minifirewall: tail template follows symlinks

Note : Files in that folder require the ".options" prefix
Fixes a2f73bb7df

CHANGELOG.md

@@ -4,9 +4,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 This project does not follow semantic versioning.
-The **major** part of the version is aligned with the stable version of Debian.
-The **minor** part changes with big changes (probably incompatible).
-The **patch** part changes incrementally at each release.
+The **major** part of the version is the year
+The **minor** part changes is the month
+The **patch** part changes is incremented if multiple releases happen the same month
 
 ## [Unreleased]
 
@@ -14,12 +14,142 @@ The **patch** part changes incrementally at each release.
 
 ### Changed
 
+* minifirewall: tail template follows symlinks
+
 ### Fixed
 
 ### Removed
 
 ### Security
 
+## [22.03] 2022-03-02
+
+### Added
+
+* apt: apt_hold_packages: broadcast message with wall, if present
+* evolinux-base: option to bypass raid-related tasks
+* Explicit permissions for systemd overrides
+* generate-ldif: Add support for php-fpm in containers
+* kvm-host: add missing default value
+* lxc-php: preliminary support for PHP 8.1 container
+* openvpn: now check that openvpn has been restarted since last certificates renewal
+* redis: always install check_redis_instances
+* redis: check_redis_instances tolerates absence of instances
+
+### Changed
+
+* elasticsearch: Use `/etc/elasticsearch/jvm.options.d/evolinux` instead of default `/etc/elasticsearch/jvm.options`
+* evolinux-users: check permissions for /etc/sudoers.d
+* evolinux-users: optimize sudo configuration
+* lxc: Fail if /var is nosuid
+* openvpn: make it compatible with OpenBSD and add some improvements
+
+
+
+## [22.01.3] 2022-01-31
+
+### Changed
+
+* rbenv: install Ruby 3.1.0 by default
+* evolinux-base: backup-server-state: add "force" mode
+
+### Fixed
+
+* evolinux-base: backup-server-state: fix systemctl invocation
+* varnish: update munin plugin to work with recent varnish versions
+
+## [22.01.2] 2022-01-27
+
+### Changed
+
+* evolinux-base: many improvements for backup-server-state script
+* remount-usr: use findmnt to find if usr is a readonly partition
+
+## [22.01] 2022-01-25
+
+### Added
+
+* Support for Debian 11 « Bullseye » (with possible remaining blind spots)
+* apache: new variable for MPM mode (+ updated default config accordingly)
+* apache: prevent accessing Git or "env" related files
+* certbot: add script for manual deploy hooks execution
+* docker-host: install additional dependencies
+* dovecot: switch to TLS 1.2+ and external DH params
+* etc-git: centralize cron jobs in dedicated crontab
+* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
+* evolinux-base: add script backup-server-state
+* evolinux-base: configure top and htop to display the swap column
+* evolinux-base: install molly-guard by default
+* generate-ldif: detect RAID controller
+* generate-ldif: detect mdadm
+* listupgrade: crontab is configurable
+* logstash: logging to syslog is configurable (default: True)
+* mongodb: create munin plugins directory if missing
+* munin: systemd override to unprotect home directory
+* mysql: add evomariabackup 21.11
+* mysql: improve Bullseye compatibility
+* mysql: script "mysql_connections" to display a compact list of connections
+* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
+* nagios-nrpe + evolinux-users: new check for ipmi
+* nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
+* nagios-nrpe + evolinux-users: new checks for bkctld
+* nagios-nrpe: new check influxdb
+* openvpn: new role (beta)
+* redis: instance service for Debian 11
+* squid: add *.o.lencr.org to default whitelist
+
+### Changed
+
+* Change version pattern
+* Install python 2 or 3 libraries according to running python version
+* Remove embedded GPG keys only if legacy keyring is present
+* apt: remove workaround for Evolix public repositories with Debian 11
+* apt: upgrade packages after all the configuration is done
+* apt: use the new security repository for Bullseye
+* certbot: silence letsencrypt deprecation warnings
+* elasticsearch: elastic_stack_version = 7.x
+* evoacme: exclude renewal-hooks directory from cron
+* evoadmin-web: simpler PHP packages lists
+* evocheck: upstream release 21.10.4
+* evolinux-base: alert5 comes after the network
+* evolinux-base: force Debian version to buster for Evolix repository (temporary)
+* evolinux-base: install freeipmi by default on dedicated hw
+* evolinux-base: logs are rotated with dateext by default
+* evolinux-base: split dpkg logrotate configuration
+* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
+* evomaintenance: extract a config.yml tasks file
+* evomaintenance: upstream release 22.01
+* filebeat/metricbeat: elastic_stack_version = 7.x
+* kibana: elastic_stack_version = 7.x
+* listupgrade: old-kernel-removal version 21.10
+* listupgrade: upstream release 21.06.3
+* logstash: elastic_stack_version = 7.x
+* mongodb: Allow to specify a mongodb version for buster & bullseye
+* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
+* mongodb: Support version 5.0 (for buster)
+* mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
+* nodejs: default to version 16 LTS
+* php: enforce Debian version with assert instead of fail
+* squid: improve default whitelist (more specific patterns)
+* squid: must be started in foreground mode for systemd
+* squid: remove obsolete variable on Squid 4
+
+### Fixed
+
+* evolinux-base: fix alert5.service dependency syntax
+* certbot: sync_remote excludes itself
+* lxc-php: fix config for opensmtpd on bullseye containers
+* mysql : Create a default ~root/.my.cnf for compatibility reasons
+* nginx : fix variable name and debug to actually use nginx-light
+* packweb-apache : Support php 8.0
+* nagios-nrpe: Fix check_nfsserver for buster and bullseye
+
+### Removed
+
+* evocheck: package install is not supported anymore
+* logstash: no more dependency on Java
+* php: remove php-gettext for 7.4
+
 ## [10.6.0] 2021-06-28
 
 ### Added

apache/files/evolinux-defaults.conf

@@ -48,12 +48,23 @@ MaxKeepAliveRequests 10
     Deny from env=GoAway
 </Directory>
 
+<DirectoryMatch "/\.git">
+    # We don't want to let the client know a file exist on the server,
+    # so we return 404 "Not found" instead of 403 "Forbidden".
+    Redirect 404
+</DirectoryMatch>
 
-<Files ~ "\.(inc|bak)$">
-    Require all denied
-</Files>
+# File names starting with
+<FilesMatch "^\.(git|env)">
+    Redirect 404
+</FilesMatch>
 
+# File names ending with
+<FilesMatch "\.(inc|bak)$">
+    Redirect 404
+</FilesMatch>
 
 <LocationMatch "^/evolinux_fpm_status-.*">
     Require all denied
 </LocationMatch>
+

apache/tasks/server_status.yml

@@ -33,6 +33,7 @@
 
 - debug:
     var: apache_serverstatus_suffix
+    verbosity: 1
 
 - name: replace server-status suffix in default site index
   replace:

apt/files/bullseye_backports_preferences

@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=bullseye-backports
+Pin-Priority: 50

apt/files/check_held_packages.sh

@@ -21,7 +21,12 @@ if [ -f ${config_file} ]; then
             if [ -n "${package}" ]; then
                 if is_installed ${package} && ! is_held ${package}; then
                     apt-mark hold ${package}
-                    >&2 echo "Package \`${package}' has been marked \`hold'."
+                    msg="Package \`${package}' has been marked \`hold'."
+                    >&2 echo "${msg}"
+                    wall_bin=$(command -v wall)
+                    if [ -n "${wall_bin}" ]; then
+                        "${wall_bin}" --timeout 5 "${msg}"
+                    fi
                     return_code=1
                 fi
             fi

apt/tasks/basics.yml

@@ -19,6 +19,7 @@
     - /etc/apt/sources.list.d/debian-jessie.list
     - /etc/apt/sources.list.d/debian-stretch.list
     - /etc/apt/sources.list.d/debian-buster.list
+    - /etc/apt/sources.list.d/debian-bullseye.list
     - /etc/apt/sources.list.d/debian-update.list
   when: apt_clean_gandi_sourceslist | bool
   tags:

apt/tasks/config.yml

@@ -39,17 +39,3 @@
   when: apt_remove_aptitude | bool
   tags:
     - apt
-
-- name: Updating APT cache
-  apt:
-    update_cache: yes
-  changed_when: False
-  tags:
-    - apt
-
-- name: Upgrading system
-  apt:
-    upgrade: dist
-  when: apt_upgrade | bool
-  tags:
-    - apt

apt/tasks/evolix_public.yml

@@ -1,10 +1,18 @@
 ---
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - apt
+
 - name: Evolix embedded GPG key is absent
   apt_key:
     id: "B8612B5D"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - apt
 

apt/tasks/main.yml

@@ -37,3 +37,17 @@
   when: apt_install_hold_packages | bool
   tags:
     - apt
+
+- name: Updating APT cache
+  apt:
+    update_cache: yes
+  changed_when: False
+  tags:
+    - apt
+
+- name: Upgrading system
+  apt:
+    upgrade: dist
+  when: apt_upgrade | bool
+  tags:
+    - apt

apt/templates/bullseye_backports.list.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }}

apt/templates/bullseye_basics.list.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
+deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} 
+deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}

bullseye-detect/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+# Force facts until Debian 11 is released because Ansible is dumb
+- set_fact:
+    ansible_distribution_major_version: 11
+    ansible_distribution: "Debian"
+    ansible_distribution_release: "bullseye"
+  when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'"

certbot/files/hooks/deploy/sync_remote.sh

@@ -14,8 +14,15 @@ debug() {
 found_renewed_lineage() {
     test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
 }
+cert_content() {
+    openssl x509 -text -in "${RENEWED_LINEAGE}/fullchain.pem"
+}
 domain_from_cert() {
-    openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//'
+    if cert_content | grep -q "X509v3 Subject Alternative Name:" && cert_content | grep -q "DNS:"; then
+        cert_content | grep "DNS:" | sed -e 's/\s\+//g' -e 's/DNS://g'
+    else
+        cert_content | sed 's/^.*CN\ *=\ *//'
+    fi
 }
 main() {
     if [ -z "${RENEWED_LINEAGE}" ]; then
@@ -40,11 +47,11 @@ main() {
             rsync --archive --copy-links --delete "${RENEWED_LINEAGE}/" "${remote_host}:${remote_lineage}/" \
                 || error "Couldn't sync certificate on ${server}"
 
-            rsync --archive --copy-links --delete --exclude $0 --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \
+            rsync --archive --copy-links --delete --exclude "$(basename "$0")" --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \
                 || error "Couldn't sync hooks on ${server}"
 
             # shellcheck disable=SC2029
-            ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=${RENEWED_DOMAINS}; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
+            ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=\"${RENEWED_DOMAINS}\"; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
                 || error "Something went wrong on ${server} for deploy hooks"
         done
     else

certbot/files/hooks/manual-deploy.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -u
+
+error() {
+    >&2 echo "${PROGNAME}: $1"
+    exit 1
+}
+debug() {
+    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+        >&2 echo "${PROGNAME}: $1"
+    fi
+}
+found_renewed_lineage() {
+    test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+}
+main() {
+    if [ -z "${RENEWED_LINEAGE:-}" ]; then
+        error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)."
+    fi
+    if [ "${VERBOSE}" = "1" ]; then
+        xargs_verbose="--verbose"
+    else
+        xargs_verbose=""
+    fi
+    if found_renewed_lineage; then
+        find "${hooks_dir}" -mindepth 1 -maxdepth 1 -type f -executable -print0 | sort --zero-terminated --dictionary-order | xargs ${xargs_verbose} --no-run-if-empty --null --max-args=1 sh -c
+    else
+        error "Couldn't find required files in \`${RENEWED_LINEAGE}'"
+    fi
+    
+}
+
+PROGNAME=$(basename "$0")
+VERBOSE=${VERBOSE:-"0"}
+QUIET=${QUIET:-"0"}
+
+hooks_dir="/etc/letsencrypt/renewal-hooks/deploy"
+
+main

certbot/files/letsencrypt-auto

@@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
 fi
 VENV_BIN="$VENV_PATH/bin"
 BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
-LE_AUTO_VERSION="1.9.0"
+LE_AUTO_VERSION="1.14.0"
 BASENAME=$(basename $0)
 USAGE="Usage: $BASENAME [OPTIONS]
 A self-updating wrapper script for the Certbot ACME client. When run, updates
@@ -497,7 +497,7 @@ Python36SclIsAvailable() {
 
 # Try to enable rh-python36 from SCL if it is necessary and possible.
 EnablePython36SCL() {
-  if "$EXISTS" python3.6 > /dev/null 2>/dev/null; then
+  if "$EXISTS" python3.6 > /dev/null 2> /dev/null; then
       return 0
   fi
   if [ ! -f /opt/rh/rh-python36/enable ]; then
@@ -799,15 +799,15 @@ BootstrapMageiaCommon() {
 # that function. If Bootstrap is set to a function that doesn't install any
 # packages BOOTSTRAP_VERSION is not set.
 if [ -f /etc/debian_version ]; then
-  Bootstrap() {
-    BootstrapMessage "Debian-based OSes"
-    BootstrapDebCommon
-  }
-  BOOTSTRAP_VERSION="BootstrapDebCommon $BOOTSTRAP_DEB_COMMON_VERSION"
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif [ -f /etc/mageia-release ]; then
   # Mageia has both /etc/mageia-release and /etc/redhat-release
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif [ -f /etc/redhat-release ]; then
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
   # Run DeterminePythonVersion to decide on the basis of available Python versions
   # whether to use 2.x or 3.x on RedHat-like systems.
   # Then, revert LE_PYTHON to its previous state.
@@ -815,7 +815,7 @@ elif [ -f /etc/redhat-release ]; then
   unset LE_PYTHON
   DeterminePythonVersion "NOCRASH"
 
-  RPM_DIST_NAME=`(. /etc/os-release 2>/dev/null && echo $ID) || echo "unknown"`
+  RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
 
   if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then
     # 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto.
@@ -825,7 +825,7 @@ elif [ -f /etc/redhat-release ]; then
   # Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
   # '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
   # error, RPM_DIST_VERSION is set to "unknown".
-  RPM_DIST_VERSION=$( (. /etc/os-release 2>/dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
+  RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
 
   # If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
   # characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
@@ -840,12 +840,7 @@ elif [ -f /etc/redhat-release ]; then
       INTERACTIVE_BOOTSTRAP=1
     fi
 
-    Bootstrap() {
-      BootstrapMessage "Legacy RedHat-based OSes that will use Python3"
-      BootstrapRpmPython3Legacy
-    }
     USE_PYTHON_3=1
-    BOOTSTRAP_VERSION="BootstrapRpmPython3Legacy $BOOTSTRAP_RPM_PYTHON3_LEGACY_VERSION"
 
     # Try now to enable SCL rh-python36 for systems already bootstrapped
     # NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto
@@ -864,43 +859,38 @@ elif [ -f /etc/redhat-release ]; then
     fi
 
     if [ "$RPM_USE_PYTHON_3" = 1 ]; then
-      Bootstrap() {
-        BootstrapMessage "RedHat-based OSes that will use Python3"
-        BootstrapRpmPython3
-      }
       USE_PYTHON_3=1
-      BOOTSTRAP_VERSION="BootstrapRpmPython3 $BOOTSTRAP_RPM_PYTHON3_VERSION"
-    else
-      Bootstrap() {
-        BootstrapMessage "RedHat-based OSes"
-        BootstrapRpmCommon
-      }
-      BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
     fi
   fi
 
   LE_PYTHON="$prev_le_python"
 elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif [ -f /etc/arch-release ]; then
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif [ -f /etc/manjaro-release ]; then
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif [ -f /etc/gentoo-release ]; then
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif uname | grep -iq FreeBSD ; then
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif uname | grep -iq Darwin ; then
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
-  Bootstrap() {
-    ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon
-  }
-  BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
+  DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 else
   DEPRECATED_OS=1
+  NO_SELF_UPGRADE=1
 fi
 
 # We handle this case after determining the normal bootstrap version to allow
@@ -1122,15 +1112,17 @@ if [ "$1" = "--le-auto-phase2" ]; then
   if [ "$DEPRECATED_OS" = 1 ]; then
     # Phase 2 damage control mode for deprecated OSes.
     # In this situation, we bypass any bootstrap or certbot venv setup.
-    error "Your system is not supported by certbot-auto anymore."
+    # error "Your system is not supported by certbot-auto anymore."
 
     if [ ! -d "$VENV_PATH" ] && OldVenvExists; then
       VENV_BIN="$OLD_VENV_PATH/bin"
     fi
 
     if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then
-      error "Certbot will no longer receive updates."
-      error "Please visit https://certbot.eff.org/ to check for other alternatives."
+      # error "certbot-auto and its Certbot installation will no longer receive updates."
+      # error "You will not receive any bug fixes including those fixing server compatibility"
+      # error "or security problems."
+      # error "Please visit https://certbot.eff.org/ to check for other alternatives."
       "$VENV_BIN/letsencrypt" "$@"
       exit 0
     else
@@ -1497,18 +1489,18 @@ letsencrypt==0.7.0 \
     --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
     --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
 
