coimbrap/projet_serveur_krkn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Début du déploiement via ANSIBLE

Browse Source
This commit is contained in:
Pierre Coimbra
2020-02-28 17:41:17 +01:00
parent b21da67c88
commit e480ed1a68
11 changed files with 868 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

275
deploiement/sources/zone_dmz/ct_dmz.yml Normal file
View File

@@ -0,0 +1,275 @@
# HAProxy et DNS
# HAProxy Master (CT100) : 10.0.0.6 | 10.0.1.1 | 10.0.3.1 | 10.1.0.100
# HAProxy Slave (CT101) : 10.0.0.7 | 10.0.1.2 10.0.3.2 | 10.1.0.101
# DNS (CT106): 10.0.0.253 | | 10.0.1.253 | 10.0.2.253 | 10.1.0.106
# Gateway 10.0.0.0/24 -> 10.0.0.254
# Gateway 10.0.1.0/24 -> 10.0.1.254
# Gateway 10.0.3.0/24 -> 10.0.3.254
# Gateway 10.1.0.0/24 -> 10.1.0.254
# Créer les containers, les mets à jours, configure les mises à jours de sécurité automatique,
# installe des paquets utile et ceux des services, met en place ferm via notre template.
- hosts: localhost
connection: local
gather_facts: no
tasks:
- include_vars: /root/src/source_pve.yml
- include_vars: /root/src/password_dmz.yml
- name: Create LXC for HAProxy Master (CT101)
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
node: alpha
cpus: 1
cores: 2
memory: 2048
disk: 16
swap: 1024
storage: local-zfs
ostemplate: 'local:vztmpl/debian-10.0-standard_10.0-1_amd64.tar.gz'
password: "{{ pass_haproxy_master }}"
hostname: HAProxyMaster
vmid: 101
onboot: yes
unprivileged: yes
nameserver: '10.0.0.253'
netif: '{"net0":"name=eth0,ip=10.0.0.6/24,gw=10.0.0.254,bridge=vmbr1,tag=10","net1":"name=eth1,ip=10.0.1.1/24,gw=10.0.1.254,bridge=vmbr1,tag=20","net2":"name=eth2,ip=10.0.3.1/24,gw=10.0.3.254,bridge=vmbr1,tag=40","net3":"name=eth3,ip=10.1.0.101/24,gw=10.1.0.254,bridge=vmbr2,tag=100"}'
pubkey: "{{ ssh_pub }}"
state: present
- name: Create LXC for HAProxy Slave (CT102)
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
node: beta
cpus: 1
cores: 2
memory: 2048
disk: 16
swap: 1024
storage: local-zfs
ostemplate: 'local:vztmpl/debian-10.0-standard_10.0-1_amd64.tar.gz'
password: "{{ pass_haproxy_slave }}"
hostname: HAProxySlave
vmid: 102
onboot: yes
unprivileged: yes
nameserver: '10.0.0.253'
netif: '{"net0":"name=eth0,ip=10.0.0.7/24,gw=10.0.0.254,bridge=vmbr1,tag=10","net1":"name=eth1,ip=10.0.1.2/24,gw=10.0.1.254,bridge=vmbr1,tag=20","net2":"name=eth2,ip=10.0.3.2/24,gw=10.0.3.254,bridge=vmbr1,tag=40","net3":"name=eth3,ip=10.1.0.102/24,gw=10.1.0.254,bridge=vmbr2,tag=100"}'
pubkey: "{{ ssh_pub }}"
state: present
- name: Create LXC for Bind9 (CT106)
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
node: beta
cpus: 1
cores: 1
memory: 1024
disk: 16
swap: 1024
storage: local-zfs
ostemplate: 'local:vztmpl/debian-10.0-standard_10.0-1_amd64.tar.gz'
password: "{{ pass_dns }}"
hostname: DNS
vmid: 106
onboot: yes
unprivileged: yes
nameserver: '80.67.169.12,80.67.169.40'
netif: '{"net0":"name=eth0,ip=10.0.0.253/24,gw=10.0.0.254,bridge=vmbr1,tag=10","net1":"name=eth1,ip=10.0.1.253/24,gw=10.0.1.254,bridge=vmbr1,tag=20","net2":"name=eth2,ip=10.0.2.253/24,gw=10.0.2.254,bridge=vmbr1,tag=30","net3":"name=eth3,ip=10.1.0.106/24,gw=10.1.0.254,bridge=vmbr2,tag=100"}'
