diff --git a/ansible/inventory/production/group_vars/web.yml b/ansible/inventory/production/group_vars/web.yml
new file mode 100644
index 0000000..2e09fa1
--- /dev/null
+++ b/ansible/inventory/production/group_vars/web.yml
@@ -0,0 +1,5 @@
+users:
+ - username: 'artentica'
+ # groups: "admin,www-data"
+ - username: 'doctor'
+ # groups: "admin,www-data"
\ No newline at end of file
diff --git a/ansible/inventory/production/host_vars/mainServer.yml b/ansible/inventory/production/host_vars/mainServer.yml
new file mode 100644
index 0000000..64c1ce2
--- /dev/null
+++ b/ansible/inventory/production/host_vars/mainServer.yml
@@ -0,0 +1,8 @@
+---
+ansible_host: 91.121.85.107
+ansible_port: 137
+data_center: RBX1
+rack: 07A01
+id: 172791
+reverse: ns352698.ip-91-121-85.eu
+...
\ No newline at end of file
diff --git a/ansible/inventory/production/hosts b/ansible/inventory/production/hosts
new file mode 100644
index 0000000..79608c3
--- /dev/null
+++ b/ansible/inventory/production/hosts
@@ -0,0 +1,4 @@
+# file: production
+
+[web]
+mainServer
\ No newline at end of file
diff --git a/ansible/roles/packages/defaults/main.yml b/ansible/roles/packages/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/packages/tasks/main.yml b/ansible/roles/packages/tasks/main.yml
new file mode 100644
index 0000000..78f7ecc
--- /dev/null
+++ b/ansible/roles/packages/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+# - debug:
+# msg: "{{ hostvars[inventory_hostname] }}"
+
+- name: Dependencies installation
+ pacman:
+ name:
+ - git
+ - vim
+ - htop
+ - zsh
+ - sudo
+
+ update_cache: yes
+ # upgrade: yes
+ state: latest
+...
\ No newline at end of file
diff --git a/ansible/roles/ssh/defaults/main.yml b/ansible/roles/ssh/defaults/main.yml
new file mode 100644
index 0000000..d746762
--- /dev/null
+++ b/ansible/roles/ssh/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# Default path of the ssh config file
+sshd_config_path: "/etc/ssh/sshd_config"
+...
\ No newline at end of file
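Review bot: `state: latest` combined with `update_cache: yes` in the Dependencies installation task upgrades git, vim, htop, zsh and sudo on every run, so the role is not reproducible and the `sudo` binary the users role relies on can change underneath it; use `state: present` and leave upgrades to a deliberate maintenance play. `update_cache: yes` is a YAML 1.1 truthy spelling that not every loader reads as a boolean; write `update_cache: true`. The commented-out `# - debug:` and `# upgrade: yes` leftovers should be removed rather than shipped as dead configuration.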
diff --git a/ansible/roles/ssh/handlers/main.yml b/ansible/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..3916ed8
--- /dev/null
+++ b/ansible/roles/ssh/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
\ No newline at end of file
diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..e39e305
--- /dev/null
+++ b/ansible/roles/ssh/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+# ansible_port can change throughout this role, keep a copy around
+- name: Set configured port fact
+ set_fact:
+ configured_port: "{{ ansible_port }}"
+
+- name: "Check port {{ ansible_port }}"
+ wait_for:
+ port: "{{ ansible_port }}"
+ state: "started"
+ host: "{{ ansible_host }}"
+ connect_timeout: "5"
+ timeout: "5"
+ delegate_to: "localhost"
+ ignore_errors: "yes"
+ register: ssh_port
+
+- debug:
+ msg: "{{ ansible_host }}"
+
+- name: "Check port 22"
+ wait_for:
+ port: "22"
+ state: "started"
+ host: "{{ ansible_host }}"
+ connect_timeout: "5"
+ timeout: "5"
+ delegate_to: "localhost"
+ ignore_errors: "yes"
+ register: ssh_port_default
+ when:
+ - ssh_port is defined
+ - ssh_port.state is undefined
+
+- name: Set SSH port to 22
+ set_fact:
+ ansible_port: 22
+ when: ssh_port_default.state is defined
+
+# - name: Security | Disallow password authentication
+# lineinfile:
+# dest: /etc/ssh/sshd_config
+# regexp: "^[#]*PasswordAuthentication"
+# line: "PasswordAuthentication no"
+# state: present
+# notify: restart ssh
+# tags: ["ssh"]
+
+- name: Change sshd config
+ lineinfile:
+ dest: "{{ sshd_config_path }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^Port', line: 'Port "{{configured_port}}"' }
+ - { regexp: '^[#]*PasswordAuthentication=', line: 'PasswordAuthentication no' }
+ - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
+ notify: "restart sshd"
+
+# We notified "Restart sshd" if we modified the sshd config.
+# By calling flush_handlers, we make sure the handler is run *right now*
+- name: Ensure SSH is reloaded if need be
+ meta: flush_handlers
+
+
+- name: "Set SSH port to {{ configured_port }}"
+ set_fact:
+ ansible_port: "{{ configured_port }}"
+ when: ssh_port_default.state is defined
+
+# Gather facts should be set to false when running this role since it will
+# fail if the Ansible SSH port is not set correctly.
+# We run setup to gather facts here once the SSH port is set up.
+- name: Run deferred setup to gather facts
+ setup:
+...
diff --git a/ansible/roles/swarm/defaults/main.yml b/ansible/roles/swarm/defaults/main.yml
new file mode 100644
index 0000000..30668fa
--- /dev/null
+++ b/ansible/roles/swarm/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+packages:
+ - docker
+ - docker-compose
+ - python-pip
+
+docker_group: docker
+...
diff --git a/ansible/roles/swarm/handlers/main.yml b/ansible/roles/swarm/handlers/main.yml
new file mode 100644
index 0000000..2ed49bb
--- /dev/null
+++ b/ansible/roles/swarm/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart docker
+ service:
+ name: docker
+ state: restarted
+...
\ No newline at end of file
diff --git a/ansible/roles/swarm/tasks/main.yml b/ansible/roles/swarm/tasks/main.yml
new file mode 100644
index 0000000..ceb78c2
--- /dev/null
+++ b/ansible/roles/swarm/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+
+- name: install Docker and dependencies
+ pacman:
+ name: "{{ packages }}"
+ state: latest
+ update_cache: yes
+ with_items: "{{ packages }}"
+
+- name: "Ensure group {{ docker_group }} exists"
+ group:
+ name: "{{ docker_group }}"
+
+- name: Add user to docker group
+ user:
+ name: "{{ item.username }}"
+ group: "{{ docker_group }}"
+ with_items: "{{ users }}"
+
+- name: Ensure Docker is running
+ service:
+ name: docker
+ state: started
+ enabled: yes
+
+- name: Init a new swarm with default parameters
+ docker_swarm:
+ state: present
+...
\ No newline at end of file
diff --git a/ansible/roles/users/files/artentica.key.pub b/ansible/roles/users/files/artentica.key.pub
new file mode 100644
index 0000000..ba8f1c5
--- /dev/null
+++ b/ansible/roles/users/files/artentica.key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSuo82KyqCWnmAPNTWbZq+vFaIH2YFJkLNvkANV65mc
\ No newline at end of file
diff --git a/ansible/roles/users/files/doctor.key.pub b/ansible/roles/users/files/doctor.key.pub
new file mode 100644
index 0000000..ba8f1c5
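Review bot: The `'^[#]*PasswordAuthentication='` pattern in the Change sshd config task expects a `=` separator, but the stock sshd_config line is the whitespace-separated `#PasswordAuthentication yes`, so nothing matches and lineinfile appends `PasswordAuthentication no` at the end of the file; the `^Port` and `^PermitRootLogin` patterns likewise skip the commented defaults and append. Appending is fragile because sshd keeps the first value it reads for a keyword, so an active setting higher in the file wins, and a line added after a `Match` block is scoped to that block rather than global. Use `regexp: '^[#\s]*PasswordAuthentication\b'` (same shape for Port and PermitRootLogin), add `insertbefore: '^Match'` to the lineinfile call, and add `validate: 'sshd -t -f %s'` so a broken edit is rejected before the notified restart ever runs. `Port "{{configured_port}}"` writes a double-quoted value, which sshd tolerates, but plain `Port {{ configured_port }}` matches the other directives here. `ignore_errors: "yes"` is a quoted string rather than a boolean; write `ignore_errors: true`.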
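Review bot: `group: "{{ docker_group }}"` in the Add user to docker group task sets each user's primary group to docker instead of adding a supplementary group, replacing whatever primary group useradd assigned in the users role; use `groups: "{{ docker_group }}"` with `append: true`. Membership in the docker group gives control of the daemon socket, which is root-equivalent on that host, so it carries the same trust as the NOPASSWD sudo the users role grants and should be limited to the accounts that need it. The install task both passes the whole `packages` list to `name:` and loops over it with `with_items`, so pacman is invoked once per package with the full list every time; drop the `with_items: "{{ packages }}"` line. `update_cache: yes` and `enabled: yes` should be written `true`.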
--- /dev/null +++ b/ansible/roles/users/files/doctor.key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSuo82KyqCWnmAPNTWbZq+vFaIH2YFJkLNvkANV65mc \ No newline at end of file diff --git a/ansible/roles/users/tasks/main.yml b/ansible/roles/users/tasks/main.yml new file mode 100644 index 0000000..a3ece52 --- /dev/null +++ b/ansible/roles/users/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: "Create user: {{item.username}}" + user: + name: "{{ item.username }}" + groups: "admin" + with_items: "{{ users }}" + +- name: "Add authorized keys" + authorized_key: + user: "{{ item.username }}" + key: "{{ lookup('file', 'files/'+ item.username + '.key.pub') }}" + with_items: "{{ users }}" + +- name: "Allow admin users to sudo without a password" + lineinfile: + dest: "/etc/sudoers" # path: in version 2.3 + state: "present" + regexp: "^%admin" + line: "%admin ALL=(ALL) NOPASSWD: ALL" +... \ No newline at end of file diff --git a/ansible/site.yml b/ansible/site.yml new file mode 100644 index 0000000..9cc9cd6 --- /dev/null +++ b/ansible/site.yml @@ -0,0 +1,34 @@ +--- +- name: Server ssh only + hosts: web + remote_user: root + gather_facts: no + roles: + - role: ssh + tags: + - ssh + +- name: Server installation + hosts: web + remote_user: root + roles: + - role: packages + tags: + - packages + +- name: User configuration + hosts: web + remote_user: root + roles: + - role: users + tags: + - users + +- name: Swarm installation & configuration + hosts: web + remote_user: root + roles: + - role: swarm + tags: + - swarm +... diff --git a/postInstall.sh b/postInstall.sh new file mode 100644 index 0000000..8f8aa66 --- /dev/null +++ b/postInstall.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +wget https://pkgbuild.com/~eschwartz/repo/x86_64-extracted/pacman-static +chmod +x pacman-static +./pacman-static --noconfirm -Syyu python +rm ./pacman-static +reboot -f \ No newline at end of file diff --git a/swarm/example.yml b/swarm/example.yml new file mode 100644 index 0000000..0689188 
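Review bot: doctor.key.pub has the same blob (`index 0000000..ba8f1c5`) and the same ed25519 public key as artentica.key.pub, so both accounts are opened by one private key and an `authorized_key` login cannot be attributed to a person. If the second user is a placeholder, keep it out of the `users` list until a distinct key exists; otherwise replace the file with doctor's own public key.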
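Review bot: The "Allow admin users to sudo without a password" task edits `/etc/sudoers` with lineinfile but no `validate`, so a malformed line is written in place and breaks sudo for every account on the host; add `validate: 'visudo -cf %s'` (or write a file under `/etc/sudoers.d/` and validate that instead). The "Create user" task assigns `groups: "admin"` but nothing in the play creates that group, which fails on a host where `admin` does not already exist (an Arch install typically has `wheel`, not `admin`); add a `group: name: admin` task before it. Since these users are created without a `password`, `NOPASSWD` is what makes sudo usable at all, which is worth stating in a comment next to the line, e.g. `# accounts are key-only with no password set, so sudo must not prompt`.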
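Review bot: Play order in site.yml locks root out before any other login exists: the first play runs the ssh role, which writes `PermitRootLogin no` and restarts sshd through flush_handlers, while the users role that creates the admin accounts and their authorized keys only runs in the third play, and every play uses `remote_user: root`. Plays two to four may still succeed on the very first run if the persisted control connection survives the restart, but any rerun, or a first run that fails part-way, is refused at the door. Run the packages role (which installs sudo) and the users role before the ssh role, and switch the later plays to one of the created accounts with `become: true`, keeping root for bootstrap only. `gather_facts: no` should be written `gather_facts: false`.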
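Review bot: postInstall.sh downloads `pacman-static` and executes it as root with no checksum or signature check, so whatever that URL serves at run time gets root on the box; verify the download against a digest committed to the repo (`echo "<expected-sha256>  pacman-static" | sha256sum -c` with a placeholder for the real value) or a detached signature before the `chmod +x`. The script also has no `set -euo pipefail`, so a failed `wget` still runs `chmod`, `rm` and the unconditional `reboot -f`, which additionally skips a clean shutdown; add `set -euo pipefail` as the second line and prefer `reboot` without `-f`.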
--- /dev/null
+++ b/swarm/example.yml
@@ -0,0 +1,75 @@ +version: "3.8" + + +networks: + traefik: + name: "dmz" + driver: overlay + attachable: true + +services: + + traefik: + image: "traefik:v2.2" + command: + - "--global.sendanonymoususage=false" # désactivation de l'envoi de donnée + - "--global.checknewversion=false" # puisque dockerisé, on désactive le check de mise à jour + - "--accesslog=true" # Pour avoir les logs d'accès + - "--api=true" # Pour activer l'api + # Swarm + #traefik.http.services.myservice.loadbalancer.server.port=8080 + - "--providers.docker.swarmMode=true" + - "--providers.docker.watch=true" + - "--providers.docker.endpoint=unix:///var/run/docker.sock" + - "--api.insecure=true" # Activer pour exposer l'api sur 8080 + - "--api.dashboard=true" # Pour activer le dashboard + - "--log.level=DEBUG" + #- "--providers.file.directory=/etc/traefik/conf.d/" # Permets de charger les configurations dans le répertoire (tout les yaml et toml) + #- "--providers.file.watch=true" # Permets de surveiller le répertoire précédent pour charger dynamiquement les configurations + - "--entrypoints.http.address=:80" # Création de l'entrypoint nommé web sur le port 80 + - "--entrypoints.https.address=:443" # Création de l'entrypoint nommé websecure sur le port 443 + #- "--entrypoints.web.http.redirections.entrypoint.scheme=https" # Pour créer une redirection vers https + #- "--entrypoints.web.http.redirections.entrypoint.to=websecure" # Pour rediriger vers l'entrypoint websecure (port 443) + - "--certificatesresolvers.letsencrypt-rsa2048.acme.email=server@vincentriouallon.ovh" + - "--certificatesresolvers.letsencrypt-rsa2048.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" + - "--certificatesresolvers.letsencrypt-rsa2048.acme.storage=/acme.json" + - "--certificatesresolvers.letsencrypt-rsa2048.acme.keytype=RSA2048" + - "--certificatesresolvers.letsencrypt-rsa2048.acme.httpchallenge.entrypoint=web" + - "--certificatesresolvers.letsencrypt-rsa2048.acme.tlschallenge=true" + networks: + - 
traefik + ports: + - "8080:8080" + - "443:443" + - "80:80" + deploy: + labels: + - "traefik.http.services.traefik.loadbalancer.server.port=8080" + - "traefik.docker.lbswarm=true" + - "traefik.enable=true" + - "traefik.docker.network=dmz" + - "traefik.http.routers.traefik.entrypoints=https" + - "traefik.http.middlewares.http-redirect.redirectscheme.scheme=https" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock:ro" + + whoami: + image: "containous/whoami" + networks: + - traefik + deploy: + labels: + - "traefik.enable=true" + - "traefik.docker.network=dmz" + - "traefik.docker.lbswarm=true" + - "traefik.http.routers.reverse_proxy_plex_insecure.rule=Host(`whoami.vincentriouallon.ovh`)" + - "traefik.http.routers.reverse_proxy_plex_insecure.middlewares=http-redirect@docker" + - "traefik.http.routers.reverse_proxy_plex.entrypoints=https" + - "traefik.http.routers.reverse_proxy_plex.tls=true" + - "traefik.http.routers.reverse_proxy_plex.tls.certresolver=letsencrypt-rsa2048" + - "traefik.http.routers.reverse_proxy_plex.rule=Host(`whoami.vincentriouallon.ovh`)" + - "traefik.http.services.reverse_proxy_plex.loadbalancer.passhostheader=true" + - "traefik.http.services.reverse_proxy_plex.loadbalancer.server.port=80" + - "traefik.http.services.reverse_proxy_plex.loadbalancer.server.scheme=http" + +
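Review bot: `--api.insecure=true` together with the `"8080:8080"` port publication exposes the Traefik API and dashboard, unauthenticated, on port 8080 of every node reachable through the swarm ingress mesh, and `--log.level=DEBUG` is far too verbose for a production stack. Drop `--api.insecure=true` and the 8080 mapping and serve the dashboard through the https entrypoint behind an authentication middleware; the `traefik.http.routers.traefik.entrypoints=https` label is already present but has no rule or middleware, so it currently does nothing. The ACME resolver sets `httpchallenge.entrypoint=web`, but the entrypoints are defined as `http` and `https` (the comments still describe them as web/websecure), so the challenge cannot bind; use `httpchallenge.entrypoint=http`, and as far as I recall Traefik v2 accepts only one of httpchallenge/tlschallenge per resolver, so keep one. Note also that `caserver` is the Let's Encrypt staging endpoint and `/acme.json` has no volume, so issued certificates are untrusted by browsers and lost on redeploy.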