GARAGENUM/ansible-server-garage
GARAGENUM/ansible-server-garage
15
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update for trixie OK

Browse Source
This commit is contained in:
Grégory Lebreton 2025-09-29 15:48:00 +02:00
parent 7cfe0cfd0e
commit cf8fe7edb7
17 changed files with 141 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
files/id_ed25519.pub
files/*.pub

16
README.md
View File

@ -56,9 +56,15 @@ sudo apt install ansible -y
## CONFIGURATION
- Editer le fichier `vars.yml` et renseigner le `user`, `ssh_port` et l'`admin_email`
- Editer le fichier `vars.yml` et renseigner le `user`, `ssh_port`, `admin_password` et l'`admin_email`
- Ajouter une clé SSH `ed25519` dans le dossier `files/`
```bash
# Générer l'admin password:
python3 -c "import crypt; print(crypt.crypt('monmotdepasse', crypt.mksalt(crypt.METHOD_SHA512)))"
```
> Remplacer `monmotdepasse` par le mot de passe voulu
- Ajouter une clé SSH `~/.ssh/id_ed25519.pub` dans le dossier `files/`
> Cette clé permettra l'accès au serveur une fois le playbook terminé
@ -75,6 +81,8 @@ ansible-playbook -i hosts playbook.yml --user=username --extra-vars "ansible_sud
```
> ssh_port changera le port de connection ssh de la machine cible
:bulb: Idéalement, une clé SSH est déjà ajoutée au serveur lors de la création (VPS cloud)
## DOCUMENTATION
- [Ansible](https://docs.ansible.com/ansible/latest/index.html)
@ -82,5 +90,5 @@ ansible-playbook -i hosts playbook.yml --user=username --extra-vars "ansible_sud
## TO DO
- [ ] update sources.list for Debian 13
- [ ] test
- [x] update sources.list for Debian 13
- [x] test

10
handlers.yml
View File

@ -1,16 +1,16 @@
---
- name: restart nginx
- name: Restart nginx
service: name=nginx state=restarted
- name: restart fail2ban
- name: Restart fail2ban
service: name=fail2ban state=restarted
- name: restart ssh
- name: Restart ssh
service: name=ssh state=restarted
- name: restart ufw
- name: Restart ufw
service: name=ufw state=restarted
- name: restart server
- name: Restart server
command: /sbin/reboot

4
hosts
View File

@ -1,8 +1,8 @@
#hosts
[garage-server]
192.168.1.160:47590
92.243.24.17:22
[garage-server.vars]
ansible_user=bellinuxien
ansible_user=debian
#ansible_private_key_file=/home/greg/.ssh/private-key

27
playbook.yml
View File

@ -4,22 +4,23 @@
- hosts: garage-server
become: true
remote_user: "{{ user }}"
vars_files:
- vars.yml
tasks:
- include: tasks/apt_update.yml
- include: tasks/create_workspace.yml
- include: tasks/basics_install.yml
- include: tasks/docker.yml
- include: tasks/ssh.yml
- include: tasks/fail2ban.yml
- include: tasks/ufw.yml
- include: tasks/clamav.yml
- include: tasks/nginx.yml
- include: tasks/certbot.yml
- include: tasks/reboot.yml
- import_tasks: tasks/apt_update.yml
- import_tasks: tasks/create_user.yml
- import_tasks: tasks/create_workspace.yml
- import_tasks: tasks/basics_install.yml
- import_tasks: tasks/docker.yml
- import_tasks: tasks/ssh.yml
- import_tasks: tasks/fail2ban.yml
- import_tasks: tasks/ufw.yml
- import_tasks: tasks/clamav.yml
- import_tasks: tasks/nginx.yml
- import_tasks: tasks/certbot.yml
- import_tasks: tasks/reboot.yml
handlers:
- include: handlers.yml
- import_tasks: handlers.yml

2
tasks/basics_install.yml
View File

@ -14,7 +14,7 @@
- gnupg
- lsb-release
- ca-certificates
- software-properties-common
# - software-properties-common
- apt-transport-https
- bash-completion
state: present

74
tasks/certbot.yml
View File

@ -3,44 +3,44 @@
- name: Install Certbot
apt: package=certbot state=present
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
register: letsencrypt_cert
# - name: Check if certificate already exists.
# stat:
# path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
# register: letsencrypt_cert
- name: Ensure pre and post hook folders exist.
file:
path: /etc/letsencrypt/renewal-hooks/{{ item }}
state: directory
mode: 0755
owner: root
group: root
with_items:
- pre
- post
# - name: Ensure pre and post hook folders exist.
# file:
# path: /etc/letsencrypt/renewal-hooks/{{ item }}
# state: directory
# mode: 0755
# owner: root
# group: root
# with_items:
# - pre
# - post
- name: Create pre hook to stop services.
template:
src: stop_services.j2
dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
owner: root
group: root
mode: 0750
when:
- certbot_create_standalone_stop_services is defined
- certbot_create_standalone_stop_services
# - name: Create pre hook to stop services.
# template:
# src: stop_services.j2
# dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
# owner: root
# group: root
# mode: 0750
# when:
# - certbot_create_standalone_stop_services is defined
# - certbot_create_standalone_stop_services
- name: Create post hook to start services.
template:
src: start_services.j2
dest: /etc/letsencrypt/renewal-hooks/post/start_services
owner: root
group: root
mode: 0750
when:
- certbot_create_standalone_stop_services is defined