pubkey: "{{ ssh_pub }}"
state: present
- name: Start DMZ containers
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
vmid: "{{ item }}"
state: started
with_items:
- '101'
- '102'
- '106'
# Pas de config des proxy car sur accès au net depuis la DMZ.
- hosts: zonedmz
tasks:
- name: Apt Update for DMZ
apt:
update_cache: yes
- name: Apt Upgrade for DMZ
apt:
upgrade: dist
- name: Install utils for DMZ
apt:
pkg:
- vim
- net-tools
- nmap
- dnsutils
- ferm
- unattended-upgrades
- apt-listchanges
- wget
- curl
- git
- name: Unattended-Upgrades Activation for DMZ
shell: |
echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
dpkg-reconfigure -f noninteractive unattended-upgrades
echo 'Unattended-Upgrade::Mail "root";' >> /etc/apt/apt.conf.d/50unattended-upgrades
- hosts: haproxy
tasks:
- name: Install requirement for HAProxy
apt:
pkg:
- haproxy
- hatop
- certbot
- nginx
- psmisc
- keepalived
- name: Create hasync for HAProxy
user:
name: hasync
password: "{{ pass_hasync_same }}"
state: present
- name: Enable service for HAProxy
systemd:
name: "{{ item }}"
enabled: yes
with_items:
- 'haproxy'
- 'nginx'
- 'keepalived'
- name: Prepare NGINX for HAProxy
file:
path: "{{ item }}"
state: absent
with_items:
- '/etc/nginx/sites-enabled/default'
- '/etc/nginx/sites-available/default'
- '/etc/letsencrypt/live/README'
- name: Prepare HAProxy for HAProxy
file:
path: "{{ item }}"
state: directory
with_items:
- '/home/hasync/letsencrypt-requests'
- '/etc/ssl/letsencrypt'
- name: Prepare keepalived for HAProxy
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
state: present
reload: yes
- name: Prepare keepalived for HAProxy
sysctl:
name: net.ipv4.ip_nonlocal_bind
value: '1'
sysctl_set: yes
state: present
reload: yes
- name: Copy cert deploy script for HAProxy
copy:
src: /root/src/script_haproxy_deploy_cert.sh
dest: /root/install-certs.sh
owner: root
group: root
mode: '0740'
- name: Copy cert renew script for HAProxy
copy:
src: /root/src/script_haproxy_renew_cert.sh
dest: /home/hasync/renew.sh
owner: hasync
group: hasync
mode: '0740'
- name: Copy ferm configuration for HAProxy
copy:
src: /root/src/ferm/haproxy_ferm.conf
dest: /etc/ferm/ferm.conf
owner: root
group: root
mode: '0640'
- name: Restart ferm for HAProxy
systemd:
name: "ferm"
state: restarted
- hosts: dns
tasks:
- name: Install requirement for Bind9
apt:
pkg:
- bind9
- name: Enable service for Bind9
systemd:
name: "{{ item }}"
enabled: yes
with_items:
- 'bind9'
- name: Prepare NGINX for HAProxy
file:
path: "{{ item }}"
state: absent
with_items:
- '/etc/nginx/sites-enabled/default'
- '/etc/nginx/sites-available/default'
- '/etc/letsencrypt/live/README'
- name: Prepare Bind9
file:
path: "{{ item }}"
state: directory
with_items:
- '/var/log/dns/'
- '/etc/bind/zones'
- name: Prepare Bind9
file:
path: "{{ item }}"
state: touch
owner: bind
group: bind
mode: '0640'
with_items:
- '/var/log/dns/query.log'
- '/var/log/dns/error.log'
- name: Copy ferm configuration for HAProxy
copy:
src: /root/src/ferm/dns_ferm.conf
dest: /etc/ferm/ferm.conf
owner: root
group: root
mode: '0640'
- name: Restart ferm for HAProxy
systemd:
name: "ferm"
state: restarted

