{ "info": { "author": "Matthieu Gallet", "author_email": "github@19pouces.net", "bugtrack_url": null, "classifiers": [], "description": "Penates\n=======\n\nGroup of Ansible tasks for configuring a basic private network with the following services:\n\n * PKI (openssl)\n * LDAP (openldap)\n * DHCP (isc-dhcp-server)\n * DNS (powerdns)\n * NTP (ntpd)\n * Kerberos (MIT kerberos)\n * webservices (PenatesServer)\n * pkinit for users\n\nProcesses\n---------\n\n * a new machine is installed:\n \n * register itself (create Kerberos principal, private key, certificate, PTR DNS record, A/AAAA DNS record, SSHFP DNS record) and get a host keytab\n GET https://directory01.{{ domain }}/no-auth/get_host_keytab/\n * get private key and certificate\n GET https://directory01.{{ domain }}/auth/get_host_certificate/\n * register SSH keys\n POST https://directory01.{{ domain }}/auth/set_ssh_pub/\n * register its MAC address with its (primary) IP address\n GET https://directory01.{{ domain }}/auth/set_dhcp//\n\n * a new service is installed:\n \n * register itself (protocol://hostname:port/) with a description, register CNAME and SRV DNS records\n GET https://directory01.{{ domain }}/auth/set_service////?keytab=&protocol=udp\n * get private key and certificate\n GET https://directory01.{{ domain }}/auth/get_service_certificate////?protocol=udp\n * get keytab\n GET https://directory01.{{ domain }}/auth/get_service_keytab////?protocol=udp\n \n * register a foreign domain name:\n GET https://directory01.{{ domain }}/auth/set_extra_service/\n \n * a new user is created by admin:\n \n * create password\n * create certificate (email, authent)\n * create ssh public key\n * create private key\n\n\nTODO\n====\n\nStep 1\n------\n\n * [OK] IP fixe\n * [OK] set machine keytab/certificate/rsa ssh key\n * [OK] NTP\n * crypto authentication\n * [OK] A/AAAA external records\n * [OK] user creation\n * [OK] group creation\n * [OK] set user password\n * [OK] get self certificate\n * [OK] pkinit : kinit -X \"X509_user_identity=FILE:${cert}\" ${principal} ; kinit -C FILE:${cert} ${principal}\n * [OK] tests pour chaque \u00e9tape\n * [OK] DANE\n * [OK] DNSSEC\n * SMTP\n * [OK] syst\u00e8me (sans auth mais local uniquement)\n * [OK] utilisateur (ldap)\n * [OK] spamassassin\n * [OK] dkim\n * [OK] spf\n * clamav\n * utilisateur (kerberos)\n \n * [OK] IMAP4\n * [OK] utilisateur (ldap)\n * [OK] utilisateur (kerberos)\n\n * [OK] kerberos authent on machines\n * [OK] revoke certificate\n * [OK] sudo for admins\n * [OK] LDAP autz on machines (netgroups)\n * utiliser DNSSEC\n * external DNS config\n\nStep 2\n------\n\n * fail2ban\n * [OK] ssh\n * [OK] dovecot\n * opensmtpd\n * kerberos\n * [OK] logging\n * [OK] centralization\n * [OK] >= warning\n * [OK] logrotate\n * [OK] snmpd\n * [OK] nrpe\n * rkhunter\n * [OK] ISO generation\n * [OK] login\n * [OK] name\n * [OK] password1\n * [OK] password2\n * [OK] encrypt home\n * [OK] configure LVM?\n * [OK] CA generation\n * supervision\n * [OK] shinken\n * [OK] nrpe\n * graphite ?\n * snmp ?\n\n * [OK] TFTP server\n * [OK] ubuntu mirror\n * [OK] moneta mirror\n * pypi mirror\n\nStep 3\n------\n\n * [OK] XML profiles for iOS / OS X\n * [OK] XMPP\n * [OK] proxy HTTP + kerberos\n\nStep 4\n------\n\n * [OK] Plex\n * Seafile\n * IRC bouncer\n * IRC server\n \n\nStep 5\n------\n\n * Gitlab\n * CardDAV & CalDAV\n * Updoc\n * Vagrant mirror\n * Pypi mirror\n * Asterisk\n * Readthedocs\n * iPython Notebook\n \nStep 6\n------\n\n * backup\n * restauration depuis le backup\n * VPN\n * 802.1x\n \nStep 7\n------\n\n * cr\u00e9ation de packages Debian de fa\u00e7on automatique pour :\n\n * plugins Shinken\n * penatesserver\n * updoc\n * moneta\n * pycharm\n * intellij\n\nStep 8\n------\n\n * infrastucture secondaire (LDAP, Kerberos, DNS, DHCP, NTP, SMTP)\n * analyse de logs\n\nTODO\n----\n\n * r\u00e9cup\u00e9ration de la conf pour les DNS secondaires\n * ajouter un password admin sur penatesserver (header/get ?)