-certbot==1.9.0 \
-    --hash=sha256:d5a804d32e471050921f7b39ed9859e2e9de02824176ed78f57266222036b53a \
-    --hash=sha256:2ff9bf7d9af381c7efee22dec2dd6938d9d8fddcc9e11682b86e734164a30b57
-acme==1.9.0 \
-    --hash=sha256:d8061b396a22b21782c9b23ff9a945b23e50fca2573909a42f845e11d5658ac5 \
-    --hash=sha256:38a1630c98e144136c62eec4d2c545a1bdb1a3cd4eca82214be6b83a1f5a161f
-certbot-apache==1.9.0 \
-    --hash=sha256:09528a820d57e54984d490100644cd8a6603db97bf5776f86e95795ecfacf23d \
-    --hash=sha256:f47fb3f4a9bd927f4812121a0beefe56b163475a28f4db34c64dc838688d9e9e
-certbot-nginx==1.9.0 \
-    --hash=sha256:bb2e3f7fe17f071f350a3efa48571b8ef40a8e4b6db9c6da72539206a20b70be \
-    --hash=sha256:ab26a4f49d53b0e8bf0f903e58e2a840cda233fe1cbbc54c36ff17f973e57d65
+certbot==1.14.0 \
+    --hash=sha256:67b4d26ceaea6c7f8325d0d45169e7a165a2cabc7122c84bc971ba068ca19cca \
+    --hash=sha256:959ea90c6bb8dca38eab9772722cb940972ef6afcd5f15deef08b3c3636841eb
+acme==1.14.0 \
+    --hash=sha256:4f48c41261202f1a389ec2986b2580b58f53e0d5a1ae2463b34318d78b87fc66 \
+    --hash=sha256:61daccfb0343628cbbca551a7fc4c82482113952c21db3fe0c585b7c98fa1c35
+certbot-apache==1.14.0 \
+    --hash=sha256:b757038db23db707c44630fecb46e99172bd791f0db5a8e623c0842613c4d3d9 \
+    --hash=sha256:887fe4a21af2de1e5c2c9428bacba6eb7c1219257bc70f1a1d8447c8a321adb0
+certbot-nginx==1.14.0 \
+    --hash=sha256:8916a815437988d6c192df9f035bb7a176eab20eee0956677b335d0698d243fb \
+    --hash=sha256:cc2a8a0de56d9bb6b2efbda6c80c647dad8db2bb90675cac03ade94bd5fc8597
 
 UNLIKELY_EOF
     # -------------------------------------------------------------------------

certbot/tasks/install-legacy.yml

@@ -8,6 +8,7 @@
 - include_role:
     name: evolix/remount-usr
 
+# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
 - name: Let's Encrypt script is present
   copy:
     src: letsencrypt-auto
@@ -55,5 +56,5 @@
     dest: "/etc/letsencrypt/cli.ini"
     section: null
     option: "no-self-upgrade"
-    value: 0
+    value: "no"
     state: present

certbot/tasks/main.yml

@@ -7,17 +7,17 @@
       - ansible_distribution_major_version is version('8', '>=')
     msg: only compatible with Debian 9+
 
-- name: Install legacy script on Debian 8 and 9
+- name: Install legacy script on Debian 8
   include: install-legacy.yml
   when:
     - ansible_distribution == "Debian"
-    - ansible_distribution_major_version is version('10', '<')
+    - ansible_distribution_major_version is version('9', '<')
 
-- name: Install package on Debian 10+
+- name: Install package on Debian 9+
   include: install-package.yml
   when:
     - ansible_distribution == "Debian"
-    - ansible_distribution_major_version is version('10', '>=')
+    - ansible_distribution_major_version is version('9', '>=')
 
 - include: acme-challenge.yml
 
@@ -29,6 +29,14 @@
     owner: root
     group: root
 
+- name: Manual deploy hook is present
+  copy:
+    src: hooks/manual-deploy.sh
+    dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
+    mode: "0700"
+    owner: root
+    group: root
+
 - name: "sync_remote is configured with servers"
   lineinfile:
     dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf

clamav/tasks/main.yml

@@ -6,48 +6,48 @@
     value: "{{ item.value }}"
     vtype: "{{ item.type }}"
   loop:
-  - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
-  - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
-  - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
-  - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
-  - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
-  - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
-  - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
-  - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
-  - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
-  - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
-  - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
-  - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
-  - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
-  - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
-  - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
-  - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
-  - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
-  - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
-  - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
-  - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
-  - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
-  - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
-  - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
-  - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
-  - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
-  - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
-  - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
-  - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
+    - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
+    - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
+    - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
+    - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
+    - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
+    - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
+    - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
+    - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
+    - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
+    - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
+    - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
+    - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
+    - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
+    - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
+    - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
+    - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
+    - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
+    - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
+    - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
+    - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
+    - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
+    - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
+    - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
+    - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
+    - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
+    - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
+    - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
   tags:
   - clamav
 
@@ -58,17 +58,17 @@
     value: "{{ item.value }}"
     vtype: "{{ item.type }}"
   loop:
-  - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
-  - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
-  - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
-  - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
-  - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
-  - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
-  - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
+    - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
+    - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
+    - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
+    - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
+    - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
+    - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
   tags:
   - clamav
 

docker-host/tasks/main.yml

@@ -36,13 +36,26 @@
     owner: root
     group: root
 
-- name: Install docker and python-docker
+- name: Install Docker
   apt:
     name:
       - docker-ce
-      - python-docker
+      - docker-ce-cli
+      - containerd.io
     update_cache: yes
 
+- name: python-docker is installed
+  apt:
+    name: python-docker
+    state: present
+  when: ansible_python_version is version('3', '<')
+
+- name: python3-docker is installed
+  apt:
+    name: python3-docker
+    state: present
+  when: ansible_python_version is version('3', '>=')
+
 - name: Copy Docker daemon configuration file
   template:
     src: daemon.json.j2

dovecot/tasks/main.yml

@@ -10,6 +10,11 @@
   tags:
   - dovecot
 
+- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
+  openssl_dhparam:
+    path: /etc/ssl/dhparams.pem
+    size: 4096
+
 - name: disable pam auth
   replace:
     dest: /etc/dovecot/conf.d/10-auth.conf
@@ -64,6 +69,15 @@
   tags:
   - dovecot
 
+- name: deploy file for custom configuration
+  template:
+    src: zzz-evolinux-custom.conf.j2
+    dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf
+    mode: "0644"
+  notify: reload dovecot
+  tags:
+  - dovecot
+
 - include: munin.yml
   tags:
   - dovecot

dovecot/templates/z-evolinux-defaults.conf.j2

@@ -35,12 +35,27 @@ service login {
 }
 mail_max_userip_connections = 42
 
+# Configuration pour stats dovecot
+service stats {
+    unix_listener stats-reader {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+
+    unix_listener stats-writer {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+}
+
 # SSL/TLS
 ssl = yes
 ssl_prefer_server_ciphers = yes
-ssl_dh_parameters_length = 2048
+ssl_dh=</etc/ssl/dhparams.pem
 ssl_options = no_compression no_ticket
-ssl_protocols = !TLSv1 !TLSv1.1
+ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
 ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

dovecot/templates/zzz-evolinux-custom.conf.j2

@@ -0,0 +1 @@
+## Put your customized configuration here, verify configuration with "doveconf -n" and /var/log/mail.log

elasticsearch/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "6.x"
+elastic_stack_version: "7.x"
 
 elasticsearch_cluster_name: Null
 elasticsearch_cluster_members: Null

elasticsearch/tasks/configuration.yml

@@ -96,17 +96,25 @@
 
 - name: JVM Heap size (min) is set
   lineinfile:
-    dest: /etc/elasticsearch/jvm.options
+    dest: /etc/elasticsearch/jvm.options.d/evolinux.options
     regexp: "^-Xms"
     line: "-Xms{{ elasticsearch_jvm_xms }}"
+    create: yes
+    owner: root
+    group: elasticsearch
+    mode: 0640
   tags:
     - config
 
 - name: JVM Heap size (max) is set
   lineinfile:
-    dest: /etc/elasticsearch/jvm.options
+    dest: /etc/elasticsearch/jvm.options.d/evolinux.options
     regexp: "^-Xmx"
     line: "-Xmx{{ elasticsearch_jvm_xmx }}"
+    create: yes
+    owner: root
+    group: elasticsearch
+    mode: 0640
   tags:
     - config
 

elasticsearch/tasks/packages.yml

@@ -8,11 +8,20 @@
     - elasticsearch
     - packages
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - elasticsearch
+    - packages
+
 - name: Elastic embedded GPG key is absent
   apt_key:
     id: "D88E42B4"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - elasticsearch
     - packages
@@ -52,4 +61,4 @@
     name: elasticsearch
     enabled: yes
   tags:
-  - elasticsearch
+    - elasticsearch

elasticsearch/tasks/tmpdir.yml

@@ -26,10 +26,13 @@
 
     - name: change JVM tmpdir (< 6.x)
       lineinfile:
-        dest: /etc/elasticsearch/jvm.options
+        dest: /etc/elasticsearch/jvm.options.d/evolinux.options
         line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}"
         regexp: "^-Djava.io.tmpdir="
-        insertafter: "## JVM configuration"
+        create: yes
+        owner: root
+        group: elasticsearch
+        mode: 0640
       notify:
         - restart elasticsearch
       tags:
@@ -48,6 +51,7 @@
         - elasticsearch
       when: elastic_stack_version is version('6', '>=')
 
+    # Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config.
     - name: change JVM tmpdir (>= 6.x)
       lineinfile:
         dest: /etc/elasticsearch/jvm.options

etc-git/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
-commit_message: Ansible run
+etc_git_default_commit_message: Ansible run
 
 etc_git_monitor_status: True
+etc_git_purge_index_lock_enabled: True
+etc_git_purge_index_lock_age: 86400

etc-git/files/etc-git-optimize

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -u
+
+repositories="/etc /etc/bind/ /usr/share/scripts"
+
+for repository in ${repositories}; do
+    if [ -d "${repository}/.git" ]; then
+        git --git-dir="${repository}/.git" gc --quiet
+    fi
+done

etc-git/files/etc-git-status

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -u
+
+repositories="/etc /etc/bind/ /usr/share/scripts"
+
+for repository in ${repositories}; do
+    if [ -d "${repository}/.git" ]; then
+        git --git-dir="${repository}/.git" --work-tree="${repository}" status --short
+    fi
+done

etc-git/files/evocommit

@@ -0,0 +1,265 @@
+#!/bin/sh
+
+set -u
+
+VERSION="21.10"
+
+show_version() {
+    cat <<END
+evocommit version ${VERSION}
+
+Copyright 2021 Evolix <info@evolix.fr>,
+               Jérémy Lecour <jlecour@evolix.fr>
+               and others.
+
+evocommit comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+
+show_help() {
+    cat <<END
+evocommit helps properly committing changes in a repository
+
+END
+    show_usage
+}
+show_usage() {
+    cat <<END
+Usage: evocommit --repository /path/to/repository --message "add new host"
+
+Options
+     --repository PATH   set the path for the repository
+     --message MESSAGE   set the commit message
+ -V, --version           print version number
+ -v, --verbose           increase verbosity
+ -n, --dry-run           actions are not executed
+     --help              print this message and exit
+     --version           print version and exit
+END
+}
+
+syslog() {
+    if [ -x "${LOGGER_BIN}" ]; then
+        ${LOGGER_BIN} -t "evocommit" "$1"
+    fi
+}
+get_system() {
+    uname -s
+}
+is_repository_readonly() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount | grep "${partition}" | grep -q "read-only"
+    elif command -v findmnt >/dev/null; then
+        mountpoint=$(stat -c '%m' $1)
+        findmnt "${mountpoint}" --noheadings --output OPTIONS -O ro
+    else
+        grep /usr /proc/mounts | grep -E '\bro\b'
+    fi
+}
+remount_repository_readwrite() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount -u -w /dev/${partition} 2>/dev/null
+    else
+        mountpoint=$(stat -c '%m' $1)
+        mount -o remount,rw ${mountpoint}
+        syslog "Re-mount ${mountpoint} as read-write to commit in repository $1"
+    fi
+}
+remount_repository_readonly() {
+    if [ "$(get_system)" = "OpenBSD" ]; then
+        partition=$(stat -f '%Sd' $1)
+        mount -u -r /dev/${partition} 2>/dev/null
+    else
+        mountpoint=$(stat -c '%m' $1)
+        mount -o remount,ro ${mountpoint} 2>/dev/null
+        syslog "Re-mount ${mountpoint} as read-only after commit to repository $1"
+    fi
+}
+is_dry_run() {
+    test "${DRY_RUN}" = "1"
+}
+is_verbose() {
+    test "${VERBOSE}" = "1"
+}
+is_ansible() {
+    test "${ANSIBLE}" = "1"
+}
+main() {
+    rc=0
+    lock="${GIT_DIR}/index.lock"
+    if [ -f "${lock}" ]; then
+        limit=$(date +"%s" -d "now - 1 hour")
+        updated_at=$(stat -c "%Y" "${lock}")
+        if [ "$updated_at" -lt "$limit" ]; then
+            rm -f "${lock}"
+        fi
+    fi
+
+    git_status=$(${GIT_BIN} status --porcelain)
+
+    if [ -n "${git_status}" ]; then
+        if is_dry_run; then
+            ${GIT_BIN} status
+        else
+            readonly_orig=0
+            # remount mount point read-write if currently readonly
+            if is_repository_readonly "${REPOSITORY}"; then
+                readonly_orig=1;
+                remount_repository_readwrite "${REPOSITORY}";
+            fi
+            author=$(logname)
+            email=$(git config --get user.email)
+            email=${email:-"${author}@evolix.net"}
+
+            # commit changes
+            git_add_result=$(${GIT_BIN} add --all)
+            git_add_rc=$?
+
+            if is_ansible; then
+                if [ ${git_add_rc} -ne 0 ]; then
+                    printf "FAILED: %s\n%s" "can't add changes in ${REPOSITORY}" "${git_add_result}"
+                    rc=1
+                fi
+            fi
+
+            git_commit_result=$(${GIT_BIN} commit --message "${MESSAGE}" --author "${author} <${email}>")
+            git_commit_rc=$?
+
+            if is_ansible; then
+                if [ ${git_commit_rc} -eq 0 ]; then
+                    printf "CHANGED: %s\n" "commit done in ${REPOSITORY} with \`${MESSAGE}'"
+                else
+                    printf "FAILED: %s\n%s" "can't commit in ${REPOSITORY} \`${MESSAGE}'" "${git_commit_result}"
+                    rc=1
+                fi
+            fi
+
+            # remount mount point read-only if it was before
+            if [ ${readonly_orig} -eq 1 ]; then
+                remount_repository_readonly "${REPOSITORY}"
+            fi
+        fi
+    else
+        if is_ansible; then
+            printf "INFO: %s\n" "no commit in ${REPOSITORY}'"
+        fi
+    fi
+
+    unset GIT_DIR
+    unset GIT_WORK_TREE
+
+    exit ${rc}
+}
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case ${1:-''} in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        --message)
+            # message options, with value speparated by space
+            if [ -n "$2" ]; then
+                MESSAGE=$2
+                shift
+            else
+                printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --message=?*)
+            # message options, with value speparated by =
+            MESSAGE=${1#*=}
+            ;;
+        --message=)
+            # message options, without value
+            printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+        --repository)
+            # repository options, with value speparated by space
+            if [ -n "$2" ]; then
+                REPOSITORY=$2
+                shift
+            else
+                printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --repository=?*)
+            # repository options, with value speparated by =
+            REPOSITORY=${1#*=}
+            ;;
+        --repository=)
+            # repository options, without value
+            printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+        -n|--dry-run)
+            # disable actual commands
+            DRY_RUN=1
+            ;;
+        -v|--verbose)
+            # print verbose information
+            VERBOSE=1
+            ;;
+        --ansible)
+            # print information for Ansible
+            ANSIBLE=1
+            ;;
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+if [ -z "${MESSAGE}" ]; then
+    echo "Error: missing message parameter" >&2
+    show_usage
+    exit 1
+fi
+if [ -z "${REPOSITORY}" ]; then
+    echo "Error: missing repository parameter" >&2
+    show_usage
+    exit 1
+fi
+DRY_RUN=${DRY_RUN:-0}
+VERBOSE=${VERBOSE:-0}
+ANSIBLE=${ANSIBLE:-0}
+
+GIT_BIN=$(command -v git)
+readonly GIT_BIN
+
+LOGGER_BIN=$(command -v logger)
+readonly LOGGER_BIN
+
+export GIT_DIR="${REPOSITORY}/.git"
+export GIT_WORK_TREE="${REPOSITORY}"
+
+if [ -d "${GIT_DIR}" ]; then
+    main
+else
+    echo "There is no Git repository in '${REPOSITORY}'" >&2
+    exit 1
+fi

etc-git/files/optimize-etc-git

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-git --git-dir /etc/.git gc --quiet

etc-git/tasks/commit.yml

@@ -1,25 +1,52 @@
 ---
 
+# /etc
 - name: Is /etc a git repository
   stat:
     path: /etc/.git
   register: _etc_git
 
-- include: do_commit.yml
-  vars:
-    git_folder: "/etc"
+- name: "evocommit /etc"
+  command: "/usr/local/bin/evocommit --ansible --repository /etc --message \"{{ commit_message | mandatory }}\""
+  changed_when:
+    - _etc_git_commit.stdout
+    - "'CHANGED:' in _etc_git_commit.stdout"
+  ignore_errors: yes
+  register: _etc_git_commit
   when:
     - _etc_git.stat.exists
     - _etc_git.stat.isdir
 
