From fe3d5913f390d080831d1ecbea43a7c74ed55190 Mon Sep 17 00:00:00 2001
From: "iliya.saroukha" <iliya.saroukhanian@etu.hesge.ch>
Date: Tue, 18 Mar 2025 12:51:43 +0100
Subject: [PATCH] feat: rendu

---
 README.md | 204 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 203 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ab0e2aa..506709a 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
 # Network automation avec `ansible`
 
-## Commandes _ad-hoc_
+## Topologie
+
+### Commandes _ad-hoc_
 
 - Installez ansible sur votre laptop puis vérifiez que les machines sont bien
 joignables avec la commande :
@@ -75,3 +77,203 @@ Expliquez et donner des exemples.
     où il ne transfère pas de code `python` sur l'hôte distant. La commande
     spécifié sera exécuté par le daemon `sshd` en créant un processus enfant
     sur la machine distante
+
+## Routage et adressage
+
+### Playbook `ansible`
+
+```yaml
+---
+- name: Configure network interfaces
+  hosts: all
+  become: true
+  vars:
+    interfaces:
+      H1:
+        - name: "eth0"
+          address: "1.0.0.3"
+          netmask: "255.255.255.0"
+          gateway: "1.0.0.1"
+
+      H2:
+        - name: "eth0"
+          address: "3.0.0.3"
+          netmask: "255.255.255.0"
+          gateway: "3.0.0.2"
+
+      R1:
+        - name: eth1
+          address: "1.0.0.1"
+          netmask: "255.255.255.0"
+        - name: eth0
+          address: "2.0.0.1"
+          netmask: "255.255.255.0"
+
+      R2:
+        - name: eth0
+          address: "2.0.0.2"
+          netmask: "255.255.255.0"
+        - name: eth1
+          address: "3.0.0.2"
+          netmask: "255.255.255.0"
+
+    routes:
+      R1:
+        - network: "3.0.0.0/24"
+          via: "2.0.0.2"
+
+      R2:
+        - network: "1.0.0.0/24"
+          via: "2.0.0.1"
+
+  tasks:
+    - name: Ensure /etc/network/interfaces.d exists
+      ansible.builtin.file:
+        path: /etc/network/interfaces.d
+        state: directory
+        mode: '0755'
+
+    - name: Configure network interfaces
+      ansible.builtin.template:
+        src: "templates/netconfig.j2"
+        dest: "/etc/network/interfaces.d/{{ inventory_hostname }}"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      notify: Restart networking
+
+    - name: Restart networking before pinging
+      ansible.builtin.meta: flush_handlers
+
+    - name: H1 pings H2
+      ansible.builtin.command:
+        cmd: ping -c 3 3.0.0.3
+      register: ping_result
+      changed_when: false
+      failed_when: ping_result.rc != 0
+      when: inventory_hostname == "H1"
+    
+    - name: H2 pings H1
+      ansible.builtin.command:
+        cmd: ping -c 3 1.0.0.3
+      register: ping_result
+      changed_when: false
+      failed_when: ping_result.rc != 0
+      when: inventory_hostname == "H2"
+
+  handlers:
+    - name: Restart networking
+      ansible.builtin.systemd:
+        name: networking
+        state: restarted
+        enabled: true
+
+```
+
+- À quoi servent les options `--syntax-check` et `--check` de la commande ansible-playbook ?
+    - `--syntax-check` permet de vérifier la syntaxe d'un playbook `ansible
+    sans l'exécuter en tant que tel
+    - `--check` est un mode "d'émulation" de l'exécution du playbook (e.g.
+    connexion aux hôtes) sans effectuer les modifications spécifiées dans le
+    playbook
+
+
+## Tunnel WireGuard et serveur web
+
+### `ansible-vault`
+
+```bash
+ansible-vault create secrets/wireguard_keys.yml
+```
+
+```yaml
+---
+private_keys:
+  H1: "aLU6ekCVmx1S/C2Ld+TCbfBtfg0+TDLqTdBmeX9C/24="
+  H2: "IIjII5Iwmw06jklOTjPqt6vJbYHAdf1cDaa8YFKf5lA="
+```
+
+### Playbook
+
+```yaml
+---
+- name: WireGuard Tunnel
+  hosts: all
+  become: true
+  vars_files:
+    - ./secrets/wireguard_keys.yml
+  vars:
+    interfaces:
+      H1:
+        eth0:
+          address: "1.0.0.3"
+          netmask: "255.255.255.0"
+        wg0:
+          address: "10.0.0.1"
+          port: 51820
+          netmask: "255.255.255.0"
+
+      H2:
+        eth0:
+          address: "3.0.0.3"
+          netmask: "255.255.255.0"
+        wg0:
+          address: "10.0.0.2"
+          port: 51820
+          netmask: "255.255.255.0"
+
+    keys:
+      H1:
+        private:
+          key: "{{ private_keys.H1 }}"
+        public:
+          key: "OMlLks+cwFWshIcrcZK+RJUf841Ra3lcdVLTcxwetUs="
+      H2:
+        private:
+          key: "{{ private_keys.H2 }}"
+        public:
+          key: "PtT28gd4JRts2KZlumjTG2cMWsEWXEN+lM4EsXJUjDY="
+
+  tasks:
+    - name: Setup WireGuard hosts
+      ansible.builtin.template:
+        src: "templates/wireguard.j2"
+        dest: "/etc/wireguard/wg0.conf"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      when: inventory_hostname == "H1" or inventory_hostname == "H2"
+
+    - name: Enable WireGuard service
+      ansible.builtin.systemd:
+        name: wg-quick@wg0
+        state: restarted
+        enabled: true
+
+    - name: Restrict access to webpage via tunnel
+      ansible.builtin.command:
+        cmd: "sed -i 's/listen 80/listen 10.0.0.2:80/' /etc/nginx/sites-enabled/default"
+      when: inventory_hostname == "H2"
+      notify: Restart nginx
+
+    - name: Testing connectivity
+      ansible.builtin.command:
+        cmd: "wget 10.0.0.2 -O h2.html"
+      when: inventory_hostname == "H1"
+
+  handlers:
+    - name: Restart nginx
+      ansible.builtin.systemd:
+        name: nginx
+        state: restarted
+        enabled: true
+
+```
+
+## Exécution de toute la configuration
+
+```bash
+ansible-playbook prereqs_wireguard.play.yml -i wireguard.ini
+ansible-playbook first.play.yml -i inventory.ini
+ansible-playbook wireguard.play.yml -i inventory.ini
+```
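Review bot: The two WireGuard private keys that the `ansible-vault create secrets/wireguard_keys.yml` step is meant to protect are reproduced in plaintext in the README's listing of that file (`private_keys: H1: "aLU6…"`, `H2: "IIjI…"`), so committing this README leaks both keys and the vault adds nothing; they should be treated as compromised, regenerated with `wg genkey`, and the listing should show placeholders such as `H1: "<vaulted private key, never committed>"`. Separately, the `Setup WireGuard hosts` task writes `/etc/wireguard/wg0.conf` with `mode: "0644"`, which presumably carries the rendered private key since `templates/wireguard.j2` is fed `keys`; that makes the key readable by every local user and should be `mode: "0600"`. The `sed -i` run through `ansible.builtin.command` is not idempotent (it reports changed on every run) and is skipped under the `--check` mode the README describes, so `ansible.builtin.lineinfile` with `regexp: '^\s*listen 80'` and `line: '    listen 10.0.0.2:80;'` would be the more faithful form. Finally, the run commands at the end invoke `wireguard.play.yml` without `--ask-vault-pass` or `--vault-password-file`, so the reader cannot reproduce the run as written; add one of those flags to the command.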
-- 
GitLab