Ansible-Exemple
INVENTAIRE
Création d'un fichier d'inventaire
nano inventaire.yml
- inventaire.yml
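---
# Inventory: two groups (deb_master, deb_slave), one Debian host each.
# Variables under `vars` are consumed by the playbooks and the .j2 templates
# (network_interfaces -> Templates_interfaces_Debian.j2,
#  dns_redirecteur / allow_query -> Templates_named.conf.options.j2).
all:
  vars:
    ansible_python_interpreter: /bin/python3
  children:
    deb_master:
      vars:
        ansible_user: ansible  # account the controller logs in as over SSH
        # Upstream resolvers BIND forwards every query to
        dns_redirecteur:
          - "10.100.0.3"
          - "10.0.0.3"
        # Subnet allowed to query BIND. Written as a network address with the
        # host bits cleared: netmask 255.255.0.0 on ens33 below is 10.102.0.0/16.
        # (named reports an "address/prefix length mismatch" for a value such
        # as 10.102.200.0/16 -- a warning or an error depending on the version.)
        allow_query: "10.102.0.0/16"
        network_interfaces:
          - name: "ens33"
            ip_address: "10.102.200.153"
            netmask: "255.255.0.0"
            gateway: "10.102.200.254"
          # - name: "eth1"
          #   ip_address: "192.168.1.10"
          #   netmask: "255.255.255.0"
          #   gateway: "192.168.1.1"
      hosts:
        10.102.200.153:
    deb_slave:
      vars:
        ansible_user: ansible  # account the controller logs in as over SSH
        # Upstream resolvers BIND forwards every query to
        dns_redirecteur:
          - "10.100.0.3"
          - "10.0.0.3"
        # Same remark as for deb_master: network address, host bits cleared
        allow_query: "10.102.0.0/16"
        network_interfaces:
          - name: "ens33"
            ip_address: "10.102.200.80"
            netmask: "255.255.0.0"
            gateway: "10.102.200.254"
          # - name: "eth1"
          #   ip_address: "192.168.1.10"
          #   netmask: "255.255.255.0"
          #   gateway: "192.168.1.1"
      hosts:
        10.102.200.80: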
CONFIG - LAN
Création d'un PLAYBOOK de config réseau
nano Playbook_Install_Config_LAN.yml
- Playbook_Install_Config_LAN.yml
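---
# Renders /etc/network/interfaces from the `network_interfaces` inventory
# variable and restarts networking when the file changed.
- name: Playbook pour configurer les interfaces réseau
  hosts: all
  become: true
  tasks:
    - name: Configurer les interfaces réseau
      # `src` must name the template file that actually exists next to this
      # playbook (Templates_interfaces_Debian.j2); the task fails otherwise.
      ansible.builtin.template:
        src: Templates_interfaces_Debian.j2
        dest: /etc/network/interfaces
        owner: root
        group: root
        mode: "0644"
        backup: true  # keeps a timestamped copy of the previous file
      notify:
        - Restart Networking

  handlers:
    # Restarting networking on the very interface Ansible is connected through
    # can drop the SSH session; expect the host to show as unreachable if the
    # new addressing differs from the old one.
    - name: Restart Networking
      ansible.builtin.systemd:
        name: networking
        state: restarted

    # NOTE(review): no task notifies this handler, so it never runs as written;
    # add it to the task's `notify` list if bringing interfaces up explicitly
    # is wanted after the restart.
    - name: Bring up network interfaces
      ansible.builtin.command:
        cmd: "ifup {{ item.name }}"
      loop: "{{ network_interfaces }}"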
Création d'un TEMPLATE d'interfaces Debian (j2)
nano Templates_interfaces_Debian.j2
- Templates_interfaces_Debian.j2
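# Network configuration generated by Ansible -- local edits are overwritten.
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# Include the configuration of other interfaces, if present
source /etc/network/interfaces.d/*

# Loopback interface
auto lo
iface lo inet loopback

{# One static stanza per entry of the `network_interfaces` inventory list.
   Each entry must provide name, ip_address and netmask; `gateway` is
   optional so that a secondary interface does not install a second default
   route (interfaces(5) expects a single default gateway). #}
{% for iface in network_interfaces %}
auto {{ iface.name }}
iface {{ iface.name }} inet static
    address {{ iface.ip_address }}
    netmask {{ iface.netmask }}
{% if iface.gateway is defined and iface.gateway %}
    gateway {{ iface.gateway }}
{% endif %}
{% endfor %}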
CONFIG - SSH
Création PLAYBOOK config SSH
nano Playbook_Config_SSH.yml
- Playbook_Config_SSH.yml
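---
# Installs openssh-server, appends a hardening block for the `ansible`
# account to sshd_config and locks that account's password.
- name: Playbook pour installer/configurer/sécuriser SSH
  hosts: all
  become: true
  tasks:
    - name: Assurer que le service SSH est installé
      ansible.builtin.apt:
        name: openssh-server
        state: present
        update_cache: true

    - name: Ajouter un bloc de configuration SSH dans /etc/ssh/sshd_config
      # The block is appended at EOF on purpose: a `Match` section applies to
      # everything that follows it, so it must be the last thing in the file.
      # The original AllowUsers value was mangled in the page; replace the
      # placeholder with the controller's user@host pattern. Keep comments
      # out of the block itself: sshd does not strip trailing `#` comments,
      # a stray word would become another AllowUsers pattern.
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config
        backup: true
        insertafter: EOF
        block: |
          # Configuration personnalisée SSH
          Match User ansible
              AllowUsers ansible@<CONTROLLER_IP_PLACEHOLDER>
              PasswordAuthentication no
        marker: "# {mark} Configuration SSH"
        # Refuse to install a file sshd cannot parse: a broken sshd_config
        # followed by the restart handler locks every SSH user out.
        validate: /usr/sbin/sshd -t -f %s
      notify:
        - Restart SSH

    - name: Neutraliser la connexion via un accès console de l’utilisateur ansible
      # "!" in the shadow hash field locks the password; key-based SSH login
      # for the account is unaffected (`password_lock: true` is the
      # equivalent declarative option).
      ansible.builtin.user:
        name: ansible
        password: "!"

  handlers:
    - name: Restart SSH
      ansible.builtin.service:
        name: ssh
        state: restarted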
INSTALL - Apache2
Création PLAYBOOK Apache2
nano Playbook_Install_Apache2.yml
- Playbook_Install_Apache2.yml
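---
# Installs Apache and makes sure the service is running and enabled at boot.
- name: Playbook pour installer Apache2
  hosts: all
  become: true  # every task runs with sudo privileges
  tasks:
    - name: Update the APT package list
      ansible.builtin.apt:
        update_cache: true

    - name: Install Apache
      ansible.builtin.apt:
        name: apache2
        state: present

    - name: Ensure Apache is started and enabled
      ansible.builtin.systemd:
        name: apache2
        state: started
        enabled: true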
INSTALL / CONFIG - Bind9
Création PLAYBOOK Bind9
nano Playbook_Install_Config_Bind9.yml
- Playbook_Install_Config_Bind9.yml
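---
# Installs BIND9 and renders named.conf.options from the inventory variables
# `dns_redirecteur` and `allow_query` (see Templates_named.conf.options.j2).
- name: Playbook pour installer/configurer BIND
  hosts: all
  become: true
  tasks:
    - name: Installer le service BIND
      ansible.builtin.apt:
        name: bind9
        state: present
        update_cache: true

    - name: Configurer BIND avec un DNS redirecteur et désactiver DNSSEC
      ansible.builtin.template:
        src: Templates_named.conf.options.j2
        dest: /etc/bind/named.conf.options
        owner: root
        group: bind
        mode: "0644"
        # Syntax-check the rendered file before it replaces the live one, so a
        # bad inventory value cannot take the resolver down on restart.
        validate: named-checkconf %s
      notify:
        - Restart BIND

  handlers:
    - name: Restart BIND
      ansible.builtin.service:
        name: bind9
        state: restarted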
Création d'un TEMPLATE config BIND9 (j2)
nano Templates_named.conf.options.j2
- Templates_named.conf.options.j2
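options {
    directory "/var/cache/bind";

    // Upstream resolvers, taken from `dns_redirecteur` in inventaire.yml
    forwarders {
{% for dns in dns_redirecteur %}
        {{ dns }};
{% endfor %}
    };
    // Forward-only: every query goes to the forwarders, never to the roots
    forward only;

    // Validation is disabled here, so answers relayed by the forwarders are
    // accepted without DNSSEC checking; "auto" is the safer setting when the
    // forwarders return validated data.
    dnssec-validation no;

    auth-nxdomain no;  # conform to RFC1035
    listen-on { any; };
    listen-on-v6 { any; };

    // Clients allowed to query, from `allow_query` in inventaire.yml
    allow-query {
        {{ allow_query | default('any') }};
    };
    // Recursion is what a forwarding resolver does for its clients, so pin
    // it explicitly. The fallback is `localnets`, BIND's own default, so an
    // undefined `allow_query` does not turn the server into an open resolver.
    allow-recursion {
        localhost;
        {{ allow_query | default('localnets') }};
    };
};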