Plein de modif de partout pour être certain que ça va bien se passer lors des différentes màj des playbooks qui vont bien

roles/firewall/templates/firewall.j2

@@ -2,7 +2,7 @@
 config rule
 	option name 'Allow-DHCP-Renew'
 	option src 'wan'
-	option proto 'udp'
+	list proto 'udp'
 	option dest_port '68'
 	option target 'ACCEPT'
 	option family 'ipv4'
@@ -10,7 +10,7 @@ config rule
 config rule
 	option name 'Allow-Ping'
 	option src 'wan'
-	option proto 'icmp'
+	list proto 'icmp'
 	option icmp_type 'echo-request'
 	option target 'ACCEPT'
 	option family 'ipv4'
@@ -20,7 +20,7 @@ config rule
 	option src 'wan'
 	option src_ip 'fe80::/10'
 	option src_port '547'
-	option proto 'udp'
+	list proto 'udp'
 	option dest_ip 'fe80::/10'
 	option dest_port '546'
 	option target 'ACCEPT'
@@ -29,7 +29,7 @@ config rule
 config rule
 	option name 'Allow-ICMPv6-Input'
 	option src 'wan'
-	option proto 'icmp'
+	list proto 'icmp'
 	list icmp_type 'echo-request'
 	list icmp_type 'echo-reply'
 	list icmp_type 'destination-unreachable'
@@ -49,7 +49,7 @@ config rule
 	option name 'Allow-ICMPv6-Forward'
 	option src 'wan'
 	option dest '*'
-	option proto 'icmp'
+	list proto 'icmp'
 	list icmp_type 'echo-request'
 	list icmp_type 'echo-reply'
 	list icmp_type 'destination-unreachable'
@@ -61,25 +61,32 @@ config rule
 	option family 'ipv6'
 	option limit '1000/sec'
 
+config rule
+	option name 'Allow-INPUT-SSH'
+	option src 'wan'
+	list proto 'tcp'
+	option dest_port '22'
+	option target 'ACCEPT'
+
 ### DMZ Rules
 ## General Rules
 # ICMP
 config rule
 	option name 'Allow-ICMP'
 	option dest 'dmz'
-	option proto 'icmp'
+	list proto 'icmp'
 	option target 'ACCEPT'
 
 config rule
 	option name 'Allow-ICMP'
 	option src 'dmz'
-	option proto 'icmp'
+	list proto 'icmp'
 	option target 'ACCEPT'
 
 config rule
 	option name 'Allow-ICMP'
 	option src 'dmz'
-	option proto 'icmp'
+	list proto 'icmp'
 	option dest '*'
 	option target 'ACCEPT'
 
@@ -88,23 +95,42 @@ config rule
 	option name 'Allow-DMZ-DHCP'
 	option dest 'dmz'
 	option dest_port '67-68'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option target 'ACCEPT'
 	option family 'ipv4'
 
 config rule
 	option name 'Allow-DMZ-DHCP'
 	option src 'dmz'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest_port '67-68'
 	option target 'ACCEPT'
 	option family 'ipv4'
 
