- name: sudo
- state: present
- become: yes
- when: "'sudo' not in ansible_facts.packages"
-
- # 5. Ajouter l'utilisateur au groupe sudo
- - name: Ajouter l'utilisateur au groupe sudo
- user:
- name: "{{ user }}"
- groups: sudo
- append: yes
- become: yes
- when: "'sudo' in ansible_facts.packages"
-
- # 6. Configurer le hostname
- - name: Configurer le hostname
- hostname:
- name: "{{ ansible_hostname }}"
- become: yes
-
- # 7. Changer le mot de passe root
- - name: Changer le mot de passe root
- user:
- name: root
- password: "{{ root_password | password_hash('sha512') }}"
- become: yes
-
- # 8. Configurer l'utilisateur smauro
- - name: Configurer l'utilisateur smauro
- user:
- name: "{{ user }}"
- password: "{{ user_password | password_hash('sha512') }}"
- shell: /bin/bash
- groups: sudo
- state: present
- become: yes
-
- # 9. Installer les paquets nécessaires
- - name: Installer les paquets nécessaires
- apt:
- name: ["sudo", "vim", "curl", "git", "htop", "gnupg", "apache2", "net-tools"]
- state: present
- become: yes
-
- # 10. Installer les dépendances requises pour ajouter un dépôt
- - name: Installer les dépendances requises pour ajouter un dépôt
- apt:
- name: ["apt-transport-https", "ca-certificates", "lsb-release", "curl"]
- state: present
- become: yes
-
- # 11. Ajouter le dépôt Sury pour PHP 8.3
- - name: Ajouter le dépôt Sury pour PHP 8.3
- shell: echo "deb https://packages.sury.org/php/ bookworm main" | tee /etc/apt/sources.list.d/sury-php.list
- become: yes
-
- - name: Ajouter la clé GPG du dépôt Sury
- shell: curl -fsSL https://packages.sury.org/php/apt.gpg | tee /etc/apt/trusted.gpg.d/sury-php.gpg > /dev/null
- become: yes
-
- # 12. Mettre à jour et upgrader le système
- - name: Mettre à jour et upgrader le système
- apt:
- update_cache: yes
- upgrade: dist
- become: yes
-
- # 13. Installer PHP 8.3 et modules requis
- - name: Installer PHP 8.3 et modules requis
- apt:
- name:
- - php8.3-cli
- - php8.3-fpm
- - php8.3-common
- - php8.3-mbstring
- - php8.3-xml
- - php8.3-curl
- - php8.3-zip
- - php8.3-gd
- - php8.3-mysql
- state: present
- become: yes
-
- - name: Redémarrer PHP 8.3-FPM
- systemd:
- name: php8.3-fpm
- state: restarted
- become: yes
-
- # 14. Redémarrer Apache
- - name: Redémarrer Apache
- systemd:
- name: apache2
- state: restarted
- become: yes
-
- # 15. Activer les modules rewrite et expires dans Apache
- - name: Activer les modules rewrite et expires dans Apache
- command: a2enmod rewrite expires
- become: yes
-
- # 16. Redémarrer Apache après activation des modules
- - name: Redémarrer Apache après activation des modules
- systemd:
- name: apache2
- state: restarted
- become: yes
-
- # 17. Mettre à jour /etc/hosts avec le hostname
- - name: Mettre à jour /etc/hosts avec le hostname
- lineinfile:
- path: /etc/hosts
- regexp: '^127\.0\.0\.1\s+'
- line: "127.0.0.1 localhost {{ ansible_hostname }}"
- state: present
- become: yes
-
- # 18. Retirer 'PermitRootLogin yes' dans /etc/ssh/sshd_config
- - name: Retirer ou modifier 'PermitRootLogin yes' dans /etc/ssh/sshd_config
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin\s+yes'
- line: 'PermitRootLogin no'
- state: present
- become: yes
-
- # 19. Déployer le script MOTD personnalisé
- - name: Déployer le script MOTD personnalisé
- copy:
- src: ../sources/99-motd
- dest: /etc/update-motd.d/99-motd
- owner: root
- group: root
- mode: '0755'
- become: yes
-
- # 20. Redémarrer la machine (non bloquant)
- - name: Redémarrer la machine
- command: "nohup bash -c 'sleep 5 && reboot' &"