+# /etc/bind
+- name: Is /etc/bind a git repository
+  stat:
+    path: /etc/bind/.git
+  register: _etc_bind_git
+
+- name: "evocommit /etc/bind"
+  command: "/usr/local/bin/evocommit --ansible --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
+  changed_when:
+    - _etc_bind_git_commit.stdout
+    - "'CHANGED:' in _etc_bind_git_commit.stdout"
+  ignore_errors: yes
+  register: _etc_bind_git_commit
+  when:
+    - _etc_bind_git.stat.exists
+    - _etc_bind_git.stat.isdir
+
+# /usr/share/scripts
 - name: Is /usr/share/scripts a git repository
   stat:
     path: /usr/share/scripts/.git
   register: _usr_share_scripts_git
 
-- include: do_commit.yml
-  vars:
-    git_folder: "/usr/share/scripts"
+- name: "evocommit /usr/share/scripts"
+  command: "/usr/local/bin/evocommit --ansible --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
+  changed_when:
+    - _usr_share_scripts_git_commit.stdout
+    - "'CHANGED:' in _usr_share_scripts_git_commit.stdout"
+  ignore_errors: yes
+  register: _usr_share_scripts_git_commit
   when:
     - _usr_share_scripts_git.stat.exists
     - _usr_share_scripts_git.stat.isdir

etc-git/tasks/do_commit.yml

@@ -1,63 +0,0 @@
----
-
-- name: "Remount /usr if needed"
-  include_role:
-    name: remount-usr
-  when: git_folder is match('/usr/.*')
-
-- name: "is {{ git_folder }} clean?"
-  command: git status --porcelain
-  args:
-    chdir: "{{ git_folder }}"
-  changed_when: False
-  register: git_status
-  when: not ansible_check_mode
-  ignore_errors: yes
-  tags:
-    - etc-git
-    - commit
-
-- debug:
-    var: git_status
-    verbosity: 3
-  tags:
-    - etc-git
-    - commit
-
-- name: fetch current Git user.email
-  git_config:
-    name: user.email
-    repo: "{{ git_folder }}"
-  register: git_config_user_email
-  ignore_errors: yes
-  tags:
-    - etc-git
-    - commit
-
-- name: "set commit author"
-  set_fact:
-    commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
-    commit_email:  '{% if git_config_user_email.config_value is not defined or not git_config_user_email.config_value %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' # noqa 204
-  tags:
-    - etc-git
-    - commit
-
-- name: "{{ git_folder }} modifications are committed"
-  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
-  args:
-    chdir: "{{ git_folder }}"
-  register: commit_end_run
-  when:
-    - not ansible_check_mode
-    - git_status.stdout | length > 0
-  ignore_errors: yes
-  tags:
-    - etc-git
-    - commit
-
-- debug:
-    var: commit_end_run
-    verbosity: 4
-  tags:
-    - etc-git
-    - commit

etc-git/tasks/main.yml

@@ -7,6 +7,18 @@
   tags:
     - etc-git
 
+- include_role:
+    name: evolix/remount-usr
+
+- name: "evocommit script is installed"
+  copy:
+    src: evocommit
+    dest: /usr/local/bin/evocommit
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
 - include: repository.yml
   vars:
     repository_path: "/etc"
@@ -32,6 +44,24 @@
     - _usr_share_scripts.stat.isdir
     - ansible_distribution_major_version is version('10', '>=')
 
+- name: "etc-git-optimize script is installed"
+  copy:
+    src: etc-git-optimize
+    dest: /usr/share/scripts/etc-git-optimize
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
+- name: "etc-git-status script is installed"
+  copy:
+    src: etc-git-status
+    dest: /usr/share/scripts/etc-git-status
+    mode: "0755"
+    force: yes
+  tags:
+    - etc-git
+
 - name: Check if cron is installed
   shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
   args:
@@ -41,29 +71,44 @@
   check_mode: no
   register: is_cron_installed
 
-- name: Optimize script is installed in monthly crontab
-  copy:
-    src: optimize-etc-git
-    dest: /etc/cron.monthly/optimize-etc-git
-    mode: "0750"
-    force: no
+- block:
+  - name: Legacy cron jobs for /etc/.git status are absent 
+    file:
+      dest: "{{ item }}"
+      state: absent
+    loop:
+      - /etc/cron.monthly/optimize-etc-git
+      - /etc/cron.d/etc-git-status
+
+  - name: Cron job for monthly git optimization
+    cron:
+      name: "Monthly optimization"
+      cron_file: etc-git
+      special_time: "monthly"
+      user: root
+      job: "/usr/share/scripts/etc-git-optimize"
+
+  - name: Cron job for hourly git status
+    cron:
+      name: "Hourly warning for unclean Git repository if nobody is connected"
+      cron_file: etc-git
+      special_time: "hourly"
+      user: root
+      job: "who > /dev/null || /usr/share/scripts/etc-git-status"
+      state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
+
+  - name: Cron job for daily git status
+    cron:
+      name: "Daily warning for unclean Git repository"
+      cron_file: etc-git
+      user: root
+      job: "/usr/share/scripts/etc-git-status"
+      minute: "21"
+      hour: "21"
+      weekday: "*"
+      day: "*"
+      month: "*"
+      state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
   when: is_cron_installed.rc == 0
   tags:
-    - etc-git
-
-- name: Cron job for /etc/.git status is installed
-  template:
-    src: etc-git-status.j2
-    dest: /etc/cron.d/etc-git-status
-    mode: "0644"
-  when: is_cron_installed.rc == 0 and etc_git_monitor_status
-  tags:
-    - etc-git
-
-- name: Cron job for /etc/.git status is removed
-  file:
-    dest: /etc/cron.d/etc-git-status
-    state: absent
-  when: is_cron_installed.rc == 0 and not etc_git_monitor_status
-  tags:
-    - etc-git
+    - etc-git

etc-git/tasks/repository.yml

@@ -70,4 +70,4 @@
   register: git_commit
   when: git_log.rc != 0 or (git_init is defined and git_init is changed)
   tags:
-    - etc-git
+    - etc-git

etc-git/templates/etc-git-status.j2

@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-
-@hourly root who > /dev/null || git --git-dir=/etc/.git --work-tree=/etc status --short
-21 21 * * * root git --git-dir=/etc/.git --work-tree=/etc status --short

evoacme/files/evoacme.cron

@@ -15,12 +15,13 @@ find "${CRT_DIR}" \
     -maxdepth 1 \
     -mindepth 1 \
     -type d \
-    ! -path "*accounts" \
-    ! -path "*archive" \
-    ! -path "*csr" \
-    ! -path "*hooks" \
-    ! -path "*keys" \
-    ! -path "*live" \
-    ! -path "*renewal" \
+    ! -path "${CRT_DIR}/accounts" \
+    ! -path "${CRT_DIR}/archive" \
+    ! -path "${CRT_DIR}/csr" \
+    ! -path "${CRT_DIR}/hooks" \
+    ! -path "${CRT_DIR}/keys" \
+    ! -path "${CRT_DIR}/live" \
+    ! -path "${CRT_DIR}/renewal" \
+    ! -path "${CRT_DIR}/renewal-hooks" \
     -printf "%f\n" \
         | xargs --max-args=1 --no-run-if-empty evoacme

evocheck/README.md

@@ -16,6 +16,4 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe
 ## Variables
 
 We can force install via :
-* `evocheck_force_install: local` : will copy the script provided by the role
-* `evocheck_force_install: package` : will install the package via repositories
 * `evocheck_update_crontab` : will update the crontab (default: `True`)

evocheck/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
-evocheck_force_install: False
+
 evocheck_update_crontab: True
 evocheck_bin_dir: /usr/share/scripts

evocheck/files/evocheck.sh

@@ -4,7 +4,8 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-readonly VERSION="20.12"
+VERSION="21.10.4"
+readonly VERSION
 
 # base functions
 
@@ -12,7 +13,7 @@ show_version() {
     cat <<END
 evocheck version ${VERSION}
 
-Copyright 2009-2019 Evolix <info@evolix.fr>,
+Copyright 2009-2021 Evolix <info@evolix.fr>,
                     Romain Dessort <rdessort@evolix.fr>,
                     Benoit Série <bserie@evolix.fr>,
                     Gregory Colpart <reg@evolix.fr>,
@@ -62,6 +63,8 @@ detect_os() {
                 8) DEBIAN_RELEASE="jessie";;
                 9) DEBIAN_RELEASE="stretch";;
                 10) DEBIAN_RELEASE="buster";;
+                11) DEBIAN_RELEASE="bullseye";;
+                12) DEBIAN_RELEASE="bookworm";;
             esac
         fi
     elif [ "$(uname -s)" = "OpenBSD" ]; then
@@ -71,7 +74,7 @@ detect_os() {
 }
 
 is_debian() {
-  test -n "${DEBIAN_RELEASE}"
+    test -n "${DEBIAN_RELEASE}"
 }
 is_debian_lenny() {
     test "${DEBIAN_RELEASE}" = "lenny"
@@ -91,6 +94,12 @@ is_debian_stretch() {
 is_debian_buster() {
     test "${DEBIAN_RELEASE}" = "buster"
 }
+is_debian_bullseye() {
+    test "${DEBIAN_RELEASE}" = "bullseye"
+}
+is_debian_bookworm() {
+    test "${DEBIAN_RELEASE}" = "bookworm"
+}
 debian_release() {
     printf "%s" "${DEBIAN_RELEASE}"
 }
@@ -109,7 +118,7 @@ is_pack_samba(){
 }
 is_installed(){
     for pkg in "$@"; do
-        dpkg -l "$pkg" 2>/dev/null | grep -q -E '^(i|h)i' || return 1
+        dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1
     done
 }
 minifirewall_file() {
@@ -147,7 +156,7 @@ check_lsbrelease(){
         ## only the major version matters
         lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
         rhs=$(cut -d "." -f 1 < /etc/debian_version)
-        test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"
+        test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})"
     else
         failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
     fi
@@ -165,7 +174,7 @@ check_dpkgwarning() {
             test -e /etc/apt/apt.conf \
                 && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
         fi
-    elif is_debian_stretch || is_debian_buster; then
+    elif is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         test -e /etc/apt/apt.conf.d/z-evolinux.conf \
             || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
     fi
@@ -211,7 +220,6 @@ check_vartmpfs() {
     else
         df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
     fi
-    
 }
 check_serveurbase() {
     is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
@@ -224,8 +232,19 @@ check_syslogconf() {
         || failed "IS_SYSLOGCONF" "syslog evolix config file missing"
 }
 check_debiansecurity() {
-    grep -q "^deb.*security" /etc/apt/sources.list \
-        || failed "IS_DEBIANSECURITY" "missing debian security repository"
+    if is_debian_bullseye; then
+        # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
+        pattern="^deb https://deb\.debian\.org/debian-security/? bullseye-security main"
+    elif is_debian_buster; then
+        pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
+    elif is_debian_stretch; then
+        pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
+    else
+        pattern="^deb.*security"
+    fi
+
+    source_file="/etc/apt/sources.list"
+    grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository"
 }
 check_aptitudeonly() {
     if is_debian_squeeze || is_debian_wheezy; then
@@ -234,13 +253,13 @@ check_aptitudeonly() {
     fi
 }
 check_aptitude() {
-    if is_debian_jessie || is_debian_stretch || is_debian_buster; then
+    if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
     fi
 }
 check_aptgetbak() {
-    if is_debian_jessie || is_debian_stretch || is_debian_buster; then
-        test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "missing dpkg-divert apt-get.bak"
+    if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
+        test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)"
     fi
 }
 check_apticron() {
@@ -276,7 +295,7 @@ check_mountfstab() {
     fi
 }
 check_listchangesconf() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed apt-listchanges; then
             failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9"
         fi
@@ -296,7 +315,7 @@ check_customcrontab() {
     test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
 }
 check_sshallowusers() {
-    grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
+    grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
         || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
 }
 check_diskperf() {
@@ -307,7 +326,7 @@ check_tmoutprofile() {
     grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
 }
 check_alert5boot() {
-    if is_debian_buster; then
+    if is_debian_buster || is_debian_bullseye; then
         grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
         test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing"
         systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
@@ -320,7 +339,7 @@ check_alert5boot() {
     fi
 }
 check_alert5minifw() {
-    if is_debian_buster; then
+    if is_debian_buster || is_debian_bullseye; then
         grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \
             || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing"
     else
@@ -336,6 +355,13 @@ check_minifw() {
     /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
         || failed "IS_MINIFW" "minifirewall seems not starded"
 }
+check_minifw_includes() {
+    if is_debian_bullseye; then
+        if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "${MINIFW_FILE}"; then
+            failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in ${MINIFW_FILE} that should go in /etc/minifirewall.d/"
+        fi
+    fi
+}
 check_nrpeperms() {
     if [ -d /etc/nagios ]; then
         nagiosDir="/etc/nagios"
@@ -357,7 +383,11 @@ check_nrpedisks() {
     test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
 }
 check_nrpepid() {
-    if ! is_debian_squeeze; then
+    if is_debian_bullseye; then
+        { test -e /etc/nagios/nrpe.cfg \
+            && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
+        } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
+    elif ! is_debian_squeeze; then
         { test -e /etc/nagios/nrpe.cfg \
             && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
         } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
@@ -372,7 +402,7 @@ check_grsecprocs() {
 }
 check_apachemunin() {
     if test -e /etc/apache2/apache2.conf; then
-        if is_debian_stretch || is_debian_buster; then
+        if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
             { test -h /etc/apache2/mods-enabled/status.load \
                 && test -h /etc/munin/plugins/apache_accesses \
                 && test -h /etc/munin/plugins/apache_processes \
@@ -392,17 +422,20 @@ check_apachemunin() {
 check_mysqlutils() {
     MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
     if is_installed mysql-server; then
-        # You can configure MYSQL_ADMIN in evocheck.cf
-        if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then
-            failed "IS_MYSQLUTILS" "mysqladmin missing in /root/.my.cnf"
+        # With Debian 11 and later, root can connect to MariaDB with the socket
+        if is_debian_wheezy || is_debian_jessie ||  is_debian_stretch || is_debian_buster; then
+            # You can configure MYSQL_ADMIN in evocheck.cf
+            if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then
+                failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf"
+            fi
         fi
         if ! test -x /usr/bin/mytop; then
             if ! test -x /usr/local/bin/mytop; then
                 failed "IS_MYSQLUTILS" "mytop binary missing"
             fi
         fi
-        if ! grep -qs debian-sys-maint /root/.mytop; then
-            failed "IS_MYSQLUTILS" "debian-sys-maint missing in /root/.mytop"
+        if ! grep -qs '^user *=' /root/.mytop; then
+            failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop"
         fi
     fi
 }
@@ -431,7 +464,7 @@ check_muninlogrotate() {
 }
 # Verification de l'activation de Squid dans le cas d'un pack mail
 check_squid() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         squidconffile="/etc/squid/evolinux-custom.conf"
     else
         squidconffile="/etc/squid*/squid.conf"
@@ -444,7 +477,8 @@ check_squid() {
             && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
             && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
             && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
-        } || failed "IS_SQUID" "missing squid rules in minifirewall"
+        } || grep -qE "^PROXY='?on'?" "$MINIFW_FILE" \
+          || failed "IS_SQUID" "missing squid rules in minifirewall"
     fi
 }
 check_evomaintenance_fw() {
@@ -473,7 +507,7 @@ check_log2mailrunning() {
     fi
 }
 check_log2mailapache() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         conf=/etc/log2mail/config/apache
     else
         conf=/etc/log2mail/config/default
@@ -532,10 +566,10 @@ check_network_interfaces() {
 }
 # Verify if all if are in auto
 check_autoif() {
-    if is_debian_stretch || is_debian_buster; then
-        interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
+        interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
     else
-        interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ")
+        interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
     fi
     for interface in $interfaces; do
         if ! grep -q "^auto $interface" /etc/network/interfaces; then
@@ -569,6 +603,7 @@ check_evobackup_exclude_mount() {
             failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
         done
     done
+    rm -rf "${excludes_file}"
 }
 # Verification de la presence du userlogrotate
 check_userlogrotate() {
@@ -681,6 +716,7 @@ check_backupuptodate() {
     backup_dir="/home/backup"
     if [ -d "${backup_dir}" ]; then
         if [ -n "$(ls -A ${backup_dir})" ]; then
+            # shellcheck disable=SC2231
             for file in ${backup_dir}/*; do
                 limit=$(date +"%s" -d "now - 2 day")
                 updated_at=$(stat -c "%Y" "$file")
@@ -771,7 +807,7 @@ check_tune2fs_m5() {
     done
 }
 check_evolinuxsudogroup() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if grep -q "^evolinux-sudo:" /etc/group; then
             grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
                 || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
@@ -779,7 +815,7 @@ check_evolinuxsudogroup() {
     fi
 }
 check_userinadmgroup() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
         for user in $users; do
             if ! groups "$user" | grep -q adm; then
@@ -790,7 +826,7 @@ check_userinadmgroup() {
     fi
 }
 check_apache2evolinuxconf() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if test -d /etc/apache2; then
             { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
                 && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
@@ -800,7 +836,7 @@ check_apache2evolinuxconf() {
     fi
 }
 check_backportsconf() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         grep -qsE "^[^#].*backports" /etc/apt/sources.list \
             && failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
         if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
@@ -810,7 +846,7 @@ check_backportsconf() {
     fi
 }
 check_bind9munin() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed bind9; then
             { test -L /etc/munin/plugins/bind9 \
                 && test -e /etc/munin/plugin-conf.d/bind9;
@@ -819,7 +855,7 @@ check_bind9munin() {
     fi
 }
 check_bind9logrotate() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed bind9; then
             test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
         fi
@@ -840,7 +876,7 @@ check_broadcomfirmware() {
 check_hardwareraidtool() {
     LSPCI_BIN=$(command -v lspci)
     if [ -x "${LSPCI_BIN}" ]; then
-        if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then
+        if ${LSPCI_BIN} | grep -q 'MegaRAID'; then
             # shellcheck disable=SC2015
             is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
                 || failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
@@ -853,7 +889,7 @@ check_hardwareraidtool() {
     fi
 }
 check_log2mailsystemdunit() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         systemctl -q is-active log2mail.service \
             || failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running"
         test -f /etc/systemd/system/log2mail.service \
@@ -869,7 +905,7 @@ check_listupgrade() {
         || failed "IS_LISTUPGRADE" "missing listupgrade script or not executable"
 }
 check_mariadbevolinuxconf() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed mariadb-server; then
             { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
                 && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
@@ -945,6 +981,7 @@ check_elastic_backup() {
     fi
 }
 check_mariadbsystemdunit() {
+    # TODO: check if it is still needed for bullseye
     if is_debian_stretch || is_debian_buster; then
         if is_installed mariadb-server; then
             if systemctl -q is-active mariadb.service; then
@@ -955,7 +992,7 @@ check_mariadbsystemdunit() {
     fi
 }
 check_mysqlmunin() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed mariadb-server; then
             for file in mysql_bytes mysql_queries mysql_slowqueries \
                 mysql_threads mysql_connections mysql_files_tables \
@@ -973,7 +1010,7 @@ check_mysqlmunin() {
     fi
 }
 check_mysqlnrpe() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed mariadb-server; then
             nagios_file=~nagios/.my.cnf
             if ! test -f ${nagios_file}; then
@@ -989,9 +1026,10 @@ check_mysqlnrpe() {
     fi
 }
 check_phpevolinuxconf() {
-    if is_debian_stretch || is_debian_buster; then
-        is_debian_stretch && phpVersion="7.0"
-        is_debian_buster && phpVersion="7.3"
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
+        is_debian_stretch  && phpVersion="7.0"
+        is_debian_buster   && phpVersion="7.3"
+        is_debian_bullseye && phpVersion="7.4"
         if is_installed php; then
             { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \
                 && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini
@@ -1000,15 +1038,15 @@ check_phpevolinuxconf() {
     fi
 }
 check_squidlogrotate() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed squid; then
-            grep -q monthly /etc/logrotate.d/squid \
+            grep -q -e monthly -e daily /etc/logrotate.d/squid \
                 || failed "IS_SQUIDLOGROTATE" "missing squid logrotate file"
         fi
     fi
 }
 check_squidevolinuxconf() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if is_installed squid; then
             { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
                 && test -f /etc/squid/evolinux-defaults.conf \
@@ -1044,7 +1082,7 @@ check_duplicate_fs_label() {
     fi
 }
 check_evolix_user() {
-    grep -q "evolix:" /etc/passwd \
+    grep -q -E "^evolix:" /etc/passwd \
         && failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
 }
 check_evoacme_cron() {
@@ -1083,7 +1121,7 @@ check_apache_confenabled() {
     # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
     # must be replaced by conf-available/ and config files symlinked
     # to conf-enabled/
-    if is_debian_jessie || is_debian_stretch || is_debian_buster; then
+    if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if [ -f /etc/apache2/apache2.conf ]; then
             test -d /etc/apache2/conf.d/ \
                 && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists"
@@ -1095,7 +1133,7 @@ check_apache_confenabled() {
 check_meltdown_spectre() {
     # For Stretch, detection is easy as the kernel use
     # /sys/devices/system/cpu/vulnerabilities/
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         for vuln in meltdown spectre_v1 spectre_v2; do
             test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \
                 || failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln"
@@ -1148,7 +1186,7 @@ check_usrsharescripts() {
     test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
 }
 check_sshpermitrootno() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
             grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
                 || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
@@ -1159,7 +1197,7 @@ check_sshpermitrootno() {
     fi
 }
 check_evomaintenanceusers() {
-    if is_debian_stretch || is_debian_buster; then
+    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
         users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
     else
         if [ -f /etc/sudoers.d/evolinux ]; then
@@ -1295,6 +1333,154 @@ check_nginx_letsencrypt_uptodate() {
     fi
 }
 
