coimbrap/projet_serveur_krkn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Amélioration du déploiement via Ansible

Browse Source
This commit is contained in:
Pierre Coimbra
2020-03-21 14:13:43 +01:00
parent 8342918591
commit a52a234214
20 changed files with 1025 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
deploiement/sources/zone_dmz/config_dmz.yml Normal file
View File

@@ -0,0 +1,30 @@
- hosts: dns
tasks:
- name: Copy Bind configuration for DNS
copy:
src: /root/src/dns/bind/zones
dest: /etc/bind
owner: root
group: root
mode: '0644'
- name: Copy Bind configuration for DNS
copy:
src: /root/src/dns/bind/named.conf
dest: /etc/bind
owner: root
group: root
mode: '0644'
- name: Copy Bind configuration for DNS
copy:
src: /root/src/dns/bind/named.conf.options
dest: /etc/bind
owner: root
group: root
mode: '0644'
- name: Restart ferm for DNS
systemd:
name: "bind9"
state: restarted

60
deploiement/sources/zone_dmz/ct_dmz.yml
View File

@@ -1,10 +1,13 @@
# HAProxy et DNS
# HAProxy, DNS et Proxy Interne
# HAProxy Master (CT102) : 10.0.0.6 | 10.0.1.1 | 10.0.3.1 | 10.1.0.102
# HAProxy Slave (CT103) : 10.0.0.7 | 10.0.1.2 10.0.3.2 | 10.1.0.103
# Proxy Interne (CT104) : 10.0.0.9 | 10.0.1.252 | 10.0.2.252 | 10.0.3.252 | 10.0.4.252 | 10.1.0.104
# DNS (CT107): 10.0.0.253 | | 10.0.1.253 | 10.0.2.253 | 10.1.0.107
# Gateway 10.0.0.0/24 -> 10.0.0.254
# Gateway 10.0.1.0/24 -> 10.0.1.254
# Gateway 10.0.2.0/24 -> 10.0.3.254
# Gateway 10.0.3.0/24 -> 10.0.3.254
# Gateway 10.0.4.0/24 -> 10.0.3.254
# Gateway 10.1.0.0/24 -> 10.1.0.254
# Créer les containers, les mets à jours, configure les mises à jours de sécurité automatique,
@@ -17,11 +20,11 @@
- include_vars: /root/src/source_pve.yml
- include_vars: /root/src/password_dmz.yml
- name: Create LXC for HAProxy Master (CT101)
- name: Create LXC for HAProxy Master (CT102)
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
api_host: '10.1.0.4'
node: alpha
cpus: 1
cores: 2
@@ -35,16 +38,16 @@
vmid: 102
onboot: yes
unprivileged: yes
nameserver: '10.0.0.253'
nameserver: '10.0.0.253 80.67.169.12'
netif: '{"net0":"name=eth0,ip=10.0.0.6/24,gw=10.0.0.254,bridge=vmbr1,tag=10","net1":"name=eth1,ip=10.0.1.1/24,gw=10.0.1.254,bridge=vmbr1,tag=20","net2":"name=eth2,ip=10.0.3.1/24,gw=10.0.3.254,bridge=vmbr1,tag=40","net3":"name=eth3,ip=10.1.0.102/24,gw=10.1.0.254,bridge=vmbr2,tag=100"}'
pubkey: "{{ ssh_pub }}"
state: present
- name: Create LXC for HAProxy Slave (CT102)
- name: Create LXC for HAProxy Slave (CT103)
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
api_host: '10.1.0.4'
node: beta
cpus: 1
cores: 2
@@ -58,16 +61,16 @@
vmid: 103
onboot: yes
unprivileged: yes
nameserver: '10.0.0.253'
nameserver: '10.0.0.253 80.67.169.12'
netif: '{"net0":"name=eth0,ip=10.0.0.7/24,gw=10.0.0.254,bridge=vmbr1,tag=10","net1":"name=eth1,ip=10.0.1.2/24,gw=10.0.1.254,bridge=vmbr1,tag=20","net2":"name=eth2,ip=10.0.3.2/24,gw=10.0.3.254,bridge=vmbr1,tag=40","net3":"name=eth3,ip=10.1.0.103/24,gw=10.1.0.254,bridge=vmbr2,tag=100"}'
pubkey: "{{ ssh_pub }}"
state: present
- name: Create LXC for Bind9 (CT106)
- name: Create LXC for Bind9 (CT107)
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
api_host: '10.1.0.4'
node: beta
cpus: 1
cores: 1
@@ -90,12 +93,13 @@
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
api_host: '10.1.0.4'
vmid: "{{ item }}"
state: started
with_items:
- '102'
- '103'
- '104'
- '107'
# Pas de config des proxy car sur accès au net depuis la DMZ.
@@ -136,6 +140,7 @@
- hosts: haproxy
tasks:
- include_vars: /root/src/password_dmz.yml
- name: Install requirement for HAProxy
apt:
pkg:
@@ -147,7 +152,7 @@
- keepalived
- name: Create hasync for HAProxy
user:
user:
name: hasync
password: "{{ pass_hasync_same }}"
state: present
@@ -237,15 +242,6 @@
with_items:
- 'bind9'
- name: Prepare NGINX for Bind9
file:
path: "{{ item }}"
state: absent
with_items:
- '/etc/nginx/sites-enabled/default'
- '/etc/nginx/sites-available/default'
- '/etc/letsencrypt/live/README'
- name: Prepare Bind9
file:
path: "{{ item }}"
@@ -277,3 +273,27 @@
systemd:
name: "ferm"
state: restarted
- hosts: proxyint
tasks:
- name: Enable service for Proxy
systemd:
name: "{{ item }}"
enabled: yes
with_items:
- 'apt-cacher-ng'
- 'squid'
- name: Copy ferm configuration for Proxy
copy:
src: /root/src/ferm/proxyint_ferm.conf
dest: /etc/ferm/ferm.conf
owner: root
group: root
mode: '0640'
- name: Restart ferm for Proxy
systemd:
name: "ferm"
state: restarted