- async: 1
- poll: 0
- ignore_errors: yes
- become: yes
diff --git a/ansible-prod/ansible/playbooks/debian_fullserver_without_web.yml b/ansible-prod/ansible/playbooks/debian_fullserver_without_web.yml
deleted file mode 100644
index 4b8219e32..000000000
--- a/ansible-prod/ansible/playbooks/debian_fullserver_without_web.yml
+++ /dev/null
@@ -1,137 +0,0 @@
-- hosts: server_web
- vars:
- user: "smauro"
- root_password: "testtest"
- tasks:
-
- # 0. Supprimer les lignes CD-ROM du sources.list (empêche apt de planter)
- - name: Supprimer les lignes cdrom dans /etc/apt/sources.list
- lineinfile:
- path: /etc/apt/sources.list
- regexp: '^deb cdrom:'
- state: absent
- become: yes
-
- # 1. Mettre à jour le fichier sources.list (sources HTTP officielles)
- - name: Remplacer le fichier sources.list par les dépôts HTTP Debian Bookworm
- copy:
- dest: /etc/apt/sources.list
- content: |
- deb http://deb.debian.org/debian/ bookworm main non-free-firmware
- deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware
-
- deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
- deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware
-
- deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
- deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
- become: yes
-
- # 2. Mettre à jour les paquets (apt update)
- - name: Mettre à jour le cache apt
- apt:
- update_cache: yes
- become: yes
-
- # 3. Collecter la liste des paquets installés
- - name: Récupérer la liste des paquets installés
- package_facts:
- manager: apt
- become: yes
-
- # 4. Installer sudo si non présent
- - name: Installer sudo si non présent
- apt:
- name: sudo
- state: present
- become: yes
- when: "'sudo' not in ansible_facts.packages"
-
- # 5. Ajouter l'utilisateur au groupe sudo
- - name: Ajouter l'utilisateur au groupe sudo
- user:
- name: "{{ user }}"
- groups: sudo
- append: yes
- become: yes
- when: "'sudo' in ansible_facts.packages"
-
- # 6. Configurer le hostname
- - name: Configurer le hostname
- hostname:
- name: "{{ ansible_hostname }}"
- become: yes
-
- # 7. Changer le mot de passe root
- - name: Changer le mot de passe root
- user:
- name: root
- password: "{{ root_password | password_hash('sha512') }}"
- become: yes
-
- # 8. Configurer l'utilisateur smauro
- - name: Configurer l'utilisateur smauro
- user:
- name: "{{ user }}"
- password: "{{ user_password | password_hash('sha512') }}"
- shell: /bin/bash
- groups: sudo
- state: present
- become: yes
-
- # 9. Installer les paquets nécessaires
- - name: Installer les paquets nécessaires
- apt:
- name: ["sudo", "vim", "curl", "git", "htop", "cifs-utils", "net-tools"]
- state: present
- become: yes
-
- # 10. Installer les dépendances requises pour ajouter un dépôt
- - name: Installer les dépendances requises pour ajouter un dépôt
- apt:
- name: ["apt-transport-https", "ca-certificates", "lsb-release", "curl"]
- state: present
- become: yes
-
- # 11. Mettre à jour et upgrader le système
- - name: Mettre à jour et upgrader le système
- apt:
- update_cache: yes
- upgrade: dist
- become: yes
-
- # 12. Mettre à jour /etc/hosts avec le hostname
- - name: Mettre à jour /etc/hosts avec le hostname
- lineinfile:
- path: /etc/hosts
- regexp: '^127\.0\.0\.1\s+'
- line: "127.0.0.1 localhost {{ ansible_hostname }}"
- state: present
- become: yes
-
- # 13. Retirer 'PermitRootLogin yes' dans /etc/ssh/sshd_config
- - name: Retirer ou modifier 'PermitRootLogin yes' dans /etc/ssh/sshd_config
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin\s+yes'