29
deploiement/sources/zone_dmz/dns_ferm.conf Normal file
View File

@@ -0,0 +1,29 @@
@def $IF_ADMIN = eth3;
@def $IF_FRONT = eth0;
@def $IF_BACK = (eth1 eth2);
@def $OPEN_PORT_FRONT = (22 53);
@def $PROTO_FRONT = (tcp udp);
@def $OPEN_PORT_BACK = (22 53);
@def $PROTO_BACK = (tcp udp);
@def $HAVE_BACK = 1; #0 pour NON 1 pour OUI
table filter {
chain INPUT {
policy DROP;
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface lo ACCEPT;
interface $IF_ADMIN ACCEPT;
interface $IF_FRONT proto $PROTO_FRONT dport $OPEN_PORT_FRONT ACCEPT;
@if $HAVE_BACK {
interface $IF_BACK proto $PROTO_BACK dport $OPEN_PORT_BACK ACCEPT;
}
proto icmp icmp-type echo-request ACCEPT;
}
chain OUTPUT policy ACCEPT;
chain FORWARD policy DROP;
}

29
deploiement/sources/zone_dmz/haproxy_ferm.conf Normal file
View File

@@ -0,0 +1,29 @@
@def $IF_ADMIN = eth3;
@def $IF_FRONT = eth0;
@def $IF_BACK = (eth1 eth2);
@def $OPEN_PORT_FRONT = (22 80 443);
@def $PROTO_FRONT = (tcp);
@def $OPEN_PORT_BACK = (22 80);
@def $PROTO_BACK = (tcp);
@def $HAVE_BACK = 1; #0 pour NON 1 pour OUI
table filter {
chain INPUT {
policy DROP;
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
interface lo ACCEPT;
interface $IF_ADMIN ACCEPT;
interface $IF_FRONT proto $PROTO_FRONT dport $OPEN_PORT_FRONT ACCEPT;
@if $HAVE_BACK {
interface $IF_BACK proto $PROTO_BACK dport $OPEN_PORT_BACK ACCEPT;
}
proto icmp icmp-type echo-request ACCEPT;
}
chain OUTPUT policy ACCEPT;
chain FORWARD policy DROP;
}

19
deploiement/sources/zone_dmz/script_haproxy_deploy_cert.sh Normal file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
if [ "$(ip a | grep -c "10.0.0.8")" -ge 1 ]; then
ct_ip=$(ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1 | tail -c2)
if [ $ct_ip = 6 ]
then
other_ip=10.0.0.7
fi
if [ $ct_ip = 7 ]
then
other_ip=10.0.0.6
fi
certbot renew
rm -rf /etc/ssl/letsencrypt/*
for domain in $(ls /etc/letsencrypt/live); do
cat /etc/letsencrypt/live/$domain/privkey.pem /etc/letsencrypt/live/$domain/fullchain.pem > /etc/ssl/letsencrypt/$domain.pem
done
scp -r /etc/ssl/letsencrypt/* hasync@$other_ip:/etc/ssl/letsencrypt
else
fi

19
deploiement/sources/zone_dmz/script_haproxy_renew_cert.sh Normal file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
if [ "$(ip a | grep -c "10.0.0.8")" -ge 1 ]; then
ct_ip=$(ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1 | tail -c2)
if [ $ct_ip = 6 ]
then
other_ip=10.0.0.7
fi
if [ $ct_ip = 7 ]
then
other_ip=10.0.0.6
fi
certbot renew
rm -rf /etc/ssl/letsencrypt/*
for domain in $(ls /etc/letsencrypt/live); do
cat /etc/letsencrypt/live/$domain/privkey.pem /etc/letsencrypt/live/$domain/fullchain.pem > /etc/ssl/letsencrypt/$domain.pem
done
scp -r /etc/ssl/letsencrypt/* hasync@$other_ip:/etc/ssl/letsencrypt
else
fi

170
deploiement/sources/zone_proxy/ct_proxy.yml Normal file
View File

@@ -0,0 +1,170 @@
# NGINX REVERSE
# Nginx Alpha (CT104) : 10.0.1.3 | 10.0.2.4 | 10.1.0.104
# Nginx Beta (CT105) : 10.0.1.4 | 10.0.2.5 | 10.1.0.105
# Gateway 10.0.1.0/24 -> 10.0.1.254
# Gateway 10.0.2.0/24 -> 10.0.2.254
# Gateway 10.1.0.0/24 -> 10.1.0.254
# Créer les containers, les mets à jours, configure les mises à jours de sécurité automatique,
# installe des paquets utile et ceux des services, met en place ferm via notre template.
- hosts: localhost
connection: local
gather_facts: no
tasks:
- include_vars: /root/src/source_pve.yml
- include_vars: /root/src/password_proxy.yml
- name: Create LXC for Nginx Master (CT104)
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
node: alpha
cpus: 1
cores: 2
memory: 2048
disk: 16
swap: 1024
storage: local-zfs
ostemplate: 'local:vztmpl/debian-10.0-standard_10.0-1_amd64.tar.gz'
password: "{{ pass_nginx_alpha }}"
hostname: NginxMaster
vmid: 104
onboot: yes
unprivileged: yes
nameserver: '10.0.1.253'
netif: '{"net0":"name=eth0,ip=10.0.1.3/24,gw=10.0.1.254,bridge=vmbr1,tag=20","net1":"name=eth1,ip=10.0.2.4/24,gw=10.0.2.254,bridge=vmbr1,tag=30","net3":"name=eth3,ip=10.1.0.104/24,gw=10.1.0.254,bridge=vmbr2,tag=100"}'
pubkey: "{{ ssh_pub }}"
state: present
- name: Create LXC for Nginx Slave (CT105)
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
node: beta
cpus: 1
cores: 2
memory: 2048
disk: 16
swap: 1024
storage: local-zfs
ostemplate: 'local:vztmpl/debian-10.0-standard_10.0-1_amd64.tar.gz'
password: "{{ pass_nginx_slave }}"
hostname: NginxSlave
vmid: 105
onboot: yes
unprivileged: yes
nameserver: '10.0.1.253'
netif: '{"net0":"name=eth0,ip=10.0.1.4/24,gw=10.0.1.254,bridge=vmbr1,tag=20","net1":"name=eth1,ip=10.0.2.5/24,gw=10.0.2.254,bridge=vmbr1,tag=30","net3":"name=eth3,ip=10.1.0.105/24,gw=10.1.0.254,bridge=vmbr2,tag=100"}'
pubkey: "{{ ssh_pub }}"
state: present
- name: Start Proxy containers
proxmox:
api_user: root@pam
api_password: "{{ pass_pve }}"
api_host: '10.1.0.1'
vmid: "{{ item }}"
state: started
with_items:
- '104'
- '105'
- hosts: zoneproxy
tasks:
- name: APT configuration for Proxy
copy:
dest: "/etc/apt/apt.conf.d/01proxy"
content: |
Acquire::http {
Proxy "http://10.0.1.252:9999";
};
- name: WGET configuration for Proxy
copy:
dest: "/root/.wgetrc"
content: |
http_proxy = http://10.0.1.252:3128/
https_proxy = http://10.0.1.252:3128/
use_proxy = on
- name: Apt Update for Proxy
apt:
update_cache: yes
- name: Apt Upgrade for Proxy
apt:
upgrade: dist
- name: Install utils for Proxy
apt:
pkg:
- vim
- net-tools
- nmap
- dnsutils
- ferm
- unattended-upgrades
- apt-listchanges
- wget
- curl
- git
- name: Unattended-Upgrades Activation for Proxy
shell: |
echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
dpkg-reconfigure -f noninteractive unattended-upgrades
echo 'Unattended-Upgrade::Mail "root";' >> /etc/apt/apt.conf.d/50unattended-upgrades
- hosts: nginx
tasks:
- name: Install requirement for Nginx
apt:
pkg:
- nginx
- name: Enable service for Nginx
systemd:
name: "{{ item }}"
enabled: yes
with_items:
- 'nginx'
- name: Prepare NGINX for Nginx
file:
path: "{{ item }}"
state: absent
with_items:
- '/etc/nginx/sites-enabled/default'
- '/etc/nginx/sites-available/default'
- name: Prepare Nginx for Nginx
file:
path: "{{ item }}"
state: directory
with_items:
- '/home/hasync/letsencrypt-requests'
- '/etc/ssl/letsencrypt'
- name: Copy webhost deploy script for Nginx
copy:
src: /root/src/script_nginx.sh
dest: /root/deploy-webhost.sh
owner: root
group: root
mode: '0740'
- name: Copy ferm configuration for Nginx
copy:
src: /root/src/ferm/nginx_ferm.conf
dest: /etc/ferm/ferm.conf
owner: root
group: root
mode: '0640'
- name: Restart ferm for Nginx
systemd:
name: "ferm"
state: restarted

25
deploiement/sources/zone_proxy/script_nginx.sh Normal file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
if [ "$#" -eq "0" ]
then
echo "Bad Usage !"
else
ct_ip=$(ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1 | tail -c2)
if [ $ct_ip = 3 ]
then
other_ip=10.0.1.4
fi
if [ $ct_ip = 4 ]
then
other_ip=10.0.1.3
fi
if [ -f "/etc/nginx/sites-available/$1" ]
then
ln -s /etc/nginx/sites-available/$1 /etc/nginx/sites-enabled
systemctl restart nginx.service
scp /etc/nginx/sites-available/$1 root@$other_ip:/etc/nginx/sites-available/
ssh root@$other_ip "ln -s /etc/nginx/sites-available/$1 /etc/nginx/sites-enabled"
ssh root@$other_ip 'systemctl restart nginx.service'
else
echo "Not exist !"
fi
fi