sgratias/semaphore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Huge Push for swarm mode

Browse Source
This commit is contained in:
sgratias
2024-07-12 18:28:44 +02:00
parent 5471abe521
commit dd6dbdf702
17 changed files with 325 additions and 663 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -2,4 +2,5 @@ backup/
scaleway/ scaleway/
.vagrant/ .vagrant/
ressources ressources
SecLists/ SecLists/
scan/

2
backup.yml
View File

@@ -78,7 +78,7 @@
- /opt/dockerapps/appdata/bind/config/named.conf - /opt/dockerapps/appdata/bind/config/named.conf
- /opt/dockerapps/appdata/bind/records/example.com.zone - /opt/dockerapps/appdata/bind/records/example.com.zone
- /opt/dockerapps/appdata/bind/records/jingoh.private.zone - /opt/dockerapps/appdata/bind/records/jingoh.private.zone
# crowdsec #! crowdsec
- /opt/dockerapps/appdata/crowdsec/crowdsec/parsers/s01-parse/tcpudp-flood-traefik.yaml - /opt/dockerapps/appdata/crowdsec/crowdsec/parsers/s01-parse/tcpudp-flood-traefik.yaml
- /opt/dockerapps/appdata/crowdsec/crowdsec/acquis.yaml - /opt/dockerapps/appdata/crowdsec/crowdsec/acquis.yaml
- /opt/dockerapps/appdata/crowdsec/dashboard/docker/Dockerfile - /opt/dockerapps/appdata/crowdsec/dashboard/docker/Dockerfile

134
host_vars/ovh01.yml
View File

@@ -1,130 +1,6 @@
# --- ---
# #* DOCKER docker_swarm_addr: 100.96.125.190
# docker_install_compose: true docker_swarm_interface: wt0
# pip_executable: pip3 pip_install_packages:
- docker
# #*PIP
# pip_install_packages:
# - docker-compose
# #* SSH
# #ssh_listen_to: "{{ host_private_address }}"
# #* USERS
# management_user_list:
# - name: admin
# shell: '/bin/bash'
# authorized_keys:
# - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE= stephane"
# exclusive: yes
# sudo:
# hosts: ALL
# as: ALL
# commands: ALL
# nopasswd: ALL
# #* FIREWALL
# firewall_allowed_tcp_ports:
# - "22"
# - "80"
# - "443"
# - "9100"
# - "9090"
# - "3000"
# - "9323"
# #* NETBIRD
# netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED
# netbird_register: true
# #* TLS
# node_exporter_tls_server_config:
# cert_file: /etc/node_exporter/tls.cert
# key_file: /etc/node_exporter/tls.key
# #* NODE_EXPORTER
# # node_exporter_basic_auth_users:
# # randomuser: examplepassword
# node_exporter_web_listen_address: "{{ host_private_address }}:9100"
# #* PROMETHEUS
# prometheus_web_listen_address: "{{ host_private_address }}:9090"
# prometheus_scrape_configs:
# - job_name: "prometheus" # Custom scrape job, here using `static_config`
# metrics_path: "/metrics"
# static_configs:
# - targets:
# - "{{ host_private_address }}:9090"
# - job_name: "node1"
# scheme: https # Custom scrape job, here using `static_config`
# metrics_path: "/metrics"
# tls_config:
# ca_file: "{{ node_exporter_tls_server_config.cert_file }}"
# static_configs:
# - targets:
# - "{{ ansible_hostname }}.netbird.cloud:9100"
# - job_name: "node2"
# scheme: https # Custom scrape job, here using `static_config`
# metrics_path: "/metrics"
# tls_config:
# ca_file: "/etc/node_exporter/tls_scaleway.cert"
# static_configs:
# - targets:
# - "scaleway.netbird.cloud:9100"
# # - "{{ host_private_address }}:9100"
# - job_name: "git"
# scheme: https # Custom scrape job, here using `static_config`
# metrics_path: "/metrics"
# static_configs:
# - targets:
# - "gitea.jingoh.fr"
# - job_name: "publicservicediscovery"
# metrics_path: "/metrics"
# basic_auth:
# username: 'jingohtraf'
# password: 'FSzmSLr#6i9M#d'
# scheme: https
# file_sd_configs:
# - files:
# - "{{ prometheus_config_dir }}/file_sd/node.yml" # This line loads file created from `prometheus_targets`
# prometheus_targets:
# node: # This is a base file name. File is located in "{{ prometheus_config_dir }}/file_sd/<<BASENAME>>.yml"
# - targets: #
# - "traefik.jingoh.fr"
# #* GRAFANA
# grafana_address: "{{ host_private_address }}"
# install_grafana__protocol: "https"
# install_grafana__http_addr: "{{ host_private_address }}"
# install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud"
# inv_install_grafana__cert_file: "{{ node_exporter_tls_server_config.cert_file }}"
# inv_install_grafana__cert_key: "{{ node_exporter_tls_server_config.key_file }}"
# # ##########
# # # CHISEL #
# # ##########
# # chisel_server: false
# # chisel_client_server_url: "{{ chisel_server_host }}:8080"
# # chisel_client_remotes: "R:{{ chisel_server_host }}:socks"
# # chisel_service_name: chisel-client
# # chisel_config_name: chisel-client
# # chisel_conf:
# # # chisel enable auth and finder
# # - path: "/etc/chisel/{{ chisel_config_name }}.conf"
# # regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
# # state: present
# # line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
# # - path: "/etc/chisel/{{ chisel_config_name }}.conf"
# # regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}"
# # state: present
# # line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}"

6
host_vars/scale01.yml Normal file
View File

@@ -0,0 +1,6 @@
---
docker_swarm_addr: 100.96.212.100
docker_swarm_interface: wt0
pip_install_packages:
- docker

25
host_vars/ubuntu-worker.yml
View File

@@ -1,25 +0,0 @@
---
kubernetes_version: 1.28
kubernetes_role: node
kubernetes_alias_bashrc:
- path: "/root/.bashrc"
regexp: "^source /usr/share/bash-completion/bash_completion"
state: present
line: "source /usr/share/bash-completion/bash_completion"
- path: "/root/.bashrc"
regexp: "^source /etc/bash_completion"
state: present
line: "source /etc/bash_completion"
- path: "/root/.bashrc"
regexp: "^source <(kubectl completion bash)"
state: present
line: "source <(kubectl completion bash)"
- path: "/root/.bashrc"
regexp: "^alias k=kubectl"
state: present
line: "alias k=kubectl"
- path: "/root/.bashrc"
regexp: "^complete -F __start_kubectl k"
state: present
line: "complete -F __start_kubectl k"

96
host_vars/ubuntu.yml
View File

@@ -1,96 +0,0 @@
---
# elasticstack_ca_pass: setuppassword
elasticsearch_api_host: 192.168.0.26
elasticsearch_http_publish_host: 192.168.0.26
elasticsearch_network_host: 192.168.0.26
elasticsearch_ssl_verification_mode: none
# logstash_elasticsearch: 192.168.0.26
#* USERS
management_user_list:
- name: admin
shell: '/bin/bash'
authorized_keys:
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE= stephane"
exclusive: yes
sudo:
hosts: ALL
as: ALL
commands: ALL
nopasswd: ALL
#* FIREWALL
firewall_allowed_tcp_ports:
- "22"
- "80"
- "443"
- "9100"
- "9090"
- "3000"
#* NETBIRD
netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED
netbird_register: true
#* TLS
node_exporter_tls_server_config:
cert_file: /etc/node_exporter/tls.cert
key_file: /etc/node_exporter/tls.key
#* NODE_EXPORTER
# node_exporter_basic_auth_users:
# randomuser: examplepassword
node_exporter_web_listen_address: "{{ host_private_address }}:9100"
#* PROMETHEUS
prometheus_web_listen_address: "{{ host_private_address }}:9090"
prometheus_scrape_configs:
- job_name: "prometheus" # Custom scrape job, here using `static_config`
metrics_path: "/metrics"
static_configs:
- targets:
- "{{ host_private_address }}:9090"
- job_name: "node1"
scheme: https # Custom scrape job, here using `static_config`
metrics_path: "/metrics"
tls_config:
ca_file: "{{ node_exporter_tls_server_config.cert_file }}"
static_configs:
- targets:
- "{{ ansible_hostname }}.netbird.cloud:9100"
# - "{{ host_private_address }}:9100"
- job_name: "git"
scheme: https # Custom scrape job, here using `static_config`
metrics_path: "/metrics"
static_configs:
- targets:
- "gitea.jingoh.fr"
- job_name: "publicservicediscovery"
metrics_path: "/metrics"
basic_auth:
username: 'jingohtraf'
password: 'FSzmSLr#6i9M#d'
scheme: https
file_sd_configs:
- files:
- "{{ prometheus_config_dir }}/file_sd/node.yml" # This line loads file created from `prometheus_targets`
prometheus_targets:
node: # This is a base file name. File is located in "{{ prometheus_config_dir }}/file_sd/<<BASENAME>>.yml"
- targets: #
- "traefik.jingoh.fr"
#* GRAFANA
grafana_address: "{{ host_private_address }}"
install_grafana__protocol: "https"
install_grafana__http_addr: "{{ host_private_address }}"
install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud"
inv_install_grafana__cert_file: "{{ node_exporter_tls_server_config.cert_file }}"
inv_install_grafana__cert_key: "{{ node_exporter_tls_server_config.key_file }}"

6
host_vars/v1.yml Normal file
View File

@@ -0,0 +1,6 @@
---
docker_swarm_addr: 192.168.56.4
docker_swarm_interface: eth1
pip_install_packages:
- docker

5
host_vars/v2.yml Normal file
View File

@@ -0,0 +1,5 @@
---
docker_swarm_addr: 192.168.56.40
docker_swarm_interface: eth1
pip_install_packages:
- docker

316
host_vars/vagrant.yml
View File

@@ -1,316 +0,0 @@
docker_install_compose: false
# kubernetes_config_kubelet_configuration:
# cgroupDriver: systemd
kubernetes_version: 1.28
kubernetes_apiserver_advertise_address: 192.168.33.10
kubernetes_load_balancer_public_ip: 192.168.33.11
kubernetes_pod_network:
# Flannel CNI.
cni: 'flannel'
cidr: '10.244.0.0/16'
# containerd_config_systemd: true
# containerd_config_disabled_cgroups: true
# kubernetes_ignore_preflight_errors: null
# kubernetes_kubeadm_init_extra_opts:
# - "--pod-network-cidr=10.244.0.0/16"
# - "--control-plane-endpoint=192.168.33.10"
# kubernetes_namespaces:
# - apiVersion: v1
# kind: Namespace
# metadata:
# name: argocd
# kubernetes_namespace: toto
kubernetes_argocd_objects:
- namespace: argocd
kind: Secret
definition:
- apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZsVENDQTMwQ0ZHZ1grMjdlSkJObVRVVDhUcjRsZEdUR0l4SzlNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1JR0cKTVFzd0NRWURWUVFHRXdKR1VqRVBNQTBHQTFVRUNBd0dSbkpoYm1ObE1RNHdEQVlEVlFRSERBVlFZWEpwY3pFTgpNQXNHQTFVRUNnd0VWRVZUVkRFTk1Bc0dBMVVFQ3d3RVZFVlRWREViTUJrR0ExVUVBd3dTWVhKbmIyTmtMblJ5CllXVm1hV3N1Ym1WME1Sc3dHUVlKS29aSWh2Y05BUWtCRmd4dWIyTkFkR1Z6ZEM1amIyMHdIaGNOTWpNd09ETXcKTVRVek9UUXpXaGNOTWpNd09USTVNVFV6T1RReldqQ0JoakVMTUFrR0ExVUVCaE1DUmxJeER6QU5CZ05WQkFnTQpCa1p5WVc1alpURU9NQXdHQTFVRUJ3d0ZVR0Z5YVhNeERUQUxCZ05WQkFvTUJGUkZVMVF4RFRBTEJnTlZCQXNNCkJGUkZVMVF4R3pBWkJnTlZCQU1NRW1GeVoyOWpaQzUwY21GbFptbHJMbTVsZERFYk1Ca0dDU3FHU0liM0RRRUoKQVJZTWJtOWpRSFJsYzNRdVkyOXRNSUlDSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQWc4QU1JSUNDZ0tDQWdFQQozcVhnNU1JM1Q4OGNiKzRHem9ENmI4eUs4YnplVlh5ZmUwcDVGcjBNbFlOSjNqai9GbXE1dzZ4akZTcUo0NTR3CnRSWkJUSEFIUnNTNlJFZHFSay8xdGNyV2s1ZStNbHhqamtqd3pXOS9kNW5CRER4MWRkL0VPVDA2MTY4RlorWkwKeGNseDFSVlN3L3Q3UmxlQTFJYTF5dmZRcnJXV2V0Qm9BQXZaeG1YVmtTK0tjUTl0ZXRudnFDUUJ2eDJVdTgxUgpaME9SeTN1U3doTUlRUlh5NzdvanM4MEN1ZjlQU0ZzRmUrUnZjQU5tVDlqZjNwYy9LNjRsME5WK0VqU3Biekp6ClFRL1BxdHR2NUFtck1JNFNEcGs4VWtKY3hHY09ZZ3BBV2hOK3Nzc0lHSnFBYlQyWjVWTExhdnp3STBsZlEweUgKMWtmQ2FqZ1FrTW5nOG51aTAxMzdGRkZmVjVPVGZkMTh2T2wxTlRIOVc2Q1d6eW5abXc5VGxBdVF1YWl1dFRtTwptU2VmOW9hbElhc2RnZVQ2WUprMzRuRWQwSEhJcFZFcWlhUHZXZlVzSlJHbldTWWRTWWd1UklFaDhTbDFJVy9PCldKUmNua2VrZmJxaTRCZ2pYR295TTJnQTBCWDNRcHVSOXMvZUdrWnVrWW8vQmRnczNORFB0OEYwYWFvemlYVEcKU2pXQVpOU3VKRHhwdWJ6WFNVMWtpa2pQUDM5aXJrOXVOZzlBbkZNUzNzak1CZEVyZmdybld6RE5SNzF0K0lLQgo1RTRrYklPdGlVbXp4MlFzVGdQNkhXTFJQd0pjT0pXWVVkYXBKTFJJb2J1VTUrdWhwaU9tSk9rK20wUnkzdnJVCkk5VXNhUGc2YndWWWNseWFzR3Q1eXJTRFRmenQxRTBvc1FTcldxTllzejhDQXdFQUFUQU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBZ0VBcWNPNVA5YStwZnZ4VXZXS1N0ZVduYXIzVVhUQzlQa3JYTW8zYzFZNWdSUmJSZTUzOTUwbApEYVZYQ1UxR25FN3ZoQndtTUdycmFZOXFJRlZRZUNvRDBBd05HZURnL2s2QkJqWXNCZ2k3eVhyUnhBVnFyY3BNCjMrb2tvTzR6a29JVnNLSUVwSG1nVzJIckFUSjBBMWRxazZSUENXZ2RPY0JqZUhocldXZWNDeHpvSk5TdkNhd1cKZmpsNkg5c2NKT3lZS01za3lYTldBb2xQTkxkTHpsL3hDTFVPdTZUREYySGdHSWpHZmdIbW9kYUpuVUJYNXU1QwpTaGxOd1Z2U2pMWUY3QTVEWlF6aHBzTzgyZGVMZVFPeGxwZ2hUcFE1UC95MU5PWXJ0dDAxeVZBTkFnRFgySkVXCjRVK1k5VERoVGVWM3VMRmU0OHpEazBtTms5WDRWb0NyQWhOVnJMNmFxN2pMWUtuNCtjUWFlMWFiaXhaMVVKUkgKVDJDV0dybnUrRTN4R09GdWNlSytCT2NJRGNZRjVVcFdMYTFVOUxUTXRKMFN2bkh4dnAxZHgyKzN4VzdVS2RURApOc0xzcG4wSXRiUzR1aFRvZEdpQUZUSEMxMTZlUE5OT2RXNjlDVGVGa2dQaVJRcFcwY0VGZ1NVc0ZDcGFFbUpECnp1YUVYeWN1SE8zVGJsTCtIUFoxcEQ5U0FyZHFRMlR4Z2V6MW55eHM5MERuTldDcjl3QjhWRE53S084ekVzNzIKYVNJTFE1Ym0zeVFEanI5QVVFUVFpSWNscUJlcTVGTW9aNFpFOC9TTFlLdmJMR3hZY3d2ckxuNTZJVFBCdmxUcApVamdkYXFBR2NtUDV1azlPRStQdjJiTmJldEFGTUZUZG0wQ1pqUEcvMjB3dHNhUjRDRzB2MVFjPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRRGVwZURrd2pkUHp4eHYKN2diT2dQcHZ6SXJ4dk41VmZKOTdTbmtXdlF5VmcwbmVPUDhXYXJuRHJHTVZLb25qbmpDMUZrRk1jQWRHeExwRQpSMnBHVC9XMXl0YVRsNzR5WEdPT1NQRE5iMzkzbWNFTVBIVjEzOFE1UFRyWHJ3Vm41a3ZGeVhIVkZWTEQrM3RHClY0RFVoclhLOTlDdXRaWjYwR2dBQzluR1pkV1JMNHB4RDIxNjJlK29KQUcvSFpTN3pWRm5RNUhMZTVMQ0V3aEIKRmZMdnVpT3p6UUs1LzA5SVd3Vjc1Rzl3QTJaUDJOL2VsejhycmlYUTFYNFNOS2x2TW5OQkQ4K3EyMi9rQ2FzdwpqaElPbVR4U1FsekVadzVpQ2tCYUUzNnl5d2dZbW9CdFBabmxVc3RxL1BBalNWOURUSWZXUjhKcU9CQ1F5ZUR5CmU2TFRYZnNVVVY5WGs1TjkzWHk4NlhVMU1mMWJvSmJQS2RtYkQxT1VDNUM1cUs2MU9ZNlpKNS8yaHFVaHF4MkIKNVBwZ21UZmljUjNRY2NpbFVTcUpvKzlaOVN3bEVhZFpKaDFKaUM1RWdTSHhLWFVoYjg1WWxGeWVSNlI5dXFMZwpHQ05jYWpJemFBRFFGZmRDbTVIMno5NGFSbTZSaWo4RjJDemMwTSszd1hScHFqT0pkTVpLTllCazFLNGtQR201CnZOZEpUV1NLU004L2YyS3VUMjQyRDBDY1V4TGV5TXdGMFN0K0N1ZGJNTTFIdlczNGdvSGtUaVJzZzYySlNiUEgKWkN4T0Evb2RZdEUvQWx3NGxaaFIxcWtrdEVpaHU1VG42NkdtSTZZazZUNmJSSExlK3RRajFTeG8rRHB2QlZoeQpYSnF3YTNuS3RJTk4vTzNVVFNpeEJLdGFvMWl6UHdJREFRQUJBb0lDQVFDWWYxVkNXaVE0YmNzMGZ2djZoUzBEClZqMzB4VUFqblhBK3FndTJIMVozTWExdW4rdFlGMUdWVElXeEFhbmdWWUZYQng5Q2s1am9SK2FzeloxaysyOTQKVEs0YitWczBjME5kT1doMXpXQ3BNbzZmS3VucENwTUVBWVJFSm9TMVhXK1kwUmsrc1pRMjJCRGZaUi9BY1dRaQoyUW4rSURJcGZJVS9RdDZ1blNGaWlBVnkydlpKcHV3WFpsSXI3TDdxd3Y1MmxEbFAvaHZQQWVvdGFqTXpMM00wCnU3NmFWdHllMm5rdkdvK1pVVHJLaGVrUU5OZjN1eGY3cWI3b0NWbmo1OUk1UmZNZk81MnZ1MCtkdWpGei9sRHEKcHJtVGJHTFZrOS92MGxwOWE4TG4xeXNQcDVtNUVMUnpXenUvYjRub05vcnpvY0x2cmVicXhOdG1PbmlUL1ZMeQptRERZbUxrbUY2WkwwMnRpVWFOajlTY05iYjh2bGdHb0M4ek14bjBFMWtZVDJ0bHFFbEppK05LN2dlczlyWHJqCkdiYWVxTWF1YnNWb0xLNGFsNGlSOE1LWjErV3UyTkNuWjIzSlpvYzJTdFFPRWtNRmFJeENPYWp4VWRMeTZkS2UKNk9HS0RYUXUvTFludHFnM2hpenhCbW83T3RmWC9rTitxWlU2Z09kMy92TE1FSk5XYkdPVHdaKzUySUl4bEVTSwpXR2JiL1FXOEcrMXFtelViUDFDZy9yRkRJWmY0OU40cWFuYTBFeHFjcDZkWk5YRU9YL1d0aWNlRXM4K0ZqNnZWCkVSMUorNHpWRVpMeGNCVC9aMC9hOHozenBuWWVabDFMYkhzQ0Q3RCt6VGRwS3E0bStlQkFiMWNQT2V5czF0RW4Kd2dwbG5vYk5DM2VBdkd3MjRubUtBUUtDQVFFQSt6bmN5RW9kNmVBbDNBc0YwTkNtVTI1bEFHVEdLVVlsSy9LdgorWGFPMnVGOFNLeEV3YVVPUzFicGU4TnNzamoyTGpucHkrQ1UzVW9OZExXUDhuc3hrZlpFbDB0a0MwWHU4UzU4Ck5TWjJkWG9MMEdBU0FtcDRsQTFDazBJeUg3ekxPajJBOGhlazRMUWRNemo0RHVSZjFYN1RRVzRhanMzQjJhSTIKSjlZN0cxaEFBV0dUMFR4Z0E2Y3dkUnZRbTNhczZoWCthZzZiaGE0YjQ3ejBxaHdaZ01aUnVSeGdEL2ZjbDVxVwphSmcvOGVsdjVMT1Y3UUpud2d4WTBJSmtocWdYU0JEZXprd2pvQ1FuWXdlYTlZSmlOK3Vrbnd0b3Btb2pEaWJXCkMzR0tjb3plY2ZYV3B1a3FocGkvcUIyeDhxclNVaTMyaVZKbjNRenY5YVJjeFZ2RUlRS0NBUUVBNHVEK0Y4b0wKQ2lBUGZlSlQ1WFFmNEtVdTlabTJLZU9tNmtRUURadEYrQXk2M1NSOEYvZFV5Qlk3T0FuVkRsSXZRZmZLaS9ZVApWMjVLNWQ4QUN5ak1lMnczeEJFTVVyVWtZT0hpK2ZZVk9kNytaRm5hTFU5UG56NWRMQ2t0OVpDdnNzR2FzMGdwCm5DMXdtaUxYQ1dOSDUvZjh1UW1STFM3VHY5VHFWb0lIWGNzNzNwK0hnNEJkbFFuclI5aWRITDlLTThpeUtpdEgKU3VlMmVmMkc5N0Nrek9uL3VUQUxKNzV6dkhXaDVtS1EwQlVNLzhMWmdMTXMyUkN5V3lnQ3hTdmF4MHBmYkVkMwplTGRETldoclBreXc2MmdTVVpoeXRTWXdQdmxraDFOSDI5OTc4VlovMXVrdlBJRXpVTHNCUjkxWm96NjJ0ZXVRCjFWNkdVVDcvK1MyTFh3S0NBUUI1WUJCQ0dFVHhqS0RkK2RsYWRLUVhKUHZaUDliWmRCRmJkVW45M1lEUlVTV0oKdXVrUklaeVJXN0U4WVVOdnE4T011K0F2NXhZay83VVdrTzIxK2owTnh3eUdpQjhTcnp2cy9FZDRLbGdMRStjSApTcE1JNWNYUnljSkRnVFRVVHBObFZQZXFmeS9pZkVLclQ3ZlJBaGNtLzdvekgyM25WcE4wZ1VGbTU4THd5Q2RNClE0ZDJESlJhejNqQzY2aFNvL2lRdEFXUjJmTGJtQzNUVHFScVYxOGU3ekhtbkVYeEVSQmJrbzFlaFVoSHFUK3QKSC9Lc2FvQVVxWUJ6Wkx3S3JzVm94UFhRZDhxeWdTVWlYRGRLckM2bDA4eGFKdG50cE5QQTc1UjBQT3Zsd2hkcQp1WnAyVTZwL0V1ZHQ0c0xwZWd4Wk5lbXBtTTJqWjYrN1h5aVBGWEhoQW9JQkFDM052SjZ5NUoycnNWVDV6M1JBCmlIc0Mva01KUUZTZXFFRWRjcHc4bjlpZlFVNktJaDk0aUg1SXRyWHVqanZ3N2FlRXpqaUplb2dwTlNmSmFLblkKRjhoSEpjOEluaE5Jak1xZWNBT0U0ZTRvRGZYV2lneWh1WEp0MWNPbm9LYTJDakt0a1h6bWNiZ2RHR0dWN1JIeApJRUE5dWFEbHhKQjVwcmhRMU9xWUg4S1kyRUp1dEo0ZzJVUFFsOWFPYmRHeThOa1ppSmFvM0NETVBQUE44bVNwCkhleGN4WXJ1bnlIcitsT3U3L3VpSkpoTjE2eisrb2hZSkJMQ295OXlHWFVURUgweGo2ZzltV29lbll2M3c4YjEKRnJhLzhRcldHenBsTmxKUWFUSkU1dm9GMlhEMHhLUnZ1V0NldU94d2hLYXNrbjg1bHd1TlBsVkZXeHFsL0dtaQovME1DZ2dFQkFPazAwQlpJRWt3MTd6cERlTW53a1JQMURTblAyN0RwN3E4bnRNREplYW0vUGY5Ynk0ZkczSG9VCk12eXRubmlhN0F5SHl4TXJWN2plQVNjVCt5aVJJdXlmcUM5aGNTTU5RK0pxODVyN3pxNnE3VHZBWGRkeWJnUkgKUzR4Y3ByWG1VNVI4dGkyekVtUFpiOFRZOFFGdHNLTTdyaUtkcndCK3JpRGVYWkpTTVRQWXM3NTMwT3Vmc1BPRgpEM0VydlZweE9DTGROL0ZxWW42TFBrRUpNSXluNUZBekpqSXRRSTJuOGRIMlNRdEU1UjlyV1ZsSkNjYndicVh0Ck01UVFLODkyM0V5KzFwWUxOZXQ5Vmo0cUs1NHA0YWtiUFkwUTROeTlZZjdxek5LUjYxcDdZWkZXL29icmY2R0sKS0J2TWFsNlhRSktlOHJkNEFiMkVyOEQyQnBDc3E1dz0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
metadata:
name: cert-argocd
namespace: argocd
type: kubernetes.io/tls
- apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZsVENDQTMwQ0ZHZ1grMjdlSkJObVRVVDhUcjRsZEdUR0l4SzlNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1JR0cKTVFzd0NRWURWUVFHRXdKR1VqRVBNQTBHQTFVRUNBd0dSbkpoYm1ObE1RNHdEQVlEVlFRSERBVlFZWEpwY3pFTgpNQXNHQTFVRUNnd0VWRVZUVkRFTk1Bc0dBMVVFQ3d3RVZFVlRWREViTUJrR0ExVUVBd3dTWVhKbmIyTmtMblJ5CllXVm1hV3N1Ym1WME1Sc3dHUVlKS29aSWh2Y05BUWtCRmd4dWIyTkFkR1Z6ZEM1amIyMHdIaGNOTWpNd09ETXcKTVRVek9UUXpXaGNOTWpNd09USTVNVFV6T1RReldqQ0JoakVMTUFrR0ExVUVCaE1DUmxJeER6QU5CZ05WQkFnTQpCa1p5WVc1alpURU9NQXdHQTFVRUJ3d0ZVR0Z5YVhNeERUQUxCZ05WQkFvTUJGUkZVMVF4RFRBTEJnTlZCQXNNCkJGUkZVMVF4R3pBWkJnTlZCQU1NRW1GeVoyOWpaQzUwY21GbFptbHJMbTVsZERFYk1Ca0dDU3FHU0liM0RRRUoKQVJZTWJtOWpRSFJsYzNRdVkyOXRNSUlDSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQWc4QU1JSUNDZ0tDQWdFQQozcVhnNU1JM1Q4OGNiKzRHem9ENmI4eUs4YnplVlh5ZmUwcDVGcjBNbFlOSjNqai9GbXE1dzZ4akZTcUo0NTR3CnRSWkJUSEFIUnNTNlJFZHFSay8xdGNyV2s1ZStNbHhqamtqd3pXOS9kNW5CRER4MWRkL0VPVDA2MTY4RlorWkwKeGNseDFSVlN3L3Q3UmxlQTFJYTF5dmZRcnJXV2V0Qm9BQXZaeG1YVmtTK0tjUTl0ZXRudnFDUUJ2eDJVdTgxUgpaME9SeTN1U3doTUlRUlh5NzdvanM4MEN1ZjlQU0ZzRmUrUnZjQU5tVDlqZjNwYy9LNjRsME5WK0VqU3Biekp6ClFRL1BxdHR2NUFtck1JNFNEcGs4VWtKY3hHY09ZZ3BBV2hOK3Nzc0lHSnFBYlQyWjVWTExhdnp3STBsZlEweUgKMWtmQ2FqZ1FrTW5nOG51aTAxMzdGRkZmVjVPVGZkMTh2T2wxTlRIOVc2Q1d6eW5abXc5VGxBdVF1YWl1dFRtTwptU2VmOW9hbElhc2RnZVQ2WUprMzRuRWQwSEhJcFZFcWlhUHZXZlVzSlJHbldTWWRTWWd1UklFaDhTbDFJVy9PCldKUmNua2VrZmJxaTRCZ2pYR295TTJnQTBCWDNRcHVSOXMvZUdrWnVrWW8vQmRnczNORFB0OEYwYWFvemlYVEcKU2pXQVpOU3VKRHhwdWJ6WFNVMWtpa2pQUDM5aXJrOXVOZzlBbkZNUzNzak1CZEVyZmdybld6RE5SNzF0K0lLQgo1RTRrYklPdGlVbXp4MlFzVGdQNkhXTFJQd0pjT0pXWVVkYXBKTFJJb2J1VTUrdWhwaU9tSk9rK20wUnkzdnJVCkk5VXNhUGc2YndWWWNseWFzR3Q1eXJTRFRmenQxRTBvc1FTcldxTllzejhDQXdFQUFUQU5CZ2txaGtpRzl3MEIKQVFzRkFBT0NBZ0VBcWNPNVA5YStwZnZ4VXZXS1N0ZVduYXIzVVhUQzlQa3JYTW8zYzFZNWdSUmJSZTUzOTUwbApEYVZYQ1UxR25FN3ZoQndtTUdycmFZOXFJRlZRZUNvRDBBd05HZURnL2s2QkJqWXNCZ2k3eVhyUnhBVnFyY3BNCjMrb2tvTzR6a29JVnNLSUVwSG1nVzJIckFUSjBBMWRxazZSUENXZ2RPY0JqZUhocldXZWNDeHpvSk5TdkNhd1cKZmpsNkg5c2NKT3lZS01za3lYTldBb2xQTkxkTHpsL3hDTFVPdTZUREYySGdHSWpHZmdIbW9kYUpuVUJYNXU1QwpTaGxOd1Z2U2pMWUY3QTVEWlF6aHBzTzgyZGVMZVFPeGxwZ2hUcFE1UC95MU5PWXJ0dDAxeVZBTkFnRFgySkVXCjRVK1k5VERoVGVWM3VMRmU0OHpEazBtTms5WDRWb0NyQWhOVnJMNmFxN2pMWUtuNCtjUWFlMWFiaXhaMVVKUkgKVDJDV0dybnUrRTN4R09GdWNlSytCT2NJRGNZRjVVcFdMYTFVOUxUTXRKMFN2bkh4dnAxZHgyKzN4VzdVS2RURApOc0xzcG4wSXRiUzR1aFRvZEdpQUZUSEMxMTZlUE5OT2RXNjlDVGVGa2dQaVJRcFcwY0VGZ1NVc0ZDcGFFbUpECnp1YUVYeWN1SE8zVGJsTCtIUFoxcEQ5U0FyZHFRMlR4Z2V6MW55eHM5MERuTldDcjl3QjhWRE53S084ekVzNzIKYVNJTFE1Ym0zeVFEanI5QVVFUVFpSWNscUJlcTVGTW9aNFpFOC9TTFlLdmJMR3hZY3d2ckxuNTZJVFBCdmxUcApVamdkYXFBR2NtUDV1azlPRStQdjJiTmJldEFGTUZUZG0wQ1pqUEcvMjB3dHNhUjRDRzB2MVFjPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRRGVwZURrd2pkUHp4eHYKN2diT2dQcHZ6SXJ4dk41VmZKOTdTbmtXdlF5VmcwbmVPUDhXYXJuRHJHTVZLb25qbmpDMUZrRk1jQWRHeExwRQpSMnBHVC9XMXl0YVRsNzR5WEdPT1NQRE5iMzkzbWNFTVBIVjEzOFE1UFRyWHJ3Vm41a3ZGeVhIVkZWTEQrM3RHClY0RFVoclhLOTlDdXRaWjYwR2dBQzluR1pkV1JMNHB4RDIxNjJlK29KQUcvSFpTN3pWRm5RNUhMZTVMQ0V3aEIKRmZMdnVpT3p6UUs1LzA5SVd3Vjc1Rzl3QTJaUDJOL2VsejhycmlYUTFYNFNOS2x2TW5OQkQ4K3EyMi9rQ2FzdwpqaElPbVR4U1FsekVadzVpQ2tCYUUzNnl5d2dZbW9CdFBabmxVc3RxL1BBalNWOURUSWZXUjhKcU9CQ1F5ZUR5CmU2TFRYZnNVVVY5WGs1TjkzWHk4NlhVMU1mMWJvSmJQS2RtYkQxT1VDNUM1cUs2MU9ZNlpKNS8yaHFVaHF4MkIKNVBwZ21UZmljUjNRY2NpbFVTcUpvKzlaOVN3bEVhZFpKaDFKaUM1RWdTSHhLWFVoYjg1WWxGeWVSNlI5dXFMZwpHQ05jYWpJemFBRFFGZmRDbTVIMno5NGFSbTZSaWo4RjJDemMwTSszd1hScHFqT0pkTVpLTllCazFLNGtQR201CnZOZEpUV1NLU004L2YyS3VUMjQyRDBDY1V4TGV5TXdGMFN0K0N1ZGJNTTFIdlczNGdvSGtUaVJzZzYySlNiUEgKWkN4T0Evb2RZdEUvQWx3NGxaaFIxcWtrdEVpaHU1VG42NkdtSTZZazZUNmJSSExlK3RRajFTeG8rRHB2QlZoeQpYSnF3YTNuS3RJTk4vTzNVVFNpeEJLdGFvMWl6UHdJREFRQUJBb0lDQVFDWWYxVkNXaVE0YmNzMGZ2djZoUzBEClZqMzB4VUFqblhBK3FndTJIMVozTWExdW4rdFlGMUdWVElXeEFhbmdWWUZYQng5Q2s1am9SK2FzeloxaysyOTQKVEs0YitWczBjME5kT1doMXpXQ3BNbzZmS3VucENwTUVBWVJFSm9TMVhXK1kwUmsrc1pRMjJCRGZaUi9BY1dRaQoyUW4rSURJcGZJVS9RdDZ1blNGaWlBVnkydlpKcHV3WFpsSXI3TDdxd3Y1MmxEbFAvaHZQQWVvdGFqTXpMM00wCnU3NmFWdHllMm5rdkdvK1pVVHJLaGVrUU5OZjN1eGY3cWI3b0NWbmo1OUk1UmZNZk81MnZ1MCtkdWpGei9sRHEKcHJtVGJHTFZrOS92MGxwOWE4TG4xeXNQcDVtNUVMUnpXenUvYjRub05vcnpvY0x2cmVicXhOdG1PbmlUL1ZMeQptRERZbUxrbUY2WkwwMnRpVWFOajlTY05iYjh2bGdHb0M4ek14bjBFMWtZVDJ0bHFFbEppK05LN2dlczlyWHJqCkdiYWVxTWF1YnNWb0xLNGFsNGlSOE1LWjErV3UyTkNuWjIzSlpvYzJTdFFPRWtNRmFJeENPYWp4VWRMeTZkS2UKNk9HS0RYUXUvTFludHFnM2hpenhCbW83T3RmWC9rTitxWlU2Z09kMy92TE1FSk5XYkdPVHdaKzUySUl4bEVTSwpXR2JiL1FXOEcrMXFtelViUDFDZy9yRkRJWmY0OU40cWFuYTBFeHFjcDZkWk5YRU9YL1d0aWNlRXM4K0ZqNnZWCkVSMUorNHpWRVpMeGNCVC9aMC9hOHozenBuWWVabDFMYkhzQ0Q3RCt6VGRwS3E0bStlQkFiMWNQT2V5czF0RW4Kd2dwbG5vYk5DM2VBdkd3MjRubUtBUUtDQVFFQSt6bmN5RW9kNmVBbDNBc0YwTkNtVTI1bEFHVEdLVVlsSy9LdgorWGFPMnVGOFNLeEV3YVVPUzFicGU4TnNzamoyTGpucHkrQ1UzVW9OZExXUDhuc3hrZlpFbDB0a0MwWHU4UzU4Ck5TWjJkWG9MMEdBU0FtcDRsQTFDazBJeUg3ekxPajJBOGhlazRMUWRNemo0RHVSZjFYN1RRVzRhanMzQjJhSTIKSjlZN0cxaEFBV0dUMFR4Z0E2Y3dkUnZRbTNhczZoWCthZzZiaGE0YjQ3ejBxaHdaZ01aUnVSeGdEL2ZjbDVxVwphSmcvOGVsdjVMT1Y3UUpud2d4WTBJSmtocWdYU0JEZXprd2pvQ1FuWXdlYTlZSmlOK3Vrbnd0b3Btb2pEaWJXCkMzR0tjb3plY2ZYV3B1a3FocGkvcUIyeDhxclNVaTMyaVZKbjNRenY5YVJjeFZ2RUlRS0NBUUVBNHVEK0Y4b0wKQ2lBUGZlSlQ1WFFmNEtVdTlabTJLZU9tNmtRUURadEYrQXk2M1NSOEYvZFV5Qlk3T0FuVkRsSXZRZmZLaS9ZVApWMjVLNWQ4QUN5ak1lMnczeEJFTVVyVWtZT0hpK2ZZVk9kNytaRm5hTFU5UG56NWRMQ2t0OVpDdnNzR2FzMGdwCm5DMXdtaUxYQ1dOSDUvZjh1UW1STFM3VHY5VHFWb0lIWGNzNzNwK0hnNEJkbFFuclI5aWRITDlLTThpeUtpdEgKU3VlMmVmMkc5N0Nrek9uL3VUQUxKNzV6dkhXaDVtS1EwQlVNLzhMWmdMTXMyUkN5V3lnQ3hTdmF4MHBmYkVkMwplTGRETldoclBreXc2MmdTVVpoeXRTWXdQdmxraDFOSDI5OTc4VlovMXVrdlBJRXpVTHNCUjkxWm96NjJ0ZXVRCjFWNkdVVDcvK1MyTFh3S0NBUUI1WUJCQ0dFVHhqS0RkK2RsYWRLUVhKUHZaUDliWmRCRmJkVW45M1lEUlVTV0oKdXVrUklaeVJXN0U4WVVOdnE4T011K0F2NXhZay83VVdrTzIxK2owTnh3eUdpQjhTcnp2cy9FZDRLbGdMRStjSApTcE1JNWNYUnljSkRnVFRVVHBObFZQZXFmeS9pZkVLclQ3ZlJBaGNtLzdvekgyM25WcE4wZ1VGbTU4THd5Q2RNClE0ZDJESlJhejNqQzY2aFNvL2lRdEFXUjJmTGJtQzNUVHFScVYxOGU3ekhtbkVYeEVSQmJrbzFlaFVoSHFUK3QKSC9Lc2FvQVVxWUJ6Wkx3S3JzVm94UFhRZDhxeWdTVWlYRGRLckM2bDA4eGFKdG50cE5QQTc1UjBQT3Zsd2hkcQp1WnAyVTZwL0V1ZHQ0c0xwZWd4Wk5lbXBtTTJqWjYrN1h5aVBGWEhoQW9JQkFDM052SjZ5NUoycnNWVDV6M1JBCmlIc0Mva01KUUZTZXFFRWRjcHc4bjlpZlFVNktJaDk0aUg1SXRyWHVqanZ3N2FlRXpqaUplb2dwTlNmSmFLblkKRjhoSEpjOEluaE5Jak1xZWNBT0U0ZTRvRGZYV2lneWh1WEp0MWNPbm9LYTJDakt0a1h6bWNiZ2RHR0dWN1JIeApJRUE5dWFEbHhKQjVwcmhRMU9xWUg4S1kyRUp1dEo0ZzJVUFFsOWFPYmRHeThOa1ppSmFvM0NETVBQUE44bVNwCkhleGN4WXJ1bnlIcitsT3U3L3VpSkpoTjE2eisrb2hZSkJMQ295OXlHWFVURUgweGo2ZzltV29lbll2M3c4YjEKRnJhLzhRcldHenBsTmxKUWFUSkU1dm9GMlhEMHhLUnZ1V0NldU94d2hLYXNrbjg1bHd1TlBsVkZXeHFsL0dtaQovME1DZ2dFQkFPazAwQlpJRWt3MTd6cERlTW53a1JQMURTblAyN0RwN3E4bnRNREplYW0vUGY5Ynk0ZkczSG9VCk12eXRubmlhN0F5SHl4TXJWN2plQVNjVCt5aVJJdXlmcUM5aGNTTU5RK0pxODVyN3pxNnE3VHZBWGRkeWJnUkgKUzR4Y3ByWG1VNVI4dGkyekVtUFpiOFRZOFFGdHNLTTdyaUtkcndCK3JpRGVYWkpTTVRQWXM3NTMwT3Vmc1BPRgpEM0VydlZweE9DTGROL0ZxWW42TFBrRUpNSXluNUZBekpqSXRRSTJuOGRIMlNRdEU1UjlyV1ZsSkNjYndicVh0Ck01UVFLODkyM0V5KzFwWUxOZXQ5Vmo0cUs1NHA0YWtiUFkwUTROeTlZZjdxek5LUjYxcDdZWkZXL29icmY2R0sKS0J2TWFsNlhRSktlOHJkNEFiMkVyOEQyQnBDc3E1dz0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
metadata:
name: cert-argocd-test
namespace: argocd
type: kubernetes.io/tls
kubernetes_tree_base_dir:
- /opt
- /opt/kubernetes
kubernetes_service: infra
kubernetes_git_repo: perso-infra
kubernetes_git_url: github.com
kubernetes_allow_pods_on_control_plane: false
kubernetes_alias_bashrc:
- path: "/root/.bashrc"
regexp: "^source /usr/share/bash-completion/bash_completion"
state: present
line: "source /usr/share/bash-completion/bash_completion"
- path: "/root/.bashrc"
regexp: "^source /etc/bash_completion"
state: present
line: "source /etc/bash_completion"
- path: "/root/.bashrc"
regexp: "^source <(kubectl completion bash)"
state: present
line: "source <(kubectl completion bash)"
- path: "/root/.bashrc"
regexp: "^alias k=kubectl"
state: present
line: "alias k=kubectl"
- path: "/root/.bashrc"
regexp: "^complete -F __start_kubectl k"
state: present
line: "complete -F __start_kubectl k"
# - echo "source /usr/share/bash-completion/bash_completion" >> ~/.bashrc
# - echo "source /etc/bash_completion" >> ~/.bashrc
# - echo "source <(kubectl completion bash)" >> ~/.bashrc
# - echo "alias k=kubectl" >> ~/.bashrc
# - echo "complete -F __start_kubectl k" >> ~/.bashrc
# - complete -F __start_kubectl k
#- echo "function kname() {k config set-context --current --namespace $1}" >> ~/.bashrc
kubernetes_namespaces_crd:
- namespace: argocd
url: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
file: install
- namespace: traefik
url: https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
file: kubernetes-crd-definition-v1
# - namespace: traefik
# url: https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
# file: kubernetes-crd-rbac
kubernetes_namespaces: "{{ kubernetes_namespaces_crd }}"
kubernetes_traefik_objects:
- namespace: traefik
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
definition:
metadata:
name: traefik-role
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.io
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
- serverstransporttcps
verbs:
- get
- list
- watch
- namespace: traefik
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
definition:
metadata:
name: traefik-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-role
subjects:
- kind: ServiceAccount
name: traefik-account
namespace: traefik
- namespace: traefik
apiVersion: v1
kind: ServiceAccount
definition:
metadata:
name: traefik-account
- namespace: traefik
kind: Deployment
apiVersion: apps/v1
definition:
metadata:
name: traefik-deployment
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-account
hostNetwork: true
containers:
- name: traefik
image: traefik:v2.10
args:
- --accessLog
- --api.insecure=false
- --api.dashboard
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.websecure.address=:443
- --providers.kubernetesingress=true
- --providers.kubernetescrd=true
- --log.level=debug
- --metrics.prometheus=true
- --metrics.prometheus.buckets=0.1,0.3,1.2,5.0
- --metrics.prometheus.addEntryPointsLabels=true
- --metrics.prometheus.addrouterslabels=true
- --metrics.prometheus.addServicesLabels=true
- --metrics.prometheus.manualrouting=true
#Cela signifie que Traefik ne vérifiera pas la validité du certificat SSL/TLS du serveur vers lequel il dirige le trafic
# Ok en dev (self-signed) NOK en prod
# Utilisé pour argocd - 500 Internal Error traefik
- --serverstransport.insecureskipverify=true
ports:
- name: web
containerPort: 80
- name: websecure
containerPort: 443
- namespace: traefik
apiVersion: v1
kind: Secret
definition:
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZsekNDQTM4Q0ZGSjc1dnE5KzhJUGNIR0RHcU5EM1ZnRzZyU1FNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1JR0gKTVFzd0NRWURWUVFHRXdKR1VqRVBNQTBHQTFVRUNBd0dSbkpoYm1ObE1RNHdEQVlEVlFRSERBVlFZWEpwY3pFTwpNQXdHQTFVRUNnd0ZTMFZaV1U4eERqQU1CZ05WQkFzTUJVdEZXVmxQTVJrd0Z3WURWUVFEREJCMFpYTjBMblJ5CllXVm1hV3N1Ym1WME1Sd3dHZ1lKS29aSWh2Y05BUWtCRmcxMFpYTjBRSFJsYzNRdVkyOXRNQjRYRFRJek1EZ3kKTnpFME5ESXhObG9YRFRJek1Ea3lOakUwTkRJeE5sb3dnWWN4Q3pBSkJnTlZCQVlUQWtaU01ROHdEUVlEVlFRSQpEQVpHY21GdVkyVXhEakFNQmdOVkJBY01CVkJoY21sek1RNHdEQVlEVlFRS0RBVkxSVmxaVHpFT01Bd0dBMVVFCkN3d0ZTMFZaV1U4eEdUQVhCZ05WQkFNTUVIUmxjM1F1ZEhKaFpXWnBheTV1WlhReEhEQWFCZ2txaGtpRzl3MEIKQ1FFV0RYUmxjM1JBZEdWemRDNWpiMjB3Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQwpBUURNbG9aSE4yOE04SERMU2t5WkJ5SzhvWEtTcDB0WHFnL3FrM1FpeHQ5UEpnOWduYWs1NThtVEgwemNzQk1VCmFndEtTWXU1akdQSGFSQ3dXNDdrTGp6TUlLL2RYdWlDRE1nUUN6RFB0cWM2Qm9KQy95UTZHV1VwU2hhSmVQUVUKRFRVK09NamNpd09LSmkxOTFKMnR3ZGxpb21FbXZYWUFHcStzSkRVa25WL1FadVBZMlpmcVZibnBwQkt5U0FvegpJWVVGRzdOSTk2K3o3TW5IelVWNG94V1lkQkNjTWNvMllFV3lNU2hhR0hDV3Z3dUtXalZJWXJWSGI1dlQyWVF4CjRCbHlUa2dEQ1o3bTZWMlhLcFJIalp4cjJJVHh1T0FybzhoZ3FHSGprbnptVGh6ZnZKK1NuWk8xK253OXEvNnMKN1lxbkI1RUh2UVdBSks5UkYrZDZsOGZTam1iUGs0VGl1cWNqRkljUXprSnVUV2ZSbk1MN0YybXQ4Z0p6azlZRwpsaW1jcTdkSTdENFFDaEJadGt1Ny93TmUrSTI2Y0MwM0l5QnR0SFRqeUlvbWJ4K1JVOFJBaGFKNDZtY3Y4ZUdCCjNIeS9hVjZERFB6SWdUc1JQWTNuekhlYWhmOHJmamNRcDcrZGNuNmxDV0pROW0rQVFNN0hZZGtJdXQ5QlF0aEQKemlHZFFLd3ZBdmFTV3krRjdQc2kxUXQwTDhxZ01OT2JDTUl6ZUdCYXg0ZkdZQnJjNFQ3UXFVNzBKakZXWXhQUwpzU1UzRm5sWFhLbXFTZ29naFd3Y2tqWUJCakJnb1E4dmZJNDhqTDlycmJkZWFxSWJXSkRSeXc4R0ZGNDVDMzNQCkxRWC9zWEN3Wno0YjVHYkZZNWRzbVBGdFVnUG9TVWtZWm9KVU8waUw3NXhMRVFJREFRQUJNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElDQVFDWU0vY2tKUDBYelk1bTJsQlRWdm9hUzg1MVJlRTA5YmFqaXlMbnYrTFpLRTNyVzFQTAo1citubzNXVCtZWmxYUzVGS0Z4cGZMdXdJRGZtZTZjOUVldzRLbkdxaTVVTXJrVjJxb3lPUmxIRzdESG1ocW5NCjlNK1J2Zks4QldaUmMwQ0lwOGQ3dnBhWW1xQ0tFdURYajZZd2FSUmJHejdkcE1MYnFsNWViaU5md2c5em1aaE0KNmxXcVphN3JxTzBwMEp3NXNOLzZUS2F1QXlkUitaS1NGdzVVVWFCN20veW1MN0lWVk5WRVBzRm5aYnViRm40YwpZQm93NHA1V3NjUHoyQTVmUG83QzlkZkNaaWpCYmlodXNYdTIzMDEwSU9ITys4SjlOMFBtUit5Y0J3dHd2MmhRCmpzbThPTTV0YTFUZkJmeHUzeWNQZjl2Um5SVlJHVkg0eEdLN2tTMnNwKzZiS0xEM2hKNFN2VkRNdVBHQW5zb2gKbGFOb2JqL2l0NU1MQ08wcDhMclJ2OHdwTUdnVUZ0eVNtR2FDa0MvM0pqQ1BTbnI2S1d3a3VQVnRVVlZpSjhpagpKREhBcW9hSWhLVzcwOXZTdWlFbHZUTlIwUmJWWHVaRDZqRHRDTGdmaXB1T2E1endoeEd3aVhHL1g1bUszaUxkCnRCUi9JeGw0ZUlQV1BVbEtnZHBMVzFIU2I3aU42cG05cjQveGpEbDkzeGowR2ZYZktKalhFY0RtTklhZUl1cVUKRUpDK0Q3YVU4bkdoMlN3WTIrbWlQckFQU0gwSjBxMjhzTHErMXZKWG11MEsxUVZNejErY3hrVER5WVRpTnBwcQpTOXJoWkJoTzNPZEd4Z0ZYSVc5V1dqSStEdXZ3cTJrV1Qwb3VKTHZNbkpDcU5vYkgzVXlHTGg0WmNnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpSQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1M0d2dna3FBZ0VBQW9JQ0FRRE1sb1pITjI4TThIREwKU2t5WkJ5SzhvWEtTcDB0WHFnL3FrM1FpeHQ5UEpnOWduYWs1NThtVEgwemNzQk1VYWd0S1NZdTVqR1BIYVJDdwpXNDdrTGp6TUlLL2RYdWlDRE1nUUN6RFB0cWM2Qm9KQy95UTZHV1VwU2hhSmVQUVVEVFUrT01qY2l3T0tKaTE5CjFKMnR3ZGxpb21FbXZYWUFHcStzSkRVa25WL1FadVBZMlpmcVZibnBwQkt5U0FveklZVUZHN05JOTYrejdNbkgKelVWNG94V1lkQkNjTWNvMllFV3lNU2hhR0hDV3Z3dUtXalZJWXJWSGI1dlQyWVF4NEJseVRrZ0RDWjdtNlYyWApLcFJIalp4cjJJVHh1T0FybzhoZ3FHSGprbnptVGh6ZnZKK1NuWk8xK253OXEvNnM3WXFuQjVFSHZRV0FKSzlSCkYrZDZsOGZTam1iUGs0VGl1cWNqRkljUXprSnVUV2ZSbk1MN0YybXQ4Z0p6azlZR2xpbWNxN2RJN0Q0UUNoQloKdGt1Ny93TmUrSTI2Y0MwM0l5QnR0SFRqeUlvbWJ4K1JVOFJBaGFKNDZtY3Y4ZUdCM0h5L2FWNkREUHpJZ1RzUgpQWTNuekhlYWhmOHJmamNRcDcrZGNuNmxDV0pROW0rQVFNN0hZZGtJdXQ5QlF0aER6aUdkUUt3dkF2YVNXeStGCjdQc2kxUXQwTDhxZ01OT2JDTUl6ZUdCYXg0ZkdZQnJjNFQ3UXFVNzBKakZXWXhQU3NTVTNGbmxYWEttcVNnb2cKaFd3Y2tqWUJCakJnb1E4dmZJNDhqTDlycmJkZWFxSWJXSkRSeXc4R0ZGNDVDMzNQTFFYL3NYQ3daejRiNUdiRgpZNWRzbVBGdFVnUG9TVWtZWm9KVU8waUw3NXhMRVFJREFRQUJBb0lDQUd4bE9FSFZVZ1kyQWwwRFFiQTJncVlVCm1DS3hkbzY4OE8vbExqd2F5RWdrTHpPT2RSSFVDQTNtSUpBd3pmc2I4RjFzdUJZWUZ1bVpkaGtxZVh2V0w2b3IKaTJJcm5kOEJyS0lyZTdJaDRWb3lCcVEra0ZBa0VtQWMrL0hjWHQyYzNkL1lzRHVCZjkrYk9MRVpqRzE2YnBYKwoyS0J3ODJzOHVHVHBUaXJYSXVQRkQrVmQ3RXBoSHo1MkN0M2dvMTdSM0t1SE1LZHhhK3RWZ3RkVW9BRTV6d0JXClJsS3JZcXNLdVFLZlh2VFZUQm5pb05ldDBkdEhTU3JQTEczREtuSk9mTXorUXRNeExyckRYQzN5aGx1ZTRRaVcKMEdGT0JaKzVpRG9HSE04NVZ1bWk2MU56bWN4UnB1aGREYVNUVXowR0lsYzdBQkZzaWRTS0cwVkkrQUVSRi9JNQpyM0IyWFBoQVVTNFVlTCttTVJoNW4xWjAzemY4dnRTbnJydUhTditlT25GMVpmcy9tS0NwSnV3YXFHVU4ycjU5CjR1SUNLeXExeUdWaXhNUFU1Zk9QU3poeVd3dUNyVEIydlZqb2J4OUtwVGZGb1dQbU1nSW1rVDRiZy9oVE5naWQKcm9mMmMrVE12cVBQdERKTnRyNW8vQm5jbFIvMXloOVVYdnZSN1dxT21UcEREZUtRUmZlb253TFhNRW1xbmlVYgpTQzZBWnZ4M05yeE14Sk9iRkNDQ01rbXNhS3o2VE9jN2FCRU9ocEZaK1VtN3ZhWWpCZE4vTVlDQmxQZEJ2R090CnRJNk43TVJuc0tid09zOE5wU0FZRWVoWkF3M285KzJzaGIrL3hTUnFocGpURE9tY25KSGRSN3B6RnpGZzA0QzYKT01kU09ycTNrdnpHWWlnNnduYkJBb0lCQVFEbnhtbERwbHRyUUdYMXZmcTRzTFBHTnhmbktabVg3SzdvTlEvegp3NlBFKzlwSi8zSU1VL3NXMGFmcDhvQnc1ZndNT21jN0FqL3VEeTBZYks5Mk55VG5OSzBoZzZPcXNodFdYdDZOCjlnU0hCV3ArcG9pMHVxS3pEblhReEpZUzQ5MDVvTmxvdmhabHMvOG1jbm91TmlhSUlHcXQ0L2dOMUZINmN0bDUKMTRrbm1SUDFRNnZzWXNHNXlKSThsNldDTnJzT21RQmFzR0RrWGJ1dzFWTVYxMzhRR3lCUDdVK2J6Sy9vZ1VqQgpiKzY3Q3JSZ0dIRDc0eS9QNVp3MDJMV3F2WWVHZVJhZHMwQUIyNUlqeTVMWHVERkdWUVZsRlNjTGNkNFZSVXdzCnVqWVdqem1CQmJsVE9tMW1vSjRmRm1haGdLM2RiSW12UGFjQkprQXhnbDJ4MGlVcEFvSUJBUURoK0t2TzBxV08KMXZSbklJWmE3TzQ2SWdmN3E4cVdlanhsbmtUamVkYm5xakpxM1VQMHRxZmpid1V2a3J2amhWaHJmR1lVelBrTApINm9seGh5VmpLM0EvYUNPTlNnWXpDd1grWHllSUdtUnpNNlV5aGFzYVFzTHU1dnhYRTBmZ0VxdGxUb3VrZkIvCjBVUm9TTittQjd5VXBKSTBDQkZmZGN0aVR6a2Q5cDRlU2VSZDNHSWFFMU0vUXBSTTVyN2h1S3dkSXdOdDJSeHEKQ2szY3dVd1psZkpSZ1NZL3pjK3VuZFlYYmN5aFFKRTIya29yNVQ4Nll1S1NPcU1RdlhNRkJkSFlMNVJBZzBRYgpQSkxUWm9hNU9qbkc3VHNsaWxFbUVMSUg3eHp4ZStYVEY3MERSdkhuOWlnY2hHbmhkSTEvWU1DbTNuSHlqWVRNCmFML1BlcTRxSVF1cEFvSUJBUUNMMEdiRGhtRHphOStWeEVxd2l2ZUhoTWlJaTlHNWtlOVk2Rmw5SlBGdjdMV2IKbWRyRWtReVFrVnlIaGQveE91czJ2U3gwcmtDK2JLMDVaS2JiMnh3SjFQN3pqcU4yWHdhYXJaUDNjd2I4SkVvLwpxRm9qRzhyMTFLMUJpTFUzSS9uWnY2d213VFJsbVpVN0xpZUNKT3hOaGJDVXdVWnJvVDdxbzhtSTlIb3FSdStCCkxwZFJlNmw5VnY3UVNuSnZBSEVLdDBVOWI5U2pMZUFCSms1K2lJWi93cjFWT2NTaUtYR2NBaEZQanlRbDlLa20KcHRmUk94VW1oazRhbXZmTHpaVXBpM1lYSDRCbkhuc2oyTFAyS1lpZjhyM1VZbFF4VlRrdy82S2FBS0tNTFUzMQpCT3pzeGZ3a3dwTmdFWFZMeTRJV1psa1FPMUs1SU1mc2xjWExkUWN4QW9JQkFRRGR4MUxRRlR1NTJreGEzcmdlCmkwVXdOdkJBMkJWbjVLWmNVWjVvNTg2ODVmUy9uMVF2M0FrZ2xYaXdmVUg4aG9ZR1VEeGNFK1FsUDdtZGd6ZlEKcXhacFFFT1E3cWpnMVpvOUdYWnVOMytGUWs1S0I2R0RLMEZWRFpkNnBrMW5LbUdneGNJcHJNQXVvbk9TS2x1ZQpOeCtsZjNPaXIzeGxoVlhNc2Rac0N2eWEyNGpQZWhtcVgrY25RakFNM2JiZ0VJQ1R4Q1o4YkVhUDZIY012NFh4CjRwSEYzb3hzdUpFcFh1MmRadjBjRWlPemcwQ2lua2VWQlRJN3RHTVFiZTl5TVlrSHRZSzZZbHE0cEpXeDk0RW8KVC9ZZXYveDUxcXZZUVRDSnl1dE1NbjZZMUVhRTdkOUQrdnJaS2poRXQwQ2NrSmZqN3BSRkt4SDRFS0tZZmw1cgpLSzJwQW9JQkFRRFFJOUp4N2YraW53Y1EydWtHckN2bmVJN2VnaXVqWmoxUEdKbTZLMU5hM3ZVT0xJem9iV3dNCk01dmpRcXAweDdFc3BjQXpBSVF6TytQcUNPQ21iMUx6VGVwejhyc2FiRW84Z04rOEV6SkQzdnF2NTNMR0NCMFMKM2RhdHlmZ0xmeGFvYVFTUk9jUWUxYlpwZy9MUzloZ2pmZjlEbUtaZ3VOTzN0eUZhRGJ4MHQ0RS9GZkJkNVNPWApPdU0vZVU5R1ZZdzFJSW1FeGF2bll4eEtzUXd0VlAyQjNYMG9MbFNhemk0bG9Jb21SRE81TEhTUXp0TDZ6UFZrClRUT0JML2t4Umx1K3UvYStXQ2NrNytSKzc3dmU3d0taV2lJNmdyYnpjNW1VSXlHbEpTUjRvRlVSSzhiL20vOHQKVkJBZzhUYllDYms3aG1RWitHN0lac1NQWE9od2lzWHYKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
metadata:
name: test-ssl-secret
namespace: traefik
type: kubernetes.io/tls
- namespace: traefik
apiVersion: v1
kind: Secret
definition:
metadata:
name: traefik-auth-secret-dashboard
type: kubernetes.io/basic-auth
stringData:
username: admin
password: dashboard
- namespace: traefik
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
definition:
metadata:
name: traefik-auth-dashboard
spec:
basicAuth:
secret: traefik-auth-secret-dashboard
- namespace: traefik
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
definition:
metadata:
name: traefik-dashboard
namespace: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`test.traefik.net`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: traefik-auth-dashboard
namespace: traefik
tls:
secretName: test-ssl-secret
- namespace: traefik
apiVersion: v1
kind: Service
definition:
metadata:
name: traefik-service
namespace: traefik
spec:
type: LoadBalancer
externalIPs:
- "{{ kubernetes_load_balancer_public_ip }}"
ports:
- protocol: TCP
port: 443
targetPort: websecure
name: websecure
- protocol: TCP
targetPort: web
port: 80
name: web
selector:
app: traefik
# for github
management_user_list:
- name: stephanegratias
shell: '/bin/bash'
authorized_keys:
- key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE= stephane"
exclusive: yes
sudo:
hosts: ALL
as: ALL
commands: ALL
nopasswd: ALL

14
hosts
View File

@@ -17,6 +17,14 @@ ovh01 ansible_host=5.135.181.11 ansible_user=stephane
control control
worker worker
[vagrant] [docker_swarm_manager]
v1 ansible_host=192.168.121.2 ansible_user=vagrant ansible_ssh_pass=vagrant v1 ansible_host=192.168.121.68 ansible_user=vagrant ansible_ssh_pass=vagrant
v2 ansible_host=192.168.121.240 ansible_user=vagrant ansible_ssh_pass=vagrant ovh01 ansible_host=5.135.181.11 ansible_user=stephane
[docker_swarm_worker]
v2 ansible_host=192.168.121.128 ansible_user=vagrant ansible_ssh_pass=vagrant
scale01 ansible_host=163.172.209.36 ansible_user=stephane
[vagrant:children]
docker_swarm_manager
docker_swarm_worker

14
paused.conf Normal file
View File

@@ -0,0 +1,14 @@
# resume information
resume-index = 69
seed = 12653686914129623649
rate = 100
shard = 1/1
nocapture = servername
adapter-ip = 172.29.219.224
# TARGET SELECTION (IP, PORTS, EXCLUDES)
ports = 443
range = 163.172.80.0/24

39
portainer-agent-stack.yml Normal file
View File

@@ -0,0 +1,39 @@
version: '3.2'
services:
agent:
image: portainer/agent:2.19.5
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- agent_network
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
portainer:
image: portainer/portainer-ce:2.19.5
command: -H tcp://tasks.agent:9001 --tlsskipverify
ports:
- "9443:9443"
- "9000:9000"
- "8000:8000"
volumes:
- portainer_data:/data
networks:
- agent_network
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
networks:
agent_network:
driver: overlay
attachable: true
volumes:
portainer_data:

91
portainer-traefik-agent.yml Normal file
View File

@@ -0,0 +1,91 @@
version: '3.2'
services:
traefik:
image: "traefik:latest"
command:
- --entrypoints.web.address=:80
- --entryPoints.web.forwardedHeaders.insecure=true
- --entrypoints.websecure.address=:443
- --providers.docker=true
- --providers.swarm=true
- --providers.docker.exposedbydefault=false
- --providers.docker.network=public
- --api=true
- --api.dashboard=true
- --api.insecure=true
- --log.level=INFO
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
labels:
- "traefik.http.routers.dashboard.rule=Host(`traefik.test.com`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.services.dashboard.loadbalancer.server.port=8080"
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
networks:
- public
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
agent:
image: portainer/agent:latest
environment:
# REQUIRED: Should be equal to the service name prefixed by "tasks." when
# deployed inside an overlay network
AGENT_CLUSTER_ADDR: tasks.agent
# AGENT_PORT: 9001
# LOG_LEVEL: debug
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /var/lib/docker/volumes:/var/lib/docker/volumes
networks:
- agent_network
deploy:
mode: global
placement:
constraints: [node.platform.os == linux]
portainer:
image: portainer/portainer-ce:latest
command: -H tcp://tasks.agent:9001 --tlsskipverify
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- data:/data
- /etc/localtime:/etc/localtime
networks:
- public
- agent_network
deploy:
mode: replicated
replicas: 1
placement:
constraints: [node.role == manager]
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.test.com`)"
- "traefik.http.routers.portainer.entrypoints=web"
- "traefik.http.routers.portainer.service=portainer"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
# Edge
- "traefik.http.routers.edge.rule=Host(`edge.test.com`)"
- "traefik.http.routers.edge.entrypoints=web"
- "traefik.http.services.edge.loadbalancer.server.port=8000"
- "traefik.http.routers.edge.service=edge"
networks:
public:
external: true
agent_network:
external: true
attachable: true
volumes:
data:

3
roles/.gitignore vendored
View File

@@ -45,4 +45,5 @@ robertdebock.update
ansible-role-labocbz-install-grafana ansible-role-labocbz-install-grafana
cloudalchemy.grafana cloudalchemy.grafana
CTL-Fed-Security.ansible-grafana CTL-Fed-Security.ansible-grafana
thomasjpfan.docker-swarm thomasjpfan.docker-swarm
asg1612.dockerswarm

73
roles/requirements.yml
View File

@@ -7,44 +7,45 @@
# DOCKER # DOCKER
- src: geerlingguy.docker - src: geerlingguy.docker
# CONTAINERD # CONTAINERD
- src: geerlingguy.containerd # - src: geerlingguy.containerd
# KUBERNETES # # KUBERNETES
- src: git+https://github.com/garutilorenzo/ansible-role-linux-kubernetes.git # - src: git+https://github.com/garutilorenzo/ansible-role-linux-kubernetes.git
- src: geerlingguy.kubernetes # - src: geerlingguy.kubernetes
# PIP # PIP
- src: geerlingguy.pip - src: geerlingguy.pip
- src: asg1612.dockerswarm
# SYSTEM # SYSTEM
- src: tumf.systemd-service # - src: tumf.systemd-service
# SSH client side # # SSH client side
# PACKAGE # # PACKAGE
- src: GROG.package # - src: GROG.package
# IPTABLES # # IPTABLES
- src: geerlingguy.firewall # - src: geerlingguy.firewall
# LOG ROTATE # # LOG ROTATE
- src: nickhammond.logrotate # - src: nickhammond.logrotate
- src: ome.logrotate # - src: ome.logrotate
# FAIL2BAN # # FAIL2BAN
- src: robertdebock.fail2ban # - src: robertdebock.fail2ban
# BACKUP # # BACKUP
- src: ome.rsync_server # - src: ome.rsync_server
- src: ome.selinux_utils # - src: ome.selinux_utils
# HELM # # HELM
- src: geerlingguy.helm # - src: geerlingguy.helm
## SETUP # ## SETUP
- src: buluma.lynis # - src: buluma.lynis
- src: maxlareo.rkhunter # - src: maxlareo.rkhunter
- src: maxlareo.chkrootkit # - src: maxlareo.chkrootkit
- src: robertdebock.auditd # - src: robertdebock.auditd
- src: robertdebock.update # - src: robertdebock.update
# - src: buluma.auditd # # - src: buluma.auditd
# version: v1.0.10 # # version: v1.0.10
# - src: jnv.unattended-upgrades # # - src: jnv.unattended-upgrades
# - src: dominion_solutions.netbird # # - src: dominion_solutions.netbird
# version: 0.1.6 # # version: 0.1.6
- name: ansible_unattended_upgrades # - name: ansible_unattended_upgrades
src: git+https://gitlab.epfl.ch/ansible-sti-roles/ansible-unattended-upgrades.git # src: git+https://gitlab.epfl.ch/ansible-sti-roles/ansible-unattended-upgrades.git
- name: ansible-role-labocbz-install-grafana # - name: ansible-role-labocbz-install-grafana
src: git+https://gitlab.com/cbz-d-velop/public-ansible/ansible-role-labocbz-install-grafana.git # src: git+https://gitlab.com/cbz-d-velop/public-ansible/ansible-role-labocbz-install-grafana.git
- src: thomasjpfan.docker-swarm # - src: thomasjpfan.docker-swarm

97
scan.yml
View File

@@ -1,11 +1,21 @@
--- ---
- name: Scan - name: Scan
hosts: tower hosts: localhost
become: true become: true
gather_facts: false gather_facts: false
vars: vars:
user: staffadmin
token: !vault |
$ANSIBLE_VAULT;1.2;AES256;prod
35343365393734313034383961616333633265623037303436653739613935366666373237366562
3663316563663439363333396530376139663731346637390a366335333732303134316364363130
30313631343534643866383336623837363433303032376264373139306464313866313034663636
3961303030373531380a343061326437343066663665613833623533376437326630326432363566
37653135666331633532653436656461396131623736353962643632316135633562346631313036
6137356332636431643830666461333862613835336631333037
# 163.172.0.0/24 # 163.172.0.0/24
target_network: 163.172.83.0/24 target_network: 163.172.80.0/28
ansible_user: stephane ansible_user: stephane
ansible_password: stephane ansible_password: stephane
ansible_become_password: stephane ansible_become_password: stephane
@@ -26,38 +36,36 @@
pre_tasks: pre_tasks:
- ansible.builtin.git: - ansible.builtin.git:
repo: https://github.com/danielmiessler/SecLists.git repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
dest: "{{ playbook_dir }}/SecLists" dest: "{{ playbook_dir }}/scan"
single_branch: yes single_branch: yes
force: true force: true
delegate_to: localhost delegate_to: localhost
# - ansible.builtin.git:
# repo: https://github.com/danielmiessler/SecLists.git
# dest: "{{ playbook_dir }}/SecLists"
# single_branch: yes
# force: true
# delegate_to: localhost
# apt install masscan # apt install masscan
- ansible.builtin.command: - ansible.builtin.command:
cmd: "masscan {{ target_network }} -p443 --rate=100000" cmd: "masscan {{ target_network }} -p443"
become: true become: true
register: scan_output register: scan_output
delegate_to: localhost delegate_to: localhost
# # - name: Simple A record (IPV4 address) lookup for example.com - debug:
# # ansible.builtin.debug: msg: "{{ item }}"
# # msg: "{{ lookup('community.general.dig', 'example.com.')}}" loop: "{{ scan_output.stdout_lines }}"
# - "{{ cert.not_after }}"
# - debug: # - "{{ ansible_date_time.iso8601_basic }}"
# msg: "{{ item.split('on')[-1].strip() }}" tags: test
# loop: "{{ scan_output.stdout_lines }}" delegate_to: localhost
# # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test
# - debug:
# msg: "{{ item }}"
# loop: "{{ scan_output.stdout_lines }}"
# # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test
- name: Get a cert from an https por - name: Get a cert from an https por
community.crypto.get_certificate: community.crypto.get_certificate:
@@ -70,12 +78,21 @@
register: cert register: cert
tags: test tags: test
# item.subject.CN
- debug:
msg: "{{ item.item.split('on')[-1].strip() }}"
loop: "{{ cert.results }}"
# - "{{ cert.not_after }}"
# - "{{ ansible_date_time.iso8601_basic }}"
tags: test
delegate_to: localhost
# apt install masscan # apt install masscan
- ansible.builtin.command: - ansible.builtin.command:
cmd: "ffuf -w SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u https://{{ item.split('on')[-1].strip() }}/FUZZ -s" cmd: " dirsearch -u https://{{ item.item.split('on')[-1].strip() }} -i 200 -t 100"
become: true become: true
loop: "{{ scan_output.stdout_lines }}" loop: "{{ cert.results }}"
ignore_errors: true ignore_errors: true
register: fuff register: fuff
delegate_to: localhost delegate_to: localhost
@@ -88,7 +105,10 @@
# # loop: "{{ scan443.stdout_lines }}" # # loop: "{{ scan443.stdout_lines }}"
# # - "{{ cert.not_after }}" # # - "{{ cert.not_after }}"
# # - "{{ ansible_date_time.iso8601_basic }}" # # - "{{ ansible_date_time.iso8601_basic }}"
# tags: test # tags: test
- debug: - debug:
msg: " URL =======> {{ item.subject }} || Host ====> {{ item.invocation.module_args.host }} || port ======> {{ item.invocation.module_args.port }} || proxy_port =========> {{ item.invocation.module_args.proxy_port }}" msg: " URL =======> {{ item.subject }} || Host ====> {{ item.invocation.module_args.host }} || port ======> {{ item.invocation.module_args.port }} || proxy_port =========> {{ item.invocation.module_args.proxy_port }}"
@@ -99,19 +119,40 @@
# - "{{ ansible_date_time.iso8601_basic }}" # - "{{ ansible_date_time.iso8601_basic }}"
tags: test tags: test
ignore_errors: true ignore_errors: true
delegate_to: localhost
- debug: - debug:
msg: " host: {{ item.cmd }} ||||||| chemin : {{ item.stdout_lines }}" msg: "{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1] }}"
loop: "{{ fuff.results }}" loop: "{{ fuff.results }}"
# when: item.subject is defined # when: item.stdout_lines is search('200 -')
# loop: "{{ scan443.stdout_lines }}" # loop: "{{ scan443.stdout_lines }}"
# - "{{ cert.not_after }}" # - "{{ cert.not_after }}"
# - "{{ ansible_date_time.iso8601_basic }}" # - "{{ ansible_date_time.iso8601_basic }}"
tags: test tags: test
ignore_errors: true ignore_errors: true
delegate_to: localhost
- name: Copy a "sudoers" file on the remote machine for editing
ansible.builtin.copy:
src: "{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1] }}"
dest: "{{ playbook_dir }}/scan/{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1].split('/')[-2] }}"
remote_src: yes
loop: "{{ fuff.results }}"
delegate_to: localhost
- name: Push backup to git
ansible.builtin.shell: |
git config user.email "stephane.gratiasquiquandon@gmail.com"
git config user.name "staffadmin"
git add .
git commit -m "Push scan with access token"
git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
args:
chdir: "{{ playbook_dir }}/scan/"
run_once: true
delegate_to: localhost
# https://github.com/danielmiessler/SecLists.git # https://github.com/danielmiessler/SecLists.git

64
swarm.yml
View File

@@ -1,8 +1,11 @@
--- ---
- name: Swarm - name: Swarm
hosts: testswarm hosts: control
become: true become: true
#
# corentinth/it-tools:latest => dinguerie
#
# apt-get install sshpass # apt-get install sshpass
@@ -48,8 +51,6 @@
# - { role: thomasjpfan.docker-swarm, tags: pip } # - { role: thomasjpfan.docker-swarm, tags: pip }
tasks:
# # touch /etc/docker/daemon.json # # touch /etc/docker/daemon.json
# - ansible.builtin.include_role: # - ansible.builtin.include_role:
# name: softing.swarm.softing_swarm_server # name: softing.swarm.softing_swarm_server
@@ -59,31 +60,40 @@
# swarm_server_ca_domain: "{{ domain }}" # swarm_server_ca_domain: "{{ domain }}"
# swarm_server_ca_folder: "/resources/swarm" # swarm_server_ca_folder: "/resources/swarm"
- ansible.builtin.include_role:
name: softing.swarm.softing_swarm_certs
apply:
become: false
delegate_to: "localhost"
run_once: true
vars:
swarm_certs_domain: "swarm.domain.com"
swarm_certs_folder: "{{ playbook_dir }}/resources/swarm"
swarm_certs_nodes:
- ip: 192.168.50.4
hostname: manager
domain: domain.com
- ip: 192.168.50.40
hostname: worker1
domain: domain.com
- ip: 192.168.50.44
hostname: worker2
domain: domain.com
- ansible.builtin.include_role:
name: softing.swarm.softing_swarm_initialize roles:
public: yes - { role: geerlingguy.pip, tags: pip }
vars: - { role: geerlingguy.docker, tags: docker }
swarm_master_ip: 192.168.50.4 - { role: asg1612.dockerswarm, tags: swarm }
tasks:
# - ansible.builtin.include_role:
# name: softing.swarm.softing_swarm_certs
# apply:
# become: false
# delegate_to: "localhost"
# run_once: true
# vars:
# swarm_certs_domain: "swarm.domain.com"
# swarm_certs_folder: "{{ playbook_dir }}/resources/swarm"
# swarm_certs_nodes:
# - ip: 192.168.50.4
# hostname: manager
# domain: domain.com
# - ip: 192.168.50.40
# hostname: worker1
# domain: domain.com
# - ip: 192.168.50.44
# hostname: worker2
# domain: domain.com
# - ansible.builtin.include_role:
# name: softing.swarm.softing_swarm_initialize
# public: yes
# vars:
# swarm_master_ip: 192.168.50.4
# - ansible.builtin.include_role: # - ansible.builtin.include_role:
# name: "softing_swarm_worker" # name: "softing_swarm_worker"