- line: 'PermitRootLogin no'
- state: present
- become: yes
-
- # 14. Déployer le script MOTD personnalisé
- - name: Déployer le script MOTD personnalisé
- copy:
- src: ../sources/99-motd
- dest: /etc/update-motd.d/99-motd
- owner: root
- group: root
- mode: '0755'
- become: yes
-
- # 15. Redémarrer la machine (non bloquant)
- - name: Redémarrer la machine
- command: "nohup bash -c 'sleep 5 && reboot' &"
- async: 1
- poll: 0
- ignore_errors: yes
- become: yes
diff --git a/ansible-prod/ansible/playbooks/debian_setup.yml b/ansible-prod/ansible/playbooks/debian_setup.yml
deleted file mode 100644
index b1bf70c8b..000000000
--- a/ansible-prod/ansible/playbooks/debian_setup.yml
+++ /dev/null
@@ -1,88 +0,0 @@
----
-- hosts: debian_vm
- vars:
- user: "smauro"
- root_password: "testtest"
- tasks:
- # 1. Passer à root et installer sudo
- - name: Passer à root et installer sudo
- become: yes
- become_user: root
- become_method: su
- command: apt install sudo -y
- vars:
- ansible_become_pass: "{{ root_password }}" # Le mot de passe root est passé ici
- register: result
-
- - name: Afficher le résultat de l'installation de sudo
- debug:
- var: result
-
- # 2. Ajouter l'utilisateur au groupe sudo
- - name: Ajouter l'utilisateur au groupe sudo
- user:
- name: "{{ user }}"
- groups: sudo
- append: yes
- become: yes
- become_user: root
- become_method: su
-
- # 3. Mettre à jour les paquets
- - name: Mettre à jour les paquets
- apt:
- update_cache: yes
- become: yes
- become_user: root
- become_method: su
-
- # 4. Configurer le hostname
- - name: Configurer le hostname
- hostname:
- name: "ntp01deb"
- become: yes
- become_user: root
- become_method: su
-
- # 5. Changer le mot de passe root
- - name: Changer le mot de passe root
- user:
- name: root
- password: "{{ root_password | password_hash('sha512') }}"
- become: yes
- become_user: root
- become_method: su
-
- # 6. Configurer l'utilisateur smauro
- - name: Configurer l'utilisateur smauro
- user:
- name: "{{ user }}"
- password: "{{ root_password | password_hash('sha512') }}"
- shell: /bin/bash
- groups: sudo
- state: present
- become: yes
- become_user: root
- become_method: su
-
- - name: Installer les paquets nécessaires
- apt:
- name: "{{ item }}"
- state: present
- loop:
- - sudo
- - vim
- - curl
- - git
- - htop
- become: yes
- become_user: root
- become_method: su
-
- - name: Redémarrer la machine
- reboot:
- msg: "Redémarrage après configuration."
- pre_reboot_delay: 5
- become: yes
- become_user: root
- become_method: su
diff --git a/ansible-prod/ansible/playbooks/fail2ban.yml b/ansible-prod/ansible/playbooks/fail2ban.yml
deleted file mode 100644
index 6c4bd63dc..000000000
--- a/ansible-prod/ansible/playbooks/fail2ban.yml
+++ /dev/null
@@ -1,60 +0,0 @@
----
-- name: Install and configure Fail2ban with Mattermost notifications
- hosts: servers
- become: yes
- gather_facts: no
- vars:
- ssh_port: "{{ ssh_port }}"
- mattermost_webhook: "{{ mattermost_webhook }}"
-
- tasks:
- - name: Install Fail2ban
- apt:
- name: fail2ban
- state: present
- update_cache: yes
-
- - name: Install iptables
- apt:
- name: iptables
- state: present
- update_cache: yes
-
- - name: Ensure Fail2ban service is started and enabled
- systemd:
- name: fail2ban
- state: started
- enabled: yes
-
- - name: Configure Fail2ban jail.local
- copy:
- dest: /etc/fail2ban/jail.local
- content: |
- [sshd]
- enabled = true
- port = {{ ssh_port }}
- filter = sshd
- maxretry = 3
- findtime = 600
- bantime = 1800
