
5 commits
master ... logs

Author SHA1 Message Date
761df9d0b3 Add opendistro_common for OpenDistro repository
Some checks failed
continuous-integration/drone/push Build is failing
2021-03-03 21:45:56 +01:00
d9fe57481a Add elastic_common role for Elastic repository 2021-03-03 21:45:17 +01:00
bd5b2e1fbe Add apt_common role for third party repositories 2021-03-03 21:44:37 +01:00
84b3407b34 Add elastic.adm.auro.re 2021-03-03 21:43:23 +01:00
7ada2fe769 WIP: add a role for ulogd2
Some checks failed
continuous-integration/drone/push Build is failing
2021-03-03 03:02:53 +01:00
12 changed files with 232 additions and 0 deletions

1
hosts

@ -38,6 +38,7 @@ prometheus-aurore.adm.auro.re
portail.adm.auro.re portail.adm.auro.re
jitsi-aurore.adm.auro.re jitsi-aurore.adm.auro.re
log.adm.auro.re log.adm.auro.re
elastic.adm.auro.re
[aurore_testing_vm] [aurore_testing_vm]
pendragon.adm.auro.re pendragon.adm.auro.re


@ -0,0 +1,19 @@
---
- name: Install GnuPG (to manage the APT keystore)
become: true
apt:
name: gnupg2
state: latest
- name: Install common CA certificates
become: true
apt:
name: ca-certificates
state: latest
- name: Ensure that APT can use HTTPS repositories
become: true
apt:
name: apt-transport-https
state: latest
...
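Review bot: All three tasks use `state: latest`, so every playbook run may upgrade `gnupg2`, `ca-certificates` and `apt-transport-https` as a side effect instead of only guaranteeing they are installed. For prerequisites, `state: present` keeps runs idempotent and leaves upgrades to the normal patching process. The three tasks can also be folded into one `apt` task whose `name:` is a list of the three packages. None of the tasks sets `update_cache: true`, so on a host with a stale or empty package index the install may fail. The same `state: latest` appears in the "Install default JRE" tasks and in "Install ulogd2" further down.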


@ -0,0 +1,31 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)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=92oX
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,4 @@
---
dependencies:
- role: apt_common
...


@ -0,0 +1,20 @@
---
- name: Trust Elastic GPG key
become: true
apt_key:
data: "{{ lookup('file', 'elastic.gpg') }}"
state: present
- name: Install Elastic OSS repository
become: true
apt_repository:
repo: deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main
state: present
filename: elastic-oss-7
- name: Install default JRE
become: true
apt:
name: default-jre-headless
state: latest
...
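Review bot: The `apt_key` task adds the Elastic key to APT's global trusted keyring, so the key is accepted for packages from every configured repository, not only artifacts.elastic.co. Scope it by copying the key file to a dedicated keyring path and referencing that path with `signed-by=` on the `repo:` line; an ASCII-armored key needs an `.asc` suffix there, and the APT version on the target hosts should be checked for support. The OpenDistro tasks section has the same pattern with `opendistro.gpg`. A comment recording the expected key fingerprint beside the task would let a later change to the key file be checked against the vendor's published value.

```yaml
- name: Install Elastic GPG key for this repository only
  become: true
  copy:
    src: elastic.gpg
    dest: /usr/share/keyrings/elastic.asc
    owner: root
    group: root
    mode: u=rw,g=r,o=r
- name: Install Elastic OSS repository
  become: true
  apt_repository:
    repo: >-
      deb [signed-by=/usr/share/keyrings/elastic.asc]
      https://artifacts.elastic.co/packages/oss-7.x/apt stable main
    # … unchanged: state, filename …
```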


@ -0,0 +1,53 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2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=l21b
-----END PGP PUBLIC KEY BLOCK-----


@ -0,0 +1,4 @@
---
dependencies:
- role: apt_common
...


@ -0,0 +1,20 @@
---
- name: Trust OpenDistro GPG key
become: true
apt_key:
data: "{{ lookup('file', 'opendistro.gpg') }}"
state: present
- name: Install OpenDistro repository
become: true
apt_repository:
repo: deb https://d3g5vo6xdbdb9a.cloudfront.net/apt stable main
state: present
filename: opendistro
- name: Install default JRE
become: true
apt:
name: default-jre-headless
state: latest
...
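Review bot: The `repo:` line points at a bare CloudFront distribution hostname (`d3g5vo6xdbdb9a.cloudfront.net`), which gives a reader no way to tell from the task that this is the vendor's repository. If this is the URL given in the Open Distro installation documentation, say so in a comment above the task, e.g. `# APT repository URL as published in the Open Distro install docs (CloudFront-hosted)`. The "Install default JRE" task is also duplicated verbatim from the Elastic role; moving it to a shared role would keep the two from drifting.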


@ -0,0 +1,3 @@
---
ulogd2_plugins_dir: /usr/lib/x86_64-linux-gnu/ulogd
...


@ -0,0 +1,6 @@
---
- name: Restart ulogd2
systemd:
name: ulogd.service
state: reloaded
...
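Review bot: The handler is named "Restart ulogd2" but uses `state: reloaded`, and it has no `become: true` although every task in the role sets it. Unless the play itself escalates privileges, the `systemd` call will fail when the configuration template changes, and the new `/etc/ulogd.conf` will not take effect. A reload may also not re-read the plugin and stack definitions; that should be confirmed against ulogd's signal handling. Suggested: add `become: true` and use `state: restarted`, or rename the handler to "Reload ulogd2" if reload is intended.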


@ -0,0 +1,24 @@
---
- name: Install ulogd2
become: true
apt:
name: ulogd2
state: latest
- name: Configure ulogd2
become: true
template:
src: ulogd.conf.j2
dest: /etc/ulogd.conf
owner: root
group: root
mode: u=rw,g=r,o=
notify: Restart ulogd2
- name: Enable ulogd2
become: true
systemd:
name: ulogd.service
enabled: true
state: started
...


@ -0,0 +1,47 @@
{{ ansible_managed | comment }}
# HWADDR, PRINTFLOW, MARK, NFACCT (pour ct) ?
{%
set plugins = [
"ulogd2_inppkt_NFLOG.so",
"ulogd2_filter_IFINDEX.so",
"ulogd2_filter_IP2STR.so",
"ulogd2_filter_PRINTPKT.so",
"ulogd2_filter_PRINTPKT.so",
"ulogd2_output_SYSLOG.so",
"ulogd2_raw2packet_BASE.so",
]
%}
[global]
logfile="syslog"
loglevel=3
{% for plugin in plugins %}
plugin="{{ ulogd2_plugins_dir }}/{{ plugin }}"
{% endfor %}
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
[ct1]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
#pollinterval=10 # use poll-based logging instead of event-driven
# If pollinterval is not set, NFCT plugin will work in event mode
# In this case, you can use the following filters on events:
#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
#accept_proto_filter=tcp,sctp # layer 4 proto of connections
[log1]
group=10
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#netlink_qthreshold=1
# set the delay before flushing packet in the queue inside kernel (in 10ms)
#netlink_qtimeout=100
[sys1]
facility=LOG_LOCAL2
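Review bot: The `plugins` list names `ulogd2_filter_PRINTPKT.so` twice, so the rendered `[global]` section will contain two identical `plugin=` lines. Drop the duplicate, or replace it if another plugin was intended; the leading comment mentions HWADDR, PRINTFLOW and MARK as candidates. The `[ct1]` section is also emitted although the NFCT `stack=` line is commented out and no NFCT input plugin is loaded; a comment such as `# placeholder: conntrack logging not enabled yet` would make that explicit. A comment next to `group=10` stating that firewall rules must log to NFLOG group 10 would help whoever maintains the ruleset.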