+check_lxc_container_resolv_conf() {
+    if is_installed lxc; then
+        container_list=$(lxc-ls)
+        current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
+
+       for container in $container_list; do
+            if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then
+
+                while read -r resolver; do
+                    if ! grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then
+                        failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf"
+                    fi
+                done <<< "${current_resolvers}"
+
+            else
+                failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}"
+            fi
+        done 
+    fi
+}
+download_versions() {
+    local file
+    file=${1:-}
+
+    ## The file is supposed to list programs : each on a line, then its latest version number
+    ## Examples:
+    # evoacme 21.06
+    # evomaintenance 0.6.4
+
+    if is_debian; then
+        versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
+    elif is_openbsd; then
+        versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}"
+    else
+        failed "IS_VERSIONS_CHECK" "error determining os release"
+    fi
+
+    # fetch timeout, in seconds
+    timeout=10
+
+    if command -v curl > /dev/null; then
+        curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}"
+    elif command -v wget > /dev/null; then
+        wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}"
+    elif command -v GET; then
+        GET -t ${timeout}s "${versions_url}" > "${versions_file}"
+    else
+        failed "IS_VERSIONS_CHECK" "failed to find curl, wget or GET"
+    fi
+    test "$?" -eq 0 || failed "IS_VERSIONS_CHECK" "failed to download ${versions_url} to ${versions_file}"
+}
+get_command() {
+    local program
+    program=${1:-}
+
+    case "${program}" in
+        ## Special cases where the program name is different than the command name
+        evocheck) echo "${0}" ;;
+        evomaintenance) command -v "evomaintenance.sh" ;;
+        listupgrade) command -v "evolistupgrade.sh" ;;
+        old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;;
+        mysql-queries-killer) command -v "mysql-queries-killer.sh" ;;
+
+        ## General case, where the program name is the same as the command name
+        *) command -v "${program}" ;;
+    esac
+}
+get_version() {
+    local program
+    local command
+    program=${1:-}
+    command=${2:-}
+
+    case "${program}" in
+        ## Special case if `command --version => 'command` is not the standard way to get the version
+        # my_command)
+        #    /path/to/my_command --get-version 
+        #    ;;
+
+        add-vm)
+            grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
+            ;;
+        ## Let's try the --version flag before falling back to grep for the constant
+        kvmstats)
+            if ${command} --version > /dev/null 2> /dev/null; then
+                 ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3
+            else
+                grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
+            fi
+            ;;
+
+        ## General case to get the version
+        *) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
+    esac
+}
+check_version() {
+    local program
+    local expected_version
+    program=${1:-}
+    expected_version=${2:-}
+
+    command=$(get_command "${program}")
+    if [ -n "${command}" ]; then
+        # shellcheck disable=SC2086
+        actual_version=$(get_version "${program}" "${command}")
+        # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}"
+        if [ -z "${actual_version}" ]; then
+            failed "IS_VERSIONS_CHECK" "failed to lookup actual version of ${program}"
+        elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then
+            failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is older than expected version ${expected_version}"
+        elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then
+            failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update tour index."
+        else
+            : # Version check OK
+        fi
+    fi
+}
+add_to_path() {
+    local new_path
+    new_path=${1:-}
+
+    echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
+}
+check_versions() {
+    versions_file=$(mktemp --tmpdir=/tmp "evocheck-versions.XXXXX")
+    # shellcheck disable=SC2064
+    trap "rm -f ${versions_file}" 0
+    download_versions "${versions_file}"
+    add_to_path "/usr/share/scripts"
+
+    grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
+        local program
+        local version
+        program=$(echo "${line}" | cut -d ' ' -f 1)
+        version=$(echo "${line}" | cut -d ' ' -f 2)
+
+        if [ -n "${program}" ]; then
+            if [ -n "${version}" ]; then
+                check_version "${program}" "${version}"
+            else
+                failed "IS_VERSIONS_CHECK" "failed to lookup expected version for ${program}"
+            fi
+        fi
+    done
+
+    rm -f "${versions_file}"
+}
+
 main() {
     # Default return code : 0 = no error
     RC=0
@@ -1349,6 +1535,8 @@ main() {
         test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
         test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
         test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
+        # Enable when minifirewall is released
+        test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes
         test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
         test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
         test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
@@ -1421,6 +1609,8 @@ main() {
         test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
         test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
         test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
+        test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
+        test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
     fi
 
     #-----------------------------------------------------------
@@ -1528,10 +1718,13 @@ main() {
     exit ${RC}
 }
 
+PROGNAME=$(basename "$0")
 # shellcheck disable=SC2034
-readonly PROGNAME=$(basename "$0")
-# shellcheck disable=2124
-readonly ARGS=$@
+readonly PROGNAME
+
+# shellcheck disable=SC2124
+ARGS=$@
+readonly ARGS
 
 # Disable LANG*
 export LANG=C
@@ -1557,6 +1750,7 @@ while :; do
             IS_KERNELUPTODATE=0
             IS_UPTIME=0
             IS_MELTDOWN_SPECTRE=0
+            IS_CHECK_VERSIONS=0
             ;;
         -v|--verbose)
             VERBOSE=1

evocheck/tasks/install_package.yml

@@ -1,5 +0,0 @@
----
-- name: install evocheck from package
-  apt:
-    name: evocheck
-    state: present

evocheck/tasks/main.yml

@@ -1,10 +1,13 @@
 ---
 
-- include: install_local.yml
-  when: evocheck_force_install == "local"
+- name: Package install is not supported anymore
+  fail:
+    msg: Package install is not supported anymore
+  when: 
+    - evocheck_force_install is defined
+    - evocheck_force_install == "package"
 
-- include: install_package.yml
-  when: evocheck_force_install == "package"
+- include: install.yml
 
 - include: cron.yml
   when: evocheck_update_crontab | bool

evolinux-base/defaults/main.yml

@@ -78,6 +78,7 @@ evolinux_packages_include: True
 evolinux_packages_system: True
 evolinux_packages_diagnostic: True
 evolinux_packages_hardware: True
+evolinux_packages_hardware_raid: True
 evolinux_packages_common: True
 evolinux_packages_stretch: True
 evolinux_packages_buster: True
@@ -89,6 +90,7 @@ evolinux_packages_invalid_mta: True
 evolinux_packages_delete_nfs: True
 evolinux_packages_listchanges: True
 evolinux_packages_logcheck_recipient: False
+evolinux_packages_delete_aptlistchanges: True
 
 # system
 
@@ -164,8 +166,10 @@ evolinux_logs_include: True
 
 evolinux_logs_logrotate_confs: True
 evolinux_logs_default_rotate: True
+evolinux_logs_default_dateext : True
 evolinux_logs_disable_logrotate_rsyslog: True
 evolinux_logs_rsyslog_conf: True
+evolinux_logrotate_dateformat: "-%Y%m%d%H"
 
 # default www
 
@@ -206,7 +210,6 @@ evolinux_fail2ban_include: False
 # Evocheck
 
 evolinux_evocheck_include: True
-evolinux_evocheck_force_install: "local"
 
 # Listupgrade
 
@@ -218,3 +221,6 @@ evolinux_generateldif_include: True
 
 # Cron check_hpraid
 evolinux_cron_checkhpraid_frequency: daily
+
+# Motd
+evolinux_motd_include: True

evolinux-base/files/alert5.service

@@ -1,9 +1,10 @@
 [Unit]
 Description=Evolix alert5 script
+After=network.target
 
 [Service]
 Type=oneshot
 ExecStart=/usr/share/scripts/alert5.sh
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

