ajoute les archives

2023-03-09 16:44:05 +01:00
commit 38129c2455
30 changed files with 532 additions and 0 deletions
@@ -0,0 +1,2 @@
+# Dépot de script ansible
+
@@ -0,0 +1 @@
+ansible_python_interpreter: /usr/bin/python3
@@ -0,0 +1,2 @@
+---
+zimbraSkinLoginBackgroundImage: "https://www.ledepartement66.fr/wp-content/uploads/2022/09/ValeursEnFete-Oct2022-Couverture-Zimbra-2100x1400px-scaled.jpg"
@@ -0,0 +1,2 @@
+---
+zimbraSkinLoginBackgroundImage: "https://www.ledepartement66.fr/wp-content/uploads/2022/09/ValeursEnFete-Oct2022-Couverture-Zimbra-2100x1400px-scaled.jpg"
@@ -0,0 +1,2 @@
+---
+zimbraSkinLoginBackgroundImage: "https://www.ledepartement66.fr/wp-content/uploads/2022/09/ValeursEnFete-Oct2022-Couverture-Zimbra-2100x1400px-scaled.jpg"
@@ -0,0 +1,6 @@
+---
+zimbraMailDomain: "zimbrantoine.zextras.lan"
+zimbraSkinLogoURL: "https://bal.groupechevalier.fr"
+zimbraSkinLogoAppBanner: "/logos/Groupe-Chevalier-200x35.png" 
+zimbraSkinLogoLoginBanner: "/logos/Groupe-Chevalier-320x80.png"
+zimbraSkinLoginBackgroundImage: "https://www.ledepartement66.fr/wp-content/uploads/2022/09/ValeursEnFete-Oct2022-Couverture-Zimbra-2100x1400px-scaled.jpg"
@@ -0,0 +1,15 @@
+---
+# Config global 
+
+ignoreip: "127.0.0.1/8 192.168.73.60/32"
+destmail: "admin@zimbraluis.zextras.lan"
+sendername: "Fail2ban"
+sendermail: "fail2ban@zimbraluis.zextras.lan"
+
+bantime_account: "600"
+findtime_account: "1200"
+maxretry_account: "3"
+
+bantime_postfix: "600"
+findtime_postfix: "1200"
+maxretry_postfix: "3"
@@ -0,0 +1,8 @@
+zimbra-labs-antoine ansible_user=antoine ansible_host=192.168.73.63 ansible_become=true
+[cd66-zms]
+cd66-zms1 ansible_become=true
+cd66-zms2 ansible_become=true
+cd66-zms3 ansible_become=true
+
+mairie-lateste
+zimbraluis ansible_user=zimbraluis ansible_host=zimbraluis.zextras.lan ansible_become=true ansible_sudo_pass=zimbraluis
@@ -0,0 +1,34 @@
+---
+- name: Zimbra Lab Antoine
+  hosts: zimbra-labs-antoine
+  roles:
+    - role: prerequis
+    - role: set-global-logo
+      tags: set-global-logo
+    - role: set-zextras-custom-login-page
+      tags: set-zxt-custom-login-page
+    - role: set-zextras-login-logo
+      tags: set-zextras-login-logo
+    - role: set-zextras-global-login-logo
+      tags: set-zextras-global-login-logo
+    - role: set-zextras-theme
+      tags: set-zextras-theme
+
+
+- name: Zimbra CD66
+  hosts: cd66-zms
+  roles:
+    - role: set-zextras-global-login-logo
+      tags: cd66-zextras-global-login-logo
+
+- name: Mairie-Lateste
+  hosts: mairie-lateste
+  roles:
+    - role: set-zextras-theme
+      tags: set-zextras-theme-lateste
+
+- name: Lab Fail2ban
+  hosts: zimbraluis
+  roles:
+    - role: set-fail2ban
+      tags: set-fail2ban
@@ -0,0 +1,3 @@
+---
+- name: Update timezone
+  ansible.builtin.command: dpkg-reconfigure --frontend noninteractive tzdata
@@ -0,0 +1,58 @@
+---
+# Set Timezone
+- name: Set timezone variables
+  ansible.builtin.copy:
+    content: 'Europe/Paris'
+    dest: /etc/timezone
+    owner: root
+    group: root
+    mode: 0644
+    backup: true
+    force: false
+  notify:
+    - Update timezone
+
+# Disable ipv6
+- name: Checking GRUB cmdline
+  ansible.builtin.shell: "grep 'GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6.disable=1.*' /etc/default/grub"
+  register: grub_cfg_grep
+  changed_when: false
+  failed_when: false
+
+- name: Disable IPV6 on GRUB cmdline
+  ansible.builtin.replace:
+    path: '/etc/default/grub'
+    regexp: '^GRUB_CMDLINE_LINUX_DEFAULT="((\w.?)*)"$'
+    replace: 'GRUB_CMDLINE_LINUX_DEFAULT="\1 ipv6.disable=1"'
+  when: '"ipv6.disable=1" not in grub_cfg_grep.stdout'
+
+# Remove snap
+- name: Stop service snap, if running
+  ansible.builtin.systemd:
+    name: snapd
+    state: stopped
+  register: unused_disable # on enregistre le retour de la commande pour déclencher l'arret que si le service existe
+  failed_when: "unused_disable is failed and ('find' not in unused_disable.msg and 'found' not in unused_disable.msg)"
+
+- name: Uninstall
+  ansible.builtin.apt:
+    pkg:
+      - snapd
+      - gnome-software-plugin-snap
+    state: absent
+    purge: true
+
+- name: Delete snap directory
+  ansible.builtin.file:
+    path:
+      - ~/snap/
+      - /var/cache/snapd/
+    state: absent
+
+# Install LibreOffice
+- name: Apt Install Prerequis
+  ansible.builtin.apt:
+    update_cache: true
+    name:
+      - libreoffice
+      - net-tools
@@ -0,0 +1,6 @@
+---
+- name: Reload fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: reload
+    enabled: true
@@ -0,0 +1,21 @@
+---
+- name: Installing Fail2ban
+  ansible.builtin.apt:
+    update_cache: yes
+    name: fail2ban
+
+- name: Copy {{ item.src }} config
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: 0644
+    backup: yes
+  loop:
+    - { src: 'jail.conf.ubuntu.j2', dest: '/etc/fail2ban/jail.conf' }
+    - { src: 'zimbra.conf.ubuntu.j2', dest: '/etc/fail2ban/filter.d/zimbra.conf' }
+    - { src: 'zimbra-postfix.conf.ubuntu.j2', dest: '/etc/fail2ban/filter.d/zimbra-postfix.conf' }
+    - { src: 'sendmail.conf.ubuntu.j2', dest: '/etc/fail2ban/action.d/sendmail.conf' }
+    - { src: 'sendmail-common.conf.ubuntu.j2', dest: '/etc/fail2ban/action.d/sendmail-common.conf' }
+  #notify: Reload fail2ban
@@ -0,0 +1,30 @@
+# Fail2Ban configuration file
+#
+
+[DEFAULT]
+ignoreip = {{ ignoreip }}
+bantime  = 86400
+findtime = 1200
+maxretry = 5
+
+backend = auto
+
+[zimbra-account]
+enabled = true
+filter = zimbra
+action = iptables-allports[name=zimbra-account]
+         sendmail[name=zimbra-account, dest={{ destmail }}]
+logpath = /opt/zimbra/log/mailbox.log
+bantime = {{ bantime_account }}
+findtime = {{ findtime_account }}
+maxretry = {{ maxretry_account }}
+
+[zimbra-postfix]
+enabled = true
+filter = zimbra-postfix
+action = iptables-allports[name=zimbra-postfix]
+         sendmail[name=zimbra-postfix, dest={{ destmail }}]
+logpath = /var/log/zimbra.log
+bantime = {{ bantime_postfix }}
+findtime = {{ findtime_postfix }}
+maxretry = {{ maxretry_postfix }}
@@ -0,0 +1,73 @@
+# Fail2Ban configuration file
+#
+# Common settings for sendmail actions
+#
+# Users can override the defaults in sendmail-common.local
+
+[INCLUDES]
+
+after = sendmail-common.local
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
+              Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
+              From: <sendername> <<sender>>
+              To: <dest>\n
+              Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on <fq-hostname>
+             Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
+             From: <sendername> <<sender>>
+             To: <dest>\n
+             Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban =
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+
+# Recipient mail address
+#
+dest = {{ destmail }}
+
+# Sender mail address
+#
+sender = {{ sendermail }}
+
+# Sender display name
+#
+sendername = {{ sendername }}
@@ -0,0 +1,36 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# bypass ban/unban for restored tickets
+norestored = 1
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
+            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban" | /opt/zimbra/common/sbin/sendmail <sender> <dest>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
@@ -0,0 +1,5 @@
+[Definition]
+
+failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
+
+ignoreregex =
@@ -0,0 +1,11 @@
+[Definition]
+
+failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
+        \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
+        \;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
+        \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
+        \WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
+        \;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* missing userPassword;$
+        \;oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, invalid password;$
+        \;oip=<HOST>;.* account - Error occurred during authentication: authentication failed for .* ;$
+ignoreregex =
@@ -0,0 +1,3 @@
+---
+- name: Restart Mailbox
+  ansible.builtin.command: sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl restart
@@ -0,0 +1,61 @@
+---
+- name: Vérification de la présence des paramètres d'entrées dans les variables
+  ansible.builtin.fail:
+    msg: |
+      la variable {{ item }} est obligatoire pour
+      utiliser le role set-logo.
+      Veuillez la rajouter dans les host_vars
+  when:
+    - item is not defined
+  loop:
+    - zimbraSkinLogoURL
+    - zimbraSkinLogoAppBanner
+    - zimbraSkinLogoLoginBanner
+
+## zimbraSkinLogoURL
+- name: Récup param - zmprov gacf zimbraSkinLogoURL
+  ansible.builtin.shell: |
+    set -e -o pipefail
+    /opt/zimbra/bin/zmprov gacf zimbraSkinLogoURL | awk '{print $2}'
+  register: gcf
+  changed_when: false
+  args:
+    executable: /bin/bash
+
+- name: Set param - zmprov mcf zimbraSkinLogoURL
+  ansible.builtin.command: "/opt/zimbra/bin/zmprov mcf zimbraSkinLogoURL {{ zimbraSkinLogoURL }}"
+  when: gcf.stdout != zimbraSkinLogoURL
+  notify:
+    - Restart Mailbox
+
+## zimbraSkinLogoAppBanner
+- name: Get param - zmprov gacf zimbraSkinLogoAppBanner
+  ansible.builtin.shell: |
+    set -e -o pipefail
+    /opt/zimbra/bin/zmprov gacf zimbraSkinLogoAppBanner | awk '{print $2}'
+  register: gcf
+  changed_when: false
+  args:
+    executable: /bin/bash
+
+- name: Set param - zmprov mcf zimbraSkinLogoAppBanner
+  ansible.builtin.command: "/opt/zimbra/bin/zmprov mcf zimbraSkinLogoAppBanner {{ zimbraSkinLogoAppBanner }}"
+  when: gcf.stdout != zimbraSkinLogoAppBanner
+  notify:
+    - Restart Mailbox
+
+## zimbraSkinLogoLoginBanner
+- name: Get param - zmprov gacf zimbraSkinLogoLoginBanner
+  ansible.builtin.shell: |
+    set -e -o pipefail
+    /opt/zimbra/bin/zmprov gacf zimbraSkinLogoLoginBanner | awk '{print $2}'
+  register: gcf
+  changed_when: false
+  args:
+    executable: /bin/bash
+
+- name: Set param - zmprov mcf zimbraSkinLogoLoginBanner
+  ansible.builtin.command: "/opt/zimbra/bin/zmprov mcf zimbraSkinLogoLoginBanner {{ zimbraSkinLogoLoginBanner }}"
+  when: gcf.stdout != zimbraSkinLogoLoginBanner
+  notify:
+    - Restart Mailbox
@@ -0,0 +1,63 @@
+---
+- name: Check input variable
+  ansible.builtin.fail:
+    msg: |
+      la variable zimbraMailDomain est obligatoire pour
+      utiliser le role set-logo.
+      Veuillez la rajouter dans les host_vars
+  when:
+    - zimbraMailDomain is not defined
+
+- name: Check param - zmprov gd zimbraPublicServiceHostname
+  ansible.builtin.shell: |
+    set -e -o pipefail
+    /opt/zimbra/bin/zmprov gd {{ zimbraMailDomain }} zimbraPublicServiceHostname | sed -n 2p | awk '{print $2}'
+  register: zps_hostname
+  changed_when: false
+  args:
+    executable: /bin/bash
+
+- name: Stop run if zimbraPublicServiceHostname param not set
+  ansible.builtin.fail:
+    msg: |
+      Veuillez d'abord renseigner
+      la configuration zimbraPublicServiceHostname
+      du domaine {{ zimbraMailDomain }}
+  when:
+    - zps_hostname.stdout == ""
+
+- name: Check param - zmprov gd zimbraPublicServiceProtocol
+  ansible.builtin.shell: |
+    set -e -o pipefail
+    /opt/zimbra/bin/zmprov gd {{ zimbraMailDomain }} zimbraPublicServiceProtocol | sed -n 2p | awk '{print $2}'
+  register: zps_protocol
+  changed_when: false
+  args:
+    executable: /bin/bash
+
+- name: Stop run if zimbraPublicServiceProtocol param not set
+  ansible.builtin.fail:
+    msg: |
+      Veuillez d'abord renseigner
+      la configuration zimbraPublicServiceProtocol
+      du domaine {{ zimbraMailDomain }}
+  when:
+    - zps_protocol.stdout == ""
+
+- name: Check param - zmprov gd zimbraPublicServicePort
+  ansible.builtin.shell: |
+    set -e -o pipefail
+    /opt/zimbra/bin/zmprov gd {{ zimbraMailDomain }} zimbraPublicServicePort | sed -n 2p | awk '{print $2}'
+  register: zps_port
+  changed_when: false
+  args:
+    executable: /bin/bash
+
+- name: Stop run if zimbraPublicServicePort param not set
+  ansible.builtin.fail:
+    msg: |
+      Veuillez d'abord renseigner
+      la configuration zimbraPublicServicePort
+      du domaine {{ zimbraMailDomain }}
+  when:
+    - zps_port.stdout == ""
@@ -0,0 +1,11 @@
+---
+- name: Check required parameters
+  include_tasks: check_param.yml
+
+- name: Set zextras login page
+  ansible.builtin.command: "/opt/zimbra/bin/zmprov
+    md {{ zimbraMailDomain }} \
+    zimbraAuthMech custom:zx \
+    zimbraWebClientLoginURL /zx/login/page/?domain={{ zimbraMailDomain }} \
+    zimbraWebClientLogoutURL /zx/auth/logout/"
+  changed_when: true
@@ -0,0 +1,24 @@
+---
+- name: Vérification de la présence des paramètres d'entrées dans les variables
+  ansible.builtin.fail:
+    msg: |
+      la variable {{ item }} est obligatoire pour
+      utiliser le role set-logo.
+      Veuillez la rajouter dans les host_vars
+  when:
+    - item is not defined
+  loop:
+    - zimbraSkinLoginBackgroundImage
+
+- name: Get param - zxsuite auth loginPage getBackgroundImage global
+  ansible.builtin.shell: |
+    set -e -o pipefail
+    /opt/zimbra/bin/zxsuite auth loginPage getBackgroundImage global
+  register: logo_path
+  changed_when: false
+  args:
+    executable: /bin/bash
+
+- name: Set param - zxsuite auth loginPage setBackgroundImage
+  ansible.builtin.command: "/opt/zimbra/bin/zxsuite auth loginPage setBackgroundImage global {{ zimbraSkinLoginBackgroundImage }}"
+  when: logo_path.stdout != zimbraSkinLoginBackgroundImage
@@ -0,0 +1,25 @@
+---
+- name: Vérification de la présence des paramètres d'entrées dans les variables
+  ansible.builtin.fail:
+    msg: |
+      la variable {{ item }} est obligatoire pour
+      utiliser le role set-logo.
+      Veuillez la rajouter dans les host_vars
+  when:
+    - item is not defined
+  loop:
+    - zimbraMailDomain
+    - zimbraSkinLogoLoginBanner
+
+- name: Get param - zxsuite auth loginPage getLogo
+  ansible.builtin.shell: |
+    set -e -o pipefail
+    /opt/zimbra/bin/zxsuite auth loginPage getLogo domain {{ zimbraMailDomain }}
+  register: logo_path
+  changed_when: false
+  args:
+    executable: /bin/bash
+
+- name: Set param - zxsuite auth loginPage setLogo
+  ansible.builtin.command: "/opt/zimbra/bin/zxsuite auth loginPage setLogo domain {{ zimbraMailDomain }} {{ zimbraSkinLogoLoginBanner }}"
+  when: logo_path.stdout != zimbraSkinLogoLoginBanner
@@ -0,0 +1,3 @@
+---
+- name: Restart Mailbox
+  ansible.builtin.command: sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl restart
@@ -0,0 +1,19 @@
+---
+- name: Check if Zextras theme is present
+  ansible.builtin.stat:
+    path: /opt/zimbra/jetty/webapps/zimbra/skins/zextras/zextras.css
+  register: zextras_theme_present
+
+- name: Download Zextras Theme Installer
+  ansible.builtin.unarchive:
+    src: http://download.zextras.com/zextras-theme-installer/latest/zextras-theme-ubuntu.tgz
+    dest: /tmp/
+    remote_src: true
+  when: not zextras_theme_present.stat.exists
+
+- name: Install le theme zextras
+  ansible.builtin.apt:
+    deb: "/tmp/zextras-theme-installer/packages/zextras-theme_1.0.1_amd64.deb"
+  when: not zextras_theme_present.stat.exists
+  notify:
+    - Restart Mailbox
@@ -0,0 +1,5 @@
+---
+- name: Update et upgrade package system Ubuntu
+  ansible.builtin.apt:
+    update_cache: yes
+    upgrade: yes
				`@@ -0,0 +1 @@`
				`ansible_python_interpreter: /usr/bin/python3`