diff --git a/25_vaults.odt b/25_vaults.odt deleted file mode 100644 index 798ecb3..0000000 Binary files a/25_vaults.odt and /dev/null differ diff --git a/Readme.md b/Readme.md index d0decad..3995b44 100644 --- a/Readme.md +++ b/Readme.md @@ -1,6 +1,4 @@ - -# Vault ----------- +## Vault *Tâche*: Sécuriser des données sensibles @@ -8,7 +6,7 @@ *Norme*: en utilisant les vaults -## Pratique:* +## Pratique: Le mot de passe protégeant l'accès au répertoire /Private est en clair dans le playbook. @@ -16,8 +14,7 @@ Utiliser un vault pour que ce ne soit plus le cas. ## Performance -On a un fichier vault supplémentaire dans le sous répertoire variables du rôle. +Le mot de passe n'est plus en clair dans le playbook -Celui-ci n'est pas lisible directement, il faut passer par la commande ansible-vault pour l'éditer ou le consulter. +Proposition de solution: voir branche "solution" -Notre playbook doit inclure ce fichier et être appelé avec l'option --vault-id afin de disposer de la clé permettant de déchiffrer le vault. diff --git a/ansible_apache_formation/README.md b/ansible_apache_formation/README.md new file mode 100644 index 0000000..6093f71 --- /dev/null +++ b/ansible_apache_formation/README.md @@ -0,0 +1,38 @@ +Role Name +========= +apache_formation + +NOT FOR PRODUCTION USE + +This role has been designed for training purpose + +Requirements +------------ + +None + +Role Variables +-------------- + +Dependencies +------------ + +None + +Example Playbook +---------------- + +--- +- hosts: test + roles: + - apache_formation + +License +------- + +BSD + +Author Information +------------------ + +Thomas Constans diff --git a/ansible_apache_formation/defaults/main.yml b/ansible_apache_formation/defaults/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/ansible_apache_formation/defaults/main.yml @@ -0,0 +1 @@ +--- 
diff --git a/ansible_apache_formation/handlers/main.yml b/ansible_apache_formation/handlers/main.yml new file mode 100644 index 0000000..81a5908 --- /dev/null +++ b/ansible_apache_formation/handlers/main.yml @@ -0,0 +1,4 @@ +- name: reload httpd + service: + name: "{{ apache_service_name }}" + state: reloaded diff --git a/myapache/meta/main.yml b/ansible_apache_formation/meta/main.yml similarity index 79% rename from myapache/meta/main.yml rename to ansible_apache_formation/meta/main.yml index 7223799..38015ad 100644 --- a/myapache/meta/main.yml +++ b/ansible_apache_formation/meta/main.yml @@ -1,7 +1,8 @@ galaxy_info: - author: your name - description: your description - company: your company (optional) + role_name: apache_formation + author: Thomas Constans + description: Simple apache role set up for training purpose + company: www.opendoor.fr # If the issue tracker for your role is not on github, uncomment the # next line and provide a value @@ -14,7 +15,7 @@ galaxy_info: # - GPLv3 # - Apache # - CC-BY - license: license (GPLv2, CC-BY, etc) + license: GPLv2 min_ansible_version: 1.2 @@ -32,19 +33,12 @@ galaxy_info: # # platforms is a list of platforms, and each platform has a name and a list of versions. # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + platforms: + - name: EL + versions: + - 7 - galaxy_tags: [] + galaxy_tags: [apache,training] # List tags for your role here, one per line. A tag is a keyword that describes # and categorizes the role. Users find roles by searching for tags. Be sure to # remove the '[]' above, if you add tags to this list. 
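Review bot: The new handlers/main.yml opens directly with `- name: reload httpd` and has no `---` document start, while the sibling tasks/apache.yml, defaults/main.yml and vars/main.yml added in this commit all begin with `---`; add `---` as the first line for consistency. The handler also references `apache_service_name`, and the same applies to `apache_package_name`, `apache_documentroot` and `apache_server_name` in tasks/apache.yml and templates/vhost.conf, yet defaults/main.yml and vars/main.yml in this commit contain only `---`, so the role fails with an undefined variable unless every caller supplies them. Since meta/main.yml targets EL 7 and the tasks hard-code /etc/httpd paths, defaults such as `apache_package_name: httpd` and `apache_service_name: httpd` (values to confirm) belong in defaults/main.yml, and the README's empty "Role Variables" section should list them.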
@@ -52,6 +46,6 @@ galaxy_info: # NOTE: A tag is limited to a single word comprised of alphanumeric characters. # Maximum 20 tags per role. -dependencies: [] + dependencies: [] # List your role dependencies here, one per line. Be sure to remove the '[]' above, # if you add dependencies to this list. \ No newline at end of file diff --git a/ansible_apache_formation/tasks/apache.yml b/ansible_apache_formation/tasks/apache.yml new file mode 100644 index 0000000..7d15a0a --- /dev/null +++ b/ansible_apache_formation/tasks/apache.yml @@ -0,0 +1,57 @@ +--- +- name: installation + package: + name: "{{ apache_package_name }}" + state: present + +- name: configuration + notify: reload httpd + template: + src: vhost.conf + dest: /etc/httpd/conf.d/vhost.conf + mode: 0640 + owner: root + group: apache + +- name: enable service + service: + name: "{{ apache_service_name }}" + enabled: yes + +- name: open firewall port + firewalld: + service: http + permanent: yes + immediate: yes + state: enabled + ignore_errors: yes + +- name: create documentroot + file: + name: "{{ apache_documentroot }}" + state: directory + +- name: create index file + template: + src: index.html + dest: "{{ apache_documentroot }}/index.html" + mode: 0644 + +- name: install python passlib package + package: + name: python-passlib + state: present + +- name: passwd file + htpasswd: + path: "/etc/httpd/passwd" + name: tom + password: "123Soleil" + mode: 0640 + owner: root + group: "apache" + +- name: start service + service: + name: "{{ apache_service_name }}" + state: restarted \ No newline at end of file diff --git a/ansible_apache_formation/tasks/main.yml b/ansible_apache_formation/tasks/main.yml new file mode 100644 index 0000000..239d2eb --- /dev/null +++ b/ansible_apache_formation/tasks/main.yml @@ -0,0 +1,3 @@ +--- +- import_tasks: apache.yml + tags: httpd \ No newline at end of file 
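Review bot: `dependencies: []` appears to gain leading indentation in this hunk (`+ dependencies: []` replacing the column-0 `-dependencies: []`), which would nest it under `galaxy_info:` instead of keeping it as a top-level key of meta/main.yml. Ansible and ansible-galaxy read role dependencies from the top-level `dependencies` key, so if the indent is real the line should go back to `dependencies: []` at column 0; the collapsed rendering of this diff makes the exact indent hard to confirm. The file also still ends without a trailing newline, per the `\ No newline at end of file` marker.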
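Review bot: The final `start service` task uses `state: restarted`, which restarts httpd on every run whether or not anything changed, so the role is not idempotent and the `notify: reload httpd` on the `configuration` task becomes redundant; `state: started` here, leaving reloads to the handler, fixes both. The `passwd file` task embeds the basic-auth credential as the literal `password: "123Soleil"`; the Readme presents this as the starting point of the vault exercise, but the previous role kept it in the vaulted `apache_sensitive_data.yml` that this commit deletes, so the training branch now carries a usable credential in plain text and in git history. `ignore_errors: yes` on the `open firewall port` task also hides unrelated failures (missing module, connection errors); a `when` guard or a narrowed `failed_when` would be more precise. Minor: file modes are written unquoted (`mode: 0640`, `mode: 0644`) and booleans as `yes`; `mode: "0640"` and `true`/`false` avoid YAML 1.1 typing surprises.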
diff --git a/ansible_apache_formation/templates/index.html b/ansible_apache_formation/templates/index.html new file mode 100644 index 0000000..675be45 --- /dev/null +++ b/ansible_apache_formation/templates/index.html @@ -0,0 +1 @@ +

Welcome aboard {{ ansible_hostname }}

\ No newline at end of file diff --git a/ansible_apache_formation/templates/vhost.conf b/ansible_apache_formation/templates/vhost.conf new file mode 100644 index 0000000..7a2633c --- /dev/null +++ b/ansible_apache_formation/templates/vhost.conf @@ -0,0 +1,24 @@ + + ServerName {{ apache_server_name }} + ServerAlias www.{{ apache_server_name }} + ServerAlias {{ inventory_hostname }} + DocumentRoot /var/www/html/{{ apache_server_name }} + CustomLog /var/log/httpd/{{ apache_server_name }}_access.log combined + ErrorLog /var/log/httpd/{{ apache_server_name }}_error.log + + Options none + Allowoverride none + Require all denied + + + + Require all granted + + + Options indexes + AuthName "stop" + AuthType Basic + AuthUserFile /etc/httpd/passwd + require valid-user + + \ No newline at end of file diff --git a/myapache/tests/inventory b/ansible_apache_formation/tests/inventory similarity index 100% rename from myapache/tests/inventory rename to ansible_apache_formation/tests/inventory diff --git a/ansible_apache_formation/tests/test.yml b/ansible_apache_formation/tests/test.yml new file mode 100644 index 0000000..3af12d2 --- /dev/null +++ b/ansible_apache_formation/tests/test.yml @@ -0,0 +1,4 @@ +--- +- hosts: centos + roles: + - tconstans.ansible_apache_formation \ No newline at end of file diff --git a/ansible_apache_formation/vars/main.yml b/ansible_apache_formation/vars/main.yml new file mode 100644 index 0000000..73b314f --- /dev/null +++ b/ansible_apache_formation/vars/main.yml @@ -0,0 +1 @@ +--- \ No newline at end of file diff --git a/apache.yml b/apache.yml deleted file mode 100644 index 9fa4778..0000000 --- a/apache.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: install apache via ansible playbook - hosts: test - user: ansible - become: true - roles: - - myapache diff --git a/myapache/README.md b/myapache/README.md deleted file mode 100644 index 4b2f3e0..0000000 --- a/myapache/README.md +++ /dev/null 
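Review bot: `DocumentRoot /var/www/html/{{ apache_server_name }}` in the template does not use `apache_documentroot`, the variable tasks/apache.yml uses to create the directory and deploy index.html, so unless a caller sets both to the same path the vhost serves a directory the role never populated; `DocumentRoot {{ apache_documentroot }}` keeps the two in step. The `<VirtualHost>` and `<Directory>` container lines do not survive in this rendering of the diff, so which path the `Require all denied`, `Require all granted`, `Options indexes` and `require valid-user` stanzas apply to cannot be verified from here — worth confirming that the `Options indexes` block is the password-protected directory and not the document root. `AuthUserFile /etc/httpd/passwd` here and `path: "/etc/httpd/passwd"` in the htpasswd task are the same literal kept in two files; one variable (e.g. `apache_htpasswd_file`) would stop them drifting apart.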
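Review bot: tests/test.yml references the role as `tconstans.ansible_apache_formation`, while the role directory added in this commit is `ansible_apache_formation` and meta/main.yml declares `role_name: apache_formation`, so running the test from this checkout will most likely fail to resolve the role unless it has been installed from Galaxy under that namespaced name. If the test is meant to run against the checkout, `- ansible_apache_formation` (or a `roles_path` pointing at the parent directory) would be the consistent reference; which of the three names is canonical should be settled in one place.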
@@ -1,45 +0,0 @@ -Role Name -========= - -Rôle de deploiement apache sur une centos. - -1 seul vhost - -Requirements ------------- - -None - -Role Variables --------------- - -http_port: 80 -servername: orsys.fr -serveralias: "www.{{ servername }}" -documentroot: /var/www/html/orsys.fr -accesslog: /var/log/httpd/access_orsys.fr_log -errorlog: /var/log/httpd/error_orsys.fr_log - -Dependencies ------------- - -None - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { myapache } - -License -------- - -BSD - -Author Information ------------------- - -Thomas Constans diff --git a/myapache/defaults/main.yml b/myapache/defaults/main.yml deleted file mode 100644 index 8c667e1..0000000 --- a/myapache/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# defaults file for myapache \ No newline at end of file diff --git a/myapache/files/index.html b/myapache/files/index.html deleted file mode 100644 index 416474e..0000000 --- a/myapache/files/index.html +++ /dev/null @@ -1 +0,0 @@ -

hello World

\ No newline at end of file diff --git a/myapache/handlers/main.yml b/myapache/handlers/main.yml deleted file mode 100644 index 2a19def..0000000 --- a/myapache/handlers/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# handlers file for myapache -- name: reload httpd - service: - name: "{{ service_name }}" - state: reloaded - -- name: reload firewalld - service: - name: firewalld - state: reloaded diff --git a/myapache/tasks/main.yml b/myapache/tasks/main.yml deleted file mode 100644 index d98bbe7..0000000 --- a/myapache/tasks/main.yml +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -# tasks file for myapache -- name: import distribution specific variables - tags: http - include_vars: "{{ ansible_distribution|lower }}.yml" - -- name: include sensitive information - tags: http - include_vars: apache_sensitive_data.yml - -- name: install apache - tags: httpd - package: - name: "{{ package_name }}" - state: latest - -- name: conf httpd - tags: httpd - notify: reload httpd - template: - src: vhost.conf.jj - dest: "{{ apache_conf_dir }}/vhost.conf" - mode: 0640 - owner: root - group: "{{ apache_group }}" - -- name: activate apache - tags: httpd - service: - name: "{{ service_name }}" - enabled: yes - -- name: open firewall port - tags: httpd - firewalld: - service: http - permanent: yes - immediate: yes - state: enabled - ignore_errors: yes - notify: reload firewalld - when: ansible_distribution|lower != "debian" - -- name: create documentroot - tags: httpd - file: - name: "{{ item.documentroot }}" - state: directory - with_items: - - "{{ apache_vhosts }}" - -- name: install python passlib package - tags: req,httpd - package: - name: python-passlib - state: latest - -- name: create index file - tags: httpd - copy: - src: index.html - dest: "{{ item.documentroot }}/index.html" - mode: 0644 - with_items: - - "{{ apache_vhosts }}" - -- name: passwd file - htpasswd: - path: "{{ apache_conf_dir }}/passwd" - name: tom - password: "{{ httpasswd }}" - mode: 0640 - owner: root - group: "{{ apache_group }}" \ No newline at end of file diff --git a/myapache/templates/vhost.conf.jj b/myapache/templates/vhost.conf.jj deleted file mode 100644 index be39939..0000000 --- a/myapache/templates/vhost.conf.jj +++ /dev/null 
@@ -1,28 +0,0 @@ -{% for vhost in apache_vhosts %} - - ServerName {{ vhost.servername|lower }} - ServerAlias {{ vhost.serveralias }} - DocumentRoot {{ vhost.documentroot }} - CustomLog {{ vhost.accesslog }} combined - ErrorLog {{ vhost.errorlog }} - - Options none - Allowoverride none - Require all denied - - - - Options {{ vhost.documentrootoptions|default( "none" ) }} - Require all granted - - - Alias /private /usr/share/doc - - Options indexes - AuthName "stop" - AuthType Basic - AuthUserFile {{ apache_conf_dir }}/passwd - require valid-user - - -{% endfor %} \ No newline at end of file diff --git a/myapache/tests/test.yml b/myapache/tests/test.yml deleted file mode 100644 index 797e379..0000000 --- a/myapache/tests/test.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: localhost - remote_user: root - roles: - - myapache \ No newline at end of file diff --git a/myapache/vars/apache_sensitive_data.yml b/myapache/vars/apache_sensitive_data.yml deleted file mode 100644 index 782663b..0000000 --- a/myapache/vars/apache_sensitive_data.yml +++ /dev/null @@ -1,6 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -31653731393732623239623030633932666534613931666630313335346338306362356263366261 -6465393132643537613161343263613530656263623236390a633835613663643464313930613562 -31306535323538633664393032386665396239626563343736636266333436336265386639323035 -6530326539336236320a613631653861303464353066353961383738396639313831323065623639 -32663763333138613435653438363734343739303838303232313337313230646364 diff --git a/myapache/vars/centos.yml b/myapache/vars/centos.yml deleted file mode 120000 index ba2f905..0000000 --- a/myapache/vars/centos.yml +++ /dev/null @@ -1 +0,0 @@ -redhat.yml \ No newline at end of file diff --git a/myapache/vars/debian.yml b/myapache/vars/debian.yml deleted file mode 100644 index 03ceb9d..0000000 --- a/myapache/vars/debian.yml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -apache_conf_dir: /etc/apache2/sites-enabled -apache_log_dir: /var/log/apache2 -package_name: apache2 -service_name: apache2 -apache_user: www-data -apache_group: www-data diff --git a/myapache/vars/main.yml b/myapache/vars/main.yml deleted file mode 100644 index 1fb822e..0000000 --- a/myapache/vars/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# vars file for myapache -http_port: 80 -apache_vhosts: -- servername: ORSYS.Fr - serveralias: www.orsys.fr - documentroot: /var/www/html/orsys.fr - accesslog: "{{ apache_log_dir }}/access_orsys.fr_log" - errorlog: "{{ apache_log_dir }}/error_orsys.fr_log" -- servername: thomas.fr - serveralias: www.thomas.fr - documentroot: /var/www/html/thomas.fr - accesslog: "{{ apache_log_dir }}/access_thomas.fr_log" - errorlog: "{{ apache_log_dir }}/error_thomas.fr_log" - documentrootoptions: indexes \ No newline at end of file diff --git a/myapache/vars/redhat.yml b/myapache/vars/redhat.yml deleted file mode 100644 index c77ed08..0000000 --- a/myapache/vars/redhat.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apache_conf_dir: /etc/httpd/conf.d/ -apache_log_dir: /var/log/httpd -package_name: httpd -service_name: httpd -apache_user: apache -apache_group: apache