+# SSH rules
+config rule
+	option name 'Allow-DMZ-SSH'
+	option dest 'dmz'
+	list proto 'tcp'
+	option dest_port '22'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-DMZ-Syslog'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['syslog.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '514'
+	list proto 'udp'
+	option target 'ACCEPT'
+
 # DNS Resolution
 config rule
 	option name 'Allow-INPUT-DNS'
 	option src 'dmz'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest_port '53'
 	option target 'ACCEPT'
 	option family 'ipv4'
@@ -113,7 +139,7 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-NTP'
 	option src 'dmz'
-	option proto 'udp'
+	list proto 'udp'
 	option dest 'wan'
 	option dest_port '123'
 	option target 'ACCEPT'
@@ -122,7 +148,8 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-Web'
 	option src 'dmz'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'wan'
 	option dest_port '80 443'
 	option target 'ACCEPT'
@@ -131,7 +158,7 @@ config rule
 config rule
 	option name 'Allow-INPUT-SSH'
 	option src 'wan'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_port '22'
 	option target 'ACCEPT'
@@ -143,7 +170,8 @@ config redirect
 	option name 'Allow-INPUT-v4-HTTP'
 	option src 'wan'
 	option src_dport '80'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '80'
@@ -153,7 +181,8 @@ config redirect
 	option name 'Allow-INPUT-v4-HTTPS'
 	option src 'wan'
 	option src_dport '443'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '443'
@@ -164,7 +193,8 @@ config redirect
 config rule
 	option name 'Allow-INPUT-{{ host }}-Web'
 	option src 'wan'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
 	option dest_port '80 443'
@@ -177,7 +207,8 @@ config rule
 	option name 'Allow-OUTPUT-BT'
 	option src 'dmz'
 	option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'wan'
 	option target 'ACCEPT'
 	option family 'ipv4'
@@ -186,7 +217,8 @@ config rule
 	option name 'Allow-OUTPUT-BT'
 	option src 'dmz'
 	option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'wan'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -194,7 +226,8 @@ config rule
 config rule
 	option name 'Allow-INPUT-BT'
 	option src 'wan'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '10010'
@@ -205,7 +238,8 @@ config redirect
 	option name 'Allow-INPUT-BT'
 	option src 'wan'
 	option src_dport '10010'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '10010'
@@ -216,7 +250,7 @@ config redirect
 config rule
 	option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}'
 	option src 'wan'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
 	option dest_port '8006'
@@ -229,7 +263,8 @@ config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
 	option src 'dmz'
 	option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address']}}'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'wan'
 	option dest_port '5269'
 	option target 'ACCEPT'
@@ -239,7 +274,8 @@ config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
 	option src 'dmz'
 	option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'wan'
 	option dest_port '5269'
 	option target 'ACCEPT'
@@ -249,7 +285,8 @@ config redirect
 	option name 'Allow-INPUT-XMPP-c2s'
 	option src 'wan'
 	option src_dport '5222'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '5222'
@@ -259,7 +296,8 @@ config redirect
 	option name 'Allow-INPUT-XMPP-s2s'
 	option src 'wan'
 	option src_dport '5269'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '5269'
@@ -268,7 +306,8 @@ config redirect
 config rule
 	option name 'Allow-INPUT-XMPP-c2s+s2s'
 	option src 'wan'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '5222 5269'
@@ -279,7 +318,8 @@ config rule
 config rule
 	option name 'Allow-INPUT-mumble'
 	option src 'wan'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '64738'
@@ -290,7 +330,8 @@ config redirect
 	option name 'Allow-INPUT-mumble'
 	option src 'wan'
 	option src_dport '64738'
-	option proto 'tcpudp'
+	list proto 'tcp'
+	list proto 'udp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '64738'
@@ -301,7 +342,7 @@ config rule
 	option name 'Allow-OUTPUT-SMTP'
 	option src 'dmz'
 	option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'wan'
 	option dst_port '25'
 	option target 'ACCEPT'
@@ -310,7 +351,7 @@ config rule
 config rule
 	option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
 	option src 'wan'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '25 465 587'
@@ -320,7 +361,7 @@ config rule
 config rule
 	option name 'Allow-INPUT-IMAP+IMAPS'
 	option src 'wan'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
 	option dest_port '143 993'
@@ -331,7 +372,7 @@ config redirect
 	option name 'Allow-INPUT-SMTP'
 	option src 'wan'
 	option src_dport '25'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '25'
@@ -341,7 +382,7 @@ config redirect
 	option name 'Allow-INPUT-SMTPS'
 	option src 'wan'
 	option src_dport '465'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '465'
@@ -351,7 +392,7 @@ config redirect
 	option name 'Allow-INPUT-SUBMISSION'
 	option src 'wan'
 	option src_dport '587'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '587'
@@ -361,7 +402,7 @@ config redirect
 	option name 'Allow-INPUT-IMAP'
 	option src 'wan'
 	option src_dport '143'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'dmz'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '143'
@@ -371,7 +412,7 @@ config redirect
 	option name 'Allow-INPUT-IMAPS'
 	option src 'wan'
 	option src_dport '993'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest 'lan'
 	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
 	option dest_port '993'
@@ -382,7 +423,7 @@ config rule
 	option name 'Allow-INPUT-Munin'
 	option src 'dmz'
 	option src_ip '{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option proto 'tcp'
+	list proto 'tcp'
 	option dest_port '4949'
 	option target 'ACCEPT'
 	option family 'ipv4'