evolinux-base/files/backup-server-state.sh

@@ -0,0 +1,1019 @@
+#!/bin/sh
+
+PROGNAME="backup-server-state"
+
+VERSION="22.01.3"
+readonly VERSION
+
+backup_dir=
+rc=0
+
+# base functions
+
+show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2018-2022 Evolix <info@evolix.fr>,
+                    Jérémy Lecour <jlecour@evolix.fr>
+                    and others.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public License v3.0 for details.
+END
+}
+show_help() {
+    cat <<END
+${PROGNAME} is making backup copies of information related to the state of the server.
+
+Usage: ${PROGNAME} --backup-dir=/path/to/backup/directory [OPTIONS]
+
+Options
+ -d, --backup-dir     path to the directory where the backup will be stored
+ -f, --force          keep existing backup directory and its content
+     --etc            backup copy of /etc
+     --no-etc         no backup copy of /etc (default)
+     --dpkg           backup copy of /var/lib/dpkg
+     --no-dpkg        no backup copy of /var/lib/dpkg (default)
+     --apt-states     backup copy of apt extended states (default)
+     --no-apt-states  no backup copy of apt extended states
+     --apt-config     backup copy of apt configuration (default)
+     --no-apt-config  no backup copy of apt configuration
+     --packages       backup copy of dpkg selections (default)
+     --no-packages    no backup copy of dpkg selections
+     --processes      backup copy of process list (default)
+     --no-processes   no backup copy of process list
+     --uptime         backup of uptime value (default)
+     --no-uptime      no backup of uptime value
+     --netstat        backup copy of netstat (default)
+     --no-netstat     no backup copy of netstat
+     --netcfg         backup copy of network configuration (default)
+     --no-netcfg      no backup copy of network configuration
+     --iptables       backup copy of iptables (default)
+     --no-iptables    no backup copy of iptables
+     --sysctl         backup copy of sysctl values (default)
+     --no-sysctl      no backup copy of sysctl values
+     --virsh          backup copy of virsh list (default)
+     --no-virsh       no backup copy of virsh list
+     --lxc            backup copy of lxc list (default)
+     --no-lxc         no backup copy of lxc list
+     --disks          backup copy of MBR and partitions (default)
+     --no-disks       no backup copy of MBR and partitions
+     --mount          backup copy of mount points (default)
+     --no-mount       no backup copy of mount points
+     --df             backup copy of disk usage (default)
+     --no-df          no backup copy of disk usage
+     --dmesg          backup copy of dmesg (default)
+     --no-dmesg       no backup copy of dmesg
+     --mysql          backup copy of mysql processes (default)
+     --no-mysql       no backup copy of mysql processes
+     --services       backup copy of services states (default)
+     --no-services    no backup copy of services states
+ -v, --verbose        print details about backup steps
+ -V, --version        print version and exit
+ -h, --help           print this message and exit
+END
+}
+debug() {
+    if [ "${VERBOSE}" = "1" ]; then
+        echo "$1"
+    fi
+}
+
+create_backup_dir() {
+    debug "Create ${backup_dir}"
+
+    last_result=$(mkdir -p "${backup_dir}" && chmod -R 755 "${backup_dir}")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* mkdir/chmod OK"
+    else
+        debug "* mkdir/chmod ERROR :"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_etc() {
+    debug "Backup /etc"
+
+    rsync_bin=$(command -v rsync)
+
+    if [ -n "${rsync_bin}" ]; then
+        last_result=$(${rsync_bin} -ah --itemize-changes --exclude=.git /etc "${backup_dir}/")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* rsync OK"
+        else
+            debug "* rsync ERROR :"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* rsync not found"
+        last_result=$(cp -r /etc "${backup_dir}/ && rm -rf ${backup_dir}/etc/.git")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* cp OK"
+        else
+            debug "* cp ERROR :"
+            debug "${last_result}"
+            rc=10
+        fi
+    fi
+}
+
+backup_apt_states() {
+    apt_dir="/"
+    apt_dir_state="var/lib/apt"
+    apt_dir_state_extended_states="extended_states"
+
+    apt_config_bin=$(command -v apt-config)
+
+    if [ -n "${apt_config_bin}" ]; then
+        eval "$(${apt_config_bin} shell apt_dir Dir)"
+        eval "$(${apt_config_bin} shell apt_dir_state Dir::State)"
+        eval "$(${apt_config_bin} shell apt_dir_state_extended_states Dir::State::extended_states)"
+    fi
+    extended_states="${apt_dir}/${apt_dir_state}/${apt_dir_state_extended_states}"
+
+    if [ -f "${extended_states}" ]; then
+        debug "Backup APT states"
+
+        last_result=$(cp -r "${extended_states}" "${backup_dir}/apt-extended-states.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* cp OK"
+        else
+            debug "* cp ERROR :"
+            debug "${last_result}"
+            rc=10
+        fi
+    fi
+}
+
+backup_apt_config() {
+    debug "Backup APT config"
+
+    apt_config_bin=$(command -v apt-config)
+
+    if [ -n "${apt_config_bin}" ]; then
+        last_result=$(${apt_config_bin} dump > "${backup_dir}/apt-config.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* apt-config OK"
+        else
+            debug "* apt-config ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* apt-config is not found"
+    fi
+}
+
+backup_dpkg_full() {
+    debug "Backup DPkg full state"
+
+    dir_state_status="/var/lib/dpkg/status"
+
+    apt_config_bin=$(command -v apt-config)
+
+    if [ -n "${apt_config_bin}" ]; then
+        eval "$(${apt_config_bin} shell dir_state_status Dir::State::status)"
+    fi
+
+    dpkg_dir=$(dirname "${dir_state_status}")
+
+    last_result=$(mkdir -p "${backup_dir}${dpkg_dir}" && chmod -R 755 "${backup_dir}${dpkg_dir}")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* mkdir/chmod OK"
+    else
+        debug "* mkdir/chmod ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+
+    rsync_bin=$(command -v rsync)
+
+    if [ -n "${rsync_bin}" ]; then
+        last_result=$(${rsync_bin} -ah --itemize-changes --exclude='*-old' "${dpkg_dir}/" "${backup_dir}${dpkg_dir}/")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* rsync OK"
+        else
+            debug "* rsync ERROR :"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* rsync not found"
+
+        last_result=$(cp -r "${dpkg_dir}/*" "${backup_dir}${dpkg_dir}/" && rm -rf "${backup_dir}${dpkg_dir}/*-old")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* cp OK"
+        else
+            debug "* cp ERROR :"
+            debug "${last_result}"
+            rc=10
+        fi
+    fi
+}
+
+backup_dpkg_status() {
+    debug "Backup DPkg status"
+
+    dir_state_status="/var/lib/dpkg/status"
+
+    apt_config_bin=$(command -v apt-config)
+
+    if [ -n "${apt_config_bin}" ]; then
+        eval "$(${apt_config_bin} shell dir_state_status Dir::State::status)"
+    fi
+
+    last_result=$(cp "${dir_state_status}" "${backup_dir}/dpkg-status.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* cp OK"
+    else
+        debug "* cp ERROR :"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_packages() {
+    debug "Backup list of installed package"
+
+    dpkg_bin=$(command -v dpkg)
+
+    if [ -n "${dpkg_bin}" ]; then
+        last_result=$(${dpkg_bin} --get-selections "*" > "${backup_dir}/current_packages.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* dpkg OK"
+        else
+            debug "* dpkg ERROR :"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* dpkg not found"
+    fi
+}
+
+backup_uname() {
+    debug "Backup uname"
+
+    last_result=$(uname -a > "${backup_dir}/uname.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* uname OK"
+    else
+        debug "* uname ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_uptime() {
+    debug "Backup uptime"
+
+    last_result=$(uptime > "${backup_dir}/uptime.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* uptime OK"
+    else
+        debug "* uptime ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+}
+
+backup_processes() {
+    debug "Backup process list"
+
+    last_result=$(ps fauxw > "${backup_dir}/ps.txt")
+    last_rc=$?
+
+    if [ ${last_rc} -eq 0 ]; then
+        debug "* ps OK"
+    else
+        debug "* ps ERROR"
+        debug "${last_result}"
+        rc=10
+    fi
+
+    pstree_bin=$(command -v pstree)
+
+    if [ -n "${pstree_bin}" ]; then
+        last_result=$(${pstree_bin} -pan > "${backup_dir}/pstree.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* pstree OK"
+        else
+            debug "* pstree ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    fi
+}
+
+backup_netstat() {
+    debug "Backup network status"
+
+    ss_bin=$(command -v ss)
+
+    if [ -n "${ss_bin}" ]; then
+        last_result=$(${ss_bin} -tanpul > "${backup_dir}/netstat-ss.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* ss OK"
+        else
+            debug "* ss ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* ss not found"
+    fi
+
+    netstat_bin=$(command -v netstat)
+
+    if [ -n "${netstat_bin}" ]; then
+        last_result=$(netstat -laputen > "${backup_dir}/netstat-legacy.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* netstat OK"
+        else
+            debug "* netstat ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* netstat not found"
+    fi
+}
+
+backup_netcfg() {
+    debug "Backup network configuration"
+
+    ip_bin=$(command -v ip)
+
+    if [ -n "${ip_bin}" ]; then
+        last_result=$(${ip_bin} address show > "${backup_dir}/ip-address.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* ip address OK"
+        else
+            debug "* ip address ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+
+        last_result=$(${ip_bin} route show > "${backup_dir}/ip-route.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* ip route OK"
+        else
+            debug "* ip route ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* ip not found"
+
+        ifconfig_bin=$(command -v ifconfig)
+
+        if [ -n "${ifconfig_bin}" ]; then
+            last_result=$(${ifconfig_bin} > "${backup_dir}/ifconfig.txt")
+            last_rc=$?
+
+            if [ ${last_rc} -eq 0 ]; then
+                debug "* ifconfig OK"
+            else
+                debug "* ifconfig ERROR"
+                debug "${last_result}"
+                rc=10
+            fi
+        else
+            debug "* ifconfig not found"
+        fi
+    fi
+}
+
+backup_iptables() {
+    debug "Backup iptables"
+
+    iptables_bin=$(command -v iptables)
+
+    if [ -n "${iptables_bin}" ]; then
+        last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${backup_dir}/iptables.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* iptables OK"
+        else
+            debug "* iptables ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* iptables not found"
+    fi
+
+    iptables_save_bin=$(command -v iptables-save)
+
+    if [ -n "${iptables_save_bin}" ]; then
+        last_result=$(${iptables_save_bin} > "${backup_dir}/iptables-save.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* iptables-save OK"
+        else
+            debug "* iptables-save ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* iptables-save not found"
+    fi
+}
+
+backup_sysctl() {
+    debug "Backup sysctl values"
+
+    sysctl_bin=$(command -v sysctl)
+
+    if [ -n "${sysctl_bin}" ]; then
+        last_result=$(${sysctl_bin} -a | sort -h > "${backup_dir}/sysctl.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* sysctl OK"
+        else
+            debug "* sysctl ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* sysctl not found"
+    fi
+}
+
+backup_virsh() {
+    debug "Backup virsh list"
+
+    virsh_bin=$(command -v virsh)
+
+    if [ -n "${virsh_bin}" ]; then
+        last_result=$(${virsh_bin} list --all > "${backup_dir}/virsh-list.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* virsh list OK"
+        else
+            debug "* virsh list ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* virsh not found"
+    fi
+}
+
+backup_lxc() {
+    debug "Backup lxc list"
+
+    lxc_ls_bin=$(command -v lxc-ls)
+
+    if [ -n "${lxc_ls_bin}" ]; then
+        last_result=$(${lxc_ls_bin} --fancy > "${backup_dir}/lxc-list.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* lxc list OK"
+        else
+            debug "* lxc list ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* lxc-ls not found"
+    fi
+}
+
+backup_disks() {
+    debug "Backup disks"
+
+    lsblk_bin=$(command -v lsblk)
+    awk_bin=$(command -v awk)
+
+    if [ -n "${lsblk_bin}" ] && [ -n "${awk_bin}" ]; then
+        disks=$(${lsblk_bin} -l | grep disk | grep -v -E '(drbd|fd[0-9]+)' | ${awk_bin} '{print $1}')
+        for disk in ${disks}; do
+            dd_bin=$(command -v dd)
+            if [ -n "${dd_bin}" ]; then
+                last_result=$(${dd_bin} if="/dev/${disk}" of="${backup_dir}/MBR-${disk}" bs=512 count=1 2>&1)
+                last_rc=$?
+
+                if [ ${last_rc} -eq 0 ]; then
+                    debug "* dd ${disk} OK"
+                else
+                    debug "* dd ${disk} ERROR"
+                    debug "${last_result}"
+                    rc=10
+                fi
+            else
+                debug "* dd not found"
+            fi
+            fdisk_bin=$(command -v fdisk)
+            if [ -n "${fdisk_bin}" ]; then
+                last_result=$(${fdisk_bin} -l "/dev/${disk}" > "${backup_dir}/partitions-${disk}" 2>&1)
+                last_rc=$?
+
+                if [ ${last_rc} -eq 0 ]; then
+                    debug "* fdisk ${disk} OK"
+                else
+                    debug "* fdisk ${disk} ERROR"
+                    debug "${last_result}"
+                    rc=10
+                fi
+            else
+                debug "* fdisk not found"
+            fi
+        done
+        cat "${backup_dir}"/partitions-* > "${backup_dir}/partitions"
+    else
+        if [ -n "${lsblk_bin}" ]; then
+            debug "* lsblk not found"
+        fi
+        if [ -n "${awk_bin}" ]; then
+            debug "* awk not found"
+        fi
+    fi
+}
+
+backup_mount() {
+    debug "Backup mount points"
+
+    findmnt_bin=$(command -v findmnt)
+
+    if [ -n "${findmnt_bin}" ]; then
+        last_result=$(${findmnt_bin} > "${backup_dir}/mount.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* mount points OK"
+        else
+            debug "* mount points ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* findmnt not found"
+
+        mount_bin=$(command -v mount)
+
+        if [ -n "${mount_bin}" ]; then
+            last_result=$(${mount_bin} > "${backup_dir}/mount.txt")
+            last_rc=$?
+
+            if [ ${last_rc} -eq 0 ]; then
+                debug "* mount points OK"
+            else
+                debug "* mount points ERROR"
+                debug "${last_result}"
+                rc=10
+            fi
+        else
+            debug "* mount not found"
+        fi
+    fi
+}
+
+backup_df() {
+    debug "Backup df"
+
+    df_bin=$(command -v df)
+
+    if [ -n "${df_bin}" ]; then
+        last_result=$(${df_bin} --portability > "${backup_dir}/df.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* df OK"
+        else
+            debug "* df ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* df not found"
+    fi
+}
+
+backup_dmesg() {
+    debug "Backup dmesg"
+
+    dmesg_bin=$(command -v dmesg)
+
+    if [ -n "${dmesg_bin}" ]; then
+        last_result=$(${dmesg_bin} > "${backup_dir}/dmesg.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* dmesg OK"
+        else
+            debug "* dmesg ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* dmesg not found"
+    fi
+}
+
+backup_mysql_processes() {
+    debug "Backup mysql processes"
+
+    mysqladmin_bin=$(command -v mysqladmin)
+
+    if [ -n "${mysqladmin_bin}" ]; then
+        last_result=$(${mysqladmin_bin} --verbose processlist > "${backup_dir}/mysql-processlist.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* mysqladmin OK"
+        else
+            debug "* mysqladmin ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* mysqladmin not found"
+    fi
+}
+
+backup_systemctl() {
+    debug "Backup services"
+
+    systemctl_bin=$(command -v systemctl)
+
+    if [ -n "${systemctl_bin}" ]; then
+        last_result=$(${systemctl_bin} --no-legend --state=failed --type=service > "${backup_dir}/systemctl-failed-services.txt")
+        last_rc=$?
+
+        if [ ${last_rc} -eq 0 ]; then
+            debug "* failed services OK"
+        else
+            debug "* failed services ERROR"
+            debug "${last_result}"
+            rc=10
+        fi
+    else
+        debug "* systemctl not found"
+    fi
+}
+
+
+main() {
+    if [ -z "${backup_dir}" ]; then
+        echo "ERROR: You must provide the --backup-dir argument" >&2
+        exit 1
+    fi
+
+    if [ -d "${backup_dir}" ]; then
+        if [ "${FORCE}" != "1" ]; then
+            echo "ERROR: The backup directory ${backup_dir} already exists. Delete it first." >&2
+            exit 2
+        fi
+    else
+        create_backup_dir
+    fi
+
+    if [ "${DO_ETC}" -eq 1 ]; then
+        backup_etc
+    fi
+    if [ "${DO_DPKG_FULL}" -eq 1 ]; then
+        backup_dpkg_full
+    fi
+    if [ "${DO_DPKG_STATUS}" -eq 1 ]; then
+        backup_dpkg_status
+    fi
+    if [ "${DO_APT_STATES}" -eq 1 ]; then
+        backup_apt_states
+    fi
+    if [ "${DO_APT_CONFIG}" -eq 1 ]; then
+        backup_apt_config
+    fi
+    if [ "${DO_PACKAGES}" -eq 1 ]; then
+        backup_packages
+    fi
+    if [ "${DO_PROCESSES}" -eq 1 ]; then
+        backup_processes
+    fi
+    if [ "${DO_UPTIME}" -eq 1 ]; then
+        backup_uptime
+    fi
+    if [ "${DO_UNAME}" -eq 1 ]; then
+        backup_uname
+    fi
+    if [ "${DO_NETSTAT}" -eq 1 ]; then
+        backup_netstat
+    fi
+    if [ "${DO_NETCFG}" -eq 1 ]; then
+        backup_netcfg
+    fi
+    if [ "${DO_IPTABLES}" -eq 1 ]; then
+        backup_iptables
+    fi
+    if [ "${DO_SYSCTL}" -eq 1 ]; then
+        backup_sysctl
+    fi
+    if [ "${DO_VIRSH}" -eq 1 ]; then
+        backup_virsh
+    fi
+    if [ "${DO_LXC}" -eq 1 ]; then
+        backup_lxc
+    fi
+    if [ "${DO_DISKS}" -eq 1 ]; then
+        backup_disks
+    fi
+    if [ "${DO_MOUNT}" -eq 1 ]; then
+        backup_mount
+    fi
+    if [ "${DO_DF}" -eq 1 ]; then
+        backup_df
+    fi
+    if [ "${DO_DMESG}" -eq 1 ]; then
+        backup_dmesg
+    fi
+    if [ "${DO_MYSQL_PROCESSES}" -eq 1 ]; then
+        backup_mysql_processes
+    fi
+    if [ "${DO_SYSTEMCTL}" -eq 1 ]; then
+        backup_systemctl
+    fi
+
+
+    debug "=> Your backup is available at ${backup_dir}"
+    exit ${rc}
+}
+
+# parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case $1 in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        -v|--verbose)
+            VERBOSE=1
+            ;;
+
+        -f|--force)
+            FORCE=1
+            ;;
+
+        -d|--backup-dir)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                backup_dir=$2
+                shift
+            else
+                printf 'ERROR: "-d|--backup-dir" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --backup-dir=?*)
+            # with value speparated by =
+            backup_dir=${1#*=}
+            ;;
+        --backup-dir=)
+            # without value
+            printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+
+        --etc)
+            DO_ETC=1
+            ;;
+        --no-etc)
+            DO_ETC=0
+            ;;
+
+        --dpkg-full)
+            DO_DPKG_FULL=1
+            ;;
+        --no-dpkg-full)
+            DO_DPKG_FULL=0
+            ;;
+
+        --dpkg-status)
+            DO_DPKG_STATUS=1
+            ;;
+        --no-dpkg-status)
+            DO_DPKG_STATUS=0
+            ;;
+
+        --apt-states)
+            DO_APT_STATES=1
+            ;;
+        --no-apt-states)
+            DO_APT_STATES=0
+            ;;
+
+        --apt-config)
+            DO_APT_CONFIG=1
+            ;;
+        --no-apt-config)
+            DO_APT_CONFIG=0
+            ;;
+
+        --packages)
+            DO_PACKAGES=1
+            ;;
+        --no-packages)
+            DO_PACKAGES=0
+            ;;
+
+        --processes)
+            DO_PROCESSES=1
+            ;;
+        --no-processes)
+            DO_PROCESSES=0
+            ;;
+
+        --uptime)
+            DO_UPTIME=1
+            ;;
+        --no-uptime)
+            DO_UPTIME=0
+            ;;
+
+        --uname)
+            DO_UNAME=1
+            ;;
+        --no-uname)
+            DO_UNAME=0
+            ;;
+
+        --netstat)
+            DO_NETSTAT=1
+            ;;
+        --no-netstat)
+            DO_NETSTAT=0
+            ;;
+
+        --netcfg)
+            DO_NETCFG=1
+            ;;
+        --no-netcfg)
+            DO_NETCFG=0
+            ;;
+
+        --iptables)
+            DO_IPTABLES=1
+            ;;
+        --no-iptables)
+            DO_IPTABLES=0
+            ;;
+
+        --sysctl)
+            DO_SYSCTL=1
+            ;;
+        --no-sysctl)
+            DO_SYSCTL=0
+            ;;
+
+        --virsh)
+            DO_VIRSH=1
+            ;;
+        --no-virsh)
+            DO_VIRSH=0
+            ;;
+
+        --lxc)
+            DO_LXC=1
+            ;;
+        --no-lxc)
+            DO_LXC=0
+            ;;
+
+        --disks)
+            DO_DISKS=1
+            ;;
+        --no-disks)
+            DO_DISKS=0
+            ;;
+
+        --mount)
+            DO_MOUNT=1
+            ;;
+        --no-mount)
+            DO_MOUNT=0
+            ;;
+
+        --df)
+            DO_DF=1
+            ;;
+        --no-df)
+            DO_DF=0
+            ;;
+
+        --dmesg)
+            DO_DMESG=1
+            ;;
+        --no-dmesg)
+            DO_DMESG=0
+            ;;
+
+        --mysql-processes)
+            DO_MYSQL_PROCESSES=1
+            ;;
+        --no-mysql-processes)
+            DO_MYSQL_PROCESSES=0
+            ;;
+
+        --systemctl)
+            DO_SYSTEMCTL=1
+            ;;
+        --no-systemctl)
+            DO_SYSTEMCTL=0
+            ;;
+
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*)
+            # ignore unknown options
+            printf 'WARN: Unknown option : %s\n' "$1" >&2
+            exit 1
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+# Default values
+: "${VERBOSE:=0}"
+: "${FORCE:=0}"
+: "${DO_ETC:=0}"
+: "${DO_DPKG_FULL:=0}"
+: "${DO_DPKG_STATUS:=1}"
+: "${DO_APT_STATES:=1}"
+: "${DO_APT_CONFIG:=1}"
+: "${DO_PACKAGES:=1}"
+: "${DO_PROCESSES:=1}"
+: "${DO_UNAME:=1}"
+: "${DO_UPTIME:=1}"
+: "${DO_NETSTAT:=1}"
+: "${DO_NETCFG:=1}"
+: "${DO_IPTABLES:=1}"
+: "${DO_SYSCTL:=1}"
+: "${DO_VIRSH:=1}"
+: "${DO_LXC:=1}"
+: "${DO_DISKS:=1}"
+: "${DO_MOUNT:=1}"
+: "${DO_DF:=1}"
+: "${DO_DMESG:=1}"
+: "${DO_MYSQL_PROCESSES:=1}"
+: "${DO_SYSTEMCTL:=1}"
+
+export LC_ALL=C
+
+set -u
+
+main

