GARAGENUM/ansible-server-garage
GARAGENUM/ansible-server-garage
15
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update for trixie OK

Browse Source
This commit is contained in:
Grégory Lebreton 2025-09-29 15:48:00 +02:00
parent 7cfe0cfd0e
commit cf8fe7edb7
17 changed files with 141 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
files/id_ed25519.pub files/*.pub

16
README.md
View File

@ -56,9 +56,15 @@ sudo apt install ansible -y
## CONFIGURATION ## CONFIGURATION
- Editer le fichier `vars.yml` et renseigner le `user`, `ssh_port` et l'`admin_email` - Editer le fichier `vars.yml` et renseigner le `user`, `ssh_port`, `admin_password` et l'`admin_email`
- Ajouter une clé SSH `ed25519` dans le dossier `files/` ```bash
# Générer l'admin password:
python3 -c "import crypt; print(crypt.crypt('monmotdepasse', crypt.mksalt(crypt.METHOD_SHA512)))"
```
> Remplacer `monmotdepasse` par le mot de passe voulu
- Ajouter une clé SSH `~/.ssh/id_ed25519.pub` dans le dossier `files/`
> Cette clé permettra l'accès au serveur une fois le playbook terminé > Cette clé permettra l'accès au serveur une fois le playbook terminé
@ -75,6 +81,8 @@ ansible-playbook -i hosts playbook.yml --user=username --extra-vars "ansible_sud
``` ```
> ssh_port changera le port de connection ssh de la machine cible > ssh_port changera le port de connection ssh de la machine cible
:bulb: Idéalement, une clé SSH est déjà ajoutée au serveur lors de la création (VPS cloud)
## DOCUMENTATION ## DOCUMENTATION
- [Ansible](https://docs.ansible.com/ansible/latest/index.html) - [Ansible](https://docs.ansible.com/ansible/latest/index.html)
@ -82,5 +90,5 @@ ansible-playbook -i hosts playbook.yml --user=username --extra-vars "ansible_sud
## TO DO ## TO DO
- [ ] update sources.list for Debian 13 - [x] update sources.list for Debian 13
- [ ] test - [x] test

10
handlers.yml
View File

@ -1,16 +1,16 @@
--- ---
- name: restart nginx - name: Restart nginx
service: name=nginx state=restarted service: name=nginx state=restarted
- name: restart fail2ban - name: Restart fail2ban
service: name=fail2ban state=restarted service: name=fail2ban state=restarted
- name: restart ssh - name: Restart ssh
service: name=ssh state=restarted service: name=ssh state=restarted
- name: restart ufw - name: Restart ufw
service: name=ufw state=restarted service: name=ufw state=restarted
- name: restart server - name: Restart server
command: /sbin/reboot command: /sbin/reboot

4
hosts
View File

@ -1,8 +1,8 @@
#hosts #hosts
[garage-server] [garage-server]
192.168.1.160:47590 92.243.24.17:22
[garage-server.vars] [garage-server.vars]
ansible_user=bellinuxien ansible_user=debian
#ansible_private_key_file=/home/greg/.ssh/private-key #ansible_private_key_file=/home/greg/.ssh/private-key

27
playbook.yml
View File

@ -4,22 +4,23 @@
- hosts: garage-server - hosts: garage-server
become: true become: true
remote_user: "{{ user }}" remote_user: "{{ user }}"
vars_files: vars_files:
- vars.yml - vars.yml
tasks: tasks:
- include: tasks/apt_update.yml - import_tasks: tasks/apt_update.yml
- include: tasks/create_workspace.yml - import_tasks: tasks/create_user.yml
- include: tasks/basics_install.yml - import_tasks: tasks/create_workspace.yml
- include: tasks/docker.yml - import_tasks: tasks/basics_install.yml
- include: tasks/ssh.yml - import_tasks: tasks/docker.yml
- include: tasks/fail2ban.yml - import_tasks: tasks/ssh.yml
- include: tasks/ufw.yml - import_tasks: tasks/fail2ban.yml
- include: tasks/clamav.yml - import_tasks: tasks/ufw.yml
- include: tasks/nginx.yml - import_tasks: tasks/clamav.yml
- include: tasks/certbot.yml - import_tasks: tasks/nginx.yml
- include: tasks/reboot.yml - import_tasks: tasks/certbot.yml
- import_tasks: tasks/reboot.yml
handlers: handlers:
- include: handlers.yml - import_tasks: handlers.yml

