Merge branch 'buster' into unstable
commit
bea11352be
|
@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
|
||||||
### Added
|
### Added
|
||||||
* evocheck: explicit PATH
|
* evocheck: explicit PATH
|
||||||
* evolinux-base: On debian 10 and later, add noexec on /dev/shm
|
* evolinux-base: On debian 10 and later, add noexec on /dev/shm
|
||||||
|
* evolinux-base: default value for "evolinux_ssh_group"
|
||||||
* generate-ldif: support MariaDB 10.3
|
* generate-ldif: support MariaDB 10.3
|
||||||
* listupgrade: install old-kernel-autoremoval script
|
* listupgrade: install old-kernel-autoremoval script
|
||||||
* mysql: activate binary logs by specifying log_bin path
|
* mysql: activate binary logs by specifying log_bin path
|
||||||
|
@ -25,12 +26,14 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
* elasticsearch: listen on local interface only by default
|
* elasticsearch: listen on local interface only by default
|
||||||
* evocheck: upstream version 19.09
|
* evocheck : update (version 19.09) from upstream
|
||||||
* evocheck: cron jobs execute in verbose
|
* evocheck: cron jobs execute in verbose
|
||||||
* evomaintenance: upstream version 0.5.1
|
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
||||||
* evomaintenance: Turn on API by default (instead of DB)
|
* evomaintenance: Turn on API by default (instead of DB)
|
||||||
|
* evomaintenance: upstream version 0.5.1
|
||||||
* php: By default, allow 128M for OpCache (instead of 64M)
|
* php: By default, allow 128M for OpCache (instead of 64M)
|
||||||
* squid: Remove wait time when we turn off squid
|
* squid: Remove wait time when we turn off squid
|
||||||
|
* squid: split systemd tasks into own file
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
* lxc-php: Don't remove the default pool
|
* lxc-php: Don't remove the default pool
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
|
# deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
|
||||||
|
deb http://pub.evolix.net/ stretch/
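Review bot: The new source line hardcodes `stretch/` for every target release, so the Debian 10 hosts this branch is meant to support will pull stretch-built packages from pub.evolix.net, and nothing on the line records why the `{{ ansible_distribution_release }}` form was commented out rather than removed. If the reason is that no buster suite is published yet (I cannot confirm that from here), say so in the template: `# TODO: pub.evolix.net has no buster suite yet; restore {{ ansible_distribution_release }} once it exists`. Otherwise a dedicated role variable holding the suite name would keep the override explicit instead of buried in a template.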
|
||||||
|
|
|
@ -79,6 +79,7 @@ evolinux_packages_diagnostic: True
|
||||||
evolinux_packages_hardware: True
|
evolinux_packages_hardware: True
|
||||||
evolinux_packages_common: True
|
evolinux_packages_common: True
|
||||||
evolinux_packages_stretch: True
|
evolinux_packages_stretch: True
|
||||||
|
evolinux_packages_buster: True
|
||||||
evolinux_packages_serveur_base: True
|
evolinux_packages_serveur_base: True
|
||||||
evolinux_packages_purge_openntpd: True
|
evolinux_packages_purge_openntpd: True
|
||||||
evolinux_packages_purge_locate: True
|
evolinux_packages_purge_locate: True
|
||||||
|
@ -124,6 +125,7 @@ evolinux_ssh_password_auth_addresses: "{{ evolinux_default_ssh_password_auth_add
|
||||||
evolinux_ssh_match_address: True
|
evolinux_ssh_match_address: True
|
||||||
evolinux_ssh_disable_acceptenv: True
|
evolinux_ssh_disable_acceptenv: True
|
||||||
evolinux_ssh_allow_current_user: False
|
evolinux_ssh_allow_current_user: False
|
||||||
|
evolinux_ssh_group: "evolinux-ssh"
|
||||||
|
|
||||||
### disabled because of a memory leak
|
### disabled because of a memory leak
|
||||||
# # evolinux users
|
# # evolinux users
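Review bot: The default added here is `evolinux_ssh_group`, but the SSH tasks in this commit render `{{ evolinux_internal_group }}` (the `Match Group` line in the sshd blockinfile hunk and the comment above it), and the CHANGELOG entries name both variables. Unless `evolinux_internal_group` is declared elsewhere in this defaults file, outside the hunk, the sshd block will fail on an undefined variable the first time the role runs on a host with no override. Either rename the new default to the name the tasks consume, `evolinux_internal_group: "evolinux-ssh"`, or document how the two relate with a comment above this line, e.g. `# group whose members may not use password authentication from outside evolinux_ssh_password_auth_addresses`.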
|
||||||
|
|
|
@ -95,6 +95,16 @@
|
||||||
- evolinux_packages_stretch
|
- evolinux_packages_stretch
|
||||||
- ansible_distribution_major_version | version_compare('9', '>=')
|
- ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- name: Install/Update packages for Buster and later
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
with_items:
|
||||||
|
- spectre-meltdown-checker
|
||||||
|
- binutils
|
||||||
|
when:
|
||||||
|
- evolinux_packages_buster
|
||||||
|
- ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
- name: Customize logcheck recipient
|
- name: Customize logcheck recipient
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/logcheck/logcheck.conf
|
dest: /etc/logcheck/logcheck.conf
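Review bot: The new `Install/Update packages for Buster and later` task installs its two packages through `with_items` + `name: "{{ item }}"`; passing the list straight to `name` is the documented form for `apt` and installs them in one transaction: `name: [spectre-meltdown-checker, binutils]`. The stretch task above uses the same shape, so change both or keep them consistent. Both the stretch task (`>= 9`) and this one (`>= 10`) run on Debian 10, which is presumably intended since the lists differ; a one-line comment such as `# package lists are cumulative: stretch list also applies to buster` would save the next reader the check.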
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
# only the first instance of the keyword is applied. »
|
# only the first instance of the keyword is applied. »
|
||||||
#
|
#
|
||||||
# We want to allow any user from a list of IP addresses to login with password,
|
# We want to allow any user from a list of IP addresses to login with password,
|
||||||
# but users of the "evolix" group can't login with password from other IP addresses
|
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
|
||||||
|
|
||||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||||
blockinfile:
|
blockinfile:
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
block: |
|
block: |
|
||||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||||
PasswordAuthentication yes
|
PasswordAuthentication yes
|
||||||
Match Group evolix
|
Match Group {{ evolinux_internal_group }}
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
validate: '/usr/sbin/sshd -t -f %s'
|
validate: '/usr/sbin/sshd -t -f %s'
|
||||||
|
|
|
@ -10,7 +10,7 @@ is_alert5_enabled() {
|
||||||
if test -f /etc/init.d/alert5; then
|
if test -f /etc/init.d/alert5; then
|
||||||
test -f /etc/rc2.d/S*alert5
|
test -f /etc/rc2.d/S*alert5
|
||||||
else
|
else
|
||||||
systemctl is-active alert5 | grep -q "^active$"
|
systemctl is-enabled alert5 -q
|
||||||
fi
|
fi
|
||||||
}
|
}
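Review bot: The replacement line puts the `-q` option after the unit name, `systemctl is-enabled alert5 -q`; systemctl accepts it, but `systemctl is-enabled -q alert5` is the conventional order and reads as an option rather than a second unit. The semantics also change from "running now" (`is-active`) to "enabled at boot" (`is-enabled`), which agrees with the function's name but means a unit that is enabled yet currently failed now counts as enabled; a comment like `# enabled at boot, not necessarily running` would make that explicit for callers that relied on the old check. The sysvinit branch's unquoted glob in `test -f /etc/rc2.d/S*alert5` is unchanged and returns an error (non-zero) if more than one link matches. The function's opening line `is_alert5_enabled() {` sits outside the hunk.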
|
||||||
|
|
||||||
|
|
|
@ -24,14 +24,23 @@
|
||||||
- mysql
|
- mysql
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: "Install depends for mytop (Debian 9 or later)"
|
- name: "Install depends for mytop (stretch)"
|
||||||
apt:
|
apt:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
with_items:
|
with_items:
|
||||||
- mariadb-client-10.1
|
- mariadb-client-10.1
|
||||||
- libconfig-inifiles-perl
|
- libconfig-inifiles-perl
|
||||||
- libterm-readkey-perl
|
- libterm-readkey-perl
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_release == "stretch"
|
||||||
|
|
||||||
|
- name: "Install depends for mytop (Debian 10 or later)"
|
||||||
|
apt:
|
||||||
|
name: "{{ item }}"
|
||||||
|
with_items:
|
||||||
|
- mariadb-client-10.3
|
||||||
|
- libconfig-inifiles-perl
|
||||||
|
- libterm-readkey-perl
|
||||||
|
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
- name: Read debian-sys-maint password
|
- name: Read debian-sys-maint password
|
||||||
shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3'
|
shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3'
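Review bot: The new `Install depends for mytop (Debian 10 or later)` task pins `mariadb-client-10.3` under a `version_compare('10', '>=')` guard, so on Debian 11 and later, where that versioned package name no longer exists, the task fails instead of skipping; the stretch task was narrowed to `== "stretch"` for exactly this reason, and this one should probably be narrowed to `when: ansible_distribution_release == "buster"` or use the unversioned `mariadb-client` metapackage. The `with_items` + `name: "{{ item }}"` pattern could also be collapsed to a list in `name`, which applies to the other package tasks added in this commit as well. The hunk also carries the unchanged `Read debian-sys-maint password` shell task; whether it sets `no_log` so the password does not land in play output is outside the hunk.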
|
||||||
|
|
|
@ -60,4 +60,3 @@
|
||||||
with_items:
|
with_items:
|
||||||
- evolinux-evasive
|
- evolinux-evasive
|
||||||
- evolinux-modsec
|
- evolinux-modsec
|
||||||
|
|
||||||
|
|
|
@ -44,6 +44,7 @@
|
||||||
file:
|
file:
|
||||||
dest: /etc/phpmyadmin/
|
dest: /etc/phpmyadmin/
|
||||||
group: www-data
|
group: www-data
|
||||||
|
state: directory
|
||||||
|
|
||||||
- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
|
- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
|
||||||
shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
|
shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
|
||||||
|
@ -65,4 +66,3 @@
|
||||||
with_items:
|
with_items:
|
||||||
- /var/log/evolix.log
|
- /var/log/evolix.log
|
||||||
- /etc/warnquota.conf
|
- /etc/warnquota.conf
|
||||||
|
|
||||||
|
|
|
@ -1,12 +1,23 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Install phpmyadmin
|
- name: Install apg
|
||||||
apt:
|
apt:
|
||||||
name: '{{ item }}'
|
name: apg
|
||||||
state: present
|
|
||||||
with_items:
|
- name: Install phpmyadmin (Debian <=9)
|
||||||
- phpmyadmin
|
apt:
|
||||||
- apg
|
name: phpmyadmin
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '<=')
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: remount-usr
|
||||||
|
|
||||||
|
# /!\ Warning: this is a temporary hack as phpmyadmin for Buster is not yet
|
||||||
|
# available
|
||||||
|
- name: Install phpmyadmin using sid package (Debian >=10)
|
||||||
|
apt:
|
||||||
|
deb: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
|
||||||
|
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
- name: Check if phpmyadmin default configuration is present
|
- name: Check if phpmyadmin default configuration is present
|
||||||
stat:
|
stat:
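Review bot: The new `Install phpmyadmin using sid package (Debian >=10)` task hands `apt` a plain-HTTP URL under `deb:`, which the module downloads and installs with dpkg; unlike packages from a configured repository, nothing verifies a signature or checksum of what arrives, so a tampered or stale mirror response is installed as root. The same pattern is used for `php-log` in the last hunk of this commit. Fetching the file with `get_url` and a pinned `checksum:` (and HTTPS where the mirror offers it), then installing the local file, keeps the hack but makes it verifiable; the `include_role: remount-usr` before it also has no `when:`, so it runs on every Debian release although only the Debian 10 path needs it. The `# /!\ Warning` comment would be more useful with the condition for removing the hack, e.g. `# TODO: drop once phpmyadmin is available in buster or buster-backports`.
```yaml
- name: Download phpmyadmin sid package (Debian >=10)
  get_url:
    url: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
    dest: /root/phpmyadmin_4.6.6-5_all.deb  # constructed: any root-owned local path works
    checksum: "sha256:<EXPECTED_SHA256_OF_THE_DEB>"  # placeholder: record the real digest here
  when: ansible_distribution_major_version | version_compare('10', '>=')

- name: Install phpmyadmin using sid package (Debian >=10)
  apt:
    deb: /root/phpmyadmin_4.6.6-5_all.deb
  when: ansible_distribution_major_version | version_compare('10', '>=')
```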
|
||||||
|
|
|
@ -9,4 +9,7 @@
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- include: main_stretch.yml
|
- include: main_stretch.yml
|
||||||
|
when: ansible_distribution_release == "stretch"
|
||||||
|
|
||||||
|
- include: main_buster.yml
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
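Review bot: The `- include: main_buster.yml` added here inherits the unchanged `when: ansible_distribution_major_version | version_compare('9', '>=')` below it, so on Debian 9 both `main_stretch.yml` (now guarded by `== "stretch"`) and `main_buster.yml` run, and the buster file's `/etc/php/7.3` paths do not exist on stretch. The guard should read `when: ansible_distribution_major_version | version_compare('10', '>=')`, as the squid and mysql tasks in this commit do for their Debian 10 branches.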
|
||||||
|
|
95
php/tasks/main_buster.yml
Normal file
95
php/tasks/main_buster.yml
Normal file
|
@ -0,0 +1,95 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Set variables (Debian 10 or later)"
|
||||||
|
set_fact:
|
||||||
|
php_cli_defaults_ini_file: /etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini
|
||||||
|
php_cli_custom_ini_file: /etc/php/7.3/cli/conf.d/zzz-evolinux-custom.ini
|
||||||
|
php_apache_defaults_ini_file: /etc/php/7.3/apache2/conf.d/z-evolinux-defaults.ini
|
||||||
|
php_apache_custom_ini_file: /etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini
|
||||||
|
php_fpm_defaults_ini_file: /etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini
|
||||||
|
php_fpm_custom_ini_file: /etc/php/7.3/fpm/conf.d/zzz-evolinux-custom.ini
|
||||||
|
php_fpm_defaults_conf_file: /etc/php/7.3/fpm/pool.d/z-evolinux-defaults.conf
|
||||||
|
php_fpm_custom_conf_file: /etc/php/7.3/fpm/pool.d/zzz-evolinux-custom.conf
|
||||||
|
php_fpm_service_name: php7.3-fpm
|
||||||
|
|
||||||
|
# Packages
|
||||||
|
|
||||||
|
- name: "Set package list (Debian 9 or later)"
|
||||||
|
set_fact:
|
||||||
|
php_stretch_packages:
|
||||||
|
- php-cli
|
||||||
|
- php-gd
|
||||||
|
- php-intl
|
||||||
|
- php-imap
|
||||||
|
- php-ldap
|
||||||
|
- php-mysql
|
||||||
|
# php-mcrypt is no longer packaged for PHP 7.2
|
||||||
|
- php-pgsql
|
||||||
|
- php-gettext
|
||||||
|
- php-curl
|
||||||
|
- php-ssh2
|
||||||
|
- php-zip
|
||||||
|
- composer
|
||||||
|
- libphp-phpmailer
|
||||||
|
|
||||||
|
- include: sury_pre.yml
|
||||||
|
when: php_sury_enable
|
||||||
|
|
||||||
|
- name: "Install PHP packages (Debian 9 or later)"
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items: "{{ php_stretch_packages }}"
|
||||||
|
|
||||||
|
- name: "Install mod_php packages (Debian 9 or later)"
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- libapache2-mod-php
|
||||||
|
- php
|
||||||
|
when: php_apache_enable
|
||||||
|
|
||||||
|
- name: "Install PHP FPM packages (Debian 9 or later)"
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- php-fpm
|
||||||
|
- php
|
||||||
|
when: php_fpm_enable
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
|
||||||
|
- name: Enforce permissions on PHP directory
|
||||||
|
file:
|
||||||
|
dest: "{{ item }}"
|
||||||
|
mode: "0755"
|
||||||
|
with_items:
|
||||||
|
- /etc/php
|
||||||
|
- /etc/php/7.3
|
||||||
|
|
||||||
|
- include: config_cli.yml
|
||||||
|
- name: Enforce permissions on PHP cli directory
|
||||||
|
file:
|
||||||
|
dest: /etc/php/7.3/cli
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- include: config_fpm.yml
|
||||||
|
when: php_fpm_enable
|
||||||
|
- name: Enforce permissions on PHP fpm directory
|
||||||
|
file:
|
||||||
|
dest: /etc/php/7.3/fpm
|
||||||
|
mode: "0755"
|
||||||
|
when: php_fpm_enable
|
||||||
|
|
||||||
|
- include: config_apache.yml
|
||||||
|
when: php_apache_enable
|
||||||
|
- name: Enforce permissions on PHP apache2 directory
|
||||||
|
file:
|
||||||
|
dest: /etc/php/7.3/apache2
|
||||||
|
mode: "0755"
|
||||||
|
when: php_apache_enable
|
||||||
|
|
||||||
|
- include: sury_post.yml
|
||||||
|
when: php_sury_enable
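Review bot: Several task names and the list variable in this new Buster-only file still say "(Debian 9 or later)" and `php_stretch_packages`, which will mislead anyone reading run output or grepping for the stretch list; rename to `php_buster_packages` and label the tasks "(Debian 10 or later)" like the `Set variables` task at the top. The PHP version `7.3` is repeated in about a dozen paths; a `php_version: "7.3"` set in a preceding `set_fact` and `/etc/php/{{ php_version }}/...` elsewhere would make the next bump a one-line change, e.g. `php_cli_defaults_ini_file: "/etc/php/{{ php_version }}/cli/conf.d/z-evolinux-defaults.ini"` (if the sury include can change the installed version, that variable would need to follow it). The `# php-mcrypt is no longer packaged for PHP 7.2` comment is carried over from the stretch file and no longer explains anything here.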
|
22
squid/files/squid.service
Normal file
22
squid/files/squid.service
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
## Copyright (C) 1996-2019 The Squid Software Foundation and contributors
|
||||||
|
##
|
||||||
|
## Squid software is distributed under GPLv2+ license and includes
|
||||||
|
## contributions from numerous individuals and organizations.
|
||||||
|
## Please see the COPYING and CONTRIBUTORS files for details.
|
||||||
|
##
|
||||||
|
|
||||||
|
[Unit]
|
||||||
|
Description=Squid Web Proxy Server
|
||||||
|
Documentation=man:squid(8)
|
||||||
|
After=network.target network-online.target nss-lookup.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=forking
|
||||||
|
PIDFile=/var/run/squid.pid
|
||||||
|
ExecStartPre=/usr/sbin/squid --foreground -z
|
||||||
|
ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf
|
||||||
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
|
KillMode=mixed
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
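Review bot: This unit is installed as a full replacement at `/etc/systemd/system/squid.service` (see the `squid/tasks/systemd.yml` file in this commit), so it shadows the packaged unit entirely and any later fix or hardening Debian ships in its own unit is silently lost; if the only change from upstream is the `-f /etc/squid/evolinux-defaults.conf` argument, a drop-in `/etc/systemd/system/squid.service.d/override.conf` carrying an empty `ExecStart=` followed by the new `ExecStart=` line keeps the rest of the packaged unit in force. `PIDFile=/var/run/squid.pid` references the legacy `/var/run` path, which recent systemd versions warn about on every daemon-reload; `PIDFile=/run/squid.pid` is the same file. A comment naming the upstream revision the file was copied from would make future diffs against the package easier.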
|
|
@ -134,6 +134,9 @@
|
||||||
notify: "reload squid"
|
notify: "reload squid"
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
|
- include: systemd.yml
|
||||||
|
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
- include: logrotate_jessie.yml
|
- include: logrotate_jessie.yml
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
|
|
14
squid/tasks/systemd.yml
Normal file
14
squid/tasks/systemd.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Set custom systemd unit service (Debian 10 or later)"
|
||||||
|
copy:
|
||||||
|
src: squid.service
|
||||||
|
dest: /etc/systemd/system/squid.service
|
||||||
|
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
|
- name: "Reload systemd and restart squid (Debian 10 or later)"
|
||||||
|
systemd:
|
||||||
|
name: squid
|
||||||
|
state: restarted
|
||||||
|
daemon_reload: yes
|
||||||
|
when: ansible_distribution_major_version | version_compare('10', '>=')
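Review bot: The `Reload systemd and restart squid` task uses `state: restarted` with no condition on the copy having changed, so every playbook run restarts the proxy and drops its client connections even when the unit file is identical. Register the `copy` result and restart only when it reports a change, or notify a handler as the squid main tasks already do with `"reload squid"`. The two `when:` guards on Debian 10 duplicate the guard on the `- include: systemd.yml` line added in the squid tasks hunk of this commit, and `daemon_reload: yes` would read better as `daemon_reload: true`.
```yaml
- name: "Set custom systemd unit service (Debian 10 or later)"
  copy:
    src: squid.service
    dest: /etc/systemd/system/squid.service
  register: squid_unit
  when: ansible_distribution_major_version | version_compare('10', '>=')

- name: "Reload systemd and restart squid (Debian 10 or later)"
  systemd:
    name: squid
    state: restarted
    daemon_reload: true
  when:
    - ansible_distribution_major_version | version_compare('10', '>=')
    - squid_unit.changed
```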
|
|
@ -4,15 +4,37 @@
|
||||||
name: apt
|
name: apt
|
||||||
tasks_from: evolix_public.yml
|
tasks_from: evolix_public.yml
|
||||||
|
|
||||||
- name: Install PHP packages
|
- name: Install PHP packages (Debian 10 and later)
|
||||||
|
apt:
|
||||||
|
name: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- php-pear
|
||||||
|
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
|
# /!\ Warning, this is a temporary hack
|
||||||
|
- include_role:
|
||||||
|
name: remount-usr
|
||||||
|
|
||||||
|
# /!\ Warning, this is a temporary hack
|
||||||
|
- name: Install PHP packages from sid (Debian 10 and later)
|
||||||
|
apt:
|
||||||
|
deb: '{{ item }}'
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb'
|
||||||
|
when: ansible_distribution_major_version | version_compare('10', '>=')
|
||||||
|
|
||||||
|
- name: Install PHP packages (stretch)
|
||||||
apt:
|
apt:
|
||||||
name: '{{ item }}'
|
name: '{{ item }}'
|
||||||
state: present
|
state: present
|
||||||
with_items:
|
with_items:
|
||||||
- php-pear
|
- php-pear
|
||||||
- php-log
|
- php-log
|
||||||
|
when: ansible_distribution_release == "stretch"
|
||||||
|
|
||||||
- name: Install PHP5 packages
|
- name: Install PHP5 packages (jessie)
|
||||||
apt:
|
apt:
|
||||||
name: '{{ item }}'
|
name: '{{ item }}'
|
||||||
state: present
|
state: present
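Review bot: The `include_role: remount-usr` added here has no `when:`, so it runs on jessie and stretch hosts too, although the comment ties it to the Debian 10 hack; a guard of `when: ansible_distribution_major_version | version_compare('10', '>=')` on the include keeps it with the task it serves. The `# /!\ Warning, this is a temporary hack` comment appears twice within a few lines; one copy, extended with the condition for removing the hack (php-log available in buster), is enough. The plain-HTTP `.deb` install without a checksum is the same concern raised on the phpmyadmin hunk of this commit.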
|
||||||
|
|