evolinux-base/files/htoprc

@@ -0,0 +1,2 @@
+# Force the SWAP column to the right of the CPU one
+fields=0 48 17 18 38 39 40 119 2 46 47 49 1

evolinux-base/files/logs/logrotate.d/alternatives

@@ -0,0 +1,9 @@
+/var/log/alternatives.log {
+    monthly
+    rotate 120
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 644 root root
+}

evolinux-base/files/logs/logrotate.d/dpkg

@@ -6,14 +6,4 @@
     missingok
     notifempty
     create 644 root root
-}
-/var/log/alternatives.log {
-    monthly
-    rotate 120
-    compress
-    delaycompress
-    missingok
-    notifempty
-    create 644 root root
-}
-
+}

evolinux-base/files/logs/logrotate.disabled/ldap

@@ -2,8 +2,8 @@
         weekly
         missingok
         rotate 3
-	compress
-	notifempty
+        compress
+        notifempty
         create 640 root adm
 }
 

evolinux-base/files/logs/logrotate.disabled/procmail

@@ -1,11 +1,7 @@
 /var/log/procmail.log {
     daily
     rotate 365
-    dateext
-    dateyesterday
-    dateformat .%Y%m%d
     missingok
-    rotate 365
     create 640 root adm
 }
 

evolinux-base/files/topdefaultrc

@@ -0,0 +1,15 @@
+top's Config File (Linux processes with windows)
+Id:j, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0
+Def     fieldscur=ķ&')*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
+        winflags=193844, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
+        summclr=1, msgsclr=1, headclr=3, taskclr=1
+Job     fieldscur=(Ļ@<)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
+        winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
+        summclr=6, msgsclr=6, headclr=7, taskclr=6
+Mem     fieldscur=<MBND34&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
+        winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
+        summclr=5, msgsclr=5, headclr=4, taskclr=5
+Usr     fieldscur=)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
+        winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
+        summclr=3, msgsclr=3, headclr=2, taskclr=3
+Fixed_widest=0, Summ_mscale=1, Task_mscale=0, Zero_suppress=0

evolinux-base/meta/main.yml

@@ -14,6 +14,7 @@ galaxy_info:
         - jessie
         - stretch
         - buster
+        - bullseye
 
   galaxy_tags: []
     # List tags for your role here, one per line. A tag is

evolinux-base/tasks/fstab.yml

@@ -1,5 +1,6 @@
 ---
 # TODO: trouver comment faire une copie initiale de /etc/fstab
+#   - piste : paramètre "backup" du module mount https://docs.ansible.com/ansible/latest/collections/ansible/posix/mount_module.html
 # TODO: try to use the custom mount_uuid module for a different approach
 
 - name: Fetch fstab content

evolinux-base/tasks/hardware.yml

@@ -3,6 +3,8 @@
   apt:
     name: pciutils
     state: present
+  tags:
+    - packages
 
 ## Broadcom NetXtreme II
 
@@ -12,6 +14,8 @@
   register: broadcom_netextreme_search
   failed_when: False
   changed_when: False
+  tags:
+    - packages
 
 # TODO: add the "non-free" part to the existing sources
 # instead of adding a new source
@@ -22,18 +26,43 @@
     tasks_from: basics.yml
   vars:
     apt_basics_components: "main contrib non-free"
+  tags:
+    - packages
   when: broadcom_netextreme_search.rc == 0
 
+
+## Dedicated hardware
+- name: Install freepmi when it's dedicated hardware
+  apt:
+    name:
+      - libipc-run-perl
+      - freeipmi
+    state: present
+  tags:
+    - packages
+  when: ansible_virtualization_role == "host"
+
 ## RAID
 # Dell and others: MegaRAID SAS
 # HP gen <10: Hewlett-Packard Company Smart Array
 # HP gen >=10: Adaptec Smart Storage PQI
 - name: Detect if RAID is installed
-  shell: "set -o pipefail && lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'"
+  shell:
+    cmd: "lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'"
+    executable: /bin/bash
   check_mode: no
   register: raidmodel
   changed_when: "'FAILED' in raidmodel.stdout"
   failed_when: "'FAILED' in raidmodel.stdout"
+  tags:
+    - packages
+
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - packages
 
 - name: HPE Smart Storage Administrator (ssacli) is present
   block:
@@ -42,6 +71,9 @@
         id: "26C2B797"
         keyring: /etc/apt/trusted.gpg
         state: absent
+      when: _trusted_gpg_keyring.stat.exists
+      tags:
+        - packages
 
     - name: HPE GPG key is installed
       copy:
@@ -51,17 +83,25 @@
         mode: "0644"
         owner: root
         group: root
+      tags:
+        - packages
 
     - name: Add HPE repository
       apt_repository:
         repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free'
         state: present
+      tags:
+        - packages
+
     - name: Install HPE Smart Storage Administrator (ssacli)
       apt:
         name: ssacli
+      tags:
+        - packages
   when:
     - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
     - "'Adaptec Smart Storage PQI' in raidmodel.stdout"
+    - evolinux_packages_hardware_raid | bool
 
 # NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role
 # So, if nagios-nrpe role is not installed it will not work
@@ -72,6 +112,8 @@
         src: check_hpraid.cron.sh
         dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid
         mode: "0755"
+      tags:
+        - config
   when: "'Adaptec Smart Storage PQI' in raidmodel.stdout"
 
 - name: Install and configure cciss-vol-status (HP gen <10)
@@ -80,12 +122,16 @@
       apt:
         name: cciss-vol-status
         state: present
+      tags:
+        - packages
 
     - name: cciss-vol-statusd init script is present (HP gen <10)
       template:
         src: hardware/cciss-vol-statusd.j2
         dest: /etc/init.d/cciss-vol-statusd
         mode: "0755"
+      tags:
+        - packages
 
     - name: Configure cciss-vol-statusd (HP gen <10)
       lineinfile:
@@ -93,22 +139,31 @@
         line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"'
         regexp: 'MAILTO='
         create: yes
+      tags:
+        - config
 
     - name: Enable cciss-vol-status in systemd (HP gen <10)
       service:
         name: cciss-vol-statusd
         enabled: true
         state: restarted
-  when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
+      tags:
+        - packages
+        - config
+  when:
+    - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
+    - evolinux_packages_hardware_raid | bool
 
-- name: MegaRAID SAS package is present
+- name: MegaCLI SAS package is present
   block:
     - name: HWRaid embedded GPG key is absent
       apt_key:
         id: "23B3D3B4"
         keyring: /etc/apt/trusted.gpg
         state: absent
-      when: ansible_distribution_major_version is version('9', '>=')
+      tags:
+        - packages
+      when: _trusted_gpg_keyring.stat.exists
 
     - name: HWRaid GPG key is installed
       copy:
@@ -118,12 +173,16 @@
         mode: "0644"
         owner: root
         group: root
+      tags:
+        - packages
       when: ansible_distribution_major_version is version('9', '>=')
 
     - name: Add HW tool repository
       apt_repository:
         repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main'
         state: present
+      tags:
+        - packages
 
     - name: Install packages for DELL/LSI hardware
       apt:
@@ -131,18 +190,27 @@
           - megacli
           - megaclisas-status
         allow_unauthenticated: yes
+      tags:
+        - packages
 
     - name: Configure packages for DELL/LSI hardware
       template:
         src: hardware/megaclisas-statusd.j2
         dest: /etc/default/megaclisas-statusd
         mode: "0755"
+      tags:
+        - config
 
     - name: Enable DELL/LSI hardware in systemd
       service:
         name: megaclisas-statusd
         enabled: true
-        state: started
-  when: "'MegaRAID SAS' in raidmodel.stdout"
+        state: restarted
+      tags:
+        - packages
+        - config
+  when:
+    - "'MegaRAID' in raidmodel.stdout"
+    - evolinux_packages_hardware_raid | bool
 
 - meta: flush_handlers

evolinux-base/tasks/htop.yml

@@ -0,0 +1,6 @@
+---
+- name: Deploy htop configuration
+  copy:
+    src: htoprc
+    dest: /etc/htoprc
+    mode: "0644"

evolinux-base/tasks/kernel.yml

@@ -8,8 +8,8 @@
     state: present
     reload: yes
   loop:
-  - { name: kernel.panic_on_oops, value: 1 }
-  - { name: kernel.panic, value: 60 }
+    - { name: kernel.panic_on_oops, value: 1 }
+    - { name: kernel.panic, value: 60 }
   when: evolinux_kernel_reboot_after_panic | bool
 
 - name: Don't reboot after panic
@@ -19,14 +19,14 @@
     state: absent
     reload: yes
   loop:
-  - kernel.panic_on_oops
-  - kernel.panic
+    - kernel.panic_on_oops
+    - kernel.panic
   when: not evolinux_kernel_reboot_after_panic | bool
 
 - name: Disable net.ipv4.tcp_timestamps
   sysctl:
     name: net.ipv4.tcp_timestamps
-    value: 0
+    value: '0'
     sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
     state: present
     reload: yes

evolinux-base/tasks/logs.yml

@@ -30,11 +30,34 @@
     dest: /etc/logrotate.d/zsyslog
   when: evolinux_logs_logrotate_confs | bool
 
-- name: Configure logrotate.conf
+- name: Configure logrotate.conf default rotate value
   replace:
     dest: /etc/logrotate.conf
     regexp: "rotate [0-9]+"
     replace: "rotate 12"
   when: evolinux_logs_default_rotate | bool
 
+- name: Enable logrotate.conf dateext option
+  lineinfile:
+    dest: /etc/logrotate.conf
+    line: "dateext"
+    regexp: "^#?\\s*dateext"
+  when: evolinux_logs_default_dateext | bool
+
+- name: Enable logrotate.conf dateformat option
+  lineinfile:
+    dest: /etc/logrotate.conf
+    line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
+    regexp: "^#?\\s*dateformat.*"
+    insertafter: 'dateext'
+  when: evolinux_logs_default_dateext | bool
+
+- name: Disable logrotate.conf dateyesterday option
+  lineinfile:
+    dest: /etc/logrotate.conf
+    line: "# dateyesterday"
+    regexp: "^\\s*dateyesterday"
+    insertafter: 'dateext'
+  when: evolinux_logs_default_dateext | bool
+
 - meta: flush_handlers

evolinux-base/tasks/main.yml

@@ -13,6 +13,7 @@
   vars:
     apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
     apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
+    apt_upgrade: "{{ evolinux_apt_upgrade }}"
   when: evolinux_apt_include | bool
 
 - name: /etc versioning with Git
@@ -97,6 +98,9 @@
   when: evolinux_log2mail_include | bool
 
 - include: motd.yml
+  when: evolinux_motd_include | bool
+
+- include: utils.yml
 
 - name: Munin
   include_role:
@@ -116,8 +120,6 @@
 - name: Evocheck
   include_role:
     name: evolix/evocheck
-  vars:
-    evocheck_force_install: "{{ evolinux_evocheck_force_install }}"
   when: evolinux_evocheck_include | bool
 
 - name: Listupgrade
@@ -129,3 +131,7 @@
   include_role:
     name: evolix/generate-ldif
   when: evolinux_generateldif_include | bool
+
+- include: top.yml
+
+- include: htop.yml

evolinux-base/tasks/packages.yml

@@ -16,6 +16,7 @@
       - ssl-cert
       - ca-certificates
       - rename
+      - dmidecode
   when: evolinux_packages_system | bool
 
 - name: Install/Update diagnostic tools
@@ -34,6 +35,7 @@
       - telnet
       - traceroute
       - man
+      - molly-guard
   when: evolinux_packages_diagnostic | bool
 
 - name: Install/Update hardware tools
@@ -143,5 +145,6 @@
   when:
     - ansible_distribution == "Debian"
     - ansible_distribution_major_version is version('9', '>=')
+    - evolinux_packages_delete_aptlistchanges
 
 - meta: flush_handlers

evolinux-base/tasks/system.yml

@@ -119,10 +119,10 @@
     regexp:  "{{ item.regexp }}"
     replace: "{{ item.replace }}"
   loop:
-  - { regexp: '^17((\s*\*){4})',         replace: '{{ 59|random(start=1) }}\1' }
-  - { regexp: '^25\s*6((\s*\*){3})',     replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
-  - { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
-  - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
+    - { regexp: '^17((\s*\*){4})',         replace: '{{ 59|random(start=1) }}\1' }
+    - { regexp: '^25\s*6((\s*\*){3})',     replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
+    - { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
+    - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
   when:
     - is_cron_installed.rc == 0
     - evolinux_system_cron_random | bool
@@ -153,7 +153,7 @@
 
 
 
-- name: Install alert5 init script (buster)
+- name: Install alert5 init script (buster and later)
   template:
     src: system/alert5.sh.j2
     dest: /usr/share/scripts/alert5.sh
@@ -163,7 +163,7 @@
     - evolinux_system_alert5_init | bool
     - ansible_distribution_major_version is version('10', '>=')
 
-- name: Install alert5 service (buster)
+- name: Install alert5 service (buster and later)
   copy:
     src: alert5.service
     dest: /etc/systemd/system/alert5.service
@@ -173,7 +173,7 @@
     - evolinux_system_alert5_init | bool
     - ansible_distribution_major_version is version('10', '>=')
 
-- name: Enable alert5 init script (buster)
+- name: Enable alert5 init script (buster and later)
   systemd:
     name: alert5
     daemon_reload: yes
@@ -182,6 +182,7 @@
     - evolinux_system_alert5_init | bool
     - evolinux_system_alert5_enable | bool
     - ansible_distribution_major_version is version('10', '>=')
+    - not ansible_check_mode
 
 ## network interfaces
 
@@ -203,13 +204,4 @@
 
 ## /sbin/deny
 
-- name: "/sbin/deny script is present"
-  copy:
-    src: deny.sh
-    dest: /sbin/deny
-    mode: "0700"
-    owner: root
-    group: root
-    force: no
-
 - meta: flush_handlers

evolinux-base/tasks/top.yml

@@ -0,0 +1,7 @@
+---
+- name: Deploy top configuration file
+  copy:
+    # The config format is unredable; ATM it only add the SWAP column
+    src: htoprc
+    dest: /etc/topdefaultrc
+    mode: "0644"

evolinux-base/tasks/utils.yml

@@ -0,0 +1,22 @@
+---
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: backup-server-state script is present
+  copy:
+    src: "backup-server-state.sh"
+    dest: /usr/local/sbin/backup-server-state
+    force: True
+    owner: root
+    group: root
+    mode: "0750"
+
+- name: "/sbin/deny script is present"
+  copy:
+    src: deny.sh
+    dest: /sbin/deny
+    mode: "0700"
+    owner: root
+    group: root
+    force: no

evolinux-base/templates/logs/zsyslog.j2

@@ -1,8 +1,13 @@
 # Custom EvoLinux
 create 640 root adm
+{% if not evolinux_logs_default_dateext %}
+# BEGIN legacy setting
+# … when global dateext and dateformat are not enabled
 dateext
 dateyesterday
 dateformat .%Y%m%d
+# END legacy setting
+{% endif %}
 missingok
 notifempty
 delaycompress

evolinux-users/tasks/main.yml

@@ -20,10 +20,6 @@
 
 - name: Configure sudo
   include: sudo.yml
-  vars:
-    user: "{{ item.value }}"
-  loop: "{{ evolinux_users | dict2items }}"
-  when: evolinux_users | length > 0
 
 - name: Configure SSH
   include: ssh.yml

evolinux-users/tasks/sudo.yml

@@ -1,9 +1,21 @@
 ---
 
 - include: sudo_jessie.yml
-  when: ansible_distribution_release == "jessie"
+  vars:
+    user: "{{ item.value }}"
+  loop: "{{ evolinux_users | dict2items }}"
+  when:
+    - evolinux_users | length > 0
+    - ansible_distribution_release == "jessie"
 