\n \n * serveur d'installation :\n \n * DHCP\n * miroir Ubuntu\n * miroir Moneta pour les paquets suppl\u00e9mentaires\n * serveur TFTP\n * g\u00e9n\u00e9ration des clefs\n \n * poste d'administration\n * remove machine\n * remove service\n * remove external service\n * disable user\n \n \nKerberos Heimdal : backend LDAP -> bug dans Heimdal 1.6\nMail : remplacer opensmtpd par postfix + kerberos\n\nPour chaque service :\n\n * [OK] check nrpe pour v\u00e9rifier que le process existe (1/h)\n * [OK] check nrpe pour la validit\u00e9 du certificat (1/j)\n * check nrpe pour la validit\u00e9 du keytab (+ groupe) (1/j)\n * check nrpe firewall ouvert pour le port (1/j)\n * check pour la qualit\u00e9 du SSL (1/j)\n * enregistrement aupr\u00e8s de PenatesServer\n * sauvegarde dans /var/backups\n * logs dans syslog en ERROR\n * fail2ban\n * r\u00e9cup\u00e9ration de la sauvegarde \u00e0 l'installation (+cr\u00e9ation d'un fichier pour ne le faire qu'une fois)\n\nNotes\n-----\n\n ldapsearch -x '(&(objectClass=posixAccount)(memberof=cn=Administrators,ou=CoreGroups,dc=test,dc=example,dc=org))' -LLL\n ldapsearch -x '(&(objectClass=posixAccount)(memberof=cn=Users,ou=CoreGroups,dc=test,dc=example,dc=org))' -LLL\n\n\nbootstrap\n=========\n\nDeux cas sont possibles pour l'initialisation :\n\n * serveur DHCP, acc\u00e8s internet et machine avec ansible\n * machine avec ansible uniquement, sans acc\u00e8s internet\n \nDans tous les cas, il est n\u00e9cessaire de disposer d'une machine fonctionnelle avec Ubuntu. Cette machine sera \u00e9galement \nutilis\u00e9e pour servir de miroir Ubuntu dans le cas 2. De plus, dans le cas 2, il est n\u00e9cessaire de pr\u00e9voir un moyen de \nstockage externe qui servira aux transferts des mises \u00e0 jour.\n \n Proc\u00e9dure compl\u00e8te :\n - pr\u00e9paration de la machine de bootstrap, qui contiendra les clefs\n \n - `generate_ca.yml` : pr\u00e9pare les clefs publiques et priv\u00e9es, ainsi que les certificats\n - `generate_iso.yml` : pr\u00e9pare l'image d'installation \n - `bootstrap.yml` : pr\u00e9pare la machine d'abord connect\u00e9e \u00e0 l'ancien r\u00e9seau puis qui permettra de cr\u00e9er le nouveau \n\n * cas 1) \n * reg\u00e9n\u00e8re les diff\u00e9rents paquets tierce-partie\n * installe Apache et fait un miroir Ubuntu avec les paquets tierce-partie\n * cas 2) \n * installe un serveur DHCP avec le netboot \n * clone du miroir officiel Ubuntu (environ 700 Go \u00e0 t\u00e9l\u00e9charger)\n * reg\u00e9n\u00e8re les diff\u00e9rents paquets tierce-partie\n * installe Apache avec la copie du miroir et fait un miroir Ubuntu avec les paquets tierce-partie\n\n - `common_pass_1.yml` \n installation de la machine qui servira de serveur principal avec comme sources.list la machine de bootstrap\n \n - installation du serveur d'installation\n\nProc\u00e9dure de bootstrap\n----------------------\n\n * cr\u00e9ation d'un miroir complet sur une clef USB\n * mise en place d'un DHCP facultatif\n * si la clef est pr\u00e9sente, on utilise ce miroir\n * copie de la clef sur le miroir ubuntu quand il est d\u00e9fini\n * miroir ubuntu sur internet ou clef USB", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "UNKNOWN", "keywords": null, "license": "CeCILL-B", "maintainer": null, "maintainer_email": null, "name": "penates", "package_url": "https://pypi.org/project/penates/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/penates/", "project_urls": { "Download": "UNKNOWN", "Homepage": "UNKNOWN" }, "release_url": "https://pypi.org/project/penates/0.2.0/", "requires_dist": null, "requires_python": null, "summary": "Suite", "version": "0.2.0" }, "last_serial": 1939230, "releases": { "0.2.0": [ { "comment_text": "", "digests": { "md5": "0b188588003fe9dfff43fe3d7ef2d232", "sha256": "52bcb326e0f380a51b82bfed2a9f9cf20ce1499e229d494b15ce6aafabe0bf2e" }, "downloads": -1, "filename": "penates-0.2.0.tar.gz", "has_sig": false, "md5_digest": "0b188588003fe9dfff43fe3d7ef2d232", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15395, "upload_time": "2016-02-04T10:33:42", "url": "https://files.pythonhosted.org/packages/bc/ee/d346f79858ba141879b52468c46581dd6995b09978aba1a2e2fd55a4f2d5/penates-0.2.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "0b188588003fe9dfff43fe3d7ef2d232", "sha256": "52bcb326e0f380a51b82bfed2a9f9cf20ce1499e229d494b15ce6aafabe0bf2e" }, "downloads": -1, "filename": "penates-0.2.0.tar.gz", "has_sig": false, "md5_digest": "0b188588003fe9dfff43fe3d7ef2d232", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15395, "upload_time": "2016-02-04T10:33:42", "url": "https://files.pythonhosted.org/packages/bc/ee/d346f79858ba141879b52468c46581dd6995b09978aba1a2e2fd55a4f2d5/penates-0.2.0.tar.gz" } ] }