49
deploiement/sources/zone_dmz/dns/bind/named.conf Normal file
View File

@@ -0,0 +1,49 @@
include "/etc/bind/named.conf.options";
acl front {
127.0.0.1;
10.0.0.0/24;
};
acl back {
10.0.1.0/24;
10.0.2.0/24;
};
view "internalfront" {
recursion yes;
match-clients {front;};
allow-query {front;};
allow-recursion {front;};
allow-query-cache {front;};
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/zones.rfc1918";
zone "krhacken.org" {
notify no;
type master;
file "/etc/bind/zones/db.krhacken.org.front";
};
zone "1.0.10.in-addr.arpa" {
notify no;
type master;
file "/etc/bind/zones/db.krhacken.org.intrafront.rev";
};
};
view "internalback" {
recursion yes;
match-clients {back;};
allow-query {back;};
allow-recursion {back;};
allow-query-cache {back;};
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/zones.rfc1918";
zone "krhacken.org" {
notify no;
type master;
file "/etc/bind/zones/db.krhacken.org.back";
};
zone "1.1.10.in-addr.arpa" {
notify no;
type master;
file "/etc/bind/zones/db.krhacken.org.intraback.rev";
};
};

30
deploiement/sources/zone_dmz/dns/bind/named.conf.options Normal file
View File

@@ -0,0 +1,30 @@
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no;
listen-on { any;};
version "V1.0";
forwarders {
80.67.169.12;
80.67.169.40;
};
forward only;
};
logging {
channel query_log {
file "/var/log/dns/query.log";
severity debug 10;
print-category yes;
print-time yes;
print-severity yes;
};
channel error_log {
file "/var/log/dns/error.log";
severity error;
print-category yes;
print-time yes;
print-severity yes;
};
category queries { query_log;};
category security { error_log;};
};

17
deploiement/sources/zone_dmz/dns/bind/zones/db.krhacken.org.back Normal file
View File

@@ -0,0 +1,17 @@
$TTL 10800
@ IN SOA dns.krhacken.org. (
2015010101 ; Serial
5400 ; Refresh
2700 ; Retry
2419200 ; Expire
300 ) ; Negative TTL
IN NS dns.krhacken.org. ;Nom du serveur
alpha.haproxy IN A 10.0.1.1
beta.haproxy IN A 10.0.1.2
alpha.ldap IN A 10.0.2.1
beta.ldap IN A 10.0.2.2
vip.ldap IN A 10.0.2.3
alpha.nginx IN A 10.0.2.4
beta.nginx IN A 10.0.2.5
dns IN A 10.0.2.253
proxyint IN A 10.0.2.254

19
deploiement/sources/zone_dmz/dns/bind/zones/db.krhacken.org.front Normal file
View File

@@ -0,0 +1,19 @@
$TTL 10800
@ IN SOA dns.krhacken.org. (
2015010101 ; Serial
5400 ; Refresh
2700 ; Retry
2419200 ; Expire
300 ) ; Negative TTL
IN NS dns.krhacken.org. ;Nom du serveur
alpha.fw IN A 10.0.0.1
beta.fw IN A 10.0.0.2
vip.fw IN A 10.0.0.3
alpha.haproxy IN A 10.0.0.4
beta.haproxy IN A 10.0.0.5
vip.haproxy IN A 10.0.0.6
proxyint IN A 10.0.0.7
mail IN A 10.0.0.10
dns IN A 10.0.0.253
alpha.nginx IN A 10.0.1.3
beta.nginx IN A 10.0.1.4

18
deploiement/sources/zone_dmz/dns/bind/zones/db.krhacken.org.intraback.rev Normal file
View File

@@ -0,0 +1,18 @@
REV
$TTL 10800
@ IN SOA dns.krhacken.org. (
2015021102 ; Serial
5400 ; Refresh
2700 ; Retry
2419200 ; Expire
300 ) ; Negative TTL
@ IN NS dns.krhacken.org.
253 IN PTR dns.krhacken.org.
1 IN PTR alpha.haproxy.krhacken.org.
2 IN PTR beta.haproxy.krhacken.org.
1 IN PTR alpha.ldap.krhacken.org.
2 IN PTR beta.ldap.krhacken.org.
3 IN PTR vip.ldap.krhacken.org.
4 IN PTR alpha.nginx.krhacken.org.
5 IN PTR beta.nginx.krhacken.org.
254 IN PTR proxyint.krhacken.org.

20
deploiement/sources/zone_dmz/dns/bind/zones/db.krhacken.org.intrafront.rev Normal file
View File

@@ -0,0 +1,20 @@
REV
$TTL 10800
@ IN SOA dns.krhacken.org. (
2015021102 ; Serial
5400 ; Refresh
2700 ; Retry
2419200 ; Expire
300 ) ; Negative TTL
@ IN NS dns.krhacken.org.
253 IN PTR dns.krhacken.org.
1 IN PTR alpha.fw.krhacken.org.
2 IN PTR beta.fw.krhacken.org.
3 IN PTR vip.fw.krhacken.org.
4 IN PTR alpha.haproxy.krhacken.org.
5 IN PTR beta.haproxy.krhacken.org.
6 IN PTR vip.haproxy.krhacken.org.
7 IN PTR proxyint.krhacken.org.
10 IN PTR mail.krhacken.org.
3 IN PTR alpha.nginx.krhacken.org.
4 IN PTR beta.nginx.krhacken.org.

10
deploiement/sources/zone_dmz/ferm/dns_ferm.conf
View File

@@ -13,10 +13,10 @@
@def $UDP_OPEN_PORT_FRONT_REQUEST = (53);
# Depuis l'intérieur sur l'interface principale
@def $HAVE_FRONT_ACCESS = 0; #0 pour NON 1 pour OUI
@def $OPEN_PORT_FRONT_ACCESS = ();
@def $NEED_UDP_FRONT_ACCESS = 0; #0 pour NON 1 pour OUI
@def $UDP_OPEN_PORT_FRONT_ACCESS = ();
@def $HAVE_FRONT_ACCESS = 1; #0 pour NON 1 pour OUI
@def $OPEN_PORT_FRONT_ACCESS = (53);
@def $NEED_UDP_FRONT_ACCESS = 1; #0 pour NON 1 pour OUI
@def $UDP_OPEN_PORT_FRONT_ACCESS = (53);
# Depuis l'extérieur sur les interfaces secondaires
@@ -84,7 +84,7 @@ table filter {
}
@if $NEED_UDP_FRONT_ACCESS {
outerface $IF_BACK proto udp dport $UDP_OPEN_PORT_FRONT_ACCESS ACCEPT;
outerface $IF_FRONT proto udp dport $UDP_OPEN_PORT_FRONT_ACCESS ACCEPT;
}
@if $HAVE_BACK_ACCESS {

6
deploiement/sources/zone_dmz/ferm/haproxy_ferm.conf
View File

@@ -14,8 +14,8 @@
# Depuis l'intérieur sur l'interface principale
@def $HAVE_FRONT_ACCESS = 1; #0 pour NON 1 pour OUI
@def $OPEN_PORT_FRONT_ACCESS = (22 80 443 8006);
@def $NEED_UDP_FRONT_ACCESS = 0; #0 pour NON 1 pour OUI
@def $OPEN_PORT_FRONT_ACCESS = (22 80 443 8006 53);
@def $NEED_UDP_FRONT_ACCESS = 1; #0 pour NON 1 pour OUI
@def $UDP_OPEN_PORT_FRONT_ACCESS = (53);
@@ -84,7 +84,7 @@ table filter {
}
@if $NEED_UDP_FRONT_ACCESS {
outerface $IF_BACK proto udp dport $UDP_OPEN_PORT_FRONT_ACCESS ACCEPT;
outerface $IF_FRONT proto udp dport $UDP_OPEN_PORT_FRONT_ACCESS ACCEPT;
}
@if $HAVE_BACK_ACCESS {

102
deploiement/sources/zone_dmz/ferm/proxyint_ferm.conf Normal file
View File

@@ -0,0 +1,102 @@
@def $IF_ADMIN = eth5;
@def $IF_FRONT = eth0;
@def $IF_BACK = (eth1 eth2 eth3 eth4);
# REQUEST : EXT -> INT | ACCESS : INT -> EXT
# Depuis l'extérieur sur l'interface principale
@def $HAVE_FRONT_REQUEST = 1; #0 pour NON 1 pour OUI
@def $OPEN_PORT_FRONT_REQUEST = (3128 9999);
@def $NEED_UDP_FRONT_REQUEST = 0; #0 pour NON 1 pour OUI
@def $UDP_OPEN_PORT_FRONT_REQUEST = ();
# Depuis l'intérieur sur l'interface principale
@def $HAVE_FRONT_ACCESS = 1; #0 pour NON 1 pour OUI
@def $OPEN_PORT_FRONT_ACCESS = (10:65535);
@def $NEED_UDP_FRONT_ACCESS = 0; #0 pour NON 1 pour OUI
@def $UDP_OPEN_PORT_FRONT_ACCESS = (53);
# Depuis l'extérieur sur les interfaces secondaires
@def $HAVE_BACK_REQUEST = 1; #0 pour NON 1 pour OUI
@def $OPEN_PORT_BACK_REQUEST = (3128 9999);
@def $NEED_UDP_BACK_REQUEST = 0; #0 pour NON 1 pour OUI
@def $UDP_OPEN_PORT_BACK_REQUEST = ();
# Depuis l'intérieur sur les interfaces secondaires
@def $HAVE_BACK_ACCESS = 0; #0 pour NON 1 pour OUI
@def $OPEN_PORT_BACK_ACCESS = ();
@def $NEED_UDP_BACK_ACCESS = 0; #0 pour NON 1 pour OUI
@def $UDP_OPEN_PORT_BACK_ACCESS = ();
# Besoin de VRRP sur IF_VRRP
@def $NEED_VRRP = 0; #0 pour NON 1 pour OUI
@def $IF_VRRP = eth0;
table filter {
chain INPUT {
policy DROP;
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface lo ACCEPT;
interface $IF_ADMIN ACCEPT;
@if $HAVE_FRONT_REQUEST {
interface $IF_FRONT proto tcp dport $OPEN_PORT_FRONT_REQUEST ACCEPT;
}
@if $NEED_VRRP {
interface $IF_VRRP proto vrrp ACCEPT;
}
@if $NEED_UDP_FRONT_REQUEST {
interface $IF_FRONT proto udp dport $UDP_OPEN_PORT_FRONT_REQUEST ACCEPT;
}
@if $HAVE_BACK_REQUEST {
interface $IF_BACK proto tcp dport $OPEN_PORT_BACK_REQUEST ACCEPT;
}
@if $NEED_UDP_BACK_REQUEST {
interface $IF_BACK proto udp dport $UDP_OPEN_PORT_BACK_REQUEST ACCEPT;
}
proto icmp icmp-type echo-request ACCEPT;
}
chain OUTPUT {
policy DROP;
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
outerface lo ACCEPT;
@if $HAVE_FRONT_ACCESS {
outerface $IF_FRONT proto tcp ACCEPT;
}
@if $NEED_VRRP {
outerface $IF_VRRP proto vrrp ACCEPT;
}
@if $NEED_UDP_FRONT_ACCESS {
outerface $IF_FRONT proto udp dport $UDP_OPEN_PORT_FRONT_ACCESS ACCEPT;
}
@if $HAVE_BACK_ACCESS {
outerface $IF_BACK proto tcp dport $OPEN_PORT_BACK_ACCESS ACCEPT;
}
@if $NEED_UDP_BACK_ACCESS {
outerface $IF_BACK proto udp dport $UDP_OPEN_PORT_BACK_ACCESS ACCEPT;
}
proto icmp ACCEPT;
}
chain FORWARD policy DROP;
}