-- include: sudo_stretch.yml
+
+- block:
+  - include: sudo_stretch_common.yml
+
+  - include: sudo_stretch_user.yml
+    vars:
+      user: "{{ item.value }}"
+    loop: "{{ evolinux_users | dict2items }}"
   when:
     - ansible_distribution_major_version is defined
     - ansible_distribution_major_version is version('9', '>=')

evolinux-users/tasks/sudo_stretch_common.yml

@@ -1,5 +1,13 @@
 ---
 
+- name: "/etc/sudoers.d presence and permissions"
+  file:
+    path: /etc/sudoers.d
+    owner: root
+    group: root
+    mode: "0750"
+    state: directory
+
 - name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)"
   template:
     src: sudoers_stretch.j2
@@ -13,15 +21,3 @@
   group:
     name: "{{ evolinux_sudo_group }}"
     system: yes
-
-- name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
-  user:
-    name: '{{ user.name }}'
-    groups: "{{ evolinux_sudo_group }}"
-    append: yes
-
-- name: "Add user to 'adm' group (Debian 9 or later)"
-  user:
-    name: '{{ user.name }}'
-    groups: "adm"
-    append: yes

evolinux-users/tasks/sudo_stretch_user.yml

@@ -0,0 +1,13 @@
+---
+
+- name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
+  user:
+    name: '{{ user.name }}'
+    groups: "{{ evolinux_sudo_group }}"
+    append: yes
+
+- name: "Add user to 'adm' group (Debian 9 or later)"
+  user:
+    name: '{{ user.name }}'
+    groups: "adm"
+    append: yes

evolinux-users/templates/sudoers_jessie.j2

@@ -7,6 +7,8 @@ nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
 nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-jails
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-setup
 nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
 
 ADMINS          ALL = (ALL:ALL) ALL

evolinux-users/templates/sudoers_stretch.j2

@@ -6,10 +6,22 @@ nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
 nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-jails
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check-setup
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
 nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/
+nagios          ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
+nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
+nagios          ALL = NOPASSWD: /sbin/dmsetup status --noflush
+nagios          ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
+nagios          ALL = NOPASSWD: /sbin/ssacli controller all show status
+nagios          ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
+      
 nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
 
 %{{ evolinux_sudo_group }}  ALL=(ALL:ALL) ALL

evomaintenance/files/evomaintenance.sh

@@ -4,16 +4,16 @@
 # Dependencies (all OS): git postgresql-client
 # Dependencies (Debian): sudo
 
-# Copyright 2007-2021 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
+# Copyright 2007-2022 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
 #                     Jérémy Lecour <jlecour@evolix.fr> and others.
 
-VERSION="0.6.4"
+VERSION="22.01"
 
 show_version() {
     cat <<END
 evomaintenance version ${VERSION}
 
-Copyright 2007-2021 Evolix <info@evolix.fr>,
+Copyright 2007-2022 Evolix <info@evolix.fr>,
                     Gregory Colpart <reg@evolix.fr>,
                     Jérémy Lecour <jlecour@evolix.fr>
                     and others.
@@ -303,6 +303,9 @@ From: ${FULLFROM}
 Content-Type: text/plain; charset=UTF-8
 MIME-Version: 1.0
 Content-Transfer-Encoding: 8bit
+X-Evomaintenance-Version: ${VERSION}
+X-Evomaintenance-Host: ${HOSTNAME_TEXT}
+X-Evomaintenance-User: ${USER}
 To: ${EVOMAINTMAIL}
 Subject: [evomaintenance] Intervention sur ${HOSTNAME_TEXT} (${USER})
 

evomaintenance/tasks/config.yml

@@ -0,0 +1,18 @@
+---
+
+- assert:
+    that:
+      - evomaintenance_api_endpoint is not none
+      - evomaintenance_api_key is not none
+    msg: evomaintenance api variables must be set
+
+- name: Configuration is installed
+  template:
+    src: evomaintenance.j2
+    dest: /etc/evomaintenance.cf
+    owner: root
+    group: root
+    mode: "0600"
+    force: "{{ evomaintenance_force_config | bool }}"
+  tags:
+    - evomaintenance

evomaintenance/tasks/install_package_debian.yml

@@ -12,15 +12,4 @@
     name: evomaintenance
     allow_unauthenticated: yes
   tags:
-    - evomaintenance
-
-- name: Configuration is installed
-  template:
-    src: evomaintenance.j2
-    dest: /etc/evomaintenance.cf
-    owner: root
-    group: root
-    mode: "0600"
-    force: "{{ evomaintenance_force_config | bool }}"
-  tags:
-    - evomaintenance
+    - evomaintenance

evomaintenance/tasks/install_vendor_debian.yml

@@ -46,15 +46,4 @@
     - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
     - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
   tags:
-    - evomaintenance
-
-- name: Configuration is installed
-  template:
-    src: evomaintenance.j2
-    dest: /etc/evomaintenance.cf
-    owner: root
-    group: root
-    mode: "0600"
-    force: "{{ evomaintenance_force_config | bool }}"
-  tags:
-    - evomaintenance
+    - evomaintenance

evomaintenance/tasks/main.yml

@@ -1,14 +1,5 @@
 ---
 
-- set_fact:
-    minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
-
-- assert:
-    that:
-      - evomaintenance_api_endpoint is not none
-      - evomaintenance_api_key is not none
-    msg: evomaintenance api variables must be set
-
 - include: install_package_debian.yml
   when:
     - not (evomaintenance_install_vendor | bool)
@@ -19,6 +10,8 @@
     - evomaintenance_install_vendor | bool
     - ansible_distribution == "Debian"
 
+- include: config.yml
+
 - include: minifirewall.yml
   when:
     - evomaintenance_hook_db | bool

evomaintenance/tasks/minifirewall.yml

@@ -1,5 +1,8 @@
 ---
 
+- set_fact:
+    minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
+
 - name: Is minifirewall installed?
   stat:
     path: /etc/default/minifirewall

filebeat/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "6.x"
+elastic_stack_version: "7.x"
 
 filebeat_logstash_plugin: False
 

filebeat/handlers/main.yml

@@ -4,3 +4,4 @@
   systemd:
     name: filebeat
     state: restarted
+  when: not ansible_check_mode

filebeat/tasks/main.yml

@@ -8,11 +8,20 @@
     - filebeat
     - packages
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - filebeat
+    - packages
+
 - name: Elastic embedded GPG key is absent
   apt_key:
     id: "D88E42B4"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - filebeat
     - packages
@@ -53,6 +62,7 @@
     name: filebeat
     enabled: yes
   notify: restart filebeat
+  when: not ansible_check_mode
 
 - name: is logstash-plugin available?
   stat:
@@ -131,7 +141,9 @@
     when:
       - filebeat_elasticsearch_auth_username | length > 0
       - filebeat_elasticsearch_auth_password | length > 0
-  when: not (filebeat_use_config_template | bool)
+  when:
+    - not (filebeat_use_config_template | bool)
+    - not ansible_check_mode
 
 - name: Filebeat api_key for Elasticsearch are configured
   lineinfile:

fluentd/tasks/main.yml

@@ -1,10 +1,19 @@
 ---
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - packages
+    - fluentd
+
 - name: Fluentd embedded GPG key is absent
   apt_key:
     id: "AB97ACBE"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - packages
     - fluentd

generate-ldif/templates/generateldif.sh.j2

@@ -31,17 +31,30 @@ computerKernel=$(uname -r)
 HardwareSerial=$(dmidecode -s system-serial-number | grep -v '^#')
 
 type="baremetal"
-lscpu | grep -q KVM && type="kvm"
+lscpu | grep "Hypervisor vendor:" | grep -q KVM && type="kvm"
+lscpu | grep "Hypervisor vendor:" | grep -q VMware && type="vmware"
 lscpu | grep -q Oracle && type="virtualbox"
 
 if [ "$type" = "kvm" ]; then
+    ComputerType="VM"
     HardwareMark="KVM"
     HardwareModel="Virtual Machine"
 
     cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
     cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
     cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
+
+elif [ "$type" = "vmware" ]; then
+    ComputerType="VM"
+    HardwareMark="VMWare"
+    HardwareModel="Virtual Machine"
+
+    cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
+    cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
+    cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
+
 elif [ "$type" = "virtualbox" ]; then
+    ComputerType="VM"
     HardwareMark="VirtualBox"
     HardwareModel="Virtual Machine"
 
@@ -49,6 +62,7 @@ elif [ "$type" = "virtualbox" ]; then
     cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
     cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
 else
+    ComputerType="Baremetal"
     HardwareModel=$(dmidecode -s system-product-name | grep -v '^#')
 
     cpuMark=$(dmidecode -s processor-manufacturer | grep -v '^#' | head -1)
@@ -115,6 +129,7 @@ NagiosEnabled: ${NagiosEnabled}
 NagiosComments: ${monitoringType},${monitoringMode},${monitoringTimeout}
 HardwareSerial: ${HardwareSerial}
 clientNumber: ${clientNumber}
+ComputerType: ${ComputerType}
 EOT
 
 # CPU
@@ -174,6 +189,19 @@ NagiosEnabled: TRUE
 EOT
 fi
 
+# raid hardware
+if [ -n "${raidModel}" ]; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: HardwareName=raid_card,${computer_dn}
+objectClass: EvoHardware
+HardwareName: raid_card
+HardwareType: disk
+HardwareModel: ${raidModel}
+NagiosEnabled: TRUE
+EOT
+fi
+
 # Swap
 swap=$(free -h | grep Swap: | tr -s ' ' | cut -d ' ' -f2)
 if [ -n "${swap}" ]; then
@@ -570,10 +598,117 @@ objectClass: EvoService
 ServiceName: postgresql
 ipServicePort: 5432
 ServiceType: database
-ServiceVersion: PostgreSQL ${elasticsearch_version}
+ServiceVersion: PostgreSQL ${postgresql_version}
 EOT
 fi
 
+# LXC (multiphp)
+if is_pkg_installed lxc; then
+
+if lxc-ls | grep -q php56 ; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=ServiceName=php-fpm56,${computer_dn}
+NagiosEnabled: TRUE
+ipServiceProtocol: tcp
+objectClass: EvoService
+ServiceName: PHP-FPM (multiphp)
+ipServicePort: 443
+ServiceType: web
+ServiceVersion: PHP-FPM 5.6 (multiphp)
+EOT
+fi
+
+if lxc-ls | grep -q php70 ; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=ServiceName=php-fpm70,${computer_dn}
+NagiosEnabled: TRUE
+ipServiceProtocol: tcp
+objectClass: EvoService
+ServiceName: PHP-FPM (multiphp)
+ipServicePort: 443
+ServiceType: web
+ServiceVersion: PHP-FPM 7.0 (multiphp)
+EOT
+fi
+
+if lxc-ls | grep -q php73 ; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=ServiceName=php-fpm73,${computer_dn}
+NagiosEnabled: TRUE
+ipServiceProtocol: tcp
+objectClass: EvoService
+ServiceName: PHP-FPM (multiphp)
+ipServicePort: 443
+ServiceType: web
+ServiceVersion: PHP-FPM 7.3 (multiphp)
+EOT
+fi
+
+if lxc-ls | grep -q php74 ; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=ServiceName=php-fpm74,${computer_dn}
+NagiosEnabled: TRUE
+ipServiceProtocol: tcp
+objectClass: EvoService
+ServiceName: PHP-FPM (multiphp)
+ipServicePort: 443
+ServiceType: web
+ServiceVersion: PHP-FPM 7.4 (multiphp)
+EOT
+fi
+
+if lxc-ls | grep -q php80 ; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=ServiceName=php-fpm80,${computer_dn}
+NagiosEnabled: TRUE
+ipServiceProtocol: tcp
+objectClass: EvoService
+ServiceName: PHP-FPM (multiphp)
+ipServicePort: 443
+ServiceType: web
+ServiceVersion: PHP-FPM 8.0 (multiphp)
+EOT
+fi
+
+if lxc-ls | grep -q php81 ; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=ServiceName=php-fpm81,${computer_dn}
+NagiosEnabled: TRUE
+ipServiceProtocol: tcp
+objectClass: EvoService
+ServiceName: PHP-FPM (multiphp)
+ipServicePort: 443
+ServiceType: web
+ServiceVersion: PHP-FPM 8.1 (multiphp)
+EOT
+fi
+
+fi
+# END - LXC (multiphp)
+
+# mdadm
+if is_pkg_installed mdadm; then
+    mdadm_version=$(get_pkg_version mdadm)
+fi
+if [ -n "${mdadm_version}" ]; then
+    cat <<EOT >> "${ldif_file}"
+
+dn: ServiceName=mdadm,${computer_dn}
+NagiosEnabled: TRUE
+objectClass: EvoService
+ServiceName: mdadm
+ServiceType: raid
+ServiceVersion: mdadm ${mdadm_version}
+EOT
+fi
+
+
 # test if we have a stdout
 if [ -t 1 ]; then
   echo "Output is in ${ldif_file}"

haproxy/defaults/main.yml

@@ -34,3 +34,4 @@ haproxy_deny_ips: []
 
 haproxy_backports_packages_stretch: haproxy libssl1.0.0
 haproxy_backports_packages_buster: haproxy
+haproxy_backports_packages_bullseye: haproxy

haproxy/tasks/packages_backports.yml

@@ -15,6 +15,10 @@
     haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}"
   when: ansible_distribution_release == 'buster'
 
+- set_fact:
+    haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}"
+  when: ansible_distribution_release == 'bullseye'
+
 - name: Prefer HAProxy package from backports
   template:
     src: haproxy_apt_preferences.j2

java/tasks/oracle.yml

@@ -14,9 +14,9 @@
     state: directory
     mode: "0777"
   loop:
-  - /srv/java-package
-  - /srv/java-package/src
-  - /srv/java-package/tmp
+    - /srv/java-package
+    - /srv/java-package/src
+    - /srv/java-package/tmp
   tags:
   - java
 

jenkins/tasks/main.yml

@@ -5,11 +5,17 @@
 # http://mirrors.jenkins.io/.*
 # http://jenkins.mirror.isppower.de/.*
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+
 - name: Jenkins embedded GPG key is absent
   apt_key:
     id: "D50582E6"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
 
 - name: Add Jenkins GPG key
   copy:

kibana/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-elastic_stack_version: "5.x"
+elastic_stack_version: "7.x"
 
 kibana_server_host: "127.0.0.1"
 kibana_server_basepath: ""

kibana/files/elasticsearch.key

@@ -1,31 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.14 (GNU/Linux)
-
-mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD
-A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9
-CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ
-j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd
-1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD
-2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg
-KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy
-Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC
-F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75
-nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/
-7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm
-TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe
-8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/
-eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl
-zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT
-RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+
-1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+
-Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt
-KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww
-EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0
-c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J
-TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j
-6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7
-vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM
-cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/
-qPDlGRlOgVTd9xUfHFkzB52c70E=
-=92oX
------END PGP PUBLIC KEY BLOCK-----

kibana/tasks/main.yml

@@ -8,11 +8,20 @@
     - kibana
     - packages
 
+- name: Look for legacy apt keyring
+  stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - kibana
+    - packages
+
 - name: Elastic embedded GPG key is absent
   apt_key:
     id: "D88E42B4"
     keyring: /etc/apt/trusted.gpg
     state: absent
+  when: _trusted_gpg_keyring.stat.exists
   tags:
     - kibana
     - packages
@@ -129,3 +138,5 @@
 
 - include: proxy_nginx.yml
   when: kibana_proxy_nginx | bool
+  tags:
+    - kibana

kvm-host/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
 kvm_custom_libvirt_images_path: ''
 kvm_install_drbd: True
-kvm_scripts_dir: /usr/local/sbin
+kvm_scripts_dir: /usr/local/sbin
+
+kvm_pair: null

kvm-host/files/add-vm.sh

@@ -10,6 +10,8 @@
 # Bash strict mode
 set -euo pipefail
 
+VERSION="21.10"
+
 isDryRun() {
     test "${doDryRun}" = "true"
 }

kvm-host/files/kvmstats.sh

@@ -1,96 +1,202 @@
 #!/bin/sh
 
+VERSION="21.10"
+
+PROGNAME=$(basename "$0")
+
+show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2018-2021 Evolix <info@evolix.fr>,
+               Alexis Ben Miloud--Josselin <abenmiloud@evolix.fr>,
+               Jérémy Lecour <jlecour@evolix.fr>
+               and others.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+
+show_help() {
+    cat <<END
+${PROGNAME} print stats about configured virtal servers
+
+END
+    show_usage
+}
+show_usage() {
+    cat <<END
+Usage: ${PROGNAME} --all
+  or   ${PROGNAME} --output <human|html|csv>
+  or   ${PROGNAME} --units <k|m|g>
+END
+}
+
 error () {
     echo "$0": "$@" >&2
     exit 1
 }
 
