From 110a4a428203d3cad02ea703add6ca4c09c07b75 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 30 Apr 2024 17:44:41 +0200 Subject: [PATCH 01/18] formatting --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 06a03cfa..6207755f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,7 +25,7 @@ The **patch** part is incremented if multiple releases happen the same month ### Added -proftpd: optional configuration of IP whitelists per groups of users +* proftpd: optional configuration of IP whitelists per groups of users ### Changed From 9be5a18c2e7a276a6b54f4c5b415360cc4194cbf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 May 2024 10:27:34 +0200 Subject: [PATCH 02/18] evobackup-client: upstream release 24.05 --- CHANGELOG.md | 2 ++ evobackup-client/files/upstream/CHANGELOG.md | 18 ++++++++++++++---- .../files/upstream/bin/evobackupctl | 11 +++++++---- evobackup-client/files/upstream/lib/main.sh | 2 +- 4 files changed, 24 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6207755f..854ffa94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,8 @@ The **patch** part is incremented if multiple releases happen the same month ### Changed +* evobackup-client: upstream release 24.05 + ### Fixed ### Removed diff --git a/evobackup-client/files/upstream/CHANGELOG.md b/evobackup-client/files/upstream/CHANGELOG.md index 9d5c1681..a62b459f 100644 --- a/evobackup-client/files/upstream/CHANGELOG.md +++ b/evobackup-client/files/upstream/CHANGELOG.md 
@@ -23,13 +23,23 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Security -## [24.04.1] +## [24.05] - 2022-05-02 + +### Added + +* evobackupctl: update LIBDIR when copying the template + +### Changed + +* evobackupctl: simplify the program path retrieval + +## [24.04.1] - 2022-04-30 ### Fixed * evobackupctl: quote ARGS variable for options parsing. -## [24.04] +## [24.04] - 2022-04-29 ### Added @@ -52,7 +62,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * don't exit the whole program if a sync task can't be done -## [22.12] +## [22.12] - 2022-12-27 ### Changed @@ -77,6 +87,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * Make start_time and stop_time compatible with OpenBSD -## [22.03] +## [22.03] - 2022-04-03 Split client and server parts of the project diff --git a/evobackup-client/files/upstream/bin/evobackupctl b/evobackup-client/files/upstream/bin/evobackupctl index 33996945..02adacb2 100644 --- a/evobackup-client/files/upstream/bin/evobackupctl +++ b/evobackup-client/files/upstream/bin/evobackupctl @@ -1,9 +1,8 @@ #!/usr/bin/env bash # shellcheck disable=SC2155 -readonly PROGNAME=$(basename "${0}") -# shellcheck disable=SC2155 -readonly PROGDIR=$(readlink -m "$(dirname "${0}")") +readonly PROGPATH=$(readlink -m "${0}") +readonly PROGNAME=$(basename "${PROGPATH}") # shellcheck disable=SC2124 readonly ARGS=$@ 
@@ -78,10 +77,14 @@ copy_template() { if cp "${LIBDIR}/zzz_evobackup.sh" "${dest_path}"; then chmod 750 "${dest_path}" - sed -i "s|@COMMAND@|${PROGDIR}/${PROGNAME} ${ARGS}|" "${dest_path}" + # Insert metadata about the template + sed -i "s|@COMMAND@|${PROGPATH} ${ARGS}|" "${dest_path}" sed -i "s|@DATE@|$(date --iso-8601=seconds)|" "${dest_path}" sed -i "s|@VERSION@|${VERSION}|" "${dest_path}" + # Make sure that the library directory is correct + sed -i "s|^LIBDIR=.\+|LIBDIR=\"${LIBDIR}\"|" "${dest_path}" + printf "New evobackup script has been saved to '%s'.\n" "${dest_path}" printf "Remember to customize it (mail notifications, backup servers…).\n" exit 0 diff --git a/evobackup-client/files/upstream/lib/main.sh b/evobackup-client/files/upstream/lib/main.sh index d4873cb9..f8e29fa0 100644 --- a/evobackup-client/files/upstream/lib/main.sh +++ b/evobackup-client/files/upstream/lib/main.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # shellcheck disable=SC2034,SC2317 -readonly VERSION="24.04.1" +readonly VERSION="24.05" # set all programs to C language (english) export LC_ALL=C From 0397612541b7053ff92282632ebe13e2e9b0a641 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 May 2024 10:27:40 +0200 Subject: [PATCH 03/18] whitespaces --- evobackup-client/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evobackup-client/tasks/install.yml b/evobackup-client/tasks/install.yml index 0e428331..246dcd91 100644 --- a/evobackup-client/tasks/install.yml +++ b/evobackup-client/tasks/install.yml @@ -10,7 +10,7 @@ - name: "Remount /usr if needed" include_role: name: remount-usr - when: evobackup_client__lib_dir is search("/usr") or evobackup_client__bin_dir is search("/usr") + when: evobackup_client__lib_dir is search("/usr") or evobackup_client__bin_dir is search("/usr") - name: copy evobackup libs ansible.builtin.copy: From 1d342f6952b4b20d07d3c94637a9e297e63466d5 Mon Sep 17 00:00:00 2001 
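Review bot: The two `sed -i` substitutions in this hunk interpolate `${PROGPATH} ${ARGS}` and `${LIBDIR}` into the replacement side unescaped, so an argument or library path containing `|`, `&` or `\` either breaks the expression or, for `&`, re-inserts the matched `@COMMAND@` / `LIBDIR=` text into the generated script. `ARGS` is the caller's own command line, so this is a robustness issue rather than a privilege boundary, but the generated file is executed as the backup script afterwards, so a silently mangled `LIBDIR` line is worth guarding against. I would add `sed_escape() { printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'; }` near the top of the file and write `sed -i "s|@COMMAND@|$(sed_escape "${PROGPATH} ${ARGS}")|"` and `sed -i "s|^LIBDIR=.\+|LIBDIR=\"$(sed_escape "${LIBDIR}")\"|"`. `.\+` and in-place `-i` without a suffix are GNU sed forms; the upstream changelog in this same patch mentions OpenBSD compatibility, so that may deserve a check. `copy_template()` starts before this hunk.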
From: Jeremy Lecour Date: Thu, 2 May 2024 16:21:13 +0200 Subject: [PATCH 04/18] apt: add list-upgradable-held-packages.sh --- CHANGELOG.md | 2 + apt/defaults/main.yml | 3 + apt/files/list-upgradable-held-packages.sh | 124 +++++++++++++++++++++ apt/tasks/hold_packages.yml | 23 +++- 4 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 apt/files/list-upgradable-held-packages.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 854ffa94..a111b6e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,8 @@ The **patch** part is incremented if multiple releases happen the same month ### Added +* apt: add list-upgradable-held-packages.sh + ### Changed * evobackup-client: upstream release 24.05 diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index 772a8fb9..95ca8883 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -29,4 +29,7 @@ apt_check_hold_cron_weekday: "*" apt_check_hold_cron_day: "*" apt_check_hold_cron_month: "*" +apt_list_upgradable_held_enabled: False +apt_list_upgradable_held_special_time: "weekly" + apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" diff --git a/apt/files/list-upgradable-held-packages.sh b/apt/files/list-upgradable-held-packages.sh new file mode 100644 index 00000000..608fbf1e --- /dev/null +++ b/apt/files/list-upgradable-held-packages.sh 
@@ -0,0 +1,124 @@ +#!/bin/bash + +##### +# This script will send an email if some packages are on hold +# but have available updates. +##### + +# set all programs to C language (english) +export LC_ALL=C + +# If expansion is attempted on an unset variable or parameter, the shell prints an +# error message, and, if not interactive, exits with a non-zero status. +set -o nounset +# The pipeline's return status is the value of the last (rightmost) command +# to exit with a non-zero status, or zero if all commands exit successfully. +set -o pipefail +# Enable trace mode if called with environment variable TRACE=1 +if [[ "${TRACE-0}" == "1" ]]; then + set -o xtrace +fi + +# shellcheck disable=SC2155 +readonly PROGPATH=$(readlink -m "${0}") +# readonly PROGNAME=$(basename "${PROGPATH}") +# # shellcheck disable=SC2124 +# readonly ARGS=$@ + +# Fetch values from evomaintenance configuration +get_evomaintenance_mail() { + grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2 +} +get_fqdn() { + hostname --fqdn +} +get_complete_hostname() { + REAL_HOSTNAME="$(get_fqdn)" + if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then + echo "${HOSTNAME}" + else + echo "${HOSTNAME} (${REAL_HOSTNAME})" + fi +} + +format_mail() { + cat < +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +X-Script: ${PROGPATH} +To: ${EMAIL_CLIENT:-alert5@evolix.fr} +Subject: Mise a jour manuelle disponible + +Bonjour, + +Un ou plusieurs paquets dont la mise à jour automatique a été +explicitement bloquée ont une nouvelle version disponible. + +Nom du serveur : +${HOSTNAME_TEXT} + +Liste des paquets : +${upgradable_held_packages} + +Pour que nous appliquions ces mises à jour vous devez +nous contacter explicitement, de préférence par ticket, +en mentionnant le serveur et les paquets concernés, +ainsi que les modalités de mise à jour (créneau horaire, +procédure technique…). 
+ +Cordialement + +-- +Evolix +EOTEMPLATE +} + +main() { + held_packages=$(apt-mark showhold) + upgradable_packages=$(apt list --upgradable 2> /dev/null) + + if [ -z "${held_packages}" ]; then + # No packages are on hold + exit 0 + elif [ -z "${upgradable_packages}" ]; then + # No packages are upgradable + exit 0 + fi + + kept_back_output=$(LC_ALL=C apt-get upgrade --dry-run | grep -A 1 'The following packages have been kept back:') + if [ -z "${kept_back_output}" ]; then + # No packages are kept back + exit 0 + fi + + upgradable_held_packages=$(apt list --upgradable 2> /dev/null | grep -f <(echo "${kept_back_output}" | tail -1 | tr ' ' '\n' | sed -e '/^$/d')) + + if [ -z "${upgradable_held_packages}" ]; then + # No held packages are upgradable + exit 0 + fi + + HOSTNAME="$(get_fqdn)" + HOSTNAME_TEXT="$(get_complete_hostname)" + EMAIL_CLIENT="$(get_evomaintenance_mail)" + EMAIL_FROM="equipe@evolix.fr" + MAIL_CONTENT="$(format_mail)" + + SENDMAIL_BIN="$(command -v sendmail)" + + if [ -z "${SENDMAIL_BIN}" ]; then + >&2 echo "ERROR: No \`sendmail' command has been found, can't send mail." + exit 1 + fi + if [ ! -x "${SENDMAIL_BIN}" ]; then + >&2 echo "ERROR: \`${SENDMAIL_BIN}' is not executable, can't send mail." + exit 1 + fi + + echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.fr" + exit 0 +} + +main diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index e92b7b44..f1848008 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -76,7 +76,16 @@ tags: - apt -- name: Check if Cron is installed +- name: List scripts is installed + ansible.builtin.copy: + src: list-upgradable-held-packages.sh + dest: /usr/share/scripts/list-upgradable-held-packages.sh + force: true + mode: "0755" + tags: + - apt + +- name: Check if cron is installed ansible.builtin.shell: cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'" register: is_cron 
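Review bot: In `main()` the reported set is taken from the "kept back" list of `apt-get upgrade --dry-run`, while `held_packages` is only tested for emptiness; apt-get lists packages kept back for dependency or phasing reasons under the same heading, so the mail can present packages nobody put on hold as "explicitly blocked". `grep -A 1` also captures only the first line of that list, which apt wraps, so with several held packages the later ones are dropped. Intersecting directly avoids both: `upgradable_held_packages=$(echo "${upgradable_packages}" | grep -E -f <(echo "${held_packages}" | sed -e 's|^|^|' -e 's|$|/|'))`, which anchors on the `name/suite` prefix of `apt list --upgradable` lines, and the whole `kept_back_output` block can then go. Separately, `HOSTNAME="$(get_fqdn)"` makes the comparison in `get_complete_hostname` always true, so the `name (fqdn)` form is unreachable — the short `hostname` output was presumably intended there. `grep "EVOMAINTMAIL="` also matches a commented-out line in `/etc/evomaintenance.cf`; anchoring it as `grep '^EVOMAINTMAIL='` keeps a stale value out of the `To:` header.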
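Review bot: The task name `List scripts is installed` does not describe what the task does; `name: "list-upgradable-held-packages script is installed"` would read correctly in play output. Since the file is executed by a root cron job and Ansible keeps an existing destination's owner on overwrite as far as I can tell, I would also set `owner: root` and `group: root` explicitly next to `mode: "0755"`.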
@@ -101,3 +110,15 @@ tags: - apt when: is_cron.rc == 0 + +- name: List upgradable held packages (script) + ansible.builtin.cron: + cron_file: apt-hold-packages + name: list-upgradable-held-packages + job: "/usr/share/scripts/list-upgradable-held-packages.sh" + user: root + special_time: "{{ apt_list_upgradable_held_special_time | mandatory }}" + state: "{{ apt_list_upgradable_held_enabled | bool | ternary('present', 'absent') }}" + tags: + - apt + when: is_cron.rc == 0 From 5903ff8c81c3e1f70502a30accc2abff74925055 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 May 2024 18:44:30 +0200 Subject: [PATCH 05/18] evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers --- CHANGELOG.md | 1 + evolinux-base/README.md | 2 +- evolinux-base/tasks/ssh.included-files.yml | 95 ++++++++++++++++------ evolinux-base/tasks/ssh.single-file.yml | 94 +++++++++++++-------- 4 files changed, 130 insertions(+), 62 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a111b6e7..fc5741b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part is incremented if multiple releases happen the same month ### Changed * evobackup-client: upstream release 24.05 +* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers ### Fixed diff --git a/evolinux-base/README.md b/evolinux-base/README.md index dbcf7762..486a8dc2 100644 --- a/evolinux-base/README.md +++ b/evolinux-base/README.md 
@@ -37,6 +37,6 @@ Main variables are: * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ; * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`) * `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`) -* `evolinux_ssh_allow_current_user`: don't lock yourself out (default: `False`) +* `evolinux_ssh_allow_current_user`: don't lock yourself out is there is an AllowUsers or AllowGroups directive (default: `False`) The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml index 6454e390..7fe76346 100644 --- a/evolinux-base/tasks/ssh.included-files.yml +++ b/evolinux-base/tasks/ssh.included-files.yml 
@@ -16,34 +16,75 @@ dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf mode: "0644" -- name: "Get current user's group" - ansible.builtin.command: - cmd: logname - changed_when: False - register: logname - check_mode: no - when: evolinux_ssh_allow_current_user | bool +# Should we allow the current user? +- name: Allow the current user + block: + - name: "Get current user's login" + ansible.builtin.command: + cmd: logname + changed_when: False + register: _logname + check_mode: no -- name: verify AllowUsers directive - ansible.builtin.command: - cmd: "grep -ER '^AllowUsers' /etc/ssh" - failed_when: False - changed_when: False - register: grep_allowusers_ssh - check_mode: no - when: evolinux_ssh_allow_current_user | bool + - name: verify AllowUsers directive + ansible.builtin.command: + cmd: "grep --extended-regexp --dereference-recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d" + failed_when: False + changed_when: False + register: grep_allowusers_ssh + check_mode: no -- name: "Add AllowUsers sshd directive for current user" - ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf - create: yes - line: "AllowUsers {{ logname.stdout }}" - insertafter: 'Subsystem' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 + - name: verify AllowGroups directive + ansible.builtin.command: + cmd: "grep --extended-regexp --dereference-recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d" + failed_when: False + changed_when: False + register: grep_allowgroups_ssh + check_mode: no + + # If we have AllowUsers but not AllowGroups, append the user to the list + # (in the first file where we found the directive) + + - name: "Append user to existing AllowUsers sshd directive" + ansible.builtin.replace: + dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}" + regexp: '^(AllowUsers ((?!{{ _logname.stdout 
}}).)*)$' + replace: '\1 {{ _logname.stdout }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc == 0 + - grep_allowgroups_ssh.rc != 0 + + # If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list + # (in the first file where we found the directive) + + - name: "Append evolinux ssh group to AllowGroups sshd directive" + ansible.builtin.replace: + dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}" + regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$' + replace: '\1 {{ evolinux_ssh_group }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 0 + + - name: "evolinux ssh group is present" + ansible.builtin.group: + name: "{{ evolinux_ssh_group }}" + when: + - grep_allowusers_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 0 + + - name: "Add current user to evolinux ssh group" + ansible.builtin.user: + name: "{{ _logname.stdout }}" + group: "{{ evolinux_ssh_group }}" + append: yes + when: + - grep_allowusers_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 0 + when: evolinux_ssh_allow_current_user | bool - ansible.builtin.meta: flush_handlers - -# TODO si allowusers et allowgroups, ajouter utilisateur aux deux -# TODO si allowgroups, ajouter groupe de l’utilisateur diff --git a/evolinux-base/tasks/ssh.single-file.yml b/evolinux-base/tasks/ssh.single-file.yml index e76d792f..1b3802d3 100644 --- a/evolinux-base/tasks/ssh.single-file.yml +++ b/evolinux-base/tasks/ssh.single-file.yml 
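Review bot: The task "Add current user to evolinux ssh group" uses `group:` together with `append: yes`, but in `ansible.builtin.user` `group:` sets the primary group and `append` only applies to `groups:`, so this silently replaces the current user's primary group instead of adding a supplementary one; it should be `groups: "{{ evolinux_ssh_group }}"` with `append: yes`. The AllowUsers branch requires `grep_allowgroups_ssh.rc != 0` and the group branch requires `grep_allowusers_ssh.rc != 0`, so when both directives exist nothing is done — the case the deleted TODO lines described — and since sshd requires a user to match both lists the current user can still be locked out. Dropping those two cross-conditions would let each branch run independently. The lookahead `(?!{{ _logname.stdout }})` has no `\b` around the name, unlike the evolinux-users variant, so a user `bob` is skipped when `bobby` is already listed; `(?!\b{{ _logname.stdout }}\b)` is the safer form.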
@@ -61,40 +61,66 @@ notify: reload sshd when: ansible_distribution_major_version is version('9', '>=') -- name: "Get current user" - ansible.builtin.command: - cmd: logname - changed_when: False - register: logname - check_mode: no +# Should we allow the current user? +- name: Allow the current user + block: + - name: "Get current user" + ansible.builtin.command: + cmd: logname + changed_when: False + register: _logname + check_mode: no + + - name: verify AllowUsers directive + ansible.builtin.command: + cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + failed_when: False + changed_when: False + register: grep_allowusers_ssh + check_mode: no + + - name: verify AllowGroups directive + ansible.builtin.command: + cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + failed_when: False + changed_when: False + register: grep_allowgroups_ssh + check_mode: no + + # If we have AllowUsers but not AllowGroups, append the user to the list + + - name: "Modify AllowUsers sshd directive for current user" + ansible.builtin.replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$' + replace: '\1 {{ _logname.stdout }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc == 0 + - grep_allowgroups_ssh.rc != 0 + + # If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list + + - name: "Add current user to {{ evolinux_ssh_group }} group" + ansible.builtin.user: + name: "{{ _logname.stdout }}" + group: "{{ evolinux_ssh_group }}" + append: yes + when: + - grep_allowusers_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 0 + + - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" + ansible.builtin.replace: + dest: "/etc/ssh/sshd_config" + regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$' + replace: '\1 {{ evolinux_ssh_group }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc != 0 + - 
grep_allowgroups_ssh.rc == 0 when: evolinux_ssh_allow_current_user | bool -# we must double-escape caracters, because python -- name: verify AllowUsers directive - ansible.builtin.command: - cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" - failed_when: False - changed_when: False - register: grep_allowusers_ssh - check_mode: no - when: evolinux_ssh_allow_current_user | bool - -- name: "Add AllowUsers sshd directive for current user" - ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config - line: "\nAllowUsers {{ logname.stdout }}" - insertafter: 'Subsystem' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 - -- name: "Modify AllowUsers sshd directive for current user" - ansible.builtin.replace: - dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' - replace: '\1 {{ logname.stdout }}' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 - - ansible.builtin.meta: flush_handlers From 38e498cf9aaf9a6b1fb55821094a9a4e4631e484 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 May 2024 10:17:43 +0200 Subject: [PATCH 06/18] apt: add version in mail headers for list-upgradable-held-packages.sh --- apt/files/list-upgradable-held-packages.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apt/files/list-upgradable-held-packages.sh b/apt/files/list-upgradable-held-packages.sh index 608fbf1e..27c3b418 100644 --- a/apt/files/list-upgradable-held-packages.sh +++ b/apt/files/list-upgradable-held-packages.sh @@ -5,6 +5,8 @@ # but have available updates. ##### +readonly VERSION="24.05" + # set all programs to C language (english) export LC_ALL=C 
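Review bot: The task "Add current user to {{ evolinux_ssh_group }} group" passes `group:` with `append: yes`, but `ansible.builtin.user` treats `group:` as the primary group and ignores `append` for it, so the current user's primary group is changed rather than extended; `groups: "{{ evolinux_ssh_group }}"` is what is needed. Nothing in this file ensures the group exists before that task runs, so on a host where `AllowGroups` names a group that was never created the user module fails and the block aborts before the AllowGroups line is touched; an `ansible.builtin.group: name: "{{ evolinux_ssh_group }}"` task placed before it would close that gap. As in the included-files variant, the case where both `AllowUsers` and `AllowGroups` are present matches neither branch, so the user is not added to either list even though sshd requires both to match.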
@@ -48,6 +50,7 @@ Content-Type: text/plain; charset=UTF-8 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Script: ${PROGPATH} +X-Script-Version: ${VERSION} To: ${EMAIL_CLIENT:-alert5@evolix.fr} Subject: Mise a jour manuelle disponible From cf430f286aa9e1acfd08e4d7236c601a625e54f7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 3 May 2024 13:24:16 +0200 Subject: [PATCH 07/18] evolinux-base: use long version of grep -r instead of grep -R --- evolinux-base/tasks/ssh.included-files.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml index 7fe76346..0f90a01f 100644 --- a/evolinux-base/tasks/ssh.included-files.yml +++ b/evolinux-base/tasks/ssh.included-files.yml @@ -28,7 +28,7 @@ - name: verify AllowUsers directive ansible.builtin.command: - cmd: "grep --extended-regexp --dereference-recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d" + cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d" failed_when: False changed_when: False register: grep_allowusers_ssh @@ -36,7 +36,7 @@ - name: verify AllowGroups directive ansible.builtin.command: - cmd: "grep --extended-regexp --dereference-recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d" + cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d" failed_when: False changed_when: False register: grep_allowgroups_ssh From d4343833c951f60d5e38a4abda22630a988d5620 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 6 May 2024 10:33:47 +0200 Subject: [PATCH 08/18] evobackup-client: fix lib path --- evobackup-client/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evobackup-client/tasks/install.yml b/evobackup-client/tasks/install.yml index 246dcd91..680a6339 100644 
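Review bot: Replacing `--dereference-recursive` with `--recursive` changes what grep sees under `/etc/ssh/sshd_config.d`: with `-r` GNU grep skips symbolic links met during recursion (only command-line arguments are followed), whereas `-R` followed them, so a symlinked fragment carrying `AllowUsers`/`AllowGroups` now yields rc 1 and the role takes the "directive absent" path. The recursion is also broader than what sshd loads — Debian's default `Include /etc/ssh/sshd_config.d/*.conf` only reads `.conf` files, as far as I can tell — so a `.conf.dpkg-old` or editor backup can match and become `stdout_lines[0]`, the file the user is then appended to. Listing the files explicitly, as the later evolinux-users tasks do with `find ... -path '/etc/ssh/sshd_config.d/*.conf'`, avoids both problems; if symlinked fragments are expected, that `find` needs `\( -type f -o -type l \)`.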
--- a/evobackup-client/tasks/install.yml +++ b/evobackup-client/tasks/install.yml @@ -14,7 +14,7 @@ - name: copy evobackup libs ansible.builtin.copy: - src: upstream/lib + src: upstream/lib/ dest: "{{ evobackup_client__lib_dir }}/" force: True mode: "0644" From 63c09e2ae5eddfd076d8517fa5281a9ba7fbffe6 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 6 May 2024 17:00:02 +0200 Subject: [PATCH 09/18] apt: use archive.debian.org with Buster --- apt/templates/buster_backports.list.j2 | 2 +- apt/templates/buster_basics.list.j2 | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/apt/templates/buster_backports.list.j2 b/apt/templates/buster_backports.list.j2 index 94303ef2..edec58a9 100644 --- a/apt/templates/buster_backports.list.j2 +++ b/apt/templates/buster_backports.list.j2 @@ -1,3 +1,3 @@ # {{ ansible_managed }} -deb http://mirror.evolix.org/debian buster-backports {{ apt_backports_components | mandatory }} +deb http://archive.debian.org/debian buster-backports {{ apt_backports_components | mandatory }} diff --git a/apt/templates/buster_basics.list.j2 b/apt/templates/buster_basics.list.j2 index b392ce58..106d2e16 100644 --- a/apt/templates/buster_basics.list.j2 +++ b/apt/templates/buster_basics.list.j2 @@ -1,5 +1,4 @@ # {{ ansible_managed }} -deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }} -deb http://mirror.evolix.org/debian buster-updates {{ apt_basics_components | mandatory }} +deb http://archive.debian.org/debian buster {{ apt_basics_components | mandatory }} deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }} From e0f81f14d071739b719a8dc3dbb23efcbfc1e42e Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 6 May 2024 17:02:46 +0200 Subject: [PATCH 10/18] Changelog entry for previous commit --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc5741b6..f3454c23 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
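Review bot: Dropping `buster-updates` is consistent with archive.debian.org, but the `security.debian.org/debian-security buster/updates` line is kept unchanged; buster LTS is ending around the time of this change, as far as I recall, and its security suite is then expected to move to `archive.debian.org/debian-security`, so a template comment such as `{# security line still on security.debian.org until buster LTS ends; then move to archive.debian.org/debian-security #}` would save the next person the search. Release files on archive.debian.org can fail apt's `Valid-Until` check on some suites, so if apt starts reporting an expired Release file for buster or buster-backports the role will also need `Acquire::Check-Valid-Until "false";` scoped to buster hosts. Plain `http://` is acceptable here because apt's signature verification covers integrity, but stating that in the template comment pre-empts the question.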
@@ -22,6 +22,8 @@ The **patch** part is incremented if multiple releases happen the same month ### Fixed +* apt: use archive.debian.org with Buster + ### Removed ### Security From 5be04c36eea6047cba35870e28ca13367d498834 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 7 May 2024 15:08:42 +0200 Subject: [PATCH 11/18] comments --- evolinux-base/tasks/ssh.included-files.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml index 0f90a01f..d134e857 100644 --- a/evolinux-base/tasks/ssh.included-files.yml +++ b/evolinux-base/tasks/ssh.included-files.yml @@ -85,6 +85,9 @@ when: - grep_allowusers_ssh.rc != 0 - grep_allowgroups_ssh.rc == 0 + + # If we don't have AllowGroups nor AllowUsers, do nothing + when: evolinux_ssh_allow_current_user | bool - ansible.builtin.meta: flush_handlers From 346317081e0c7fc07daec928b7b2fc120ff3e3d1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 7 May 2024 15:11:09 +0200 Subject: [PATCH 12/18] evolinux-users: improve SSH configuration --- CHANGELOG.md | 1 + evolinux-users/tasks/ssh.yml | 103 ++++++++++++++++++++--- evolinux-users/tasks/ssh_allowgroups.yml | 45 ++++++---- evolinux-users/tasks/ssh_allowusers.yml | 55 +++++++++--- 4 files changed, 159 insertions(+), 45 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3454c23..c939b93a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part is incremented if multiple releases happen the same month * evobackup-client: upstream release 24.05 * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers +* evolinux-users: improve SSH configuration ### Fixed diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 9a696901..d630bccb 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml 
@@ -1,8 +1,23 @@ --- +- name: Fetch SSHd config files + ansible.builtin.command: + cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)" + changed_when: False + check_mode: no + register: _ssh_config_paths + +- ansible.builtin.debug: + var: _ssh_config_paths + verbosity: 1 + +############################ +# AllowUsers or AllowGroups +############################ + - name: verify AllowGroups directive ansible.builtin.command: - cmd: "grep -Er '^AllowGroups' /etc/ssh" + cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}" changed_when: False failed_when: False check_mode: no @@ -14,7 +29,7 @@ - name: verify AllowUsers directive ansible.builtin.command: - cmd: "grep -Er '^AllowUsers' /etc/ssh" + cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}" changed_when: False failed_when: False check_mode: no @@ -42,12 +57,14 @@ var: ssh_allowusers verbosity: 1 -- ansible.builtin.include: ssh_allowgroups.yml +- name: Configure SSH in AllowGroups mode + ansible.builtin.include: ssh_allowgroups.yml when: - ssh_allowgroups - not ssh_allowusers -- ansible.builtin.include: ssh_allowusers.yml +- name: Configure SSH in AllowUsers mode + ansible.builtin.include: ssh_allowusers.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" 
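Review bot: The `find` in "Fetch SSHd config files" uses `-type f`, so a symlinked `sshd_config.d/*.conf` fragment is never listed although sshd's `Include` glob follows it, and the grep tasks then receive `{{ _ssh_config_paths.stdout_lines | join(' ') }}` as positional arguments: if that list is ever empty, `grep --recursive` with no path argument searches the working directory instead, and `--recursive` is otherwise redundant now that the paths are explicit files. Adding `failed_when: _ssh_config_paths.stdout_lines | length == 0` to the find task and using `\( -type f -o -type l \)` makes the list match what sshd actually loads. Paths containing whitespace would also split; `| map('quote') | join(' ')` is a cheap guard even if unlikely under `/etc/ssh`.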
@@ -56,7 +73,24 @@ - ssh_allowusers - not ssh_allowgroups -- name: disable root login +# Do this again, to update the value + +- name: Fetch SSHd config files + ansible.builtin.command: + cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)" + changed_when: False + check_mode: no + register: _ssh_config_paths + +################## +# PermitRootLogin +################## + +### For Debian < 12 +# if there is a commented value for PermitRootLogin +# we replace it with a "no" + +- name: Root login is disabled (Debian < 12) ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)' @@ -64,11 +98,15 @@ notify: reload sshd when: - evolinux_root_disable_ssh | bool - - ansible_distribution_major_version is version('11', '<=') + - ansible_distribution_major_version is version('12', '<') + +### For Debian >= 12 +# if there is no value for PermitRootLogin (anywhere) +# we add a "no" in z-evolinux-users.conf - name: verify PermitRootLogin directive (Debian >= 12) ansible.builtin.command: - cmd: "grep -Er '^PermitRootLogin' /etc/ssh" + cmd: "grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin' {{ _ssh_config_paths.stdout_lines | join(' ') }}" changed_when: False failed_when: False check_mode: no @@ -76,12 +114,7 @@ when: - ansible_distribution_major_version is version('12', '>=') -# TODO avertir lorsque PermitRootLogin est déjà configuré? -- ansible.builtin.debug: - var: grep_permitrootlogin_ssh - verbosity: 1 - -- name: disable root login (Debian >= 12) +- name: Root login is disabled (Debian >= 12) ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/z-evolinux-users.conf line: "PermitRootLogin no" 
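Review bot: The new comment above "Root login is disabled (Debian < 12)" describes the commented-value case but not its limit: an explicit, uncommented `PermitRootLogin yes` or `without-password` is left untouched by the `^#PermitRootLogin ...` regexp, so `evolinux_root_disable_ssh` silently does not disable root login on such hosts. I would extend the comment with `# An explicit, uncommented PermitRootLogin is left as is and must be checked manually`, or make the regexp `^#?PermitRootLogin .*` so the variable actually enforces the setting. The Debian >= 12 condition was loosened from `rc == 1` to `rc != 0`, which now also writes `PermitRootLogin no` when grep itself errors (rc 2); that is a safe default, but the comment above it should say so.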
@@ -93,6 +126,48 @@ when: - evolinux_root_disable_ssh | bool - ansible_distribution_major_version is version('12', '>=') - - grep_permitrootlogin_ssh.rc == 1 + - grep_permitrootlogin_ssh.rc != 0 + +##################### +# Allow current user +##################### + +- name: Allow current user + block: + - name: Check if evolinux ssh group is used + ansible.builtin.command: + cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups.+{{ evolinux_ssh_group }}' {{ _ssh_config_paths.stdout_lines | join(' ') }}" + changed_when: False + failed_when: False + check_mode: no + register: grep_evolinux_group_ssh + + - debug: + var: grep_evolinux_group_ssh + + - name: "Get current user's login" + ansible.builtin.command: + cmd: logname + changed_when: False + register: _logname + check_mode: no + + - debug: + var: evolinux_ssh_group + + - debug: + var: evolinux_ssh_allow_current_user + + - name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group" + ansible.builtin.user: + name: "{{ _logname.stdout }}" + groups: "{{ evolinux_ssh_group }}" + append: yes + when: + - grep_evolinux_group_ssh.rc == 0 + when: + - evolinux_ssh_group is defined + - evolinux_ssh_group | length > 0 + - evolinux_ssh_allow_current_user | bool - ansible.builtin.meta: flush_handlers diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml index 11446b4d..bbd0e78f 100644 --- a/evolinux-users/tasks/ssh_allowgroups.yml +++ b/evolinux-users/tasks/ssh_allowgroups.yml 
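Review bot: In the new "Allow current user" block the `logname` task has no `failed_when`, and in setups where the Ansible session has no utmp entry `logname` exits non-zero with "no login name", which would abort the play here rather than skip a convenience step; `failed_when: false` on that task plus `_logname.rc == 0` in the user task's `when` keeps the failure local. Three `- debug:` tasks are left without `verbosity:`, so every run prints `grep_evolinux_group_ssh`, `evolinux_ssh_group` and `evolinux_ssh_allow_current_user`; add `verbosity: 1` as the earlier debug tasks in this file do, or drop them. The pattern `^AllowGroups.+{{ evolinux_ssh_group }}` has no word boundary, so a listed group `evolinux-ssh-ro` would satisfy a check for `evolinux-ssh`; `'^AllowGroups.+\b{{ evolinux_ssh_group }}\b'` matches the `\b` form used in ssh_allowgroups.yml.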
@@ -1,18 +1,27 @@ --- +### # this check must be repeated for each user # even if it's been done before + +- name: Fetch SSHd config files + ansible.builtin.command: + cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)" + changed_when: False + check_mode: no + register: _ssh_config_paths + - name: verify AllowGroups directive ansible.builtin.command: - cmd: "grep -Er '^AllowGroups' /etc/ssh" + cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}" changed_when: False failed_when: False check_mode: no register: grep_allowgroups_ssh - when: - - ansible_distribution_major_version is version('11', '<=') -- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" +### + +- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian < 12)" ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowGroups {{ evolinux_ssh_group }}" 
@@ -21,25 +30,25 @@ notify: reload sshd when: - ansible_distribution_major_version is version('11', '<=') - - grep_allowgroups_ssh.rc != 0 + - grep_allowgroups_ssh.rc == 1 # Not found + +- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian >= 12)" + ansible.builtin.lineinfile: + dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf + line: "\nAllowGroups {{ evolinux_ssh_group }}" + validate: '/usr/sbin/sshd -t -f %s' + create: yes + notify: reload sshd + when: + - ansible_distribution_major_version is version('12', '>=') + - grep_allowgroups_ssh.rc == 1 # Not found - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" ansible.builtin.replace: - dest: /etc/ssh/sshd_config + dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}" regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' replace: '\1 {{ evolinux_ssh_group }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd when: - - ansible_distribution_major_version is version('11', '<=') - - grep_allowgroups_ssh.rc == 0 - -- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config.d/z-evolinux-users.conf - line: "AllowGroups {{ evolinux_ssh_group }}" - create: yes - mode: "0644" - validate: '/usr/sbin/sshd -t -f %s' - when: - - ansible_distribution_major_version is version('12', '>=') + - grep_allowgroups_ssh.rc == 0 or grep_allowgroups_ssh.rc == 2 # Found, return code can be 0 or 2 diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml index 00827a46..d9ccd1f1 100644 --- a/evolinux-users/tasks/ssh_allowusers.yml +++ b/evolinux-users/tasks/ssh_allowusers.yml 
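Review bot: The append task's condition `grep_allowgroups_ssh.rc == 0 or grep_allowgroups_ssh.rc == 2` treats a grep error as "found", but rc 2 only means some listed file could not be read; when nothing matched, `stdout_lines[0]` is undefined, the task fails on `dest`, and neither "Add AllowGroups" task runs either because both require `rc == 1`. Conditioning on the actual result is more robust: `when: grep_allowgroups_ssh.stdout_lines | length > 0` for the append task and `| length == 0` for the two add tasks. The Debian >= 12 add task also writes `line: "\nAllowGroups ..."` into a freshly created `z-evolinux-users.conf`, leaving a leading blank line and relying on the grep guard for idempotence; `line: "AllowGroups {{ evolinux_ssh_group }}"` with `mode: "0644"`, as the removed task had, is cleaner.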
@@ -1,55 +1,84 @@ --- -# this check must be repeated for each user +### +# these checks must be repeated for each user # even if it's been done before -- name: verify AllowUsers directive + +- name: Fetch SSHd config files ansible.builtin.command: - cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)" + changed_when: False + check_mode: no + register: _ssh_config_paths + +- name: Verify AllowUsers directive + ansible.builtin.command: + cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}" changed_when: False failed_when: False check_mode: no register: grep_allowusers_ssh -- name: "Add AllowUsers sshd directive with '{{ user.name }}'" +### + +- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian < 12)" ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ user.name }}" insertafter: 'Subsystem' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_allowusers_ssh.rc != 0 + when: + - grep_allowusers_ssh.rc != 0 + - ansible_distribution_major_version is version('12', '<') + +- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian >= 12)" + ansible.builtin.lineinfile: + dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf + line: "\nAllowUsers {{ user.name }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - grep_allowusers_ssh.rc != 0 + - ansible_distribution_major_version is version('12', '>=') - name: "Append '{{ user.name }}' to AllowUsers sshd directive" ansible.builtin.replace: - dest: /etc/ssh/sshd_config + dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}" regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$' replace: '\1 {{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_allowusers_ssh.rc == 0 + when: + - grep_allowusers_ssh.rc == 0 - name: "verify 
Match User directive" ansible.builtin.command: - cmd: "grep -E '^Match User' /etc/ssh/sshd_config" + cmd: "grep --extended-regexp --recursive --files-with-matches '^Match User' {{ _ssh_config_paths.stdout_lines | join(' ') }}" changed_when: False failed_when: False check_mode: no register: grep_matchuser_ssh -- name: "Add Match User sshd directive with '{{ user.name }}'" +- name: "Add Match User sshd directive with '{{ user.name }}' (Debian <= 10)" ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_matchuser_ssh.rc != 0 + when: + - grep_matchuser_ssh.rc != 0 + - ansible_distribution_major_version is version('10', '<=') -- name: "Append '{{ user.name }}' to Match User's sshd directive" +- name: "Append '{{ user.name }}' to Match User's sshd directive (Debian <= 10)" ansible.builtin.replace: - dest: /etc/ssh/sshd_config + dest: "{{ grep_matchuser_ssh.stdout_lines[0] }}" regexp: '^(Match User ((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_matchuser_ssh.rc == 0 + when: + - grep_matchuser_ssh.rc == 0 + - ansible_distribution_major_version is version('10', '<=') From c1dc380e85b699f2c2726ee3a4a300ded4380e83 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 10 May 2024 17:50:37 +0200 Subject: [PATCH 13/18] Update nodesource repository --- nodejs/files/nodesource.asc | 75 +++++++++----------------- nodejs/tasks/main.yml | 2 +- nodejs/templates/nodesource.sources.j2 | 4 +- 3 files changed, 29 insertions(+), 52 deletions(-) diff --git a/nodejs/files/nodesource.asc b/nodejs/files/nodesource.asc index 1dc1d101..b7637b89 100644 --- a/nodejs/files/nodesource.asc +++ b/nodejs/files/nodesource.asc 
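Review bot: The new `Add AllowUsers sshd directive ... (Debian >= 12)` task writes to `/etc/ssh/sshd_config.d/z-evolinux-users.conf` without `create: yes`, so on a host where that drop-in does not exist yet lineinfile fails instead of creating it; the AllowGroups counterpart sets `create: yes`, and adding `mode: "0644"` next to it keeps the permission explicit. `insertafter: 'Subsystem'` is carried over from the sshd_config variant and has no anchor in a fresh drop-in, so the line simply lands at the end; drop it or note it with `# no Subsystem line in the drop-in; line is appended at EOF`. The two Match User tasks are now limited to Debian <= 10 whereas they previously ran on every release, so unless another task covers it, Debian 11+ hosts no longer receive the per-user `PasswordAuthentication no` block — I cannot tell from this diff whether that is intended. The `Verify AllowUsers directive` grep has the same empty-`find` behaviour raised on the AllowGroups hunk.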
@@ -1,52 +1,29 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1 -Comment: GPGTools - https://gpgtools.org -mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+ -W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs -fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy -qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7 -89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD -Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7 -C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/ -G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc -Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft -qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm -EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB -tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2 -AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy -jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ -kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1 -GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm -XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU -VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka -1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI -IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc -pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn -xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y -gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI -AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ -fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ -Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh -41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea -JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD 
-xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi -vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/ -aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o -QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK -yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3 -QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek -fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK -CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec -0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1 -PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh -qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15 -ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac -hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb -DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4 -xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu -G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd -sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy -/qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g== -=CLGF +mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B +hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM +Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32 +9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR +TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z +E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk +LWdwZ0Bub2Rlc291cmNlLmNvbT6JATgEEwECACIFAldDN1ACGwMGCwkIBwMCBhUI +AgkKCwQWAgMBAh4BAheAAAoJEC9ZtfmbG+C0y7wH/i4xnab36dtrYW7RZwL8i6Sc +NjMx4j9+U1kr/F6YtqWd+JwCbBdar5zRghxPcYEq/qf7MbgAYcs1eSOuTOb7n7+o +xUwdH2iCtHhKh3Jr2mRw1ks7BbFZPB5KmkxHaEBfLT4d+I91ZuUdPXJ+0SXs9gzk +Dbz65Uhoz3W03aiF8HeL5JNARZFMbHHNVL05U1sTGTCOtu+1c/33f3TulQ/XZ3Y4 +hwGCpLe0Tv7g7Lp3iLMZMWYPEa0a7S4u8he5IEJQLd8bE8jltcQvrdr3Fm8kI2Jg 
+BJmUmX4PSfhuTCFaR/yeCt3UoW883bs9LfbTzIx9DJGpRIu8Y0IL3b4sj/GoZVq5 +AQ0EV0M3UAEIAKrTaC62ayzqOIPa7nS90BHHck4Z33a2tZF/uof38xNOiyWGhT8u +JeFoTTHn5SQq5Ftyu4K3K2fbbpuu/APQF05AaljzVkDGNMW4pSkgOasdysj831cu +ssrHX2RYS22wg80k6C/Hwmh5F45faEuNxsV+bPx7oPUrt5n6GMx84vEP3i1+FDBi +0pt/B/QnDFBXki1BGvJ35f5NwDefK8VaInxXP3ZN/WIbtn5dqxppkV/YkO7GiJlp +Jlju9rf3kKUIQzKQWxFsbCAPIHoWv7rH9RSxgDithXtG6Yg5R1aeBbJaPNXL9wpJ +YBJbiMjkAFaz4B95FOqZm3r7oHugiCGsHX0AEQEAAYkBHwQYAQIACQUCV0M3UAIb +DAAKCRAvWbX5mxvgtE/OB/0VN88DR3Y3fuqy7lq/dthkn7Dqm9YXdorZl3L152eE +IF882aG8FE3qZdaLGjQO4oShAyNWmRfSGuoH0XERXAI9n0r8m4mDMxE6rtP7tHet +y/5M8x3CTyuMgx5GLDaEUvBusnTD+/v/fBMwRK/cZ9du5PSG4R50rtst+oYyC2ao +x4I2SgjtF/cY7bECsZDplzatN3gv34PkcdIg8SLHAVlL4N5tzumDeizRspcSyoy2 +K2+hwKU4C4+dekLLTg8rjnRROvplV2KtaEk6rxKtIRFDCoQng8wfJuIMrDNKvqZw +FRGt7cbvW5MCnuH8MhItOl9Uxp1wHp6gtav/h8Gp6MBa +=MARt -----END PGP PUBLIC KEY BLOCK----- diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index f79f058c..15612fac 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -24,7 +24,7 @@ - name: Add NodeJS repository (Debian <12) ansible.builtin.apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} nodistro main" filename: nodesource update_cache: yes state: present diff --git a/nodejs/templates/nodesource.sources.j2 b/nodejs/templates/nodesource.sources.j2 index 02a4653a..8b9bed6f 100644 --- a/nodejs/templates/nodesource.sources.j2 +++ b/nodejs/templates/nodesource.sources.j2 @@ -2,7 +2,7 @@ Types: deb URIs: https://deb.nodesource.com/{{ nodejs_apt_version }} -Suites: {{ ansible_distribution_release }} +Suites: nodistro Components: main Signed-by: {{ apt_keyring_dir }}/nodesource.asc -Enabled: yes \ No newline at end of file +Enabled: yes 
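Review bot: The `Add NodeJS repository (Debian <12)` task now points at the `nodistro` suite and relies on the replaced signing key in nodejs/files/nodesource.asc, but neither the commit message nor the CHANGELOG records the new key's fingerprint or how it was checked against the publisher's out-of-band copy, so a later reviewer can only compare base64. A comment above `repo:` such as `# NodeSource signing key rotated 2024-05; fingerprint <FINGERPRINT>` (value to be filled in from the verified key) documents the trust anchor where the repository is configured. The task name still says `(Debian <12)` while `nodistro` is release-independent; the Debian >= 12 counterpart is outside this diff, so I cannot see whether the split is still needed.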
From 4128962d05016797d8313a9def2a30c63e3afbe5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 13 May 2024 10:22:03 +0200 Subject: [PATCH 14/18] whitespaces --- vrrpd/tasks/ip.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index a7b645cb..3b3524cc 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -31,11 +31,11 @@ marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}" block: | {% if vrrp_address.peers | default([]) | length <= 0 %} - /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }} + /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }} {% else %} - {% for peer in vrrp_address.peers %} - /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }} - {% endfor %} + {% for peer in vrrp_address.peers %} + /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }} + {% endfor %} {% endif %} create: yes mode: "0600" From 22f7a6b83117c04167fd9bda47bcc8fb3a118626 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 14 May 2024 08:24:57 +0200 Subject: [PATCH 15/18] evobackup-client: upstream release 24.05.1 --- CHANGELOG.md | 2 +- evobackup-client/files/upstream/CHANGELOG.md | 6 ++++++ evobackup-client/files/upstream/lib/main.sh | 2 +- evobackup-client/files/upstream/lib/utilities.sh | 2 +- 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c939b93a..8238769f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -17,7 +17,7 @@ The **patch** part is incremented if multiple releases happen the same month ### Changed -* evobackup-client: upstream release 24.05 +* evobackup-client: upstream release 24.05.1 * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers * evolinux-users: improve SSH configuration diff --git a/evobackup-client/files/upstream/CHANGELOG.md b/evobackup-client/files/upstream/CHANGELOG.md index a62b459f..d2e506e1 100644 --- a/evobackup-client/files/upstream/CHANGELOG.md +++ b/evobackup-client/files/upstream/CHANGELOG.md @@ -23,6 +23,12 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Security +## [24.05.1] - 2022-05-14 + +### Fixed + +* client: fix shell syntax error + ## [24.05] - 2022-05-02 ### Added diff --git a/evobackup-client/files/upstream/lib/main.sh b/evobackup-client/files/upstream/lib/main.sh index f8e29fa0..999521e6 100644 --- a/evobackup-client/files/upstream/lib/main.sh +++ b/evobackup-client/files/upstream/lib/main.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # shellcheck disable=SC2034,SC2317 -readonly VERSION="24.05" +readonly VERSION="24.05.1" # set all programs to C language (english) export LC_ALL=C diff --git a/evobackup-client/files/upstream/lib/utilities.sh b/evobackup-client/files/upstream/lib/utilities.sh index e14a4341..58c6bcca 100644 --- a/evobackup-client/files/upstream/lib/utilities.sh +++ b/evobackup-client/files/upstream/lib/utilities.sh @@ -105,7 +105,7 @@ test_server() { pick_server() { local -i increment=${1:-0} local -i list_length=${#SERVERS[@]} - local sync_name=${2:""} + local sync_name=${2:-""} if (( increment >= list_length )); then # We've reached the end of the list From 24f1e721473b644f3cd05e66fe86bb57f4c2ef9d Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 15 May 2024 11:33:44 +0200 Subject: [PATCH 16/18] evomaintenance: upstream release 24.05 --- CHANGELOG.md | 1 + evomaintenance/files/evomaintenance.sh | 14 +++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8238769f..19d2a822 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ The **patch** part is incremented if multiple releases happen the same month * evobackup-client: upstream release 24.05.1 * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers * evolinux-users: improve SSH configuration +* evomaintenance: upstream release 24.05 ### Fixed diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh index 3ddbdf76..6846d3d2 100644 --- a/evomaintenance/files/evomaintenance.sh +++ b/evomaintenance/files/evomaintenance.sh @@ -1,12 +1,12 @@ #!/bin/sh -VERSION="23.10.1" +VERSION="24.05" show_version() { cat <, +Copyright 2007-2024 Evolix , Gregory Colpart , Jérémy Lecour , Brice Waegeneire , @@ -437,6 +437,14 @@ while :; do printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2 exit 1 ;; + --no-evocheck) + # disable evocheck hook + EVOCHECK=0 + ;; + --evocheck) + # enable evocheck hook + EVOCHECK=1 + ;; --no-commit) # disable commit hook HOOK_COMMIT=0 @@ -581,7 +589,7 @@ GIT_REPOSITORIES="/etc /etc/bind /usr/share/scripts" # Add /etc directories from lxc containers if they are git directories if [ -d /var/lib/lxc ]; then - GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')" + GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find -L /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')" fi # initialize variable From f05c8c03c9331a96a65801473b1599ecec4123b7 Mon Sep 17 00:00:00 2001 
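Review bot: In the `GIT_REPOSITORIES` hunk, `find -L /var/lib/lxc/ -maxdepth 3 -name 'etc'` now follows symlinks, so a symlink named `etc` inside a container's rootfs — a path the container's own root user controls — resolves to wherever it points, and that directory is then handled as a host-side git repository by the commit hook. If the goal is only to cope with a symlinked `rootfs`, dereference that level explicitly and reject a symlinked leaf, e.g. `find /var/lib/lxc/*/rootfs/ -maxdepth 1 -name 'etc' -type d` (trailing slash follows `rootfs`, `-type d` without `-L` refuses a symlinked `etc`), or keep `-L` and check that the resolved path still starts with `/var/lib/lxc/`. A comment stating why symlinks must be followed here would help either way, since the commit message does not say. The `--evocheck`/`--no-evocheck` cases are consistent with the existing option style; the enclosing `while` loop starts and ends outside the hunk.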
From: Jeremy Lecour Date: Wed, 15 May 2024 13:50:32 +0200 Subject: [PATCH 17/18] evomaintenance: move upstream files into upstream folder --- CHANGELOG.md | 1 + evomaintenance/files/evomaintenance.tpl | 33 ------ evomaintenance/files/upstream/CHANGELOG.md | 100 ++++++++++++++++++ evomaintenance/files/upstream/README.md | 30 ++++++ .../files/{ => upstream}/evomaintenance.sh | 0 .../tasks/install_vendor_debian.yml | 11 +- 6 files changed, 135 insertions(+), 40 deletions(-) delete mode 100644 evomaintenance/files/evomaintenance.tpl create mode 100644 evomaintenance/files/upstream/CHANGELOG.md create mode 100644 evomaintenance/files/upstream/README.md rename evomaintenance/files/{ => upstream}/evomaintenance.sh (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 19d2a822..f3383389 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part is incremented if multiple releases happen the same month * evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers * evolinux-users: improve SSH configuration * evomaintenance: upstream release 24.05 +* evomaintenance: move upstream files into upstream folder ### Fixed diff --git a/evomaintenance/files/evomaintenance.tpl b/evomaintenance/files/evomaintenance.tpl deleted file mode 100644 index ddddd7b6..00000000 --- a/evomaintenance/files/evomaintenance.tpl +++ /dev/null 
@@ -1,33 +0,0 @@ -From: __FULLFROM__ -Content-Type: text/plain; charset=UTF-8 -MIME-Version: 1.0 -Content-Transfer-Encoding: 8bit -To: __TO__ -Subject: [evomaintenance] Intervention sur __HOSTNAME__ (__USER__) - -Bonjour, - -Une intervention vient de se terminer sur votre serveur. -Voici les renseignements sur l'intervention : - -Nom du serveur : __HOSTNAME__ -Personne ayant réalisée l'intervention : __USER__ -Intervention réalisée depuis : __IP__ -Début de l'intervention : __BEGIN_DATE__ -Fin de l'intervention : __END_DATE__ - -### -Renseignements sur l'intervention : -__TEXTE__ -### - -__GIT_COMMITS__ - -Pour réagir à cette intervention, vous pouvez répondre à ce message -(sur l'adresse mail __FROM__). En cas d'urgence, utilisez -l'adresse __URGENCYFROM__ ou notre téléphone portable d'astreinte -(__URGENCYTEL__) - -Cordialement, --- -__FULLFROM__ diff --git a/evomaintenance/files/upstream/CHANGELOG.md b/evomaintenance/files/upstream/CHANGELOG.md new file mode 100644 index 00000000..5e0a599a --- /dev/null +++ b/evomaintenance/files/upstream/CHANGELOG.md 
@@ -0,0 +1,100 @@ +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this project **does not adhere to [Semantic Versioning](http://semver.org/spec/v2.0.0.html)**. + +## [Unreleased] + +### Added + +Add missing (but documented) `--(no-)evocheck` options + +### Changed + +### Deprecated + +### Removed + +### Fixed + +### Security + +## [23.10.1] - 2023-10-09 + +### Fixed + +* Use a special variable name since USER is always defined from the environment + +## [23.10] - 2023-10-09 + +### Added + +* Force a user name with `-u,--user` option (default is still `logname(1)`). +* More people credited + +### Deprecated + +* `--autosysadmin` is replaced by `--user autosysadmin` + + + +## [22.07] - 2022-07-05 + +### Added + +* Add `--autosysadmin` flag +* Commit change in /etc of lxc containers + +### Changed + +### Deprecated + +### Removed + +### Fixed + +### Security + +## [22.01] - 2022-01-25 + +### Added + +* version/host/user headers in sent email + +### Changed + +New version pattern + +## [0.6.4] - 2021-06-17 + +### Added + +* fallback if findmnt is absent + +## [0.6.3] - 2020-02-02 + +### Added + +* Notify syslog when partitions are re-mounted (Linux) + +## [0.6.2] - 2020-02-02 + +### Fixed + +* better detection of read-only partitions (Linux) + +## [0.6.0] - 2019-11-05 + +### Added + +* commit changes in /usr/share/scripts/ if needed + +## Previous changelog + +* 0.5.0 : options et mode interactif pour l'exécution des actions, meilleure compatibilité POSIX +* 0.4.1 : Utilisation de "printf" à la place de "echo" pour mieux gérer les sauts de ligne +* 0.4.0 : Amélioration de la récupération d'information (plus de cas gérés). Infos Git avant la saisie. 
+* 0.3.0 : Écriture dans un fichier de log, amélioration de la récupération d'informations, amélioration de la syntaxe shell +* 0.2.7 : Correction d'un bug lors de l'utilisation de '&' dans le texte +* 0.2.6 : Precision du charset dans les entetes du mail +* 0.2.5 : Correction d'un bug avec le path de sendmail sous OpenBSD +* 0.2.4 : Correction d'un bug lors de l'utilisation de '/' dans le texte +* 0.2.3 : Correction d'un bug avec $REALM diff --git a/evomaintenance/files/upstream/README.md b/evomaintenance/files/upstream/README.md new file mode 100644 index 00000000..07ec14d3 --- /dev/null +++ b/evomaintenance/files/upstream/README.md @@ -0,0 +1,30 @@ +# Evomaintenance + +```.plain +$ evomaintenance --help +evomaintenance is a program that helps reporting what you've done on a server + +Usage: evomaintenance + or evomaintenance --message="add new host" + or evomaintenance --no-api --no-mail --no-commit + or echo "add new vhost" | evomaintenance + +Options + -m, --message=MESSAGE set the message from the command line + --mail enable the mail hook (default) + --no-mail disable the mail hook + --db enable the database hook + --no-db disable the database hook (default) + --api enable the API hook (default) + --no-api disable the API hook + --commit enable the commit hook (default) + --no-commit disable the commit hook + --evocheck enable evocheck execution (default) + --no-evocheck disable evocheck execution + --auto use "auto" mode + --no-auto use "manual" mode (default) + -v, --verbose increase verbosity + -n, --dry-run actions are not executed + --help print this message and exit + --version print version and exit +``` diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/upstream/evomaintenance.sh similarity index 100% rename from evomaintenance/files/evomaintenance.sh rename to evomaintenance/files/upstream/evomaintenance.sh 
diff --git a/evomaintenance/tasks/install_vendor_debian.yml b/evomaintenance/tasks/install_vendor_debian.yml index 7241081c..78fcabac 100644 --- a/evomaintenance/tasks/install_vendor_debian.yml +++ b/evomaintenance/tasks/install_vendor_debian.yml @@ -35,15 +35,12 @@ - name: Evomaintenance script and template are installed ansible.builtin.copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" + src: "upstream/evomaintenance.sh" + dest: "/usr/share/scripts/" owner: root group: root - mode: "{{ item.mode }}" + mode: "0700" force: true backup: yes - loop: - - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' } - - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' } tags: - - evomaintenance \ No newline at end of file + - evomaintenance From 2e529524f7d8f03748ee1207253af61e51f89604 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 15 May 2024 14:16:03 +0200 Subject: [PATCH 18/18] Release 24.05 --- CHANGELOG.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3383389..a6c053cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,18 @@ The **patch** part is incremented if multiple releases happen the same month ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [24.05] 2024-05-15 + +### Added + * apt: add list-upgradable-held-packages.sh ### Changed @@ -27,10 +39,6 @@ The **patch** part is incremented if multiple releases happen the same month * apt: use archive.debian.org with Buster -### Removed - -### Security - ## [24.04] 2024-04-30 ### Added
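Review bot: The task is still named `Evomaintenance script and template are installed` although the template entry and the loop were removed, so play output now describes a file that is no longer shipped; `- name: Evomaintenance script is installed` matches what the task does. With `evomaintenance.tpl` deleted and no longer copied, hosts that already have `/usr/share/scripts/evomaintenance.tpl` keep a stale, unmanaged copy that nothing here removes, and I cannot see from this diff whether the upstream script still reads that template — if it does, mail reporting would break on fresh installs. `mode: "0700"` is kept as a quoted string, which is the right form for an octal mode.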