commit 6c3dfc1c6b404373c2f2c1750c36ee390b5a7137
Author: Thomas Constans
Date: Tue Sep 22 15:42:05 2020 +0200
initial commit
diff --git a/25_vaults.odt b/25_vaults.odt
new file mode 100644
index 0000000..798ecb3
Binary files /dev/null and b/25_vaults.odt differ
diff --git a/Readme.md b/Readme.md
new file mode 100644
index 0000000..d0decad
--- /dev/null
+++ b/Readme.md
@@ -0,0 +1,23 @@
+
+# Vault
+----------
+
+*Tâche*: Sécuriser des données sensibles
+
+*Condition*: quand on a des données / variables / mot de passe sensibles
+
+*Norme*: en utilisant les vaults
+
+## Pratique:*
+
+Le mot de passe protégeant l'accès au répertoire /Private est en clair dans le playbook.
+
+Utiliser un vault pour que ce ne soit plus le cas.
+
+## Performance
+
+On a un fichier vault supplémentaire dans le sous répertoire variables du rôle.
+
+Celui-ci n'est pas lisible directement, il faut passer par la commande ansible-vault pour l'éditer ou le consulter.
+
+Notre playbook doit inclure ce fichier et être appelé avec l'option --vault-id afin de disposer de la clé permettant de déchiffrer le vault.
diff --git a/apache.yml b/apache.yml
new file mode 100644
index 0000000..9fa4778
--- /dev/null
+++ b/apache.yml
@@ -0,0 +1,7 @@
+---
+- name: install apache via ansible playbook
+ hosts: test
+ user: ansible
+ become: true
+ roles:
+ - myapache
diff --git a/myapache/README.md b/myapache/README.md
new file mode 100644
index 0000000..4b2f3e0
--- /dev/null
+++ b/myapache/README.md
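Review bot: `user: ansible` in apache.yml is the older alias of the play keyword; `remote_user: ansible` is the current spelling and reads unambiguously next to `become: true`. The play itself only lists the role, and the Readme in this commit states that it must be invoked with `--vault-id` because the role loads an encrypted vars file; nothing in the playbook says so. A comment above `roles:` such as `# requires --vault-id (or --ask-vault-pass): the role loads vars/apache_sensitive_data.yml` would spare the next operator a failed run.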
@@ -0,0 +1,45 @@
+Role Name
+=========
+
+Rôle de deploiement apache sur une centos.
+
+1 seul vhost
+
+Requirements
+------------
+
+None
+
+Role Variables
+--------------
+
+http_port: 80
+servername: orsys.fr
+serveralias: "www.{{ servername }}"
+documentroot: /var/www/html/orsys.fr
+accesslog: /var/log/httpd/access_orsys.fr_log
+errorlog: /var/log/httpd/error_orsys.fr_log
+
+Dependencies
+------------
+
+None
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { myapache }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Thomas Constans
diff --git a/myapache/defaults/main.yml b/myapache/defaults/main.yml
new file mode 100644
index 0000000..8c667e1
--- /dev/null
+++ b/myapache/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for myapache
\ No newline at end of file
diff --git a/myapache/files/index.html b/myapache/files/index.html
new file mode 100644
index 0000000..416474e
--- /dev/null
+++ b/myapache/files/index.html
@@ -0,0 +1 @@ +

hello World

\ No newline at end of file
diff --git a/myapache/handlers/main.yml b/myapache/handlers/main.yml
new file mode 100644
index 0000000..2a19def
--- /dev/null
+++ b/myapache/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# handlers file for myapache
+- name: reload httpd
+ service:
+ name: "{{ service_name }}"
+ state: reloaded
+
+- name: reload firewalld
+ service:
+ name: firewalld
+ state: reloaded
diff --git a/myapache/meta/main.yml b/myapache/meta/main.yml
new file mode 100644
index 0000000..7223799
--- /dev/null
+++ b/myapache/meta/main.yml
@@ -0,0 +1,57 @@
+galaxy_info:
+ author: your name
+ description: your description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Some suggested licenses:
+ # - BSD (default)
+ # - MIT
+ # - GPLv2
+ # - GPLv3
+ # - Apache
+ # - CC-BY
+ license: license (GPLv2, CC-BY, etc)
+
+ min_ansible_version: 1.2
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ # Optionally specify the branch Galaxy will use when accessing the GitHub
+ # repo for this role. During role install, if no tags are available,
+ # Galaxy will use this branch. During import Galaxy will access files on
+ # this branch. If Travis integration is configured, only notifications for this
+ # branch will be accepted. Otherwise, in all cases, the repo's default branch
+ # (usually master) will be used.
+ #github_branch:
+
+ #
+ # platforms is a list of platforms, and each platform has a name and a list of versions.
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
\ No newline at end of file
diff --git a/myapache/tasks/main.yml b/myapache/tasks/main.yml
new file mode 100644
index 0000000..d98bbe7
--- /dev/null
+++ b/myapache/tasks/main.yml
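Review bot: meta/main.yml still carries the galaxy-init placeholders (`author: your name`, `license: license (GPLv2, CC-BY, etc)`) while the role README added in the same commit declares BSD and names the author; the two should agree, e.g. `license: BSD` and `author: Thomas Constans`. `min_ansible_version: 1.2` is a bare float, which a YAML 1.1 loader reads as the number 1.2 rather than a version string; quote it (`min_ansible_version: "1.2"`). It is also unlikely to be the real floor — the role relies on `include_vars`, `firewalld` and `htpasswd`, which as far as I recall all post-date 1.2 — so set it to a release the role was actually run against.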
@@ -0,0 +1,74 @@
+---
+# tasks file for myapache
+- name: import distribution specific variables
+ tags: http
+ include_vars: "{{ ansible_distribution|lower }}.yml"
+
+- name: include sensitive information
+ tags: http
+ include_vars: apache_sensitive_data.yml
+
+- name: install apache
+ tags: httpd
+ package:
+ name: "{{ package_name }}"
+ state: latest
+
+- name: conf httpd
+ tags: httpd
+ notify: reload httpd
+ template:
+ src: vhost.conf.jj
+ dest: "{{ apache_conf_dir }}/vhost.conf"
+ mode: 0640
+ owner: root
+ group: "{{ apache_group }}"
+
+- name: activate apache
+ tags: httpd
+ service:
+ name: "{{ service_name }}"
+ enabled: yes
+
+- name: open firewall port
+ tags: httpd
+ firewalld:
+ service: http
+ permanent: yes
+ immediate: yes
+ state: enabled
+ ignore_errors: yes
+ notify: reload firewalld
+ when: ansible_distribution|lower != "debian"
+
+- name: create documentroot
+ tags: httpd
+ file:
+ name: "{{ item.documentroot }}"
+ state: directory
+ with_items:
+ - "{{ apache_vhosts }}"
+
+- name: install python passlib package
+ tags: req,httpd
+ package:
+ name: python-passlib
+ state: latest
+
+- name: create index file
+ tags: httpd
+ copy:
+ src: index.html
+ dest: "{{ item.documentroot }}/index.html"
+ mode: 0644
+ with_items:
+ - "{{ apache_vhosts }}"
+
+- name: passwd file
+ htpasswd:
+ path: "{{ apache_conf_dir }}/passwd"
+ name: tom
+ password: "{{ httpasswd }}"
+ mode: 0640
+ owner: root
+ group: "{{ apache_group }}"
\ No newline at end of file
diff --git a/myapache/templates/vhost.conf.jj b/myapache/templates/vhost.conf.jj
new file mode 100644
index 0000000..be39939
--- /dev/null
+++ b/myapache/templates/vhost.conf.jj
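Review bot: The two `include_vars` tasks are tagged `http` while every other task is tagged `httpd`, and the final `passwd file` task carries no tag at all, so `ansible-playbook --tags httpd` runs the install with `package_name`, `apache_conf_dir` and `httpasswd` undefined and never writes the htpasswd file; give all of them `tags: httpd`. The `passwd file` task also hands the vaulted `httpasswd` to the module without `no_log: true`, so the one value the vault is meant to keep out of sight is printed in verbose and diff output; add `no_log: true` to that task (and to `include sensitive information`). The octal modes are unquoted (`mode: 0640`, `mode: 0644`); quote them (`mode: "0640"`) so YAML passes a string rather than an integer. `activate apache` only sets `enabled: yes`, so on a fresh host the `reload httpd` handler notified by `conf httpd` fires against a service that has not been started; add `state: started`. `state: latest` on both package tasks upgrades on every run — `present` is the idempotent choice unless upgrades are intended.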
@@ -0,0 +1,28 @@ +{% for vhost in apache_vhosts %} + + ServerName {{ vhost.servername|lower }} + ServerAlias {{ vhost.serveralias }} + DocumentRoot {{ vhost.documentroot }} + CustomLog {{ vhost.accesslog }} combined + ErrorLog {{ vhost.errorlog }} + + Options none + Allowoverride none + Require all denied + + + + Options {{ vhost.documentrootoptions|default( "none" ) }} + Require all granted + + + Alias /private /usr/share/doc + + Options indexes + AuthName "stop" + AuthType Basic + AuthUserFile {{ apache_conf_dir }}/passwd + require valid-user + + +{% endfor %} \ No newline at end of file diff --git a/myapache/tests/inventory b/myapache/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/myapache/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/myapache/tests/test.yml b/myapache/tests/test.yml new file mode 100644 index 0000000..797e379 --- /dev/null +++ b/myapache/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - myapache \ No newline at end of file diff --git a/myapache/vars/apache_sensitive_data.yml b/myapache/vars/apache_sensitive_data.yml new file mode 100644 index 0000000..782663b --- /dev/null +++ b/myapache/vars/apache_sensitive_data.yml @@ -0,0 +1,6 @@ +$ANSIBLE_VAULT;1.1;AES256 +31653731393732623239623030633932666534613931666630313335346338306362356263366261 +6465393132643537613161343263613530656263623236390a633835613663643464313930613562 +31306535323538633664393032386665396239626563343736636266333436336265386639323035 +6530326539336236320a613631653861303464353066353961383738396639313831323065623639 +32663763333138613435653438363734343739303838303232313337313230646364 diff --git a/myapache/vars/centos.yml b/myapache/vars/centos.yml new file mode 120000 index 0000000..ba2f905 --- /dev/null +++ b/myapache/vars/centos.yml @@ -0,0 +1 @@ +redhat.yml \ No newline at end of file diff --git a/myapache/vars/debian.yml b/myapache/vars/debian.yml new file mode 100644 index 0000000..03ceb9d 
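Review bot: The `/private` location is gated with `AuthType Basic` against `{{ apache_conf_dir }}/passwd`, but nothing in this commit configures TLS — vars/main.yml sets `http_port: 80` and the firewalld task opens only `service: http` — so the password the vault keeps out of the repository crosses the network base64-encoded in cleartext on every request; serve the vhost over HTTPS, or at least document in the template that Basic auth here assumes a TLS terminator in front. `AuthUserFile {{ apache_conf_dir }}/passwd` resolves to /etc/apache2/sites-enabled/passwd on Debian, a directory meant for `*.conf` includes; keeping the file outside the include directories (e.g. a constructed path such as `/etc/apache2/passwd`, passed in as its own variable) avoids surprises. The Readme refers to `/Private` while the template declares `Alias /private`; Apache aliases are case-sensitive, so one of the two should be corrected. The directive containers (`<VirtualHost>`, `<Directory>`) are not visible in this rendering, so the scoping of the `Require`/`Options` lines could not be checked.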
--- /dev/null
+++ b/myapache/vars/debian.yml
@@ -0,0 +1,7 @@
+---
+apache_conf_dir: /etc/apache2/sites-enabled
+apache_log_dir: /var/log/apache2
+package_name: apache2
+service_name: apache2
+apache_user: www-data
+apache_group: www-data
diff --git a/myapache/vars/main.yml b/myapache/vars/main.yml
new file mode 100644
index 0000000..1fb822e
--- /dev/null
+++ b/myapache/vars/main.yml
@@ -0,0 +1,15 @@
+---
+# vars file for myapache
+http_port: 80
+apache_vhosts:
+- servername: ORSYS.Fr
+ serveralias: www.orsys.fr
+ documentroot: /var/www/html/orsys.fr
+ accesslog: "{{ apache_log_dir }}/access_orsys.fr_log"
+ errorlog: "{{ apache_log_dir }}/error_orsys.fr_log"
+- servername: thomas.fr
+ serveralias: www.thomas.fr
+ documentroot: /var/www/html/thomas.fr
+ accesslog: "{{ apache_log_dir }}/access_thomas.fr_log"
+ errorlog: "{{ apache_log_dir }}/error_thomas.fr_log"
+ documentrootoptions: indexes
\ No newline at end of file
diff --git a/myapache/vars/redhat.yml b/myapache/vars/redhat.yml
new file mode 100644
index 0000000..c77ed08
--- /dev/null
+++ b/myapache/vars/redhat.yml
@@ -0,0 +1,7 @@
+---
+apache_conf_dir: /etc/httpd/conf.d/
+apache_log_dir: /var/log/httpd
+package_name: httpd
+service_name: httpd
+apache_user: apache
+apache_group: apache
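Review bot: The role's user-facing variables (`http_port`, `apache_vhosts`) are placed in vars/main.yml, which sits near the top of Ansible's precedence and cannot be overridden from inventory or play vars, while defaults/main.yml is left empty; move them to defaults/main.yml so a consumer can supply their own vhost list, which is what the README's "Role Variables" section implies. `documentrootoptions: indexes` on the thomas.fr vhost turns on directory listing for its document root where the template's default is `none`; leave it out unless listing is wanted. `servername: ORSYS.Fr` only works because the template applies `|lower`; writing it lowercase here removes the special case. The flush block-sequence style (`- servername` at the same column as `apache_vhosts:`) differs from the indented lists in tasks/main.yml; pick one style for the role.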
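Review bot: `apache_conf_dir: /etc/httpd/conf.d/` carries a trailing slash while debian.yml's `/etc/apache2/sites-enabled` does not, so `{{ apache_conf_dir }}/vhost.conf` and `{{ apache_conf_dir }}/passwd` render with a doubled slash on RedHat-family hosts. Drop it (`apache_conf_dir: /etc/httpd/conf.d`) so the two per-distribution files follow the same convention.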