-usage () {
-    echo 'usage:' "$0" '[-a] [-u k|m|g] [-o human|html|csv]' >&2
-    exit 1
+main() {
+    for VM in $(virsh list --name --all | sed '/^$/d' | sort)
+    do
+        echo "$VM"
+
+        # cpu
+        virsh vcpucount --current "$VM"
+
+        # mem
+        # libvirt stores memory in KiB, POW must be lowered by 1
+        virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
+            virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
+
+        # disk
+        for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
+        do
+            virsh domblkinfo "$VM" "$BLK" 2>/dev/null
+        done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
+
+        # state
+        virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
+    done | xargs -n5 | {
+        echo vm vcpu ram disk running
+        awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
+        test "$SHOW_AVAIL" && {
+            nproc
+            awk '/^MemTotal:/ { print int($2 / '$((POW / 1024))' ) }' /proc/meminfo
+        } | xargs -r printf 'AVAILABLE %s %s %s %s\n'
+    } | case "$FMT" in
+    'human')
+        column -t
+        ;;
+    'html')
+        awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
+        ;;
+    'csv')
+        tr ' ' ','
+        ;;
+    esac
 }
 
+parse_units() {
+    case "$1" in
+    'k')
+        POW="$(echo '1024 ^ 1' | bc)"
+        ;;
+    'm')
+        POW="$(echo '1024 ^ 2' | bc)"
+        ;;
+    'g')
+        POW="$(echo '1024 ^ 3' | bc)"
+        ;;
+    *)
+        printf 'ERROR: Unknown unit value: %s. Possible values: %s\n' "$1" "k, m, g" >&2
+        echo "" >&2
+        show_usage >&2
+        exit 1
+        ;;
+    esac 
+}
+parse_output() {
+    case "$1" in
+    'csv'|'html'|'human')
+        FMT="$1"
+        ;;
+    *)
+        printf 'ERROR: Unknown output value : %s. Possible values: %s\n' "$1" "csv, html, human" >&2
+        echo "" >&2
+        show_usage >&2
+        exit 1
+        ;;
+    esac
+}
+
+# Check dependencies
 for DEP in bc virsh
 do
     command -v "$DEP" > /dev/null || error "$DEP" 'command not found'
 done
 
+# default values
 POW="$(echo '1024 ^ 3' | bc)"
 FMT='human'
-while [ "$#" -ne 0 ]
-do
-    case "$1" in
-    '-a')
-        SHOW_AVAIL='y'
-        ;;
-    '-o')
-        case "$2" in
-        'csv'|'html'|'human')
-            FMT="$2"
+
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case $1 in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        -a|--all)
+            SHOW_AVAIL='y'
+            ;;
+        -u|--units)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                parse_units "$2"
+                shift
+            else
+                printf 'ERROR: "-u|--units" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --units=?*)
+            # with value speparated by =
+            parse_units ${1#*=}
+            ;;
+        --units=)
+            # without value
+            printf 'ERROR: "--units" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+
+        -o|--output)
+            # with value separated by space
+            if [ -n "$2" ]; then
+                parse_output "$2"
+                shift
+            else
+                printf 'ERROR: "-o|--output" requires a non-empty option argument.\n' >&2
+                exit 1
+            fi
+            ;;
+        --output=?*)
+            # with value speparated by =
+            parse_output ${1#*=}
+            ;;
+        --output=)
+            # without value
+            printf 'ERROR: "--output" requires a non-empty option argument.\n' >&2
+            exit 1
+            ;;
+
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            printf 'ERROR: Unknown option : %s\n' "$1" >&2
+            echo "" >&2
+            show_usage >&2
+            exit 1
             ;;
         *)
-            usage
+            # Default case: If no more options then break out of the loop.
+            break
             ;;
-        esac
-        shift
-        ;;
-    '-u')
-        case "$2" in
-        'k')
-            POW="$(echo '1024 ^ 1' | bc)"
-            ;;
-        'm')
-            POW="$(echo '1024 ^ 2' | bc)"
-            ;;
-        'g')
-            POW="$(echo '1024 ^ 3' | bc)"
-            ;;
-        *)
-            usage
-        esac
-        shift
-        ;;
-    *)
-        usage
     esac
+
     shift
 done
 
-for VM in $(virsh list --name --all)
-do
-    echo "$VM"
-
-    # cpu
-    virsh vcpucount --current "$VM"
-
-    # mem
-    # libvirt stores memory in KiB, POW must be lowered by 1
-    virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
-        virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
-
-    # disk
-    for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
-    do
-        virsh domblkinfo "$VM" "$BLK" 2>/dev/null
-    done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
-
-    # state
-    virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
-done | xargs -n5 | {
-    echo vm vcpu ram disk running
-    awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
-    test "$SHOW_AVAIL" && {
-        nproc
-        awk '/^MemTotal:/ { print int($2 / '$((POW / 1024))' ) }' /proc/meminfo
-    } | xargs -r printf 'AVAILABLE %s %s %s %s\n'
-} | case "$FMT" in
-'human')
-    column -t
-    ;;
-'html')
-    awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
-    ;;
-'csv')
-    tr ' ' ','
-    ;;
-esac
+main

kvm-host/tasks/main.yml

@@ -5,7 +5,7 @@
   when: kvm_install_drbd
 
 ## TODO: check why it's disabled
-#- include: ssh.yml
+- include: ssh.yml
 
 - include: packages.yml
 

kvm-host/tasks/ssh.yml

@@ -15,36 +15,42 @@
   debug:
     msg: "{{ ssh_keys.stdout }}"
 
-- name: Autorize other kvm ssh key
-  authorized_key:
-    user: root
-    state: present
-    key: "{{ item[0] }}"
-  delegate_to: "{{ item[1] }}"
-  loop: "{{ _keys | product(_servers) | list }}"
-  vars:
-    _keys: ssh_keys.stdout
-    _servers: groups['hypervisors']
-  when: item[1] != inventory_hostname
+#- name: Autorize other kvm ssh key
+#  authorized_key:
+#    user: root
+#    state: present
+#    key: "{{ item[0] }}"
+#  delegate_to: "{{ item[1] }}"
+#  loop: "{{ _keys | product(_servers) | list }}"
+#  vars:
+#    _keys: ssh_keys.stdout
+#    _servers: groups['hypervisors']
+#  when: item[1] != inventory_hostname
 
 - name: Crontab for sync libvirt xml file
   cron:
-    name: "sync libvirt xml on {{ item }}"
+    name: "sync libvirt xml on {{ kvm_pair }}"
     state: present
     special_time: "hourly"
     user: root
-    job: "rsync -a --delete /etc/libvirt/qemu/ {{ hostvars[item]['ansible_hostname'] }}:/root/libvirt-{{ inventory_hostname }}/"
-  loop:
-    - "{{ groups['hypervisors'] }}"
-  when: item != inventory_hostname
+    job: "rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/"
+  when:
+    - kvm_pair is defined
+    - kvm_pair is not none
+    - kvm_pair | length > 0
+    - kvm_pair != inventory_hostname
+  tags: crontab
 
 - name: Crontab for sync list of running vm
   cron:
-    name: "sync list of libvirt running vm on {{ item }}"
+    name: "sync list of libvirt running vm on {{ kvm_pair }}"
     state: present
     special_time: "daily"
     user: root
-    job: "virsh list --all | ssh {{ hostvars[item]['ansible_hostname'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
-  loop:
-    - "{{ groups['hypervisors'] }}"
-  when: item != inventory_hostname
+    job: "virsh list --all | tee /root/virsh-list.txt | ssh {{ hostvars[kvm_pair]['lan.ip'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
+  when:
+    - kvm_pair is defined
+    - kvm_pair is not none
+    - kvm_pair | length > 0
+    - kvm_pair != inventory_hostname
+  tags: crontab

ldap/defaults/main.yml

@@ -1,10 +1,10 @@
 ---
 
-ldap_listen: "ldap://127.0.0.1:389/"
+ldap_listen: "ldap://127.0.0.1:389/ ldapi:///"
 
 ldap_hostname: "{{ ansible_hostname }}"
 ldap_domain: "{{ ansible_domain }}"
 ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
 
 ldap_admin_password: ""
-ldap_nagios_password: ""
+ldap_nagios_password: ""

listupgrade/defaults/main.yml

@@ -2,4 +2,10 @@
 general_alert_email: "root@localhost"
 listupgrade_alert_email: Null
 
-listupgrade_cron_enabled: true
+listupgrade_cron_enabled: true
+listupgrade_cron_minute: "42"
+listupgrade_cron_hour: "9"
+listupgrade_cron_day: "*"
+listupgrade_cron_month: "*"
+listupgrade_cron_weekday: "2"
+listupgrade_cron_force: false

listupgrade/files/listupgrade.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# Repository: https://gitea.evolix.org/evolix/maj.sh/
+
 # Exit codes :
 # - 30 : $skip_releases or $skip_packages is set to "all"
 # - 40 : current release is in $skip_releases list
@@ -7,7 +9,7 @@
 # - 60 : current release is not in the $r_releases list
 # - 70 : at least an upgradable package is not in the $r_packages list
 
-VERSION="21.06.2"
+VERSION="21.06.3"
 
 show_version() {
     cat <<END
@@ -121,7 +123,7 @@ EOT
 # are executed if they are executable
 # and if their name doesn't contain a dot
 exec_hooks_in_dir() {
-    hooks=$(find "${1}" -type f -executable -not -name '*.*')
+    hooks=$(find "${1}" -type f -executable -not -name '*.* -print0 | sort --zero-terminated --dictionary-order | xargs --no-run-if-empty --null --max-args=1')
     for hook in ${hooks}; do
         if ! cron_mode; then
             printf "Running '%s\`\n" "${hook}"
@@ -178,13 +180,14 @@ main() {
         echo 'Aucun' >"${packagesHold}"
     fi
 
+    local_release=$(cut -f 1 -d . </etc/debian_version)
+
     if force_mode; then
         if ! cron_mode; then
             echo "Force mode is enabled, as if every release/package is available for upgrade."
         fi
     else
         fetch_upgrade_info
-        local_release=$(cut -f 1 -d . </etc/debian_version)
 
         # Exit if skip_releases or skip_packages in upgrade info file are set to all.
         if [ "${r_skip_releases}" = "all" ] || [ "${r_skip_packages}" = "all" ]; then

listupgrade/files/old-kernel-autoremoval.sh

@@ -1,74 +1,152 @@
 #!/bin/sh
 
+# Repository: https://gitea.evolix.org/evolix/maj.sh/
+
 # fork by reg from /etc/kernel/postinst.d/apt-auto-removal script
 
-set -e
+VERSION="21.10"
+readonly VERSION
 
-eval $(apt-config shell DPKG Dir::bin::dpkg/f)
-test -n "$DPKG" || DPKG="/usr/bin/dpkg"
+PROGNAME=$(basename "$0")
+
+show_version() {
+    cat <<END
+${PROGNAME} version ${VERSION}
+
+Copyright 2018-2021 Evolix <info@evolix.fr>,
+               Gregory Colpart <reg@evolix.fr>,
+               Romain Dessort <rdessort@evolix.fr>,
+               Ludovic Poujol <lpoujol@evolix.fr>,
+               Jérémy Lecour <jlecour@evolix.fr>
+               and others.
+
+${PROGNAME} comes with ABSOLUTELY NO WARRANTY.  This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+show_help() {
+    cat <<END
+${PROGNAME} removes old kernels.
+
+Options
+ -h, --help                  print this message and exit
+     --version               print version and exit
+END
+}
 
 # Detect which one of apt/aptitude we should use.
+# shellcheck disable=SC2120
 get_apt_binary() {
-    root="$1"
+    root="${1:-}"
     # apt could be a Java binary...
-    if [ -x $root/usr/bin/apt ] && ! $root/usr/bin/apt --version 2>&1 |grep -q "javac"; then
+    if [ -x "${root}/usr/bin/apt" ] && ! ${root}/usr/bin/apt --version 2>&1 | grep -q "javac"; then
         echo "apt"
-    elif [ -x $root/usr/bin/aptitude ]; then
+    elif [ -x "${root}/usr/bin/aptitude" ]; then
         echo "aptitude"
     # Usually in containers
     else
         echo "apt-get"
     fi
 }
-APT=$(get_apt_binary)
 
-list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \
-   | sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')"
-debverlist="$(echo "$list" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
+main() {
+    specifc_kernel="$1"
 
-if [ -n "$1" ]; then
-    installed_version="$(echo "$list" | awk "\$1 == \"$1\" { print \$2;exit; }")"
-fi
-unamer="$(uname -r | tr '[A-Z]' '[a-z]')"
-if [ -n "$unamer" ]; then
-    running_version="$(echo "$list" | awk "\$1 == \"$unamer\" { print \$2;exit; }")"
-fi
-# ignore the currently running version if attempting a reproducible build
-if [ -n "${SOURCE_DATE_EPOCH}" ]; then
-    unamer=""
-    running_version=""
-fi
-latest_version="$(echo "$debverlist" | sed -n 1p)"
-previous_version="$(echo "$debverlist" | sed -n 2p)"
+    # shellcheck disable=SC2046
+    eval $(apt-config shell DPKG Dir::bin::dpkg/f)
+    DPKG="${DPKG:-/usr/bin/dpkg}"
 
-debkernels="$(echo "$latest_version
-$installed_version
-$running_version" | sort -u | sed -e '/^$/ d')"
-kernels="$( (echo "$1
-$unamer"; for deb in $debkernels; do echo "$list" | awk "\$2 == \"$deb\" { print \$1; }"; done; ) \
-   | sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')"
+    listupgrade_state_dir="${listupgrade_state_dir:-/var/lib/listupgrade}"
+
+    APT=$(get_apt_binary)
+
+    list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \
+    | sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')"
+    debverlist="$(echo "${list}" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
+
+    if [ -n "${specifc_kernel}" ]; then
+        installed_version="$(echo "$list" | awk "\$1 == \"${specifc_kernel}\" { print \$2;exit; }")"
+    fi
+    unamer="$(uname -r | tr '[:upper:]' '[:lower:]')"
+    if [ -n "${unamer}" ]; then
+        running_version="$(echo "${list}" | awk "\$1 == \"${unamer}\" { print \$2;exit; }")"
+    fi
+    # ignore the currently running version if attempting a reproducible build
+    if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+        unamer=""
+        running_version=""
+    fi
+    latest_version="$(echo "${debverlist}" | sed -n 1p)"
+    previous_version="$(echo "${debverlist}" | sed -n 2p)"
+
+    debkernels="$(echo "${latest_version}
+    ${installed_version}
+    ${running_version}" | sort -u | sed -e '/^$/ d')"
+    kernels="$( (echo "${specifc_kernel}
+    ${unamer}"; for deb in ${debkernels}; do echo "${list}" | awk "\$2 == \"${deb}\" { print \$1; }"; done; ) \
+    | sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')"
 
 
-echo "
-List of installed kernel packages:
-$list
+    echo "
+    List of installed kernel packages:
+    $list
 
-# Running kernel: ${running_version:-ignored} (${unamer:-ignored})
-# Last kernel: $latest_version
-# Previous kernel: $previous_version
-# Kernel versions list to keep:
-$debkernels
+    # Running kernel: ${running_version:-ignored} (${unamer:-ignored})
+    # Last kernel: ${latest_version}
+    # Previous kernel: ${previous_version}
+    # Kernel versions list to keep:
+    ${debkernels}
 
-# Kernel packages (version part) to protect:
-$kernels
-"
+    # Kernel packages (version part) to protect:
+    ${kernels}
+    "
 
-echo "BEFORE"
-dpkg -l | grep linux-image
+    echo "BEFORE"
+    dpkg -l | grep linux-image
 
-dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep ^linux-image-[234] | egrep -v  "($kernels)" | xargs --no-run-if-empty $APT -y purge
+    dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep '^linux-image-[234]' | grep -v -E "(${kernels})" | xargs --no-run-if-empty ${APT} -o Dir::State::Lists="${listupgrade_state_dir}" -y purge
 
-echo "
-AFTER"
-dpkg -l | grep linux-image
-echo ""
+    echo "
+    AFTER"
+    dpkg -l | grep linux-image
+    echo ""
+
+}
+
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+    case $1 in
+        -h|-\?|--help)
+            show_help
+            exit 0
+            ;;
+        -V|--version)
+            show_version
+            exit 0
+            ;;
+        --)
+            # End of all options.
+            shift
+            break
+            ;;
+        -?*|[[:alnum:]]*)
+            # ignore unknown options
+            if [ "${QUIET}" != 1 ]; then
+                printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
+            fi
+            ;;
+        *)
+            # Default case: If no more options then break out of the loop.
+            break
+            ;;
+    esac
+
+    shift
+done
+
+set -e
+
+
+main "${@}"

listupgrade/tasks/main.yml

@@ -46,14 +46,17 @@
     group: root
 
 - name: Enable listupgrade cron
-  copy:
-    src: listupgrade_cron
-    dest: /etc/cron.d/listupgrade
-    mode: "0600"
-    owner: root
-    group: root
-    force: no
-  when: listupgrade_cron_enabled | bool
+  cron:
+    name: "lisupgrade.sh"
+    cron_file: "listupgrade"
+    user: root
+    job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}"
+    minute: "{{ listupgrade_cron_minute }}"
+    hour: "{{ listupgrade_cron_hour }}"
+    weekday: "{{ listupgrade_cron_weekday }}"
+    day: "{{ listupgrade_cron_day }}"
+    month: "{{ listupgrade_cron_month }}"
+    state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}"
 
 - name: old-kernel-autoremoval script is present
   copy: