author | Matthieu Saulnier <fantom@fedoraproject.org> | 2017-02-27 23:31:52 +0100 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2017-02-27 23:31:52 +0100 |
commit | 68ad649a208c6f8536bfede2ce0ae647d4e3d2b4 (patch) | |
tree | 163fde64aa1c9716a39074c35ceeaf32b3f8fa17 | |
parent | 66293e20bd06723887b3217a91324e154f2792f9 (diff) | |
remove obsolete stuff, fix roles errors and update dns role
104 files changed, 714 insertions, 1949 deletions
@@ -2,4 +2,3 @@ roles/dnsserver/templates/keys.j2
 roles/cozycloud/vars/keys.yml
 roles/torrelay/templates/keys.j2
 roles/squid/files/certs
-roles/dnsserver/files/work.casperlefantom.net.zone
diff --git a/blackbird.yml b/blackbird.yml
deleted file mode 100644
index c96f7bb..0000000
--- a/blackbird.yml
+++ /dev/null
@@ -1,443 +0,0 @@ ---- -- hosts: blackbird - remote_user: root - tasks: - - name: Téléchargement du dépôt RPMFusion Free - get_url: dest=/tmp/rpmfusion-free-release-stable.noarch.rpm url=http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm - - - name: Installation du dépôt RPMFusion Free - yum: pkg=/tmp/rpmfusion-free-release-stable.noarch.rpm state=installed - - - name: Téléchargement du dépôt RPMFusion NonFree - get_url: dest=/tmp/rpmfusion-nonfree-release-stable.noarch.rpm url=http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm - - - name: Installation du dépôt RPMFusion NonFree - yum: pkg=/tmp/rpmfusion-nonfree-release-stable.noarch.rpm state=installed - - - name: Installation du miroir updates - copy: src=files/updates-fantom.repo dest=/etc/yum.repos.d/updates-fantom.repo - - - name: Désactivation du dépôt Updates - lineinfile: dest=/etc/yum.repos.d/fedora-updates.repo state=present backrefs=yes regexp="^enabled=1" - line="enabled=0" - - - name: Installation du miroir updates-testing - copy: src=files/updates-testing-fantom.repo dest=/etc/yum.repos.d/updates-testing-fantom.repo - - - name: Installation de mon autorité de certification - copy: src=files/root.pem dest=/etc/pki/ca-trust/source/anchors/root.pem mode=444 - - - name: Installation de l'autorité de certification CACert - copy: src=files/cacert.pem dest=/etc/pki/ca-trust/source/anchors/cacert.pem mode=444 - - - name: Mise à jour de la base de confiance CA - command: /usr/bin/update-ca-trust - - - name: Mise à jour des tous les paquets installés - yum: name=* state=latest - - - name: Installation du groupe de paquets KDE - yum: name="@KDE Plasma Workspaces" state=present - - - name: Installation des paquets de base - yum: name={{ item }} state=present - with_items: - - yum-plugin-fastestmirror - - yum-plugin-verify - - elinks - - mutt - - irssi - - fetchmail - - procmail - - glances - - paman - - msmtp - - mplayer - - gparted - - 
gstreamer-ffmpeg - - gstreamer-plugins-bad - - rpm-sign - - terminator - - gstreamer-plugins-ugly - - pavucontrol - - pavumeter - - tmux - - pulseaudio-equalizer - - pulsecaster - - conky - - livecd-tools - - l10n-kickstarts - - apg - - i7z - - dnf - - ffmpeg - - lm_sensors - - hddtemp - - dconf-editor - - istanbul - - htop - - ntop - - iotop - - liferea - - iftop - - powertop - - mcabber - - arora - - avidemux - - bleachbit - - bless - - ghex - - pitivi - - epiphany - - liveusb-creator - - bvi - - easybashgui - - ftop - - fedora-review - - guake - - gajim - - mypaint - - gnome-tweak-tool - - quassel - - thunderbird - - vlc - - btrfs-progs - - zbar - - screen - - supybot-meetbot - - memtest86+ - - systemd-analyze - - pungi - - gitg - - gdisk - - youtube-dl - - gnome-shell-extension-user-theme - - sparse - - conglomerate - - rfkill - - ksysguardd - - kdenlive - - emacs - - emacs-nox - - xmined - - xinput_calibrator - - ldc-phobos-devel - - gtk-recordmydesktop - - cclive - - stellarium - - OpenStego - - Xnee - - cnee - - kernel-tools - - dnstracer - - mock-rpmfusion-free - - audacity-freeworld - - openshot - - asterisk-gui - - ldc-phobos-geany-tags - - vidalia - - boinc-manager - - rpmconf - - geany-plugins-addons - - geany-plugins-geniuspaste - - colordiff - - gnome-schedule - - gshutdown - - gstreamer1-libav - - aspell-fr - - gstreamer1-plugins-bad-free-extras - - gstreamer1-plugins-bad-freeworld - - gstreamer1-plugins-good-extras - - gstreamer1-plugins-ugly - - gimp-help-fr - - hunspell-fr - - libreoffice-langpack-fr - - pbzip2 - - pxz - - poezio - - realcrypt - - argus - - dnsenum - - dsniff - - etherape - - ettercap - - aircrack-ng - - firewalk - - hping3 - - hunt - - iptraf - - lynis - - nbtscan - - nc - - nc6 - - ncrack - - ngrep - - nmap - - nmap-frontend - - p0f - - packETH - - pcapdiff - - scapy - - sing - - socat - - ssldump - - tcpdump - - tcpjunk - - tcpxtract - - unicornscan - - xprobe2 - - yersinia - - afftools - - dc3dd - - ddrescue - - examiner - - 
foremost - - hexedit - - scanmem - - sleuthkit - - srm - - testdisk - - unhide - - httping - - lbd - - nikto - - ratproxy - - skipfish - - sqlninja - - airsnort - - kismet - - wavemon - - weplab - - flawfinder - - pscan - - rats - - splint - - chkrootkit - - labrea - - nebula - - pads - - john - - medusa - - ophcrack - - wireshark - - wireshark-gnome - - nessus-gui - - arpwatch - - tcpflow - - sectool - - unicornscan - - net-tools - - intrace - - conntrack-tools - - bind-utils - - steghide - - binutils - - macchanger - - cryptkeeper - - ecryptfs-utils - - ettercap-gtk - - whois - - postfix - - aide - - gstreamer-plugin-crystalhd - - gstreamer1-vaapi - - virt-manager - - - name: Configuration yum sans delta rpm - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="installonly_limit" - line="deltarpm=0" - - - name: Configuration yum affichage historique - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="deltarpm=0" - line="history_list_view=cmds" - - - name: Configuration yum clean on remove - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="history_list_view=cmds" - line="clean_requirements_on_remove=1" - - - name: Configuration écran rabattu systemd - lineinfile: dest=/etc/systemd/logind.conf create=yes state=present insertafter="#HandleLidSwitch" - line="HandleLidSwitch=ignore" - notify: reload systemd - - - name: Squelette bashrc - copy: src="files/bashrc" dest=/etc/skel/.bashrc mode=644 - - - name: Root bashrc - copy: src="files/bashrc" dest=/root/.bashrc mode=644 - - - name: Squelette emacs rc - copy: src="files/emacs.rc" dest=/etc/skel/.emacs mode=644 - - - name: Root emacs rc - copy: src="files/emacs.rc" dest=/root/.emacs mode=644 - - - name: Télécharge le paquet linux_logo fedora pour F20 - get_url: dest=/tmp/linux_logo.rpm url=http://fantom.fedorapeople.org/linux_logo-5.11-6.fc20.x86_64.rpm - when: ansible_distribution_version|int == 20 and ansible_architecture == "x86_64" - - - name: Télécharge le 
paquet linux_logo fedora pour F21 - get_url: dest=/tmp/linux_logo.rpm url=http://fantom.fedorapeople.org/linux_logo-5.11-6.fc21.x86_64.rpm - when: ansible_distribution_version|int == 21 and ansible_architecture == "x86_64" - - - name: Installe le paquet linux_logo fedora - yum: pkg=/tmp/linux_logo.rpm state=installed - - - name: Ajoute le paquet linux_logo fedora en Exclude - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="history_list_view=cmds" - line="exclude=linux_logo" - - - name: Installation de la clé ssh pour l'utilisateur root - authorized_key: user=root key="{{lookup('file', 'files/id_rsa.pub') }}" manage_dir=yes - - - name: Configuration du démon SSH - lineinfile: dest=/etc/ssh/sshd_config state=present backrefs=yes regexp="^PasswordAuthentication yes" - line="PasswordAuthentication no" - notify: restart sshd - - - name: Serveurs NTP 0.fedora.pool.ntp.org désactivé - lineinfile: dest=/etc/chrony.conf state=present backrefs=yes regexp="^server 0.fedora.pool.ntp.org" - line="#server 0.fedora.pool.ntp.org" - notify: restart chrony - - - name: Serveurs NTP 1.fedora.pool.ntp.org désactivé - lineinfile: dest=/etc/chrony.conf state=present backrefs=yes regexp="^server 1.fedora.pool.ntp.org" - line="#server 1.fedora.pool.ntp.org" - notify: restart chrony - - - name: Serveurs NTP 2.fedora.pool.ntp.org désactivé - lineinfile: dest=/etc/chrony.conf state=present backrefs=yes regexp="^server 2.fedora.pool.ntp.org" - line="#server 2.fedora.pool.ntp.org" - notify: restart chrony - - - name: Serveurs NTP 3.fedora.pool.ntp.org désactivé - lineinfile: dest=/etc/chrony.conf state=present backrefs=yes regexp="^server 3.fedora.pool.ntp.org" - line="#server 3.fedora.pool.ntp.org" - notify: restart chrony - - - name: Configuration serveur NTP actif - lineinfile: dest=/etc/chrony.conf create=yes state=present insertafter="#server 3.fedora.pool.ntp.org" - line="server ntp1.casperlefantom.net iburst" - notify: restart chrony - - - name: État du service 
postfix - service: name=postfix state=started enabled=yes - - - name: Configuration cron rapport disques durs - copy: src=files/diskreport.sh dest=/etc/cron.daily/diskreport.sh mode=755 - - - name: Configuration cron rapport SELinux - copy: src=files/eaureport.sh dest=/etc/cron.daily/eaureport.sh mode=755 - - - name: Configuration cron rapport RPM Verify - copy: src=files/rpmreport.sh dest=/etc/cron.daily/rpmreport.sh mode=755 - - - name: Configuration cron relabel système de fichier - copy: src=files/selinuxresto.sh dest=/etc/cron.monthly/selinuxresto.sh mode=755 - - - name: Configuration cron tests disques durs - copy: src=files/diskcheck.sh dest=/etc/cron.weekly/diskcheck.sh mode=755 - - - name: Configuration cron utilisateur casper - copy: src=files/crontab dest=/var/spool/cron/casper mode=600 - - - name: Configuration sysctl de la swap - copy: src=files/swapwait.conf dest=/etc/sysctl.d/swapwait.conf mode=644 - - - name: Configuration sudo pour l'utilisateur casper - copy: src=files/sudo dest=/etc/sudoers.d/blackbird mode=440 - - - name: Installation du HIDS AIDE - copy: src=files/z-aidereport.sh dest=/etc/cron.daily/z-aidereport.sh mode=755 - notify: initialize aide - - - name: Configuration de la variable EDITOR - lineinfile: dest=/root/bin/setvars create=yes state=present - line="export EDITOR='emacs -nw'" - - - name: Ajout des points de montage des disques virtuels NFS - file: name=/mnt/nfs1/ state=directory - - - name: Point de montage nfs2 - file: name=/mnt/nfs2/ state=directory - - - name: Point de montage nfs3 - file: name=/mnt/nfs3/ state=directory - - - name: Point de montage nfs4 - file: name=/mnt/nfs4/ state=directory - - - name: Point de montage lv1 - file: name=/mnt/lv1/ state=directory - - - name: Point de montage lv2 - file: name=/mnt/lv2/ state=directory - - - name: Point de montage lv3 - file: name=/mnt/lv3/ state=directory - - - name: Point de montage lv4 - file: name=/mnt/lv4/ state=directory - - - name: Point de montage usb1 - file: 
name=/mnt/usb1/ state=directory - - - name: Point de montage usb2 - file: name=/mnt/usb2/ state=directory - - - name: Point de montage usb3 - file: name=/mnt/usb3/ state=directory - - - name: Point de montage usb4 - file: name=/mnt/usb4/ state=directory - - - name: Configuration montage auto fstab - lineinfile: dest=/etc/fstab create=yes state=present insertafter=EOF - line="lancaster.casperlefantom.net:/mnt/nfs1/ /mnt/nfs1/ nfs4 defaults,sync,_netdev 0 0" - notify: mount all - - - name: État du service boinc-client - service: name=boinc-client state=started enabled=yes - - - name: Désactivation de Prelink - lineinfile: dest=/etc/sysconfig/prelink state=present backrefs=yes regexp="^PRELINKING=yes" - line="PRELINKING=no" - notify: prelink undo - - - name: Redirection du courrier de root - lineinfile: "dest=/etc/aliases create=yes state=present insertafter=EOF - line='root: casper'" - notify: newaliases db - - - name: Configuration de Postfix - lineinfile: dest=/etc/postfix/main.cf create=yes state=present insertafter='#mailbox_command' - line='mailbox_command = /usr/bin/procmail -a "$EXTENSION"' - notify: reload postfix - - - - handlers: - - name: restart sshd - service: name=sshd state=restarted - - - name: initialize aide - script: files/aideinit.sh - - - name: restart chrony - service: name=chronyd state=restarted - - - name: reload systemd - command: /usr/bin/systemctl --system daemon-reload - - - name: mount all - command: /usr/bin/mount -a - - - name: prelink undo - command: /usr/sbin/prelink -ua - - - name: newaliases db - command: /usr/bin/newaliases - - - name: reload postfix - service: name=postfix state=reloaded - diff --git a/files/aideinit.sh b/files/aideinit.sh deleted file mode 100755 index ae9eda7..0000000 --- a/files/aideinit.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/bash - -/usr/sbin/aide -i -/bin/cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz -/sbin/restorecon -R /var/lib/aide/ 
diff --git a/files/auto-reboot.cron b/files/auto-reboot.cron deleted file mode 100644 index bdec6a3..0000000 --- a/files/auto-reboot.cron +++ /dev/null @@ -1,2 +0,0 @@ -# Reboot du Dimanche : -0 6 * * 7 root systemctl reboot diff --git a/files/backtransfer.sh b/files/backtransfer.sh deleted file mode 100644 index a9b07fa..0000000 --- a/files/backtransfer.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/bash - -mkdir /mnt/lvbackup -mount /dev/mapper/vg_lancaster-lv08 /mnt/lvbackup/ - -scp $(ls -tC1 /mnt/lvbackup/backconf-* | tail -1) casper@blackbird.casperlefantom.net:~/Documents/journal/sys-conf-backup/serveur/ -echo "Transfert backup de configuration effectué" - -umount /mnt/lvbackup -rmdir /mnt/lvbackup/ diff --git a/files/bashrc b/files/bashrc deleted file mode 100644 index 1a1ae1e..0000000 --- a/files/bashrc +++ /dev/null 
@@ -1,52 +0,0 @@ -# .bashrc - -# User specific aliases and functions - -alias rm='rm -i' -alias cp='cp -i' -alias mv='mv -i' -alias pop='popd' -alias up='popd' -alias myip='wget http://checkip.dyndns.org/ -O - -o /dev/null | awk "{ print \$6 }" | cut -d\< -f1' -alias f='find . -name' -alias beep='echo -e "\a"' -alias screenoff='xset dpms force off' -alias ltx='tmux ls' -alias atx='tmux attach -t' - -# Source global definitions -if [ -f /etc/bashrc ]; then - . /etc/bashrc -fi - -# Define personal variables -if [ -f $HOME/bin/setvars ]; then - . $HOME/bin/setvars -fi - -# Print fedora linux logo in interactive shell -if [ -n "$PS1" ]; then - if which linux_logo >/dev/null 2>&1; then - linux_logo -L 12 -F "Bienvenue sur l'hôte #H\n#V, Compilé #C \n#P #X #T, #R, #U" - fi -fi - -HISTSIZE=1500 -HISTIGNORE="history:exit:logout:[ ]*" - -RESET='\[$(tput sgr0)\]' -BOLD='\[$(tput bold)\]' -ULINE='\[$(tput smul)\]' - -BLUE='\[$(tput setaf 4)\]' -GREEN='\[$(tput setaf 2)\]' -RED='\[$(tput setaf 1)\]' -YELLOW='\[$(tput setaf 3)\]' -CYAN='\[$(tput setaf 6)\]' - -if [ $UID -eq 0 ]; then - PS1="$BOLD$RED\h$BLUE:$YELLOW\w$RED\\$ $RESET$RED" -else - PS1="$BOLD$GREEN\u$BLUE@$YELLOW\h$BLUE:\w$GREEN\\$ $RESET$GREEN" -fi -PS2='suite-> ' diff --git a/files/cacert.pem b/files/cacert.pem deleted file mode 100644 index e7dfc82..0000000 --- a/files/cacert.pem +++ /dev/null 
@@ -1,41 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 -IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB -IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA -Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO -BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi -MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ -ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC -CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ -8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 -zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y -fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 -w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc -G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k -epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q -laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ -QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU -fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 -YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w -ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY -gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe -MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 -IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy -dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw -czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 -dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl -aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC -AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg -b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB -ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc 
-nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg -18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c -gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl -Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY -sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T -SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF -CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum -GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk -zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW -omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD ------END CERTIFICATE----- diff --git a/files/crontab b/files/crontab deleted file mode 100644 index cc0e631..0000000 --- a/files/crontab +++ /dev/null 
@@ -1,28 +0,0 @@ -# Récupération des emails : -*/15 * * * * fetchmail >/dev/null 2>&1 - -# Ne pas laisser les mbox déborder : -#10 5 * * 3 bin/savemail >/dev/null - -# Réveil matin (sono) : -#0 9 * * 1-6 DISPLAY=:0 mplayer ~/Musique/06\ Stream\ ofconscouness.mp3 >/dev/null 2>&1 - -# Réveil matin (vidéo) + allumage de l'écran vga en veille : -#15 9 * * 1-6 DISPLAY=:0 xset dpms force on;sleep 10;DISPLAY=:0 mplayer -geometry 60\%:70\% ~/Vidéos/Clips/Katy\ Isterika\ Better\ Life\ Clip\ Vidéo.webm >/dev/null 2>&1 - -# Update les chroots mock de Rawhide : -#30 1 * * * mock -r fedora-rawhide-i386 --init; mock -r fedora-rawhide-i386-rpmfusion_free --init; mock -r fedora-rawhide-x86_64 --init; mock -r fedora-rawhide-x86_64-rpmfusion_free --init >/dev/null 2>&1 - -# Update des chroots mock des standards : -#50 1 * * * mock -r fedora-17-i386 --init; mock -r fedora-17-i386-rpmfusion_free --init; mock -r fedora-17-x86_64 --init; mock -r fedora-17-x86_64-rpmfusion_free --init; mock -r fedora-18-i386 --init; mock -r fedora-18-i386-rpmfusion_free --init; mock -r fedora-18-x86_64 --init; mock -r fedora-18-x86_64-rpmfusion_free --init; mock -r epel-6-i386 --init; mock -r epel-6-i386-rpmfusion_free --init; mock -r epel-6-x86_64 --init; mock -r epel-6-x86_64-rpmfusion_free --init >/dev/null 2>&1 - -# Execution de Xnee : -#* * * * * DISPLAY=:0 cnee --replay -f /tmp/gnee_casper.xns -fcr - -# Pour les màj manuelles de Rawhide : -5 7 * * * yum check-update - -# gvfsd-http logging -#*/30 * * * * ps -p $(ps -Ao '"\%p" "\%c"'|grep gvfsd-http|awk "{ print \$2 }"|cut -d \" -f1) -o 'vsz rss size' -o "\%mem"|tail -1 >>gvfsd-http.log - - diff --git a/files/diskcheck.sh b/files/diskcheck.sh deleted file mode 100755 index 820642d..0000000 --- a/files/diskcheck.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/bash -smartctl -t long /dev/sda -smartctl -t long /dev/sdb -smartctl -t long /dev/sdc diff --git a/files/diskreport.sh b/files/diskreport.sh deleted file mode 100755 index 95ae60a..0000000 
--- a/files/diskreport.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/bash -smartctl -HAl error /dev/sda -smartctl -HAl error /dev/sdb -smartctl -HAl error /dev/sdc diff --git a/files/dovecot-master.txt b/files/dovecot-master.txt deleted file mode 100644 index c324c54..0000000 --- a/files/dovecot-master.txt +++ /dev/null @@ -1,3 +0,0 @@ - unix_listener /var/spool/postfix/private/auth { - mode = 0666 - } diff --git a/files/eaureport.sh b/files/eaureport.sh deleted file mode 100755 index c7ee285..0000000 --- a/files/eaureport.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/bash - -aureport -a -ts yesterday -te today -aureport -n -ts yesterday -te today -aureport -r -ts yesterday -te today -aureport -ma -i -ts yesterday -te today -aureport -l --failed -i -ts yesterday -te today -aureport -l --success -i -ts yesterday -te today diff --git a/files/emacs.rc b/files/emacs.rc deleted file mode 100644 index 29cc4fb..0000000 --- a/files/emacs.rc +++ /dev/null @@ -1,17 +0,0 @@ -;; .emacs - -(custom-set-variables - ;; uncomment to always end a file with a newline - ;'(require-final-newline t) - ;; uncomment to disable loading of "default.el" at startup - ;'(inhibit-default-init t) - ;; default to unified diffs - '(diff-switches "-u")) - -;;; uncomment for CJK utf-8 support for non-Asian users -;; (require 'un-define) -(menu-bar-mode 0) - -;; pour mutt: -(server-start) -(add-to-list 'auto-mode-alist '("/mutt" . mail-mode)) diff --git a/files/firewalld-public.xml b/files/firewalld-public.xml deleted file mode 100644 index 5c5f423..0000000 --- a/files/firewalld-public.xml +++ /dev/null 
@@ -1,19 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<zone> - <short>Public</short> - <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> - <service name="http"/> - <service name="dns"/> - <service name="ntp"/> - <service name="smtp"/> - <service name="nfs"/> - <service name="ssh"/> - <service name="https"/> - <service name="imaps"/> - <port protocol="tcp" port="5222"/> - <port protocol="tcp" port="587"/> - <port protocol="udp" port="51413"/> - <port protocol="tcp" port="143"/> - <port protocol="tcp" port="51413"/> - <port protocol="tcp" port="5269"/> -</zone> diff --git a/files/id_rsa.pub b/files/id_rsa.pub deleted file mode 100644 index d5de22c..0000000 --- a/files/id_rsa.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 fantom@fedoraproject.org diff --git a/files/irssi.service b/files/irssi.service deleted file mode 100644 index c467382..0000000 --- a/files/irssi.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=IRSSI in a Tmux session with user 'irssi' -After=network.target syslog.target auditd.service named.service - -[Service] -Type=forking -User=irssi -Group=irssi -ExecStart=/usr/bin/tmux new-session -ds irssi -n irssi irssi - -[Install] -WantedBy=multi-user.target diff --git a/files/nbackconf.sh b/files/nbackconf.sh deleted file mode 100644 index 6a2cb88..0000000 --- a/files/nbackconf.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/bash - -mkdir /mnt/lvbackup -mount /dev/mapper/vg_lancaster-lv08 /mnt/lvbackup/ -pushd /mnt/lvbackup - -tar -Jcf backconf-$(date +%Y%m%d).tar.xz $(locate '*\.bak') -find . -name "backconf-*.tar.xz" -ctime +30 -delete - -popd -umount /mnt/lvbackup -rmdir /mnt/lvbackup/ diff --git a/files/ndiffconf.sh b/files/ndiffconf.sh deleted file mode 100644 index e9ff995..0000000 --- a/files/ndiffconf.sh +++ /dev/null 
@@ -1,7 +0,0 @@ -#!/usr/bin/bash - -for i in $(locate '*\.bak') -do - diff -up $i $(echo $i | sed 's/.bak//') - echo -e "\n" -done diff --git a/files/powertop.sh b/files/powertop.sh deleted file mode 100644 index a006ab8..0000000 --- a/files/powertop.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/bash -powertop --html=/var/www/powertop/index.html --time=600 -sleep 610 -sed -i s@'<title>PowerTOP report</title>'@"<title>PowerTOP report $(date +%d/%m/%y\ %R)</title>"@ /var/www/powertop/index.html diff --git a/files/root.pem b/files/root.pem deleted file mode 100644 index eb9913d..0000000 --- a/files/root.pem +++ /dev/null 
@@ -1,39 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGxzCCBK+gAwIBAgIJAPh0szidm4XLMA0GCSqGSIb3DQEBCwUAMIGdMQswCQYD -VQQGEwJGUjEWMBQGA1UECBMNSWxlLWRlLUZyYW5jZTENMAsGA1UEBxMERXZyeTEa -MBgGA1UEChMRTWF0dGhpZXUgU2F1bG5pZXIxIjAgBgNVBAMTGU1hdHRoaWV1IFNh -dWxuaWVyIFJvb3QgQ0ExJzAlBgkqhkiG9w0BCQEWGGZhbnRvbUBmZWRvcmFwcm9q -ZWN0Lm9yZzAeFw0xMzA4MjAwMjM5MDJaFw0yMzA4MTgwMjM5MDJaMIGdMQswCQYD -VQQGEwJGUjEWMBQGA1UECBMNSWxlLWRlLUZyYW5jZTENMAsGA1UEBxMERXZyeTEa -MBgGA1UEChMRTWF0dGhpZXUgU2F1bG5pZXIxIjAgBgNVBAMTGU1hdHRoaWV1IFNh -dWxuaWVyIFJvb3QgQ0ExJzAlBgkqhkiG9w0BCQEWGGZhbnRvbUBmZWRvcmFwcm9q -ZWN0Lm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL19KTkGd6tN -yVBUEqxrHyX5GTR2/jVtBXuMESluJ27CmzBLl79ITk/iVvMgPmqkoGMJzGnDYrUW -LkCu6F6+1P1MQhGvyN8sIVc7rm8kDVidsjeoYHRIDfVYCkoGdojfGjBn84IiS9wn -GY1XoltmHNSvQckt+wj2/vE3+gWTkYlTr5M0cknRrz5a4HM0bc4TL3MivE0rmy0G -UkqQ1J4T6+JDK9G0CkUuZ7JJ3RSL+wl23+Kvu2i4XEleLe2UkYIV/j1/dGhLDiTV -AgFFNFKQvVSy/RTYjjOFmxsBaqrxZ+M4l+sTPEY81WsRVGJaMMlJ0W8gODFbMJGb -7wiF51JZKmX2eu8Q8pSpz8grja+ORU2G1goJBYRdHASmIs8a78R/by+dHLpeweZH -5jegddSWXtrm9ioUJZJV9WQvIKeFsa7i6gEiCUSy/IQXWcsEVN90vJ/c/4HNxgQS -SQ/ZXKy7EkNURM6pwF9zLiv+9TZYo0+1swqrxnITZ6YWHiI5KkiHAMCcuol3UDhx -cEMrFKhRWc5NSVcD9w1ftuVWZxbjuWTfQtgylRvVofbT8911Tz/TuBOeq7cl2iye -6GLQ5rgQNYUQcBJZ6v+W2eLBuX3kSVGUGpE7O3xqDW/gGKrQJVxtlHzmqSdv5iPy -wT8Xr0009E1lVtIr+sHrcQxb5+XDz3MFAgMBAAGjggEGMIIBAjAdBgNVHQ4EFgQU -BZCbv0I448Da7UeBD2I5ue6L+GAwgdIGA1UdIwSByjCBx4AUBZCbv0I448Da7UeB -D2I5ue6L+GChgaOkgaAwgZ0xCzAJBgNVBAYTAkZSMRYwFAYDVQQIEw1JbGUtZGUt -RnJhbmNlMQ0wCwYDVQQHEwRFdnJ5MRowGAYDVQQKExFNYXR0aGlldSBTYXVsbmll -cjEiMCAGA1UEAxMZTWF0dGhpZXUgU2F1bG5pZXIgUm9vdCBDQTEnMCUGCSqGSIb3 -DQEJARYYZmFudG9tQGZlZG9yYXByb2plY3Qub3JnggkA+HSzOJ2bhcswDAYDVR0T -BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAeIszChr/fUR6H+net1CJ9WQUbl5u -3qGfFdYmkZwsEPJruTwTLfoRNJAdqmVJWQwyhrixeFvv985KbKemZ1hjrDsfrEhM -Ughxec1ZdS2571WE62ZjznI6e5Vig/9ZiUHrtj65HkZ3/Kq8OMWhFl+IcHHb/dKP -BrE+rMT8uuK54y2dH1EgVCWQX+ubVrLsQA4rlDTZ5N9NZFlgwkrpuBkCOua4XSo9 
-CxQfuLmemhqM7uYeO/qIJFUexDBxpgqnCgiXH8KvSbeOWy/5/pC4X6Fc4F0hJNo5 -dgtZyhHX8RLjkU8X6fSxrAoVnLnRuWqx8fg2O+l1zsQLX2kpnhdOqyspvSMIa77i -IEWfbwU1DnEQoIqFjV44RLtyp9YGNai0zncjAvPsn0WzOvc+L4KsvNAaeJkhJM5m -IqQGR0/HDI/dfMsPWsnCCY99trDc3loRJnyd8rX39YKrleOtW5SCKiG+SSRwKWRC -lV9fhEYARaezOkBo/s2T/Z288TazTK82vL4I5BXJwJS4I/jpN0nVE3w7tNg2Oenu -NcnjreFw4SozDzPolXVCVm/+6yVXDYaooONg3Xz0iOFqa0RpJx9biWJR20UkHUDk -zW79/SFQtGaDzbZxKEc+vsPbhOYuOxHlvYgoA26RtoeiSuM8LQc7JOb7AGsKj9N7 -/eeZtulc5h5vZ2E= ------END CERTIFICATE----- diff --git a/files/rpmreport.sh b/files/rpmreport.sh deleted file mode 100755 index 25ca420..0000000 --- a/files/rpmreport.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/bash - -rpm -Va | grep -v /lib/modules/ diff --git a/files/selinuxresto.sh b/files/selinuxresto.sh deleted file mode 100755 index 22ff769..0000000 --- a/files/selinuxresto.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/bash -touch /.autorelabel && echo 'SELinux: autorelabel au prochain reboot' diff --git a/files/sudo b/files/sudo deleted file mode 100644 index 7b164c3..0000000 --- a/files/sudo +++ /dev/null @@ -1,7 +0,0 @@ -User_Alias MOI = casper - -Cmnd_Alias CLI = /usr/bin/yum, /usr/bin/dnf, /usr/bin/touch /.autorelabel -Cmnd_Alias DESKTOP = /usr/sbin/i7z, /usr/sbin/iftop, /usr/sbin/iotop -o - -MOI ALL = NOPASSWD: CLI -MOI ALL = NOPASSWD: DESKTOP diff --git a/files/swapwait.conf b/files/swapwait.conf deleted file mode 100644 index 95f8990..0000000 --- a/files/swapwait.conf +++ /dev/null @@ -1 +0,0 @@ -vm.swappiness = 5 diff --git a/files/transmission-daemon.service b/files/transmission-daemon.service deleted file mode 100644 index f315b15..0000000 --- a/files/transmission-daemon.service +++ /dev/null 
@@ -1,9 +0,0 @@ -#.include /lib/systemd/system/transmission-daemon.service -[Unit] -Description=EDITED: Transmission BT Client headless -After=syslog.target NetworkManager.service httpd.service -[Service] -ExecStart=/usr/bin/transmission-daemon -f --no-blocklist -g /var/lib/transmission/.config/transmission -e /var/log/transmission-daemon.log -User=transmission -[Install] -WantedBy=multi-user.target diff --git a/files/transmission.conf b/files/transmission.conf deleted file mode 100644 index bdf0de2..0000000 --- a/files/transmission.conf +++ /dev/null @@ -1,2 +0,0 @@ -net.core.rmem_max = 4194304 -net.core.wmem_max = 1048576 diff --git a/files/trepquota.sh b/files/trepquota.sh deleted file mode 100755 index 123bc32..0000000 --- a/files/trepquota.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/bash -repquota -a diff --git a/files/update-mirror.cron b/files/update-mirror.cron deleted file mode 100644 index 40eeb9d..0000000 --- a/files/update-mirror.cron +++ /dev/null @@ -1,3 +0,0 @@ -# Mise à jour du miroir sous l'utilisateur 'matthieu' -# Le vhost apache 'mirror' étant owné par 'matthieu' -45 */6 * * * matthieu /home/matthieu/bin/update-mirror diff --git a/files/updates-fantom.repo b/files/updates-fantom.repo deleted file mode 100644 index e6c00d6..0000000 --- a/files/updates-fantom.repo +++ /dev/null 
@@ -1,26 +0,0 @@ -[updates-fantom] -name=Fedora $releasever - $basearch - Updates on Casper's server -failovermethod=priority -baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/$releasever/$basearch/ -enabled=1 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch -skip_if_unavailable=False - -[updates-debuginfo-fantom] -name=Fedora $releasever - $basearch - Updates - Debug on Casper's server -failovermethod=priority -baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/$releasever/$basearch/debug/ -enabled=0 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch -skip_if_unavailable=False - -[updates-source-fantom] -name=Fedora $releasever - Updates Source on Casper's server -failovermethod=priority -baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/$releasever/SRPMS/ -enabled=0 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch -skip_if_unavailable=False diff --git a/files/updates-testing-fantom.repo b/files/updates-testing-fantom.repo deleted file mode 100644 index 88542b2..0000000 --- a/files/updates-testing-fantom.repo +++ /dev/null 
@@ -1,26 +0,0 @@ -[updates-testing-fantom] -name=Fedora $releasever - $basearch - Test Updates on Casper's server -failovermethod=priority -baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/testing/$releasever/$basearch/ -enabled=0 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch -skip_if_unavailable=False - -[updates-testing-debuginfo-fantom] -name=Fedora $releasever - $basearch - Test Updates Debug on Casper's server -failovermethod=priority -baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/ -enabled=0 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch -skip_if_unavailable=False - -[updates-testing-source-fantom] -name=Fedora $releasever - Test Updates Source on Casper's server -failovermethod=priority -baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/testing/$releasever/SRPMS/ -enabled=0 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch -skip_if_unavailable=False diff --git a/files/z-aidereport.sh b/files/z-aidereport.sh deleted file mode 100755 index fa56fe4..0000000 --- a/files/z-aidereport.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/bash - -aide --update --verbose=20 -cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && echo "Updated database file: aide.db.gz" diff --git a/host_vars/176.31.191.26 b/host_vars/176.31.191.26 new file mode 100644 index 0000000..3a2c2fe --- /dev/null +++ b/host_vars/176.31.191.26 @@ -0,0 +1,5 @@ +nickname: Casper03 +is_gardian: true +bprate: '100 MB' +bpburst: '120 MB' + diff --git a/host_vars/192.168.0.25 b/host_vars/192.168.0.25 new file mode 100644 index 0000000..554bef8 --- /dev/null +++ b/host_vars/192.168.0.25 @@ -0,0 +1,6 @@ +is_dnsmaster: true +nickname: Casper01 +bprate: '80 KB' +bpburst: '100 KB' +is_gardian: true + diff --git a/host_vars/195.154.75.244 b/host_vars/195.154.75.244 index 8fe688f..8ae1d70 100644 
--- a/host_vars/195.154.75.244 +++ b/host_vars/195.154.75.244 @@ -1,5 +1,5 @@ nickname: Casper04 -tor_address: tor-proxy-readme2.casperlefantom.net -is_gardian: true bprate: '100 MB' bpburst: '120 MB' +outdoor: true + diff --git a/host_vars/55spwg2dynxd5zbb.onion b/host_vars/55spwg2dynxd5zbb.onion new file mode 100644 index 0000000..b4c7641 --- /dev/null +++ b/host_vars/55spwg2dynxd5zbb.onion @@ -0,0 +1,2 @@ +outdoor: true + diff --git a/host_vars/bpr7drsao5vozzr5.onion b/host_vars/bpr7drsao5vozzr5.onion index 8fe688f..8ae1d70 100644 --- a/host_vars/bpr7drsao5vozzr5.onion +++ b/host_vars/bpr7drsao5vozzr5.onion @@ -1,5 +1,5 @@ nickname: Casper04 -tor_address: tor-proxy-readme2.casperlefantom.net -is_gardian: true bprate: '100 MB' bpburst: '120 MB' +outdoor: true + diff --git a/host_vars/d72vewh3wa4lwpaj.onion b/host_vars/d72vewh3wa4lwpaj.onion index d66b9c6..554bef8 100644 --- a/host_vars/d72vewh3wa4lwpaj.onion +++ b/host_vars/d72vewh3wa4lwpaj.onion @@ -1,7 +1,6 @@ -nickname: Casper02 +is_dnsmaster: true +nickname: Casper01 bprate: '80 KB' bpburst: '100 KB' -is_public: true -is_mail: true -is_jabber: true -is_seeks: true +is_gardian: true + diff --git a/host_vars/gfuzfrkr6mg47ktw.onion b/host_vars/gfuzfrkr6mg47ktw.onion new file mode 100644 index 0000000..3a2c2fe --- /dev/null +++ b/host_vars/gfuzfrkr6mg47ktw.onion @@ -0,0 +1,5 @@ +nickname: Casper03 +is_gardian: true +bprate: '100 MB' +bpburst: '120 MB' + diff --git a/host_vars/lancaster.casperlefantom.net b/host_vars/lancaster.casperlefantom.net index d66b9c6..554bef8 100644 --- a/host_vars/lancaster.casperlefantom.net +++ b/host_vars/lancaster.casperlefantom.net @@ -1,7 +1,6 @@ -nickname: Casper02 +is_dnsmaster: true +nickname: Casper01 bprate: '80 KB' bpburst: '100 KB' -is_public: true -is_mail: true -is_jabber: true -is_seeks: true +is_gardian: true + diff --git a/host_vars/ns2.casperlefantom.net b/host_vars/ns2.casperlefantom.net deleted file mode 100644 index 2ff3681..0000000 
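Review bot: After this change host_vars/195.154.75.244, host_vars/bpr7drsao5vozzr5.onion and host_vars/ns4.casperlefantom.net are byte-identical copies (blob 8ae1d70), as are the 554bef8 trio (192.168.0.25, d72vewh3wa4lwpaj.onion, lancaster.casperlefantom.net) and the 3a2c2fe trio (176.31.191.26, gfuzfrkr6mg47ktw.onion, ns3.casperlefantom.net), so each machine now carries its variables three times and the copies will drift the next time one alias is edited. A single host_vars file per machine, with the other names declared as inventory aliases or collected in a per-machine group_vars file, would keep one source of truth. Each new or rewritten file also ends in an added empty line (`+`), which yamllint reports as a trailing blank line.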
--- a/host_vars/ns2.casperlefantom.net +++ /dev/null @@ -1,5 +0,0 @@ -nickname: Casper01 -tor_address: tor-proxy-readme.casperlefantom.net -is_public: true -bprate: '100 MB' -bpburst: '120 MB' diff --git a/host_vars/ns3.casperlefantom.net b/host_vars/ns3.casperlefantom.net index ec7f64f..3a2c2fe 100644 --- a/host_vars/ns3.casperlefantom.net +++ b/host_vars/ns3.casperlefantom.net @@ -1,6 +1,5 @@ nickname: Casper03 -is_exit: true -tor_address: tor-proxy-readme1.casperlefantom.net -is_public: true +is_gardian: true bprate: '100 MB' bpburst: '120 MB' + diff --git a/host_vars/ns4.casperlefantom.net b/host_vars/ns4.casperlefantom.net new file mode 100644 index 0000000..8ae1d70 --- /dev/null +++ b/host_vars/ns4.casperlefantom.net @@ -0,0 +1,5 @@ +nickname: Casper04 +bprate: '100 MB' +bpburst: '120 MB' +outdoor: true + diff --git a/host_vars/oi7lqemjftlwweyx.onion b/host_vars/oi7lqemjftlwweyx.onion deleted file mode 100644 index ec7f64f..0000000 --- a/host_vars/oi7lqemjftlwweyx.onion +++ /dev/null @@ -1,6 +0,0 @@ -nickname: Casper03 -is_exit: true -tor_address: tor-proxy-readme1.casperlefantom.net -is_public: true -bprate: '100 MB' -bpburst: '120 MB' diff --git a/host_vars/yphjncx7saejay4n.onion b/host_vars/yphjncx7saejay4n.onion deleted file mode 100644 index 2ff3681..0000000 --- a/host_vars/yphjncx7saejay4n.onion +++ /dev/null @@ -1,5 +0,0 @@ -nickname: Casper01 -tor_address: tor-proxy-readme.casperlefantom.net -is_public: true -bprate: '100 MB' -bpburst: '120 MB' 
@@ -1,34 +1,20 @@
 [clients]
+3bt4evcfdlpiewcp.onion
 onc27ga76nsdpmwc.onion
-gwwikvfpyznivuen.onion
-
-[yum-updatesd]
-d72vewh3wa4lwpaj.onion
-bpr7drsao5vozzr5.onion
 
 [dns]
-d72vewh3wa4lwpaj.onion
-yphjncx7saejay4n.onion
-oi7lqemjftlwweyx.onion
+d72vewh3wa4lwpaj.onion:54444
+gfuzfrkr6mg47ktw.onion
+bpr7drsao5vozzr5.onion
 
 [update]
+3bt4evcfdlpiewcp.onion
 onc27ga76nsdpmwc.onion
-gwwikvfpyznivuen.onion
-yphjncx7saejay4n.onion
-oi7lqemjftlwweyx.onion
-55spwg2dynxd5zbb.onion
-
-[proxies]
-yphjncx7saejay4n.onion
-oi7lqemjftlwweyx.onion
+gfuzfrkr6mg47ktw.onion
+bpr7drsao5vozzr5.onion
+d72vewh3wa4lwpaj.onion:54444
 
 [reboot]
-yphjncx7saejay4n.onion
-oi7lqemjftlwweyx.onion
-gwwikvfpyznivuen.onion
-
-[torrelay]
-d72vewh3wa4lwpaj.onion
+gfuzfrkr6mg47ktw.onion
 bpr7drsao5vozzr5.onion
-yphjncx7saejay4n.onion
-oi7lqemjftlwweyx.onion
+
diff --git a/lancaster.yml b/lancaster.yml
deleted file mode 100644
index 2761fa0..0000000
--- a/lancaster.yml
+++ /dev/null
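Review bot: The port for d72vewh3wa4lwpaj.onion is written inline twice, as `d72vewh3wa4lwpaj.onion:54444` under [dns] and again under [update], so a port change must be made in two places and any group that lists the bare name would silently fall back to the default port. Ansible's INI inventory splits `host:port` into the host name plus `ansible_port`, so host_vars/d72vewh3wa4lwpaj.onion — rewritten in this same commit — is the natural single place for `ansible_port: 54444`, leaving every group with the bare name. The file also gains a trailing empty line (`+`) at the end.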
@@ -1,260 +0,0 @@ ---- -- hosts: lancaster - remote_user: root - tasks: - - name: Installation des paquets de base - yum: name={{ item }} state=present - with_items: - - inadyn - - libao-devel - - awstats - - fail2ban - - openvpn - - xml-commons-apis - - xml-commons-apis12 - - php-domxml-php4-php5 - - php-xml - - php-imap - - screen - - tmux - - htop - - nmap - - glances - - yum-plugin-fastestmirror - - yum-plugin-verify - - hddtemp - - iftop - - powertop - - iotop - - bvi - - whois - - lm_sensors - - systemd-analyze - - postfix - - php-IDNA_Convert - - php-simplepie - - irssi - - transmission-daemon - - rkhunter - - unhide - - rpmconf - - colordiff - - patch - - emacs-nox - - dovecot-mysql - - dovecot-pigeonhole - - whowatch - - gpm - - ImageMagick - - yum-updatesd - - mined - - ipset - - aide - - nfswatch - - - name: Redirection du courrier de root - lineinfile: 'dest=/etc/aliases create=yes state=present insertafter="^# Person who should get root" - line="root: casper"' - notify: newaliases db - - - name: Redirection du courrier de matthieu - lineinfile: 'dest=/etc/aliases create=yes state=present insertafter="root: casper" - line="matthieu: casper"' - notify: newaliases db - - - name: Autorise toutes les connexions sur Chrony - lineinfile: dest=/etc/chrony.conf create=yes state=present insertafter="#allow 192.168/16" - line="allow" - notify: restart chrony - - - name: Active les logs de Chrony - lineinfile: dest=/etc/chrony.conf state=present backrefs=yes regexp="^noclientlog" - line="#noclientlog" - notify: restart chrony - - - name: Active le debug de Chrony - lineinfile: dest=/etc/chrony.conf create=yes state=present insertafter="#log measurements statistics tracking" - line="log measurements statistics tracking" - notify: restart chrony - - - name: Configuration de la résolution ipv4 du nom d'hôte - lineinfile: dest=/etc/hosts create=yes state=present insertafter=EOF - line="{{ ansible_default_ipv4.address }} {{ ansible_hostname }}" - - - name: 
Configuration de la résolution ipv6 du nom d'hôte - lineinfile: dest=/etc/hosts create=yes state=present insertafter=EOF - line="{{ ansible_default_ipv6.address }} {{ ansible_hostname }}" - - - name: Activation de tests rkhunter - lineinfile: dest=/etc/rkhunter.conf state=present backrefs=yes - regexp="^DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps" - line="DISABLE_TESTS=suspscan deleted_files hidden_procs" - - - name: Configuration yum nombre de kernels - lineinfile: dest=/etc/yum.conf state=present backrefs=yes regexp="^installonly_limit=3" - line="installonly_limit=13" - - - name: Configuration yum affichage historique - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter=EOF - line="history_list_view=cmds" - - - name: Configuration yum clean on remove - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter=EOF - line="clean_requirements_on_remove=1" - - - name: Configuration yum sans delta rpm - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter=EOF - line="deltarpm=0" - - - name: Configuration cron reboot auto - copy: src=files/auto-reboot.cron dest=/etc/cron.d/auto-reboot mode=644 - - - name: Configuration cron miroir local - copy: src=files/update-mirror.cron dest=/etc/cron.d/update-mirror mode=644 - - - name: Configuration cron rapport disques durs - copy: src=files/diskreport.sh dest=/etc/cron.daily/diskreport.sh mode=755 - - - name: Configuration cron rapport SELinux - copy: src=files/eaureport.sh dest=/etc/cron.daily/eaureport.sh mode=755 - - - name: Configuration cron backup auto - copy: src=files/nbackconf.sh dest=/etc/cron.daily/nbackconf.sh mode=755 - - - name: Configuration cron Diff auto - copy: src=files/ndiffconf.sh dest=/etc/cron.daily/ndiffconf.sh mode=755 - - - name: Configuration cron rapport RPM Verify - copy: src=files/rpmreport.sh dest=/etc/cron.daily/rpmreport.sh mode=755 - - - name: Installation du HIDS AIDE - copy: src=files/z-aidereport.sh 
dest=/etc/cron.daily/z-aidereport.sh mode=755 - notify: initialize aide - - - name: Configuration cron transfert de backup - copy: src=files/backtransfer.sh dest=/etc/cron.monthly/backtransfer.sh mode=755 - - - name: Configuration cron relabel système de fichier - copy: src=files/selinuxresto.sh dest=/etc/cron.monthly/selinuxresto.sh mode=755 - - - name: Configuration cron rapport des quotas fs - copy: src=files/trepquota.sh dest=/etc/cron.monthly/trepquota.sh mode=755 - - - name: Configuration cron tests disques durs - copy: src=files/diskcheck.sh dest=/etc/cron.weekly/diskcheck.sh mode=755 - - - name: Configuration cron rapport powertop - copy: src=files/powertop.sh dest=/etc/cron.weekly/powertop.sh mode=755 - - - name: Configuration dovecot logging - lineinfile: dest=/etc/dovecot/conf.d/10-logging.conf create=yes state=present insertafter="^#verbose_ssl = no" - line="verbose_ssl = yes" - notify: restart dovecot - - - name: Configuration dovecot accès mail - lineinfile: "dest=/etc/dovecot/conf.d/10-mail.conf create=yes state=present insertafter='^#mail_location' - line='mail_location = mbox:~/Mail:INBOX=/var/mail/%u'" - notify: restart dovecot - - - name: Configuration dovecot certificat SSL - lineinfile: dest=/etc/dovecot/conf.d/10-ssl.conf state=present backrefs=yes regexp="^ssl_cert = </etc/pki/dovecot/certs/dovecot.pem" - line="ssl_cert = </etc/pki/tls/certs/casperlefantom.1.crt" - notify: restart dovecot - - - name: Configuration dovecot clé SSL - lineinfile: dest=/etc/dovecot/conf.d/10-ssl.conf state=present backrefs=yes regexp="^ssl_key = </etc/pki/dovecot/private/dovecot.pem" - line="ssl_key = </etc/pki/tls/private/casperlefantom.1.key" - notify: restart dovecot - - - name: Configuration du pare-feu - copy: src=files/firewalld-public.xml dest=/etc/firewalld/zones/public.xml mode=644 - notify: restart firewalld - - - name: Configuration apache mod_ssl - lineinfile: "dest=/etc/httpd/conf.d/ssl.conf state=present backrefs=yes regexp='^<VirtualHost 
_default_:443>' - line='<VirtualHost {{ ansible_hostname }}:443>'" - notify: restart apache - - - name: Configuration PHP timezone - lineinfile: dest=/etc/php.d/localtime.ini create=yes state=present - line='date.timezone = "Europe/Paris"' - notify: restart apache - - - name: Configuration du démon SSH - lineinfile: dest=/etc/ssh/sshd_config state=present backrefs=yes regexp="^PasswordAuthentication yes" - line="PasswordAuthentication no" - notify: restart sshd - - - name: Désactivation de Prelink - lineinfile: dest=/etc/sysconfig/prelink state=present backrefs=yes regexp="^PRELINKING=yes" - line="PRELINKING=no" - notify: prelink undo - - - name: Configuration sysctl du démon Transmission - copy: src=files/transmission.conf dest=/etc/sysctl.d/transmission.conf mode=644 - - - name: Configuration du service irssi - copy: src=files/irssi.service dest=/etc/systemd/system/irssi.service mode=644 - notify: reload systemd - - - name: Configuration du service transmission-deamon - copy: src=files/transmission-daemon.service dest=/etc/systemd/system/transmission-daemon.service mode=644 - notify: reload systemd - - - name: yum-updatesd lancé toutes les 3h au lieu de 1h - lineinfile: dest=/etc/yum/yum-updatesd.conf state=present backrefs=yes regexp="^run_interval = 3600" - line="run_interval = 10800" - notify: restart yum-updatesd - - - name: yum-updatesd actualise toutes les 30min au lieu de 10min - lineinfile: dest=/etc/yum/yum-updatesd.conf state=present backrefs=yes regexp="^updaterefresh = 600" - line="updaterefresh = 1800" - notify: restart yum-updatesd - - - name: yum-updatesd informe mise à jour par email - lineinfile: dest=/etc/yum/yum-updatesd.conf state=present backrefs=yes regexp="^emit_via = dbus" - line="emit_via = email" - notify: restart yum-updatesd - - - name: yum-updatesd installe les mise à jour disponibles - lineinfile: dest=/etc/yum/yum-updatesd.conf state=present backrefs=yes regexp="^do_update = no" - line="do_update = yes" - notify: restart 
yum-updatesd - - - name: État du service yum-updatesd - service: name=yum-updatesd state=started enabled=yes - - - - - handlers: - - name: newaliases db - command: /usr/bin/newaliases - - - name: restart chrony - service: name=chronyd state=restarted - - - name: initialize aide - script: files/aideinit.sh - - - name: restart dovecot - service: name=dovecot state=restarted - - - name: restart firewalld - service: name=firewalld state=restarted - - - name: restart apache - service: name=httpd state=restarted - - - name: restart sshd - service: name=sshd state=restarted - - - name: prelink undo - command: /usr/sbin/prelink -ua - - - name: reload systemd - command: /usr/bin/systemctl --system daemon-reload - - - name: restart yum-updatesd - service: name=yum-updatesd state=restarted - diff --git a/mosquito.yml b/mosquito.yml deleted file mode 100644 index d24764c..0000000 --- a/mosquito.yml +++ /dev/null 
@@ -1,213 +0,0 @@ ---- -- hosts: mosquito - remote_user: root - tasks: - - name: Installation des paquets de base - yum: name={{ item }} state=present - with_items: - - elinks - - livecd-tools - - colordiff - - fpaste - - wget - - emacs-nox - - glances - - htop - - iftop - - iotop - - lm_sensors - - memtest86+ - - mined - - powertop - - rpmconf - - screen - - tmux - - yum-plugin-fastestmirror - - gpm - - bash-completion - - vim-enhanced - - yum-plugin-verify - - yum-updatesd - - aide - - postfix - - mutt - - nfs-utils - - qemu-kvm - - libvirt-client - - libvirt-daemon - - libvirt-daemon-driver-libxl - - libvirt-daemon-driver-nwfilter - - libvirt-daemon-driver-storage - - libvirt-daemon-driver-uml - - libvirt-daemon-driver-network - - libvirt-daemon-driver-xen - - libvirt-daemon-driver-qemu - - libvirt-daemon-driver-secret - - libvirt-daemon-driver-interface - - libvirt-daemon-driver-lxc - - libvirt-daemon-driver-nodedev - - - name: Configuration yum sans delta rpm - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="installonly_limit" - line="deltarpm=0" - - - name: Configuration yum affichage historique - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="deltarpm=0" - line="history_list_view=cmds" - - - name: Configuration yum clean on remove - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="history_list_view=cmds" - line="clean_requirements_on_remove=1" - - - name: Configuration écran rabattu systemd - lineinfile: dest=/etc/systemd/logind.conf create=yes state=present insertafter="#HandleLidSwitch" - line="HandleLidSwitch=ignore" - notify: reload systemd - - - name: Squelette bashrc - copy: src="files/bashrc" dest=/etc/skel/.bashrc mode=644 - - - name: Root bashrc - copy: src="files/bashrc" dest=/root/.bashrc mode=644 - - - name: Squelette emacs rc - copy: src="files/emacs.rc" dest=/etc/skel/.emacs mode=644 - - - name: Root emacs rc - copy: src="files/emacs.rc" dest=/root/.emacs mode=644 - - - name: 
Installation du miroir updates - copy: src=files/updates-fantom.repo dest=/etc/yum.repos.d/updates-fantom.repo - notify: disable updates - - - name: Installation du miroir updates-testing - copy: src=files/updates-testing-fantom.repo dest=/etc/yum.repos.d/updates-testing-fantom.repo - notify: disable updates - - - name: Télécharge le paquet linux_logo fedora pour F20 - get_url: dest=/tmp/linux_logo.rpm url=http://fantom.fedorapeople.org/linux_logo-5.11-6.fc20.x86_64.rpm - when: ansible_distribution_version|int == 20 and ansible_architecture == "x86_64" - - - name: Télécharge le paquet linux_logo fedora pour F21 - get_url: dest=/tmp/linux_logo.rpm url=http://fantom.fedorapeople.org/linux_logo-5.11-6.fc21.x86_64.rpm - when: ansible_distribution_version|int == 21 and ansible_architecture == "x86_64" - - - name: Installe le paquet linux_logo fedora - yum: pkg=/tmp/linux_logo.rpm state=installed - - - name: Ajoute le paquet linux_logo fedora en Exclude - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="clean_requirements_on_remove=1" - line="exclude=linux_logo" - - - name: Installation de la clé ssh pour l'utilisateur root - authorized_key: user=root key="{{lookup('file', 'files/id_rsa.pub') }}" manage_dir=yes - - - name: Configuration du démon SSH - lineinfile: dest=/etc/ssh/sshd_config state=present backrefs=yes regexp="^PasswordAuthentication yes" - line="PasswordAuthentication no" - notify: restart sshd - - - name: Serveurs NTP 0.fedora.pool.ntp.org désactivé - lineinfile: dest=/etc/chrony.conf state=present backrefs=yes regexp="^server 0.fedora.pool.ntp.org" - line="#server 0.fedora.pool.ntp.org" - notify: restart chrony - - - name: Serveurs NTP 1.fedora.pool.ntp.org désactivé - lineinfile: dest=/etc/chrony.conf state=present backrefs=yes regexp="^server 1.fedora.pool.ntp.org" - line="#server 1.fedora.pool.ntp.org" - notify: restart chrony - - - name: Serveurs NTP 2.fedora.pool.ntp.org désactivé - lineinfile: dest=/etc/chrony.conf state=present 
backrefs=yes regexp="^server 2.fedora.pool.ntp.org" - line="#server 2.fedora.pool.ntp.org" - notify: restart chrony - - - name: Serveurs NTP 3.fedora.pool.ntp.org désactivé - lineinfile: dest=/etc/chrony.conf state=present backrefs=yes regexp="^server 3.fedora.pool.ntp.org" - line="#server 3.fedora.pool.ntp.org" - notify: restart chrony - - - name: Configuration serveur NTP actif - lineinfile: dest=/etc/chrony.conf create=yes state=present insertafter="#server 3.fedora.pool.ntp.org" - line="server ntp1.casperlefantom.net iburst" - notify: restart chrony - - - name: Installation de mon autorité de certification - copy: src=files/root.pem dest=/etc/pki/ca-trust/source/anchors/root.pem mode=444 - notify: ca trust - - - name: Installation de l'autorité de certification CACert - copy: src=files/cacert.pem dest=/etc/pki/ca-trust/source/anchors/cacert.pem mode=444 - notify: ca trust - - - name: yum-updatesd lancé toutes les 3h au lieu de 1h - lineinfile: dest=/etc/yum/yum-updatesd.conf state=present backrefs=yes regexp="^run_interval = 3600" - line="run_interval = 10800" - - - name: yum-updatesd actualise toutes les 30min au lieu de 10min - lineinfile: dest=/etc/yum/yum-updatesd.conf state=present backrefs=yes regexp="^updaterefresh = 600" - line="updaterefresh = 1800" - - - name: yum-updatesd informe mise à jour par email - lineinfile: dest=/etc/yum/yum-updatesd.conf state=present backrefs=yes regexp="^emit_via = dbus" - line="emit_via = email" - - - name: yum-updatesd installe les mise à jour disponibles - lineinfile: dest=/etc/yum/yum-updatesd.conf state=present backrefs=yes regexp="^do_update = no" - line="do_update = yes" - - - name: État du service yum-updatesd - service: name=yum-updatesd state=started enabled=yes - - - name: État du service postfix - service: name=postfix state=started enabled=yes - - - name: État du service libvirtd - service: name=libvirtd state=stopped enabled=no - - - name: Configuration cron reboot auto - copy: src=files/auto-reboot.cron 
dest=/etc/cron.d/auto-reboot mode=644 - - - name: Configuration cron rapport disques durs - copy: src=files/diskreport.sh dest=/etc/cron.daily/diskreport.sh mode=755 - - - name: Configuration cron rapport SELinux - copy: src=files/eaureport.sh dest=/etc/cron.daily/eaureport.sh mode=755 - - - name: Configuration cron rapport RPM Verify - copy: src=files/rpmreport.sh dest=/etc/cron.daily/rpmreport.sh mode=755 - - - name: Configuration cron relabel système de fichier - copy: src=files/selinuxresto.sh dest=/etc/cron.monthly/selinuxresto.sh mode=755 - - - name: Configuration cron tests disques durs - copy: src=files/diskcheck.sh dest=/etc/cron.weekly/diskcheck.sh mode=755 - - - name: Installation du HIDS AIDE - copy: src=files/z-aidereport.sh dest=/etc/cron.daily/z-aidereport.sh mode=755 - notify: initialize aide - - - name: Configuration de la variable EDITOR - lineinfile: dest=/root/bin/setvars create=yes state=present - line="export EDITOR=emacs" - - - - handlers: - - name: restart sshd - service: name=sshd state=restarted - - - name: initialize aide - script: files/aideinit.sh - - - name: restart chrony - service: name=chronyd state=restarted - - - name: ca trust - command: /usr/bin/update-ca-trust - - - name: reload systemd - command: /usr/bin/systemctl --system daemon-reload - - - name: disable updates - command: /usr/bin/yum-config-manager --disable updates diff --git a/ns2.yml b/ns2.yml deleted file mode 100644 index f216528..0000000 --- a/ns2.yml +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -- hosts: ns2 - remote_user: root - tasks: - - name: Installation des paquets de base - yum: name={{ item }} state=present - with_items: - - aide - - bind - - emacs-nox - - iotop - - ipset - - nmap - - postfix - - powertop - - yum-plugin-fastestmirror - - yum-plugin-verify - - screen - - ntp - - dovecot-mysql - - dovecot-pigeonhole - - - name: Installation de la clé ssh pour l'utilisateur root - authorized_key: user=root key="{{lookup('file', 'files/id_rsa.pub') }}" manage_dir=yes - - - name: Configuration du démon SSH - lineinfile: dest=/etc/ssh/sshd_config state=present backrefs=yes regexp="^PasswordAuthentication yes" - line="PasswordAuthentication no" - notify: restart sshd - - - name: Configuration yum affichage historique - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="installonly_limit" - line="history_list_view=cmds" - - - name: Configuration yum clean on remove - lineinfile: dest=/etc/yum.conf create=yes state=present insertafter="history_list_view=cmds" - line="clean_requirements_on_remove=1" - - - name: Root bashrc - copy: src="files/bashrc" dest=/root/.bashrc mode=644 - - - name: Root emacs rc - copy: src="files/emacs.rc" dest=/root/.emacs mode=644 - - - name: Configure la variable EDITOR - lineinfile: dest=/root/bin/setvars create=yes state=present - line="export EDITOR=emacs" - - - name: Serveurs NTP 0.centos.pool.ntp.org désactivé - lineinfile: dest=/etc/ntp.conf state=present backrefs=yes regexp="^server 0.centos.pool.ntp.org" - line="#server 0.centos.pool.ntp.org" - - - name: Serveurs NTP 1.centos.pool.ntp.org désactivé - lineinfile: dest=/etc/ntp.conf state=present backrefs=yes regexp="^server 1.centos.pool.ntp.org" - line="#server 1.centos.pool.ntp.org" - - - name: Serveurs NTP 2.centos.pool.ntp.org désactivé - lineinfile: dest=/etc/ntp.conf state=present backrefs=yes regexp="^server 2.centos.pool.ntp.org" - line="#server 2.centos.pool.ntp.org" - - - name: Serveurs NTP 3.centos.pool.ntp.org désactivé - 
lineinfile: dest=/etc/ntp.conf state=present backrefs=yes regexp="^server 3.centos.pool.ntp.org" - line="#server 3.centos.pool.ntp.org" - - - name: Configuration serveur NTP actif - lineinfile: dest=/etc/ntp.conf create=yes state=present insertafter="#server 3.centos.pool.ntp.org" - line="server ntp1.casperlefantom.net iburst" - notify: restart ntpd - - - name: Transfert de mon certificat racine - copy: src=files/root.pem dest=/root/root.pem mode=444 - - - name: État du service named - service: name=named state=started enabled=yes - - - name: État du service ntpd - service: name=ntpd state=started enabled=yes - - - - handlers: - - name: restart sshd - service: name=sshd state=restarted - - - name: restart ntpd - service: name=ntpd state=restarted diff --git a/playbooks/update.yml b/playbooks/update.yml index e823d8f..58cd0be 100644 --- a/playbooks/update.yml +++ b/playbooks/update.yml @@ -6,12 +6,12 @@ - name: Mise à jour système avec yum yum: name=* state=latest register: update1 - when: ansible_distribution_version|int <= 21 or ansible_distribution == "CentOS" + when: ansible_pkg_mgr == "yum" - name: Mise à jour système avec dnf dnf: name=* state=latest register: update2 - when: ansible_distribution_version|int >= 22 + when: ansible_pkg_mgr == "dnf" - hosts: - reboot diff --git a/roles/clients/files/sudo b/roles/clients/files/sudo index 7b164c3..1dc9e53 100644 --- a/roles/clients/files/sudo +++ b/roles/clients/files/sudo 
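Review bot: The new conditions read the `ansible_pkg_mgr` fact, so both update tasks are silently skipped (with `update1`/`update2` registered as skipped results) if fact gathering is disabled for this play; the play header is outside the hunk, so confirm it does not set `gather_facts: false`. With the branch now keyed on the package manager, the pair could also collapse into one `package: name='*' state=latest` task, which dispatches on that same fact — though that merges the two registered results the reboot play presumably inspects, so it is optional. The tasks still use the `key=value` shorthand; block YAML (`yum:` / `name: '*'` / `state: latest`) is the form ansible-lint prefers.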
@@ -1,7 +1,14 @@
-User_Alias MOI = casper
+User_Alias MOI = casper, matthieusaulnier
 
-Cmnd_Alias CLI = /usr/bin/yum, /usr/bin/dnf, /usr/bin/touch /.autorelabel
+Cmnd_Alias CLI = /usr/bin/yum, /usr/bin/dnf, /usr/bin/touch /.autorelabel, /usr/bin/journalctl
 Cmnd_Alias DESKTOP = /usr/sbin/i7z, /usr/sbin/iftop, /usr/sbin/iotop -o
+Cmnd_Alias DOCKER = /usr/bin/docker
+Cmnd_Alias POWEROFF = /usr/sbin/poweroff
+Cmnd_Alias SHINT = /usr/sbin/sgdisk -Z
 
 MOI ALL = NOPASSWD: CLI
 MOI ALL = NOPASSWD: DESKTOP
+MOI ALL = NOPASSWD: DOCKER
+MOI ALL = NOPASSWD: POWEROFF
+MOI ALL = NOPASSWD: SHINT
+
diff --git a/roles/clients/tasks/main.yml b/roles/clients/tasks/main.yml
index be8a8fb..5f5875a 100644
--- a/roles/clients/tasks/main.yml
+++ b/roles/clients/tasks/main.yml
@@ -7,8 +7,9 @@
 - name: Utilisation de la swap sysctl
 include: sysctl.yml
 
-- name: Installation de KDE
- include: kde.yml
+# groupname incorrect
+#- name: Installation de KDE
+# include: kde.yml
 
 - name: Configuration sudo
 include: sudo.yml
diff --git a/roles/clients/tasks/pkgs.yml b/roles/clients/tasks/pkgs.yml
index 689a8bb..606f600 100644
--- a/roles/clients/tasks/pkgs.yml
+++ b/roles/clients/tasks/pkgs.yml
@@ -19,11 +19,8 @@
 - livecd-tools
 - l10n-kickstarts
 - apg
- - i7z
- - dnf
 - ffmpeg
 - dconf-editor
- - istanbul
 - ntop
 - liferea
 - mcabber
@@ -73,7 +70,6 @@
 - openshot
 - asterisk-gui
 - ldc-phobos-geany-tags
- - vidalia
 - geany-plugins-addons
 - geany-plugins-geniuspaste
 - gshutdown
@@ -95,7 +91,6 @@
 - lynis
 - nbtscan
 - nc
- - nc6
 - ncrack
 - ngrep
 - nmap-frontend
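Review bot: `Cmnd_Alias SHINT = /usr/sbin/sgdisk -Z` can never match a useful invocation: when a sudoers command lists arguments the caller's arguments must match them exactly, and `sgdisk -Z` without a device does nothing, so `sudo sgdisk -Z /dev/...` is refused. Spell the device out, `Cmnd_Alias SHINT = /usr/sbin/sgdisk -Z /dev/sdX` (sdX standing for the real disk), which for a partition-table wipe is also the safer form. `NOPASSWD: DOCKER` with no argument restriction is, by Docker's own documentation, equivalent to passwordless root for every member of MOI, so the file should carry a comment stating that this grant is understood as root access. `/usr/bin/journalctl` in CLI launches a pager running as root; sudo's `NOEXEC:` tag exists for that case, so a separate `MOI ALL = NOPASSWD: NOEXEC: /usr/bin/journalctl` rule is the usual mitigation (verify journalctl still behaves, since it can then no longer exec the pager and may need `--no-pager`).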
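Review bot: Commenting out the KDE include leaves dead configuration in the task list, and `# groupname incorrect` records the symptom rather than what has to change; since git keeps the history, the cleaner options are to correct the group name in kde.yml or to delete the three lines outright. If it must stay disabled for now, `# TODO: re-enable once the package group name in kde.yml is fixed` makes the condition for bringing it back explicit.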
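Review bot: `- i7z` is dropped from the client package list here, but roles/clients/files/sudo in this same commit still grants `NOPASSWD` on `/usr/sbin/i7z` through the `DESKTOP` alias, so the sudo rule now names a binary the role no longer installs. Either keep the package or remove `/usr/sbin/i7z` from the alias so the two files stay in step; a grant for an absent path is harmless today but is exactly the kind of stale sudo entry that outlives its reason.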
@@ -142,22 +137,27 @@
 - ophcrack
 - wireshark
 - wireshark-gnome
- - nessus-gui
 - arpwatch
 - tcpflow
- - sectool
 - unicornscan
 - net-tools
 - intrace
 - conntrack-tools
 - binutils
 - macchanger
- - cryptkeeper
 - ecryptfs-utils
 - ettercap-gtk
 - virt-manager
 - qrencode
 - kde-l10n-French
+ - fdupes
+ - transmission
+ - mediainfo
+ - httpie
+ - enscript
+ - mumble-plugins
+ - transmission-gtk
+ - simple-scan
 
 - name: Installation des paquets codecs
 dnf: name={{ item }} state=present
diff --git a/roles/common/files/bashrc b/roles/common/files/bashrc
index f506493..9fb69d2 100644
--- a/roles/common/files/bashrc
+++ b/roles/common/files/bashrc
@@ -5,37 +5,50 @@ alias rm='rm -i' alias cp='cp -i' alias mv='mv -i' -alias pop='popd' -alias up='popd' -alias myip='curl https://lancaster.casperlefantom.net/ipclient.php' -alias torip='torsocks curl https://lancaster.casperlefantom.net/ipclient.php' +alias ll='ls -lh' alias f='find . -iname' +alias up='popd' +alias pop='popd' +alias myip='curl https://lancaster.casperlefantom.net:4433/ipclient.php' +alias torip='torsocks curl https://lancaster.casperlefantom.net:4433/ipclient.php' alias beep='echo -e "\a"' alias screenoff='xset dpms force off' +alias wifion='nmcli r wifi on' +alias wifioff='nmcli r wifi off' alias ltx='tmux ls' alias atx='tmux attach -t' alias addkey='gpg --keyserver hkp://keys.fedoraproject.org --recv-key' alias poezio='tmux -2 new-session -s poezio -n "poezio-debug by tor" "proxychains4 poezio --debug ~/.local/share/poezio/debug.log"' +alias tssh='torsocks ssh -F /home/$USER/.ssh/config2' +alias tscp='torsocks scp -F /home/$USER/.ssh/config2' +alias trsync='torsocks rsync -e "ssh -F /home/$USER/.ssh/config2"' +alias mnt='mount | column -t' + # Source global definitions if [ -f /etc/bashrc ]; then - . /etc/bashrc + . /etc/bashrc fi # Define personal variables if [ -f $HOME/bin/setvars ]; then - . $HOME/bin/setvars + . $HOME/bin/setvars +fi +# Define personal functions +if [ -f $HOME/bin/setfunctions ]; then + . $HOME/bin/setfunctions fi # Print fedora linux logo in interactive shell if [ -n "$PS1" ]; then if which linux_logo >/dev/null 2>&1; then - linux_logo -L fedora -F "Bienvenue sur l'hôte #H\n#V, Compilé #C \n#P #X #T, #R, #U" + linux_logo -L fedora -F "Bienvenue sur l'hôte #H\n#V, Compilé #C \n#P #X #T, #R, #U" fi fi -HISTSIZE=2500 +HISTSIZE=25000 HISTIGNORE="history:exit:logout:[ ]*" +HISTTIMEFORMAT="%d/%m/%y %T " RESET='\[$(tput sgr0)\]' BOLD='\[$(tput bold)\]' 
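Review bot: The three new tor aliases hard-code the home directory as `/home/$USER`, while the lines just below already use `$HOME` for `setvars` and `setfunctions`; for any account whose home is not under /home — root in particular, which the deleted ns2.yml and mosquito.yml playbooks installed a bashrc for as /root/.bashrc — the aliases point at a config file that does not exist. Use `alias tssh='torsocks ssh -F $HOME/.ssh/config2'`, `alias tscp='torsocks scp -F $HOME/.ssh/config2'` and `alias trsync='torsocks rsync -e "ssh -F $HOME/.ssh/config2"'`. Whether the common role still copies this file to /root is outside the hunk, so that part is inferred.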
@@ -48,8 +61,8 @@
 YELLOW='\[$(tput setaf 3)\]'
 CYAN='\[$(tput setaf 6)\]'
 if [ $UID -eq 0 ]; then
- PS1="$BOLD$RED\h$BLUE:$YELLOW\w$RED\\$ $RESET$RED"
+ PS1="$BOLD$RED\h$BLUE:$YELLOW\w$RED\\$ $RESET$RED"
 else
- PS1="$BOLD$GREEN\u$BLUE@$YELLOW\h$BLUE:\w$GREEN\\$ $RESET$GREEN"
+ PS1="$BOLD$GREEN\u$BLUE@$YELLOW\h$BLUE:\w$GREEN\\$ $RESET$GREEN"
 fi
 PS2='suite-> '
diff --git a/roles/common/files/emacs.rc b/roles/common/files/emacs.rc
index 4f82ac4..9a3d9fa 100644
--- a/roles/common/files/emacs.rc
+++ b/roles/common/files/emacs.rc
@@ -26,11 +26,67 @@ ;;(standard-display-ascii ?\t "^I") ;; Draw tabs with the same color as trailing whitespace -(add-hook 'font-lock-mode-hook - (lambda () - (font-lock-add-keywords - nil - '(("\t" 0 'trailing-whitespace prepend))))) +;;(add-hook 'font-lock-mode-hook +;; (lambda () +;; (font-lock-add-keywords +;; nil +;; '(("\t" 0 'trailing-whitespace prepend))))) ;; Disable auto indent (electric-indent-mode 0) + +;; third-party repository +(require 'package) +(add-to-list 'package-archives + '("melpa" . "http://melpa.milkbox.net/packages/") t) + +;; get the PATH env +(defun set-exec-path-from-shell-PATH () + (let ((path-from-shell (replace-regexp-in-string + "[ \t\n]*$" + "" + (shell-command-to-string "$SHELL --login -i -c 'echo $PATH'")))) + (setenv "PATH" path-from-shell) + (setq eshell-path-env path-from-shell) ; for eshell users + (setq exec-path (split-string path-from-shell path-separator)))) + +(when window-system (set-exec-path-from-shell-PATH)) + +;; manual setup of the root directory +(setenv "GOPATH" "/home/casper/progtest/work") + +;; launch goformat when saving file +(add-to-list 'exec-path "/home/casper/progtest/work/bin") + + +;; le mastard +(defun my-go-mode-hook () + ; Use goimports instead of go-fmt + (setq gofmt-command "goimports") + ; Call Gofmt before saving + (add-hook 'before-save-hook 'gofmt-before-save) + ; Customize compile command to run go build + (if (not (string-match "go" compile-command)) + (set (make-local-variable 'compile-command) + "go build -v && go test -v && go vet && go install")) + ; Godef jump key binding + (local-set-key (kbd "M-.") 'godef-jump)) + ; Compile command key binding + ;(local-set-key (kdb "M-§") 'compile-command)) + ;(global-set-key (kbd "M-§") 'compile-command) +(add-hook 'go-mode-hook 'my-go-mode-hook) + + +;; auto-completion for go +(defun auto-complete-for-go () + (auto-complete-mode 1)) +(add-hook 'go-mode-hook 'auto-complete-for-go) + +(with-eval-after-load 'go-mode + (require 'go-autocomplete)) + +;; 
quiet compile command
+(setq compilation-read-command nil)
+
+;; compile command
+(global-set-key (kbd "M-!") 'compile)
diff --git a/roles/common/files/updates-fantom-hidden.repo b/roles/common/files/updates-fantom-hidden.repo
new file mode 100644
index 0000000..1620b3e
--- /dev/null
+++ b/roles/common/files/updates-fantom-hidden.repo
@@ -0,0 +1,29 @@
+[updates-fantom-hidden]
+name=Fedora $releasever - $basearch - Updates on Casper's hidden server
+failovermethod=priority
+baseurl=http://pmstfd4f6s5bm2xq.onion/pub/fedora/linux/updates/$releasever/$basearch/
+enabled=0
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[updates-debuginfo-fantom-hidden]
+name=Fedora $releasever - $basearch - Updates - Debug on Casper's hidden server
+failovermethod=priority
+baseurl=http://pmstfd4f6s5bm2xq.onion/pub/fedora/linux/updates/$releasever/$basearch/debug/
+enabled=0
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[updates-source-fantom-hidden]
+name=Fedora $releasever - Updates Source on Casper's hidden server
+failovermethod=priority
+baseurl=http://pmstfd4f6s5bm2xq.onion/pub/fedora/linux/updates/$releasever/SRPMS/
+enabled=0
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
diff --git a/roles/common/files/updates-fantom.repo b/roles/common/files/updates-fantom.repo
index 55821da..cb54c47 100644
--- a/roles/common/files/updates-fantom.repo
+++ b/roles/common/files/updates-fantom.repo
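Review bot: The MELPA archive is registered over plain `http://`, so every package fetched through `package-install` (including the `go-autocomplete` required below) arrives without transport integrity; `'("melpa" . "https://melpa.org/packages/")` is the archive's supported TLS endpoint and a one-line change. `set-exec-path-from-shell-PATH` runs `$SHELL --login -i -c 'echo $PATH'`, and the `-i` makes bash source the interactive rc files — with the `linux_logo` banner in bashrc earlier in this commit, that banner text is captured into PATH alongside the real value, since only trailing whitespace is stripped; `$SHELL -l -c 'echo $PATH'` avoids it. The hard-coded `/home/casper/progtest/work` GOPATH makes a file shipped from the common role user-specific; `(expand-file-name "progtest/work" (getenv "HOME"))` keeps it portable.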
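Review bot: `baseurl` points at a `.onion` service, but nothing in the file tells dnf how to reach Tor — `.onion` names do not resolve through the normal resolver, so as soon as a section is enabled (`enabled=1` or `--enablerepo`) every transaction aborts, because `skip_if_unavailable=False` turns the unreachable mirror into a hard failure. Either add the proxy the mirror needs (dnf accepts `proxy=socks5h://HOST:PORT`, `socks5h` so the proxy does the name resolution; host/port are site-specific) or put a comment above each section, e.g. `# only reachable with dnf proxied through Tor (proxy=socks5h://...)`, so the default `enabled=0` is understood as deliberate. `gpgcheck=1` with the distribution key still verifies package signatures, which is the right baseline for a third-party mirror; the same remarks apply to `updates-testing-fantom-hidden.repo` further down.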
@@ -1,7 +1,7 @@
 [updates-fantom]
 name=Fedora $releasever - $basearch - Updates on Casper's server
 failovermethod=priority
-baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/$releasever/$basearch/
+baseurl=https://mirror.casperlefantom.net:4433/pub/fedora/linux/updates/$releasever/$basearch/
 enabled=1
 gpgcheck=1
 metadata_expire=6h
@@ -11,7 +11,7 @@ skip_if_unavailable=False
 [updates-debuginfo-fantom]
 name=Fedora $releasever - $basearch - Updates - Debug on Casper's server
 failovermethod=priority
-baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/$releasever/$basearch/debug/
+baseurl=https://mirror.casperlefantom.net:4433/pub/fedora/linux/updates/$releasever/$basearch/debug/
 enabled=0
 gpgcheck=1
 metadata_expire=6h
@@ -21,7 +21,7 @@ skip_if_unavailable=False
 [updates-source-fantom]
 name=Fedora $releasever - Updates Source on Casper's server
 failovermethod=priority
-baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/$releasever/SRPMS/
+baseurl=https://mirror.casperlefantom.net:4433/pub/fedora/linux/updates/$releasever/SRPMS/
 enabled=0
 gpgcheck=1
 metadata_expire=6h
diff --git a/roles/common/files/updates-testing-fantom-hidden.repo b/roles/common/files/updates-testing-fantom-hidden.repo
new file mode 100644
index 0000000..729bb71
--- /dev/null
+++ b/roles/common/files/updates-testing-fantom-hidden.repo
@@ -0,0 +1,29 @@
+[updates-testing-fantom-hidden]
+name=Fedora $releasever - $basearch - Test Updates on Casper's hidden server
+failovermethod=priority
+baseurl=http://pmstfd4f6s5bm2xq.onion/pub/fedora/linux/updates/testing/$releasever/$basearch/
+enabled=0
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[updates-testing-debuginfo-fantom-hidden]
+name=Fedora $releasever - $basearch - Test Updates Debug on Casper's hidden server
+failovermethod=priority
+baseurl=http://pmstfd4f6s5bm2xq.onion/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/
+enabled=0
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
+
+[updates-testing-source-fantom-hidden]
+name=Fedora $releasever - Test Updates Source on Casper's hidden server
+failovermethod=priority
+baseurl=http://pmstfd4f6s5bm2xq.onion/pub/fedora/linux/updates/testing/$releasever/SRPMS/
+enabled=0
+gpgcheck=1
+metadata_expire=6h
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+skip_if_unavailable=False
diff --git a/roles/common/files/updates-testing-fantom.repo b/roles/common/files/updates-testing-fantom.repo
index 45f7693..9d89634 100644
--- a/roles/common/files/updates-testing-fantom.repo
+++ b/roles/common/files/updates-testing-fantom.repo
@@ -1,7 +1,7 @@
 [updates-testing-fantom]
 name=Fedora $releasever - $basearch - Test Updates on Casper's server
 failovermethod=priority
-baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/testing/$releasever/$basearch/
+baseurl=https://mirror.casperlefantom.net:4433/pub/fedora/linux/updates/testing/$releasever/$basearch/
 enabled=0
 gpgcheck=1
 metadata_expire=6h
@@ -11,7 +11,7 @@ skip_if_unavailable=False [updates-testing-debuginfo-fantom] name=Fedora $releasever - $basearch - Test Updates Debug on Casper's server failovermethod=priority -baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/ +baseurl=https://mirror.casperlefantom.net:4433/pub/fedora/linux/updates/testing/$releasever/$basearch/debug/ enabled=0 gpgcheck=1 metadata_expire=6h @@ -21,7 +21,7 @@ skip_if_unavailable=False [updates-testing-source-fantom] name=Fedora $releasever - Test Updates Source on Casper's server failovermethod=priority -baseurl=https://mirror.casperlefantom.net/pub/fedora/linux/updates/testing/$releasever/SRPMS/ +baseurl=https://mirror.casperlefantom.net:4433/pub/fedora/linux/updates/testing/$releasever/SRPMS/ enabled=0 gpgcheck=1 metadata_expire=6h diff --git a/roles/common/files/zshrc b/roles/common/files/zshrc index 693d06c..21a79bf 100644 --- a/roles/common/files/zshrc +++ b/roles/common/files/zshrc @@ -1,7 +1,8 @@ # Lines configured by zsh-newuser-install HISTFILE=~/.histfile -HISTSIZE=2500 -SAVEHIST=2500 +HISTSIZE=25000 +SAVEHIST=25000 +HISTTIMEFORMAT="%d/%m/%y %T " bindkey -e # End of lines configured by zsh-newuser-install # The following lines were added by compinstall 
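Review bot: `HISTTIMEFORMAT="%d/%m/%y %T "` in zshrc is a bash variable that zsh never reads, so the added line is dead; the timestamping the author wants comes from `setopt extendedhistory`, which the second zshrc hunk adds, with `history -i` / `fc -li` to display it. Drop the line, or keep it only as `# HISTTIMEFORMAT is bash-only; see setopt extendedhistory below`, so a reader does not assume it takes effect. The same assignment in bashrc is correct there.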
@@ -17,30 +18,43 @@ alias mv='mv -i' alias ll='ls -lh' alias f='find . -iname' alias up='popd' -alias myip='curl https://lancaster.casperlefantom.net/ipclient.php' -alias torip='torsocks curl https://lancaster.casperlefantom.net/ipclient.php' +alias pop='popd' +alias myip='curl https://lancaster.casperlefantom.net:4433/ipclient.php' +alias torip='torsocks curl https://lancaster.casperlefantom.net:4433/ipclient.php' alias beep='echo -e "\a"' alias screenoff='xset dpms force off' +alias wifion='nmcli r wifi on' +alias wifioff='nmcli r wifi off' alias ltx='tmux ls' alias atx='tmux attach -t' alias addkey='gpg --keyserver hkp://keys.fedoraproject.org --recv-key' alias poezio='tmux -2 new-session -s poezio -n "poezio-debug by tor" "proxychains4 poezio --debug ~/.local/share/poezio/debug.log"' +alias tssh='torsocks ssh -F /home/$USER/.ssh/config2' +alias tscp='torsocks scp -F /home/$USER/.ssh/config2' +alias trsync='torsocks rsync -e "ssh -F /home/$USER/.ssh/config2"' +alias mnt='mount | column -t' + # Define personal variables if [ -f $HOME/bin/setvars ]; then - . $HOME/bin/setvars + . $HOME/bin/setvars +fi +# Define personal functions +if [ -f $HOME/bin/setfunctions ]; then + . $HOME/bin/setfunctions fi # Print fedora linux logo in interactive shell if [ -n "$PS1" ]; then if which linux_logo >/dev/null 2>&1; then - linux_logo -L fedora -F "Bienvenue sur l'hôte #H\n#V, Compilé #C \n#P #X #T, #R, #U" + linux_logo -L fedora -F "Bienvenue sur l'hôte #H\n#V, Compilé #C \n#P #X #T, #R, #U" fi fi setopt hist_ignore_space setopt autocd setopt correctall +setopt extendedhistory autoload -U promptinit promptinit autoload -U colors diff --git a/roles/common/tasks/cron.yml b/roles/common/tasks/cron.yml index 8dab3e2..5abc63f 100644 --- a/roles/common/tasks/cron.yml +++ b/roles/common/tasks/cron.yml 
@@ -10,18 +10,10 @@ template: src=diskreport.sh.j2 dest=/etc/cron.daily/diskreport.sh mode=755 when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host" -- name: Rapport SELinux - copy: src=eaureport.sh dest=/etc/cron.daily/eaureport.sh mode=755 - when: ansible_selinux.status != "disabled" - - name: Rapport RPM Verify copy: src=rpmreport.sh dest=/etc/cron.daily/rpmreport.sh mode=755 when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host" -- name: Relabel système de fichier - copy: src=selinuxresto.sh dest=/etc/cron.monthly/selinuxresto.sh mode=755 - when: ansible_selinux.status != "disabled" - - name: Tests disques durs template: src=diskcheck.sh.j2 dest=/etc/cron.weekly/diskcheck.sh mode=755 when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host" diff --git a/roles/common/tasks/deps.yml b/roles/common/tasks/deps.yml new file mode 100644 index 0000000..7a47fc0 --- /dev/null +++ b/roles/common/tasks/deps.yml @@ -0,0 +1,7 @@ +- name: Installation des dépendances du playbook + dnf: name={{ item }} state=present + with_items: + - libselinux-python + - python-dnf + - python-firewall + when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 22 diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index bb7ac53..ccd8c06 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,3 +1,6 @@ +- name: Install playbook dependancies + include: deps.yml + - name: Configuration démon SSH include: ssh.yml @@ -7,8 +10,9 @@ - name: Installation des points de montage standard include: mnt.yml -- name: Configuration du fichier hôte - include: host.yml +## ipv6 default address unavailable +##- name: Configuration du fichier hôte +## include: host.yml - name: Configuration démon Cron include: cron.yml diff --git a/roles/common/tasks/pkgs.yml b/roles/common/tasks/pkgs.yml index e0870fa..3c5b687 100644 --- a/roles/common/tasks/pkgs.yml 
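Review bot: The bootstrap task in deps.yml installs `python-dnf` through the `dnf` module, i.e. the binding that module itself needs on the target; I believe newer versions of the module bootstrap the binding on their own, but where that does not happen the play fails on its first task with the binding reported missing. The usual pattern for this one task is a `raw` fallback (`raw: dnf -y install libselinux-python python-dnf python-firewall`, guarded so it does not report changed every run), leaving the `dnf` module for everything after it. Since `libselinux-python` must also be present before any `copy`/`template` task touches a labelled file, a comment above the task noting that this include has to stay first in main.yml would protect the ordering the next hunk establishes.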
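Review bot: The `host.yml` include in main.yml is commented out with "ipv6 default address unavailable", but `hosts.j2` in this same commit gains a `{% if ansible_default_ipv6.address is defined %}` guard around the IPv6 line, so the include could be restored instead of leaving `##` dead lines. If the comment-out is intentional, the reason should state what still blocks it now that the template tolerates a missing IPv6 address. The include list continues outside the hunk.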
+++ b/roles/common/tasks/pkgs.yml @@ -24,6 +24,9 @@ - libselinux-python - policycoreutils-python - cryptsetup + - rsync + - sudo + - lsof when: ansible_distribution == "CentOS" - name: Installation des paquets @@ -38,7 +41,7 @@ - patch - gpm - elinks - - vim-enhanced + - vim - mutt - nfs-utils - tcpdump @@ -50,6 +53,8 @@ - libselinux-python - policycoreutils-python - cryptsetup + - rsync + - sudo when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 22 diff --git a/roles/common/tasks/repos.yml b/roles/common/tasks/repos.yml index 51e2777..f4723ea 100644 --- a/roles/common/tasks/repos.yml +++ b/roles/common/tasks/repos.yml 
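Review bot: The CentOS package list gains `rsync`, `sudo` and `lsof`, while the Fedora list in the hunk at -50 gains only `rsync` and `sudo`; if `lsof` is wanted on both, the omission looks accidental. The `vim-enhanced` → `vim` rename depends on the package manager resolving `vim` through a provide rather than a package name; if the `dnf` module's idempotency check compares installed package names, the task reports changed on every run, so it is worth confirming once on a host that already has `vim-enhanced`. The enclosing task definitions start outside the hunk.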
@@ -11,23 +11,24 @@ when: ansible_distribution_version|int >= 20 and ansible_architecture == "x86_64" and ansible_distribution_release != "Rawhide" -- name: Installation du miroir updates-testing - copy: src=updates-testing-fantom.repo dest=/etc/yum.repos.d/updates-testing-fantom.repo +- name: Installation du miroir hidden updates + copy: src=updates-fantom-hidden.repo dest=/etc/yum.repos.d/updates-fantom-hidden.repo when: ansible_distribution_version|int >= 20 and ansible_architecture == "x86_64" and ansible_distribution_release != "Rawhide" -- name: Désactivation du dépôt updates-testing - ini_file: dest=/etc/yum.repos.d/fedora-updates-testing.repo - section=updates-testing +- name: Désactivation du dépôt Fantom + ini_file: dest=/etc/yum.repos.d/updates-fantom.repo + section=updates option=enabled value=0 - when: ansible_distribution_version|int >= 22 and ansible_architecture == "x86_64" - and ansible_distribution_release != "Rawhide" + when: ansible_distribution_version|int >= 20 and ansible_architecture == "x86_64" + and ansible_distribution_release != "Rawhide" and outdoor is defined -- name: Désactivation du miroir updates-testing - ini_file: dest=/etc/yum.repos.d/updates-testing-fantom.repo - section=updates-testing-fantom +- name: Activation du dépôt Updates + ini_file: dest=/etc/yum.repos.d/fedora-updates.repo + section=updates option=enabled - value=0 - when: ansible_distribution_version|int >= 22 and ansible_architecture == "x86_64" - and ansible_distribution_release != "Rawhide" + value=1 + when: ansible_distribution_version|int >= 20 and ansible_architecture == "x86_64" + and ansible_distribution_release != "Rawhide" and outdoor is defined + diff --git a/roles/common/tasks/selinux.yml b/roles/common/tasks/selinux.yml index 7f5f9cd..a206e0d 100644 --- a/roles/common/tasks/selinux.yml +++ b/roles/common/tasks/selinux.yml 
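Review bot: The new "Désactivation du dépôt Fantom" task targets `updates-fantom.repo` with `section=updates`, but that file's section is `[updates-fantom]` (see its hunk earlier in this commit), so `ini_file` creates a new `[updates]` section containing `enabled=0` and leaves `[updates-fantom]` at `enabled=1` — on an `outdoor` host the private mirror and the newly enabled Fedora updates repo both stay active. The removed task it replaces had this right (`section=updates-testing-fantom`); the fix is `section=updates-fantom`. `outdoor is defined` also treats `outdoor: false` in inventory as outdoor; `outdoor | default(false) | bool` is the safer condition for both tasks. The hunk's first context line belongs to a task that starts outside it.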
@@ -1,3 +1,10 @@ - name: Activation de SELinux selinux: policy=targeted state=enforcing - when: ansible_distribution == "Fedora" + +- name: Rapport SELinux + copy: src=eaureport.sh dest=/etc/cron.daily/eaureport.sh mode=755 + when: ansible_selinux.status != "disabled" + +- name: Relabel système de fichier + copy: src=selinuxresto.sh dest=/etc/cron.monthly/selinuxresto.sh mode=755 + when: ansible_selinux.status != "disabled" diff --git a/roles/common/tasks/ssh.yml b/roles/common/tasks/ssh.yml index 09fae77..7e851d2 100644 --- a/roles/common/tasks/ssh.yml +++ b/roles/common/tasks/ssh.yml @@ -1,3 +1,6 @@ +- name: Activation du démon sshd + service: name=sshd state=started enabled=yes + - name: Installation de la clé ssh pour l'utilisateur root authorized_key: user=root key="{{lookup('file', 'id_rsa.pub') }}" manage_dir=yes diff --git a/roles/common/templates/hosts.j2 b/roles/common/templates/hosts.j2 index 6d2d8da..7b90647 100644 --- a/roles/common/templates/hosts.j2 +++ b/roles/common/templates/hosts.j2 @@ -1,4 +1,6 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 {{ ansible_default_ipv4.address }} {{ ansible_hostname }} +{% if ansible_default_ipv6.address is defined %} {{ ansible_default_ipv6.address }} {{ ansible_hostname }} +{% endif %} diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml index 4d64425..1120a18 100644 --- a/roles/common/vars/main.yml +++ b/roles/common/vars/main.yml @@ -1,3 +1,3 @@ minkernel: 2 -maxkernel: 10 +maxkernel: 6 logo_release: 22 diff --git a/roles/dnsserver/files/117.103.247.82.in-addr.arpa.zone b/roles/dnsserver/files/117.103.247.82.in-addr.arpa.zone index 5973ce9..ba5c4b7 100644 --- a/roles/dnsserver/files/117.103.247.82.in-addr.arpa.zone +++ b/roles/dnsserver/files/117.103.247.82.in-addr.arpa.zone 
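Review bot: Both report tasks moved into selinux.yml are gated on `ansible_selinux.status != "disabled"`, a fact gathered before the first task sets `state=enforcing`; on a host that was disabled at gather time they are skipped in this run and only land after the reboot/relabel and a second run. That may be intended, but a comment on the `when:` lines such as `# fact reflects state at gather time; a previously disabled host gets these on the next run` would make it explicit. Dropping `when: ansible_distribution == "Fedora"` also makes the `selinux` task run on CentOS, which needs `libselinux-python` first; it is in the CentOS list in pkgs.yml, so the include order in main.yml decides whether that holds.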
@@ -1,6 +1,6 @@ $ttl 86400 @ IN SOA ns1.casperlefantom.net. hostmaster.casperlefantom.net. ( - 2015050300; + 2015111501; 28800; 604800; 604800; diff --git a/roles/dnsserver/files/2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone b/roles/dnsserver/files/2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone index d24d74c..a151846 100644 --- a/roles/dnsserver/files/2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone +++ b/roles/dnsserver/files/2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone @@ -1,10 +1,10 @@ $ttl 86400 @ IN SOA ns1.casperlefantom.net. hostmaster.casperlefantom.net. ( - 2014060901; + 2015111500; 28800; 604800; 604800; 86400); IN NS ns1.casperlefantom.net. - IN PTR blackbird.casperlefantom.net. + IN PTR blackbird.home.casperlefantom.net. diff --git a/roles/dnsserver/files/244.75.154.195.in-addr.arpa.zone b/roles/dnsserver/files/244.75.154.195.in-addr.arpa.zone new file mode 100644 index 0000000..b5b7a33 --- /dev/null +++ b/roles/dnsserver/files/244.75.154.195.in-addr.arpa.zone @@ -0,0 +1,10 @@ +$ttl 86400 +@ IN SOA ns1.casperlefantom.net. hostmaster.casperlefantom.net. ( + 2015111400; + 28800; + 604800; + 604800; + 86400); + + IN NS ns1.casperlefantom.net. + IN PTR ns4.casperlefantom.net. diff --git a/roles/dnsserver/files/3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone b/roles/dnsserver/files/3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone index e69e4fd..28411ea 100644 --- a/roles/dnsserver/files/3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone +++ b/roles/dnsserver/files/3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone 
@@ -1,10 +1,10 @@ $ttl 86400 @ IN SOA ns1.casperlefantom.net. hostmaster.casperlefantom.net. ( - 2014060901; + 2015111500; 28800; 604800; 604800; 86400); IN NS ns1.casperlefantom.net. - IN PTR mosquito.casperlefantom.net. + IN PTR mosquito.home.casperlefantom.net. diff --git a/roles/dnsserver/files/4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone b/roles/dnsserver/files/4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone index 5973ce9..cdc1fef 100644 --- a/roles/dnsserver/files/4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone +++ b/roles/dnsserver/files/4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone @@ -1,10 +1,10 @@ $ttl 86400 @ IN SOA ns1.casperlefantom.net. hostmaster.casperlefantom.net. ( - 2015050300; + 2015111500; 28800; 604800; 604800; 86400); IN NS ns1.casperlefantom.net. - IN PTR lancaster.casperlefantom.net. + IN PTR lancaster.home.casperlefantom.net. diff --git a/roles/dnsserver/files/5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone b/roles/dnsserver/files/5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone new file mode 100644 index 0000000..ca91431 --- /dev/null +++ b/roles/dnsserver/files/5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone @@ -0,0 +1,10 @@ +$ttl 86400 +@ IN SOA ns1.casperlefantom.net. hostmaster.casperlefantom.net. ( + 2016120400; + 28800; + 604800; + 604800; + 86400); + + IN NS ns1.casperlefantom.net. + IN PTR falcon.home.casperlefantom.net. diff --git a/roles/dnsserver/files/admin.casperlefantom.net.zone b/roles/dnsserver/files/admin.casperlefantom.net.zone new file mode 100644 index 0000000..70522ec --- /dev/null +++ b/roles/dnsserver/files/admin.casperlefantom.net.zone 
@@ -0,0 +1,27 @@ +$ttl 86400 +admin.casperlefantom.net. IN SOA ns.admin.casperlefantom.net. hostmaster.casperlefantom.net. ( +2016120401 +10800 +3600 +604800 +38400 ) + +@ IN NS ns.admin.casperlefantom.net. + +@ IN A 82.247.103.117 +@ IN AAAA 2a01:e35:2f76:7750::4 + +ns IN A 82.247.103.117 +ns IN AAAA 2a01:e35:2f76:7750::4 + +lancaster IN A 82.247.103.117 +lancaster IN AAAA 2a01:e35:2f76:7750::4 +* IN CNAME lancaster + +bt1 IN A 82.247.103.117 +bt1 IN AAAA 2a01:e35:2f76:7750::4 + +vps128389 IN A 176.31.191.26 +vps128389 IN AAAA 2001:41d0:52:100::f2 + +sd-38449 IN A 195.154.75.244 diff --git a/roles/dnsserver/files/casperlefantom.net.zone b/roles/dnsserver/files/casperlefantom.net.zone index d8585ca..2ef4fe6 100644 --- a/roles/dnsserver/files/casperlefantom.net.zone +++ b/roles/dnsserver/files/casperlefantom.net.zone 
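Review bot: The new `admin.casperlefantom.net` zone has a single `NS` record (`ns.admin`), and the parent delegation in `casperlefantom.net.zone` lists only that name, which is below the two-server minimum RFC 2182 recommends and makes every `admin.*` name unresolvable whenever 82.247.103.117 is down. With `* IN CNAME lancaster` present, the explicit `bt1` A/AAAA pair duplicates what the wildcard already yields and can be dropped unless it is meant to diverge later. Nothing in the commit says what the zone is for; a leading `; delegated admin zone, served only from lancaster` comment would help the next reader.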
@@ -1,44 +1,52 @@ $ttl 86400 -casperlefantom.net. IN SOA ns1.casperlefantom.net. hostmaster.casperlefantom.net. ( -2015100605 +casperlefantom.net. IN SOA nsa.casperlefantom.net. hostmaster.casperlefantom.net. ( +2016120412 10800 3600 604800 38400 ) -@ IN NS ns1.casperlefantom.net. -@ IN NS ns2.casperlefantom.net. -@ IN NS ns3.casperlefantom.net. -@ IN NS ns4.casperlefantom.net. -home IN NS home.casperlefantom.net. -work IN NS work.casperlefantom.net. +@ IN NS nsa.casperlefantom.net. +@ IN NS nsc.casperlefantom.net. +@ IN NS nsd.casperlefantom.net. +home IN NS ns.home.casperlefantom.net. +admin IN NS ns.admin.casperlefantom.net. +vpn IN NS nsa.vpn.casperlefantom.net. +vpn IN NS nsb.vpn.casperlefantom.net. @ IN MX 10 mail.casperlefantom.net. -@ IN A 82.247.103.117 -@ IN AAAA 2a01:e35:2f76:7750::4 -@ IN A 178.170.111.194 -@ IN AAAA 2a00:c70:1:178:170:111:194:c0de -@ IN A 176.31.191.26 -@ IN AAAA 2001:41d0:52:100::f2 @ IN A 195.154.75.244 -www IN A 82.247.103.117 -www IN AAAA 2a01:e35:2f76:7750::4 -* IN CNAME www - home IN A 192.168.0.25 home IN AAAA 2a01:e35:2f76:7750::4 -work IN A 192.168.111.162 +ns.home.casperlefantom.net. IN A 192.168.0.25 +ns.home.casperlefantom.net. IN AAAA 2a01:e35:2f76:7750::4 + +admin IN A 82.247.103.117 +admin IN AAAA 2a01:e35:2f76:7750::4 + +ns.admin.casperlefantom.net. IN A 82.247.103.117 +ns.admin.casperlefantom.net. IN AAAA 2a01:e35:2f76:7750::4 + +vpn IN A 172.18.2.0 +nsa.vpn.casperlefantom.net. IN A 172.18.2.0 +nsb.vpn.casperlefantom.net. IN A 172.18.3.0 + + +www IN A 82.247.103.117 +www IN AAAA 2a01:e35:2f76:7750::4 +* IN CNAME www -bt1 IN A 82.247.103.117 -bt1 IN AAAA 2a01:e35:2f76:7750::4 ns1 IN A 82.247.103.117 ns1 IN AAAA 2a01:e35:2f76:7750::4 +nsa IN A 82.247.103.117 +nsa IN AAAA 2a01:e35:2f76:7750::4 + ntp1 IN A 82.247.103.117 ntp1 IN AAAA 2a01:e35:2f76:7750::4 
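Review bot: The public zone now carries private addresses as delegation glue — `home`/`ns.home` at `192.168.0.25` and the whole `vpn` delegation at `172.18.2.0`/`172.18.3.0`, which are also the only addresses in the new `vpn.casperlefantom.net.zone`. For any resolver outside those networks the `home` and `vpn` delegations are lame, resolvers with rebind protection (Unbound `private-address`, dnsmasq `--stop-dns-rebind`) drop the RFC 1918 answers outright, and the records publish the internal addressing plan to anyone who queries. Serving those two zones only from the internal/VPN resolvers (or a BIND view) and keeping their delegation out of the public zone is the usual layout; if the public delegation is deliberate, a `; intentionally delegated to internal-only servers` comment next to the `home`/`vpn` NS lines would stop a later cleanup from removing it. `172.18.2.0` and `172.18.3.0` as host addresses also read like network numbers, so it is worth confirming they are the intended endpoints.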
@@ -51,20 +59,21 @@ mail IN AAAA 2a01:e35:2f76:7750::4 smtp IN A 82.247.103.117 smtp IN AAAA 2a01:e35:2f76:7750::4 -dl IN A 82.247.103.117 -dl IN AAAA 2a01:e35:2f76:7750::4 +dl IN A 195.154.75.244 + mirror IN A 82.247.103.117 mirror IN AAAA 2a01:e35:2f76:7750::4 + jabber IN A 82.247.103.117 jabber IN AAAA 2a01:e35:2f76:7750::4 conference IN A 82.247.103.117 conference IN AAAA 2a01:e35:2f76:7750::4 -search IN A 82.247.103.117 -search IN AAAA 2a01:e35:2f76:7750::4 +search IN A 195.154.75.244 + ssl IN A 82.247.103.117 ssl IN AAAA 2a01:e35:2f76:7750::4 @@ -72,6 +81,9 @@ ssl IN AAAA 2a01:e35:2f76:7750::4 ns2 IN A 178.170.111.194 ns2 IN AAAA 2a00:c70:1:178:170:111:194:c0de +nsb IN A 178.170.111.194 +nsb IN AAAA 2a00:c70:1:178:170:111:194:c0de + ntp2 IN A 178.170.111.194 ntp2 IN AAAA 2a00:c70:1:178:170:111:194:c0de @@ -81,36 +93,31 @@ bank IN AAAA 2a01:e35:2f76:7750::4 blog IN A 82.247.103.117 blog IN AAAA 2a01:e35:2f76:7750::4 -admin IN A 82.247.103.117 -admin IN AAAA 2a01:e35:2f76:7750::4 - -tor-proxy-readme IN A 178.170.111.194 -tor-proxy-readme IN AAAA 2a00:c70:1:178:170:111:194:c0de - -tor-proxy-readme1 IN A 176.31.191.26 -tor-proxy-readme1 IN AAAA 2001:41d0:52:100::f2 - -tor-proxy-readme2 IN A 195.154.75.244 - - 69656hpv111194 IN A 178.170.111.194 69656hpv111194 IN AAAA 2a00:c70:1:178:170:111:194:c0de vps128389 IN A 176.31.191.26 vps128389 IN AAAA 2001:41d0:52:100::f2 +sd-38449 IN A 195.154.75.244 + + ns3 IN A 176.31.191.26 ns3 IN AAAA 2001:41d0:52:100::f2 +nsc IN A 176.31.191.26 +nsc IN AAAA 2001:41d0:52:100::f2 + ntp3 IN A 176.31.191.26 ntp3 IN AAAA 2001:41d0:52:100::f2 -rtig IN A 82.247.103.117 -rtig IN AAAA 2a01:e35:2f76:7750::4 +rtig IN A 195.154.75.244 -printer IN A 82.247.103.117 -printer IN AAAA 2a01:e35:2f76:7750::4 ns4 IN A 195.154.75.244 + +nsd IN A 195.154.75.244 + + ntp4 IN A 195.154.75.244 diff --git a/roles/dnsserver/files/home.casperlefantom.net.zone b/roles/dnsserver/files/home.casperlefantom.net.zone index bb1ff08..b0c6bfe 100644 
--- a/roles/dnsserver/files/home.casperlefantom.net.zone +++ b/roles/dnsserver/files/home.casperlefantom.net.zone @@ -1,6 +1,6 @@ $ttl 86400 home.casperlefantom.net. IN SOA ns.home.casperlefantom.net. hostmaster.casperlefantom.net. ( -2015100604 +2016120400 10800 3600 604800 @@ -24,6 +24,9 @@ blackbird IN AAAA 2a01:e35:2f76:7750::2 mosquito IN A 192.168.0.52 mosquito IN AAAA 2a01:e35:2f76:7750::3 +falcon IN A 192.168.0.54 +falcon IN AAAA 2a01:e35:2f76:7750::5 + vm01 IN A 192.168.0.60 vm01 IN AAAA 2a01:e35:2f76:7750::10 @@ -32,3 +35,6 @@ vm02 IN AAAA 2a01:e35:2f76:7750::11 vm03 IN A 192.168.0.62 vm03 IN AAAA 2a01:e35:2f76:7750::12 + +mirror IN A 192.168.0.25 +mirror IN AAAA 2a01:e35:2f76:7750::4 diff --git a/roles/dnsserver/files/vpn.casperlefantom.net.zone b/roles/dnsserver/files/vpn.casperlefantom.net.zone new file mode 100644 index 0000000..cead710 --- /dev/null +++ b/roles/dnsserver/files/vpn.casperlefantom.net.zone @@ -0,0 +1,20 @@ +$ttl 86400 +vpn.casperlefantom.net. IN SOA nsa.vpn.casperlefantom.net. hostmaster.casperlefantom.net. ( +2016120402 +10800 +3600 +604800 +38400 ) + +@ IN NS nsa.vpn.casperlefantom.net. +@ IN NS nsb.vpn.casperlefantom.net. + +@ IN A 172.18.2.0 + +nsa IN A 172.18.2.0 +nsb IN A 172.18.3.0 + +sd-38449 IN A 172.18.2.0 +* IN CNAME sd-38449 + +vps128389 IN A 172.18.3.0 diff --git a/roles/dnsserver/tasks/config.yml b/roles/dnsserver/tasks/config.yml index 8802577..2f8655a 100644 --- a/roles/dnsserver/tasks/config.yml +++ b/roles/dnsserver/tasks/config.yml 
@@ -10,14 +10,18 @@ owner=root group=named mode=640 - when: ansible_default_ipv6.address == master_ipv6 + when: is_dnsmaster is defined notify: reload named with_items: - casperlefantom.net.zone + - home.casperlefantom.net.zone + - admin.casperlefantom.net.zone + - vpn.casperlefantom.net.zone - exocet14.net.zone - 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone - 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone - 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone + - 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa.zone - 117.103.247.82.in-addr.arpa.zone - e.d.0.c.4.9.1.0.1.1.1.0.0.7.1.0.8.7.1.0.1.0.0.0.0.7.c.0.0.0.a.2.ip6.arpa.zone - 194.111.170.178.in-addr.arpa.zone @@ -25,6 +29,7 @@ - 2.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.2.5.0.0.0.d.1.4.1.0.0.2.ip6.arpa.zone - 216.82.26.93.in-addr.arpa.zone - 1.7.3.c.0.e.e.f.f.f.2.f.0.4.a.e.0.0.6.e.2.3.d.0.2.3.4.8.2.0.a.2.ip6.arpa.zone + - 244.75.154.195.in-addr.arpa.zone - name: Ouverture des ports Firewalld firewalld: service=dns permanent={{ item }} state=enabled diff --git a/roles/dnsserver/templates/named.conf.j2 b/roles/dnsserver/templates/named.conf.j2 index 71d7a8c..b255726 100644 --- a/roles/dnsserver/templates/named.conf.j2 +++ b/roles/dnsserver/templates/named.conf.j2 @@ -12,18 +12,21 @@ acl "whitelist-recursion" { {% endfor %} }; -{% if ansible_default_ipv6.address == master_ipv6 %} +{% if is_dnsmaster is defined %} acl "transferlist" { {{ slave1_ipv6 }}; {{ slave2_ipv6 }}; {{ slave3_ipv6 }}; {{ slave4_ipv6 }}; + {{ slave5_ipv4 }}; }; {% endif %} options { listen-on port 53 { localhost; {{ ansible_default_ipv4.address }}; }; +{% if ansible_default_ipv6.address is defined %} listen-on-v6 port 53 { localhost; {{ ansible_default_ipv6.address }}; }; +{% endif %} directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; 
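Review bot: `when: is_dnsmaster is defined` — and the matching `{% if is_dnsmaster is defined %}` / `is not defined` tests in the named.conf.j2 hunks here and at -33, -114, -146 and -169 — treats any value as true, so an inventory entry of `is_dnsmaster: false` turns a slave into a master that loads the zone files and opens `allow-transfer { transferlist; }`. `when: is_dnsmaster | default(false) | bool` (Jinja: `{% if is_dnsmaster | default(false) | bool %}`) keeps both the defined and undefined cases working while making an explicit false mean false. The `with_items` list here duplicates `zonelist` in vars/main.yml with a `.zone` suffix; iterating `{{ zonelist }}` and appending the suffix would stop the two lists from drifting, which the matching additions in this commit show is easy to do.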
@@ -33,8 +36,8 @@ options { allow-recursion { whitelist-recursion; }; allow-transfer { none; }; version "SECRET"; -{% if ansible_default_ipv6.address != master_ipv6 %} - forwarders { {{ master_ipv6 }}; }; +{% if is_dnsmaster is not defined %} + forwarders { {{ master_ipv6 }}; {{ master_ipv4 }}; }; {% endif %} dnssec-enable yes; @@ -114,7 +117,7 @@ logging { // {% block keys %}{% endblock %} -{% if ansible_default_ipv6.address == master_ipv6 %} +{% if is_dnsmaster is defined %} server {{ slave1_ipv4 }} { keys { Forwarder; }; }; @@ -146,8 +149,12 @@ server {{ slave4_ipv4 }} { server {{ slave4_ipv6 }} { keys { Forwarder; }; }; + +server {{ slave5_ipv4 }} { + keys { Forwarder; }; +}; {% endif %} -{% if ansible_default_ipv6.address != master_ipv6 %} +{% if is_dnsmaster is not defined %} server {{ master_ipv4 }} { keys { Forwarder; }; }; @@ -169,28 +176,19 @@ zone "." IN { {% for item in zonelist %} zone "{{ item }}" IN { -{% if ansible_default_ipv6.address == master_ipv6 %} +{% if is_dnsmaster is defined %} type master; allow-transfer { transferlist; }; file "{{ item }}.zone"; notify yes; {% endif %} -{% if ansible_default_ipv6.address != master_ipv6 %} +{% if is_dnsmaster is not defined %} type slave; file "{{ item }}.zone"; - masters { {{ master_ipv6 }}; }; + masters { {{ master_ipv6 }}; {{ master_ipv4 }}; }; {% endif %} }; {% endfor %} -{% if ansible_default_ipv6.address == slave2_ipv6 or ansible_default_ipv6.address == slave3_ipv6 %} -{% for item in domainlist %} -zone "{{ item }}" IN { - type master; - file "named.empty"; -}; -{% endfor %} -{% endif %} - include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; diff --git a/roles/dnsserver/vars/main.yml b/roles/dnsserver/vars/main.yml index cae95da..318244b 100644 --- a/roles/dnsserver/vars/main.yml +++ b/roles/dnsserver/vars/main.yml 
@@ -13,9 +13,13 @@ slave3_ipv6: 2a01:e35:2f76:7750::3 slave4_ipv4: 176.31.191.26 slave4_ipv6: 2001:41d0:52:100::f2 +slave5_ipv4: 195.154.75.244 + + whitelist: - localhost - 192.168.0.0/24 + - 172.18.0.0/16 - 2a01:e35:2f76:7750::/64 - 82.247.103.117 - 2a00:c70:1:178:170:111:194:c0de @@ -28,17 +32,22 @@ whitelist: zonelist: - casperlefantom.net + - home.casperlefantom.net + - admin.casperlefantom.net + - vpn.casperlefantom.net - exocet14.net - 117.103.247.82.in-addr.arpa - 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa - 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa - 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa + - 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.7.6.7.f.2.5.3.e.0.1.0.a.2.ip6.arpa - 194.111.170.178.in-addr.arpa - e.d.0.c.4.9.1.0.1.1.1.0.0.7.1.0.8.7.1.0.1.0.0.0.0.7.c.0.0.0.a.2.ip6.arpa - 26.191.31.176.in-addr.arpa - 2.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.2.5.0.0.0.d.1.4.1.0.0.2.ip6.arpa - 216.82.26.93.in-addr.arpa - 1.7.3.c.0.e.e.f.f.f.2.f.0.4.a.e.0.0.6.e.2.3.d.0.2.3.4.8.2.0.a.2.ip6.arpa + - 244.75.154.195.in-addr.arpa domainlist: - google.com diff --git a/roles/ntpserver/tasks/pkgs.yml b/roles/ntpserver/tasks/pkgs.yml index 67f3cbf..27e5424 100644 --- a/roles/ntpserver/tasks/pkgs.yml +++ b/roles/ntpserver/tasks/pkgs.yml @@ -1,7 +1,7 @@ - name: Installation du paquet NTP yum: name=ntp state=present - when: ansible_distribution == "CentOS" + when: ansible_pkg_mgr == "yum" - name: Installation du paquet Chrony dnf: name=chrony state=present - when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 22 + when: ansible_pkg_mgr == "dnf" diff --git a/roles/ntpserver/templates/chrony.conf.j2 b/roles/ntpserver/templates/chrony.conf.j2 index ba38298..e101f86 100644 --- a/roles/ntpserver/templates/chrony.conf.j2 +++ b/roles/ntpserver/templates/chrony.conf.j2 
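Review bot: `domainlist` appears to become dead in this commit: its only visible consumer, the `named.empty` zone block keyed on `slave2_ipv6`/`slave3_ipv6` in named.conf.j2, is removed in the hunk at -169, yet the variable stays (context lines `domainlist:` / `- google.com`). If nothing else in the role reads it, remove it, or leave `# unused since the empty sinkhole zones were dropped from named.conf.j2` above it so the vars file does not imply a feature that no longer exists. The list continues outside the hunk.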
@@ -1,16 +1,16 @@ # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). -{% if ansible_default_ipv6.address == ntp1_ipv6 %} +{% if ansible_hostname == "lancaster" %} server 0.fedora.pool.ntp.org iburst server 1.fedora.pool.ntp.org iburst server 2.fedora.pool.ntp.org iburst server 3.fedora.pool.ntp.org iburst {% endif %} -{% if ansible_default_ipv6.address != ntp1_ipv6 %} +{% if ansible_hostname != "lancaster" %} server ntp1.casperlefantom.net iburst {% endif %} -{% if ansible_default_ipv6.address != ntp2_ipv6 and ansible_default_ipv6.address != ntp1_ipv6 %} -server ntp2.casperlefantom.net iburst +{% if ansible_hostname != "vps128389" and ansible_hostname != "lancaster" %} +server ntp3.casperlefantom.net iburst {% endif %} # Ignore stratum in source selection. diff --git a/roles/ntpserver/templates/ntp.conf.j2 b/roles/ntpserver/templates/ntp.conf.j2 index 4fd4798..72b18b2 100644 --- a/roles/ntpserver/templates/ntp.conf.j2 +++ b/roles/ntpserver/templates/ntp.conf.j2 @@ -19,17 +19,17 @@ restrict -6 ::1 # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). -{% if ansible_default_ipv6.address == ntp1_ipv6 %} +{% if ansible_hostname == "lancaster" %} server 0.centos.pool.ntp.org iburst server 1.centos.pool.ntp.org iburst server 2.centos.pool.ntp.org iburst server 3.centos.pool.ntp.org iburst {% endif %} -{% if ansible_default_ipv6.address != ntp1_ipv6 %} +{% if ansible_hostname != "lancaster" %} server ntp1.casperlefantom.net iburst {% endif %} -{% if ansible_default_ipv6.address != ntp2_ipv6 and ansible_default_ipv6.address != ntp1_ipv6 %} -server ntp2.casperlefantom.net iburst +{% if ansible_hostname != "vps128389" and ansible_hostname != "lancaster" %} +server ntp3.casperlefantom.net iburst {% endif %} #broadcast 192.168.1.255 autokey # broadcast server 
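Review bot: The conditions in this hunk, and the identical ones in the ntp.conf.j2 hunk, hard-code the hostnames `lancaster` and `vps128389` inside the template, whereas the dnsserver change in the same commit moved the equivalent decision into a host variable (`is_dnsmaster`); a per-host flag set in inventory (for example `is_ntpmaster`) would keep the role reusable and stop a renamed host from silently switching to the public pool. As written, a host whose `ansible_hostname` is `vps128389` is left with `server ntp1.casperlefantom.net iburst` as its only source, so chrony has nothing to cross-check against and cannot reject a wrong or spoofed server; presumably that host is ntp3 itself (worth confirming), in which case a second internal server or a pool entry would restore a quorum. The `ntp2` → `ntp3` replacement also means any remaining reference to `ntp2.casperlefantom.net` elsewhere is now stale.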
diff --git a/roles/ntpserver/vars/main.yml b/roles/ntpserver/vars/main.yml deleted file mode 100644 index 8654cbd..0000000 --- a/roles/ntpserver/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -ntp1_ipv6: 2a01:e35:2f76:7750::4 -ntp2_ipv6: 2a00:c70:1:178:170:111:194:c0de diff --git a/roles/squid/handlers/main.yml b/roles/squid/handlers/main.yml deleted file mode 100644 index ca24469..0000000 --- a/roles/squid/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: restart squid - service: name=squid state=restarted diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml deleted file mode 100644 index 6acf4c3..0000000 --- a/roles/squid/tasks/main.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: Installation du paquet squid depuis le dépôt - yum: name=squid state=present - when: ansible_distribution == "CentOS" - -- name: Installation du paquet squid depuis le dépôt - dnf: name=squid state=present - when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 22 - -- name: Configuration du service - template: src=head.j2 dest=/etc/squid/squid.conf - owner=root - group=squid - mode=640 - notify: restart squid - -- name: Installation des clés et certificats serveur - copy: src=certs/{{ item.name }} dest=/etc/pki/tls/{{ item.dir }} - mode={{ item.mode }} - with_items: - - { name: 'cache.crt', dir: 'certs', mode: '644' } - - { name: 'cache.key', dir: 'private', mode: '400' } - -- name: Ouverture des ports Firewalld - firewalld: service={{ item[0] }} permanent={{ item[1] }} state=enabled - with_nested: - - [ 'http', 'https' ] - - [ 'true', 'false' ] - when: ansible_distribution == "Fedora" - -- name: Activation et démarrage du reverse proxy squid - service: name=squid state=started enabled=yes diff --git a/roles/squid/templates/head.j2 b/roles/squid/templates/head.j2 deleted file mode 100644 index d1ec7bb..0000000 --- a/roles/squid/templates/head.j2 +++ /dev/null 
@@ -1,40 +0,0 @@ -{% extends "squid.conf.j2" %} -{% block head %} -http_port {{ ansible_default_ipv4.address }}:80 vhost -http_port [{{ ansible_default_ipv6.address }}]:80 vhost - -https_port {{ ansible_default_ipv4.address }}:443 cert=/etc/pki/tls/certs/cache.crt key=/etc/pki/tls/private/cache.key cipher=HIGH:!MD5 options=NO_SSLv2,NO_SSLv3 vhost -https_port [{{ ansible_default_ipv6.address }}]:443 cert=/etc/pki/tls/certs/cache.crt key=/etc/pki/tls/private/cache.key cipher=HIGH:!MD5 options=NO_SSLv2,NO_SSLv3 vhost - -{% if is_public is defined %} -cache_peer 127.0.0.1 parent 9030 0 no-query originserver name=tor -{% endif %} -cache_peer [2a01:e35:2f76:7750::4] parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=lancaster - -acl meshotes dstdomain {{ ansible_default_ipv4.address }} [{{ ansible_default_ipv6.address }}] -{% if is_public is defined %} -acl torsites dstdomain tor-proxy-readme.casperlefantom.net tor-proxy-readme1.casperlefantom.net -{% endif %} -acl messites dstdomain {% for item in sitelist %}{{ item }} {% endfor %} {{ ansible_hostname }}.casperlefantom.net - - -http_access allow meshotes -{% if is_public is defined %} -http_access allow torsites -{% endif %} -http_access allow messites - -{% if is_public is defined %} -cache_peer_access tor allow meshotes -cache_peer_access tor allow torsites -cache_peer_access tor deny all -{% endif %} -{% if is_public is not defined %} -cache_peer_access lancaster allow meshotes -{% endif %} -cache_peer_access lancaster allow messites -cache_peer_access lancaster deny all - -cache_mgr {{ contact_mgr }} -visible_hostname {{ ansible_hostname }}.casperlefantom.net -{% endblock %} diff --git a/roles/squid/templates/squid.conf.j2 b/roles/squid/templates/squid.conf.j2 deleted file mode 100644 index 4f618a0..0000000 --- a/roles/squid/templates/squid.conf.j2 +++ /dev/null 
@@ -1,91 +0,0 @@ -{% block head %}{% endblock %} - -# -# Recommended minimum configuration: -# -{% if ansible_distribution == "CentOS" %} -acl manager proto cache_object -acl localhost src 127.0.0.1/32 ::1 -acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 -{% endif %} - -# Example rule allowing access from your local networks. -# Adapt to list your (internal) IP networks from where browsing -# should be allowed -acl localnet src 10.0.0.0/8 # RFC1918 possible internal network -acl localnet src 172.16.0.0/12 # RFC1918 possible internal network -acl localnet src 192.168.0.0/16 # RFC1918 possible internal network -acl localnet src fc00::/7 # RFC 4193 local private network range -acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines - -acl SSL_ports port 443 -acl Safe_ports port 80 # http -acl Safe_ports port 21 # ftp -acl Safe_ports port 443 # https -acl Safe_ports port 70 # gopher -acl Safe_ports port 210 # wais -acl Safe_ports port 1025-65535 # unregistered ports -acl Safe_ports port 280 # http-mgmt -acl Safe_ports port 488 # gss-http -acl Safe_ports port 591 # filemaker -acl Safe_ports port 777 # multiling http -acl CONNECT method CONNECT - -# -# Recommended minimum Access Permission configuration: -# -{% if ansible_distribution == "CentOS" %} -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager -{% endif %} - -# Deny requests to certain unsafe ports -http_access deny !Safe_ports - -# Deny CONNECT to other than secure SSL ports -http_access deny CONNECT !SSL_ports - -{% if ansible_distribution == "Fedora" %} -# Only allow cachemgr access from localhost -http_access allow localhost manager -http_access deny manager -{% endif %} - -# We strongly recommend the following be uncommented to protect innocent -# web applications running on the proxy server who think the only -# one who can access services on "localhost" is a local user -#http_access deny to_localhost - -# -# INSERT YOUR OWN RULE(S) 
HERE TO ALLOW ACCESS FROM YOUR CLIENTS -# - -# Example rule allowing access from your local networks. -# Adapt localnet in the ACL section to list your (internal) IP networks -# from where browsing should be allowed -http_access allow localnet -http_access allow localhost - -# And finally deny all other access to this proxy -http_access deny all - -# Squid normally listens to port 3128 -http_port 3128 - -{% if ansible_distribution == "CentOS" %} -# We recommend you to use at least the following line. -hierarchy_stoplist cgi-bin ? -{% endif %} - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 - -# Leave coredumps in the first cache dir -coredump_dir /var/spool/squid - -# Add any of your own refresh_pattern entries above these. -refresh_pattern ^ftp: 1440 20% 10080 -refresh_pattern ^gopher: 1440 0% 1440 -refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 -refresh_pattern . 0 20% 4320 diff --git a/roles/squid/vars/main.yml b/roles/squid/vars/main.yml deleted file mode 100644 index 9a93829..0000000 --- a/roles/squid/vars/main.yml +++ /dev/null @@ -1,6 +0,0 @@ -contact_mgr: hostmaster@casperlefantom.net -sitelist: - - casperlefantom.net - - dl.casperlefantom.net - - ns2.casperlefantom.net - - ns3.casperlefantom.net diff --git a/roles/torrelay/files/tor-dac-capabilities.pp b/roles/torrelay/files/tor-dac-capabilities.pp Binary files differnew file mode 100644 index 0000000..a6a8e85 --- /dev/null +++ b/roles/torrelay/files/tor-dac-capabilities.pp diff --git a/roles/torrelay/files/tor-exit-notice.html b/roles/torrelay/files/tor-exit-notice.html index 4d103b5..a316025 100644 --- a/roles/torrelay/files/tor-exit-notice.html +++ b/roles/torrelay/files/tor-exit-notice.html 
@@ -1,144 +1,2 @@ -<?xml version="1.0"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"> -<head> -<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> -<title>This is a Tor Exit Router</title> +It works -<!-- - -This notice is intended to be placed on a virtual host for a domain that -your Tor exit node IP reverse resolves to so that people who may be about -to file an abuse complaint would check it first before bothering you or -your ISP. Ex: -http://tor-exit.yourdomain.org or http://tor-readme.yourdomain.org. - -This type of setup has proven very effective at reducing abuse complaints -for exit node operators. - -There are a few places in this document that you may want to customize. -They are marked with FIXME. - ---> - -</head> -<body> - -<p style="text-align:center; font-size:xx-large; font-weight:bold">This is a -Tor Exit Router</p> - -<p> -Most likely you are accessing this website because you had some issue with -the traffic coming from this IP. This router is part of the <a -href="https://www.torproject.org/">Tor Anonymity Network</a>, which is -dedicated to <a href="https://www.torproject.org/about/overview">providing -privacy</a> to people who need it most: average computer users. 
This -router IP should be generating no other traffic, unless it has been -compromised.</p> - - -<!-- FIXME: you should probably grab your own copy of how_tor_works_thumb.png - and serve it locally --> - -<p style="text-align:center"> -<a href="https://www.torproject.org/about/overview"> -<img src="https://www.torproject.org/images/how_tor_works_thumb.png" alt="How Tor works" style="border-style:none"/> -</a></p> - -<p> -Tor sees use by <a href="https://www.torproject.org/about/torusers">many -important segments of the population</a>, including whistle blowers, -journalists, Chinese dissidents skirting the Great Firewall and oppressive -censorship, abuse victims, stalker targets, the US military, and law -enforcement, just to name a few. While Tor is not designed for malicious -computer users, it is true that they can use the network for malicious ends. -In reality however, the actual amount of <a -href="https://www.torproject.org/docs/faq-abuse">abuse</a> is quite low. This -is largely because criminals and hackers have significantly better access to -privacy and anonymity than do the regular users whom they prey upon. Criminals -can and do <a -href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html">build, -sell, and trade</a> far larger and <a -href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributing_your.html">more -powerful networks</a> than Tor on a daily basis. Thus, in the mind of this -operator, the social need for easily accessible censorship-resistant private, -anonymous communication trumps the risk of unskilled bad actors, who are -almost always more easily uncovered by traditional police work than by -extensive monitoring and surveillance anyway.</p> - -<p> -In terms of applicable law, the best way to understand Tor is to consider it a -network of routers operating as common carriers, much like the Internet -backbone. 
However, unlike the Internet backbone routers, Tor routers -explicitly do not contain identifiable routing information about the source of -a packet, and no single Tor node can determine both the origin and destination -of a given transmission.</p> - -<p> -As such, there is little the operator of this router can do to help you track -the connection further. This router maintains no logs of any of the Tor -traffic, so there is little that can be done to trace either legitimate or -illegitimate traffic (or to filter one from the other). Attempts to -seize this router will accomplish nothing.</p> - -<!-- FIXME: US-Only section. Remove if you are a non-US operator --> -<!-- -<p> -Furthermore, this machine also serves as a carrier of email, which means that -its contents are further protected under the ECPA. <a -href="http://www.law.cornell.edu/uscode/text/18/2707">18 -USC 2707</a> explicitly allows for civil remedies ($1000/account -<i><b>plus</b></i> legal fees) -in the event of a seizure executed without good faith or probable cause (it -should be clear at this point that traffic with an originating IP address of -FIXME_DNS_NAME should not constitute probable cause to seize the -machine). Similar considerations exist for 1st amendment content on this -machine.</p> ---> -<!-- FIXME: May or may not be US-only. Some non-US tor nodes have in - fact reported DMCA harassment... --> - -<p> -If you are a representative of a company who feels that this router is being -used to violate the DMCA, please be aware that this machine does not host or -contain any illegal content. Also be aware that network infrastructure -maintainers are not liable for the type of content that passes over their -equipment, in accordance with <a -href="http://www.law.cornell.edu/uscode/text/17/512">DMCA -"safe harbor" provisions</a>. In other words, you will have just as much luck -sending a takedown notice to the Internet backbone providers. 
Please consult -<a href="https://www.torproject.org/eff/tor-dmca-response">EFF's prepared -response</a> for more information on this matter.</p> - -<p>For more information, please consult the following documentation:</p> - -<ol> -<li><a href="https://www.torproject.org/about/overview">Tor Overview</a></li> -<li><a href="https://www.torproject.org/docs/faq-abuse">Tor Abuse FAQ</a></li> -<li><a href="https://www.torproject.org/eff/tor-legal-faq">Tor Legal FAQ</a></li> -</ol> - -<p> -That being said, if you still have a complaint about the router, you may -email the <a href="mailto:hostmaster@casperlefantom.net?subject=Tor%20exit%20node">maintainer</a>. If -complaints are related to a particular service that is being abused, I will -consider removing that service from my exit policy, which would prevent my -router from allowing that traffic to exit through it. I can only do this on an -IP+destination port basis, however. Common P2P ports are -already blocked.</p> - -<p> -You also have the option of blocking this IP address and others on -the Tor network if you so desire. The Tor project provides a <a -href="https://check.torproject.org/cgi-bin/TorBulkExitList.py">web service</a> -to fetch a list of all IP addresses of Tor exit nodes that allow exiting to a -specified IP:port combination, and an official <a -href="https://www.torproject.org/tordnsel/dist/">DNSRBL</a> is also available to -determine if a given IP address is actually a Tor exit server. Please -be considerate -when using these options. It would be unfortunate to deny all Tor users access -to your site indefinitely simply because of a few bad apples.</p> - -</body> -</html> diff --git a/roles/torrelay/files/tor-exit-notice_orig.html b/roles/torrelay/files/tor-exit-notice_orig.html new file mode 100644 index 0000000..4d103b5 --- /dev/null +++ b/roles/torrelay/files/tor-exit-notice_orig.html 
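Review bot: The deployed notice is reduced to the single line `It works`, yet torrc.j2 in this same commit still sets `DirPortFrontPage /usr/local/share/tor/tor-exit-notice.html` for every public relay, so the page that an abuse complainant reaches on the DirPort no longer says that the address is a Tor exit or gives the `hostmaster@casperlefantom.net` contact, and that explanation is the main thing that keeps complaints off the operator and the ISP. The full text survives as tor-exit-notice_orig.html, but the copy task visible in the `#main.yml#` hunk (and presumably the real tasks/main.yml) ships only tor-exit-notice.html, so the original is never served. If this is a temporary placeholder, a `<!-- placeholder: restore from tor-exit-notice_orig.html before the exit relays are redeployed -->` comment in the file would make that explicit.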
@@ -0,0 +1,144 @@ +<?xml version="1.0"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> +<title>This is a Tor Exit Router</title> + +<!-- + +This notice is intended to be placed on a virtual host for a domain that +your Tor exit node IP reverse resolves to so that people who may be about +to file an abuse complaint would check it first before bothering you or +your ISP. Ex: +http://tor-exit.yourdomain.org or http://tor-readme.yourdomain.org. + +This type of setup has proven very effective at reducing abuse complaints +for exit node operators. + +There are a few places in this document that you may want to customize. +They are marked with FIXME. + +--> + +</head> +<body> + +<p style="text-align:center; font-size:xx-large; font-weight:bold">This is a +Tor Exit Router</p> + +<p> +Most likely you are accessing this website because you had some issue with +the traffic coming from this IP. This router is part of the <a +href="https://www.torproject.org/">Tor Anonymity Network</a>, which is +dedicated to <a href="https://www.torproject.org/about/overview">providing +privacy</a> to people who need it most: average computer users. 
This +router IP should be generating no other traffic, unless it has been +compromised.</p> + + +<!-- FIXME: you should probably grab your own copy of how_tor_works_thumb.png + and serve it locally --> + +<p style="text-align:center"> +<a href="https://www.torproject.org/about/overview"> +<img src="https://www.torproject.org/images/how_tor_works_thumb.png" alt="How Tor works" style="border-style:none"/> +</a></p> + +<p> +Tor sees use by <a href="https://www.torproject.org/about/torusers">many +important segments of the population</a>, including whistle blowers, +journalists, Chinese dissidents skirting the Great Firewall and oppressive +censorship, abuse victims, stalker targets, the US military, and law +enforcement, just to name a few. While Tor is not designed for malicious +computer users, it is true that they can use the network for malicious ends. +In reality however, the actual amount of <a +href="https://www.torproject.org/docs/faq-abuse">abuse</a> is quite low. This +is largely because criminals and hackers have significantly better access to +privacy and anonymity than do the regular users whom they prey upon. Criminals +can and do <a +href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html">build, +sell, and trade</a> far larger and <a +href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributing_your.html">more +powerful networks</a> than Tor on a daily basis. Thus, in the mind of this +operator, the social need for easily accessible censorship-resistant private, +anonymous communication trumps the risk of unskilled bad actors, who are +almost always more easily uncovered by traditional police work than by +extensive monitoring and surveillance anyway.</p> + +<p> +In terms of applicable law, the best way to understand Tor is to consider it a +network of routers operating as common carriers, much like the Internet +backbone. 
However, unlike the Internet backbone routers, Tor routers +explicitly do not contain identifiable routing information about the source of +a packet, and no single Tor node can determine both the origin and destination +of a given transmission.</p> + +<p> +As such, there is little the operator of this router can do to help you track +the connection further. This router maintains no logs of any of the Tor +traffic, so there is little that can be done to trace either legitimate or +illegitimate traffic (or to filter one from the other). Attempts to +seize this router will accomplish nothing.</p> + +<!-- FIXME: US-Only section. Remove if you are a non-US operator --> +<!-- +<p> +Furthermore, this machine also serves as a carrier of email, which means that +its contents are further protected under the ECPA. <a +href="http://www.law.cornell.edu/uscode/text/18/2707">18 +USC 2707</a> explicitly allows for civil remedies ($1000/account +<i><b>plus</b></i> legal fees) +in the event of a seizure executed without good faith or probable cause (it +should be clear at this point that traffic with an originating IP address of +FIXME_DNS_NAME should not constitute probable cause to seize the +machine). Similar considerations exist for 1st amendment content on this +machine.</p> +--> +<!-- FIXME: May or may not be US-only. Some non-US tor nodes have in + fact reported DMCA harassment... --> + +<p> +If you are a representative of a company who feels that this router is being +used to violate the DMCA, please be aware that this machine does not host or +contain any illegal content. Also be aware that network infrastructure +maintainers are not liable for the type of content that passes over their +equipment, in accordance with <a +href="http://www.law.cornell.edu/uscode/text/17/512">DMCA +"safe harbor" provisions</a>. In other words, you will have just as much luck +sending a takedown notice to the Internet backbone providers. 
Please consult +<a href="https://www.torproject.org/eff/tor-dmca-response">EFF's prepared +response</a> for more information on this matter.</p> + +<p>For more information, please consult the following documentation:</p> + +<ol> +<li><a href="https://www.torproject.org/about/overview">Tor Overview</a></li> +<li><a href="https://www.torproject.org/docs/faq-abuse">Tor Abuse FAQ</a></li> +<li><a href="https://www.torproject.org/eff/tor-legal-faq">Tor Legal FAQ</a></li> +</ol> + +<p> +That being said, if you still have a complaint about the router, you may +email the <a href="mailto:hostmaster@casperlefantom.net?subject=Tor%20exit%20node">maintainer</a>. If +complaints are related to a particular service that is being abused, I will +consider removing that service from my exit policy, which would prevent my +router from allowing that traffic to exit through it. I can only do this on an +IP+destination port basis, however. Common P2P ports are +already blocked.</p> + +<p> +You also have the option of blocking this IP address and others on +the Tor network if you so desire. The Tor project provides a <a +href="https://check.torproject.org/cgi-bin/TorBulkExitList.py">web service</a> +to fetch a list of all IP addresses of Tor exit nodes that allow exiting to a +specified IP:port combination, and an official <a +href="https://www.torproject.org/tordnsel/dist/">DNSRBL</a> is also available to +determine if a given IP address is actually a Tor exit server. Please +be considerate +when using these options. It would be unfortunate to deny all Tor users access +to your site indefinitely simply because of a few bad apples.</p> + +</body> +</html> diff --git a/roles/torrelay/tasks/#main.yml# b/roles/torrelay/tasks/#main.yml# new file mode 100644 index 0000000..4865bea --- /dev/null +++ b/roles/torrelay/tasks/#main.yml# 
@@ -0,0 +1,79 @@ +## paquet pourri +##- name: Installation du paquet centos6 Tor depuis torproject.org +## yum: name=https://deb.torproject.org/torproject.org/rpm/el/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/tor-{{ versionupstream }}-tor.1.rh6_7.{{ ansible_architecture }}.rpm state=present +## when: ansible_distribution == "CentOS" and ansible_distribution_major_version|int == 6 + +- name: Installation du paquet centos Tor depuis torproject.org + yum: name=https://deb.torproject.org/torproject.org/rpm/el/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/tor-{{ versionupstream }}-tor.1.rh7_1_1503.{{ ansible_architecture }}.rpm state=present + when: ansible_distribution == "CentOS" and ansible_distribution_major_version|int == 7 + +- name: Installation du paquet Tor depuis le dépôt + yum: name=tor state=present + when: ansible_distribution == "Fedora" and ansible_distribution_version|int <= 21 + +- name: Installation du paquet Tor depuis le dépôt + dnf: name=tor state=present + when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 22 + +- name: Installation de paquets optionnels depuis le dépôt + yum: name={{ item }} state=present + with_items: + - tor-arm + - proxychains + when: ansible_distribution == "Fedora" and ansible_distribution_version|int <= 21 + +- name: Installation de paquets optionnels depuis le dépôt + dnf: name={{ item }} state=present + with_items: + - tor-arm + - proxychains + when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 22 + +- name: Configuration de proxychains + copy: src=proxychains.conf dest=/etc/proxychains.conf + mode=644 + when: ansible_distribution == "Fedora" + +- name: Création des répertoires de base + file: path=/usr/local/share/tor state=directory + +- name: Installation de la page d'accueil html + copy: src=tor-exit-notice.html dest=/usr/local/share/tor/tor-exit-notice.html + mode=644 + +- name: Configuration du service + template: 
src=keys.j2 dest=/etc/tor/torrc + owner=root + group=root + mode=644 + +- name: Ouverture des ports Firewalld standards + firewalld: port={{ item[0] }} permanent={{ item[1] }} state=enabled + with_nested: + - [ '9001/tcp', '9030/tcp' ] + - [ 'true', 'false' ] + when: ansible_distribution == "Fedora" and is_public is defined + +- name: Ouverture des ports Firewalld spéciaux + firewalld: service={{ item[0] }} permanent={{ item[1] }} state=enabled + with_nested: + - [ 'http', 'https' ] + - [ 'true', 'false' ] + when: ansible_distribution == "Fedora" and is_gardian is defined + +- name: Déploiement du module SELinux pour hidden_services + copy: src=tor-selinux-f22-policy-module.pp dest=/root/tor-selinux-f22-policy-module.pp + mode=644 + when: ansible_distribution == "Fedora" + +- name: Déploiement du module SELinux pour hidden_services + copy: src=tor-selinux-centos6.6-policy-module.pp dest=/root/tor-selinux-centos6.6-policy-module.pp + mode=644 + when: ansible_distribution == "CentOS" + +- name: Configuration du booleen SELinux + seboolean: name=tor_can_network_relay state=yes persistent=yes + when: ansible_selinux.status != "disabled" and is_gardian is defined + +- name: Activation et démarrage du relai Tor + service: name=tor state=started enabled=yes diff --git a/roles/torrelay/tasks/main.yml b/roles/torrelay/tasks/main.yml index fd8cd15..a5d8072 100644 --- a/roles/torrelay/tasks/main.yml +++ b/roles/torrelay/tasks/main.yml 
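Review bot: `roles/torrelay/tasks/#main.yml#` is an Emacs auto-save file (the `#name#` pattern) and this hunk commits its full 79-line contents next to the real tasks/main.yml; Ansible only loads `main.yml`, so the copy is dead, but it already disagrees with the real file (it lacks the `tor-dac-capabilities.pp` task that the tasks/main.yml hunk adds) and gives the next reader two contradictory versions of the role. Drop it from the commit and add `\#*\#` and `*~` to .gitignore so editor artifacts cannot be staged again.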
@@ -1,7 +1,11 @@ -- name: Installation du paquet Tor depuis torproject.org - yum: name=https://deb.torproject.org/torproject.org/rpm/el/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/tor-{{ versionupstream }}-tor.1.rh6_6.{{ ansible_architecture }}.rpm state=present +- name: Installation du paquet centos6 Tor depuis torproject.org + yum: name=https://deb.torproject.org/torproject.org/rpm/el/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/tor-{{ versionupstream }}-tor.1.rh6_7.{{ ansible_architecture }}.rpm state=present when: ansible_distribution == "CentOS" and ansible_distribution_major_version|int == 6 +- name: Installation du paquet centos Tor depuis torproject.org + yum: name=https://deb.torproject.org/torproject.org/rpm/el/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/tor-{{ versionupstream }}-tor.1.rh7_1_1503.{{ ansible_architecture }}.rpm state=present + when: ansible_distribution == "CentOS" and ansible_distribution_major_version|int == 7 + - name: Installation du paquet Tor depuis le dépôt yum: name=tor state=present when: ansible_distribution == "Fedora" and ansible_distribution_version|int <= 21 @@ -61,6 +65,11 @@ mode=644 when: ansible_distribution == "Fedora" +- name: Déploiement du module SELinux pour AVC dac error + copy: src=tor-dac-capabilities.pp dest=/root/tor-dac-capabilities.pp + mode=644 + when: ansible_distribution == "Fedora" + - name: Déploiement du module SELinux pour hidden_services copy: src=tor-selinux-centos6.6-policy-module.pp dest=/root/tor-selinux-centos6.6-policy-module.pp mode=644 diff --git a/roles/torrelay/templates/torrc.j2 b/roles/torrelay/templates/torrc.j2 index b2dff22..26bde28 100644 --- a/roles/torrelay/templates/torrc.j2 +++ b/roles/torrelay/templates/torrc.j2 
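Review bot: The added CentOS 7 task installs Tor by passing a full RPM URL to `yum: name=https://deb.torproject.org/...`, pinning one hard-coded build string (`tor.1.rh7_1_1503`) and, unless `localpkg_gpgcheck=1` is set and the Tor Project signing key is imported on the host, verifying only the TLS connection rather than the package signature; neither setting is visible in this hunk. Configuring the Tor Project yum repository with `gpgcheck=1` and its `gpgkey`, then installing `tor` by name as the Fedora tasks already do with `yum: name=tor state=present`, gives signature verification and updates for free and removes the `versionupstream` pin that vars/main.yml bumps by hand in this commit. The `rh6_7` change in the first task is the same pattern for CentOS 6.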
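Review bot: The second hunk copies `tor-dac-capabilities.pp` to /root but nothing in the hunk loads it, so unless a task outside this view runs `semodule -i /root/tor-dac-capabilities.pp` the AVC it targets is not actually addressed; a command task with `creates:`, or a handler notified by the copy, would make the copy effective. The task name suggests the module silences a DAC denial, which normally means granting tor_t `dac_override` or `dac_read_search`; if the denial comes from a file tor reads that is owned by another user, fixing the file's owner or group is the narrower remedy than widening the policy. Since the binary .pp added in this commit cannot be reviewed here, a comment on the task naming the allow rules it contains would help whoever audits the policy later.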
@@ -1,7 +1,5 @@ Log notice file /var/log/tor/notices.log Log warn file /var/log/tor/warnings.log -RunAsDaemon 1 -DataDirectory /var/lib/tor # Here are ControlPort configuration imported from ansible template keys.j2 # # for exemple: 
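Review bot: Dropping `DataDirectory /var/lib/tor` makes the rendered torrc depend on the package supplying that path via its systemd unit or a defaults torrc; if it does not, tor falls back to its compiled default under the running user's home directory, the relay's existing identity keys in /var/lib/tor are not used, and the relay comes up with a new fingerprint that no longer matches the `fingerprints` list in vars/main.yml. Because this role overwrites /etc/tor/torrc on both the Fedora and the torproject CentOS packages, it is worth confirming the default on each, or simply keeping the explicit `DataDirectory /var/lib/tor` line, which is harmless when it matches the package's value. Removing `RunAsDaemon 1` is the right call for a systemd-managed service.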
@@ -9,83 +7,80 @@ DataDirectory /var/lib/tor # HashedControlPassword my-hashed-password-here # {% block keys %}{% endblock %} + + HiddenServiceDir /var/lib/tor/hidden_service1/ HiddenServicePort 22 127.0.0.1:22 +HiddenServicePort 54444 127.0.0.1:54444 -{% if is_public is defined %} -HiddenServicePort 9030 127.0.0.1:9030 -{% endif %} - -HiddenServicePort 80 127.0.0.1:80 -HiddenServicePort 443 127.0.0.1:443 -{% if is_mail is defined %} +{% if ansible_hostname == "lancaster" %} +HiddenServicePort 9030 127.0.0.1:9030 +HiddenServicePort 80 127.0.0.1:4433 HiddenServicePort 143 127.0.0.1:143 HiddenServicePort 993 127.0.0.1:993 HiddenServicePort 25 127.0.0.1:25 HiddenServicePort 587 127.0.0.1:587 -{% endif %} - -{% if is_jabber is defined %} HiddenServicePort 5222 127.0.0.1:5222 +HiddenServicePort 9090 127.0.0.1:9090 +HiddenServiceDir /var/lib/tor/hidden_service2/ +HiddenServicePort 80 127.0.0.1:4433 +HiddenServiceDir /var/lib/tor/hidden_service3/ +HiddenServicePort 80 127.0.0.1:4433 +HiddenServiceDir /var/lib/tor/hidden_service4/ +HiddenServicePort 80 127.0.0.1:4434 +HiddenServicePort 443 127.0.0.1:4434 {% endif %} -{% if is_bitcoin is defined %} -HiddenServicePort 8333 127.0.0.1:8333 -{% endif %} -{% if is_seeks is defined %} -HiddenServiceDir /var/lib/tor/hidden_service2/ +{% if ansible_hostname == "sd-38449" %} HiddenServicePort 80 127.0.0.1:80 HiddenServicePort 443 127.0.0.1:443 {% endif %} + {% if is_public is defined %} ORPort {{ orport }} - {% if tor_address is defined %} Address {{ tor_address }} {% endif %} - Nickname {{ nickname }} RelayBandwidthRate {{ bprate }} RelayBandwidthBurst {{ bpburst }} ContactInfo {{ contactinfo }} DirPort {{ dirport }} - - -{% if is_exit is defined %} DirPortFrontPage /usr/local/share/tor/tor-exit-notice.html -{% endif %} - {% endif %} + {% if is_gardian is defined %} ORPort {{ httpsport }} - {% if tor_address is defined %} Address {{ tor_address }} {% endif %} - Nickname {{ nickname }} RelayBandwidthRate {{ bprate }} 
RelayBandwidthBurst {{ bpburst }} ContactInfo {{ contactinfo }} DirPort {{ httpport }} DirPortFrontPage /usr/local/share/tor/tor-exit-notice.html + {% endif %} + MyFamily {% for item in fingerprints %}${{ item }}, {% endfor %} + {% if is_exit is defined %} ExitRelay 1 {%endif %} + {% if is_exit is not defined %} ExitPolicy reject *:* {% endif %} diff --git a/roles/torrelay/vars/main.yml b/roles/torrelay/vars/main.yml index 36e1826..2537806 100644 --- a/roles/torrelay/vars/main.yml +++ b/roles/torrelay/vars/main.yml @@ -1,11 +1,10 @@ orport: 9001 contactinfo: '0x83288189 Casper <fantom AT fedoraproject dot org>' dirport: 9030 -versionupstream: 0.2.6.10 +versionupstream: 0.2.7.6 fingerprints: - - D8AE9C760B74AFE3CA0F48EEB21271E22CF25F7A - C9B3C1661A9577BA24C1C2C6123918921A495509 - - 8AAACCAEF793C4C55999A53DC1FFFA43D9FFE224 + - 7350AB9ED7568F22745198359373C04AC783C37C - BB60F5BA113A0B8B44B7B37DE3567FE561E92F78 httpport: 80 httpsport: 443 diff --git a/roles/yum-updatesd/files/yum-updatesd.conf b/roles/yum-updatesd/files/yum-updatesd.conf deleted file mode 100644 index a60fa61..0000000 --- a/roles/yum-updatesd/files/yum-updatesd.conf +++ /dev/null @@ -1,18 +0,0 @@ -[main] -# how often to check for new updates (in seconds) -run_interval = 10800 -# how often to allow checking on request (in seconds) -updaterefresh = 1800 - -# how to send notifications (valid: dbus, email, syslog) -emit_via = email -# should we listen via dbus to give out update information/check for -# new updates -dbus_listener = yes - -# automatically install updates -do_update = yes -# automatically download updates -do_download = no -# automatically download deps of updates -do_download_deps = no diff --git a/roles/yum-updatesd/handlers/main.yml b/roles/yum-updatesd/handlers/main.yml deleted file mode 100644 index df562f5..0000000 --- a/roles/yum-updatesd/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: restart yum-updatesd - service: name=yum-updatesd state=restarted 
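Review bot: The new side replaces the role's feature flags (`is_mail`, `is_jabber`, `is_bitcoin`, `is_seeks`) with branches on `ansible_hostname == "lancaster"` and `"sd-38449"`, so the torrelay role now carries inventory knowledge and any other host silently gets only the two ports above the first `{% if %}`; a per-host list of hidden services in host_vars, iterated by the template, would keep the role reusable and make each host's exposure reviewable in one place. `HiddenServicePort 54444 127.0.0.1:54444` is added unconditionally for every host with no comment saying what listens there, unlike the well-known ports around it; a short comment, `# 54444: <SERVICE-PLACEHOLDER>`, is needed for anyone auditing what each onion exposes. Three of the lancaster onions (service1, service2, service3) all map port 80 to `127.0.0.1:4433`, which only works if that listener tells them apart by Host header; worth stating in a comment next to the first of them.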
diff --git a/roles/yum-updatesd/tasks/main.yml b/roles/yum-updatesd/tasks/main.yml deleted file mode 100644 index 1596987..0000000 --- a/roles/yum-updatesd/tasks/main.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: Installation du paquet Yum-Updatesd - yum: name=yum-updatesd state=present - when: ansible_distribution == "Fedora" and ansible_distribution_version|int <= 21 - -- name: Installation du paquet Yum-Updatesd - dnf: name=yum-updatesd state=present - when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 22 - -- name: Configuration du service Yum-Updatesd - copy: src=yum-updatesd.conf dest=/etc/yum/yum-updatesd.conf mode=644 - notify: restart yum-updatesd - when: ansible_distribution == "Fedora" - -- name: Activation et démarrage du service Yum-Updatesd - service: name=yum-updatesd state=started enabled=yes - when: ansible_distribution == "Fedora" diff --git a/site.retry b/site.retry new file mode 100644 index 0000000..fcb2ab3 --- /dev/null +++ b/site.retry @@ -0,0 +1,2 @@ +bpr7drsao5vozzr5.onion +d72vewh3wa4lwpaj.onion @@ -6,7 +6,6 @@ - include: ntpserver.yml - include: clients.yml -- include: yum-updatesd.yml - include: dnsserver.yml - include: torrelay.yml -- include: squid.yml + diff --git a/squid.yml b/squid.yml deleted file mode 100644 index feda70f..0000000 --- a/squid.yml +++ /dev/null @@ -1,4 +0,0 @@ -- hosts: proxies - remote_user: root - roles: - - squid diff --git a/yum-updatesd.yml b/yum-updatesd.yml deleted file mode 100644 index c28aedc..0000000 --- a/yum-updatesd.yml +++ /dev/null @@ -1,4 +0,0 @@ -- hosts: yum-updatesd - remote_user: root - roles: - - yum-updatesd |
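Review bot: `site.retry` is the file Ansible writes automatically when a play fails, listing the hosts to re-run; committing it adds generated state to the repository, and here that state is two .onion hostnames, which tells anyone with read access to the repo which onion addresses are administered from it. It should be removed and matched in .gitignore (`*.retry`), or retry files turned off with `retry_files_enabled = False` in ansible.cfg.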
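Review bot: Removing `- include: yum-updatesd.yml` drops the only unattended-update mechanism visible in this diff (the deleted role's config set `do_update = yes`), and nothing in this chunk adds a replacement such as dnf-automatic; if Fedora hosts are now meant to be patched by hand, the commit message or a comment in the playbook should say so, since this changes the hosts' patch posture rather than just removing obsolete code. The trailing `+` blank line after the include list looks accidental. The file header for this hunk is not visible; it appears to be site.yml.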