roles/mariadb/files/50-server.cnf

@@ -1,137 +0,0 @@
-#
-# These groups are read by MariaDB server.
-# Use it for options that only the server (but not clients) should see
-#
-# See the examples of server my.cnf files in /usr/share/mysql
-
-# this is read by the standalone daemon and embedded servers
-[server]
-
-# this is only for the mysqld standalone daemon
-[mysqld]
-
-#
-# * Basic Settings
-#
-user                    = mysql
-pid-file                = /run/mysqld/mysqld.pid
-socket                  = /run/mysqld/mysqld.sock
-#port                   = 3306
-basedir                 = /usr
-datadir                 = /srv/mysql
-tmpdir                  = /tmp
-lc-messages-dir         = /usr/share/mysql
-default-storage-engine  = InnoDB
-#skip-external-locking
-
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address            = 127.0.0.1
-
-#
-# * Fine Tuning
-#
-key_buffer_size        = 32M
-max_allowed_packet     = 64M
-thread_stack           = 256K
-thread_cache_size      = 8
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched
-myisam_recover_options = BACKUP
-#max_connections        = 100
-#table_cache            = 64
-#thread_concurrency     = 10
-
-#
-# * Query Cache Configuration
-#
-query_cache_limit       = 16M
-query_cache_size        = 64M
-
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file       = /var/log/mysql/mysql.log
-#general_log            = 1
-#
-# Error log - should be very few entries.
-#
-log_error = /var/log/mysql/error.log
-#
-# Enable the slow query log to see queries with especially long duration
-#slow_query_log_file    = /var/log/mysql/mariadb-slow.log
-#long_query_time        = 10
-#log_slow_rate_limit    = 1000
-#log_slow_verbosity     = query_plan
-#log-queries-not-using-indexes
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-#       other settings you may need to change.
-#server-id              = 1
-#log_bin                = /var/log/mysql/mysql-bin.log
-expire_logs_days        = 10
-max_binlog_size        = 100M
-#binlog_do_db           = include_database_name
-#binlog_ignore_db       = exclude_database_name
-
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-#chroot = /srv/mysql/
-#
-# For generating SSL certificates you can use for example the GUI tool "tinyca".
-#
-#ssl-ca = /etc/mysql/cacert.pem
-#ssl-cert = /etc/mysql/server-cert.pem
-#ssl-key = /etc/mysql/server-key.pem
-#
-# Accept only connections using the latest and most secure TLS protocol version.
-# ..when MariaDB is compiled with OpenSSL:
-#ssl-cipher = TLSv1.2
-# ..when MariaDB is compiled with YaSSL (default in Debian):
-#ssl = on
-
-#
-# * Character sets
-#
-# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
-# utf8 4-byte character set. See also client.cnf
-#
-character-set-server  = utf8mb4
-collation-server      = utf8mb4_general_ci
-
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /srv/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-
-innodb_file_per_table
-innodb_data_file_path=ibdata1:10M:autoextend
-
-#
-# * Unix socket authentication plugin is built-in since 10.0.22-6
-#
-# Needed so the root database user can authenticate without a password but
-# only when running as the unix root user.
-#
-# Also available for other users if required.
-# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
-
-# this is only for embedded server
-[embedded]
-
-# This group is only read by MariaDB servers, not by MySQL.
-# If you use the same .cnf file for MySQL and MariaDB,
-# you can put MariaDB-only options here
-[mariadb]
-
-# This group is only read by MariaDB-10.3 servers.
-# If you use the same .cnf file for MariaDB of different versions,
-# use this group for options that older servers don't understand
-[mariadb-10.3]

roles/mariadb/files/override.conf

@@ -0,0 +1,2 @@
+[Service]
+LimitNOFILE=infinity

roles/mariadb/handlers/main.yml

@@ -2,3 +2,6 @@
   service:
       name: mariadb
       state: restarted
+
+- name: daemon-reload
+  command: systemctl daemon-reload

roles/mariadb/tasks/main.yml

@@ -72,6 +72,20 @@
       - "mysql -e \"FLUSH PRIVILEGES;\""
       - touch ~/mysql_secure_installation
 
+- name: Create MariaDB service dir
+  file:
+    path: /etc/systemd/system/mariadb.service.d/
+    state: directory
+    mode: 0755
+
+- name: Create MariaDB service override
+  copy:
+    src: files/override.conf
+    dest: /etc/systemd/system/mariadb.service.d/override.conf
+  notify:
+    - restart mariadb
+    - daemon-reload
+
 - name: install backup script
   copy:
       src: files/backup_mysql.sh

roles/spamassassin/files/local.cf

@@ -97,6 +97,7 @@ score		LOCAL_BITCOIN	10.0
 whitelist_from *@chichiclothing.com
 
 # Blacklist manuel
+blacklist_from *@sintoskym.es
 blacklist_from *@comention.ch
 blacklist_from *@tipontale.it
 blacklist_from *@totalshape.com

roles/system/files/ssh/work.id_rsa.pub

@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDkSaRN59sJo1ncJekhBpRjn5NzeHa+VJpT1M/3ypmRtDbkRz6GOFArOL0yPVnHhLNuO/9gueBGB0MNnt7+2be5S5XfsiNHXMB5D+omgH+nu1DR773Rm65SdduLShW8bIyg37WMP5sssi9C5uYr5QJcgrKzYDf715HQazvcKD0zdYJWKd/AwbsuouB2FzTMNxv1nmH6DiPFmTzlVei/HN1CHapQPPGnsNyG3JdaS6aUC88HpYrX/ALOEPsrsdc5HXtuCM+qkCHNHtejBhEniKcBj2ijJa8j9z+FUenNtIIIkDw1SfjzmH/1pmd9HOQlLaahiwBpbZ93mvBk0QoxvRGMjPdhPsVfbJk4NJceCv6FUrsfNa2kMHKCGd7KY6DLo1nUg6EBuYM3KxBp/ZWdMdFlnYLst2kDHNikbO8TzK4aU/9XZhmclwbsAVDQM8GDZvf1el+nN/qQr8WlxFBOSmqPqFQfpxBJgS8oJmCK+42IQcr+YSk+8or0OhI4jnOTlaM= cveret@scaleway.com

roles/system/files/ssh/work_old.id_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzxdkNy1r7j79Lv9OdKHvpNr1LmHOz6np0w8JGH63kH/1y330aRu4p90mf4QZrnPsUx1nYUKWgaR5XNka3OOgh9/r8bskymteIPnx88oSG+c8bEowwNbevA8JURRh7FG/jWuclyngQW0nuplZgaCB6GuA68nYQSnFTw1xHg7Qbx7wukrsZz0dIDOTFUIcNRBabzjchP8vyDDB1jPw5ghK7VxTDSx8I6H+BhJydsCz1TJqvWvc8Z3X9yH5/OXp26rpSFkhCyDxV//9XXZvCsqjmz3KRvN0IwLMgQZZkDyDORunEg+OpSES++n0FN85tyf1BT6y8P5CcrJWMnS3fMJib

roles/system/tasks/sshd.yml

@@ -16,3 +16,9 @@
       user: root
       state: present
       key: "{{ lookup('file', 'ssh/work.id_rsa.pub') }}"
+
+- name: remove old work key
+  authorized_key:
+    user: root
+    state: absent
+    key: "{{ lookup('file', 'ssh/work_old.id_rsa.pub')}}"