- certbot_create_standalone_stop_services
# - name: Create post hook to start services.
# template:
# src: start_services.j2
# dest: /etc/letsencrypt/renewal-hooks/post/start_services
# owner: root
# group: root
# mode: 0750
# when:
# - certbot_create_standalone_stop_services is defined
# - certbot_create_standalone_stop_services
- name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists
# - name: Generate new certificate if one doesn't exist.
# command: "{{ certbot_create_command }}"
# when: not letsencrypt_cert.stat.exists

32
tasks/clamav.yml
View File

@ -1,24 +1,34 @@
---
- name: Install ClamAV (Antivirus)
- name: Installer ClamAV et Cron
apt:
name:
- clamav
- clamav-daemon
- cron
state: latest
update_cache: yes
- name: Copy Clam-scan script
- name: S'assurer que le service clamav-freshclam est démarré et activé
service:
name: clamav-freshclam
state: started
enabled: true
- name: Copier le script Clam-scan
copy:
src: "./files/clamav-scan.sh"
dest: "/home/{{ user }}"
dest: "/home/{{ user }}/clam-scan.sh"
owner: "{{ user }}"
group: "{{ user }}"
mode: 755
mode: '0755'
# - name: Ajouter la crontab pour le scan quotidien
# ansible.builtin.cron:
# name: "clam-scan"
# state: present
# minute: "0"
# hour: "0"
# job: "/home/{{ user }}/clam-scan.sh"
# user: "{{ user }}"
- name: Install crontab for daily scan
ansible.builtin.cron:
name: "clam-scan"
state: present
minute: "00"
hour: "00"
job: "/home/{{ user }}/clam-scan.sh"

15
tasks/create_user.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Créer un utilisateur
ansible.builtin.user:
name: "{{ admin_user }}"
comment: "Utilisateur administrateur"
shell: /bin/bash
groups: sudo
append: yes
create_home: yes
- name: Définir le mot de passe de l'utilisateur
ansible.builtin.user:
name: "{{ admin_user }}"
password: "{{ admin_user_password }}"

15
tasks/docker.yml
View File

@ -12,10 +12,12 @@
dest: /etc/apt/keyrings/docker.gpg
mode: '0644'
- name: Ajouter le dépôt Docker à la liste des sources + installation des dépendances
- name: Ajouter le dépôt Docker à la liste des sources
ansible.builtin.apt_repository:
repo: "deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable"
filename: docker- name: Mettre à jour les paquets et installer les dépendances
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian {{ ansible_lsb.codename }} stable"
filename: docker
- name: Mettre à jour les paquets et installer les dépendances
apt:
update_cache: yes
name:
@ -40,6 +42,7 @@
groups: docker
append: yes
- name: Recharger le shell pour appliquer les changements de groupe
shell: "newgrp docker"
ignore_errors: true
# broken (hanging forever)
# - name: Recharger le shell pour appliquer les changements de groupe
# shell: "newgrp docker"
# ignore_errors: true

2
tasks/fail2ban.yml
View File

@ -7,4 +7,4 @@
template: src=templates/fail2ban.conf.j2 dest=/etc/fail2ban/jail.local
notify:
- restart fail2ban
- Restart fail2ban

6
tasks/nginx.yml
View File

@ -16,8 +16,8 @@
file: path=/etc/nginx/includes state=directory
# changer pour les confs avec ssl
- name: Modify nginx configuration (main)
template: src=templates/nginx-site.conf.j2 dest=/etc/nginx/nginx.conf
# - name: Modify nginx configuration (main)
# template: src=templates/nginx-site.conf.j2 dest=/etc/nginx/nginx.conf
notify:
- restart nginx
- Restart nginx

2
tasks/reboot.yml
View File

@ -4,4 +4,4 @@
command: echo "Rebooting..."
notify:
- restart server
- Restart server

4
tasks/ssh.yml
View File

@ -7,11 +7,11 @@
owner: root
group: root
mode: '0600'
notify: Restart SSH
notify: Restart ssh
- name: SSH key for access
authorized_key:
user: "{{ user }}"
state: present
key: "{{ lookup('file', 'files/id_ed25519.pub') }}"
notify: Restart SSH
notify: Restart ssh

4
tasks/ufw.yml
View File

@ -17,12 +17,12 @@
- { rule: 'allow', port: '443', proto: 'tcp' }
notify:
- restart ufw
- Restart ufw
- name: Enable ufw logging
ufw: logging=on
notify:
- restart ufw
- Restart ufw
- name: Enable ufw
ufw: state=enabled

4
templates/fail2ban.conf.j2
View File

@ -51,6 +51,7 @@ port = {{ ssh_port }}
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
bantime = {{ bantime_seconds | default(600) }}
[ssh-ddos]
@ -58,4 +59,5 @@ enabled = true
port = {{ ssh_port }}
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
maxretry = 6
bantime = {{ bantime_seconds | default(600) }}

15
vars.yml
View File

@ -1,6 +1,15 @@
---
user: garage
# User pour se connecter la première fois (sudoer)
user: debian
# User final (sudoers)
admin_user: user
# Obtenu avec la command: python3 -c "import crypt; print(crypt.crypt('monmotdepasse', crypt.mksalt(crypt.METHOD_SHA512)))"
admin_user_password: ''
# SSH port après configuration
ssh_port: 47490
admin_email: contact@legaragenumerique.fr
ansible_python_interpreter: /usr/bin/python3
# Bantime pour la prison SSh (fail2ban)
bantime_seconds: 600
admin_email: contact@domain.tld
ansible_python_interpreter: /usr/bin/python3
domain: