From cf8fe7edb72308e4ab3b57f958dcccf42f773912 Mon Sep 17 00:00:00 2001 From: greg Date: Mon, 29 Sep 2025 15:48:00 +0200 Subject: [PATCH] update for trixie OK --- .gitignore | 2 +- README.md | 16 ++++++--- handlers.yml | 10 +++--- hosts | 4 +-- playbook.yml | 27 +++++++------- tasks/basics_install.yml | 2 +- tasks/certbot.yml | 74 +++++++++++++++++++------------------- tasks/clamav.yml | 32 +++++++++++------ tasks/create_user.yml | 15 ++++++++ tasks/docker.yml | 15 ++++---- tasks/fail2ban.yml | 2 +- tasks/nginx.yml | 6 ++-- tasks/reboot.yml | 2 +- tasks/ssh.yml | 4 +-- tasks/ufw.yml | 4 +-- templates/fail2ban.conf.j2 | 4 ++- vars.yml | 15 ++++++-- 17 files changed, 141 insertions(+), 93 deletions(-) create mode 100644 tasks/create_user.yml diff --git a/.gitignore b/.gitignore index c4737f6..08a013c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -files/id_ed25519.pub \ No newline at end of file +files/*.pub \ No newline at end of file diff --git a/README.md b/README.md index e722cf3..ff4d00a 100644 --- a/README.md +++ b/README.md @@ -56,9 +56,15 @@ sudo apt install ansible -y ## CONFIGURATION -- Editer le fichier `vars.yml` et renseigner le `user`, `ssh_port` et l'`admin_email` +- Editer le fichier `vars.yml` et renseigner le `user`, `ssh_port`, `admin_password` et l'`admin_email` -- Ajouter une clé SSH `ed25519` dans le dossier `files/` +```bash +# Générer l'admin password: +python3 -c "import crypt; print(crypt.crypt('monmotdepasse', crypt.mksalt(crypt.METHOD_SHA512)))" +``` +> Remplacer `monmotdepasse` par le mot de passe voulu + +- Ajouter une clé SSH `~/.ssh/id_ed25519.pub` dans le dossier `files/` > Cette clé permettra l'accès au serveur une fois le playbook terminé 
@@ -75,6 +81,8 @@ ansible-playbook -i hosts playbook.yml --user=username --extra-vars "ansible_sud ``` > ssh_port changera le port de connection ssh de la machine cible +:bulb: Idéalement, une clé SSH est déjà ajoutée au serveur lors de la création (VPS cloud) + ## DOCUMENTATION - [Ansible](https://docs.ansible.com/ansible/latest/index.html) @@ -82,5 +90,5 @@ ansible-playbook -i hosts playbook.yml --user=username --extra-vars "ansible_sud ## TO DO -- [ ] update sources.list for Debian 13 -- [ ] test \ No newline at end of file +- [x] update sources.list for Debian 13 +- [x] test \ No newline at end of file diff --git a/handlers.yml b/handlers.yml index bc6dae9..e493204 100644 --- a/handlers.yml +++ b/handlers.yml @@ -1,16 +1,16 @@ --- -- name: restart nginx +- name: Restart nginx service: name=nginx state=restarted -- name: restart fail2ban +- name: Restart fail2ban service: name=fail2ban state=restarted -- name: restart ssh +- name: Restart ssh service: name=ssh state=restarted -- name: restart ufw +- name: Restart ufw service: name=ufw state=restarted -- name: restart server +- name: Restart server command: /sbin/reboot \ No newline at end of file diff --git a/hosts b/hosts index 41b6fe5..0883e19 100644 --- a/hosts +++ b/hosts @@ -1,8 +1,8 @@ #hosts [garage-server] -192.168.1.160:47590 +92.243.24.17:22 [garage-server.vars] -ansible_user=bellinuxien +ansible_user=debian #ansible_private_key_file=/home/greg/.ssh/private-key diff --git a/playbook.yml b/playbook.yml index 85d24f6..86eed9f 100644 --- a/playbook.yml +++ b/playbook.yml 
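Review bot: The inventory entry now pins the host to port 22 (`92.243.24.17:22`), but `tasks/ssh.yml` moves sshd to `ssh_port` (47490 in vars.yml), so every run after the first cannot connect unless the port is overridden on the command line as the README describes; defining the host without a port and passing `-e ansible_port=22` only on the bootstrap run, or switching the entry to `:47490` once the play has run, makes the inventory match the state the playbook leaves behind. The file also commits a real public address together with the bootstrap login name (`ansible_user=debian`), which is a target map for anyone who finds the repository; keeping `hosts` out of version control (an `hosts.example` with a placeholder address, plus a `.gitignore` entry) avoids that. `ansible_user=debian` duplicates the `remote_user: "{{ user }}"` already set in playbook.yml, so one of the two can go.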
@@ -4,22 +4,23 @@ - hosts: garage-server become: true remote_user: "{{ user }}" - + vars_files: - vars.yml tasks: - - include: tasks/apt_update.yml - - include: tasks/create_workspace.yml - - include: tasks/basics_install.yml - - include: tasks/docker.yml - - include: tasks/ssh.yml - - include: tasks/fail2ban.yml - - include: tasks/ufw.yml - - include: tasks/clamav.yml - - include: tasks/nginx.yml - - include: tasks/certbot.yml - - include: tasks/reboot.yml + - import_tasks: tasks/apt_update.yml + - import_tasks: tasks/create_user.yml + - import_tasks: tasks/create_workspace.yml + - import_tasks: tasks/basics_install.yml + - import_tasks: tasks/docker.yml + - import_tasks: tasks/ssh.yml + - import_tasks: tasks/fail2ban.yml + - import_tasks: tasks/ufw.yml + - import_tasks: tasks/clamav.yml + - import_tasks: tasks/nginx.yml + - import_tasks: tasks/certbot.yml + - import_tasks: tasks/reboot.yml handlers: - - include: handlers.yml + - import_tasks: handlers.yml diff --git a/tasks/basics_install.yml b/tasks/basics_install.yml index bc8b9e0..3ce8482 100644 --- a/tasks/basics_install.yml +++ b/tasks/basics_install.yml @@ -14,7 +14,7 @@ - gnupg - lsb-release - ca-certificates - - software-properties-common + # - software-properties-common - apt-transport-https - bash-completion state: present diff --git a/tasks/certbot.yml b/tasks/certbot.yml index 630b0e1..fe42ebf 100644 --- a/tasks/certbot.yml +++ b/tasks/certbot.yml 
@@ -3,44 +3,44 @@ - name: Install Certbot apt: package=certbot state=present -- name: Check if certificate already exists. - stat: - path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem - register: letsencrypt_cert +# - name: Check if certificate already exists. +# stat: +# path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem +# register: letsencrypt_cert -- name: Ensure pre and post hook folders exist. - file: - path: /etc/letsencrypt/renewal-hooks/{{ item }} - state: directory - mode: 0755 - owner: root - group: root - with_items: - - pre - - post +# - name: Ensure pre and post hook folders exist. +# file: +# path: /etc/letsencrypt/renewal-hooks/{{ item }} +# state: directory +# mode: 0755 +# owner: root +# group: root +# with_items: +# - pre +# - post -- name: Create pre hook to stop services. - template: - src: stop_services.j2 - dest: /etc/letsencrypt/renewal-hooks/pre/stop_services - owner: root - group: root - mode: 0750 - when: - - certbot_create_standalone_stop_services is defined - - certbot_create_standalone_stop_services +# - name: Create pre hook to stop services. +# template: +# src: stop_services.j2 +# dest: /etc/letsencrypt/renewal-hooks/pre/stop_services +# owner: root +# group: root +# mode: 0750 +# when: +# - certbot_create_standalone_stop_services is defined +# - certbot_create_standalone_stop_services -- name: Create post hook to start services. - template: - src: start_services.j2 - dest: /etc/letsencrypt/renewal-hooks/post/start_services - owner: root - group: root - mode: 0750 - when: - - certbot_create_standalone_stop_services is defined - - certbot_create_standalone_stop_services +# - name: Create post hook to start services. 
+# template: +# src: start_services.j2 +# dest: /etc/letsencrypt/renewal-hooks/post/start_services +# owner: root +# group: root +# mode: 0750 +# when: +# - certbot_create_standalone_stop_services is defined +# - certbot_create_standalone_stop_services -- name: Generate new certificate if one doesn't exist. - command: "{{ certbot_create_command }}" - when: not letsencrypt_cert.stat.exists \ No newline at end of file +# - name: Generate new certificate if one doesn't exist. +# command: "{{ certbot_create_command }}" +# when: not letsencrypt_cert.stat.exists \ No newline at end of file diff --git a/tasks/clamav.yml b/tasks/clamav.yml index b602fc3..5af21a5 100644 --- a/tasks/clamav.yml +++ b/tasks/clamav.yml @@ -1,24 +1,34 @@ --- -- name: Install ClamAV (Antivirus) +- name: Installer ClamAV et Cron apt: name: - clamav - clamav-daemon + - cron state: latest + update_cache: yes -- name: Copy Clam-scan script +- name: S'assurer que le service clamav-freshclam est démarré et activé + service: + name: clamav-freshclam + state: started + enabled: true + +- name: Copier le script Clam-scan copy: src: "./files/clamav-scan.sh" - dest: "/home/{{ user }}" + dest: "/home/{{ user }}/clam-scan.sh" owner: "{{ user }}" group: "{{ user }}" - mode: 755 + mode: '0755' + +# - name: Ajouter la crontab pour le scan quotidien +# ansible.builtin.cron: +# name: "clam-scan" +# state: present +# minute: "0" +# hour: "0" +# job: "/home/{{ user }}/clam-scan.sh" +# user: "{{ user }}" -- name: Install crontab for daily scan - ansible.builtin.cron: - name: "clam-scan" - state: present - minute: "00" - hour: "00" - job: "/home/{{ user }}/clam-scan.sh" \ No newline at end of file diff --git a/tasks/create_user.yml b/tasks/create_user.yml new file mode 100644 index 0000000..660c470 --- /dev/null +++ b/tasks/create_user.yml 
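Review bot: Commenting out every task after `Install Certbot` leaves the file as dead code that playbook.yml still imports, and the `letsencrypt_cert` fact the last task depends on is no longer registered, so the file cannot simply be uncommented later without re-checking its logic. If issuance is meant to be optional until `domain` is filled in, gate the tasks instead of commenting them, e.g. `when: domain is defined and domain | length > 0` on each task; otherwise delete everything but the install task, since version control keeps the history. The `0755` / `0750` modes are accepted by Ansible because of the leading zero, but quoting them (`'0755'`) matches docker.yml and clamav.yml in the same commit.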
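Review bot: With the cron task commented out, `clam-scan.sh` is still copied to `/home/{{ user }}/clam-scan.sh` but nothing ever runs it, so the daily scan this file provided silently stops; either restore the task (the rewritten `minute: "0"` / `hour: "0"` and the `dest` that now includes the filename look like the intended fixes) or remove the copy task as well. `state: latest` combined with `update_cache: yes` upgrades the packages on every run, which is not idempotent; `state: present` is the usual choice and `update_cache` belongs with the apt_update task that already runs first. `update_cache: yes` and `enabled: true` mix truthy styles — use `true` for both — and the task names switch from English to French while the rest of the tasks directory is mixed, so pick one language for `name:`.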
@@ -0,0 +1,15 @@ +--- + +- name: Créer un utilisateur + ansible.builtin.user: + name: "{{ admin_user }}" + comment: "Utilisateur administrateur" + shell: /bin/bash + groups: sudo + append: yes + create_home: yes + +- name: Définir le mot de passe de l'utilisateur + ansible.builtin.user: + name: "{{ admin_user }}" + password: "{{ admin_user_password }}" \ No newline at end of file diff --git a/tasks/docker.yml b/tasks/docker.yml index f6aa46b..9eece9c 100644 --- a/tasks/docker.yml +++ b/tasks/docker.yml @@ -12,10 +12,12 @@ dest: /etc/apt/keyrings/docker.gpg mode: '0644' -- name: Ajouter le dépôt Docker à la liste des sources + installation des dépendances +- name: Ajouter le dépôt Docker à la liste des sources ansible.builtin.apt_repository: - repo: "deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable" - filename: docker- name: Mettre à jour les paquets et installer les dépendances + repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable" + filename: docker + +- name: Mettre à jour les paquets et installer les dépendances apt: update_cache: yes name: @@ -40,6 +42,7 @@ groups: docker append: yes -- name: Recharger le shell pour appliquer les changements de groupe - shell: "newgrp docker" - ignore_errors: true +# broken (hanging forever) +# - name: Recharger le shell pour appliquer les changements de groupe +# shell: "newgrp docker" +# ignore_errors: true diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml index d7ca2ab..cc001e2 100644 --- a/tasks/fail2ban.yml +++ b/tasks/fail2ban.yml @@ -7,4 +7,4 @@ template: src=templates/fail2ban.conf.j2 dest=/etc/fail2ban/jail.local notify: - - restart fail2ban \ No newline at end of file + - Restart fail2ban \ No newline at end of file diff --git a/tasks/nginx.yml b/tasks/nginx.yml index b7a3103..f2f7b1e 100644 --- a/tasks/nginx.yml 
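Review bot: `password: "{{ admin_user_password }}"` is applied unconditionally, and vars.yml in this same commit ships `admin_user_password: ''`, so a run with the default hands the user module an empty value for a sudo-group account — the module appears to pass it through as the hash, which would leave the password field empty; guard the task with `when: admin_user_password | length > 0`, or make the shipped default `'!'`, which Ansible documents as a locked password. The two tasks can be merged, since `ansible.builtin.user` accepts `password` alongside `groups`, and `append: yes` / `create_home: yes` should be `true`. Nothing installs an SSH key for `admin_user`: `tasks/ssh.yml` still authorizes `files/id_ed25519.pub` for `{{ user }}` (the bootstrap account), so if the sshd template disables password logins the new administrator has no way in — presumably a second `authorized_key` task with `user: "{{ admin_user }}"` is intended.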
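Review bot: Hard-coding `arch=amd64` in the repository line fixes the invalid `x86_64` that `ansible_architecture` produced, but it silently breaks the play on arm64 hosts. Derive the dpkg architecture from the host instead, e.g. a preceding task `ansible.builtin.command: dpkg --print-architecture` with `register: dpkg_arch` and `changed_when: false`, then `arch={{ dpkg_arch.stdout }}` in the repo string. The second hunk comments out the `newgrp docker` task with a "broken" note rather than deleting it; the group membership added by the preceding task takes effect at the user's next login regardless, so the task and its `ignore_errors` can simply be removed.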
+++ b/tasks/nginx.yml @@ -16,8 +16,8 @@ file: path=/etc/nginx/includes state=directory # changer pour les confs avec ssl -- name: Modify nginx configuration (main) - template: src=templates/nginx-site.conf.j2 dest=/etc/nginx/nginx.conf +# - name: Modify nginx configuration (main) +# template: src=templates/nginx-site.conf.j2 dest=/etc/nginx/nginx.conf notify: - - restart nginx + - Restart nginx diff --git a/tasks/reboot.yml b/tasks/reboot.yml index e3897b7..8290d5f 100644 --- a/tasks/reboot.yml +++ b/tasks/reboot.yml @@ -4,4 +4,4 @@ command: echo "Rebooting..." notify: - - restart server \ No newline at end of file + - Restart server \ No newline at end of file diff --git a/tasks/ssh.yml b/tasks/ssh.yml index fa44ac5..db21921 100644 --- a/tasks/ssh.yml +++ b/tasks/ssh.yml @@ -7,11 +7,11 @@ owner: root group: root mode: '0600' - notify: Restart SSH + notify: Restart ssh - name: SSH key for access authorized_key: user: "{{ user }}" state: present key: "{{ lookup('file', 'files/id_ed25519.pub') }}" - notify: Restart SSH \ No newline at end of file + notify: Restart ssh \ No newline at end of file diff --git a/tasks/ufw.yml b/tasks/ufw.yml index 9f467bb..99c3c2b 100644 --- a/tasks/ufw.yml +++ b/tasks/ufw.yml @@ -17,12 +17,12 @@ - { rule: 'allow', port: '443', proto: 'tcp' } notify: - - restart ufw + - Restart ufw - name: Enable ufw logging ufw: logging=on notify: - - restart ufw + - Restart ufw - name: Enable ufw ufw: state=enabled \ No newline at end of file diff --git a/templates/fail2ban.conf.j2 b/templates/fail2ban.conf.j2 index 843e395..7c9a3e0 100644 --- a/templates/fail2ban.conf.j2 +++ b/templates/fail2ban.conf.j2 @@ -51,6 +51,7 @@ port = {{ ssh_port }} filter = sshd logpath = /var/log/auth.log maxretry = 6 +bantime = {{ bantime_seconds | default(600) }} [ssh-ddos] 
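Review bot: Commenting out the `Modify nginx configuration (main)` task leaves its `notify:` / `- Restart nginx` lines uncommented below it; YAML ignores the comment and blank lines in between, so if `notify:` sits at the same indent as the preceding `file:` key it now attaches to the `/etc/nginx/includes` directory task (restarting nginx whenever that directory is created), and at any other indent the file fails to parse. Either comment out or delete the two `notify` lines together with the task, or keep the task and gate it with a `when:`. The indentation is not recoverable from this patch, so confirm with `ansible-playbook --syntax-check` either way.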
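Review bot: `bantime = {{ bantime_seconds | default(600) }}` is now added twice with the same expression, once per jail (this hunk and the `[ssh-ddos]` hunk that follows); fail2ban jails inherit from `[DEFAULT]`, so setting it once in that section and dropping the per-jail copies avoids the duplication and keeps future jails consistent. Ten minutes is also fail2ban's usual shipped default, so the template only changes behaviour when `bantime_seconds` is overridden — worth saying in a comment next to the variable so nobody expects a harder lockout from this change alone.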
@@ -58,4 +59,5 @@ enabled = true port = {{ ssh_port }} filter = sshd-ddos logpath = /var/log/auth.log -maxretry = 6 \ No newline at end of file +maxretry = 6 +bantime = {{ bantime_seconds | default(600) }} \ No newline at end of file diff --git a/vars.yml b/vars.yml index ea18516..94a9319 100644 --- a/vars.yml +++ b/vars.yml @@ -1,6 +1,15 @@ --- -user: garage +# User pour se connecter la première fois (sudoer) +user: debian +# User final (sudoers) +admin_user: user +# Obtenu avec la command: python3 -c "import crypt; print(crypt.crypt('monmotdepasse', crypt.mksalt(crypt.METHOD_SHA512)))" +admin_user_password: '' +# SSH port après configuration ssh_port: 47490 -admin_email: contact@legaragenumerique.fr -ansible_python_interpreter: /usr/bin/python3 \ No newline at end of file +# Bantime pour la prison SSh (fail2ban) +bantime_seconds: 600 +admin_email: contact@domain.tld +ansible_python_interpreter: /usr/bin/python3 +domain: \ No newline at end of file
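Review bot: The comment above `admin_user_password` tells users to generate the hash with Python's `crypt` module, which was deprecated in 3.11 and removed in 3.13 — the python3 that Debian 13 (trixie), the target of this commit, ships — so the documented command fails on the very platform being supported; point to `mkpasswd --method=sha-512` (package whois), `openssl passwd -6`, or Ansible's `password_hash('sha512')` filter instead, and apply the same fix to the README. The hash itself should live in an ansible-vault-encrypted vars file rather than in this plaintext file under version control, and the empty `''` default is discussed on tasks/create_user.yml. `domain:` with no value is YAML `null`, not an empty string; write `domain: ''` or leave the key out so `is defined` / `length` checks behave predictably. `SSh` in the bantime comment is a typo.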