- backend = systemd
- action = iptables-multiport[name=SSH, port={{ ssh_port }}, protocol=tcp, chain=INPUT, blocktype=DROP] mattermost
- notify: Restart Fail2ban
-
- - name: Create Mattermost action file
- copy:
- dest: /etc/fail2ban/action.d/mattermost.conf
- content: |
- [Definition]
- actionstart =
- actionstop =
- actionban = curl -X POST -H "Content-Type: application/json" --data "{\"text\": \"🚨 *$(hostname -s)* : **Fail2ban** a banni l'IP **** après trop d'échecs SSH 🚨\"}" "https://mattermost.evotechsphere.fr/hooks/gexfyc1kdffpxfxmb8hrw3oxdo"
- actionunban =
- notify: Restart Fail2ban
-
- handlers:
- - name: Restart Fail2ban
- systemd:
- name: fail2ban
- state: restarted
-
diff --git a/ansible-prod/ansible/playbooks/motd.yml b/ansible-prod/ansible/playbooks/motd.yml
deleted file mode 100644
index 0b065ab6d..000000000
--- a/ansible-prod/ansible/playbooks/motd.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- hosts: server
- vars:
- user: "smauro"
- become: yes
- #root_password: "testtest"
- tasks:
- # 4. Mettre à jour les paquets
- - name: Mettre à jour les paquets
- apt:
- update_cache: yes
- become: yes
-
- # 11. Mettre à jour et upgrader le système
- - name: Mettre à jour et upgrader le système
- apt:
- update_cache: yes
- upgrade: dist
- become: yes
-
- - name: Déployer le script MOTD personnalisé
- copy:
- src: ../sources/99-motd # Chemin relatif depuis où tu exécutes le playbook
- dest: /etc/update-motd.d/99-motd
- owner: root
- group: root
- mode: '0755'
- become: yes
diff --git a/ansible-prod/ansible/playbooks/node_explorer.yml b/ansible-prod/ansible/playbooks/node_explorer.yml
deleted file mode 100644
index 0b08afb53..000000000
--- a/ansible-prod/ansible/playbooks/node_explorer.yml
+++ /dev/null
@@ -1,74 +0,0 @@
----
-- name: Install and configure Node Explorer
- hosts: grafana
- become: yes
- gather_facts: no
- vars:
- user_home: "/home/smauro"
- tmp_dir: "/home/smauro/tmp"
- node_exporter_version: "1.9.0"
- node_exporter_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
- extract_dir: "/home/smauro/tmp/node_exporter-{{ node_exporter_version }}.linux-amd64"
-
- tasks:
- - name: Créer le répertoire tmp s'il n'existe pas
- file:
- path: "{{ tmp_dir }}"
- state: directory
- owner: smauro
- group: smauro
- mode: '0755'
-
- - name: Télécharger Node Exporter
- get_url:
- url: "{{ node_exporter_url }}"
- dest: "{{ tmp_dir }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
- mode: '0644'
-
- - name: Extraire Node Exporter
- ansible.builtin.unarchive:
- src: "{{ tmp_dir }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
- dest: "{{ tmp_dir }}"
- remote_src: yes
-
- - name: Déplacer Node Exporter vers /usr/local/bin/
- command: mv {{ extract_dir }}/node_exporter /usr/local/bin/
- args:
- creates: /usr/local/bin/node_exporter
-
- - name: Créer l'utilisateur prometheus
- user:
- name: prometheus
- shell: /usr/sbin/nologin
- system: yes
- create_home: no
- state: present
-
- - name: Créer le service systemd pour Node Exporter
- copy:
- dest: /etc/systemd/system/node_exporter.service
- content: |
- [Unit]
- Description=Prometheus Node Exporter
- Wants=network-online.target
- After=network-online.target
-
- [Service]
- User=prometheus
- Group=prometheus
- Type=simple
- ExecStart=/usr/local/bin/node_exporter
-
- [Install]
- WantedBy=multi-user.target
- mode: '0644'
-
- - name: Recharger systemd
- systemd:
- daemon_reload: yes
-
- - name: Activer et démarrer Node Exporter
- systemd:
- name: node_exporter
- enabled: yes
- state: started