2
tasks/basics_install.yml
View File

@ -14,7 +14,7 @@
- gnupg - gnupg
- lsb-release - lsb-release
- ca-certificates - ca-certificates
- software-properties-common # - software-properties-common
- apt-transport-https - apt-transport-https
- bash-completion - bash-completion
state: present state: present

74
tasks/certbot.yml
View File

@ -3,44 +3,44 @@
- name: Install Certbot - name: Install Certbot
apt: package=certbot state=present apt: package=certbot state=present
- name: Check if certificate already exists. # - name: Check if certificate already exists.
stat: # stat:
path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem # path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
register: letsencrypt_cert # register: letsencrypt_cert
- name: Ensure pre and post hook folders exist. # - name: Ensure pre and post hook folders exist.
file: # file:
path: /etc/letsencrypt/renewal-hooks/{{ item }} # path: /etc/letsencrypt/renewal-hooks/{{ item }}
state: directory # state: directory
mode: 0755 # mode: 0755
owner: root # owner: root
group: root # group: root
with_items: # with_items:
- pre # - pre
- post # - post
- name: Create pre hook to stop services. # - name: Create pre hook to stop services.
template: # template:
src: stop_services.j2 # src: stop_services.j2
dest: /etc/letsencrypt/renewal-hooks/pre/stop_services # dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
owner: root # owner: root
group: root # group: root
mode: 0750 # mode: 0750
when: # when:
- certbot_create_standalone_stop_services is defined # - certbot_create_standalone_stop_services is defined
- certbot_create_standalone_stop_services # - certbot_create_standalone_stop_services
- name: Create post hook to start services. # - name: Create post hook to start services.
template: # template:
src: start_services.j2 # src: start_services.j2
dest: /etc/letsencrypt/renewal-hooks/post/start_services # dest: /etc/letsencrypt/renewal-hooks/post/start_services
owner: root # owner: root
group: root # group: root
mode: 0750 # mode: 0750
when: # when:
- certbot_create_standalone_stop_services is defined # - certbot_create_standalone_stop_services is defined
- certbot_create_standalone_stop_services # - certbot_create_standalone_stop_services
- name: Generate new certificate if one doesn't exist. # - name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}" # command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists # when: not letsencrypt_cert.stat.exists

32
tasks/clamav.yml
View File

@ -1,24 +1,34 @@
--- ---
- name: Install ClamAV (Antivirus) - name: Installer ClamAV et Cron
apt: apt:
name: name:
- clamav - clamav
- clamav-daemon - clamav-daemon
- cron
state: latest state: latest
update_cache: yes
- name: Copy Clam-scan script - name: S'assurer que le service clamav-freshclam est démarré et activé
service:
name: clamav-freshclam
state: started
enabled: true
- name: Copier le script Clam-scan
copy: copy:
src: "./files/clamav-scan.sh" src: "./files/clamav-scan.sh"
dest: "/home/{{ user }}" dest: "/home/{{ user }}/clam-scan.sh"
owner: "{{ user }}" owner: "{{ user }}"
group: "{{ user }}" group: "{{ user }}"
mode: 755 mode: '0755'
# - name: Ajouter la crontab pour le scan quotidien
# ansible.builtin.cron:
# name: "clam-scan"
# state: present
# minute: "0"
# hour: "0"
# job: "/home/{{ user }}/clam-scan.sh"
# user: "{{ user }}"
- name: Install crontab for daily scan
ansible.builtin.cron:
name: "clam-scan"
state: present
minute: "00"
hour: "00"
job: "/home/{{ user }}/clam-scan.sh"

15
tasks/create_user.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Créer un utilisateur
ansible.builtin.user:
name: "{{ admin_user }}"
comment: "Utilisateur administrateur"
shell: /bin/bash
groups: sudo
append: yes
create_home: yes
- name: Définir le mot de passe de l'utilisateur
ansible.builtin.user:
name: "{{ admin_user }}"
password: "{{ admin_user_password }}"

15
tasks/docker.yml
View File

@ -12,10 +12,12 @@
dest: /etc/apt/keyrings/docker.gpg dest: /etc/apt/keyrings/docker.gpg
mode: '0644' mode: '0644'
- name: Ajouter le dépôt Docker à la liste des sources + installation des dépendances - name: Ajouter le dépôt Docker à la liste des sources
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable" repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable"
filename: docker- name: Mettre à jour les paquets et installer les dépendances filename: docker
- name: Mettre à jour les paquets et installer les dépendances
apt: apt:
update_cache: yes update_cache: yes
name: name:
@ -40,6 +42,7 @@
groups: docker groups: docker
append: yes append: yes
- name: Recharger le shell pour appliquer les changements de groupe # broken (hanging forever)
shell: "newgrp docker" # - name: Recharger le shell pour appliquer les changements de groupe
ignore_errors: true # shell: "newgrp docker"
# ignore_errors: true

2
tasks/fail2ban.yml
View File

@ -7,4 +7,4 @@
template: src=templates/fail2ban.conf.j2 dest=/etc/fail2ban/jail.local template: src=templates/fail2ban.conf.j2 dest=/etc/fail2ban/jail.local
notify: notify:
- restart fail2ban - Restart fail2ban

6
tasks/nginx.yml
View File

@ -16,8 +16,8 @@
file: path=/etc/nginx/includes state=directory file: path=/etc/nginx/includes state=directory
# changer pour les confs avec ssl # changer pour les confs avec ssl
- name: Modify nginx configuration (main) # - name: Modify nginx configuration (main)
template: src=templates/nginx-site.conf.j2 dest=/etc/nginx/nginx.conf # template: src=templates/nginx-site.conf.j2 dest=/etc/nginx/nginx.conf
notify: notify:
- restart nginx - Restart nginx

2
tasks/reboot.yml
View File

@ -4,4 +4,4 @@
command: echo "Rebooting..." command: echo "Rebooting..."
notify: notify:
- restart server - Restart server

4
tasks/ssh.yml
View File

@ -7,11 +7,11 @@
owner: root owner: root
group: root group: root
mode: '0600' mode: '0600'
notify: Restart SSH notify: Restart ssh
- name: SSH key for access - name: SSH key for access
authorized_key: authorized_key:
user: "{{ user }}" user: "{{ user }}"
state: present state: present
key: "{{ lookup('file', 'files/id_ed25519.pub') }}" key: "{{ lookup('file', 'files/id_ed25519.pub') }}"
notify: Restart SSH notify: Restart ssh

4
tasks/ufw.yml
View File

@ -17,12 +17,12 @@
- { rule: 'allow', port: '443', proto: 'tcp' } - { rule: 'allow', port: '443', proto: 'tcp' }
notify: notify:
- restart ufw - Restart ufw
- name: Enable ufw logging - name: Enable ufw logging
ufw: logging=on ufw: logging=on
notify: notify:
- restart ufw - Restart ufw
- name: Enable ufw - name: Enable ufw
ufw: state=enabled ufw: state=enabled

4
templates/fail2ban.conf.j2
View File

@ -51,6 +51,7 @@ port = {{ ssh_port }}
filter = sshd filter = sshd
logpath = /var/log/auth.log logpath = /var/log/auth.log
maxretry = 6 maxretry = 6
bantime = {{ bantime_seconds | default(600) }}
[ssh-ddos] [ssh-ddos]
@ -58,4 +59,5 @@ enabled = true
port = {{ ssh_port }} port = {{ ssh_port }}
filter = sshd-ddos filter = sshd-ddos
logpath = /var/log/auth.log logpath = /var/log/auth.log
maxretry = 6 maxretry = 6
bantime = {{ bantime_seconds | default(600) }}

15
vars.yml
View File

@ -1,6 +1,15 @@
--- ---
user: garage # User pour se connecter la première fois (sudoer)
user: debian
# User final (sudoers)
admin_user: user
# Obtenu avec la command: python3 -c "import crypt; print(crypt.crypt('monmotdepasse', crypt.mksalt(crypt.METHOD_SHA512)))"
admin_user_password: ''
# SSH port après configuration
ssh_port: 47490 ssh_port: 47490
admin_email: contact@legaragenumerique.fr # Bantime pour la prison SSh (fail2ban)
ansible_python_interpreter: /usr/bin/python3 bantime_seconds: 600
admin_email: contact@domain.tld
ansible_python_interpreter: /usr/bin/python3
domain: