Documentation overhaul

Adrien Bourmault 2022-12-19 18:09:26 +01:00
parent b3e2e5ffc7
commit dcee60bbdf
No known key found for this signature in database
GPG Key ID: 6EB408FE0ACEC664
16 changed files with 3338 additions and 2 deletions

pm/anthea.md Normal file

@ -0,0 +1,58 @@
# anthea, machine physique (fontainebleau)
## Matériel
Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
CPU : 2 × AMD Opteron 6280SE
RAM : *(à compléter)*
Alimentation : *(à compléter)*
Onduleur : (non)
Casier : *(à compléter)*
Stockage de masse : *(à compléter)*
## Logiciel
Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Virtualisation : QEMU/KVM (`libvirt`)
Audit des paquets mensuel : `vrms`
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
Mail Transfer Agent : `postfix`
## Caractéristiques notables
Domaine : anthea.libre-en-communs.org
Adresse ipv4 publique : *(à compléter)*
Adresse ipv4 locale : *(à compléter)*
Adresse ipv6 publique : *(à compléter)*
### Configuration réseau
#### /etc/network/interfaces
<details>
*(à compléter)*
</details>
## Configuration SSH
### /etc/ssh/sshd_config
<details>
*(à compléter)*
</details>
## Configuration MTA
### /etc/postfix/transport
a-lec.org :
* discard:
### /etc/postfix/virtual
@localhost admin@a-lec.org
@mother.libre-en-communs.org admin@a-lec.org
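Review bot: the `/etc/postfix/virtual` entry `@mother.libre-en-communs.org admin@a-lec.org` at the end of the hunk names mother's domain, while this page documents anthea (`Domaine : anthea.libre-en-communs.org`) and aunt.md uses its own domain in the same place. If the live file really says `mother`, mail addressed to `@anthea.libre-en-communs.org` is not rewritten to `admin@a-lec.org`; if it is a copy from mother.md, the doc should be corrected. With the addresses, `/etc/network/interfaces` and `sshd_config` all still `*(à compléter)*`, this page cannot yet be used to check the host's exposure, so flagging it as a draft in the heading would help.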

pm/aunt.md Normal file

@ -0,0 +1,198 @@
# aunt, machine physique (leparc)
## Matériel
Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
CPU : 2 × AMD Opteron 6282SE
RAM : *(à compléter)*
Alimentation : *(à compléter)*
Onduleur : 1 × EATON Ellipse PRO 1200 VA
Casier : 1 × Inter-Tech IPC 4U-4129-N SSI-EEB (Rack)
Stockage de masse : 2 × KINGSTON SEDC500M1920G
## Logiciel
Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Virtualisation : QEMU/KVM (`libvirt`)
Gestion du onduleur : NUT/UPS
Audit des paquets mensuel : `vrms`
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
Mail Transfer Agent : `postfix`
Réplication de stockage (vm) : `drbd`, `ocfs2`
## Caractéristiques notables
Domaine : aunt.libre-en-communs.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 locale : 192.168.1.3
Adresse ipv4 interne DRBD : 192.168.254.3
Adresse ipv6 publique : 2001:910:1021::3
### Configuration réseau
#### /etc/network/interfaces
<details>
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug ens9
allow-hotplug ens10
allow-hotplug ens13f0
allow-hotplug ens13f1
# mother!
iface ens13f1 inet static
address 192.168.254.3
post-up /usr/bin/ip link set ens13f1 mtu 9000
# bridge for vm
auto br0
iface br0 inet static
bridge_ports ens13f0
address 192.168.1.3
gateway 192.168.0.1
broadcast 192.168.255.255
netmask 255.255.0.0
iface br0 inet6 static
bridge_ports ens13f0
address 2001:910:1021::3/128
gateway 2001:910:1021::
</details>
## Configuration SSH
### /etc/ssh/sshd_config
<details>
Port 223
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding no
PrintMotd no
TCPKeepAlive yes
PermitTunnel yes
AcceptEnv LANG LC_* GIT_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match User admin666 Address *,!127.0.0.1,!::1
DenyUsers admin666
</details>
## Configuration DRBD
### /etc/drbd.d/drbd1.res
<details>
resource drbd1 {
meta-disk internal;
device /dev/drbd1;
startup {
become-primary-on both;
}
net {
verify-alg sha256;
allow-two-primaries yes;
#fencing resource-and-stonith;
after-sb-0pri discard-zero-changes;
after-sb-1pri discard-secondary;
protocol C;
ko-count 0;
timeout 119;
ping-int 120;
connect-int 120;
#max-epoch-size 20000;
max-buffers 36k;
sndbuf-size 0;
rcvbuf-size 0;
}
handlers {
pri-lost-after-sb "killall virt-backup && umount /opt/sharedfs && drbdadm secondary drbd1";
}
disk {
on-io-error pass_on;
md-flushes;
c-fill-target 10M;
c-max-rate 700M;
c-plan-ahead 0;
c-min-rate 4M;
resync-rate 500M;
}
on mother { # hostname must match `uname -n` output
disk /dev/md1; # Logical Volume on the provided host
address 192.168.254.2:7789; # IP Address to be used to connect to the node with port
}
on aunt { # hostname must match `uname -n` output
disk /dev/md1; # Logical Volume on the provided host
address 192.168.254.3:7789; # IP Address to be used to connect to the node with port
}
}
</details>
### /etc/ocfs2/cluster.conf
<details>
cluster:
name = sharedfs
heartbeat_mode = local
node_count = 2
node:
cluster = sharedfs
number = 0
ip_port = 7777
ip_address = 192.169.254.3
name = aunt
node:
cluster = sharedfs
number = 1
ip_port = 7777
ip_address = 192.169.254.2
name = mother
</details>
## Configuration MTA
### /etc/postfix/transport
a-lec.org :
* discard:
### /etc/postfix/virtual
@localhost admin@a-lec.org
@aunt.libre-en-communs.org admin@a-lec.org
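Review bot: in `/etc/ocfs2/cluster.conf` the node addresses are `ip_address = 192.169.254.3` and `ip_address = 192.169.254.2`, but the DRBD interconnect configured in `/etc/network/interfaces` (`address 192.168.254.3`) and in `drbd1.res` is 192.168.254.x, and mother.md's copy of the same cluster.conf uses 192.168.254.x. Either this page or the live file has a 169/168 transposition; if it is the live file, the o2cb heartbeat is bound to an address the host does not have, so please verify before merging. Also worth one sentence in the text: `allow-two-primaries yes` with `#fencing resource-and-stonith;` commented out is a dual-primary resource with no fencing, and the `after-sb-*` policies then decide automatically whose writes are discarded after a split-brain, a data-loss trade-off the page should state explicitly.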

pm/britt.md Normal file

@ -0,0 +1,58 @@
# britt, machine physique (gisors)
## Matériel
Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
CPU : 1 × AMD Opteron 6280SE
RAM : *(à compléter)*
Alimentation : *(à compléter)*
Onduleur : (non)
Casier : *(à compléter)*
Stockage de masse : *(à compléter)*
## Logiciel
Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Virtualisation : QEMU/KVM (`libvirt`)
Audit des paquets mensuel : `vrms`
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
Mail Transfer Agent : `postfix`
## Caractéristiques notables
Domaine : britt.libre-en-communs.org
Adresse ipv4 publique : *(à compléter)*
Adresse ipv4 locale : *(à compléter)*
Adresse ipv6 publique : *(à compléter)*
### Configuration réseau
#### /etc/network/interfaces
<details>
*(à compléter)*
</details>
## Configuration SSH
### /etc/ssh/sshd_config
<details>
*(à compléter)*
</details>
## Configuration MTA
### /etc/postfix/transport
a-lec.org :
* discard:
### /etc/postfix/virtual
@localhost admin@a-lec.org
@mother.libre-en-communs.org admin@a-lec.org
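Review bot: same copy-paste as anthea.md: the `/etc/postfix/virtual` map ends with `@mother.libre-en-communs.org admin@a-lec.org` although this page is for britt (`Domaine : britt.libre-en-communs.org`); aunt.md shows the intended pattern with the host's own domain. The `*(à compléter)*` placeholders for addresses, interfaces and sshd_config should be filled, or the page marked as a draft, so nobody reads it as a description of the running host.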

pm/mother.md Normal file

@ -0,0 +1,194 @@
# mother, machine physique (leparc)
## Matériel
Carte mère : 1 × Asus KGPN-D16 Rev 1.03G
CPU : 2 × AMD Opteron 6282SE
RAM : 4 × Crucial RDIMM 16Go CT2K16G3ERSLD4160B
Alimentation : 1 × Antec NE700G ZEN EC
Onduleur : 1 × EATON Ellipse PRO 1600 VA
Casier : 1 × Inter-Tech IPC 4U-4129-N SSI-EEB (Rack)
Stockage de masse : 2 × KINGSTON SEDC500M1920G 2 To
## Logiciel
Micro-programme : Coreboot 4.6 + SeaBIOS, sans blob privateur
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Virtualisation : QEMU/KVM (`libvirt`)
Gestion du onduleur : NUT/UPS
Audit des paquets mensuel : `vrms`
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `tig`, `lm-sensors`, `fancontrol`, `screen`
Mail Transfer Agent : `postfix`
Réplication de stockage (vm) : `drbd`, `ocfs2`
## Caractéristiques notables
Domaine : mother.libre-en-communs.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 locale : 192.168.1.2
Adresse ipv4 interne DRBD : 192.168.254.2
Adresse ipv6 publique : 2001:910:1021::2
### Configuration réseau
#### /etc/network/interfaces
<details>
auto lo br0
iface lo inet loopback
# The primary network interface
allow-hotplug ens10
allow-hotplug ens9
allow-hotplug ens13f0
allow-hotplug ens13f1
# aunt
iface ens13f1 inet static
address 192.168.254.2
post-up /usr/bin/ip link set ens13f1 mtu 9000
# bridge for vm
iface br0 inet static
bridge_ports ens13f0
address 192.168.1.2
gateway 192.168.0.1
broadcast 192.168.255.255
netmask 255.255.0.0
iface br0 inet6 static
bridge_ports ens13f0
address 2001:910:1021:0::2/128
gateway 2001:910:1021::1
</details>
## Configuration SSH
### /etc/ssh/sshd_config
<details>
Port 222
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding no
PrintMotd no
TCPKeepAlive yes
PermitTunnel yes
AcceptEnv LANG LC_* GIT_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match User admin666 Address *,!127.0.0.1,!::1
DenyUsers admin666
</details>
## Configuration DRBD
### /etc/drbd.d/drbd1.res
<details>
resource drbd1 {
meta-disk internal;
device /dev/drbd1;
startup {
become-primary-on both;
}
net {
verify-alg sha256;
allow-two-primaries yes;
after-sb-0pri discard-zero-changes;
after-sb-1pri discard-secondary;
protocol C;
ko-count 0;
timeout 119;
ping-int 120;
connect-int 120;
max-buffers 36k;
sndbuf-size 0;
rcvbuf-size 0;
}
handlers {
pri-lost-after-sb "killall virt-backup";
}
disk {
on-io-error pass_on;
md-flushes;
c-fill-target 10M;
c-max-rate 700M;
c-plan-ahead 0;
c-min-rate 4M;
resync-rate 500M;
}
on mother { # hostname must match `uname -n` output
disk /dev/md1; # Logical Volume on the provided host
address 192.168.254.2:7789; # IP Address to be used to connect to the node with port
}
on aunt { # hostname must match `uname -n` output
disk /dev/md1; # Logical Volume on the provided host
address 192.168.254.3:7789; # IP Address to be used to connect to the node with port
}
}
</details>
### /etc/ocfs2/cluster.conf
<details>
cluster:
name = sharedfs
heartbeat_mode = local
node_count = 2
node:
cluster = sharedfs
number = 0
ip_port = 7777
ip_address = 192.168.254.3
name = aunt
node:
cluster = sharedfs
number = 1
ip_port = 7777
ip_address = 192.168.254.2
name = mother
</details>
## Configuration MTA
### /etc/postfix/transport
a-lec.org :
* discard:
### /etc/postfix/virtual
@localhost admin@a-lec.org
@mother.libre-en-communs.org admin@a-lec.org
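Review bot: the `pri-lost-after-sb` handler differs between the two nodes: here it is `"killall virt-backup"`, whereas aunt.md's drbd1.res also runs `umount /opt/sharedfs && drbdadm secondary drbd1`. DRBD's documented intent for this handler is that the losing primary be abandoned (demoted or taken down); on mother the resource stays primary with the shared filesystem mounted, so the two resource files should be identical and the chosen recovery explained in the text. Smaller inconsistency in `/etc/network/interfaces`: the IPv6 gateway is `2001:910:1021::1` here but `2001:910:1021::` in aunt.md and vm/generic.md; one of them is probably wrong.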


@ -21,8 +21,12 @@ IPv6 : 2001:910:1021::/48
``` ```
Il accueille les machines physiques suivantes : Il accueille les machines physiques suivantes :
- [`mother.libre-en-communs.org`]() ; - [`mother.libre-en-communs.org`](../pm/mother.md) ;
- [`aunt.libre-en-communs.org`](). - [`aunt.libre-en-communs.org`](../pm/aunt.md).
Ces machines physiques sont couplées pour permettre une migration transparente
des machines virtuelles. Nous utilisons l'hyperviseur `KVM/libvirt` et `DRBD`
pour ce faire.
## Matériel annexe ## Matériel annexe
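Review bot: the new paragraph credits `KVM/libvirt` and `DRBD` with transparent VM migration, but the pm pages added in this same commit list `drbd`, `ocfs2` as the storage replication stack: DRBD only replicates the block device, and it is the cluster filesystem (OCFS2, mounted on both nodes at `/opt/sharedfs` per the aunt.md handler) that lets a VM image be opened from either host during migration. Suggest naming OCFS2 here and pointing readers at the drbd1.res and cluster.conf sections of the two host pages.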

vm/audio.md Normal file

@ -0,0 +1,118 @@
# Machine virtuelle AUDIO
## Système
### Matériel virtuel
CPU : 1
RAM : 957384 KB
Stockage de masse : 50 Gio
Swap : désactivé
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Mail Transfer Agent : `postfix`
### Caractéristiques notables
Domaine : dns.libre-en-communs.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.186
Adresse ipv6 publique : 2001:910:1021::186
## Serveur web (installation basique)
Installation d'un service nginx pour :
- la gestion des certificats SSL ;
- l'installation d'une page d'information sur comment se connecter au Mumble ;
- la possible installation d'un service client web pour Mumble ;
- l'éventuel déploiement de StatoolInfos ;
- …
Installer les paquets :
```
apt-get install nginx python3-certbot-nginx
```
Ouvrir les ports http (80) et https (443) :
```
ufw allow 'Nginx HTTP'
ufw allow 'Nginx HTTPS'
```
Configurer a minima le site web dans `/etc/nginx/sites-available/audio.a-lec.org` :
```
server
{
listen 80;
listen [::]:80;
server_name audio.a-lec.org;
access_log /var/log/nginx/audio.a-lec.org-access.log;
error_log /var/log/nginx/audio.a-lec.org-error.log;
}
```
Activer la configuration :
```
cd /etc/nginx/sites-enabled/
ln -s ../sites-available/audio.a-lec.org
```
Vérifier que c'est bon et recharger :
```
nginx -t && systemctl reload nginx
```
Configurer le certificat SSl :
```
certbot --nginx
```
Mettre beau le fichier `/etc/nginx/sites-enabled/audio.a-lec.org` :
```
server
{
listen 80;
listen [::]:80;
server_name audio.a-lec.org;
access_log /var/log/nginx/audio.a-lec.org-access.log;
error_log /var/log/nginx/audio.a-lec.org-error.log;
return 302 https://$host$request_uri;
}
server
{
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
server_name audio.a-lec.org;
access_log /var/log/nginx/audio.a-lec.org-access.log;
error_log /var/log/nginx/audio.a-lec.org-error.log;
ssl_certificate /etc/letsencrypt/live/audio.a-lec.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/audio.a-lec.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
root /var/www/audio.a-lec.org;
location = /
{
index index.xhtml;
}
}
```
Vérifier que c'est bon et recharger :
```
nginx -t && systemctl reload nginx
```
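Review bot: `Domaine : dns.libre-en-communs.org` under Caractéristiques notables is copied from the DNS/generic pages; the nginx `server_name` in this very file is `audio.a-lec.org`, so the domain line should match. In the final nginx config, `real_ip_header proxy_protocol;` is set but the listeners are `listen 443 ssl;` and `listen [::]:443 ssl ipv6only=on;` without the `proxy_protocol` parameter that the gestion, git and mail vhosts carry on their IPv4 listen: without it nginx never parses a PROXY header, so the real-IP directives do nothing, and if the router does send PROXY protocol the TLS handshake fails. `set_real_ip_from 192.169.1.1;` is also outside the 192.168.0.0/16 range documented for every host and VM in this commit; please confirm the router's address.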

vm/dns.md Normal file

@ -0,0 +1,33 @@
## Machine virtuelle DNS
Cette machine est le serveur DNS autorité de l'association.
### Matériel virtuel
CPU : xxx
RAM : xxx Mio
Stockage de masse : 10 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
DNS : `bind`
Mail Transfer Agent : `postfix`
### Caractéristiques notables
Domaine : dns.libre-en-communs.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.242
Adresse ipv6 publique : 2001:910:1021::242
### Configuration système de fichier partagé en écriture
#### /etc/fstab (extrait)
<details>
/vm_sharedfs /opt/vm_sharedfs 9p trans=virtio,version=9p2000.L,rw 0 0
</details>
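Review bot: the fstab line `/vm_sharedfs /opt/vm_sharedfs 9p trans=virtio,version=9p2000.L,rw 0 0` mounts a host-shared filesystem read-write on the authoritative DNS server, but nothing says what it contains or which other guests can write to it. Since this is the machine whose zone data everyone trusts, document its purpose and, as vm/generic.md already does for /tmp (`mode=1777,nosuid,nodev`), add `nosuid,nodev,noexec` to the mount options unless executables really have to be run from it. The `CPU : xxx` and `RAM : xxx Mio` placeholders should also be filled before merging.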

vm/generic.md Normal file

@ -0,0 +1,328 @@
## Machine virtuelle GENERIC
#### (c'est-à-dire le modèle de toutes les machines virtuelles)
...
### Matériel virtuel
CPU : 1
RAM : 1000 Mio
Stockage de masse : 50 Gio (fichier `sparse` i.e les zéros ne sont pas écrits sur le disque)
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Mail Transfer Agent : `postfix`
### Caractéristiques notables
Domaine : dns.libre-en-communs.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.4
Adresse ipv6 publique : 2001:910:1021::4
### Configuration réseau
#### /etc/network/interfaces
<details>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet static
address 192.168.1.4/32
broadcast 192.168.255.255
gateway 192.168.0.1
netmask 255.255.0.0
iface enp1s0 inet6 static
address 2001:910:1021::4/128
gateway 2001:910:1021::
</details>
### Configuration SSH
#### /etc/ssh/sshd_config
<details>
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no
AcceptEnv LANG LC_* GIT_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match Group ssh-login
PasswordAuthentication yes
</details>
#### /etc/hosts.allow
sshd: 192.168.1.0/24, [2001:910:1021::]/48
#### /etc/hosts.deny
sshd: ALL
### Pare-feu
Installation :
```
apt-get install ufw
```
Ouvrir le port SSH :
```
ufw allow SSH
ufw enable
systemclt enable ufw
```
### Configuration SUDO
#### /etc/sudoers
<details>
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults env_keep += "GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL"
Defaults mail_badpass, insults
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
</details>
### Configuration MTA
#### /etc/postfix/transport
a-lec.org :
* discard:
#### /etc/postfix/virtual
@localhost admin@a-lec.org
@generic.a-lec.org admin@a-lec.org
### Configuration système de fichier partagé
#### /etc/fstab (extrait)
<details>
tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0
</details>
### Configurations bashrc
#### /etc/skel/.bashrc (et /home/admin666/.bashrc)
<details>
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\H:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
alias dir='dir --color=auto'
alias vdir='vdir --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
alias ll='ls -l'
alias la='ls -A'
#alias l='ls -CF'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
</details>
#### /root/.bashrc
<details>
# ~/.bashrc: executed by bash(1) for non-login shells.
# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
PS1='\[\033[01;32m\]=(^-^)=${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\H\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
# umask 022
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
# eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
</details>
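Review bot: `systemclt enable ufw` in the Pare-feu section is a typo for `systemctl`; as written the step fails (`ufw enable` already makes the firewall persistent across reboots, so the line can simply be dropped). `Domaine : dns.libre-en-communs.org` is copied from the DNS page and should be the template's own name, consistent with `@generic.a-lec.org` in the virtual map. Two things the text should state rather than leave implicit in the dumps: `%sudo ALL=(ALL:ALL) NOPASSWD:ALL` combined with `Match Group ssh-login` / `PasswordAuthentication yes` means a user in both groups gets passwordless root from a password SSH login, so membership of those two groups is the real access control; and `/etc/hosts.allow` / `/etc/hosts.deny` only affect sshd if it is linked against libwrap (check with `ldd $(command -v sshd) | grep libwrap`), which upstream dropped in OpenSSH 6.7 and Debian 11's openssh-server no longer carries, so the ufw rule is the restriction that actually applies.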

vm/gestion.md Normal file

@ -0,0 +1,117 @@
## Machine virtuelle GESTION
Cette machine est destinée à accueillir le logiciel de comptabilité et gestion des membres de l'association.
### Matériel virtuel
CPU : 4
RAM : 3000 Mio
Stockage de masse : 50 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Compta et gestion des membres : `garradin`
Mail Transfer Agent : `postfix`
### Caractéristiques notables
Domaine : gestion.a-lec.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.236
Adresse ipv6 publique : 2001:910:1021::236
### Configuration serveur web (nginx)
<details>
server {
server_name coffre.a-lec.org;
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
# Allow large attachments
client_max_body_size 128M;
location / {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /notifications/hub {
proxy_pass http://127.0.0.1:3012;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://127.0.0.1:8000;
}
listen 443 ssl http2 proxy_protocol; # managed by Certbot
listen [::]:443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/coffre.a-lec.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/coffre.a-lec.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = coffre.a-lec.org) {
return 302 https://$host$request_uri;
} # managed by Certbot
server_name coffre.a-lec.org;
listen 80;
return 404; # managed by Certbot
}
server {
root /usr/share/garradin/www; # Remplacer par le chemin adéquat vers le dossier public de garradin (ici c'est le défaut du paquet Debian)
server_name gestion.a-lec.org; # Remplacer par votre nom de domaine
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
location / {
try_files $uri $uri/ /_route.php?$query_string;
index index.php /_route.php;
}
location ~ \.php {
try_files $uri $uri/ /_route.php?$query_string;
include fastcgi.conf;
#fastcgi_pass 127.0.0.1:9000; # Si vous utilisez PHP-FPM (ou autre) en mode TCP et non sur une socket
fastcgi_pass unix:/var/run/php/php7.4-garradin.sock; # Si vous utilisez PHP-FPM en mode socket
}
listen 443 ssl proxy_protocol; # managed by Certbot
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/gestion.a-lec.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/gestion.a-lec.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = gestion.a-lec.org) {
return 302 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name gestion.a-lec.org;
return 404; # managed by Certbot
}
</details>
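Review bot: the first two `server` blocks serve `coffre.a-lec.org`, proxying `/` to `127.0.0.1:8000` and `/notifications/hub` (WebSocket upgrade) to `127.0.0.1:3012`, yet the Logiciel section lists only `garradin`; whatever listens on those two ports is an undocumented service on the accounting VM and should be named, with its package or install method, like the other software. `listen 443 ssl http2 proxy_protocol;` is paired with `listen [::]:443 ssl http2;` without `proxy_protocol` (same asymmetry in the gestion vhost); if that is deliberate because the router only proxies IPv4, say so, otherwise IPv6 access logs will show the router as the client. `set_real_ip_from 192.169.1.1;` does not match the 192.168.x.x internal range documented for the VMs.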

vm/git.md Normal file

@ -0,0 +1,96 @@
## Machine virtuelle GIT
Cette machine est destinée à accueillir la forge logicielle de l'association, qui permet à différents projets de bénéficier d'un outil de travail supportant des fonctions avancées (comme la CI et les hooks avancés), mais également à l'association de publier différents documents nécessaire à son activité.
### Matériel virtuel
CPU : 2
RAM : 4096 Mio
Stockage de masse : 50 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Forge logicielle : `gitlab-ce`
Mail Transfer Agent : `postfix`
### Caractéristiques notables
Domaine : git.a-lec.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.131
Adresse ipv6 publique : 2001:910:1021::131
### Configuration serveur web (nginx)
<details>
# GITLAB
upstream gitlab-workhorse {
# On GitLab versions before 13.5, the location is
# `/var/opt/gitlab/gitlab-workhorse/socket`. Change the following line
# accordingly.
server unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0;
}
## Redirects all HTTP traffic to the HTTPS host
server {
## Either remove "default_server" from the listen line below,
## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
## to be served if you visit any address that your server responds to, eg.
## the ip address of the server (http://x.x.x.x/)
listen 0.0.0.0:80;
listen [::]:80 ipv6only=on default_server;
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
return 302 https://git.a-lec.org$request_uri;
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
}
## HTTPS host
server {
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
listen 0.0.0.0:443 ssl proxy_protocol;
listen [::]:443 ipv6only=on ssl default_server;
server_name git.a-lec.org; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /opt/gitlab/embedded/service/gitlab-rails/public;
ssl_certificate /etc/letsencrypt/live/git.a-lec.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.a-lec.org/privkey.pem;
## [Optional] Enable HTTP Strict Transport Security
## HSTS is a feature improving protection against MITM attacks
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
client_max_body_size 0;
gzip off;
## https://github.com/gitlabhq/gitlabhq/issues/694
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://gitlab-workhorse;
}
}
</details>
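Review bot: unlike the other vhosts in this commit, the HTTPS server for `git.a-lec.org` sets `ssl_certificate` / `ssl_certificate_key` but neither includes `/etc/letsencrypt/options-ssl-nginx.conf` nor sets `ssl_protocols` / `ssl_ciphers` itself, so the TLS policy falls back to /etc/nginx/nginx.conf, which with the stock Debian 11 file still admits TLSv1 and TLSv1.1; add the include, or an explicit `ssl_protocols TLSv1.2 TLSv1.3;`, for parity with the certbot-managed hosts. `client_max_body_size 0;` (unlimited request bodies) is GitLab's recommended setting but deserves a comment saying so, and `set_real_ip_from 192.169.1.1;` raises the same 169/168 question as the other VM pages. The `server_tokens off;` here is good practice the other vhosts could copy.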

vm/mail.md Normal file

@ -0,0 +1,163 @@
## Machine virtuelle MAIL
Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association.
### Matériel virtuel
CPU : 2
RAM : 1000 Mio
Stockage de masse : 50 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Serveur IMAP (et authentification) : `courier`
Mail Transfer Agent : `postfix`
Webmail : `roundcube` (**upstream**)
Serveur http : `nginx`
### Caractéristiques notables
Domaine : mail.a-lec.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.201
Adresse ipv6 publique : 2001:910:1021::201
### Configuration MTA
<details>
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
\# Debian specific: Specifying a file name will cause the first
\# line of that file to be used as the name. The Debian default
\# is /etc/mailname.
\#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
\# appending .domain is the MUA's job.
append_dot_mydomain = no
\# Uncomment the next line to generate "delayed mail" warnings
\#delay_warning_time = 4h
readme_directory = no
\# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
\# fresh installs.
compatibility_level = 2
\# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
\# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
\# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
myhostname = mail.a-lec.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, a-lec.org, mail.a-lec.org, localhost, os-k.eu
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.169.1.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command =
\## DKIM
smtpd_milters = unix:var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
\## Ralentissement pour les serveurs problématiques
transport_maps = hash:/etc/postfix/transport
slow_destination_concurrency_limit = 3
slow_destination_rate_delay = 3s
maximal_queue_lifetime = 1d
\## Forwarding pour mails du bureau
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
message_size_limit = 524288000
smtp_helo_name = $mydomain
</details>
### Configuration serveur web (nginx)
<details>
server {
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
listen 443 ssl proxy_protocol;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Add index.php to the list if you are using PHP
root /var/www/html/roundcube;
server_name mail.a-lec.org;
client_max_body_size 100M;
# Add index.php to the list if you are using PHP
index index.html index.htm index.php;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ /index.php?q=$uri&$args;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ^~ /data {
deny all;
}
}
</details>
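Review bot: `mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.169.1.0/24` and `set_real_ip_from 192.169.1.1;` trust 192.169.1.0/24, while the VM files in this commit give internal addresses in 192.168.1.0/24 (e.g. `Adresse ipv4 interne : 192.168.1.173`); 192.169.0.0/16 is publicly routable address space, not RFC 1918, so if this is a typo the relay whitelist used by `permit_mynetworks` in `smtpd_relay_restrictions` names a range the association does not own, and if it is intentional the discrepancy should be documented. Also, `smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3` and the three sibling `*_tls_*protocols` settings still admit TLS 1.0 and 1.1; `!SSLv2,!SSLv3,!TLSv1,!TLSv1.1` would restrict to 1.2 and up. In the nginx block, `listen [::]:443 ssl;` lacks the `proxy_protocol` that `listen 443 ssl proxy_protocol;` carries, so `real_ip_header proxy_protocol` cannot recover client addresses for IPv6 connections.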

1673
vm/routeur.md Normal file

File diff suppressed because it is too large

130
vm/toot.md Normal file

@ -0,0 +1,130 @@
## Machine virtuelle TOOT
Cette machine est destinée à accueillir l'instance Mastodon de l'association.
### Matériel virtuel
CPU : 3
RAM : 2048 Mio
Stockage de masse : 50 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Mail Transfer Agent : `postfix`
Base do donnée : PostgreSQL
Serveur Web: NGINX
### Caractéristiques notables
Domaine : toot.a-lec.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.173
Adresse ipv6 publique : 2001:910:1021::173
### Comptes
Administrateur: admin
Modérateurs: neox, echolib
Ouverture de compte: tout membre de l'association
### Visibilité
Instance publique
### Configuration serveur web (nginx)
<details>
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name toot.a-lec.org;
return 302 https://$host$request_uri;
}
server {
listen 443 ssl proxy_protocol default_server;
listen [::]:443 ssl http2 default_server;
server_name toot.a-lec.org;
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
ssl_certificate /etc/letsencrypt/live/toot.a-lec.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/toot.a-lec.org/privkey.pem;
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
keepalive_timeout 70;
sendfile on;
client_max_body_size 0;
root /home/mastodon/live/public;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
add_header Strict-Transport-Security "max-age=31536000";
location / {
try_files $uri @proxy;
}
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
add_header Cache-Control "public, max-age=31536000, immutable";
try_files $uri @proxy;
}
location @proxy {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_pass http://127.0.0.1:3000;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
location /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass http://127.0.0.1:4000;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
error_page 500 501 502 503 504 /500.html;
}
</details>
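Review bot: `add_header Strict-Transport-Security "max-age=31536000";` at server level is not applied inside `location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files)`, because that block's own `add_header Cache-Control ...` replaces the inherited set of headers rather than extending it (nginx inherits `add_header` only into levels that define none); repeat the HSTS header in that location. The two listeners are also asymmetric: `listen 443 ssl proxy_protocol default_server;` has PROXY protocol but no http2, and `listen [::]:443 ssl http2 default_server;` has http2 but no proxy_protocol, so IPv4 clients get no HTTP/2 and IPv6 connections carry no PROXY header for `real_ip_header proxy_protocol`. Minor: `Base do donnée` should read `Base de données`.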

25
vm/tootest.md Normal file

@ -0,0 +1,25 @@
## Machine virtuelle TOOTEST
Cette machine est destinée à accueillir l'instance Mastodon de test.
### Matériel virtuel
CPU : x
RAM : xxx Mio
Stockage de masse : 50 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Mail Transfer Agent : `postfix`
Base do donnée : PostgreSQL
Serveur Web: NGINX
### Caractéristiques notables
Domaine : toot.a-lec.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.232
Adresse ipv6 publique : 2001:910:1021::232
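Review bot: `Domaine : toot.a-lec.org` and `Adresse ipv4 publique : 80.67.176.33` duplicate the production TOOT file, so the test instance has no domain of its own documented; the virtual hardware lines `CPU : x` and `RAM : xxx Mio` are placeholders and should be filled in or marked `*(à compléter)*` as in the other files. Same `Base do donnée` typo as in vm/toot.md.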

117
vm/www.md Normal file

@ -0,0 +1,117 @@
## Machine virtuelle WWW
Cette machine est destinée à accueillir le site web de l'association
### Matériel virtuel
CPU : 1
RAM : 1000 Mio
Stockage de masse : 50 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Mail Transfer Agent : `postfix`
Serveur http : `nginx`
Gestionnaire FastCGI : `php-fpm` version 7.4
### Caractéristiques notables
Domaine : www.a-lec.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.188
Adresse ipv6 publique : 2001:910:1021::188
### Configuration du serveur web (nginx)
<details>
server {
set_real_ip_from 192.169.1.1;
real_ip_header proxy_protocol;
# SSL configuration
#
listen 443 ssl proxy_protocol default_server;
listen [::]:443 ssl default_server;
root /var/www/html;
ssl_certificate /etc/letsencrypt/live/www.a-lec.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.a-lec.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Add index.php to the list if you are using PHP
index index.html index.htm index.php;
server_name www.a-lec.org;
location /.well-known/host-meta {
default_type 'application/xrd+xml';
add_header Access-Control-Allow-Origin '*' always;
}
location /.well-known/host-meta.json {
default_type 'application/jrd+json';
add_header Access-Control-Allow-Origin '*' always;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ $uri.html $uri/index.php?q=$uri&$args =404;
}
ssi on;
ssi_last_modified on;
# pass PHP scripts to FastCGI server
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 80;
listen [::]:80;
server_name www.a-lec.org;
return 302 https://www.a-lec.org$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name a-lec.org;
return 302 https://www.a-lec.org$request_uri;
}
server {
listen 443 ssl proxy_protocol;
listen [::]:443 ssl;
server_name a-lec.org;
return 302 https://www.a-lec.org$request_uri;
ssl_certificate /etc/letsencrypt/live/a-lec.org-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/a-lec.org-0001/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
</details>
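Review bot: in `try_files $uri $uri/ $uri.html $uri/index.php?q=$uri&$args =404;` the element `$uri/index.php?q=$uri&$args` is not the last parameter, so nginx treats it as a file path to stat, literal `?q=...` included, which never exists; the PHP fallback is therefore dead and such requests fall through to `=404`. If the intent is the same fallback as the mail host, make it the final parameter: `try_files $uri $uri/ $uri.html /index.php?q=$uri&$args;`. As on the other hosts, `listen [::]:443 ssl default_server;` lacks `proxy_protocol` while the IPv4 listener has it. The HTTP-to-HTTPS redirects use `return 302`; a permanent `301` plus a `Strict-Transport-Security` header (present on the toot host, absent here) would be the usual choice.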

24
vm/xmpp.md Normal file

@ -0,0 +1,24 @@
## Machine virtuelle XMPP
Cette machine est destinée à accueillir le service XMPP
### Matériel virtuel
CPU : 1
RAM : 1000 Mio
Stockage de masse : 50 Gio
### Logiciel
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
Mail Transfer Agent : `postfix`
Serveur XMPP : `ejabberd`
### Caractéristiques notables
Domaine : xmpp.a-lec.org
Adresse ipv4 publique : 80.67.176.33
Adresse ipv4 interne : 192.168.1.211
Adresse ipv6 publique : 2001:910:1021::211
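Review bot: unlike the other VM files, this one documents no service configuration (no `<details>` block for `ejabberd`, no listening ports, no certificate paths); add at least the ejabberd listener and TLS certificate configuration so the file is usable for maintenance.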