Compare commits
231 commits
Author | SHA1 | Date | |
---|---|---|---|
Jérémy Lecour | c17bb03535 | ||
Jérémy Lecour | d7d58bf158 | ||
Jérémy Lecour | e5dc503cfd | ||
Jérémy Lecour | 270d03b6a6 | ||
Jérémy Lecour | 1dc4d0e133 | ||
Jérémy Lecour | c8ef7e9b75 | ||
53af37e055 | |||
Jérémy Lecour | d9e95218ce | ||
Eric Morino | 6321f32e81 | ||
Ludovic Poujol | 69a9cb9591 | ||
Ludovic Poujol | 39949ea921 | ||
Ludovic Poujol | e79141d2d2 | ||
Jérémy Lecour | 799466788f | ||
Jérémy Dubois | 03c97f2d0f | ||
William Hirigoyen (Evolix) | 1fdc0f2566 | ||
Jérémy Dubois | f3c443d076 | ||
ebfa8df6bc | |||
William Hirigoyen (Evolix) | 68b4b0803e | ||
Ludovic Poujol | 9995fca35d | ||
William Hirigoyen (Evolix) | e080b37be2 | ||
Ludovic Poujol | a2f73bb7df | ||
Jérémy Dubois | 981128dc17 | ||
Jérémy Lecour | 0cbdda840d | ||
Jérémy Lecour | 9e27d9707b | ||
Jérémy Lecour | 5153b88d01 | ||
Jérémy Lecour | 25563ee0f0 | ||
Jérémy Lecour | 3dd78fbf7e | ||
Jérémy Lecour | cd4822488c | ||
Jérémy Lecour | fcb0b8c80f | ||
Jérémy Lecour | cd26081add | ||
Jérémy Lecour | 8beb1e7460 | ||
Jérémy Lecour | 6d5aa67045 | ||
Jérémy Lecour | 359719d0d0 | ||
Jérémy Lecour | bb30402df3 | ||
Jérémy Lecour | 6ccd0ea440 | ||
Jérémy Lecour | 88cd8a0976 | ||
Jérémy Lecour | 519228ff9f | ||
6dc17658a9 | |||
Jérémy Lecour | 2849039fad | ||
Jérémy Lecour | 80f8a94798 | ||
Eric Morino | 0a244894eb | ||
Jérémy Lecour | 2c6a3601de | ||
Jérémy Lecour | bff8fcfebb | ||
Jérémy Lecour | 93929864be | ||
Jérémy Lecour | 52fff750df | ||
Jérémy Lecour | 0e34d4cd4b | ||
Jérémy Lecour | 8f8c024163 | ||
Jérémy Lecour | 1f4ee2de79 | ||
Jérémy Lecour | 0fce412cf5 | ||
Jérémy Lecour | 544b213529 | ||
Jérémy Lecour | 266289c72e | ||
Jérémy Lecour | 51bc48623b | ||
Mathieu Trossevin | 7a969a0be2 | ||
1902c40c3c | |||
fec9e49c18 | |||
Jérémy Dubois | 3822696db6 | ||
Jérémy Dubois | 4effe91b9f | ||
168b0fa9b7 | |||
Jérémy Lecour | c4fab71d7a | ||
Ludovic Poujol | c8a862c5e7 | ||
Jérémy Lecour | ea382a1686 | ||
Jérémy Lecour | ca1f465aaa | ||
William Hirigoyen (Evolix) | bd39adaf68 | ||
William Hirigoyen (Evolix) | 14883aa95e | ||
4c6d30a52c | |||
Jérémy Lecour | 1893b6dea5 | ||
Jérémy Lecour | ec346a42a5 | ||
William Hirigoyen (Evolix) | 1c754f7eb0 | ||
Eric Morino | 7bb7b22d1f | ||
Ludovic Poujol | 7c7ccf07eb | ||
Ludovic Poujol | 64b632c000 | ||
Ludovic Poujol | 8b701e615f | ||
Ludovic Poujol | d27d6b69cd | ||
Ludovic Poujol | bd429275d1 | ||
Eric Morino | cd7c488713 | ||
Eric Morino | 7e36d03804 | ||
Eric Morino | 2ec026c2b3 | ||
Mathieu Trossevin | 53cd3ba342 | ||
d3eef71127 | |||
Ludovic Poujol | 82694ef5e9 | ||
Ludovic Poujol | a35139fcee | ||
Eric Morino | 8dca949564 | ||
Eric Morino | c9af7db827 | ||
Eric Morino | 21bd4021d3 | ||
Eric Morino | 4fb885a33b | ||
Jérémy Lecour | e4bb0c6f55 | ||
Jérémy Lecour | 039c740ef3 | ||
William Hirigoyen (Evolix) | 51aaac0cbc | ||
Jérémy Lecour | 6cf8195744 | ||
0247216429 | |||
Eric Morino | 2ea8d279d5 | ||
William Hirigoyen (Evolix) | b9c1e9eafe | ||
Jérémy Lecour | dcfea674a4 | ||
Jérémy Lecour | 646a7b1813 | ||
Jérémy Lecour | dd53c01027 | ||
Jérémy Lecour | 0e2b43a1e9 | ||
Jérémy Dubois | 90acb99c2a | ||
Jérémy Lecour | ca28df1b75 | ||
Jérémy Lecour | 1706361e8d | ||
Jérémy Lecour | 72e8200d5b | ||
Ludovic Poujol | 03f846b94b | ||
Jérémy Lecour | 7cb6dffd6f | ||
Jérémy Lecour | dcdde5f7f6 | ||
Ludovic Poujol | 9b3bb39bd0 | ||
Ludovic Poujol | b120a92203 | ||
Eric Morino | be5bb73675 | ||
Ludovic Poujol | a9d0d0958d | ||
Jérémy Dubois | d38119eb0f | ||
Jérémy Lecour | 7586881f4d | ||
Jérémy Lecour | bbd16dc5b4 | ||
Jérémy Lecour | 33cb1dd8ef | ||
Jérémy Lecour | 6a4b250b5d | ||
Jérémy Lecour | 520cba9c5b | ||
Jérémy Lecour | 9aff38c0a7 | ||
Eric Morino | 2dfd0c0706 | ||
Jérémy Lecour | 3e80c98a05 | ||
Jérémy Lecour | 2d11580a6e | ||
Jérémy Lecour | dfd6aa0315 | ||
Jérémy Lecour | 679875d00b | ||
Ludovic Poujol | 73d6979e72 | ||
616ead41d5 | |||
Jérémy Lecour | a6fe0397a6 | ||
Jérémy Lecour | 7d63f20336 | ||
Jérémy Lecour | 86e5df9c16 | ||
Jérémy Lecour | 7b14296503 | ||
Jérémy Lecour | 37cb18f676 | ||
Jérémy Lecour | e089ddf091 | ||
Jérémy Lecour | de843cb91f | ||
Jérémy Lecour | 6cb2c66924 | ||
Jérémy Lecour | b293cf2cf9 | ||
Jérémy Lecour | dc1a01ce37 | ||
Jérémy Lecour | 5cbfda8f52 | ||
Jérémy Lecour | b2f8095d14 | ||
Jérémy Lecour | 9b479f9c05 | ||
Jérémy Lecour | 4a035d248d | ||
Jérémy Lecour | 3de5de5304 | ||
Jérémy Lecour | 4c52719561 | ||
Jérémy Lecour | 437d2986ae | ||
Jérémy Lecour | 0eb7332a34 | ||
Jérémy Lecour | febc76b26c | ||
Ludovic Poujol | e130728034 | ||
Jérémy Lecour | 73efee9caa | ||
Eric Morino | 3fcb79a3a3 | ||
Eric Morino | ae2be6a009 | ||
Jérémy Lecour | 1d55965527 | ||
Jérémy Lecour | 8233264d2a | ||
Jérémy Lecour | ef1472cbba | ||
Ludovic Poujol | f75354bb84 | ||
Ludovic Poujol | de4d814d74 | ||
Ludovic Poujol | 6a2cd59e6d | ||
Ludovic Poujol | 51fd2337f0 | ||
Ludovic Poujol | fa0c668cec | ||
45b7ce3486 | |||
Jérémy Lecour | 2b549af7d9 | ||
Jérémy Lecour | e429f7aecb | ||
Jérémy Lecour | 0cab062431 | ||
Jérémy Lecour | e76f2fe448 | ||
Jérémy Lecour | b908fc6cee | ||
Jérémy Lecour | 51e414df31 | ||
Jérémy Lecour | 887c1552cb | ||
Jérémy Lecour | e45ee59801 | ||
Jérémy Lecour | 73f55a42fa | ||
Jérémy Lecour | 65750d2aa6 | ||
Jérémy Lecour | 74ab96d67f | ||
Eric Morino | d2ef3fe27f | ||
5e794cd2b6 | |||
Eric Morino | 6c21c3b505 | ||
Jérémy Lecour | ecba57ad75 | ||
Jérémy Lecour | 2c7380240c | ||
Eric Morino | 999efb3983 | ||
Eric Morino | 916138575a | ||
Jérémy Lecour | 5a83a30a4c | ||
Eric Morino | bd92ff95c8 | ||
2448168008 | |||
Ludovic Poujol | 42189ba613 | ||
Jérémy Lecour | 066baf3538 | ||
Eric Morino | ca7d8e9739 | ||
Jérémy Lecour | ad457dd7ba | ||
Jérémy Lecour | 969a5bce7d | ||
Jérémy Lecour | d186e21239 | ||
Jérémy Lecour | c9f25f4638 | ||
Jérémy Lecour | 139b342fbd | ||
491407953c | |||
Jérémy Lecour | bf49ec8df5 | ||
Jérémy Lecour | 32b5efa30e | ||
Jérémy Lecour | 73352f55d7 | ||
Ludovic Poujol | b362fadc80 | ||
Ludovic Poujol | 8e6c08b81b | ||
Ludovic Poujol | 7a089f88af | ||
Ludovic Poujol | 49cb5adf92 | ||
Jérémy Lecour | c77e0d73f8 | ||
Jérémy Lecour | 29ec7bdcf2 | ||
Jérémy Lecour | ffd7d0e504 | ||
Jérémy Lecour | 6f66ab8e93 | ||
Jérémy Lecour | ba3ed5e903 | ||
Jérémy Lecour | d1829e7000 | ||
Jérémy Lecour | 4167b6d2a9 | ||
Jérémy Lecour | 3721c2ab38 | ||
Jérémy Lecour | 04e41b5dc9 | ||
Jérémy Lecour | 5905751a82 | ||
Jérémy Lecour | b5bcd666c6 | ||
Jérémy Lecour | 58cd1fedfa | ||
Jérémy Lecour | a5658b7f26 | ||
Jérémy Lecour | 5c1ae6ed0c | ||
Jérémy Lecour | 8a784c39ab | ||
Jérémy Lecour | 9c8dd743c8 | ||
Jérémy Lecour | 6b87ead5b4 | ||
Jérémy Lecour | d40fad662f | ||
Jérémy Lecour | 613a11d119 | ||
Jérémy Lecour | a60189eb3e | ||
Jérémy Lecour | c80c354d65 | ||
Jérémy Lecour | e8a8e85819 | ||
Jérémy Lecour | c5ab0c0ff9 | ||
Jérémy Lecour | f673ea85d1 | ||
Jérémy Lecour | 2c441f176a | ||
Jérémy Lecour | c5bb8f06ae | ||
Jérémy Lecour | 51d4ec1bb2 | ||
Jérémy Lecour | 5e09906c8f | ||
Jérémy Lecour | 380c50b999 | ||
Jérémy Lecour | 008cb6a3c9 | ||
Jérémy Lecour | 52d06a3987 | ||
Jérémy Lecour | 4a158ac819 | ||
Jérémy Lecour | 2f68ae5339 | ||
Jérémy Lecour | 6bfef35729 | ||
Jérémy Lecour | b8ac36e673 | ||
Jérémy Lecour | 83e8a3d75a | ||
Jérémy Lecour | 27a09ce682 | ||
Jérémy Lecour | 90cbd17f9b | ||
Jérémy Lecour | b0b24744d6 | ||
Jérémy Lecour | 11813c31a4 | ||
Jérémy Lecour | 51462c724c |
136
CHANGELOG.md
136
CHANGELOG.md
|
@ -4,9 +4,9 @@ All notable changes to this project will be documented in this file.
|
||||||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
||||||
|
|
||||||
This project does not follow semantic versioning.
|
This project does not follow semantic versioning.
|
||||||
The **major** part of the version is aligned with the stable version of Debian.
|
The **major** part of the version is the year
|
||||||
The **minor** part changes with big changes (probably incompatible).
|
The **minor** part changes is the month
|
||||||
The **patch** part changes incrementally at each release.
|
The **patch** part changes is incremented if multiple releases happen the same month
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
@ -14,12 +14,142 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
* minifirewall: tail template follows symlinks
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [22.03] 2022-03-02
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* apt: apt_hold_packages: broadcast message with wall, if present
|
||||||
|
* evolinux-base: option to bypass raid-related tasks
|
||||||
|
* Explicit permissions for systemd overrides
|
||||||
|
* generate-ldif: Add support for php-fpm in containers
|
||||||
|
* kvm-host: add missing default value
|
||||||
|
* lxc-php: preliminary support for PHP 8.1 container
|
||||||
|
* openvpn: now check that openvpn has been restarted since last certificates renewal
|
||||||
|
* redis: always install check_redis_instances
|
||||||
|
* redis: check_redis_instances tolerates absence of instances
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* elasticsearch: Use `/etc/elasticsearch/jvm.options.d/evolinux` instead of default `/etc/elasticsearch/jvm.options`
|
||||||
|
* evolinux-users: check permissions for /etc/sudoers.d
|
||||||
|
* evolinux-users: optimize sudo configuration
|
||||||
|
* lxc: Fail if /var is nosuid
|
||||||
|
* openvpn: make it compatible with OpenBSD and add some improvements
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## [22.01.3] 2022-01-31
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* rbenv: install Ruby 3.1.0 by default
|
||||||
|
* evolinux-base: backup-server-state: add "force" mode
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* evolinux-base: backup-server-state: fix systemctl invocation
|
||||||
|
* varnish: update munin plugin to work with recent varnish versions
|
||||||
|
|
||||||
|
## [22.01.2] 2022-01-27
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* evolinux-base: many improvements for backup-server-state script
|
||||||
|
* remount-usr: use findmnt to find if usr is a readonly partition
|
||||||
|
|
||||||
|
## [22.01] 2022-01-25
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* Support for Debian 11 « Bullseye » (with possible remaining blind spots)
|
||||||
|
* apache: new variable for MPM mode (+ updated default config accordingly)
|
||||||
|
* apache: prevent accessing Git or "env" related files
|
||||||
|
* certbot: add script for manual deploy hooks execution
|
||||||
|
* docker-host: install additional dependencies
|
||||||
|
* dovecot: switch to TLS 1.2+ and external DH params
|
||||||
|
* etc-git: centralize cron jobs in dedicated crontab
|
||||||
|
* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
|
||||||
|
* evolinux-base: add script backup-server-state
|
||||||
|
* evolinux-base: configure top and htop to display the swap column
|
||||||
|
* evolinux-base: install molly-guard by default
|
||||||
|
* generate-ldif: detect RAID controller
|
||||||
|
* generate-ldif: detect mdadm
|
||||||
|
* listupgrade: crontab is configurable
|
||||||
|
* logstash: logging to syslog is configurable (default: True)
|
||||||
|
* mongodb: create munin plugins directory if missing
|
||||||
|
* munin: systemd override to unprotect home directory
|
||||||
|
* mysql: add evomariabackup 21.11
|
||||||
|
* mysql: improve Bullseye compatibility
|
||||||
|
* mysql: script "mysql_connections" to display a compact list of connections
|
||||||
|
* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
|
||||||
|
* nagios-nrpe + evolinux-users: new check for ipmi
|
||||||
|
* nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
|
||||||
|
* nagios-nrpe + evolinux-users: new checks for bkctld
|
||||||
|
* nagios-nrpe: new check influxdb
|
||||||
|
* openvpn: new role (beta)
|
||||||
|
* redis: instance service for Debian 11
|
||||||
|
* squid: add *.o.lencr.org to default whitelist
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* Change version pattern
|
||||||
|
* Install python 2 or 3 libraries according to running python version
|
||||||
|
* Remove embedded GPG keys only if legacy keyring is present
|
||||||
|
* apt: remove workaround for Evolix public repositories with Debian 11
|
||||||
|
* apt: upgrade packages after all the configuration is done
|
||||||
|
* apt: use the new security repository for Bullseye
|
||||||
|
* certbot: silence letsencrypt deprecation warnings
|
||||||
|
* elasticsearch: elastic_stack_version = 7.x
|
||||||
|
* evoacme: exclude renewal-hooks directory from cron
|
||||||
|
* evoadmin-web: simpler PHP packages lists
|
||||||
|
* evocheck: upstream release 21.10.4
|
||||||
|
* evolinux-base: alert5 comes after the network
|
||||||
|
* evolinux-base: force Debian version to buster for Evolix repository (temporary)
|
||||||
|
* evolinux-base: install freeipmi by default on dedicated hw
|
||||||
|
* evolinux-base: logs are rotated with dateext by default
|
||||||
|
* evolinux-base: split dpkg logrotate configuration
|
||||||
|
* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
|
||||||
|
* evomaintenance: extract a config.yml tasks file
|
||||||
|
* evomaintenance: upstream release 22.01
|
||||||
|
* filebeat/metricbeat: elastic_stack_version = 7.x
|
||||||
|
* kibana: elastic_stack_version = 7.x
|
||||||
|
* listupgrade: old-kernel-removal version 21.10
|
||||||
|
* listupgrade: upstream release 21.06.3
|
||||||
|
* logstash: elastic_stack_version = 7.x
|
||||||
|
* mongodb: Allow to specify a mongodb version for buster & bullseye
|
||||||
|
* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
|
||||||
|
* mongodb: Support version 5.0 (for buster)
|
||||||
|
* mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
|
||||||
|
* nodejs: default to version 16 LTS
|
||||||
|
* php: enforce Debian version with assert instead of fail
|
||||||
|
* squid: improve default whitelist (more specific patterns)
|
||||||
|
* squid: must be started in foreground mode for systemd
|
||||||
|
* squid: remove obsolete variable on Squid 4
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* evolinux-base: fix alert5.service dependency syntax
|
||||||
|
* certbot: sync_remote excludes itself
|
||||||
|
* lxc-php: fix config for opensmtpd on bullseye containers
|
||||||
|
* mysql : Create a default ~root/.my.cnf for compatibility reasons
|
||||||
|
* nginx : fix variable name and debug to actually use nginx-light
|
||||||
|
* packweb-apache : Support php 8.0
|
||||||
|
* nagios-nrpe: Fix check_nfsserver for buster and bullseye
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
* evocheck: package install is not supported anymore
|
||||||
|
* logstash: no more dependency on Java
|
||||||
|
* php: remove php-gettext for 7.4
|
||||||
|
|
||||||
## [10.6.0] 2021-06-28
|
## [10.6.0] 2021-06-28
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -48,12 +48,23 @@ MaxKeepAliveRequests 10
|
||||||
Deny from env=GoAway
|
Deny from env=GoAway
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<DirectoryMatch "/\.git">
|
||||||
|
# We don't want to let the client know a file exist on the server,
|
||||||
|
# so we return 404 "Not found" instead of 403 "Forbidden".
|
||||||
|
Redirect 404
|
||||||
|
</DirectoryMatch>
|
||||||
|
|
||||||
<Files ~ "\.(inc|bak)$">
|
# File names starting with
|
||||||
Require all denied
|
<FilesMatch "^\.(git|env)">
|
||||||
</Files>
|
Redirect 404
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
|
# File names ending with
|
||||||
|
<FilesMatch "\.(inc|bak)$">
|
||||||
|
Redirect 404
|
||||||
|
</FilesMatch>
|
||||||
|
|
||||||
<LocationMatch "^/evolinux_fpm_status-.*">
|
<LocationMatch "^/evolinux_fpm_status-.*">
|
||||||
Require all denied
|
Require all denied
|
||||||
</LocationMatch>
|
</LocationMatch>
|
||||||
|
|
||||||
|
|
|
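Review bot: The `<FilesMatch "\.(inc|bak)$">` block now answers `Redirect 404` where the replaced `<Files ~ "\.(inc|bak)$">` answered `Require all denied`, so the status for those files changes from 403 to 404; any monitoring rule or test that keys on a 403 for `.inc`/`.bak` paths needs the same update, and a comment on that block stating the 404 is deliberate would help the next reader, e.g. `# 404 on purpose: same reply as for a missing file, see the .git block above`. `Redirect 404` is a mod_alias directive, so the whole template fails to load if that module is not enabled, which is the safe direction but worth a one-line comment next to its first use. `<DirectoryMatch "/\.git">` is not anchored at the end, so it presumably also covers directories such as `.github` or `.gitlab`; if that is intended, the comment should say so, otherwise anchoring the expression narrows it. The `<Directory>` block closed at the top of the hunk opens outside it.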
@ -33,6 +33,7 @@
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
var: apache_serverstatus_suffix
|
var: apache_serverstatus_suffix
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
- name: replace server-status suffix in default site index
|
- name: replace server-status suffix in default site index
|
||||||
replace:
|
replace:
|
||||||
|
|
3
apt/files/bullseye_backports_preferences
Normal file
3
apt/files/bullseye_backports_preferences
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Package: *
|
||||||
|
Pin: release a=bullseye-backports
|
||||||
|
Pin-Priority: 50
|
|
@ -21,7 +21,12 @@ if [ -f ${config_file} ]; then
|
||||||
if [ -n "${package}" ]; then
|
if [ -n "${package}" ]; then
|
||||||
if is_installed ${package} && ! is_held ${package}; then
|
if is_installed ${package} && ! is_held ${package}; then
|
||||||
apt-mark hold ${package}
|
apt-mark hold ${package}
|
||||||
>&2 echo "Package \`${package}' has been marked \`hold'."
|
msg="Package \`${package}' has been marked \`hold'."
|
||||||
|
>&2 echo "${msg}"
|
||||||
|
wall_bin=$(command -v wall)
|
||||||
|
if [ -n "${wall_bin}" ]; then
|
||||||
|
"${wall_bin}" --timeout 5 "${msg}"
|
||||||
|
fi
|
||||||
return_code=1
|
return_code=1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
|
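Review bot: The new `msg=` / `wall` lines report that the package has been marked hold without checking that `apt-mark hold ${package}` on the line above succeeded (its exit status is not tested and no `set -e` is visible in the hunk), so the message is printed and broadcast to every logged-in user even when the hold was not applied; wrapping it as `if apt-mark hold "${package}"; then … fi` keeps the message honest and also quotes `${package}`, which is unquoted throughout the hunk. `wall --timeout 5` is the util-linux spelling of the option, so if this script is meant to run on non-Linux hosts a comment or fallback is needed; the exit status of `wall` is ignored, which is acceptable for a notification but deserves a short `# best effort` comment. The `if [ -f ${config_file} ]` block and the loop that enclose these lines start outside the hunk.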
@ -19,6 +19,7 @@
|
||||||
- /etc/apt/sources.list.d/debian-jessie.list
|
- /etc/apt/sources.list.d/debian-jessie.list
|
||||||
- /etc/apt/sources.list.d/debian-stretch.list
|
- /etc/apt/sources.list.d/debian-stretch.list
|
||||||
- /etc/apt/sources.list.d/debian-buster.list
|
- /etc/apt/sources.list.d/debian-buster.list
|
||||||
|
- /etc/apt/sources.list.d/debian-bullseye.list
|
||||||
- /etc/apt/sources.list.d/debian-update.list
|
- /etc/apt/sources.list.d/debian-update.list
|
||||||
when: apt_clean_gandi_sourceslist | bool
|
when: apt_clean_gandi_sourceslist | bool
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -39,17 +39,3 @@
|
||||||
when: apt_remove_aptitude | bool
|
when: apt_remove_aptitude | bool
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
- name: Updating APT cache
|
|
||||||
apt:
|
|
||||||
update_cache: yes
|
|
||||||
changed_when: False
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
||||||
- name: Upgrading system
|
|
||||||
apt:
|
|
||||||
upgrade: dist
|
|
||||||
when: apt_upgrade | bool
|
|
||||||
tags:
|
|
||||||
- apt
|
|
||||||
|
|
|
@ -1,10 +1,18 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
- name: Evolix embedded GPG key is absent
|
- name: Evolix embedded GPG key is absent
|
||||||
apt_key:
|
apt_key:
|
||||||
id: "B8612B5D"
|
id: "B8612B5D"
|
||||||
keyring: /etc/apt/trusted.gpg
|
keyring: /etc/apt/trusted.gpg
|
||||||
state: absent
|
state: absent
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
|
|
|
@ -37,3 +37,17 @@
|
||||||
when: apt_install_hold_packages | bool
|
when: apt_install_hold_packages | bool
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
||||||
|
- name: Updating APT cache
|
||||||
|
apt:
|
||||||
|
update_cache: yes
|
||||||
|
changed_when: False
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Upgrading system
|
||||||
|
apt:
|
||||||
|
upgrade: dist
|
||||||
|
when: apt_upgrade | bool
|
||||||
|
tags:
|
||||||
|
- apt
|
3
apt/templates/bullseye_backports.list.j2
Normal file
3
apt/templates/bullseye_backports.list.j2
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }}
|
5
apt/templates/bullseye_basics.list.j2
Normal file
5
apt/templates/bullseye_basics.list.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
|
||||||
|
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
|
||||||
|
deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
|
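Review bot: The three `deb` lines in bullseye_basics.list.j2 are inconsistent in two ways: `http://mirror.evolix.org/debian` has no trailing slash on the first line and a trailing slash on the second, and the Evolix mirror is fetched over plain HTTP while `deb.debian.org/debian-security` uses HTTPS (the same HTTP URL is used in bullseye_backports.list.j2 above). APT's Release-file signature check protects the integrity of both, so HTTP is not a correctness issue, but it exposes which packages a host fetches to anyone on the path; if the mirror serves HTTPS (cannot tell from here), using it on every line would make the templates uniform, and on bullseye no extra transport package is needed for that. Normalising the second line to `deb http://mirror.evolix.org/debian bullseye-updates {{ apt_basics_components | mandatory }}` removes the slash difference either way.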
8
bullseye-detect/tasks/main.yml
Normal file
8
bullseye-detect/tasks/main.yml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# Force facts until Debian 11 is released because Ansible is dumb
|
||||||
|
- set_fact:
|
||||||
|
ansible_distribution_major_version: 11
|
||||||
|
ansible_distribution: "Debian"
|
||||||
|
ansible_distribution_release: "bullseye"
|
||||||
|
when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'"
|
|
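Review bot: The `when:` expression `ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'` raises an undefined-attribute error on hosts without `lsb-release`, where `ansible_lsb` is typically an empty dict, so the role aborts on exactly the minimal hosts where it should simply leave the facts alone; `when: ansible_lsb.codename | default('') == 'bullseye' or ansible_lsb.release | default('') == 'testing/unstable'` keeps the task a no-op there. `ansible_distribution_major_version: 11` sets an integer where the gathered fact is the string `"11"`, so string comparisons and `version()` tests elsewhere may behave differently; quoting it as `"11"` matches the real fact. Once bullseye is stable, the `testing/unstable` branch will label bookworm hosts as Debian 11; the comment already says the override is temporary, so a dated `# TODO` naming the removal condition would help.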
@ -14,8 +14,15 @@ debug() {
|
||||||
found_renewed_lineage() {
|
found_renewed_lineage() {
|
||||||
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
|
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
|
||||||
}
|
}
|
||||||
|
cert_content() {
|
||||||
|
openssl x509 -text -in "${RENEWED_LINEAGE}/fullchain.pem"
|
||||||
|
}
|
||||||
domain_from_cert() {
|
domain_from_cert() {
|
||||||
openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//'
|
if cert_content | grep -q "X509v3 Subject Alternative Name:" && cert_content | grep -q "DNS:"; then
|
||||||
|
cert_content | grep "DNS:" | sed -e 's/\s\+//g' -e 's/DNS://g'
|
||||||
|
else
|
||||||
|
cert_content | sed 's/^.*CN\ *=\ *//'
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
main() {
|
main() {
|
||||||
if [ -z "${RENEWED_LINEAGE}" ]; then
|
if [ -z "${RENEWED_LINEAGE}" ]; then
|
||||||
|
@ -40,11 +47,11 @@ main() {
|
||||||
rsync --archive --copy-links --delete "${RENEWED_LINEAGE}/" "${remote_host}:${remote_lineage}/" \
|
rsync --archive --copy-links --delete "${RENEWED_LINEAGE}/" "${remote_host}:${remote_lineage}/" \
|
||||||
|| error "Couldn't sync certificate on ${server}"
|
|| error "Couldn't sync certificate on ${server}"
|
||||||
|
|
||||||
rsync --archive --copy-links --delete --exclude $0 --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \
|
rsync --archive --copy-links --delete --exclude "$(basename "$0")" --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \
|
||||||
|| error "Couldn't sync hooks on ${server}"
|
|| error "Couldn't sync hooks on ${server}"
|
||||||
|
|
||||||
# shellcheck disable=SC2029
|
# shellcheck disable=SC2029
|
||||||
ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=${RENEWED_DOMAINS}; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
|
ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=\"${RENEWED_DOMAINS}\"; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
|
||||||
|| error "Something went wrong on ${server} for deploy hooks"
|
|| error "Something went wrong on ${server} for deploy hooks"
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
|
|
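Review bot: In the new `domain_from_cert`, the `else` branch pipes the full `openssl x509 -text` dump from `cert_content` through `sed 's/^.*CN\ *=\ *//'`, which only rewrites the Subject line and passes every other line (and the PEM block, since `-text` without `-noout` prints it) through unchanged, so a certificate without a DNS SAN now yields many lines where the replaced `-noout -subject` call returned the single CN; restore that in the else branch with `openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//'`. The SAN branch runs `openssl` three times on the same file; capturing the text once into a variable is cheaper and keeps the two `grep -q` tests and the extraction consistent. What `main` does with the result is outside this hunk, so the practical impact cannot be checked from this page. In the second hunk, quoting `RENEWED_DOMAINS` in the remote `export` is an improvement, but the value is still interpolated into a remote shell string; that is acceptable for certbot-provided domain names and could be stated in the existing `shellcheck disable=SC2029` comment.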
40
certbot/files/hooks/manual-deploy.sh
Executable file
40
certbot/files/hooks/manual-deploy.sh
Executable file
|
@ -0,0 +1,40 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -u
|
||||||
|
|
||||||
|
error() {
|
||||||
|
>&2 echo "${PROGNAME}: $1"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
debug() {
|
||||||
|
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||||
|
>&2 echo "${PROGNAME}: $1"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
found_renewed_lineage() {
|
||||||
|
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
|
||||||
|
}
|
||||||
|
main() {
|
||||||
|
if [ -z "${RENEWED_LINEAGE:-}" ]; then
|
||||||
|
error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)."
|
||||||
|
fi
|
||||||
|
if [ "${VERBOSE}" = "1" ]; then
|
||||||
|
xargs_verbose="--verbose"
|
||||||
|
else
|
||||||
|
xargs_verbose=""
|
||||||
|
fi
|
||||||
|
if found_renewed_lineage; then
|
||||||
|
find "${hooks_dir}" -mindepth 1 -maxdepth 1 -type f -executable -print0 | sort --zero-terminated --dictionary-order | xargs ${xargs_verbose} --no-run-if-empty --null --max-args=1 sh -c
|
||||||
|
else
|
||||||
|
error "Couldn't find required files in \`${RENEWED_LINEAGE}'"
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
PROGNAME=$(basename "$0")
|
||||||
|
VERBOSE=${VERBOSE:-"0"}
|
||||||
|
QUIET=${QUIET:-"0"}
|
||||||
|
|
||||||
|
hooks_dir="/etc/letsencrypt/renewal-hooks/deploy"
|
||||||
|
|
||||||
|
main
|
|
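Review bot: The `xargs … --max-args=1 sh -c` invocation in `main` passes each hook path as the command string of `sh -c`, so the path is parsed as shell syntax and the `-print0`/`--null` plumbing no longer protects names containing spaces or metacharacters; `sh -c 'exec "$0"'` (xargs then appends the path as `$0`) or dropping `sh -c` so xargs executes the hook directly keeps the NUL-delimited path intact. The script only checks `RENEWED_LINEAGE`, but certbot also exports `RENEWED_DOMAINS` to deploy hooks and nothing here sets it, so a hook that reads it under `set -u` will fail when run through this wrapper; either document that limitation in a header comment or derive it from the certificate the way the sibling deploy hook's `domain_from_cert` does. `debug` is defined but never called in this file. Every executable file under `hooks_dir` is run with the caller's privileges, so a header comment stating that the directory must stay root-owned makes that trust assumption explicit.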
@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then
|
||||||
fi
|
fi
|
||||||
VENV_BIN="$VENV_PATH/bin"
|
VENV_BIN="$VENV_PATH/bin"
|
||||||
BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
|
BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
|
||||||
LE_AUTO_VERSION="1.9.0"
|
LE_AUTO_VERSION="1.14.0"
|
||||||
BASENAME=$(basename $0)
|
BASENAME=$(basename $0)
|
||||||
USAGE="Usage: $BASENAME [OPTIONS]
|
USAGE="Usage: $BASENAME [OPTIONS]
|
||||||
A self-updating wrapper script for the Certbot ACME client. When run, updates
|
A self-updating wrapper script for the Certbot ACME client. When run, updates
|
||||||
|
@ -497,7 +497,7 @@ Python36SclIsAvailable() {
|
||||||
|
|
||||||
# Try to enable rh-python36 from SCL if it is necessary and possible.
|
# Try to enable rh-python36 from SCL if it is necessary and possible.
|
||||||
EnablePython36SCL() {
|
EnablePython36SCL() {
|
||||||
if "$EXISTS" python3.6 > /dev/null 2>/dev/null; then
|
if "$EXISTS" python3.6 > /dev/null 2> /dev/null; then
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
if [ ! -f /opt/rh/rh-python36/enable ]; then
|
if [ ! -f /opt/rh/rh-python36/enable ]; then
|
||||||
|
@ -799,15 +799,15 @@ BootstrapMageiaCommon() {
|
||||||
# that function. If Bootstrap is set to a function that doesn't install any
|
# that function. If Bootstrap is set to a function that doesn't install any
|
||||||
# packages BOOTSTRAP_VERSION is not set.
|
# packages BOOTSTRAP_VERSION is not set.
|
||||||
if [ -f /etc/debian_version ]; then
|
if [ -f /etc/debian_version ]; then
|
||||||
Bootstrap() {
|
DEPRECATED_OS=1
|
||||||
BootstrapMessage "Debian-based OSes"
|
NO_SELF_UPGRADE=1
|
||||||
BootstrapDebCommon
|
|
||||||
}
|
|
||||||
BOOTSTRAP_VERSION="BootstrapDebCommon $BOOTSTRAP_DEB_COMMON_VERSION"
|
|
||||||
elif [ -f /etc/mageia-release ]; then
|
elif [ -f /etc/mageia-release ]; then
|
||||||
# Mageia has both /etc/mageia-release and /etc/redhat-release
|
# Mageia has both /etc/mageia-release and /etc/redhat-release
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
elif [ -f /etc/redhat-release ]; then
|
elif [ -f /etc/redhat-release ]; then
|
||||||
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
# Run DeterminePythonVersion to decide on the basis of available Python versions
|
# Run DeterminePythonVersion to decide on the basis of available Python versions
|
||||||
# whether to use 2.x or 3.x on RedHat-like systems.
|
# whether to use 2.x or 3.x on RedHat-like systems.
|
||||||
# Then, revert LE_PYTHON to its previous state.
|
# Then, revert LE_PYTHON to its previous state.
|
||||||
|
@ -815,7 +815,7 @@ elif [ -f /etc/redhat-release ]; then
|
||||||
unset LE_PYTHON
|
unset LE_PYTHON
|
||||||
DeterminePythonVersion "NOCRASH"
|
DeterminePythonVersion "NOCRASH"
|
||||||
|
|
||||||
RPM_DIST_NAME=`(. /etc/os-release 2>/dev/null && echo $ID) || echo "unknown"`
|
RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
|
||||||
|
|
||||||
if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then
|
if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then
|
||||||
# 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto.
|
# 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto.
|
||||||
|
@ -825,7 +825,7 @@ elif [ -f /etc/redhat-release ]; then
|
||||||
# Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
|
# Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
|
||||||
# '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
|
# '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
|
||||||
# error, RPM_DIST_VERSION is set to "unknown".
|
# error, RPM_DIST_VERSION is set to "unknown".
|
||||||
RPM_DIST_VERSION=$( (. /etc/os-release 2>/dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
|
RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
|
||||||
|
|
||||||
# If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
|
# If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
|
||||||
# characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
|
# characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
|
||||||
|
@ -840,12 +840,7 @@ elif [ -f /etc/redhat-release ]; then
|
||||||
INTERACTIVE_BOOTSTRAP=1
|
INTERACTIVE_BOOTSTRAP=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Bootstrap() {
|
|
||||||
BootstrapMessage "Legacy RedHat-based OSes that will use Python3"
|
|
||||||
BootstrapRpmPython3Legacy
|
|
||||||
}
|
|
||||||
USE_PYTHON_3=1
|
USE_PYTHON_3=1
|
||||||
BOOTSTRAP_VERSION="BootstrapRpmPython3Legacy $BOOTSTRAP_RPM_PYTHON3_LEGACY_VERSION"
|
|
||||||
|
|
||||||
# Try now to enable SCL rh-python36 for systems already bootstrapped
|
# Try now to enable SCL rh-python36 for systems already bootstrapped
|
||||||
# NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto
|
# NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto
|
||||||
|
@ -864,43 +859,38 @@ elif [ -f /etc/redhat-release ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$RPM_USE_PYTHON_3" = 1 ]; then
|
if [ "$RPM_USE_PYTHON_3" = 1 ]; then
|
||||||
Bootstrap() {
|
|
||||||
BootstrapMessage "RedHat-based OSes that will use Python3"
|
|
||||||
BootstrapRpmPython3
|
|
||||||
}
|
|
||||||
USE_PYTHON_3=1
|
USE_PYTHON_3=1
|
||||||
BOOTSTRAP_VERSION="BootstrapRpmPython3 $BOOTSTRAP_RPM_PYTHON3_VERSION"
|
|
||||||
else
|
|
||||||
Bootstrap() {
|
|
||||||
BootstrapMessage "RedHat-based OSes"
|
|
||||||
BootstrapRpmCommon
|
|
||||||
}
|
|
||||||
BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
LE_PYTHON="$prev_le_python"
|
LE_PYTHON="$prev_le_python"
|
||||||
elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
|
elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
elif [ -f /etc/arch-release ]; then
|
elif [ -f /etc/arch-release ]; then
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
elif [ -f /etc/manjaro-release ]; then
|
elif [ -f /etc/manjaro-release ]; then
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
elif [ -f /etc/gentoo-release ]; then
|
elif [ -f /etc/gentoo-release ]; then
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
elif uname | grep -iq FreeBSD ; then
|
elif uname | grep -iq FreeBSD ; then
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
elif uname | grep -iq Darwin ; then
|
elif uname | grep -iq Darwin ; then
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
|
elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
|
||||||
Bootstrap() {
|
DEPRECATED_OS=1
|
||||||
ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon
|
NO_SELF_UPGRADE=1
|
||||||
}
|
|
||||||
BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION"
|
|
||||||
elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
|
elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
else
|
else
|
||||||
DEPRECATED_OS=1
|
DEPRECATED_OS=1
|
||||||
|
NO_SELF_UPGRADE=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# We handle this case after determining the normal bootstrap version to allow
|
# We handle this case after determining the normal bootstrap version to allow
|
||||||
|
@ -1122,15 +1112,17 @@ if [ "$1" = "--le-auto-phase2" ]; then
|
||||||
if [ "$DEPRECATED_OS" = 1 ]; then
|
if [ "$DEPRECATED_OS" = 1 ]; then
|
||||||
# Phase 2 damage control mode for deprecated OSes.
|
# Phase 2 damage control mode for deprecated OSes.
|
||||||
# In this situation, we bypass any bootstrap or certbot venv setup.
|
# In this situation, we bypass any bootstrap or certbot venv setup.
|
||||||
error "Your system is not supported by certbot-auto anymore."
|
# error "Your system is not supported by certbot-auto anymore."
|
||||||
|
|
||||||
if [ ! -d "$VENV_PATH" ] && OldVenvExists; then
|
if [ ! -d "$VENV_PATH" ] && OldVenvExists; then
|
||||||
VENV_BIN="$OLD_VENV_PATH/bin"
|
VENV_BIN="$OLD_VENV_PATH/bin"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then
|
if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then
|
||||||
error "Certbot will no longer receive updates."
|
# error "certbot-auto and its Certbot installation will no longer receive updates."
|
||||||
error "Please visit https://certbot.eff.org/ to check for other alternatives."
|
# error "You will not receive any bug fixes including those fixing server compatibility"
|
||||||
|
# error "or security problems."
|
||||||
|
# error "Please visit https://certbot.eff.org/ to check for other alternatives."
|
||||||
"$VENV_BIN/letsencrypt" "$@"
|
"$VENV_BIN/letsencrypt" "$@"
|
||||||
exit 0
|
exit 0
|
||||||
else
|
else
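Review bot: Commenting out every `error` call in the `DEPRECATED_OS` branch leaves the pinned certbot running on unsupported systems with no trace in the cron output or log that it will never receive fixes; keeping one short line such as `error "certbot-auto is frozen on this OS; see https://certbot.eff.org/ for alternatives."` preserves that signal without the old four-line banner. Whatever the reason for silencing the upstream text, a one-line comment above the disabled `# error` lines stating it would tell the next maintainer why they are kept but inactive. The `if [ "$DEPRECATED_OS" = 1 ]` block continues past the end of this hunk.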
|
||||||
|
@ -1497,18 +1489,18 @@ letsencrypt==0.7.0 \
|
||||||
--hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
|
--hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
|
||||||
--hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
|
--hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
|
||||||
|
|
||||||
certbot==1.9.0 \
|
certbot==1.14.0 \
|
||||||
--hash=sha256:d5a804d32e471050921f7b39ed9859e2e9de02824176ed78f57266222036b53a \
|
--hash=sha256:67b4d26ceaea6c7f8325d0d45169e7a165a2cabc7122c84bc971ba068ca19cca \
|
||||||
--hash=sha256:2ff9bf7d9af381c7efee22dec2dd6938d9d8fddcc9e11682b86e734164a30b57
|
--hash=sha256:959ea90c6bb8dca38eab9772722cb940972ef6afcd5f15deef08b3c3636841eb
|
||||||
acme==1.9.0 \
|
acme==1.14.0 \
|
||||||
--hash=sha256:d8061b396a22b21782c9b23ff9a945b23e50fca2573909a42f845e11d5658ac5 \
|
--hash=sha256:4f48c41261202f1a389ec2986b2580b58f53e0d5a1ae2463b34318d78b87fc66 \
|
||||||
--hash=sha256:38a1630c98e144136c62eec4d2c545a1bdb1a3cd4eca82214be6b83a1f5a161f
|
--hash=sha256:61daccfb0343628cbbca551a7fc4c82482113952c21db3fe0c585b7c98fa1c35
|
||||||
certbot-apache==1.9.0 \
|
certbot-apache==1.14.0 \
|
||||||
--hash=sha256:09528a820d57e54984d490100644cd8a6603db97bf5776f86e95795ecfacf23d \
|
--hash=sha256:b757038db23db707c44630fecb46e99172bd791f0db5a8e623c0842613c4d3d9 \
|
||||||
--hash=sha256:f47fb3f4a9bd927f4812121a0beefe56b163475a28f4db34c64dc838688d9e9e
|
--hash=sha256:887fe4a21af2de1e5c2c9428bacba6eb7c1219257bc70f1a1d8447c8a321adb0
|
||||||
certbot-nginx==1.9.0 \
|
certbot-nginx==1.14.0 \
|
||||||
--hash=sha256:bb2e3f7fe17f071f350a3efa48571b8ef40a8e4b6db9c6da72539206a20b70be \
|
--hash=sha256:8916a815437988d6c192df9f035bb7a176eab20eee0956677b335d0698d243fb \
|
||||||
--hash=sha256:ab26a4f49d53b0e8bf0f903e58e2a840cda233fe1cbbc54c36ff17f973e57d65
|
--hash=sha256:cc2a8a0de56d9bb6b2efbda6c80c647dad8db2bb90675cac03ade94bd5fc8597
|
||||||
|
|
||||||
UNLIKELY_EOF
|
UNLIKELY_EOF
|
||||||
# -------------------------------------------------------------------------
|
# -------------------------------------------------------------------------
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
|
# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
|
||||||
- name: Let's Encrypt script is present
|
- name: Let's Encrypt script is present
|
||||||
copy:
|
copy:
|
||||||
src: letsencrypt-auto
|
src: letsencrypt-auto
|
||||||
|
@ -55,5 +56,5 @@
|
||||||
dest: "/etc/letsencrypt/cli.ini"
|
dest: "/etc/letsencrypt/cli.ini"
|
||||||
section: null
|
section: null
|
||||||
option: "no-self-upgrade"
|
option: "no-self-upgrade"
|
||||||
value: 0
|
value: "no"
|
||||||
state: present
|
state: present
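Review bot: `value: "no"` for the boolean `no-self-upgrade` option reads as a double negative and nothing on the task says whether the intent is to keep certbot-auto's self-upgrade enabled or disabled. If certbot's cli.ini parser treats `0` and `no` as the same false value the change is cosmetic and a comment should say so, e.g. `# "no" keeps self-upgrade enabled; same meaning as the former 0`; if it does not, the previous `0` was being rejected and that is the fact worth recording. Note that the vendored script in this same change sets `NO_SELF_UPGRADE=1` in every deprecated-OS branch, so on those hosts the cli.ini value is presumably overridden anyway.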
|
||||||
|
|
|
@ -7,17 +7,17 @@
|
||||||
- ansible_distribution_major_version is version('8', '>=')
|
- ansible_distribution_major_version is version('8', '>=')
|
||||||
msg: only compatible with Debian 9+
|
msg: only compatible with Debian 9+
|
||||||
|
|
||||||
- name: Install legacy script on Debian 8 and 9
|
- name: Install legacy script on Debian 8
|
||||||
include: install-legacy.yml
|
include: install-legacy.yml
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('10', '<')
|
- ansible_distribution_major_version is version('9', '<')
|
||||||
|
|
||||||
- name: Install package on Debian 10+
|
- name: Install package on Debian 9+
|
||||||
include: install-package.yml
|
include: install-package.yml
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
||||||
- include: acme-challenge.yml
|
- include: acme-challenge.yml
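Review bot: The assertion's `msg: only compatible with Debian 9+` now contradicts both its own `version('8', '>=')` test and the new `Install legacy script on Debian 8` path, so an operator on an older release would be told the wrong minimum; change it to `msg: only compatible with Debian 8+`. The message line is context here (unchanged by this commit), and the `assert` task it belongs to starts above the hunk.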
|
||||||
|
|
||||||
|
@ -29,6 +29,14 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
|
- name: Manual deploy hook is present
|
||||||
|
copy:
|
||||||
|
src: hooks/manual-deploy.sh
|
||||||
|
dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
|
||||||
|
mode: "0700"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
- name: "sync_remote is configured with servers"
|
- name: "sync_remote is configured with servers"
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
|
dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
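Review bot: `dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh` puts the script one level above the `deploy/` directory that the neighbouring `sync_remote.cf` task uses, so certbot will not execute it on renewal; if that is the point of "manual", say so on the task, e.g. `# kept outside renewal-hooks/deploy/ on purpose: run by hand, not by certbot`, otherwise the path is probably wrong. Mode `0700` owned by root is the right choice for a script that would run as root, and the same should hold for anything later placed under `deploy/`.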
|
||||||
|
|
|
@ -6,48 +6,48 @@
|
||||||
value: "{{ item.value }}"
|
value: "{{ item.value }}"
|
||||||
vtype: "{{ item.type }}"
|
vtype: "{{ item.type }}"
|
||||||
loop:
|
loop:
|
||||||
- { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
|
- { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
|
||||||
- { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
|
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
|
||||||
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
|
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
|
||||||
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
|
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
|
||||||
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
|
- { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
|
||||||
- { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
|
- { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
|
||||||
- { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
|
- { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
|
||||||
- { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
|
- { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
|
||||||
- { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
|
- { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
|
||||||
- { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
|
- { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
|
||||||
- { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
|
- { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
|
||||||
- { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
|
- { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
|
||||||
- { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
|
- { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
|
||||||
- { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
|
- { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
|
||||||
- { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
|
- { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
|
||||||
- { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
|
- { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
|
||||||
- { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
|
- { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
|
||||||
- { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
|
- { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
|
||||||
- { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
|
- { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
|
||||||
- { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
|
- { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
|
||||||
- { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
|
- { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
|
||||||
- { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
|
- { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
|
||||||
- { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
|
- { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
|
||||||
- { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
|
- { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
|
||||||
- { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
|
- { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
|
||||||
- { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
|
||||||
tags:
|
tags:
|
||||||
- clamav
|
- clamav
|
||||||
|
|
||||||
|
@ -58,17 +58,17 @@
|
||||||
value: "{{ item.value }}"
|
value: "{{ item.value }}"
|
||||||
vtype: "{{ item.type }}"
|
vtype: "{{ item.type }}"
|
||||||
loop:
|
loop:
|
||||||
- { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
|
- { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
|
||||||
- { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
|
- { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
|
||||||
- { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
|
- { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
|
- { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
|
||||||
- { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
|
- { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
|
||||||
- { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
|
- { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
|
- { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
|
- { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
|
||||||
- { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
|
- { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
|
- { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
|
||||||
- { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
|
- { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
|
||||||
tags:
|
tags:
|
||||||
- clamav
|
- clamav
|
||||||
|
|
||||||
|
|
|
@ -36,13 +36,26 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: Install docker and python-docker
|
- name: Install Docker
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
- docker-ce
|
- docker-ce
|
||||||
- python-docker
|
- docker-ce-cli
|
||||||
|
- containerd.io
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
|
- name: python-docker is installed
|
||||||
|
apt:
|
||||||
|
name: python-docker
|
||||||
|
state: present
|
||||||
|
when: ansible_python_version is version('3', '<')
|
||||||
|
|
||||||
|
- name: python3-docker is installed
|
||||||
|
apt:
|
||||||
|
name: python3-docker
|
||||||
|
state: present
|
||||||
|
when: ansible_python_version is version('3', '>=')
|
||||||
|
|
||||||
- name: Copy Docker daemon configuration file
|
- name: Copy Docker daemon configuration file
|
||||||
template:
|
template:
|
||||||
src: daemon.json.j2
|
src: daemon.json.j2
|
||||||
|
|
|
@ -10,6 +10,11 @@
|
||||||
tags:
|
tags:
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
|
- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
|
||||||
|
openssl_dhparam:
|
||||||
|
path: /etc/ssl/dhparams.pem
|
||||||
|
size: 4096
|
||||||
|
|
||||||
- name: disable pam auth
|
- name: disable pam auth
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/dovecot/conf.d/10-auth.conf
|
dest: /etc/dovecot/conf.d/10-auth.conf
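Review bot: The new `openssl_dhparam` task carries no `tags`, while every neighbouring task is tagged `dovecot`; a `--tags dovecot` run would therefore skip it, and the template in this same change references the file with `ssl_dh=</etc/ssl/dhparams.pem`, so Dovecot would fail to load its SSL configuration on a host where the file was never generated. Add `tags: [dovecot]` to the task, matching its neighbours. The parameters are public data, so the module's default ownership and mode are acceptable; `/etc/ssl/dhparams.pem` is a shared path, though, so another role regenerating it with a different size would silently change what Dovecot uses, which a short comment on the task should mention.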
|
||||||
|
@ -64,6 +69,15 @@
|
||||||
tags:
|
tags:
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
||||||
|
- name: deploy file for custom configuration
|
||||||
|
template:
|
||||||
|
src: zzz-evolinux-custom.conf.j2
|
||||||
|
dest: /etc/dovecot/conf.d/zzz-evolinux-custom.conf
|
||||||
|
mode: "0644"
|
||||||
|
notify: reload dovecot
|
||||||
|
tags:
|
||||||
|
- dovecot
|
||||||
|
|
||||||
- include: munin.yml
|
- include: munin.yml
|
||||||
tags:
|
tags:
|
||||||
- dovecot
|
- dovecot
|
||||||
|
|
|
@ -35,12 +35,27 @@ service login {
|
||||||
}
|
}
|
||||||
mail_max_userip_connections = 42
|
mail_max_userip_connections = 42
|
||||||
|
|
||||||
|
# Configuration pour stats dovecot
|
||||||
|
service stats {
|
||||||
|
unix_listener stats-reader {
|
||||||
|
user = vmail
|
||||||
|
group = vmail
|
||||||
|
mode = 0660
|
||||||
|
}
|
||||||
|
|
||||||
|
unix_listener stats-writer {
|
||||||
|
user = vmail
|
||||||
|
group = vmail
|
||||||
|
mode = 0660
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# SSL/TLS
|
# SSL/TLS
|
||||||
ssl = yes
|
ssl = yes
|
||||||
ssl_prefer_server_ciphers = yes
|
ssl_prefer_server_ciphers = yes
|
||||||
ssl_dh_parameters_length = 2048
|
ssl_dh=</etc/ssl/dhparams.pem
|
||||||
ssl_options = no_compression no_ticket
|
ssl_options = no_compression no_ticket
|
||||||
ssl_protocols = !TLSv1 !TLSv1.1
|
ssl_min_protocol = TLSv1.2
|
||||||
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||||
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
|
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
|
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
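Review bot: `ssl_min_protocol = TLSv1.2` raises the protocol floor, but the `ssl_cipher_list` kept immediately below still advertises the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and the non-forward-secret static-RSA `AES*-SHA*` suites, all of which remain negotiable under TLS 1.2; drop the four `DES-CBC3` entries at least (or append `:!3DES`), and if only modern clients connect, the trailing static-RSA `AES128-*`/`AES256-*` entries as well. `ssl_min_protocol` and `ssl_dh` are Dovecot 2.3 directives (`ssl_protocols` and `ssl_dh_parameters_length` were the 2.2 spelling), so if this role still targets hosts running Dovecot 2.2 the template needs a version switch. `ssl_dh=<` also breaks the `key = value` spacing used on every other line.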
|
||||||
|
|
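--- a/dovecot/templates/zzz-evolinux-custom.conf.j2
+++ b/dovecot/templates/zzz-evolinux-custom.conf.j2
@@ -0,0 +1 @@
+## Put your customized configuration here, verify configuration with "doveconf -n" and /var/log/mail.log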
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "6.x"
|
elastic_stack_version: "7.x"
|
||||||
|
|
||||||
elasticsearch_cluster_name: Null
|
elasticsearch_cluster_name: Null
|
||||||
elasticsearch_cluster_members: Null
|
elasticsearch_cluster_members: Null
|
||||||
|
|
BIN
elasticsearch/files/elastic.gpg
Normal file
BIN
elasticsearch/files/elastic.gpg
Normal file
|
@ -96,17 +96,25 @@
|
||||||
|
|
||||||
- name: JVM Heap size (min) is set
|
- name: JVM Heap size (min) is set
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options
|
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
||||||
regexp: "^-Xms"
|
regexp: "^-Xms"
|
||||||
line: "-Xms{{ elasticsearch_jvm_xms }}"
|
line: "-Xms{{ elasticsearch_jvm_xms }}"
|
||||||
|
create: yes
|
||||||
|
owner: root
|
||||||
|
group: elasticsearch
|
||||||
|
mode: 0640
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: JVM Heap size (max) is set
|
- name: JVM Heap size (max) is set
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options
|
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
||||||
regexp: "^-Xmx"
|
regexp: "^-Xmx"
|
||||||
line: "-Xmx{{ elasticsearch_jvm_xmx }}"
|
line: "-Xmx{{ elasticsearch_jvm_xmx }}"
|
||||||
|
create: yes
|
||||||
|
owner: root
|
||||||
|
group: elasticsearch
|
||||||
|
mode: 0640
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
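Review bot: `create: yes` makes `lineinfile` create `evolinux.options`, but not its parent `/etc/elasticsearch/jvm.options.d/`; that directory only ships with newer Elasticsearch packages (the 7.7 series onwards, as far as I recall), so on an older install the role would now fail where it used to edit `jvm.options` in place. Either guard both tasks with a version condition in the style of the `when: elastic_stack_version is version('6', '>=')` used elsewhere in this role, or precede them with a `file: state=directory` task. The `owner`/`group`/`mode` triple is repeated on both tasks; `0640` root:elasticsearch is right for a file the `elasticsearch` user reads, and quoting it as `"0640"`, as the other tasks in this change do, avoids the octal-versus-decimal YAML trap.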
|
||||||
|
|
||||||
|
|
|
@ -8,11 +8,20 @@
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
tags:
|
||||||
|
- elasticsearch
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Elastic embedded GPG key is absent
|
- name: Elastic embedded GPG key is absent
|
||||||
apt_key:
|
apt_key:
|
||||||
id: "D88E42B4"
|
id: "D88E42B4"
|
||||||
keyring: /etc/apt/trusted.gpg
|
keyring: /etc/apt/trusted.gpg
|
||||||
state: absent
|
state: absent
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
- packages
|
- packages
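Review bot: The added `when: _trusted_gpg_keyring.stat.exists` guard is sensible (presumably `apt_key` cannot remove from a keyring that does not exist), but the removal still identifies the key by the 8-hex short id `D88E42B4`; short ids are not unique, so use the full 40-hex fingerprint (`id: "<ELASTIC_KEY_FINGERPRINT>"`, a placeholder to fill in from the key itself) so that an unrelated key sharing the suffix cannot be removed by mistake. Since the change also ships `elasticsearch/files/elastic.gpg`, the matching install task (presumably in this file but outside the hunk) should place it under `/usr/share/keyrings/` and reference it with `signed-by=` in the source entry rather than adding it back to the global keyring this task is cleaning up.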
|
||||||
|
@ -52,4 +61,4 @@
|
||||||
name: elasticsearch
|
name: elasticsearch
|
||||||
enabled: yes
|
enabled: yes
|
||||||
tags:
|
tags:
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
|
|
|
@ -26,10 +26,13 @@
|
||||||
|
|
||||||
- name: change JVM tmpdir (< 6.x)
|
- name: change JVM tmpdir (< 6.x)
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options
|
dest: /etc/elasticsearch/jvm.options.d/evolinux.options
|
||||||
line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}"
|
line: "-Djava.io.tmpdir={{ _elasticsearch_custom_tmpdir }}"
|
||||||
regexp: "^-Djava.io.tmpdir="
|
regexp: "^-Djava.io.tmpdir="
|
||||||
insertafter: "## JVM configuration"
|
create: yes
|
||||||
|
owner: root
|
||||||
|
group: elasticsearch
|
||||||
|
mode: 0640
|
||||||
notify:
|
notify:
|
||||||
- restart elasticsearch
|
- restart elasticsearch
|
||||||
tags:
|
tags:
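Review bot: This task is explicitly for Elasticsearch `< 6.x` (see its `name` and the `when: elastic_stack_version is version('6', '>=')` sibling further down), yet it now writes to `/etc/elasticsearch/jvm.options.d/evolinux.options`, a directory that only exists on much newer releases (7.7 onwards, as far as I recall), and `create: yes` does not create missing parent directories, so on the versions this task targets it would fail. Keep `dest: /etc/elasticsearch/jvm.options` together with the `insertafter` for this task, or drop the task if `< 6.x` is no longer supported (the defaults in this same change move to `7.x`). The same directory assumption is made by the two heap-size tasks in configuration.yml.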
|
||||||
|
@ -48,6 +51,7 @@
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
when: elastic_stack_version is version('6', '>=')
|
when: elastic_stack_version is version('6', '>=')
|
||||||
|
|
||||||
|
# Note : Should not do any changes as -Djava.io.tmpdir=${ES_TMPDIR} is already here in the default config.
|
||||||
- name: change JVM tmpdir (>= 6.x)
|
- name: change JVM tmpdir (>= 6.x)
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/elasticsearch/jvm.options
|
dest: /etc/elasticsearch/jvm.options
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
---
|
---
|
||||||
commit_message: Ansible run
|
etc_git_default_commit_message: Ansible run
|
||||||
|
|
||||||
etc_git_monitor_status: True
|
etc_git_monitor_status: True
|
||||||
|
etc_git_purge_index_lock_enabled: True
|
||||||
|
etc_git_purge_index_lock_age: 86400
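Review bot: Renaming `commit_message` to `etc_git_default_commit_message` removes the only default for `commit_message`, while the rewritten `commit.yml` in this change still passes `{{ commit_message | mandatory }}` to evocommit; unless a task not shown maps one to the other, any play that relied on the old `Ansible run` default will now fail on `mandatory`. Either keep `commit_message: "{{ etc_git_default_commit_message }}"` here or use `commit_message | default(etc_git_default_commit_message)` at the call sites. The new `etc_git_purge_index_lock_enabled`/`etc_git_purge_index_lock_age` variables also have no consumer visible in this change (the shipped `evocommit` hard-codes a one-hour stale-lock limit), so a comment pointing to the task that reads them, or wiring them through, would avoid a dead knob.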
|
||||||
|
|
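--- a/etc-git/files/etc-git-optimize
+++ b/etc-git/files/etc-git-optimize
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -u
+
+repositories="/etc /etc/bind/ /usr/share/scripts"
+
+for repository in ${repositories}; do
+if [ -d "${repository}/.git" ]; then
+git --git-dir="${repository}/.git" gc --quiet
+fi
+done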
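Review bot: `repositories="/etc /etc/bind/ /usr/share/scripts"` is duplicated verbatim between `etc-git-optimize` and `etc-git-status` (and the same three paths are listed again as tasks in `commit.yml`), so adding a fourth repository means three edits; consider generating both scripts from one template with the list as a role variable. Both scripts use `set -u` without `-e`, so a `git gc` or `git status` failure in one repository does not stop the loop, but it is also not reported: the exit status is that of the last iteration only. A comment such as `# per-repository failures are ignored on purpose; last status wins` would document that choice, or `rc=1` could be recorded on failure and returned after the loop.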
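--- a/etc-git/files/etc-git-status
+++ b/etc-git/files/etc-git-status
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -u
+
+repositories="/etc /etc/bind/ /usr/share/scripts"
+
+for repository in ${repositories}; do
+if [ -d "${repository}/.git" ]; then
+git --git-dir="${repository}/.git" --work-tree="${repository}" status --short
+fi
+done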
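--- a/etc-git/files/evocommit
+++ b/etc-git/files/evocommit
@@ -0,0 +1,265 @@
+#!/bin/sh
+
+set -u
+
+VERSION="21.10"
+
+show_version() {
+cat <<END
+evocommit version ${VERSION}
+
+Copyright 2021 Evolix <info@evolix.fr>,
+Jérémy Lecour <jlecour@evolix.fr>
+and others.
+
+evocommit comes with ABSOLUTELY NO WARRANTY. This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public Licence for details.
+END
+}
+
+show_help() {
+cat <<END
+evocommit helps properly committing changes in a repository
+
+END
+show_usage
+}
+show_usage() {
+cat <<END
+Usage: evocommit --repository /path/to/repository --message "add new host"
+
+Options
+--repository PATH set the path for the repository
+--message MESSAGE set the commit message
+-V, --version print version number
+-v, --verbose increase verbosity
+-n, --dry-run actions are not executed
+--help print this message and exit
+--version print version and exit
+END
+}
+
+syslog() {
+if [ -x "${LOGGER_BIN}" ]; then
+${LOGGER_BIN} -t "evocommit" "$1"
+fi
+}
+get_system() {
+uname -s
+}
+is_repository_readonly() {
+if [ "$(get_system)" = "OpenBSD" ]; then
+partition=$(stat -f '%Sd' $1)
+mount | grep "${partition}" | grep -q "read-only"
+elif command -v findmnt >/dev/null; then
+mountpoint=$(stat -c '%m' $1)
+findmnt "${mountpoint}" --noheadings --output OPTIONS -O ro
+else
+grep /usr /proc/mounts | grep -E '\bro\b'
+fi
+}
+remount_repository_readwrite() {
+if [ "$(get_system)" = "OpenBSD" ]; then
+partition=$(stat -f '%Sd' $1)
+mount -u -w /dev/${partition} 2>/dev/null
+else
+mountpoint=$(stat -c '%m' $1)
+mount -o remount,rw ${mountpoint}
+syslog "Re-mount ${mountpoint} as read-write to commit in repository $1"
+fi
+}
+remount_repository_readonly() {
+if [ "$(get_system)" = "OpenBSD" ]; then
+partition=$(stat -f '%Sd' $1)
+mount -u -r /dev/${partition} 2>/dev/null
+else
+mountpoint=$(stat -c '%m' $1)
+mount -o remount,ro ${mountpoint} 2>/dev/null
+syslog "Re-mount ${mountpoint} as read-only after commit to repository $1"
+fi
+}
+is_dry_run() {
+test "${DRY_RUN}" = "1"
+}
+is_verbose() {
+test "${VERBOSE}" = "1"
+}
+is_ansible() {
+test "${ANSIBLE}" = "1"
+}
+main() {
+rc=0
+lock="${GIT_DIR}/index.lock"
+if [ -f "${lock}" ]; then
+limit=$(date +"%s" -d "now - 1 hour")
+updated_at=$(stat -c "%Y" "${lock}")
+if [ "$updated_at" -lt "$limit" ]; then
+rm -f "${lock}"
+fi
+fi
+
+git_status=$(${GIT_BIN} status --porcelain)
+
+if [ -n "${git_status}" ]; then
+if is_dry_run; then
+${GIT_BIN} status
+else
+readonly_orig=0
+# remount mount point read-write if currently readonly
+if is_repository_readonly "${REPOSITORY}"; then
+readonly_orig=1;
+remount_repository_readwrite "${REPOSITORY}";
+fi
+author=$(logname)
+email=$(git config --get user.email)
+email=${email:-"${author}@evolix.net"}
+
+# commit changes
+git_add_result=$(${GIT_BIN} add --all)
+git_add_rc=$?
+
+if is_ansible; then
+if [ ${git_add_rc} -ne 0 ]; then
+printf "FAILED: %s\n%s" "can't add changes in ${REPOSITORY}" "${git_add_result}"
+rc=1
+fi
+fi
+
+git_commit_result=$(${GIT_BIN} commit --message "${MESSAGE}" --author "${author} <${email}>")
+git_commit_rc=$?
+
+if is_ansible; then
+if [ ${git_commit_rc} -eq 0 ]; then
+printf "CHANGED: %s\n" "commit done in ${REPOSITORY} with \`${MESSAGE}'"
+else
+printf "FAILED: %s\n%s" "can't commit in ${REPOSITORY} \`${MESSAGE}'" "${git_commit_result}"
+rc=1
+fi
+fi
+
+# remount mount point read-only if it was before
+if [ ${readonly_orig} -eq 1 ]; then
+remount_repository_readonly "${REPOSITORY}"
+fi
+fi
+else
+if is_ansible; then
+printf "INFO: %s\n" "no commit in ${REPOSITORY}'"
+fi
+fi
+
+unset GIT_DIR
+unset GIT_WORK_TREE
+
+exit ${rc}
+}
+# Parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+case ${1:-''} in
+-h|-\?|--help)
+show_help
+exit 0
+;;
+-V|--version)
+show_version
+exit 0
+;;
+--message)
+# message options, with value speparated by space
+if [ -n "$2" ]; then
+MESSAGE=$2
+shift
+else
+printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
+exit 1
+fi
+;;
+--message=?*)
+# message options, with value speparated by =
+MESSAGE=${1#*=}
+;;
+--message=)
+# message options, without value
+printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
+exit 1
+;;
+--repository)
+# repository options, with value speparated by space
+if [ -n "$2" ]; then
+REPOSITORY=$2
+shift
+else
+printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
+exit 1
+fi
+;;
+--repository=?*)
+# repository options, with value speparated by =
+REPOSITORY=${1#*=}
+;;
+--repository=)
+# repository options, without value
+printf 'ERROR: "--repository" requires a non-empty option argument.\n' >&2
+exit 1
+;;
+-n|--dry-run)
+# disable actual commands
+DRY_RUN=1
+;;
+-v|--verbose)
+# print verbose information
+VERBOSE=1
+;;
+--ansible)
+# print information for Ansible
+ANSIBLE=1
+;;
+--)
+# End of all options.
+shift
+break
+;;
+-?*|[[:alnum:]]*)
+# ignore unknown options
+printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
+;;
+*)
+# Default case: If no more options then break out of the loop.
+break
+;;
+esac
+
+shift
+done
+
+if [ -z "${MESSAGE}" ]; then
+echo "Error: missing message parameter" >&2
+show_usage
+exit 1
+fi
+if [ -z "${REPOSITORY}" ]; then
+echo "Error: missing repository parameter" >&2
+show_usage
+exit 1
+fi
+DRY_RUN=${DRY_RUN:-0}
+VERBOSE=${VERBOSE:-0}
+ANSIBLE=${ANSIBLE:-0}
+
+GIT_BIN=$(command -v git)
+readonly GIT_BIN
+
+LOGGER_BIN=$(command -v logger)
+readonly LOGGER_BIN
+
+export GIT_DIR="${REPOSITORY}/.git"
+export GIT_WORK_TREE="${REPOSITORY}"
+
+if [ -d "${GIT_DIR}" ]; then
+main
+else
+echo "There is no Git repository in '${REPOSITORY}'" >&2
+exit 1
+fi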
@ -1,3 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
git --git-dir /etc/.git gc --quiet
|
|
|
@ -1,25 +1,52 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# /etc
|
||||||
- name: Is /etc a git repository
|
- name: Is /etc a git repository
|
||||||
stat:
|
stat:
|
||||||
path: /etc/.git
|
path: /etc/.git
|
||||||
register: _etc_git
|
register: _etc_git
|
||||||
|
|
||||||
- include: do_commit.yml
|
- name: "evocommit /etc"
|
||||||
vars:
|
command: "/usr/local/bin/evocommit --ansible --repository /etc --message \"{{ commit_message | mandatory }}\""
|
||||||
git_folder: "/etc"
|
changed_when:
|
||||||
|
- _etc_git_commit.stdout
|
||||||
|
- "'CHANGED:' in _etc_git_commit.stdout"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: _etc_git_commit
|
||||||
when:
|
when:
|
||||||
- _etc_git.stat.exists
|
- _etc_git.stat.exists
|
||||||
- _etc_git.stat.isdir
|
- _etc_git.stat.isdir
|
||||||
|
|
||||||
|
# /etc/bind
|
||||||
|
- name: Is /etc/bind a git repository
|
||||||
|
stat:
|
||||||
|
path: /etc/bind/.git
|
||||||
|
register: _etc_bind_git
|
||||||
|
|
||||||
|
- name: "evocommit /etc/bind"
|
||||||
|
command: "/usr/local/bin/evocommit --ansible --repository /etc/bind --message \"{{ commit_message | mandatory }}\""
|
||||||
|
changed_when:
|
||||||
|
- _etc_bind_git_commit.stdout
|
||||||
|
- "'CHANGED:' in _etc_bind_git_commit.stdout"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: _etc_bind_git_commit
|
||||||
|
when:
|
||||||
|
- _etc_bind_git.stat.exists
|
||||||
|
- _etc_bind_git.stat.isdir
|
||||||
|
|
||||||
|
# /usr/share/scripts
|
||||||
- name: Is /usr/share/scripts a git repository
|
- name: Is /usr/share/scripts a git repository
|
||||||
stat:
|
stat:
|
||||||
path: /usr/share/scripts/.git
|
path: /usr/share/scripts/.git
|
||||||
register: _usr_share_scripts_git
|
register: _usr_share_scripts_git
|
||||||
|
|
||||||
- include: do_commit.yml
|
- name: "evocommit /usr/share/scripts"
|
||||||
vars:
|
command: "/usr/local/bin/evocommit --ansible --repository /usr/share/scripts --message \"{{ commit_message | mandatory }}\""
|
||||||
git_folder: "/usr/share/scripts"
|
changed_when:
|
||||||
|
- _usr_share_scripts_git_commit.stdout
|
||||||
|
- "'CHANGED:' in _usr_share_scripts_git_commit.stdout"
|
||||||
|
ignore_errors: yes
|
||||||
|
register: _usr_share_scripts_git_commit
|
||||||
when:
|
when:
|
||||||
- _usr_share_scripts_git.stat.exists
|
- _usr_share_scripts_git.stat.exists
|
||||||
- _usr_share_scripts_git.stat.isdir
|
- _usr_share_scripts_git.stat.isdir
|
||||||
|
|
|
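Review bot: The `command:` string on the `evocommit /etc` task embeds `{{ commit_message | mandatory }}` inside double quotes, so a message containing a double quote or a backslash breaks the shlex-style split the command module applies to the string and can change the argument list; the `argv` form passes the message as one verbatim argument, and the same applies to the `/etc/bind` and `/usr/share/scripts` tasks. The deleted do_commit.yml included the remount-usr role before committing under /usr/share/scripts; nothing in this file does that now, so unless evocommit remounts /usr itself the third task will fail on a read-only /usr, and `ignore_errors: yes` will hide that failure. Consider replacing `ignore_errors` with a `failed_when` that tolerates only the outcomes you expect from evocommit.
```yaml
- name: "evocommit /etc"
  command:
    argv:
      - /usr/local/bin/evocommit
      - --ansible
      - --repository
      - /etc
      - --message
      - "{{ commit_message | mandatory }}"
  # … unchanged: changed_when, ignore_errors, register, when …
```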
@ -1,63 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: "Remount /usr if needed"
|
|
||||||
include_role:
|
|
||||||
name: remount-usr
|
|
||||||
when: git_folder is match('/usr/.*')
|
|
||||||
|
|
||||||
- name: "is {{ git_folder }} clean?"
|
|
||||||
command: git status --porcelain
|
|
||||||
args:
|
|
||||||
chdir: "{{ git_folder }}"
|
|
||||||
changed_when: False
|
|
||||||
register: git_status
|
|
||||||
when: not ansible_check_mode
|
|
||||||
ignore_errors: yes
|
|
||||||
tags:
|
|
||||||
- etc-git
|
|
||||||
- commit
|
|
||||||
|
|
||||||
- debug:
|
|
||||||
var: git_status
|
|
||||||
verbosity: 3
|
|
||||||
tags:
|
|
||||||
- etc-git
|
|
||||||
- commit
|
|
||||||
|
|
||||||
- name: fetch current Git user.email
|
|
||||||
git_config:
|
|
||||||
name: user.email
|
|
||||||
repo: "{{ git_folder }}"
|
|
||||||
register: git_config_user_email
|
|
||||||
ignore_errors: yes
|
|
||||||
tags:
|
|
||||||
- etc-git
|
|
||||||
- commit
|
|
||||||
|
|
||||||
- name: "set commit author"
|
|
||||||
set_fact:
|
|
||||||
commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
|
|
||||||
commit_email: '{% if git_config_user_email.config_value is not defined or not git_config_user_email.config_value %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' # noqa 204
|
|
||||||
tags:
|
|
||||||
- etc-git
|
|
||||||
- commit
|
|
||||||
|
|
||||||
- name: "{{ git_folder }} modifications are committed"
|
|
||||||
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
|
|
||||||
args:
|
|
||||||
chdir: "{{ git_folder }}"
|
|
||||||
register: commit_end_run
|
|
||||||
when:
|
|
||||||
- not ansible_check_mode
|
|
||||||
- git_status.stdout | length > 0
|
|
||||||
ignore_errors: yes
|
|
||||||
tags:
|
|
||||||
- etc-git
|
|
||||||
- commit
|
|
||||||
|
|
||||||
- debug:
|
|
||||||
var: commit_end_run
|
|
||||||
verbosity: 4
|
|
||||||
tags:
|
|
||||||
- etc-git
|
|
||||||
- commit
|
|
|
@ -7,6 +7,18 @@
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: evolix/remount-usr
|
||||||
|
|
||||||
|
- name: "evocommit script is installed"
|
||||||
|
copy:
|
||||||
|
src: evocommit
|
||||||
|
dest: /usr/local/bin/evocommit
|
||||||
|
mode: "0755"
|
||||||
|
force: yes
|
||||||
|
tags:
|
||||||
|
- etc-git
|
||||||
|
|
||||||
- include: repository.yml
|
- include: repository.yml
|
||||||
vars:
|
vars:
|
||||||
repository_path: "/etc"
|
repository_path: "/etc"
|
||||||
|
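Review bot: The new `include_role: name: evolix/remount-usr` task carries no tags while the `evocommit script is installed` copy right after it is tagged `etc-git`, so a run limited with `--tags etc-git` skips the remount and then writes to /usr/local/bin on what is presumably a read-only /usr. Giving the include the same `tags: [etc-git]` (or `always`) keeps the two in step. The deleted do_commit.yml referred to the role as `remount-usr`; `evolix/remount-usr` presumes a namespaced layout, so it is worth confirming it resolves in this repository. A `name:` on the include would also make the play output self-explanatory.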
@ -32,6 +44,24 @@
|
||||||
- _usr_share_scripts.stat.isdir
|
- _usr_share_scripts.stat.isdir
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
|
- name: "etc-git-optimize script is installed"
|
||||||
|
copy:
|
||||||
|
src: etc-git-optimize
|
||||||
|
dest: /usr/share/scripts/etc-git-optimize
|
||||||
|
mode: "0755"
|
||||||
|
force: yes
|
||||||
|
tags:
|
||||||
|
- etc-git
|
||||||
|
|
||||||
|
- name: "etc-git-status script is installed"
|
||||||
|
copy:
|
||||||
|
src: etc-git-status
|
||||||
|
dest: /usr/share/scripts/etc-git-status
|
||||||
|
mode: "0755"
|
||||||
|
force: yes
|
||||||
|
tags:
|
||||||
|
- etc-git
|
||||||
|
|
||||||
- name: Check if cron is installed
|
- name: Check if cron is installed
|
||||||
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
shell: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||||
args:
|
args:
|
||||||
|
@ -41,29 +71,44 @@
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: is_cron_installed
|
register: is_cron_installed
|
||||||
|
|
||||||
- name: Optimize script is installed in monthly crontab
|
- block:
|
||||||
copy:
|
- name: Legacy cron jobs for /etc/.git status are absent
|
||||||
src: optimize-etc-git
|
file:
|
||||||
dest: /etc/cron.monthly/optimize-etc-git
|
dest: "{{ item }}"
|
||||||
mode: "0750"
|
state: absent
|
||||||
force: no
|
loop:
|
||||||
|
- /etc/cron.monthly/optimize-etc-git
|
||||||
|
- /etc/cron.d/etc-git-status
|
||||||
|
|
||||||
|
- name: Cron job for monthly git optimization
|
||||||
|
cron:
|
||||||
|
name: "Monthly optimization"
|
||||||
|
cron_file: etc-git
|
||||||
|
special_time: "monthly"
|
||||||
|
user: root
|
||||||
|
job: "/usr/share/scripts/etc-git-optimize"
|
||||||
|
|
||||||
|
- name: Cron job for hourly git status
|
||||||
|
cron:
|
||||||
|
name: "Hourly warning for unclean Git repository if nobody is connected"
|
||||||
|
cron_file: etc-git
|
||||||
|
special_time: "hourly"
|
||||||
|
user: root
|
||||||
|
job: "who > /dev/null || /usr/share/scripts/etc-git-status"
|
||||||
|
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
|
||||||
|
|
||||||
|
- name: Cron job for daily git status
|
||||||
|
cron:
|
||||||
|
name: "Daily warning for unclean Git repository"
|
||||||
|
cron_file: etc-git
|
||||||
|
user: root
|
||||||
|
job: "/usr/share/scripts/etc-git-status"
|
||||||
|
minute: "21"
|
||||||
|
hour: "21"
|
||||||
|
weekday: "*"
|
||||||
|
day: "*"
|
||||||
|
month: "*"
|
||||||
|
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
|
||||||
when: is_cron_installed.rc == 0
|
when: is_cron_installed.rc == 0
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
|
||||||
- name: Cron job for /etc/.git status is installed
|
|
||||||
template:
|
|
||||||
src: etc-git-status.j2
|
|
||||||
dest: /etc/cron.d/etc-git-status
|
|
||||||
mode: "0644"
|
|
||||||
when: is_cron_installed.rc == 0 and etc_git_monitor_status
|
|
||||||
tags:
|
|
||||||
- etc-git
|
|
||||||
|
|
||||||
- name: Cron job for /etc/.git status is removed
|
|
||||||
file:
|
|
||||||
dest: /etc/cron.d/etc-git-status
|
|
||||||
state: absent
|
|
||||||
when: is_cron_installed.rc == 0 and not etc_git_monitor_status
|
|
||||||
tags:
|
|
||||||
- etc-git
|
|
|
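Review bot: The hourly job `who > /dev/null || /usr/share/scripts/etc-git-status` never runs the status script on a healthy host: coreutils `who` exits 0 whether or not anyone is logged in, so the `||` branch only fires if `who` itself fails. The intent stated in the task name ("if nobody is connected") is expressed by testing for empty output, e.g. `job: '[ -z "$(who)" ] && /usr/share/scripts/etc-git-status'`. The removed etc-git-status.j2 template had the same construct, so the commit carries the defect over rather than introducing it; the daily 21:21 job is unaffected.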
@ -70,4 +70,4 @@
|
||||||
register: git_commit
|
register: git_commit
|
||||||
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
|
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
|
@ -1,4 +0,0 @@
|
||||||
# {{ ansible_managed }}
|
|
||||||
|
|
||||||
@hourly root who > /dev/null || git --git-dir=/etc/.git --work-tree=/etc status --short
|
|
||||||
21 21 * * * root git --git-dir=/etc/.git --work-tree=/etc status --short
|
|
|
@ -15,12 +15,13 @@ find "${CRT_DIR}" \
|
||||||
-maxdepth 1 \
|
-maxdepth 1 \
|
||||||
-mindepth 1 \
|
-mindepth 1 \
|
||||||
-type d \
|
-type d \
|
||||||
! -path "*accounts" \
|
! -path "${CRT_DIR}/accounts" \
|
||||||
! -path "*archive" \
|
! -path "${CRT_DIR}/archive" \
|
||||||
! -path "*csr" \
|
! -path "${CRT_DIR}/csr" \
|
||||||
! -path "*hooks" \
|
! -path "${CRT_DIR}/hooks" \
|
||||||
! -path "*keys" \
|
! -path "${CRT_DIR}/keys" \
|
||||||
! -path "*live" \
|
! -path "${CRT_DIR}/live" \
|
||||||
! -path "*renewal" \
|
! -path "${CRT_DIR}/renewal" \
|
||||||
|
! -path "${CRT_DIR}/renewal-hooks" \
|
||||||
-printf "%f\n" \
|
-printf "%f\n" \
|
||||||
| xargs --max-args=1 --no-run-if-empty evoacme
|
| xargs --max-args=1 --no-run-if-empty evoacme
|
||||||
|
|
|
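Review bot: The `-printf "%f\n" | xargs --max-args=1 … evoacme` pipeline this hunk extends hands directory names to xargs unquoted, and xargs treats whitespace, quotes and backslashes in its input specially, so an unusual entry under `${CRT_DIR}` is either split into several arguments or makes xargs abort with an unmatched-quote error. Emitting NUL-terminated names avoids both: `-printf "%f\0" \` and `| xargs --null --max-args=1 --no-run-if-empty evoacme`. The `! -path "${CRT_DIR}/…"` rewrite itself is an improvement over the old `*accounts` suffix globs, which would also have excluded a certificate directory such as `foo-accounts`.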
@ -16,6 +16,4 @@ A separate `exec.yml` file can be imported manually in playbooks or roles to exe
|
||||||
## Variables
|
## Variables
|
||||||
|
|
||||||
We can force install via :
|
We can force install via :
|
||||||
* `evocheck_force_install: local` : will copy the script provided by the role
|
|
||||||
* `evocheck_force_install: package` : will install the package via repositories
|
|
||||||
* `evocheck_update_crontab` : will update the crontab (default: `True`)
|
* `evocheck_update_crontab` : will update the crontab (default: `True`)
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
---
|
---
|
||||||
evocheck_force_install: False
|
|
||||||
evocheck_update_crontab: True
|
evocheck_update_crontab: True
|
||||||
evocheck_bin_dir: /usr/share/scripts
|
evocheck_bin_dir: /usr/share/scripts
|
||||||
|
|
|
@ -4,7 +4,8 @@
|
||||||
# Script to verify compliance of a Debian/OpenBSD server
|
# Script to verify compliance of a Debian/OpenBSD server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
readonly VERSION="20.12"
|
VERSION="21.10.4"
|
||||||
|
readonly VERSION
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
|
||||||
|
@ -12,7 +13,7 @@ show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
evocheck version ${VERSION}
|
evocheck version ${VERSION}
|
||||||
|
|
||||||
Copyright 2009-2019 Evolix <info@evolix.fr>,
|
Copyright 2009-2021 Evolix <info@evolix.fr>,
|
||||||
Romain Dessort <rdessort@evolix.fr>,
|
Romain Dessort <rdessort@evolix.fr>,
|
||||||
Benoit SĂ©rie <bserie@evolix.fr>,
|
Benoit SĂ©rie <bserie@evolix.fr>,
|
||||||
Gregory Colpart <reg@evolix.fr>,
|
Gregory Colpart <reg@evolix.fr>,
|
||||||
|
@ -62,6 +63,8 @@ detect_os() {
|
||||||
8) DEBIAN_RELEASE="jessie";;
|
8) DEBIAN_RELEASE="jessie";;
|
||||||
9) DEBIAN_RELEASE="stretch";;
|
9) DEBIAN_RELEASE="stretch";;
|
||||||
10) DEBIAN_RELEASE="buster";;
|
10) DEBIAN_RELEASE="buster";;
|
||||||
|
11) DEBIAN_RELEASE="bullseye";;
|
||||||
|
12) DEBIAN_RELEASE="bookworm";;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
elif [ "$(uname -s)" = "OpenBSD" ]; then
|
elif [ "$(uname -s)" = "OpenBSD" ]; then
|
||||||
|
@ -71,7 +74,7 @@ detect_os() {
|
||||||
}
|
}
|
||||||
|
|
||||||
is_debian() {
|
is_debian() {
|
||||||
test -n "${DEBIAN_RELEASE}"
|
test -n "${DEBIAN_RELEASE}"
|
||||||
}
|
}
|
||||||
is_debian_lenny() {
|
is_debian_lenny() {
|
||||||
test "${DEBIAN_RELEASE}" = "lenny"
|
test "${DEBIAN_RELEASE}" = "lenny"
|
||||||
|
@ -91,6 +94,12 @@ is_debian_stretch() {
|
||||||
is_debian_buster() {
|
is_debian_buster() {
|
||||||
test "${DEBIAN_RELEASE}" = "buster"
|
test "${DEBIAN_RELEASE}" = "buster"
|
||||||
}
|
}
|
||||||
|
is_debian_bullseye() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "bullseye"
|
||||||
|
}
|
||||||
|
is_debian_bookworm() {
|
||||||
|
test "${DEBIAN_RELEASE}" = "bookworm"
|
||||||
|
}
|
||||||
debian_release() {
|
debian_release() {
|
||||||
printf "%s" "${DEBIAN_RELEASE}"
|
printf "%s" "${DEBIAN_RELEASE}"
|
||||||
}
|
}
|
||||||
|
@ -109,7 +118,7 @@ is_pack_samba(){
|
||||||
}
|
}
|
||||||
is_installed(){
|
is_installed(){
|
||||||
for pkg in "$@"; do
|
for pkg in "$@"; do
|
||||||
dpkg -l "$pkg" 2>/dev/null | grep -q -E '^(i|h)i' || return 1
|
dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
minifirewall_file() {
|
minifirewall_file() {
|
||||||
|
@ -147,7 +156,7 @@ check_lsbrelease(){
|
||||||
## only the major version matters
|
## only the major version matters
|
||||||
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
|
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
|
||||||
rhs=$(cut -d "." -f 1 < /etc/debian_version)
|
rhs=$(cut -d "." -f 1 < /etc/debian_version)
|
||||||
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"
|
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})"
|
||||||
else
|
else
|
||||||
failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
|
failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
|
||||||
fi
|
fi
|
||||||
|
@ -165,7 +174,7 @@ check_dpkgwarning() {
|
||||||
test -e /etc/apt/apt.conf \
|
test -e /etc/apt/apt.conf \
|
||||||
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
|
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
|
||||||
fi
|
fi
|
||||||
elif is_debian_stretch || is_debian_buster; then
|
elif is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|
||||||
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
|
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
|
||||||
fi
|
fi
|
||||||
|
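Review bot: `elif is_debian_stretch || is_debian_buster || is_debian_bullseye` stops at bullseye although this same commit maps release 12 to bookworm in detect_os and adds `is_debian_bookworm`, so on a bookworm host this check silently does nothing. The same truncated chain is added in check_aptitude, check_aptgetbak, check_listchangesconf, check_alert5boot, check_alert5minifw, check_apachemunin, check_squid, check_log2mailapache, check_autoif, check_evolinuxsudogroup, check_userinadmgroup, check_apache2evolinuxconf, check_backportsconf, check_bind9munin and check_bind9logrotate. If bookworm is meant to be covered, append `|| is_debian_bookworm` to each chain; if it is deliberately excluded until validated, a comment next to `is_debian_bookworm` saying so would keep the next release bump from repeating this. A single `is_debian_stretch_or_later` predicate would make the list hard to forget.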
@ -211,7 +220,6 @@ check_vartmpfs() {
|
||||||
else
|
else
|
||||||
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
}
|
}
|
||||||
check_serveurbase() {
|
check_serveurbase() {
|
||||||
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
|
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
|
||||||
|
@ -224,8 +232,19 @@ check_syslogconf() {
|
||||||
|| failed "IS_SYSLOGCONF" "syslog evolix config file missing"
|
|| failed "IS_SYSLOGCONF" "syslog evolix config file missing"
|
||||||
}
|
}
|
||||||
check_debiansecurity() {
|
check_debiansecurity() {
|
||||||
grep -q "^deb.*security" /etc/apt/sources.list \
|
if is_debian_bullseye; then
|
||||||
|| failed "IS_DEBIANSECURITY" "missing debian security repository"
|
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
|
||||||
|
pattern="^deb https://deb\.debian\.org/debian-security/? bullseye-security main"
|
||||||
|
elif is_debian_buster; then
|
||||||
|
pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
|
||||||
|
elif is_debian_stretch; then
|
||||||
|
pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
|
||||||
|
else
|
||||||
|
pattern="^deb.*security"
|
||||||
|
fi
|
||||||
|
|
||||||
|
source_file="/etc/apt/sources.list"
|
||||||
|
grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository"
|
||||||
}
|
}
|
||||||
check_aptitudeonly() {
|
check_aptitudeonly() {
|
||||||
if is_debian_squeeze || is_debian_wheezy; then
|
if is_debian_squeeze || is_debian_wheezy; then
|
||||||
|
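Review bot: `grep -qE "${pattern}" "${source_file}"` only looks in /etc/apt/sources.list, so a host whose security entry lives in /etc/apt/sources.list.d/ (which check_backportsconf in this same file already scans) is reported as missing the security repository; `grep -qsE "${pattern}" /etc/apt/sources.list /etc/apt/sources.list.d/*.list` covers both. The bullseye pattern also accepts only `https://deb.debian.org/debian-security`, while `http://security.debian.org/debian-security bullseye-security main` is an equally valid form, so hosts pointed at the security mirror are flagged; if both are acceptable here, `pattern="^deb https?://(deb|security)\.debian\.org/debian-security/? bullseye-security main"` admits both. The fallback `^deb.*security` for unknown releases is much looser than the others; a comment saying that bookworm intentionally falls through to it would help.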
@ -234,13 +253,13 @@ check_aptitudeonly() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_aptitude() {
|
check_aptitude() {
|
||||||
if is_debian_jessie || is_debian_stretch || is_debian_buster; then
|
if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
|
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_aptgetbak() {
|
check_aptgetbak() {
|
||||||
if is_debian_jessie || is_debian_stretch || is_debian_buster; then
|
if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "missing dpkg-divert apt-get.bak"
|
test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_apticron() {
|
check_apticron() {
|
||||||
|
@ -276,7 +295,7 @@ check_mountfstab() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_listchangesconf() {
|
check_listchangesconf() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if is_installed apt-listchanges; then
|
if is_installed apt-listchanges; then
|
||||||
failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9"
|
failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9"
|
||||||
fi
|
fi
|
||||||
|
@ -296,7 +315,7 @@ check_customcrontab() {
|
||||||
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
|
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
|
||||||
}
|
}
|
||||||
check_sshallowusers() {
|
check_sshallowusers() {
|
||||||
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
|
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|
||||||
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
|
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
|
||||||
}
|
}
|
||||||
check_diskperf() {
|
check_diskperf() {
|
||||||
|
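Review bot: `grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d` is unanchored and case-insensitive, so a commented-out `#AllowUsers …` line satisfies the check, and `-r` reads every file under sshd_config.d although the stock Debian sshd_config only includes `*.conf`; on releases without that directory grep also prints a "No such file" error on every run. Anchoring and silencing covers the first and last: `grep -E -qsir "^[[:space:]]*(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d`. Since the point of IS_SSHALLOWUSERS is that sshd actually restricts logins, reading the effective configuration from `sshd -T` instead of the files would respect Include handling and whatever sshd really loaded.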
@ -307,7 +326,7 @@ check_tmoutprofile() {
|
||||||
grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
|
grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
|
||||||
}
|
}
|
||||||
check_alert5boot() {
|
check_alert5boot() {
|
||||||
if is_debian_buster; then
|
if is_debian_buster || is_debian_bullseye; then
|
||||||
grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
|
grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
|
||||||
test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing"
|
test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing"
|
||||||
systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
|
systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
|
||||||
|
@ -320,7 +339,7 @@ check_alert5boot() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_alert5minifw() {
|
check_alert5minifw() {
|
||||||
if is_debian_buster; then
|
if is_debian_buster || is_debian_bullseye; then
|
||||||
grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \
|
grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \
|
||||||
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing"
|
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing"
|
||||||
else
|
else
|
||||||
|
@ -336,6 +355,13 @@ check_minifw() {
|
||||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
||||||
|| failed "IS_MINIFW" "minifirewall seems not starded"
|
|| failed "IS_MINIFW" "minifirewall seems not starded"
|
||||||
}
|
}
|
||||||
|
check_minifw_includes() {
|
||||||
|
if is_debian_bullseye; then
|
||||||
|
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "${MINIFW_FILE}"; then
|
||||||
|
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in ${MINIFW_FILE} that should go in /etc/minifirewall.d/"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
check_nrpeperms() {
|
check_nrpeperms() {
|
||||||
if [ -d /etc/nagios ]; then
|
if [ -d /etc/nagios ]; then
|
||||||
nagiosDir="/etc/nagios"
|
nagiosDir="/etc/nagios"
|
||||||
|
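Review bot: `grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "${MINIFW_FILE}"` also matches commented-out lines, so a host that merely kept an old `# /sbin/iptables …` line in the file fails IS_MINIFWINCLUDES, whereas check_squid in this same file filters with `^[^#]*`; `grep -qE '^[^#]*/sbin/ip6?tables' "${MINIFW_FILE}"` keeps the two consistent. Bare `iptables`/`ip6tables` invocations (via PATH, or `/usr/sbin/…`) are not caught at all; whether that matters depends on how minifirewall is written on your hosts. The check is gated on `is_debian_bullseye` only, so it goes quiet again on bookworm.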
@ -357,7 +383,11 @@ check_nrpedisks() {
|
||||||
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
|
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
|
||||||
}
|
}
|
||||||
check_nrpepid() {
|
check_nrpepid() {
|
||||||
if ! is_debian_squeeze; then
|
if is_debian_bullseye; then
|
||||||
|
{ test -e /etc/nagios/nrpe.cfg \
|
||||||
|
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
|
||||||
|
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
|
||||||
|
elif ! is_debian_squeeze; then
|
||||||
{ test -e /etc/nagios/nrpe.cfg \
|
{ test -e /etc/nagios/nrpe.cfg \
|
||||||
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
|
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
|
||||||
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
|
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
|
||||||
|
@ -372,7 +402,7 @@ check_grsecprocs() {
|
||||||
}
|
}
|
||||||
check_apachemunin() {
|
check_apachemunin() {
|
||||||
if test -e /etc/apache2/apache2.conf; then
|
if test -e /etc/apache2/apache2.conf; then
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
{ test -h /etc/apache2/mods-enabled/status.load \
|
{ test -h /etc/apache2/mods-enabled/status.load \
|
||||||
&& test -h /etc/munin/plugins/apache_accesses \
|
&& test -h /etc/munin/plugins/apache_accesses \
|
||||||
&& test -h /etc/munin/plugins/apache_processes \
|
&& test -h /etc/munin/plugins/apache_processes \
|
||||||
|
@ -392,17 +422,20 @@ check_apachemunin() {
|
||||||
check_mysqlutils() {
|
check_mysqlutils() {
|
||||||
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
|
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
|
||||||
if is_installed mysql-server; then
|
if is_installed mysql-server; then
|
||||||
# You can configure MYSQL_ADMIN in evocheck.cf
|
# With Debian 11 and later, root can connect to MariaDB with the socket
|
||||||
if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then
|
if is_debian_wheezy || is_debian_jessie || is_debian_stretch || is_debian_buster; then
|
||||||
failed "IS_MYSQLUTILS" "mysqladmin missing in /root/.my.cnf"
|
# You can configure MYSQL_ADMIN in evocheck.cf
|
||||||
|
if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then
|
||||||
|
failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
if ! test -x /usr/bin/mytop; then
|
if ! test -x /usr/bin/mytop; then
|
||||||
if ! test -x /usr/local/bin/mytop; then
|
if ! test -x /usr/local/bin/mytop; then
|
||||||
failed "IS_MYSQLUTILS" "mytop binary missing"
|
failed "IS_MYSQLUTILS" "mytop binary missing"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if ! grep -qs debian-sys-maint /root/.mytop; then
|
if ! grep -qs '^user *=' /root/.mytop; then
|
||||||
failed "IS_MYSQLUTILS" "debian-sys-maint missing in /root/.mytop"
|
failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -431,7 +464,7 @@ check_muninlogrotate() {
|
||||||
}
|
}
|
||||||
# Verification de l'activation de Squid dans le cas d'un pack mail
|
# Verification de l'activation de Squid dans le cas d'un pack mail
|
||||||
check_squid() {
|
check_squid() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
squidconffile="/etc/squid/evolinux-custom.conf"
|
squidconffile="/etc/squid/evolinux-custom.conf"
|
||||||
else
|
else
|
||||||
squidconffile="/etc/squid*/squid.conf"
|
squidconffile="/etc/squid*/squid.conf"
|
||||||
|
@ -444,7 +477,8 @@ check_squid() {
|
||||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
|
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
|
||||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
|
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
|
||||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
|
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
|
||||||
} || failed "IS_SQUID" "missing squid rules in minifirewall"
|
} || grep -qE "^PROXY='?on'?" "$MINIFW_FILE" \
|
||||||
|
|| failed "IS_SQUID" "missing squid rules in minifirewall"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_evomaintenance_fw() {
|
check_evomaintenance_fw() {
|
||||||
|
@ -473,7 +507,7 @@ check_log2mailrunning() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_log2mailapache() {
|
check_log2mailapache() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
conf=/etc/log2mail/config/apache
|
conf=/etc/log2mail/config/apache
|
||||||
else
|
else
|
||||||
conf=/etc/log2mail/config/default
|
conf=/etc/log2mail/config/default
|
||||||
|
@ -532,10 +566,10 @@ check_network_interfaces() {
|
||||||
}
|
}
|
||||||
# Verify if all if are in auto
|
# Verify if all if are in auto
|
||||||
check_autoif() {
|
check_autoif() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
||||||
else
|
else
|
||||||
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ")
|
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
|
||||||
fi
|
fi
|
||||||
for interface in $interfaces; do
|
for interface in $interfaces; do
|
||||||
if ! grep -q "^auto $interface" /etc/network/interfaces; then
|
if ! grep -q "^auto $interface" /etc/network/interfaces; then
|
||||||
|
@ -569,6 +603,7 @@ check_evobackup_exclude_mount() {
|
||||||
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
|
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
rm -rf "${excludes_file}"
|
||||||
}
|
}
|
||||||
# Verification de la presence du userlogrotate
|
# Verification de la presence du userlogrotate
|
||||||
check_userlogrotate() {
|
check_userlogrotate() {
|
||||||
|
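Review bot: `rm -rf "${excludes_file}"` uses recursive removal on a variable that, judging by its name, holds a single file, and `excludes_file` is assigned outside this hunk, so an empty value would turn this into `rm -rf ""`; `rm -f -- "${excludes_file:?}"` removes the file, aborts loudly if the variable is empty, and stops a leading `-` from being parsed as an option. Cleanup also only happens on the fall-through path; if the function can return early (its start is outside the hunk) the temporary file is left behind.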
@ -681,6 +716,7 @@ check_backupuptodate() {
|
||||||
backup_dir="/home/backup"
|
backup_dir="/home/backup"
|
||||||
if [ -d "${backup_dir}" ]; then
|
if [ -d "${backup_dir}" ]; then
|
||||||
if [ -n "$(ls -A ${backup_dir})" ]; then
|
if [ -n "$(ls -A ${backup_dir})" ]; then
|
||||||
|
# shellcheck disable=SC2231
|
||||||
for file in ${backup_dir}/*; do
|
for file in ${backup_dir}/*; do
|
||||||
limit=$(date +"%s" -d "now - 2 day")
|
limit=$(date +"%s" -d "now - 2 day")
|
||||||
updated_at=$(stat -c "%Y" "$file")
|
updated_at=$(stat -c "%Y" "$file")
|
||||||
|
@ -771,7 +807,7 @@ check_tune2fs_m5() {
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
check_evolinuxsudogroup() {
|
check_evolinuxsudogroup() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if grep -q "^evolinux-sudo:" /etc/group; then
|
if grep -q "^evolinux-sudo:" /etc/group; then
|
||||||
grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
|
grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
|
||||||
|| failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
|
|| failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
|
||||||
|
@ -779,7 +815,7 @@ check_evolinuxsudogroup() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_userinadmgroup() {
|
check_userinadmgroup() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
|
users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
|
||||||
for user in $users; do
|
for user in $users; do
|
||||||
if ! groups "$user" | grep -q adm; then
|
if ! groups "$user" | grep -q adm; then
|
||||||
|
@ -790,7 +826,7 @@ check_userinadmgroup() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_apache2evolinuxconf() {
|
check_apache2evolinuxconf() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if test -d /etc/apache2; then
|
if test -d /etc/apache2; then
|
||||||
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
|
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
|
||||||
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
|
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
|
||||||
|
@ -800,7 +836,7 @@ check_apache2evolinuxconf() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_backportsconf() {
|
check_backportsconf() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
|
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
|
||||||
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
|
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
|
||||||
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
|
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
|
||||||
|
@ -810,7 +846,7 @@ check_backportsconf() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_bind9munin() {
|
check_bind9munin() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if is_installed bind9; then
|
if is_installed bind9; then
|
||||||
{ test -L /etc/munin/plugins/bind9 \
|
{ test -L /etc/munin/plugins/bind9 \
|
||||||
&& test -e /etc/munin/plugin-conf.d/bind9;
|
&& test -e /etc/munin/plugin-conf.d/bind9;
|
||||||
|
@ -819,7 +855,7 @@ check_bind9munin() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_bind9logrotate() {
|
check_bind9logrotate() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if is_installed bind9; then
|
if is_installed bind9; then
|
||||||
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
|
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
|
||||||
fi
|
fi
|
||||||
|
@ -840,7 +876,7 @@ check_broadcomfirmware() {
|
||||||
check_hardwareraidtool() {
|
check_hardwareraidtool() {
|
||||||
LSPCI_BIN=$(command -v lspci)
|
LSPCI_BIN=$(command -v lspci)
|
||||||
if [ -x "${LSPCI_BIN}" ]; then
|
if [ -x "${LSPCI_BIN}" ]; then
|
||||||
if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then
|
if ${LSPCI_BIN} | grep -q 'MegaRAID'; then
|
||||||
# shellcheck disable=SC2015
|
# shellcheck disable=SC2015
|
||||||
is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
|
is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
|
||||||
|| failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
|
|| failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
|
||||||
|
@ -853,7 +889,7 @@ check_hardwareraidtool() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_log2mailsystemdunit() {
|
check_log2mailsystemdunit() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
systemctl -q is-active log2mail.service \
|
systemctl -q is-active log2mail.service \
|
||||||
|| failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running"
|
|| failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running"
|
||||||
test -f /etc/systemd/system/log2mail.service \
|
test -f /etc/systemd/system/log2mail.service \
|
||||||
|
@ -869,7 +905,7 @@ check_listupgrade() {
|
||||||
|| failed "IS_LISTUPGRADE" "missing listupgrade script or not executable"
|
|| failed "IS_LISTUPGRADE" "missing listupgrade script or not executable"
|
||||||
}
|
}
|
||||||
check_mariadbevolinuxconf() {
|
check_mariadbevolinuxconf() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if is_installed mariadb-server; then
|
if is_installed mariadb-server; then
|
||||||
{ test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
|
{ test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
|
||||||
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
|
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
|
||||||
|
@ -945,6 +981,7 @@ check_elastic_backup() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_mariadbsystemdunit() {
|
check_mariadbsystemdunit() {
|
||||||
|
# TODO: check if it is still needed for bullseye
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster; then
|
||||||
if is_installed mariadb-server; then
|
if is_installed mariadb-server; then
|
||||||
if systemctl -q is-active mariadb.service; then
|
if systemctl -q is-active mariadb.service; then
|
||||||
|
@ -955,7 +992,7 @@ check_mariadbsystemdunit() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_mysqlmunin() {
|
check_mysqlmunin() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if is_installed mariadb-server; then
|
if is_installed mariadb-server; then
|
||||||
for file in mysql_bytes mysql_queries mysql_slowqueries \
|
for file in mysql_bytes mysql_queries mysql_slowqueries \
|
||||||
mysql_threads mysql_connections mysql_files_tables \
|
mysql_threads mysql_connections mysql_files_tables \
|
||||||
|
@ -973,7 +1010,7 @@ check_mysqlmunin() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_mysqlnrpe() {
|
check_mysqlnrpe() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if is_installed mariadb-server; then
|
if is_installed mariadb-server; then
|
||||||
nagios_file=~nagios/.my.cnf
|
nagios_file=~nagios/.my.cnf
|
||||||
if ! test -f ${nagios_file}; then
|
if ! test -f ${nagios_file}; then
|
||||||
|
@ -989,9 +1026,10 @@ check_mysqlnrpe() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_phpevolinuxconf() {
|
check_phpevolinuxconf() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
is_debian_stretch && phpVersion="7.0"
|
is_debian_stretch && phpVersion="7.0"
|
||||||
is_debian_buster && phpVersion="7.3"
|
is_debian_buster && phpVersion="7.3"
|
||||||
|
is_debian_bullseye && phpVersion="7.4"
|
||||||
if is_installed php; then
|
if is_installed php; then
|
||||||
{ test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \
|
{ test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \
|
||||||
&& test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini
|
&& test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini
|
||||||
|
@ -1000,15 +1038,15 @@ check_phpevolinuxconf() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_squidlogrotate() {
|
check_squidlogrotate() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if is_installed squid; then
|
if is_installed squid; then
|
||||||
grep -q monthly /etc/logrotate.d/squid \
|
grep -q -e monthly -e daily /etc/logrotate.d/squid \
|
||||||
|| failed "IS_SQUIDLOGROTATE" "missing squid logrotate file"
|
|| failed "IS_SQUIDLOGROTATE" "missing squid logrotate file"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_squidevolinuxconf() {
|
check_squidevolinuxconf() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if is_installed squid; then
|
if is_installed squid; then
|
||||||
{ grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
|
{ grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
|
||||||
&& test -f /etc/squid/evolinux-defaults.conf \
|
&& test -f /etc/squid/evolinux-defaults.conf \
|
||||||
|
@ -1044,7 +1082,7 @@ check_duplicate_fs_label() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_evolix_user() {
|
check_evolix_user() {
|
||||||
grep -q "evolix:" /etc/passwd \
|
grep -q -E "^evolix:" /etc/passwd \
|
||||||
&& failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
|
&& failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
|
||||||
}
|
}
|
||||||
check_evoacme_cron() {
|
check_evoacme_cron() {
|
||||||
|
@ -1083,7 +1121,7 @@ check_apache_confenabled() {
|
||||||
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
|
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
|
||||||
# must be replaced by conf-available/ and config files symlinked
|
# must be replaced by conf-available/ and config files symlinked
|
||||||
# to conf-enabled/
|
# to conf-enabled/
|
||||||
if is_debian_jessie || is_debian_stretch || is_debian_buster; then
|
if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if [ -f /etc/apache2/apache2.conf ]; then
|
if [ -f /etc/apache2/apache2.conf ]; then
|
||||||
test -d /etc/apache2/conf.d/ \
|
test -d /etc/apache2/conf.d/ \
|
||||||
&& failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists"
|
&& failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists"
|
||||||
|
@ -1095,7 +1133,7 @@ check_apache_confenabled() {
|
||||||
check_meltdown_spectre() {
|
check_meltdown_spectre() {
|
||||||
# For Stretch, detection is easy as the kernel use
|
# For Stretch, detection is easy as the kernel use
|
||||||
# /sys/devices/system/cpu/vulnerabilities/
|
# /sys/devices/system/cpu/vulnerabilities/
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
for vuln in meltdown spectre_v1 spectre_v2; do
|
for vuln in meltdown spectre_v1 spectre_v2; do
|
||||||
test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \
|
test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \
|
||||||
|| failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln"
|
|| failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln"
|
||||||
|
@ -1148,7 +1186,7 @@ check_usrsharescripts() {
|
||||||
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
|
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
|
||||||
}
|
}
|
||||||
check_sshpermitrootno() {
|
check_sshpermitrootno() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
|
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
|
||||||
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
||||||
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
||||||
|
@ -1159,7 +1197,7 @@ check_sshpermitrootno() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_evomaintenanceusers() {
|
check_evomaintenanceusers() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
|
users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
|
||||||
else
|
else
|
||||||
if [ -f /etc/sudoers.d/evolinux ]; then
|
if [ -f /etc/sudoers.d/evolinux ]; then
|
||||||
|
@ -1295,6 +1333,154 @@ check_nginx_letsencrypt_uptodate() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_lxc_container_resolv_conf() {
|
||||||
|
if is_installed lxc; then
|
||||||
|
container_list=$(lxc-ls)
|
||||||
|
current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
|
||||||
|
|
||||||
|
for container in $container_list; do
|
||||||
|
if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then
|
||||||
|
|
||||||
|
while read -r resolver; do
|
||||||
|
if ! grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then
|
||||||
|
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf"
|
||||||
|
fi
|
||||||
|
done <<< "${current_resolvers}"
|
||||||
|
|
||||||
|
else
|
||||||
|
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
download_versions() {
|
||||||
|
local file
|
||||||
|
file=${1:-}
|
||||||
|
|
||||||
|
## The file is supposed to list programs : each on a line, then its latest version number
|
||||||
|
## Examples:
|
||||||
|
# evoacme 21.06
|
||||||
|
# evomaintenance 0.6.4
|
||||||
|
|
||||||
|
if is_debian; then
|
||||||
|
versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
|
||||||
|
elif is_openbsd; then
|
||||||
|
versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}"
|
||||||
|
else
|
||||||
|
failed "IS_VERSIONS_CHECK" "error determining os release"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# fetch timeout, in seconds
|
||||||
|
timeout=10
|
||||||
|
|
||||||
|
if command -v curl > /dev/null; then
|
||||||
|
curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}"
|
||||||
|
elif command -v wget > /dev/null; then
|
||||||
|
wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}"
|
||||||
|
elif command -v GET; then
|
||||||
|
GET -t ${timeout}s "${versions_url}" > "${versions_file}"
|
||||||
|
else
|
||||||
|
failed "IS_VERSIONS_CHECK" "failed to find curl, wget or GET"
|
||||||
|
fi
|
||||||
|
test "$?" -eq 0 || failed "IS_VERSIONS_CHECK" "failed to download ${versions_url} to ${versions_file}"
|
||||||
|
}
|
||||||
|
get_command() {
|
||||||
|
local program
|
||||||
|
program=${1:-}
|
||||||
|
|
||||||
|
case "${program}" in
|
||||||
|
## Special cases where the program name is different than the command name
|
||||||
|
evocheck) echo "${0}" ;;
|
||||||
|
evomaintenance) command -v "evomaintenance.sh" ;;
|
||||||
|
listupgrade) command -v "evolistupgrade.sh" ;;
|
||||||
|
old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;;
|
||||||
|
mysql-queries-killer) command -v "mysql-queries-killer.sh" ;;
|
||||||
|
|
||||||
|
## General case, where the program name is the same as the command name
|
||||||
|
*) command -v "${program}" ;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
get_version() {
|
||||||
|
local program
|
||||||
|
local command
|
||||||
|
program=${1:-}
|
||||||
|
command=${2:-}
|
||||||
|
|
||||||
|
case "${program}" in
|
||||||
|
## Special case if `command --version => 'command` is not the standard way to get the version
|
||||||
|
# my_command)
|
||||||
|
# /path/to/my_command --get-version
|
||||||
|
# ;;
|
||||||
|
|
||||||
|
add-vm)
|
||||||
|
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
|
||||||
|
;;
|
||||||
|
## Let's try the --version flag before falling back to grep for the constant
|
||||||
|
kvmstats)
|
||||||
|
if ${command} --version > /dev/null 2> /dev/null; then
|
||||||
|
${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3
|
||||||
|
else
|
||||||
|
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
|
## General case to get the version
|
||||||
|
*) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
check_version() {
|
||||||
|
local program
|
||||||
|
local expected_version
|
||||||
|
program=${1:-}
|
||||||
|
expected_version=${2:-}
|
||||||
|
|
||||||
|
command=$(get_command "${program}")
|
||||||
|
if [ -n "${command}" ]; then
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
actual_version=$(get_version "${program}" "${command}")
|
||||||
|
# printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}"
|
||||||
|
if [ -z "${actual_version}" ]; then
|
||||||
|
failed "IS_VERSIONS_CHECK" "failed to lookup actual version of ${program}"
|
||||||
|
elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then
|
||||||
|
failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is older than expected version ${expected_version}"
|
||||||
|
elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then
|
||||||
|
failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update tour index."
|
||||||
|
else
|
||||||
|
: # Version check OK
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
add_to_path() {
|
||||||
|
local new_path
|
||||||
|
new_path=${1:-}
|
||||||
|
|
||||||
|
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
|
||||||
|
}
|
||||||
|
check_versions() {
|
||||||
|
versions_file=$(mktemp --tmpdir=/tmp "evocheck-versions.XXXXX")
|
||||||
|
# shellcheck disable=SC2064
|
||||||
|
trap "rm -f ${versions_file}" 0
|
||||||
|
download_versions "${versions_file}"
|
||||||
|
add_to_path "/usr/share/scripts"
|
||||||
|
|
||||||
|
grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
|
||||||
|
local program
|
||||||
|
local version
|
||||||
|
program=$(echo "${line}" | cut -d ' ' -f 1)
|
||||||
|
version=$(echo "${line}" | cut -d ' ' -f 2)
|
||||||
|
|
||||||
|
if [ -n "${program}" ]; then
|
||||||
|
if [ -n "${version}" ]; then
|
||||||
|
check_version "${program}" "${version}"
|
||||||
|
else
|
||||||
|
failed "IS_VERSIONS_CHECK" "failed to lookup expected version for ${program}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
rm -f "${versions_file}"
|
||||||
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
# Default return code : 0 = no error
|
# Default return code : 0 = no error
|
||||||
RC=0
|
RC=0
|
||||||
|
@ -1349,6 +1535,8 @@ main() {
|
||||||
test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
|
test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
|
||||||
test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
|
test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
|
||||||
test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
|
test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
|
||||||
|
# Enable when minifirewall is released
|
||||||
|
test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes
|
||||||
test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
|
test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
|
||||||
test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
|
test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
|
||||||
test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
|
test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
|
||||||
|
@ -1421,6 +1609,8 @@ main() {
|
||||||
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
|
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
|
||||||
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
|
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
|
||||||
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
|
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
|
||||||
|
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
|
||||||
|
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#-----------------------------------------------------------
|
#-----------------------------------------------------------
|
||||||
|
@ -1528,10 +1718,13 @@ main() {
|
||||||
exit ${RC}
|
exit ${RC}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
PROGNAME=$(basename "$0")
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
readonly PROGNAME=$(basename "$0")
|
readonly PROGNAME
|
||||||
# shellcheck disable=2124
|
|
||||||
readonly ARGS=$@
|
# shellcheck disable=SC2124
|
||||||
|
ARGS=$@
|
||||||
|
readonly ARGS
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
export LANG=C
|
export LANG=C
|
||||||
|
@ -1557,6 +1750,7 @@ while :; do
|
||||||
IS_KERNELUPTODATE=0
|
IS_KERNELUPTODATE=0
|
||||||
IS_UPTIME=0
|
IS_UPTIME=0
|
||||||
IS_MELTDOWN_SPECTRE=0
|
IS_MELTDOWN_SPECTRE=0
|
||||||
|
IS_CHECK_VERSIONS=0
|
||||||
;;
|
;;
|
||||||
-v|--verbose)
|
-v|--verbose)
|
||||||
VERBOSE=1
|
VERBOSE=1
|
||||||
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
- name: install evocheck from package
|
|
||||||
apt:
|
|
||||||
name: evocheck
|
|
||||||
state: present
|
@ -1,10 +1,13 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: install_local.yml
|
- name: Package install is not supported anymore
|
||||||
when: evocheck_force_install == "local"
|
fail:
|
||||||
|
msg: Package install is not supported anymore
|
||||||
|
when:
|
||||||
|
- evocheck_force_install is defined
|
||||||
|
- evocheck_force_install == "package"
|
||||||
|
|
||||||
- include: install_package.yml
|
- include: install.yml
|
||||||
when: evocheck_force_install == "package"
|
|
||||||
|
|
||||||
- include: cron.yml
|
- include: cron.yml
|
||||||
when: evocheck_update_crontab | bool
|
when: evocheck_update_crontab | bool
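Review bot: The new guard only rejects `evocheck_force_install == "package"`; any other value (a typo, or a stale value from an older inventory) passes silently and `install.yml` now runs unconditionally, because the previous `when: evocheck_force_install == "local"` condition was dropped along with the package path. If the variable no longer has a meaning, it would be clearer to fail on any defined value other than "local", e.g. replace the second condition with `- evocheck_force_install != "local"` and word the message accordingly, or to drop the check and document the removal in the role README. Separately, `include:` for task files is deprecated in favour of `import_tasks:`/`include_tasks:`, and the new `- include: install.yml` line keeps the old form rather than taking the opportunity to migrate.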
@ -78,6 +78,7 @@ evolinux_packages_include: True
|
||||||
evolinux_packages_system: True
|
evolinux_packages_system: True
|
||||||
evolinux_packages_diagnostic: True
|
evolinux_packages_diagnostic: True
|
||||||
evolinux_packages_hardware: True
|
evolinux_packages_hardware: True
|
||||||
|
evolinux_packages_hardware_raid: True
|
||||||
evolinux_packages_common: True
|
evolinux_packages_common: True
|
||||||
evolinux_packages_stretch: True
|
evolinux_packages_stretch: True
|
||||||
evolinux_packages_buster: True
|
evolinux_packages_buster: True
|
||||||
|
@ -89,6 +90,7 @@ evolinux_packages_invalid_mta: True
|
||||||
evolinux_packages_delete_nfs: True
|
evolinux_packages_delete_nfs: True
|
||||||
evolinux_packages_listchanges: True
|
evolinux_packages_listchanges: True
|
||||||
evolinux_packages_logcheck_recipient: False
|
evolinux_packages_logcheck_recipient: False
|
||||||
|
evolinux_packages_delete_aptlistchanges: True
|
||||||
|
|
||||||
# system
|
# system
|
||||||
|
|
||||||
|
@ -164,8 +166,10 @@ evolinux_logs_include: True
|
||||||
|
|
||||||
evolinux_logs_logrotate_confs: True
|
evolinux_logs_logrotate_confs: True
|
||||||
evolinux_logs_default_rotate: True
|
evolinux_logs_default_rotate: True
|
||||||
|
evolinux_logs_default_dateext : True
|
||||||
evolinux_logs_disable_logrotate_rsyslog: True
|
evolinux_logs_disable_logrotate_rsyslog: True
|
||||||
evolinux_logs_rsyslog_conf: True
|
evolinux_logs_rsyslog_conf: True
|
||||||
|
evolinux_logrotate_dateformat: "-%Y%m%d%H"
|
||||||
|
|
||||||
# default www
|
# default www
|
||||||
|
|
||||||
|
@ -206,7 +210,6 @@ evolinux_fail2ban_include: False
|
||||||
# Evocheck
|
# Evocheck
|
||||||
|
|
||||||
evolinux_evocheck_include: True
|
evolinux_evocheck_include: True
|
||||||
evolinux_evocheck_force_install: "local"
|
|
||||||
|
|
||||||
# Listupgrade
|
# Listupgrade
|
||||||
|
|
||||||
|
@ -218,3 +221,6 @@ evolinux_generateldif_include: True
|
||||||
|
|
||||||
# Cron check_hpraid
|
# Cron check_hpraid
|
||||||
evolinux_cron_checkhpraid_frequency: daily
|
evolinux_cron_checkhpraid_frequency: daily
|
||||||
|
|
||||||
|
# Motd
|
||||||
|
evolinux_motd_include: True
|
@ -1,9 +1,10 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Evolix alert5 script
|
Description=Evolix alert5 script
|
||||||
|
After=network.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
ExecStart=/usr/share/scripts/alert5.sh
|
ExecStart=/usr/share/scripts/alert5.sh
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
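Review bot: `After=network.target` only orders the unit after the network management service has started, not after any interface is actually configured, so a oneshot that needs connectivity can still run before a route exists. If `/usr/share/scripts/alert5.sh` needs a working network (the name suggests it sends an alert, but the script is not on this page), the usual pairing is `Wants=network-online.target` together with `After=network-online.target`. If it does not need connectivity, a short comment in the `[Unit]` section saying why `network.target` is sufficient would spare the next reader the same question.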
1019
evolinux-base/files/backup-server-state.sh
Normal file
@ -0,0 +1,1019 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
PROGNAME="backup-server-state"
|
||||||
|
|
||||||
|
VERSION="22.01.3"
|
||||||
|
readonly VERSION
|
||||||
|
|
||||||
|
backup_dir=
|
||||||
|
rc=0
|
||||||
|
|
||||||
|
# base functions
|
||||||
|
|
||||||
|
show_version() {
|
||||||
|
cat <<END
|
||||||
|
${PROGNAME} version ${VERSION}
|
||||||
|
|
||||||
|
Copyright 2018-2022 Evolix <info@evolix.fr>,
|
||||||
|
Jérémy Lecour <jlecour@evolix.fr>
|
||||||
|
and others.
|
||||||
|
|
||||||
|
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
|
||||||
|
and you are welcome to redistribute it under certain conditions.
|
||||||
|
See the GNU General Public License v3.0 for details.
|
||||||
|
END
|
||||||
|
}
|
||||||
|
show_help() {
|
||||||
|
cat <<END
|
||||||
|
${PROGNAME} is making backup copies of information related to the state of the server.
|
||||||
|
|
||||||
|
Usage: ${PROGNAME} --backup-dir=/path/to/backup/directory [OPTIONS]
|
||||||
|
|
||||||
|
Options
|
||||||
|
-d, --backup-dir path to the directory where the backup will be stored
|
||||||
|
-f, --force keep existing backup directory and its content
|
||||||
|
--etc backup copy of /etc
|
||||||
|
--no-etc no backup copy of /etc (default)
|
||||||
|
--dpkg backup copy of /var/lib/dpkg
|
||||||
|
--no-dpkg no backup copy of /var/lib/dpkg (default)
|
||||||
|
--apt-states backup copy of apt extended states (default)
|
||||||
|
--no-apt-states no backup copy of apt extended states
|
||||||
|
--apt-config backup copy of apt configuration (default)
|
||||||
|
--no-apt-config no backup copy of apt configuration
|
||||||
|
--packages backup copy of dpkg selections (default)
|
||||||
|
--no-packages no backup copy of dpkg selections
|
||||||
|
--processes backup copy of process list (default)
|
||||||
|
--no-processes no backup copy of process list
|
||||||
|
--uptime backup of uptime value (default)
|
||||||
|
--no-uptime no backup of uptime value
|
||||||
|
--netstat backup copy of netstat (default)
|
||||||
|
--no-netstat no backup copy of netstat
|
||||||
|
--netcfg backup copy of network configuration (default)
|
||||||
|
--no-netcfg no backup copy of network configuration
|
||||||
|
--iptables backup copy of iptables (default)
|
||||||
|
--no-iptables no backup copy of iptables
|
||||||
|
--sysctl backup copy of sysctl values (default)
|
||||||
|
--no-sysctl no backup copy of sysctl values
|
||||||
|
--virsh backup copy of virsh list (default)
|
||||||
|
--no-virsh no backup copy of virsh list
|
||||||
|
--lxc backup copy of lxc list (default)
|
||||||
|
--no-lxc no backup copy of lxc list
|
||||||
|
--disks backup copy of MBR and partitions (default)
|
||||||
|
--no-disks no backup copy of MBR and partitions
|
||||||
|
--mount backup copy of mount points (default)
|
||||||
|
--no-mount no backup copy of mount points
|
||||||
|
--df backup copy of disk usage (default)
|
||||||
|
--no-df no backup copy of disk usage
|
||||||
|
--dmesg backup copy of dmesg (default)
|
||||||
|
--no-dmesg no backup copy of dmesg
|
||||||
|
--mysql backup copy of mysql processes (default)
|
||||||
|
--no-mysql no backup copy of mysql processes
|
||||||
|
--services backup copy of services states (default)
|
||||||
|
--no-services no backup copy of services states
|
||||||
|
-v, --verbose print details about backup steps
|
||||||
|
-V, --version print version and exit
|
||||||
|
-h, --help print this message and exit
|
||||||
|
END
|
||||||
|
}
|
||||||
|
debug() {
|
||||||
|
if [ "${VERBOSE}" = "1" ]; then
|
||||||
|
echo "$1"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
create_backup_dir() {
|
||||||
|
debug "Create ${backup_dir}"
|
||||||
|
|
||||||
|
last_result=$(mkdir -p "${backup_dir}" && chmod -R 755 "${backup_dir}")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* mkdir/chmod OK"
|
||||||
|
else
|
||||||
|
debug "* mkdir/chmod ERROR :"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_etc() {
|
||||||
|
debug "Backup /etc"
|
||||||
|
|
||||||
|
rsync_bin=$(command -v rsync)
|
||||||
|
|
||||||
|
if [ -n "${rsync_bin}" ]; then
|
||||||
|
last_result=$(${rsync_bin} -ah --itemize-changes --exclude=.git /etc "${backup_dir}/")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* rsync OK"
|
||||||
|
else
|
||||||
|
debug "* rsync ERROR :"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* rsync not found"
|
||||||
|
last_result=$(cp -r /etc "${backup_dir}/ && rm -rf ${backup_dir}/etc/.git")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* cp OK"
|
||||||
|
else
|
||||||
|
debug "* cp ERROR :"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_apt_states() {
|
||||||
|
apt_dir="/"
|
||||||
|
apt_dir_state="var/lib/apt"
|
||||||
|
apt_dir_state_extended_states="extended_states"
|
||||||
|
|
||||||
|
apt_config_bin=$(command -v apt-config)
|
||||||
|
|
||||||
|
if [ -n "${apt_config_bin}" ]; then
|
||||||
|
eval "$(${apt_config_bin} shell apt_dir Dir)"
|
||||||
|
eval "$(${apt_config_bin} shell apt_dir_state Dir::State)"
|
||||||
|
eval "$(${apt_config_bin} shell apt_dir_state_extended_states Dir::State::extended_states)"
|
||||||
|
fi
|
||||||
|
extended_states="${apt_dir}/${apt_dir_state}/${apt_dir_state_extended_states}"
|
||||||
|
|
||||||
|
if [ -f "${extended_states}" ]; then
|
||||||
|
debug "Backup APT states"
|
||||||
|
|
||||||
|
last_result=$(cp -r "${extended_states}" "${backup_dir}/apt-extended-states.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* cp OK"
|
||||||
|
else
|
||||||
|
debug "* cp ERROR :"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_apt_config() {
|
||||||
|
debug "Backup APT config"
|
||||||
|
|
||||||
|
apt_config_bin=$(command -v apt-config)
|
||||||
|
|
||||||
|
if [ -n "${apt_config_bin}" ]; then
|
||||||
|
last_result=$(${apt_config_bin} dump > "${backup_dir}/apt-config.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* apt-config OK"
|
||||||
|
else
|
||||||
|
debug "* apt-config ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* apt-config is not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_dpkg_full() {
|
||||||
|
debug "Backup DPkg full state"
|
||||||
|
|
||||||
|
dir_state_status="/var/lib/dpkg/status"
|
||||||
|
|
||||||
|
apt_config_bin=$(command -v apt-config)
|
||||||
|
|
||||||
|
if [ -n "${apt_config_bin}" ]; then
|
||||||
|
eval "$(${apt_config_bin} shell dir_state_status Dir::State::status)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
dpkg_dir=$(dirname "${dir_state_status}")
|
||||||
|
|
||||||
|
last_result=$(mkdir -p "${backup_dir}${dpkg_dir}" && chmod -R 755 "${backup_dir}${dpkg_dir}")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* mkdir/chmod OK"
|
||||||
|
else
|
||||||
|
debug "* mkdir/chmod ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
|
||||||
|
rsync_bin=$(command -v rsync)
|
||||||
|
|
||||||
|
if [ -n "${rsync_bin}" ]; then
|
||||||
|
last_result=$(${rsync_bin} -ah --itemize-changes --exclude='*-old' "${dpkg_dir}/" "${backup_dir}${dpkg_dir}/")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* rsync OK"
|
||||||
|
else
|
||||||
|
debug "* rsync ERROR :"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* rsync not found"
|
||||||
|
|
||||||
|
last_result=$(cp -r "${dpkg_dir}/*" "${backup_dir}${dpkg_dir}/" && rm -rf "${backup_dir}${dpkg_dir}/*-old")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* cp OK"
|
||||||
|
else
|
||||||
|
debug "* cp ERROR :"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_dpkg_status() {
|
||||||
|
debug "Backup DPkg status"
|
||||||
|
|
||||||
|
dir_state_status="/var/lib/dpkg/status"
|
||||||
|
|
||||||
|
apt_config_bin=$(command -v apt-config)
|
||||||
|
|
||||||
|
if [ -n "${apt_config_bin}" ]; then
|
||||||
|
eval "$(${apt_config_bin} shell dir_state_status Dir::State::status)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
last_result=$(cp "${dir_state_status}" "${backup_dir}/dpkg-status.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* cp OK"
|
||||||
|
else
|
||||||
|
debug "* cp ERROR :"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_packages() {
|
||||||
|
debug "Backup list of installed package"
|
||||||
|
|
||||||
|
dpkg_bin=$(command -v dpkg)
|
||||||
|
|
||||||
|
if [ -n "${dpkg_bin}" ]; then
|
||||||
|
last_result=$(${dpkg_bin} --get-selections "*" > "${backup_dir}/current_packages.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* dpkg OK"
|
||||||
|
else
|
||||||
|
debug "* dpkg ERROR :"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* dpkg not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_uname() {
|
||||||
|
debug "Backup uname"
|
||||||
|
|
||||||
|
last_result=$(uname -a > "${backup_dir}/uname.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* uname OK"
|
||||||
|
else
|
||||||
|
debug "* uname ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_uptime() {
|
||||||
|
debug "Backup uptime"
|
||||||
|
|
||||||
|
last_result=$(uptime > "${backup_dir}/uptime.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* uptime OK"
|
||||||
|
else
|
||||||
|
debug "* uptime ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_processes() {
|
||||||
|
debug "Backup process list"
|
||||||
|
|
||||||
|
last_result=$(ps fauxw > "${backup_dir}/ps.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* ps OK"
|
||||||
|
else
|
||||||
|
debug "* ps ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
|
||||||
|
pstree_bin=$(command -v pstree)
|
||||||
|
|
||||||
|
if [ -n "${pstree_bin}" ]; then
|
||||||
|
last_result=$(${pstree_bin} -pan > "${backup_dir}/pstree.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* pstree OK"
|
||||||
|
else
|
||||||
|
debug "* pstree ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_netstat() {
|
||||||
|
debug "Backup network status"
|
||||||
|
|
||||||
|
ss_bin=$(command -v ss)
|
||||||
|
|
||||||
|
if [ -n "${ss_bin}" ]; then
|
||||||
|
last_result=$(${ss_bin} -tanpul > "${backup_dir}/netstat-ss.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* ss OK"
|
||||||
|
else
|
||||||
|
debug "* ss ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* ss not found"
|
||||||
|
fi
|
||||||
|
|
||||||
|
netstat_bin=$(command -v netstat)
|
||||||
|
|
||||||
|
if [ -n "${netstat_bin}" ]; then
|
||||||
|
last_result=$(netstat -laputen > "${backup_dir}/netstat-legacy.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* netstat OK"
|
||||||
|
else
|
||||||
|
debug "* netstat ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* netstat not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_netcfg() {
|
||||||
|
debug "Backup network configuration"
|
||||||
|
|
||||||
|
ip_bin=$(command -v ip)
|
||||||
|
|
||||||
|
if [ -n "${ip_bin}" ]; then
|
||||||
|
last_result=$(${ip_bin} address show > "${backup_dir}/ip-address.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* ip address OK"
|
||||||
|
else
|
||||||
|
debug "* ip address ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
|
||||||
|
last_result=$(${ip_bin} route show > "${backup_dir}/ip-route.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* ip route OK"
|
||||||
|
else
|
||||||
|
debug "* ip route ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* ip not found"
|
||||||
|
|
||||||
|
ifconfig_bin=$(command -v ifconfig)
|
||||||
|
|
||||||
|
if [ -n "${ifconfig_bin}" ]; then
|
||||||
|
last_result=$(${ifconfig_bin} > "${backup_dir}/ifconfig.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* ifconfig OK"
|
||||||
|
else
|
||||||
|
debug "* ifconfig ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* ifconfig not found"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_iptables() {
|
||||||
|
debug "Backup iptables"
|
||||||
|
|
||||||
|
iptables_bin=$(command -v iptables)
|
||||||
|
|
||||||
|
if [ -n "${iptables_bin}" ]; then
|
||||||
|
last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${backup_dir}/iptables.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* iptables OK"
|
||||||
|
else
|
||||||
|
debug "* iptables ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* iptables not found"
|
||||||
|
fi
|
||||||
|
|
||||||
|
iptables_save_bin=$(command -v iptables-save)
|
||||||
|
|
||||||
|
if [ -n "${iptables_save_bin}" ]; then
|
||||||
|
last_result=$(${iptables_save_bin} > "${backup_dir}/iptables-save.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* iptables-save OK"
|
||||||
|
else
|
||||||
|
debug "* iptables-save ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* iptables-save not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_sysctl() {
|
||||||
|
debug "Backup sysctl values"
|
||||||
|
|
||||||
|
sysctl_bin=$(command -v sysctl)
|
||||||
|
|
||||||
|
if [ -n "${sysctl_bin}" ]; then
|
||||||
|
last_result=$(${sysctl_bin} -a | sort -h > "${backup_dir}/sysctl.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* sysctl OK"
|
||||||
|
else
|
||||||
|
debug "* sysctl ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* sysctl not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_virsh() {
|
||||||
|
debug "Backup virsh list"
|
||||||
|
|
||||||
|
virsh_bin=$(command -v virsh)
|
||||||
|
|
||||||
|
if [ -n "${virsh_bin}" ]; then
|
||||||
|
last_result=$(${virsh_bin} list --all > "${backup_dir}/virsh-list.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* virsh list OK"
|
||||||
|
else
|
||||||
|
debug "* virsh list ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* virsh not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_lxc() {
|
||||||
|
debug "Backup lxc list"
|
||||||
|
|
||||||
|
lxc_ls_bin=$(command -v lxc-ls)
|
||||||
|
|
||||||
|
if [ -n "${lxc_ls_bin}" ]; then
|
||||||
|
last_result=$(${lxc_ls_bin} --fancy > "${backup_dir}/lxc-list.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* lxc list OK"
|
||||||
|
else
|
||||||
|
debug "* lxc list ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* lxc-ls not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_disks() {
|
||||||
|
debug "Backup disks"
|
||||||
|
|
||||||
|
lsblk_bin=$(command -v lsblk)
|
||||||
|
awk_bin=$(command -v awk)
|
||||||
|
|
||||||
|
if [ -n "${lsblk_bin}" ] && [ -n "${awk_bin}" ]; then
|
||||||
|
disks=$(${lsblk_bin} -l | grep disk | grep -v -E '(drbd|fd[0-9]+)' | ${awk_bin} '{print $1}')
|
||||||
|
for disk in ${disks}; do
|
||||||
|
dd_bin=$(command -v dd)
|
||||||
|
if [ -n "${dd_bin}" ]; then
|
||||||
|
last_result=$(${dd_bin} if="/dev/${disk}" of="${backup_dir}/MBR-${disk}" bs=512 count=1 2>&1)
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* dd ${disk} OK"
|
||||||
|
else
|
||||||
|
debug "* dd ${disk} ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* dd not found"
|
||||||
|
fi
|
||||||
|
fdisk_bin=$(command -v fdisk)
|
||||||
|
if [ -n "${fdisk_bin}" ]; then
|
||||||
|
last_result=$(${fdisk_bin} -l "/dev/${disk}" > "${backup_dir}/partitions-${disk}" 2>&1)
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* fdisk ${disk} OK"
|
||||||
|
else
|
||||||
|
debug "* fdisk ${disk} ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* fdisk not found"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
cat "${backup_dir}"/partitions-* > "${backup_dir}/partitions"
|
||||||
|
else
|
||||||
|
if [ -n "${lsblk_bin}" ]; then
|
||||||
|
debug "* lsblk not found"
|
||||||
|
fi
|
||||||
|
if [ -n "${awk_bin}" ]; then
|
||||||
|
debug "* awk not found"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_mount() {
|
||||||
|
debug "Backup mount points"
|
||||||
|
|
||||||
|
findmnt_bin=$(command -v findmnt)
|
||||||
|
|
||||||
|
if [ -n "${findmnt_bin}" ]; then
|
||||||
|
last_result=$(${findmnt_bin} > "${backup_dir}/mount.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* mount points OK"
|
||||||
|
else
|
||||||
|
debug "* mount points ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* findmnt not found"
|
||||||
|
|
||||||
|
mount_bin=$(command -v mount)
|
||||||
|
|
||||||
|
if [ -n "${mount_bin}" ]; then
|
||||||
|
last_result=$(${mount_bin} > "${backup_dir}/mount.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* mount points OK"
|
||||||
|
else
|
||||||
|
debug "* mount points ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* mount not found"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_df() {
|
||||||
|
debug "Backup df"
|
||||||
|
|
||||||
|
df_bin=$(command -v df)
|
||||||
|
|
||||||
|
if [ -n "${df_bin}" ]; then
|
||||||
|
last_result=$(${df_bin} --portability > "${backup_dir}/df.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* df OK"
|
||||||
|
else
|
||||||
|
debug "* df ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* df not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_dmesg() {
|
||||||
|
debug "Backup dmesg"
|
||||||
|
|
||||||
|
dmesg_bin=$(command -v dmesg)
|
||||||
|
|
||||||
|
if [ -n "${dmesg_bin}" ]; then
|
||||||
|
last_result=$(${dmesg_bin} > "${backup_dir}/dmesg.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* dmesg OK"
|
||||||
|
else
|
||||||
|
debug "* dmesg ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* dmesg not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_mysql_processes() {
|
||||||
|
debug "Backup mysql processes"
|
||||||
|
|
||||||
|
mysqladmin_bin=$(command -v mysqladmin)
|
||||||
|
|
||||||
|
if [ -n "${mysqladmin_bin}" ]; then
|
||||||
|
last_result=$(${mysqladmin_bin} --verbose processlist > "${backup_dir}/mysql-processlist.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* mysqladmin OK"
|
||||||
|
else
|
||||||
|
debug "* mysqladmin ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* mysqladmin not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
backup_systemctl() {
|
||||||
|
debug "Backup services"
|
||||||
|
|
||||||
|
systemctl_bin=$(command -v systemctl)
|
||||||
|
|
||||||
|
if [ -n "${systemctl_bin}" ]; then
|
||||||
|
last_result=$(${systemctl_bin} --no-legend --state=failed --type=service > "${backup_dir}/systemctl-failed-services.txt")
|
||||||
|
last_rc=$?
|
||||||
|
|
||||||
|
if [ ${last_rc} -eq 0 ]; then
|
||||||
|
debug "* failed services OK"
|
||||||
|
else
|
||||||
|
debug "* failed services ERROR"
|
||||||
|
debug "${last_result}"
|
||||||
|
rc=10
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
debug "* systemctl not found"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
main() {
|
||||||
|
if [ -z "${backup_dir}" ]; then
|
||||||
|
echo "ERROR: You must provide the --backup-dir argument" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -d "${backup_dir}" ]; then
|
||||||
|
if [ "${FORCE}" != "1" ]; then
|
||||||
|
echo "ERROR: The backup directory ${backup_dir} already exists. Delete it first." >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
create_backup_dir
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${DO_ETC}" -eq 1 ]; then
|
||||||
|
backup_etc
|
||||||
|
fi
|
||||||
|
if [ "${DO_DPKG_FULL}" -eq 1 ]; then
|
||||||
|
backup_dpkg_full
|
||||||
|
fi
|
||||||
|
if [ "${DO_DPKG_STATUS}" -eq 1 ]; then
|
||||||
|
backup_dpkg_status
|
||||||
|
fi
|
||||||
|
if [ "${DO_APT_STATES}" -eq 1 ]; then
|
||||||
|
backup_apt_states
|
||||||
|
fi
|
||||||
|
if [ "${DO_APT_CONFIG}" -eq 1 ]; then
|
||||||
|
backup_apt_config
|
||||||
|
fi
|
||||||
|
if [ "${DO_PACKAGES}" -eq 1 ]; then
|
||||||
|
backup_packages
|
||||||
|
fi
|
||||||
|
if [ "${DO_PROCESSES}" -eq 1 ]; then
|
||||||
|
backup_processes
|
||||||
|
fi
|
||||||
|
if [ "${DO_UPTIME}" -eq 1 ]; then
|
||||||
|
backup_uptime
|
||||||
|
fi
|
||||||
|
if [ "${DO_UNAME}" -eq 1 ]; then
|
||||||
|
backup_uname
|
||||||
|
fi
|
||||||
|
if [ "${DO_NETSTAT}" -eq 1 ]; then
|
||||||
|
backup_netstat
|
||||||
|
fi
|
||||||
|
if [ "${DO_NETCFG}" -eq 1 ]; then
|
||||||
|
backup_netcfg
|
||||||
|
fi
|
||||||
|
if [ "${DO_IPTABLES}" -eq 1 ]; then
|
||||||
|
backup_iptables
|
||||||
|
fi
|
||||||
|
if [ "${DO_SYSCTL}" -eq 1 ]; then
|
||||||
|
backup_sysctl
|
||||||
|
fi
|
||||||
|
if [ "${DO_VIRSH}" -eq 1 ]; then
|
||||||
|
backup_virsh
|
||||||
|
fi
|
||||||
|
if [ "${DO_LXC}" -eq 1 ]; then
|
||||||
|
backup_lxc
|
||||||
|
fi
|
||||||
|
if [ "${DO_DISKS}" -eq 1 ]; then
|
||||||
|
backup_disks
|
||||||
|
fi
|
||||||
|
if [ "${DO_MOUNT}" -eq 1 ]; then
|
||||||
|
backup_mount
|
||||||
|
fi
|
||||||
|
if [ "${DO_DF}" -eq 1 ]; then
|
||||||
|
backup_df
|
||||||
|
fi
|
||||||
|
if [ "${DO_DMESG}" -eq 1 ]; then
|
||||||
|
backup_dmesg
|
||||||
|
fi
|
||||||
|
if [ "${DO_MYSQL_PROCESSES}" -eq 1 ]; then
|
||||||
|
backup_mysql_processes
|
||||||
|
fi
|
||||||
|
if [ "${DO_SYSTEMCTL}" -eq 1 ]; then
|
||||||
|
backup_systemctl
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
debug "=> Your backup is available at ${backup_dir}"
|
||||||
|
exit ${rc}
|
||||||
|
}
|
||||||
|
|
||||||
|
# parse options
|
||||||
|
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||||
|
while :; do
|
||||||
|
case $1 in
|
||||||
|
-h|-\?|--help)
|
||||||
|
show_help
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
-V|--version)
|
||||||
|
show_version
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
-v|--verbose)
|
||||||
|
VERBOSE=1
|
||||||
|
;;
|
||||||
|
|
||||||
|
-f|--force)
|
||||||
|
FORCE=1
|
||||||
|
;;
|
||||||
|
|
||||||
|
-d|--backup-dir)
|
||||||
|
# with value separated by space
|
||||||
|
if [ -n "$2" ]; then
|
||||||
|
backup_dir=$2
|
||||||
|
shift
|
||||||
|
else
|
||||||
|
printf 'ERROR: "-d|--backup-dir" requires a non-empty option argument.\n' >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
--backup-dir=?*)
|
||||||
|
# with value speparated by =
|
||||||
|
backup_dir=${1#*=}
|
||||||
|
;;
|
||||||
|
--backup-dir=)
|
||||||
|
# without value
|
||||||
|
printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
|
||||||
|
--etc)
|
||||||
|
DO_ETC=1
|
||||||
|
;;
|
||||||
|
--no-etc)
|
||||||
|
DO_ETC=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--dpkg-full)
|
||||||
|
DO_DPKG_FULL=1
|
||||||
|
;;
|
||||||
|
--no-dpkg-full)
|
||||||
|
DO_DPKG_FULL=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--dpkg-status)
|
||||||
|
DO_DPKG_STATUS=1
|
||||||
|
;;
|
||||||
|
--no-dpkg-status)
|
||||||
|
DO_DPKG_STATUS=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--apt-states)
|
||||||
|
DO_APT_STATES=1
|
||||||
|
;;
|
||||||
|
--no-apt-states)
|
||||||
|
DO_APT_STATES=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--apt-config)
|
||||||
|
DO_APT_CONFIG=1
|
||||||
|
;;
|
||||||
|
--no-apt-config)
|
||||||
|
DO_APT_CONFIG=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--packages)
|
||||||
|
DO_PACKAGES=1
|
||||||
|
;;
|
||||||
|
--no-packages)
|
||||||
|
DO_PACKAGES=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--processes)
|
||||||
|
DO_PROCESSES=1
|
||||||
|
;;
|
||||||
|
--no-processes)
|
||||||
|
DO_PROCESSES=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--uptime)
|
||||||
|
DO_UPTIME=1
|
||||||
|
;;
|
||||||
|
--no-uptime)
|
||||||
|
DO_UPTIME=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--uname)
|
||||||
|
DO_UNAME=1
|
||||||
|
;;
|
||||||
|
--no-uname)
|
||||||
|
DO_UNAME=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--netstat)
|
||||||
|
DO_NETSTAT=1
|
||||||
|
;;
|
||||||
|
--no-netstat)
|
||||||
|
DO_NETSTAT=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--netcfg)
|
||||||
|
DO_NETCFG=1
|
||||||
|
;;
|
||||||
|
--no-netcfg)
|
||||||
|
DO_NETCFG=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--iptables)
|
||||||
|
DO_IPTABLES=1
|
||||||
|
;;
|
||||||
|
--no-iptables)
|
||||||
|
DO_IPTABLES=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--sysctl)
|
||||||
|
DO_SYSCTL=1
|
||||||
|
;;
|
||||||
|
--no-sysctl)
|
||||||
|
DO_SYSCTL=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--virsh)
|
||||||
|
DO_VIRSH=1
|
||||||
|
;;
|
||||||
|
--no-virsh)
|
||||||
|
DO_VIRSH=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--lxc)
|
||||||
|
DO_LXC=1
|
||||||
|
;;
|
||||||
|
--no-lxc)
|
||||||
|
DO_LXC=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--disks)
|
||||||
|
DO_DISKS=1
|
||||||
|
;;
|
||||||
|
--no-disks)
|
||||||
|
DO_DISKS=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--mount)
|
||||||
|
DO_MOUNT=1
|
||||||
|
;;
|
||||||
|
--no-mount)
|
||||||
|
DO_MOUNT=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--df)
|
||||||
|
DO_DF=1
|
||||||
|
;;
|
||||||
|
--no-df)
|
||||||
|
DO_DF=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--dmesg)
|
||||||
|
DO_DMESG=1
|
||||||
|
;;
|
||||||
|
--no-dmesg)
|
||||||
|
DO_DMESG=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--mysql-processes)
|
||||||
|
DO_MYSQL_PROCESSES=1
|
||||||
|
;;
|
||||||
|
--no-mysql-processes)
|
||||||
|
DO_MYSQL_PROCESSES=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--systemctl)
|
||||||
|
DO_SYSTEMCTL=1
|
||||||
|
;;
|
||||||
|
--no-systemctl)
|
||||||
|
DO_SYSTEMCTL=0
|
||||||
|
;;
|
||||||
|
|
||||||
|
--)
|
||||||
|
# End of all options.
|
||||||
|
shift
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
-?*)
|
||||||
|
# ignore unknown options
|
||||||
|
printf 'WARN: Unknown option : %s\n' "$1" >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# Default case: If no more options then break out of the loop.
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
|
||||||
|
# Default values
|
||||||
|
: "${VERBOSE:=0}"
|
||||||
|
: "${FORCE:=0}"
|
||||||
|
: "${DO_ETC:=0}"
|
||||||
|
: "${DO_DPKG_FULL:=0}"
|
||||||
|
: "${DO_DPKG_STATUS:=1}"
|
||||||
|
: "${DO_APT_STATES:=1}"
|
||||||
|
: "${DO_APT_CONFIG:=1}"
|
||||||
|
: "${DO_PACKAGES:=1}"
|
||||||
|
: "${DO_PROCESSES:=1}"
|
||||||
|
: "${DO_UNAME:=1}"
|
||||||
|
: "${DO_UPTIME:=1}"
|
||||||
|
: "${DO_NETSTAT:=1}"
|
||||||
|
: "${DO_NETCFG:=1}"
|
||||||
|
: "${DO_IPTABLES:=1}"
|
||||||
|
: "${DO_SYSCTL:=1}"
|
||||||
|
: "${DO_VIRSH:=1}"
|
||||||
|
: "${DO_LXC:=1}"
|
||||||
|
: "${DO_DISKS:=1}"
|
||||||
|
: "${DO_MOUNT:=1}"
|
||||||
|
: "${DO_DF:=1}"
|
||||||
|
: "${DO_DMESG:=1}"
|
||||||
|
: "${DO_MYSQL_PROCESSES:=1}"
|
||||||
|
: "${DO_SYSTEMCTL:=1}"
|
||||||
|
|
||||||
|
export LC_ALL=C
|
||||||
|
|
||||||
|
set -u
|
||||||
|
|
||||||
|
main
|
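--- a/evolinux-base/files/htoprc
+++ b/evolinux-base/files/htoprc
@@ -0,0 +1,2 @@
+# Force the SWAP column to the right of the CPU one
+fields=0 48 17 18 38 39 40 119 2 46 47 49 1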
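--- a/evolinux-base/files/logs/logrotate.d/alternatives
+++ b/evolinux-base/files/logs/logrotate.d/alternatives
@@ -0,0 +1,9 @@
+/var/log/alternatives.log {
+monthly
+rotate 120
+compress
+delaycompress
+missingok
+notifempty
+create 644 root root
+}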
|
@ -6,14 +6,4 @@
|
||||||
missingok
|
missingok
|
||||||
notifempty
|
notifempty
|
||||||
create 644 root root
|
create 644 root root
|
||||||
}
|
}
|
||||||
/var/log/alternatives.log {
|
|
||||||
monthly
|
|
||||||
rotate 120
|
|
||||||
compress
|
|
||||||
delaycompress
|
|
||||||
missingok
|
|
||||||
notifempty
|
|
||||||
create 644 root root
|
|
||||||
}
|
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
weekly
|
weekly
|
||||||
missingok
|
missingok
|
||||||
rotate 3
|
rotate 3
|
||||||
compress
|
compress
|
||||||
notifempty
|
notifempty
|
||||||
create 640 root adm
|
create 640 root adm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,11 +1,7 @@
|
||||||
/var/log/procmail.log {
|
/var/log/procmail.log {
|
||||||
daily
|
daily
|
||||||
rotate 365
|
rotate 365
|
||||||
dateext
|
|
||||||
dateyesterday
|
|
||||||
dateformat .%Y%m%d
|
|
||||||
missingok
|
missingok
|
||||||
rotate 365
|
|
||||||
create 640 root adm
|
create 640 root adm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
15
evolinux-base/files/topdefaultrc
Normal file
15
evolinux-base/files/topdefaultrc
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
top's Config File (Linux processes with windows)
|
||||||
|
Id:j, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0
|
||||||
|
Def fieldscur=Ä·&')*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||||
|
winflags=193844, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||||
|
summclr=1, msgsclr=1, headclr=3, taskclr=1
|
||||||
|
Job fieldscur=(Ä»@<)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||||
|
winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||||
|
summclr=6, msgsclr=6, headclr=7, taskclr=6
|
||||||
|
Mem fieldscur=<MBND34&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||||
|
winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||||
|
summclr=5, msgsclr=5, headclr=4, taskclr=5
|
||||||
|
Usr fieldscur=)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||||
|
winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||||
|
summclr=3, msgsclr=3, headclr=2, taskclr=3
|
||||||
|
Fixed_widest=0, Summ_mscale=1, Task_mscale=0, Zero_suppress=0
|
|
@ -14,6 +14,7 @@ galaxy_info:
|
||||||
- jessie
|
- jessie
|
||||||
- stretch
|
- stretch
|
||||||
- buster
|
- buster
|
||||||
|
- bullseye
|
||||||
|
|
||||||
galaxy_tags: []
|
galaxy_tags: []
|
||||||
# List tags for your role here, one per line. A tag is
|
# List tags for your role here, one per line. A tag is
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
---
|
---
|
||||||
# TODO: trouver comment faire une copie initiale de /etc/fstab
|
# TODO: trouver comment faire une copie initiale de /etc/fstab
|
||||||
|
# - piste : paramètre "backup" du module mount https://docs.ansible.com/ansible/latest/collections/ansible/posix/mount_module.html
|
||||||
# TODO: try to use the custom mount_uuid module for a different approach
|
# TODO: try to use the custom mount_uuid module for a different approach
|
||||||
|
|
||||||
- name: Fetch fstab content
|
- name: Fetch fstab content
|
||||||
|
|
|
@ -3,6 +3,8 @@
|
||||||
apt:
|
apt:
|
||||||
name: pciutils
|
name: pciutils
|
||||||
state: present
|
state: present
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
## Broadcom NetXtreme II
|
## Broadcom NetXtreme II
|
||||||
|
|
||||||
|
@ -12,6 +14,8 @@
|
||||||
register: broadcom_netextreme_search
|
register: broadcom_netextreme_search
|
||||||
failed_when: False
|
failed_when: False
|
||||||
changed_when: False
|
changed_when: False
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
# TODO: add the "non-free" part to the existing sources
|
# TODO: add the "non-free" part to the existing sources
|
||||||
# instead of adding a new source
|
# instead of adding a new source
|
||||||
|
@ -22,18 +26,43 @@
|
||||||
tasks_from: basics.yml
|
tasks_from: basics.yml
|
||||||
vars:
|
vars:
|
||||||
apt_basics_components: "main contrib non-free"
|
apt_basics_components: "main contrib non-free"
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
when: broadcom_netextreme_search.rc == 0
|
when: broadcom_netextreme_search.rc == 0
|
||||||
|
|
||||||
|
|
||||||
|
## Dedicated hardware
|
||||||
|
- name: Install freepmi when it's dedicated hardware
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- libipc-run-perl
|
||||||
|
- freeipmi
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
when: ansible_virtualization_role == "host"
|
||||||
|
|
||||||
## RAID
|
## RAID
|
||||||
# Dell and others: MegaRAID SAS
|
# Dell and others: MegaRAID SAS
|
||||||
# HP gen <10: Hewlett-Packard Company Smart Array
|
# HP gen <10: Hewlett-Packard Company Smart Array
|
||||||
# HP gen >=10: Adaptec Smart Storage PQI
|
# HP gen >=10: Adaptec Smart Storage PQI
|
||||||
- name: Detect if RAID is installed
|
- name: Detect if RAID is installed
|
||||||
shell: "set -o pipefail && lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'"
|
shell:
|
||||||
|
cmd: "lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'"
|
||||||
|
executable: /bin/bash
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: raidmodel
|
register: raidmodel
|
||||||
changed_when: "'FAILED' in raidmodel.stdout"
|
changed_when: "'FAILED' in raidmodel.stdout"
|
||||||
failed_when: "'FAILED' in raidmodel.stdout"
|
failed_when: "'FAILED' in raidmodel.stdout"
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: HPE Smart Storage Administrator (ssacli) is present
|
- name: HPE Smart Storage Administrator (ssacli) is present
|
||||||
block:
|
block:
|
||||||
|
@ -42,6 +71,9 @@
|
||||||
id: "26C2B797"
|
id: "26C2B797"
|
||||||
keyring: /etc/apt/trusted.gpg
|
keyring: /etc/apt/trusted.gpg
|
||||||
state: absent
|
state: absent
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: HPE GPG key is installed
|
- name: HPE GPG key is installed
|
||||||
copy:
|
copy:
|
||||||
|
@ -51,17 +83,25 @@
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Add HPE repository
|
- name: Add HPE repository
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free'
|
repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free'
|
||||||
state: present
|
state: present
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Install HPE Smart Storage Administrator (ssacli)
|
- name: Install HPE Smart Storage Administrator (ssacli)
|
||||||
apt:
|
apt:
|
||||||
name: ssacli
|
name: ssacli
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
when:
|
when:
|
||||||
- "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
|
- "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
|
||||||
- "'Adaptec Smart Storage PQI' in raidmodel.stdout"
|
- "'Adaptec Smart Storage PQI' in raidmodel.stdout"
|
||||||
|
- evolinux_packages_hardware_raid | bool
|
||||||
|
|
||||||
# NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role
|
# NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role
|
||||||
# So, if nagios-nrpe role is not installed it will not work
|
# So, if nagios-nrpe role is not installed it will not work
|
||||||
|
@ -72,6 +112,8 @@
|
||||||
src: check_hpraid.cron.sh
|
src: check_hpraid.cron.sh
|
||||||
dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid
|
dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
when: "'Adaptec Smart Storage PQI' in raidmodel.stdout"
|
when: "'Adaptec Smart Storage PQI' in raidmodel.stdout"
|
||||||
|
|
||||||
- name: Install and configure cciss-vol-status (HP gen <10)
|
- name: Install and configure cciss-vol-status (HP gen <10)
|
||||||
|
@ -80,12 +122,16 @@
|
||||||
apt:
|
apt:
|
||||||
name: cciss-vol-status
|
name: cciss-vol-status
|
||||||
state: present
|
state: present
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: cciss-vol-statusd init script is present (HP gen <10)
|
- name: cciss-vol-statusd init script is present (HP gen <10)
|
||||||
template:
|
template:
|
||||||
src: hardware/cciss-vol-statusd.j2
|
src: hardware/cciss-vol-statusd.j2
|
||||||
dest: /etc/init.d/cciss-vol-statusd
|
dest: /etc/init.d/cciss-vol-statusd
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Configure cciss-vol-statusd (HP gen <10)
|
- name: Configure cciss-vol-statusd (HP gen <10)
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -93,22 +139,31 @@
|
||||||
line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"'
|
line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"'
|
||||||
regexp: 'MAILTO='
|
regexp: 'MAILTO='
|
||||||
create: yes
|
create: yes
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
|
||||||
- name: Enable cciss-vol-status in systemd (HP gen <10)
|
- name: Enable cciss-vol-status in systemd (HP gen <10)
|
||||||
service:
|
service:
|
||||||
name: cciss-vol-statusd
|
name: cciss-vol-statusd
|
||||||
enabled: true
|
enabled: true
|
||||||
state: restarted
|
state: restarted
|
||||||
when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
|
tags:
|
||||||
|
- packages
|
||||||
|
- config
|
||||||
|
when:
|
||||||
|
- "'Hewlett-Packard Company Smart Array' in raidmodel.stdout"
|
||||||
|
- evolinux_packages_hardware_raid | bool
|
||||||
|
|
||||||
- name: MegaRAID SAS package is present
|
- name: MegaCLI SAS package is present
|
||||||
block:
|
block:
|
||||||
- name: HWRaid embedded GPG key is absent
|
- name: HWRaid embedded GPG key is absent
|
||||||
apt_key:
|
apt_key:
|
||||||
id: "23B3D3B4"
|
id: "23B3D3B4"
|
||||||
keyring: /etc/apt/trusted.gpg
|
keyring: /etc/apt/trusted.gpg
|
||||||
state: absent
|
state: absent
|
||||||
when: ansible_distribution_major_version is version('9', '>=')
|
tags:
|
||||||
|
- packages
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
|
|
||||||
- name: HWRaid GPG key is installed
|
- name: HWRaid GPG key is installed
|
||||||
copy:
|
copy:
|
||||||
|
@ -118,12 +173,16 @@
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
when: ansible_distribution_major_version is version('9', '>=')
|
when: ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
||||||
- name: Add HW tool repository
|
- name: Add HW tool repository
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main'
|
repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main'
|
||||||
state: present
|
state: present
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Install packages for DELL/LSI hardware
|
- name: Install packages for DELL/LSI hardware
|
||||||
apt:
|
apt:
|
||||||
|
@ -131,18 +190,27 @@
|
||||||
- megacli
|
- megacli
|
||||||
- megaclisas-status
|
- megaclisas-status
|
||||||
allow_unauthenticated: yes
|
allow_unauthenticated: yes
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Configure packages for DELL/LSI hardware
|
- name: Configure packages for DELL/LSI hardware
|
||||||
template:
|
template:
|
||||||
src: hardware/megaclisas-statusd.j2
|
src: hardware/megaclisas-statusd.j2
|
||||||
dest: /etc/default/megaclisas-statusd
|
dest: /etc/default/megaclisas-statusd
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
|
||||||
- name: Enable DELL/LSI hardware in systemd
|
- name: Enable DELL/LSI hardware in systemd
|
||||||
service:
|
service:
|
||||||
name: megaclisas-statusd
|
name: megaclisas-statusd
|
||||||
enabled: true
|
enabled: true
|
||||||
state: started
|
state: restarted
|
||||||
when: "'MegaRAID SAS' in raidmodel.stdout"
|
tags:
|
||||||
|
- packages
|
||||||
|
- config
|
||||||
|
when:
|
||||||
|
- "'MegaRAID' in raidmodel.stdout"
|
||||||
|
- evolinux_packages_hardware_raid | bool
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
6
evolinux-base/tasks/htop.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: Deploy htop configuration
|
||||||
|
copy:
|
||||||
|
src: htoprc
|
||||||
|
dest: /etc/htoprc
|
||||||
|
mode: "0644"
|
|
@ -8,8 +8,8 @@
|
||||||
state: present
|
state: present
|
||||||
reload: yes
|
reload: yes
|
||||||
loop:
|
loop:
|
||||||
- { name: kernel.panic_on_oops, value: 1 }
|
- { name: kernel.panic_on_oops, value: 1 }
|
||||||
- { name: kernel.panic, value: 60 }
|
- { name: kernel.panic, value: 60 }
|
||||||
when: evolinux_kernel_reboot_after_panic | bool
|
when: evolinux_kernel_reboot_after_panic | bool
|
||||||
|
|
||||||
- name: Don't reboot after panic
|
- name: Don't reboot after panic
|
||||||
|
@ -19,14 +19,14 @@
|
||||||
state: absent
|
state: absent
|
||||||
reload: yes
|
reload: yes
|
||||||
loop:
|
loop:
|
||||||
- kernel.panic_on_oops
|
- kernel.panic_on_oops
|
||||||
- kernel.panic
|
- kernel.panic
|
||||||
when: not evolinux_kernel_reboot_after_panic | bool
|
when: not evolinux_kernel_reboot_after_panic | bool
|
||||||
|
|
||||||
- name: Disable net.ipv4.tcp_timestamps
|
- name: Disable net.ipv4.tcp_timestamps
|
||||||
sysctl:
|
sysctl:
|
||||||
name: net.ipv4.tcp_timestamps
|
name: net.ipv4.tcp_timestamps
|
||||||
value: 0
|
value: '0'
|
||||||
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
|
||||||
state: present
|
state: present
|
||||||
reload: yes
|
reload: yes
|
||||||
|
|
|
@ -30,11 +30,34 @@
|
||||||
dest: /etc/logrotate.d/zsyslog
|
dest: /etc/logrotate.d/zsyslog
|
||||||
when: evolinux_logs_logrotate_confs | bool
|
when: evolinux_logs_logrotate_confs | bool
|
||||||
|
|
||||||
- name: Configure logrotate.conf
|
- name: Configure logrotate.conf default rotate value
|
||||||
replace:
|
replace:
|
||||||
dest: /etc/logrotate.conf
|
dest: /etc/logrotate.conf
|
||||||
regexp: "rotate [0-9]+"
|
regexp: "rotate [0-9]+"
|
||||||
replace: "rotate 12"
|
replace: "rotate 12"
|
||||||
when: evolinux_logs_default_rotate | bool
|
when: evolinux_logs_default_rotate | bool
|
||||||
|
|
||||||
|
- name: Enable logrotate.conf dateext option
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/logrotate.conf
|
||||||
|
line: "dateext"
|
||||||
|
regexp: "^#?\\s*dateext"
|
||||||
|
when: evolinux_logs_default_dateext | bool
|
||||||
|
|
||||||
|
- name: Enable logrotate.conf dateformat option
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/logrotate.conf
|
||||||
|
line: "dateformat {{ evolinux_logrotate_dateformat | mandatory }}"
|
||||||
|
regexp: "^#?\\s*dateformat.*"
|
||||||
|
insertafter: 'dateext'
|
||||||
|
when: evolinux_logs_default_dateext | bool
|
||||||
|
|
||||||
|
- name: Disable logrotate.conf dateyesterday option
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/logrotate.conf
|
||||||
|
line: "# dateyesterday"
|
||||||
|
regexp: "^\\s*dateyesterday"
|
||||||
|
insertafter: 'dateext'
|
||||||
|
when: evolinux_logs_default_dateext | bool
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
|
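Review bot: `insertafter: 'dateext'` on the new dateformat and dateyesterday tasks is a regular expression, so it also matches a commented-out `# dateext` line, and when nothing matches lineinfile appends at end of file, where a global option written after an `include` line may not apply to the stanzas that include pulls in. Anchoring on the active directive, `insertafter: '^dateext'`, keeps both insertions next to the line the first task guarantees exists. The pattern `regexp: "^#?\\s*dateformat.*"` does not match a `#` preceded by whitespace; `"^\\s*#?\\s*dateformat.*"` (and the same for dateext) covers that form as well. The `replace` task above these is unchanged by the commit.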
@ -13,6 +13,7 @@
|
||||||
vars:
|
vars:
|
||||||
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
|
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
|
||||||
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
|
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
|
||||||
|
apt_upgrade: "{{ evolinux_apt_upgrade }}"
|
||||||
when: evolinux_apt_include | bool
|
when: evolinux_apt_include | bool
|
||||||
|
|
||||||
- name: /etc versioning with Git
|
- name: /etc versioning with Git
|
||||||
|
@ -97,6 +98,9 @@
|
||||||
when: evolinux_log2mail_include | bool
|
when: evolinux_log2mail_include | bool
|
||||||
|
|
||||||
- include: motd.yml
|
- include: motd.yml
|
||||||
|
when: evolinux_motd_include | bool
|
||||||
|
|
||||||
|
- include: utils.yml
|
||||||
|
|
||||||
- name: Munin
|
- name: Munin
|
||||||
include_role:
|
include_role:
|
||||||
|
@ -116,8 +120,6 @@
|
||||||
- name: Evocheck
|
- name: Evocheck
|
||||||
include_role:
|
include_role:
|
||||||
name: evolix/evocheck
|
name: evolix/evocheck
|
||||||
vars:
|
|
||||||
evocheck_force_install: "{{ evolinux_evocheck_force_install }}"
|
|
||||||
when: evolinux_evocheck_include | bool
|
when: evolinux_evocheck_include | bool
|
||||||
|
|
||||||
- name: Listupgrade
|
- name: Listupgrade
|
||||||
|
@ -129,3 +131,7 @@
|
||||||
include_role:
|
include_role:
|
||||||
name: evolix/generate-ldif
|
name: evolix/generate-ldif
|
||||||
when: evolinux_generateldif_include | bool
|
when: evolinux_generateldif_include | bool
|
||||||
|
|
||||||
|
- include: top.yml
|
||||||
|
|
||||||
|
- include: htop.yml
|
||||||
|
|
|
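Review bot: The new `- include: utils.yml`, `- include: top.yml` and `- include: htop.yml` run unconditionally, whereas every neighbouring include in this file is gated by a flag (`when: evolinux_motd_include | bool`, `when: evolinux_evocheck_include | bool`, ...); adding matching defaults, for example `evolinux_utils_include`, `evolinux_top_include` and `evolinux_htop_include` (names proposed here, not existing variables), would let operators opt out as they can for the others. This matters most for utils.yml, which deploys `/sbin/deny` and `/usr/local/sbin/backup-server-state` rather than a cosmetic rc file. `include:` is the deprecated form; the file already uses it throughout, so a move to `import_tasks` can be a separate consistent change.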
@ -16,6 +16,7 @@
|
||||||
- ssl-cert
|
- ssl-cert
|
||||||
- ca-certificates
|
- ca-certificates
|
||||||
- rename
|
- rename
|
||||||
|
- dmidecode
|
||||||
when: evolinux_packages_system | bool
|
when: evolinux_packages_system | bool
|
||||||
|
|
||||||
- name: Install/Update diagnostic tools
|
- name: Install/Update diagnostic tools
|
||||||
|
@ -34,6 +35,7 @@
|
||||||
- telnet
|
- telnet
|
||||||
- traceroute
|
- traceroute
|
||||||
- man
|
- man
|
||||||
|
- molly-guard
|
||||||
when: evolinux_packages_diagnostic | bool
|
when: evolinux_packages_diagnostic | bool
|
||||||
|
|
||||||
- name: Install/Update hardware tools
|
- name: Install/Update hardware tools
|
||||||
|
@ -143,5 +145,6 @@
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
- ansible_distribution_major_version is version('9', '>=')
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
|
- evolinux_packages_delete_aptlistchanges
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
|
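Review bot: The added condition `- evolinux_packages_delete_aptlistchanges` has no `| bool` cast, unlike `when: evolinux_packages_system | bool` and `when: evolinux_packages_diagnostic | bool` in the same file; a string value such as `"false"` coming from inventory or extra-vars is truthy and the task would run. Use `- evolinux_packages_delete_aptlistchanges | bool`. The task this condition belongs to starts outside the hunk.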
@ -119,10 +119,10 @@
|
||||||
regexp: "{{ item.regexp }}"
|
regexp: "{{ item.regexp }}"
|
||||||
replace: "{{ item.replace }}"
|
replace: "{{ item.replace }}"
|
||||||
loop:
|
loop:
|
||||||
- { regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1' }
|
- { regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1' }
|
||||||
- { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
|
- { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
|
||||||
- { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
|
- { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
|
||||||
- { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
|
- { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
|
||||||
when:
|
when:
|
||||||
- is_cron_installed.rc == 0
|
- is_cron_installed.rc == 0
|
||||||
- evolinux_system_cron_random | bool
|
- evolinux_system_cron_random | bool
|
||||||
|
@ -153,7 +153,7 @@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- name: Install alert5 init script (buster)
|
- name: Install alert5 init script (buster and later)
|
||||||
template:
|
template:
|
||||||
src: system/alert5.sh.j2
|
src: system/alert5.sh.j2
|
||||||
dest: /usr/share/scripts/alert5.sh
|
dest: /usr/share/scripts/alert5.sh
|
||||||
|
@ -163,7 +163,7 @@
|
||||||
- evolinux_system_alert5_init | bool
|
- evolinux_system_alert5_init | bool
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
- name: Install alert5 service (buster)
|
- name: Install alert5 service (buster and later)
|
||||||
copy:
|
copy:
|
||||||
src: alert5.service
|
src: alert5.service
|
||||||
dest: /etc/systemd/system/alert5.service
|
dest: /etc/systemd/system/alert5.service
|
||||||
|
@ -173,7 +173,7 @@
|
||||||
- evolinux_system_alert5_init | bool
|
- evolinux_system_alert5_init | bool
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
|
||||||
- name: Enable alert5 init script (buster)
|
- name: Enable alert5 init script (buster and later)
|
||||||
systemd:
|
systemd:
|
||||||
name: alert5
|
name: alert5
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
|
@ -182,6 +182,7 @@
|
||||||
- evolinux_system_alert5_init | bool
|
- evolinux_system_alert5_init | bool
|
||||||
- evolinux_system_alert5_enable | bool
|
- evolinux_system_alert5_enable | bool
|
||||||
- ansible_distribution_major_version is version('10', '>=')
|
- ansible_distribution_major_version is version('10', '>=')
|
||||||
|
- not ansible_check_mode
|
||||||
|
|
||||||
## network interfaces
|
## network interfaces
|
||||||
|
|
||||||
|
@ -203,13 +204,4 @@
|
||||||
|
|
||||||
## /sbin/deny
|
## /sbin/deny
|
||||||
|
|
||||||
- name: "/sbin/deny script is present"
|
|
||||||
copy:
|
|
||||||
src: deny.sh
|
|
||||||
dest: /sbin/deny
|
|
||||||
mode: "0700"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
force: no
|
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
7
evolinux-base/tasks/top.yml
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- name: Deploy top configuration file
|
||||||
|
copy:
|
||||||
|
# The config format is unredable; ATM it only add the SWAP column
|
||||||
|
src: htoprc
|
||||||
|
dest: /etc/topdefaultrc
|
||||||
|
mode: "0644"
|
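Review bot: `src: htoprc` copies the htop configuration to `dest: /etc/topdefaultrc`, although the task is named "Deploy top configuration file" and the comment describes top's own format; this looks like a copy-paste slip from htop.yml (top and htop do not share a configuration format), so confirm the intended source file before merging. The comment also has typos: `# The config format is unreadable; ATM it only adds the SWAP column`. As in htop.yml, `owner: root` and `group: root` would pin ownership of a system-wide rc file explicitly instead of relying on the connecting user.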
22
evolinux-base/tasks/utils.yml
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: evolix/remount-usr
|
||||||
|
|
||||||
|
- name: backup-server-state script is present
|
||||||
|
copy:
|
||||||
|
src: "backup-server-state.sh"
|
||||||
|
dest: /usr/local/sbin/backup-server-state
|
||||||
|
force: True
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0750"
|
||||||
|
|
||||||
|
- name: "/sbin/deny script is present"
|
||||||
|
copy:
|
||||||
|
src: deny.sh
|
||||||
|
dest: /sbin/deny
|
||||||
|
mode: "0700"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
force: no
|
|
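Review bot: The two copy tasks use opposite overwrite policies, `force: True` for `/usr/local/sbin/backup-server-state` and `force: no` for `/sbin/deny`, with nothing explaining the difference; with `force: no` a host that already carries an older or locally altered `/sbin/deny` never receives fixes from `deny.sh`. If keeping local edits is intended, say so inline, e.g. `force: no  # keep local edits; updates to deny.sh are not propagated`, otherwise use `force: True` like the task above. The YAML boolean spelling also differs (`True` vs `no`); pick one for the file. Note that the unconditional `include_role: name: evolix/remount-usr` at the top runs on every play even when both files are already in place.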
@ -1,8 +1,13 @@
|
||||||
# Custom EvoLinux
|
# Custom EvoLinux
|
||||||
create 640 root adm
|
create 640 root adm
|
||||||
|
{% if not evolinux_logs_default_dateext %}
|
||||||
|
# BEGIN legacy setting
|
||||||
|
# … when global dateext and dateformat are not enabled
|
||||||
dateext
|
dateext
|
||||||
dateyesterday
|
dateyesterday
|
||||||
dateformat .%Y%m%d
|
dateformat .%Y%m%d
|
||||||
|
# END legacy setting
|
||||||
|
{% endif %}
|
||||||
missingok
|
missingok
|
||||||
notifempty
|
notifempty
|
||||||
delaycompress
|
delaycompress
|
||||||
|
|
|
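Review bot: `{% if not evolinux_logs_default_dateext %}` tests the raw variable, while the tasks consuming the same flag in logs.yml use `evolinux_logs_default_dateext | bool`; a string value like `"false"` is truthy in Jinja, so the template would drop the legacy block while the lineinfile tasks are skipped, leaving no dateext setting at all. Use `{% if not (evolinux_logs_default_dateext | bool) %}` so both sides agree. The `# …` comment introduces a non-ASCII ellipsis into a logrotate config; logrotate ignores comments, but plain `...` avoids encoding surprises in other tooling that reads the file.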
@ -20,10 +20,6 @@
|
||||||
|
|
||||||
- name: Configure sudo
|
- name: Configure sudo
|
||||||
include: sudo.yml
|
include: sudo.yml
|
||||||
vars:
|
|
||||||
user: "{{ item.value }}"
|
|
||||||
loop: "{{ evolinux_users | dict2items }}"
|
|
||||||
when: evolinux_users | length > 0
|
|
||||||
|
|
||||||
- name: Configure SSH
|
- name: Configure SSH
|
||||||
include: ssh.yml
|
include: ssh.yml
|
||||||
|
|
|
@ -1,9 +1,21 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- include: sudo_jessie.yml
|
- include: sudo_jessie.yml
|
||||||
when: ansible_distribution_release == "jessie"
|
vars:
|
||||||
|
user: "{{ item.value }}"
|
||||||
|
loop: "{{ evolinux_users | dict2items }}"
|
||||||
|
when:
|
||||||
|
- evolinux_users | length > 0
|
||||||
|
- ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- include: sudo_stretch.yml
|
|
||||||
|
- block:
|
||||||
|
- include: sudo_stretch_common.yml
|
||||||
|
|
||||||
|
- include: sudo_stretch_user.yml
|
||||||
|
vars:
|
||||||
|
user: "{{ item.value }}"
|
||||||
|
loop: "{{ evolinux_users | dict2items }}"
|
||||||
when:
|
when:
|
||||||
- ansible_distribution_major_version is defined
|
- ansible_distribution_major_version is defined
|
||||||
- ansible_distribution_major_version is version('9', '>=')
|
- ansible_distribution_major_version is version('9', '>=')
|
||||||
|
|
|
@ -1,5 +1,13 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: "/etc/sudoers.d presence and permissions"
|
||||||
|
file:
|
||||||
|
path: /etc/sudoers.d
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0750"
|
||||||
|
state: directory
|
||||||
|
|
||||||
- name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)"
|
- name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)"
|
||||||
template:
|
template:
|
||||||
src: sudoers_stretch.j2
|
src: sudoers_stretch.j2
|
||||||
|
@ -13,15 +21,3 @@
|
||||||
group:
|
group:
|
||||||
name: "{{ evolinux_sudo_group }}"
|
name: "{{ evolinux_sudo_group }}"
|
||||||
system: yes
|
system: yes
|
||||||
|
|
||||||
- name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
|
|
||||||
user:
|
|
||||||
name: '{{ user.name }}'
|
|
||||||
groups: "{{ evolinux_sudo_group }}"
|
|
||||||
append: yes
|
|
||||||
|
|
||||||
- name: "Add user to 'adm' group (Debian 9 or later)"
|
|
||||||
user:
|
|
||||||
name: '{{ user.name }}'
|
|
||||||
groups: "adm"
|
|
||||||
append: yes
|
|
13
evolinux-users/tasks/sudo_stretch_user.yml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Add user to '{{ evolinux_sudo_group }}' group (Debian 9 or later)"
|
||||||
|
user:
|
||||||
|
name: '{{ user.name }}'
|
||||||
|
groups: "{{ evolinux_sudo_group }}"
|
||||||
|
append: yes
|
||||||
|
|
||||||
|
- name: "Add user to 'adm' group (Debian 9 or later)"
|
||||||
|
user:
|
||||||
|
name: '{{ user.name }}'
|
||||||
|
groups: "adm"
|
||||||
|
append: yes
|
|
@ -7,6 +7,8 @@ nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
|
||||||
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
|
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
|
||||||
|
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
|
||||||
|
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
|
||||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||||
|
|
||||||
ADMINS ALL = (ALL:ALL) ALL
|
ADMINS ALL = (ALL:ALL) ALL
|
||||||
|
|
|
@ -6,10 +6,22 @@ nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
|
||||||
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
|
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
|
||||||
|
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
|
||||||
|
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/
|
||||||
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/
|
||||||
|
nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios
|
||||||
|
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor
|
||||||
|
nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush
|
||||||
|
nagios ALL = NOPASSWD: /sbin/megacli -PDList -aALL -NoLog
|
||||||
|
nagios ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
|
||||||
|
nagios ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
|
||||||
|
nagios ALL = NOPASSWD: /sbin/ssacli controller all show status
|
||||||
|
nagios ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
|
||||||
|
|
||||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||||
|
|
||||||
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
|
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
|
||||||
|
|
|
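Review bot: The new line `nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/8.0/fpm/pool.d/` pairs the php74 container with a PHP 8.0 pool directory; following the pattern of the preceding lines (and the php80 container that generate-ldif.sh probes in this same commit) it should read `/var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/`, otherwise the rule grants a path that likely does not exist and the php80 check stays unauthorised. The added `nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor` carries no argument list, so sudo accepts any arguments for it, unlike the megacli, ssacli and dmsetup entries added alongside that pin theirs; if the check is run with fixed options, pin them the same way. sudoers_jessie.j2 receives only the two bkctld lines and is unaffected.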
@ -4,16 +4,16 @@
|
||||||
# Dependencies (all OS): git postgresql-client
|
# Dependencies (all OS): git postgresql-client
|
||||||
# Dependencies (Debian): sudo
|
# Dependencies (Debian): sudo
|
||||||
|
|
||||||
# Copyright 2007-2021 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
|
# Copyright 2007-2022 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
|
||||||
# Jérémy Lecour <jlecour@evolix.fr> and others.
|
# Jérémy Lecour <jlecour@evolix.fr> and others.
|
||||||
|
|
||||||
VERSION="0.6.4"
|
VERSION="22.01"
|
||||||
|
|
||||||
show_version() {
|
show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
evomaintenance version ${VERSION}
|
evomaintenance version ${VERSION}
|
||||||
|
|
||||||
Copyright 2007-2021 Evolix <info@evolix.fr>,
|
Copyright 2007-2022 Evolix <info@evolix.fr>,
|
||||||
Gregory Colpart <reg@evolix.fr>,
|
Gregory Colpart <reg@evolix.fr>,
|
||||||
Jérémy Lecour <jlecour@evolix.fr>
|
Jérémy Lecour <jlecour@evolix.fr>
|
||||||
and others.
|
and others.
|
||||||
|
@ -303,6 +303,9 @@ From: ${FULLFROM}
|
||||||
Content-Type: text/plain; charset=UTF-8
|
Content-Type: text/plain; charset=UTF-8
|
||||||
MIME-Version: 1.0
|
MIME-Version: 1.0
|
||||||
Content-Transfer-Encoding: 8bit
|
Content-Transfer-Encoding: 8bit
|
||||||
|
X-Evomaintenance-Version: ${VERSION}
|
||||||
|
X-Evomaintenance-Host: ${HOSTNAME_TEXT}
|
||||||
|
X-Evomaintenance-User: ${USER}
|
||||||
To: ${EVOMAINTMAIL}
|
To: ${EVOMAINTMAIL}
|
||||||
Subject: [evomaintenance] Intervention sur ${HOSTNAME_TEXT} (${USER})
|
Subject: [evomaintenance] Intervention sur ${HOSTNAME_TEXT} (${USER})
|
||||||
|
|
||||||
|
|
18
evomaintenance/tasks/config.yml
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- evomaintenance_api_endpoint is not none
|
||||||
|
- evomaintenance_api_key is not none
|
||||||
|
msg: evomaintenance api variables must be set
|
||||||
|
|
||||||
|
- name: Configuration is installed
|
||||||
|
template:
|
||||||
|
src: evomaintenance.j2
|
||||||
|
dest: /etc/evomaintenance.cf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0600"
|
||||||
|
force: "{{ evomaintenance_force_config | bool }}"
|
||||||
|
tags:
|
||||||
|
- evomaintenance
|
|
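Review bot: The `assert` guarding `evomaintenance_api_endpoint` and `evomaintenance_api_key` has no `tags:`, while the template task below is tagged `evomaintenance`, so a run limited with `--tags evomaintenance` writes `/etc/evomaintenance.cf` without the check; give the assert the same `tags: - evomaintenance`. `is not none` also accepts an empty string; `- evomaintenance_api_key | length > 0` (and the same for the endpoint) rejects that too, matching the `| length > 0` style the filebeat role uses for its credentials. Since the rendered file presumably contains the API key, `no_log: True` on the template task keeps the value out of `--diff` output and task logs.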
@ -12,15 +12,4 @@
|
||||||
name: evomaintenance
|
name: evomaintenance
|
||||||
allow_unauthenticated: yes
|
allow_unauthenticated: yes
|
||||||
tags:
|
tags:
|
||||||
- evomaintenance
|
- evomaintenance
|
||||||
|
|
||||||
- name: Configuration is installed
|
|
||||||
template:
|
|
||||||
src: evomaintenance.j2
|
|
||||||
dest: /etc/evomaintenance.cf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0600"
|
|
||||||
force: "{{ evomaintenance_force_config | bool }}"
|
|
||||||
tags:
|
|
||||||
- evomaintenance
|
|
|
@ -46,15 +46,4 @@
|
||||||
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
|
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
|
||||||
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
|
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
|
||||||
tags:
|
tags:
|
||||||
- evomaintenance
|
- evomaintenance
|
||||||
|
|
||||||
- name: Configuration is installed
|
|
||||||
template:
|
|
||||||
src: evomaintenance.j2
|
|
||||||
dest: /etc/evomaintenance.cf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0600"
|
|
||||||
force: "{{ evomaintenance_force_config | bool }}"
|
|
||||||
tags:
|
|
||||||
- evomaintenance
|
|
|
@ -1,14 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- set_fact:
|
|
||||||
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- evomaintenance_api_endpoint is not none
|
|
||||||
- evomaintenance_api_key is not none
|
|
||||||
msg: evomaintenance api variables must be set
|
|
||||||
|
|
||||||
- include: install_package_debian.yml
|
- include: install_package_debian.yml
|
||||||
when:
|
when:
|
||||||
- not (evomaintenance_install_vendor | bool)
|
- not (evomaintenance_install_vendor | bool)
|
||||||
|
@ -19,6 +10,8 @@
|
||||||
- evomaintenance_install_vendor | bool
|
- evomaintenance_install_vendor | bool
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
|
||||||
|
|
||||||
|
- include: config.yml
|
||||||
|
|
||||||
- include: minifirewall.yml
|
- include: minifirewall.yml
|
||||||
when:
|
when:
|
||||||
- evomaintenance_hook_db | bool
|
- evomaintenance_hook_db | bool
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
||||||
|
|
||||||
- name: Is minifirewall installed?
|
- name: Is minifirewall installed?
|
||||||
stat:
|
stat:
|
||||||
path: /etc/default/minifirewall
|
path: /etc/default/minifirewall
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "6.x"
|
elastic_stack_version: "7.x"
|
||||||
|
|
||||||
filebeat_logstash_plugin: False
|
filebeat_logstash_plugin: False
|
||||||
|
|
||||||
|
|
|
@ -4,3 +4,4 @@
|
||||||
systemd:
|
systemd:
|
||||||
name: filebeat
|
name: filebeat
|
||||||
state: restarted
|
state: restarted
|
||||||
|
when: not ansible_check_mode
|
||||||
|
|
|
@ -8,11 +8,20 @@
|
||||||
- filebeat
|
- filebeat
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
tags:
|
||||||
|
- filebeat
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Elastic embedded GPG key is absent
|
- name: Elastic embedded GPG key is absent
|
||||||
apt_key:
|
apt_key:
|
||||||
id: "D88E42B4"
|
id: "D88E42B4"
|
||||||
keyring: /etc/apt/trusted.gpg
|
keyring: /etc/apt/trusted.gpg
|
||||||
state: absent
|
state: absent
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- filebeat
|
- filebeat
|
||||||
- packages
|
- packages
|
||||||
|
@ -53,6 +62,7 @@
|
||||||
name: filebeat
|
name: filebeat
|
||||||
enabled: yes
|
enabled: yes
|
||||||
notify: restart filebeat
|
notify: restart filebeat
|
||||||
|
when: not ansible_check_mode
|
||||||
|
|
||||||
- name: is logstash-plugin available?
|
- name: is logstash-plugin available?
|
||||||
stat:
|
stat:
|
||||||
|
@ -131,7 +141,9 @@
|
||||||
when:
|
when:
|
||||||
- filebeat_elasticsearch_auth_username | length > 0
|
- filebeat_elasticsearch_auth_username | length > 0
|
||||||
- filebeat_elasticsearch_auth_password | length > 0
|
- filebeat_elasticsearch_auth_password | length > 0
|
||||||
when: not (filebeat_use_config_template | bool)
|
when:
|
||||||
|
- not (filebeat_use_config_template | bool)
|
||||||
|
- not ansible_check_mode
|
||||||
|
|
||||||
- name: Filebeat api_key for Elasticsearch are configured
|
- name: Filebeat api_key for Elasticsearch are configured
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
|
|
@ -1,10 +1,19 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
tags:
|
||||||
|
- packages
|
||||||
|
- fluentd
|
||||||
|
|
||||||
- name: Fluentd embedded GPG key is absent
|
- name: Fluentd embedded GPG key is absent
|
||||||
apt_key:
|
apt_key:
|
||||||
id: "AB97ACBE"
|
id: "AB97ACBE"
|
||||||
keyring: /etc/apt/trusted.gpg
|
keyring: /etc/apt/trusted.gpg
|
||||||
state: absent
|
state: absent
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- fluentd
|
- fluentd
|
||||||
|
|
|
@ -31,17 +31,30 @@ computerKernel=$(uname -r)
|
||||||
HardwareSerial=$(dmidecode -s system-serial-number | grep -v '^#')
|
HardwareSerial=$(dmidecode -s system-serial-number | grep -v '^#')
|
||||||
|
|
||||||
type="baremetal"
|
type="baremetal"
|
||||||
lscpu | grep -q KVM && type="kvm"
|
lscpu | grep "Hypervisor vendor:" | grep -q KVM && type="kvm"
|
||||||
|
lscpu | grep "Hypervisor vendor:" | grep -q VMware && type="vmware"
|
||||||
lscpu | grep -q Oracle && type="virtualbox"
|
lscpu | grep -q Oracle && type="virtualbox"
|
||||||
|
|
||||||
if [ "$type" = "kvm" ]; then
|
if [ "$type" = "kvm" ]; then
|
||||||
|
ComputerType="VM"
|
||||||
HardwareMark="KVM"
|
HardwareMark="KVM"
|
||||||
HardwareModel="Virtual Machine"
|
HardwareModel="Virtual Machine"
|
||||||
|
|
||||||
cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
|
cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
|
||||||
cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
|
cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
|
||||||
cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
|
cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
|
||||||
|
|
||||||
|
elif [ "$type" = "vmware" ]; then
|
||||||
|
ComputerType="VM"
|
||||||
|
HardwareMark="VMWare"
|
||||||
|
HardwareModel="Virtual Machine"
|
||||||
|
|
||||||
|
cpuMark=$(lscpu | grep Vendor | tr -s '\t' ' ' | cut -d' ' -f3)
|
||||||
|
cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
|
||||||
|
cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
|
||||||
|
|
||||||
elif [ "$type" = "virtualbox" ]; then
|
elif [ "$type" = "virtualbox" ]; then
|
||||||
|
ComputerType="VM"
|
||||||
HardwareMark="VirtualBox"
|
HardwareMark="VirtualBox"
|
||||||
HardwareModel="Virtual Machine"
|
HardwareModel="Virtual Machine"
|
||||||
|
|
||||||
|
@ -49,6 +62,7 @@ elif [ "$type" = "virtualbox" ]; then
|
||||||
cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
|
cpuModel="Virtual $(lscpu | grep "Model name" | tr -s '\t' ' ' | cut -d' ' -f3-), $(nproc) vCPU"
|
||||||
cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
|
cpuFreq="$(lscpu | grep "CPU MHz" | tr -s '\t' ' ' | cut -d' ' -f3-)MHz"
|
||||||
else
|
else
|
||||||
|
ComputerType="Baremetal"
|
||||||
HardwareModel=$(dmidecode -s system-product-name | grep -v '^#')
|
HardwareModel=$(dmidecode -s system-product-name | grep -v '^#')
|
||||||
|
|
||||||
cpuMark=$(dmidecode -s processor-manufacturer | grep -v '^#' | head -1)
|
cpuMark=$(dmidecode -s processor-manufacturer | grep -v '^#' | head -1)
|
||||||
|
@ -115,6 +129,7 @@ NagiosEnabled: ${NagiosEnabled}
|
||||||
NagiosComments: ${monitoringType},${monitoringMode},${monitoringTimeout}
|
NagiosComments: ${monitoringType},${monitoringMode},${monitoringTimeout}
|
||||||
HardwareSerial: ${HardwareSerial}
|
HardwareSerial: ${HardwareSerial}
|
||||||
clientNumber: ${clientNumber}
|
clientNumber: ${clientNumber}
|
||||||
|
ComputerType: ${ComputerType}
|
||||||
EOT
|
EOT
|
||||||
|
|
||||||
# CPU
|
# CPU
|
||||||
|
@ -174,6 +189,19 @@ NagiosEnabled: TRUE
|
||||||
EOT
|
EOT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# raid hardware
|
||||||
|
if [ -n "${raidModel}" ]; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: HardwareName=raid_card,${computer_dn}
|
||||||
|
objectClass: EvoHardware
|
||||||
|
HardwareName: raid_card
|
||||||
|
HardwareType: disk
|
||||||
|
HardwareModel: ${raidModel}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
# Swap
|
# Swap
|
||||||
swap=$(free -h | grep Swap: | tr -s ' ' | cut -d ' ' -f2)
|
swap=$(free -h | grep Swap: | tr -s ' ' | cut -d ' ' -f2)
|
||||||
if [ -n "${swap}" ]; then
|
if [ -n "${swap}" ]; then
|
||||||
|
@ -570,10 +598,117 @@ objectClass: EvoService
|
||||||
ServiceName: postgresql
|
ServiceName: postgresql
|
||||||
ipServicePort: 5432
|
ipServicePort: 5432
|
||||||
ServiceType: database
|
ServiceType: database
|
||||||
ServiceVersion: PostgreSQL ${elasticsearch_version}
|
ServiceVersion: PostgreSQL ${postgresql_version}
|
||||||
EOT
|
EOT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# LXC (multiphp)
|
||||||
|
if is_pkg_installed lxc; then
|
||||||
|
|
||||||
|
if lxc-ls | grep -q php56 ; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: ServiceName=ServiceName=php-fpm56,${computer_dn}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
ipServiceProtocol: tcp
|
||||||
|
objectClass: EvoService
|
||||||
|
ServiceName: PHP-FPM (multiphp)
|
||||||
|
ipServicePort: 443
|
||||||
|
ServiceType: web
|
||||||
|
ServiceVersion: PHP-FPM 5.6 (multiphp)
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
|
if lxc-ls | grep -q php70 ; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: ServiceName=ServiceName=php-fpm70,${computer_dn}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
ipServiceProtocol: tcp
|
||||||
|
objectClass: EvoService
|
||||||
|
ServiceName: PHP-FPM (multiphp)
|
||||||
|
ipServicePort: 443
|
||||||
|
ServiceType: web
|
||||||
|
ServiceVersion: PHP-FPM 7.0 (multiphp)
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
|
if lxc-ls | grep -q php73 ; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: ServiceName=ServiceName=php-fpm73,${computer_dn}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
ipServiceProtocol: tcp
|
||||||
|
objectClass: EvoService
|
||||||
|
ServiceName: PHP-FPM (multiphp)
|
||||||
|
ipServicePort: 443
|
||||||
|
ServiceType: web
|
||||||
|
ServiceVersion: PHP-FPM 7.3 (multiphp)
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
|
if lxc-ls | grep -q php74 ; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: ServiceName=ServiceName=php-fpm74,${computer_dn}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
ipServiceProtocol: tcp
|
||||||
|
objectClass: EvoService
|
||||||
|
ServiceName: PHP-FPM (multiphp)
|
||||||
|
ipServicePort: 443
|
||||||
|
ServiceType: web
|
||||||
|
ServiceVersion: PHP-FPM 7.4 (multiphp)
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
|
if lxc-ls | grep -q php80 ; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: ServiceName=ServiceName=php-fpm80,${computer_dn}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
ipServiceProtocol: tcp
|
||||||
|
objectClass: EvoService
|
||||||
|
ServiceName: PHP-FPM (multiphp)
|
||||||
|
ipServicePort: 443
|
||||||
|
ServiceType: web
|
||||||
|
ServiceVersion: PHP-FPM 8.0 (multiphp)
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
|
if lxc-ls | grep -q php81 ; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: ServiceName=ServiceName=php-fpm81,${computer_dn}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
ipServiceProtocol: tcp
|
||||||
|
objectClass: EvoService
|
||||||
|
ServiceName: PHP-FPM (multiphp)
|
||||||
|
ipServicePort: 443
|
||||||
|
ServiceType: web
|
||||||
|
ServiceVersion: PHP-FPM 8.1 (multiphp)
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
|
fi
|
||||||
|
# END - LXC (multiphp)
|
||||||
|
|
||||||
|
# mdadm
|
||||||
|
if is_pkg_installed mdadm; then
|
||||||
|
mdadm_version=$(get_pkg_version mdadm)
|
||||||
|
fi
|
||||||
|
if [ -n "${mdadm_version}" ]; then
|
||||||
|
cat <<EOT >> "${ldif_file}"
|
||||||
|
|
||||||
|
dn: ServiceName=mdadm,${computer_dn}
|
||||||
|
NagiosEnabled: TRUE
|
||||||
|
objectClass: EvoService
|
||||||
|
ServiceName: mdadm
|
||||||
|
ServiceType: raid
|
||||||
|
ServiceVersion: mdadm ${mdadm_version}
|
||||||
|
EOT
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# test if we have a stdout
|
# test if we have a stdout
|
||||||
if [ -t 1 ]; then
|
if [ -t 1 ]; then
|
||||||
echo "Output is in ${ldif_file}"
|
echo "Output is in ${ldif_file}"
|
||||||
|
|
|
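Review bot: Every new PHP-FPM entry writes `dn: ServiceName=ServiceName=php-fpm56,${computer_dn}` (likewise for 70, 73, 74, 80 and 81) — the attribute name is doubled, which the other DNs in the file (`dn: ServiceName=mdadm,${computer_dn}`) do not do, so these entries will be rejected or mis-keyed when the LDIF is loaded. The six blocks differ only in the version string and can be one loop, as below, which also removes the copy-paste surface that produced the defect. In the mdadm block, `if [ -n "${mdadm_version}" ]` reads a variable that is never assigned when mdadm is absent; if the script runs under `set -u` that is an error, so initialise it with `mdadm_version=""` before the `if`. In the first hunk, `lscpu | grep -q Oracle` was left unscoped while the KVM and VMware tests were narrowed to the `Hypervisor vendor:` line; applying the same filter keeps the three detections consistent, and `HardwareMark="VMWare"` should be spelled `VMware`.
```shell
# LXC (multiphp)
if is_pkg_installed lxc; then
    for php_version in 5.6 7.0 7.3 7.4 8.0 8.1; do
        # container name and DN suffix use the version without the dot (php56, php-fpm56, ...)
        php_short=$(printf '%s' "${php_version}" | tr -d '.')
        if lxc-ls | grep -q "php${php_short}" ; then
            cat <<EOT >> "${ldif_file}"

dn: ServiceName=php-fpm${php_short},${computer_dn}
NagiosEnabled: TRUE
ipServiceProtocol: tcp
objectClass: EvoService
ServiceName: PHP-FPM (multiphp)
ipServicePort: 443
ServiceType: web
ServiceVersion: PHP-FPM ${php_version} (multiphp)
EOT
        fi
    done
fi
# END - LXC (multiphp)
# … unchanged: mdadm block, stdout test …
```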
@ -34,3 +34,4 @@ haproxy_deny_ips: []
|
||||||
|
|
||||||
haproxy_backports_packages_stretch: haproxy libssl1.0.0
|
haproxy_backports_packages_stretch: haproxy libssl1.0.0
|
||||||
haproxy_backports_packages_buster: haproxy
|
haproxy_backports_packages_buster: haproxy
|
||||||
|
haproxy_backports_packages_bullseye: haproxy
|
||||||
|
|
|
@ -15,6 +15,10 @@
|
||||||
haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}"
|
haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}"
|
||||||
when: ansible_distribution_release == 'buster'
|
when: ansible_distribution_release == 'buster'
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}"
|
||||||
|
when: ansible_distribution_release == 'bullseye'
|
||||||
|
|
||||||
- name: Prefer HAProxy package from backports
|
- name: Prefer HAProxy package from backports
|
||||||
template:
|
template:
|
||||||
src: haproxy_apt_preferences.j2
|
src: haproxy_apt_preferences.j2
|
||||||
|
|
|
@ -14,9 +14,9 @@
|
||||||
state: directory
|
state: directory
|
||||||
mode: "0777"
|
mode: "0777"
|
||||||
loop:
|
loop:
|
||||||
- /srv/java-package
|
- /srv/java-package
|
||||||
- /srv/java-package/src
|
- /srv/java-package/src
|
||||||
- /srv/java-package/tmp
|
- /srv/java-package/tmp
|
||||||
tags:
|
tags:
|
||||||
- java
|
- java
|
||||||
|
|
||||||
|
|
|
@ -5,11 +5,17 @@
|
||||||
# http://mirrors.jenkins.io/.*
|
# http://mirrors.jenkins.io/.*
|
||||||
# http://jenkins.mirror.isppower.de/.*
|
# http://jenkins.mirror.isppower.de/.*
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
|
||||||
- name: Jenkins embedded GPG key is absent
|
- name: Jenkins embedded GPG key is absent
|
||||||
apt_key:
|
apt_key:
|
||||||
id: "D50582E6"
|
id: "D50582E6"
|
||||||
keyring: /etc/apt/trusted.gpg
|
keyring: /etc/apt/trusted.gpg
|
||||||
state: absent
|
state: absent
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
|
|
||||||
- name: Add Jenkins GPG key
|
- name: Add Jenkins GPG key
|
||||||
copy:
|
copy:
|
||||||
|
|
|
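Review bot: The new `when: _trusted_gpg_keyring.stat.exists` on "Jenkins embedded GPG key is absent" only works if the "Look for legacy apt keyring" stat task actually ran, and that stat task carries no `tags:` in this hunk; if the other tasks of this file are tagged and a run is limited by tag (the equivalent kibana tasks in this same commit are tagged `kibana`/`packages`), the removal task would be reached with `_trusted_gpg_keyring` undefined and fail. Give the stat task the same tags as the removal task so both are always selected together. The `copy:` body of "Add Jenkins GPG key" continues outside the hunk.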
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
elastic_stack_version: "5.x"
|
elastic_stack_version: "7.x"
|
||||||
|
|
||||||
kibana_server_host: "127.0.0.1"
|
kibana_server_host: "127.0.0.1"
|
||||||
kibana_server_basepath: ""
|
kibana_server_basepath: ""
|
||||||
|
|
BIN
kibana/files/elastic.gpg
Normal file
BIN
kibana/files/elastic.gpg
Normal file
Binary file not shown.
|
@ -1,31 +0,0 @@
|
||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
||||||
Version: GnuPG v2.0.14 (GNU/Linux)
|
|
||||||
|
|
||||||
mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD
|
|
||||||
A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9
|
|
||||||
CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ
|
|
||||||
j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd
|
|
||||||
1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD
|
|
||||||
2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg
|
|
||||||
KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy
|
|
||||||
Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC
|
|
||||||
F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75
|
|
||||||
nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/
|
|
||||||
7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm
|
|
||||||
TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe
|
|
||||||
8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/
|
|
||||||
eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl
|
|
||||||
zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT
|
|
||||||
RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+
|
|
||||||
1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+
|
|
||||||
Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt
|
|
||||||
KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww
|
|
||||||
EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0
|
|
||||||
c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J
|
|
||||||
TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j
|
|
||||||
6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7
|
|
||||||
vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM
|
|
||||||
cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/
|
|
||||||
qPDlGRlOgVTd9xUfHFkzB52c70E=
|
|
||||||
=92oX
|
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
@ -8,11 +8,20 @@
|
||||||
- kibana
|
- kibana
|
||||||
- packages
|
- packages
|
||||||
|
|
||||||
|
- name: Look for legacy apt keyring
|
||||||
|
stat:
|
||||||
|
path: /etc/apt/trusted.gpg
|
||||||
|
register: _trusted_gpg_keyring
|
||||||
|
tags:
|
||||||
|
- kibana
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Elastic embedded GPG key is absent
|
- name: Elastic embedded GPG key is absent
|
||||||
apt_key:
|
apt_key:
|
||||||
id: "D88E42B4"
|
id: "D88E42B4"
|
||||||
keyring: /etc/apt/trusted.gpg
|
keyring: /etc/apt/trusted.gpg
|
||||||
state: absent
|
state: absent
|
||||||
|
when: _trusted_gpg_keyring.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- kibana
|
- kibana
|
||||||
- packages
|
- packages
|
||||||
|
@ -129,3 +138,5 @@
|
||||||
|
|
||||||
- include: proxy_nginx.yml
|
- include: proxy_nginx.yml
|
||||||
when: kibana_proxy_nginx | bool
|
when: kibana_proxy_nginx | bool
|
||||||
|
tags:
|
||||||
|
- kibana
|
||||||
|
|
|
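Review bot: The ASCII-armored Elastic key is replaced by a binary `kibana/files/elastic.gpg` that nothing in the role identifies: no fingerprint appears in the diff, so whoever updates that file later cannot check which key it is supposed to contain. A comment on the task that installs it (its `copy:` task is not in these hunks), e.g. `# Elastic signing key, fingerprint <FINGERPRINT-PLACEHOLDER>, produced with gpg --dearmor`, would make the keyring reviewable, and the same line documents the short id `D88E42B4` used by the removal task. The added `tags: [kibana]` on `include: proxy_nginx.yml` is fine, though `include` is deprecated in favour of `import_tasks`/`include_tasks` and the rest of the role may want the same treatment.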
@ -1,4 +1,6 @@
|
||||||
---
|
---
|
||||||
kvm_custom_libvirt_images_path: ''
|
kvm_custom_libvirt_images_path: ''
|
||||||
kvm_install_drbd: True
|
kvm_install_drbd: True
|
||||||
kvm_scripts_dir: /usr/local/sbin
|
kvm_scripts_dir: /usr/local/sbin
|
||||||
|
|
||||||
|
kvm_pair: null
|
|
@ -10,6 +10,8 @@
|
||||||
# Bash strict mode
|
# Bash strict mode
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
|
VERSION="21.10"
|
||||||
|
|
||||||
isDryRun() {
|
isDryRun() {
|
||||||
test "${doDryRun}" = "true"
|
test "${doDryRun}" = "true"
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,96 +1,202 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
VERSION="21.10"
|
||||||
|
|
||||||
|
PROGNAME=$(basename "$0")
|
||||||
|
|
||||||
|
show_version() {
|
||||||
|
cat <<END
|
||||||
|
${PROGNAME} version ${VERSION}
|
||||||
|
|
||||||
|
Copyright 2018-2021 Evolix <info@evolix.fr>,
|
||||||
|
Alexis Ben Miloud--Josselin <abenmiloud@evolix.fr>,
|
||||||
|
Jérémy Lecour <jlecour@evolix.fr>
|
||||||
|
and others.
|
||||||
|
|
||||||
|
${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
|
||||||
|
and you are welcome to redistribute it under certain conditions.
|
||||||
|
See the GNU General Public Licence for details.
|
||||||
|
END
|
||||||
|
}
|
||||||
|
|
||||||
|
show_help() {
|
||||||
|
cat <<END
|
||||||
|
${PROGNAME} print stats about configured virtal servers
|
||||||
|
|
||||||
|
END
|
||||||
|
show_usage
|
||||||
|
}
|
||||||
|
show_usage() {
|
||||||
|
cat <<END
|
||||||
|
Usage: ${PROGNAME} --all
|
||||||
|
or ${PROGNAME} --output <human|html|csv>
|
||||||
|
or ${PROGNAME} --units <k|m|g>
|
||||||
|
END
|
||||||
|
}
|
||||||
|
|
||||||
error () {
|
error () {
|
||||||
echo "$0": "$@" >&2
|
echo "$0": "$@" >&2
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
usage () {
|
main() {
|
||||||
echo 'usage:' "$0" '[-a] [-u k|m|g] [-o human|html|csv]' >&2
|
for VM in $(virsh list --name --all | sed '/^$/d' | sort)
|
||||||
exit 1
|
do
|
||||||
|
echo "$VM"
|
||||||
|
|
||||||
|
# cpu
|
||||||
|
virsh vcpucount --current "$VM"
|
||||||
|
|
||||||
|
# mem
|
||||||
|
# libvirt stores memory in KiB, POW must be lowered by 1
|
||||||
|
virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
|
||||||
|
virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
|
||||||
|
|
||||||
|
# disk
|
||||||
|
for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
|
||||||
|
do
|
||||||
|
virsh domblkinfo "$VM" "$BLK" 2>/dev/null
|
||||||
|
done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
|
||||||
|
|
||||||
|
# state
|
||||||
|
virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
|
||||||
|
done | xargs -n5 | {
|
||||||
|
echo vm vcpu ram disk running
|
||||||
|
awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
|
||||||
|
test "$SHOW_AVAIL" && {
|
||||||
|
nproc
|
||||||
|
awk '/^MemTotal:/ { print int($2 / '$((POW / 1024))' ) }' /proc/meminfo
|
||||||
|
} | xargs -r printf 'AVAILABLE %s %s %s %s\n'
|
||||||
|
} | case "$FMT" in
|
||||||
|
'human')
|
||||||
|
column -t
|
||||||
|
;;
|
||||||
|
'html')
|
||||||
|
awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
|
||||||
|
;;
|
||||||
|
'csv')
|
||||||
|
tr ' ' ','
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
parse_units() {
|
||||||
|
case "$1" in
|
||||||
|
'k')
|
||||||
|
POW="$(echo '1024 ^ 1' | bc)"
|
||||||
|
;;
|
||||||
|
'm')
|
||||||
|
POW="$(echo '1024 ^ 2' | bc)"
|
||||||
|
;;
|
||||||
|
'g')
|
||||||
|
POW="$(echo '1024 ^ 3' | bc)"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
printf 'ERROR: Unknown unit value: %s. Possible values: %s\n' "$1" "k, m, g" >&2
|
||||||
|
echo "" >&2
|
||||||
|
show_usage >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
parse_output() {
|
||||||
|
case "$1" in
|
||||||
|
'csv'|'html'|'human')
|
||||||
|
FMT="$1"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
printf 'ERROR: Unknown output value : %s. Possible values: %s\n' "$1" "csv, html, human" >&2
|
||||||
|
echo "" >&2
|
||||||
|
show_usage >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check dependencies
|
||||||
for DEP in bc virsh
|
for DEP in bc virsh
|
||||||
do
|
do
|
||||||
command -v "$DEP" > /dev/null || error "$DEP" 'command not found'
|
command -v "$DEP" > /dev/null || error "$DEP" 'command not found'
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# default values
|
||||||
POW="$(echo '1024 ^ 3' | bc)"
|
POW="$(echo '1024 ^ 3' | bc)"
|
||||||
FMT='human'
|
FMT='human'
|
||||||
while [ "$#" -ne 0 ]
|
|
||||||
do
|
# Parse options
|
||||||
case "$1" in
|
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||||
'-a')
|
while :; do
|
||||||
SHOW_AVAIL='y'
|
case $1 in
|
||||||
;;
|
-h|-\?|--help)
|
||||||
'-o')
|
show_help
|
||||||
case "$2" in
|
exit 0
|
||||||
'csv'|'html'|'human')
|
;;
|
||||||
FMT="$2"
|
-V|--version)
|
||||||
|
show_version
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
-a|--all)
|
||||||
|
SHOW_AVAIL='y'
|
||||||
|
;;
|
||||||
|
-u|--units)
|
||||||
|
# with value separated by space
|
||||||
|
if [ -n "$2" ]; then
|
||||||
|
parse_units "$2"
|
||||||
|
shift
|
||||||
|
else
|
||||||
|
printf 'ERROR: "-u|--units" requires a non-empty option argument.\n' >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
--units=?*)
|
||||||
|
# with value speparated by =
|
||||||
|
parse_units ${1#*=}
|
||||||
|
;;
|
||||||
|
--units=)
|
||||||
|
# without value
|
||||||
|
printf 'ERROR: "--units" requires a non-empty option argument.\n' >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
|
||||||
|
-o|--output)
|
||||||
|
# with value separated by space
|
||||||
|
if [ -n "$2" ]; then
|
||||||
|
parse_output "$2"
|
||||||
|
shift
|
||||||
|
else
|
||||||
|
printf 'ERROR: "-o|--output" requires a non-empty option argument.\n' >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
--output=?*)
|
||||||
|
# with value speparated by =
|
||||||
|
parse_output ${1#*=}
|
||||||
|
;;
|
||||||
|
--output=)
|
||||||
|
# without value
|
||||||
|
printf 'ERROR: "--output" requires a non-empty option argument.\n' >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
|
||||||
|
--)
|
||||||
|
# End of all options.
|
||||||
|
shift
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
-?*|[[:alnum:]]*)
|
||||||
|
# ignore unknown options
|
||||||
|
printf 'ERROR: Unknown option : %s\n' "$1" >&2
|
||||||
|
echo "" >&2
|
||||||
|
show_usage >&2
|
||||||
|
exit 1
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
usage
|
# Default case: If no more options then break out of the loop.
|
||||||
|
break
|
||||||
;;
|
;;
|
||||||
esac
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
'-u')
|
|
||||||
case "$2" in
|
|
||||||
'k')
|
|
||||||
POW="$(echo '1024 ^ 1' | bc)"
|
|
||||||
;;
|
|
||||||
'm')
|
|
||||||
POW="$(echo '1024 ^ 2' | bc)"
|
|
||||||
;;
|
|
||||||
'g')
|
|
||||||
POW="$(echo '1024 ^ 3' | bc)"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
usage
|
|
||||||
esac
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
usage
|
|
||||||
esac
|
esac
|
||||||
|
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
for VM in $(virsh list --name --all)
|
main
|
||||||
do
|
|
||||||
echo "$VM"
|
|
||||||
|
|
||||||
# cpu
|
|
||||||
virsh vcpucount --current "$VM"
|
|
||||||
|
|
||||||
# mem
|
|
||||||
# libvirt stores memory in KiB, POW must be lowered by 1
|
|
||||||
virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
|
|
||||||
virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
|
|
||||||
|
|
||||||
# disk
|
|
||||||
for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
|
|
||||||
do
|
|
||||||
virsh domblkinfo "$VM" "$BLK" 2>/dev/null
|
|
||||||
done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
|
|
||||||
|
|
||||||
# state
|
|
||||||
virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
|
|
||||||
done | xargs -n5 | {
|
|
||||||
echo vm vcpu ram disk running
|
|
||||||
awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
|
|
||||||
test "$SHOW_AVAIL" && {
|
|
||||||
nproc
|
|
||||||
awk '/^MemTotal:/ { print int($2 / '$((POW / 1024))' ) }' /proc/meminfo
|
|
||||||
} | xargs -r printf 'AVAILABLE %s %s %s %s\n'
|
|
||||||
} | case "$FMT" in
|
|
||||||
'human')
|
|
||||||
column -t
|
|
||||||
;;
|
|
||||||
'html')
|
|
||||||
awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
|
|
||||||
;;
|
|
||||||
'csv')
|
|
||||||
tr ' ' ','
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
|
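Review bot: `parse_units ${1#*=}` and `parse_output ${1#*=}` in the `--units=?*` and `--output=?*` arms pass the option value unquoted, so a value containing whitespace or glob characters is split or expanded before the `case` in those functions sees it; quote both: `parse_units "${1#*=}"` and `parse_output "${1#*=}"`. The dependency check only covers `bc` and `virsh`, while the default `human` format pipes through `column` (shipped in bsdmainutils/bsdextrautils on Debian, not guaranteed present), so `column` belongs in the `for DEP in` list or the failure only shows up after all the virsh calls have run. In `main`, the `html` and `csv` branches write VM names straight into `<td>` cells and comma-separated fields without escaping or quoting; libvirt domain names set by the hypervisor administrator are the only input, so this is a robustness rather than an injection concern, but a comment stating that assumption next to the `case "$FMT"` would help.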
@ -5,7 +5,7 @@
|
||||||
when: kvm_install_drbd
|
when: kvm_install_drbd
|
||||||
|
|
||||||
## TODO: check why it's disabled
|
## TODO: check why it's disabled
|
||||||
#- include: ssh.yml
|
- include: ssh.yml
|
||||||
|
|
||||||
- include: packages.yml
|
- include: packages.yml
|
||||||
|
|
||||||
|
|
|
@ -15,36 +15,42 @@
|
||||||
debug:
|
debug:
|
||||||
msg: "{{ ssh_keys.stdout }}"
|
msg: "{{ ssh_keys.stdout }}"
|
||||||
|
|
||||||
- name: Autorize other kvm ssh key
|
#- name: Autorize other kvm ssh key
|
||||||
authorized_key:
|
# authorized_key:
|
||||||
user: root
|
# user: root
|
||||||
state: present
|
# state: present
|
||||||
key: "{{ item[0] }}"
|
# key: "{{ item[0] }}"
|
||||||
delegate_to: "{{ item[1] }}"
|
# delegate_to: "{{ item[1] }}"
|
||||||
loop: "{{ _keys | product(_servers) | list }}"
|
# loop: "{{ _keys | product(_servers) | list }}"
|
||||||
vars:
|
# vars:
|
||||||
_keys: ssh_keys.stdout
|
# _keys: ssh_keys.stdout
|
||||||
_servers: groups['hypervisors']
|
# _servers: groups['hypervisors']
|
||||||
when: item[1] != inventory_hostname
|
# when: item[1] != inventory_hostname
|
||||||
|
|
||||||
- name: Crontab for sync libvirt xml file
|
- name: Crontab for sync libvirt xml file
|
||||||
cron:
|
cron:
|
||||||
name: "sync libvirt xml on {{ item }}"
|
name: "sync libvirt xml on {{ kvm_pair }}"
|
||||||
state: present
|
state: present
|
||||||
special_time: "hourly"
|
special_time: "hourly"
|
||||||
user: root
|
user: root
|
||||||
job: "rsync -a --delete /etc/libvirt/qemu/ {{ hostvars[item]['ansible_hostname'] }}:/root/libvirt-{{ inventory_hostname }}/"
|
job: "rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/"
|
||||||
loop:
|
when:
|
||||||
- "{{ groups['hypervisors'] }}"
|
- kvm_pair is defined
|
||||||
when: item != inventory_hostname
|
- kvm_pair is not none
|
||||||
|
- kvm_pair | length > 0
|
||||||
|
- kvm_pair != inventory_hostname
|
||||||
|
tags: crontab
|
||||||
|
|
||||||
- name: Crontab for sync list of running vm
|
- name: Crontab for sync list of running vm
|
||||||
cron:
|
cron:
|
||||||
name: "sync list of libvirt running vm on {{ item }}"
|
name: "sync list of libvirt running vm on {{ kvm_pair }}"
|
||||||
state: present
|
state: present
|
||||||
special_time: "daily"
|
special_time: "daily"
|
||||||
user: root
|
user: root
|
||||||
job: "virsh list --all | ssh {{ hostvars[item]['ansible_hostname'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
|
job: "virsh list --all | tee /root/virsh-list.txt | ssh {{ hostvars[kvm_pair]['lan.ip'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'"
|
||||||
loop:
|
when:
|
||||||
- "{{ groups['hypervisors'] }}"
|
- kvm_pair is defined
|
||||||
when: item != inventory_hostname
|
- kvm_pair is not none
|
||||||
|
- kvm_pair | length > 0
|
||||||
|
- kvm_pair != inventory_hostname
|
||||||
|
tags: crontab
|
||||||
|
|
|
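Review bot: `hostvars[kvm_pair]['lan.ip']` in both new cron `job:` lines looks up a host variable literally named `lan.ip`, which is not a name Ansible can define in inventory or vars files; if a nested `lan: { ip: ... }` structure is meant the lookup should be `hostvars[kvm_pair]['lan']['ip']`, and if `lan.ip` is a custom inventory key it deserves a comment saying where it is set. Both jobs also fail at template time when `kvm_pair` names a host that is not in the inventory, even though the four `when:` conditions pass, so `kvm_pair in hostvars` is a useful fifth condition for both tasks. The commented-out "Autorize other kvm ssh key" task has no note explaining why it is disabled; a one-line `# disabled: <reason>` above it would record the intent, matching the TODO this commit keeps in main.yml.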
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
ldap_listen: "ldap://127.0.0.1:389/"
|
ldap_listen: "ldap://127.0.0.1:389/ ldapi:///"
|
||||||
|
|
||||||
ldap_hostname: "{{ ansible_hostname }}"
|
ldap_hostname: "{{ ansible_hostname }}"
|
||||||
ldap_domain: "{{ ansible_domain }}"
|
ldap_domain: "{{ ansible_domain }}"
|
||||||
ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
|
ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
|
||||||
|
|
||||||
ldap_admin_password: ""
|
ldap_admin_password: ""
|
||||||
ldap_nagios_password: ""
|
ldap_nagios_password: ""
|
||||||
|
|
|
@ -2,4 +2,10 @@
|
||||||
general_alert_email: "root@localhost"
|
general_alert_email: "root@localhost"
|
||||||
listupgrade_alert_email: Null
|
listupgrade_alert_email: Null
|
||||||
|
|
||||||
listupgrade_cron_enabled: true
|
listupgrade_cron_enabled: true
|
||||||
|
listupgrade_cron_minute: "42"
|
||||||
|
listupgrade_cron_hour: "9"
|
||||||
|
listupgrade_cron_day: "*"
|
||||||
|
listupgrade_cron_month: "*"
|
||||||
|
listupgrade_cron_weekday: "2"
|
||||||
|
listupgrade_cron_force: false
|
|
@ -1,5 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Repository: https://gitea.evolix.org/evolix/maj.sh/
|
||||||
|
|
||||||
# Exit codes :
|
# Exit codes :
|
||||||
# - 30 : $skip_releases or $skip_packages is set to "all"
|
# - 30 : $skip_releases or $skip_packages is set to "all"
|
||||||
# - 40 : current release is in $skip_releases list
|
# - 40 : current release is in $skip_releases list
|
||||||
|
@ -7,7 +9,7 @@
|
||||||
# - 60 : current release is not in the $r_releases list
|
# - 60 : current release is not in the $r_releases list
|
||||||
# - 70 : at least an upgradable package is not in the $r_packages list
|
# - 70 : at least an upgradable package is not in the $r_packages list
|
||||||
|
|
||||||
VERSION="21.06.2"
|
VERSION="21.06.3"
|
||||||
|
|
||||||
show_version() {
|
show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
|
@ -121,7 +123,7 @@ EOT
|
||||||
# are executed if they are executable
|
# are executed if they are executable
|
||||||
# and if their name doesn't contain a dot
|
# and if their name doesn't contain a dot
|
||||||
exec_hooks_in_dir() {
|
exec_hooks_in_dir() {
|
||||||
hooks=$(find "${1}" -type f -executable -not -name '*.*')
|
hooks=$(find "${1}" -type f -executable -not -name '*.* -print0 | sort --zero-terminated --dictionary-order | xargs --no-run-if-empty --null --max-args=1')
|
||||||
for hook in ${hooks}; do
|
for hook in ${hooks}; do
|
||||||
if ! cron_mode; then
|
if ! cron_mode; then
|
||||||
printf "Running '%s\`\n" "${hook}"
|
printf "Running '%s\`\n" "${hook}"
|
||||||
|
@ -178,13 +180,14 @@ main() {
|
||||||
echo 'Aucun' >"${packagesHold}"
|
echo 'Aucun' >"${packagesHold}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
local_release=$(cut -f 1 -d . </etc/debian_version)
|
||||||
|
|
||||||
if force_mode; then
|
if force_mode; then
|
||||||
if ! cron_mode; then
|
if ! cron_mode; then
|
||||||
echo "Force mode is enabled, as if every release/package is available for upgrade."
|
echo "Force mode is enabled, as if every release/package is available for upgrade."
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
fetch_upgrade_info
|
fetch_upgrade_info
|
||||||
local_release=$(cut -f 1 -d . </etc/debian_version)
|
|
||||||
|
|
||||||
# Exit if skip_releases or skip_packages in upgrade info file are set to all.
|
# Exit if skip_releases or skip_packages in upgrade info file are set to all.
|
||||||
if [ "${r_skip_releases}" = "all" ] || [ "${r_skip_packages}" = "all" ]; then
|
if [ "${r_skip_releases}" = "all" ] || [ "${r_skip_packages}" = "all" ]; then
|
||||||
|
|
|
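Review bot: In the new `hooks=$(find "${1}" -type f -executable -not -name '*.* -print0 | sort … | xargs …')` line the closing single quote sits at the end of the line, so `-print0`, the `sort` and the `xargs` are all part of the `-name` pattern: find gets no `-print0`, no pipeline runs, and because no file matches that literal pattern every executable file is listed, including those with a dot in their name, unsorted, newline-separated as before. Move the quote: `hooks=$(find "${1}" -type f -executable -not -name '*.*' -print0 | sort --zero-terminated --dictionary-order | xargs --no-run-if-empty --null --max-args=1)`. The body of `exec_hooks_in_dir` continues outside the hunk, so the `for hook in ${hooks}` word-splitting that follows still assumes hook paths without whitespace.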
@ -1,74 +1,152 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Repository: https://gitea.evolix.org/evolix/maj.sh/
|
||||||
|
|
||||||
# fork by reg from /etc/kernel/postinst.d/apt-auto-removal script
|
# fork by reg from /etc/kernel/postinst.d/apt-auto-removal script
|
||||||
|
|
||||||
set -e
|
VERSION="21.10"
|
||||||
|
readonly VERSION
|
||||||
|
|
||||||
eval $(apt-config shell DPKG Dir::bin::dpkg/f)
|
PROGNAME=$(basename "$0")
|
||||||
test -n "$DPKG" || DPKG="/usr/bin/dpkg"
|
|
||||||
|
show_version() {
|
||||||
|
cat <<END
|
||||||
|
${PROGNAME} version ${VERSION}
|
||||||
|
|
||||||
|
Copyright 2018-2021 Evolix <info@evolix.fr>,
|
||||||
|
Gregory Colpart <reg@evolix.fr>,
|
||||||
|
Romain Dessort <rdessort@evolix.fr>,
|
||||||
|
Ludovic Poujol <lpoujol@evolix.fr>,
|
||||||
|
Jérémy Lecour <jlecour@evolix.fr>
|
||||||
|
and others.
|
||||||
|
|
||||||
|
${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
|
||||||
|
and you are welcome to redistribute it under certain conditions.
|
||||||
|
See the GNU General Public Licence for details.
|
||||||
|
END
|
||||||
|
}
|
||||||
|
show_help() {
|
||||||
|
cat <<END
|
||||||
|
${PROGNAME} removes old kernels.
|
||||||
|
|
||||||
|
Options
|
||||||
|
-h, --help print this message and exit
|
||||||
|
--version print version and exit
|
||||||
|
END
|
||||||
|
}
|
||||||
|
|
||||||
# Detect which one of apt/aptitude we should use.
|
# Detect which one of apt/aptitude we should use.
|
||||||
|
# shellcheck disable=SC2120
|
||||||
get_apt_binary() {
|
get_apt_binary() {
|
||||||
root="$1"
|
root="${1:-}"
|
||||||
# apt could be a Java binary...
|
# apt could be a Java binary...
|
||||||
if [ -x $root/usr/bin/apt ] && ! $root/usr/bin/apt --version 2>&1 |grep -q "javac"; then
|
if [ -x "${root}/usr/bin/apt" ] && ! ${root}/usr/bin/apt --version 2>&1 | grep -q "javac"; then
|
||||||
echo "apt"
|
echo "apt"
|
||||||
elif [ -x $root/usr/bin/aptitude ]; then
|
elif [ -x "${root}/usr/bin/aptitude" ]; then
|
||||||
echo "aptitude"
|
echo "aptitude"
|
||||||
# Usually in containers
|
# Usually in containers
|
||||||
else
|
else
|
||||||
echo "apt-get"
|
echo "apt-get"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
APT=$(get_apt_binary)
|
|
||||||
|
|
||||||
list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \
|
main() {
|
||||||
| sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')"
|
specifc_kernel="$1"
|
||||||
debverlist="$(echo "$list" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
|
|
||||||
|
|
||||||
if [ -n "$1" ]; then
|
# shellcheck disable=SC2046
|
||||||
installed_version="$(echo "$list" | awk "\$1 == \"$1\" { print \$2;exit; }")"
|
eval $(apt-config shell DPKG Dir::bin::dpkg/f)
|
||||||
fi
|
DPKG="${DPKG:-/usr/bin/dpkg}"
|
||||||
unamer="$(uname -r | tr '[A-Z]' '[a-z]')"
|
|
||||||
if [ -n "$unamer" ]; then
|
|
||||||
running_version="$(echo "$list" | awk "\$1 == \"$unamer\" { print \$2;exit; }")"
|
|
||||||
fi
|
|
||||||
# ignore the currently running version if attempting a reproducible build
|
|
||||||
if [ -n "${SOURCE_DATE_EPOCH}" ]; then
|
|
||||||
unamer=""
|
|
||||||
running_version=""
|
|
||||||
fi
|
|
||||||
latest_version="$(echo "$debverlist" | sed -n 1p)"
|
|
||||||
previous_version="$(echo "$debverlist" | sed -n 2p)"
|
|
||||||
|
|
||||||
debkernels="$(echo "$latest_version
|
listupgrade_state_dir="${listupgrade_state_dir:-/var/lib/listupgrade}"
|
||||||
$installed_version
|
|
||||||
$running_version" | sort -u | sed -e '/^$/ d')"
|
APT=$(get_apt_binary)
|
||||||
kernels="$( (echo "$1
|
|
||||||
$unamer"; for deb in $debkernels; do echo "$list" | awk "\$2 == \"$deb\" { print \$1; }"; done; ) \
|
list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \
|
||||||
| sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')"
|
| sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')"
|
||||||
|
debverlist="$(echo "${list}" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
|
||||||
|
|
||||||
|
if [ -n "${specifc_kernel}" ]; then
|
||||||
|
installed_version="$(echo "$list" | awk "\$1 == \"${specifc_kernel}\" { print \$2;exit; }")"
|
||||||
|
fi
|
||||||
|
unamer="$(uname -r | tr '[:upper:]' '[:lower:]')"
|
||||||
|
if [ -n "${unamer}" ]; then
|
||||||
|
running_version="$(echo "${list}" | awk "\$1 == \"${unamer}\" { print \$2;exit; }")"
|
||||||
|
fi
|
||||||
|
# ignore the currently running version if attempting a reproducible build
|
||||||
|
if [ -n "${SOURCE_DATE_EPOCH}" ]; then
|
||||||
|
unamer=""
|
||||||
|
running_version=""
|
||||||
|
fi
|
||||||
|
latest_version="$(echo "${debverlist}" | sed -n 1p)"
|
||||||
|
previous_version="$(echo "${debverlist}" | sed -n 2p)"
|
||||||
|
|
||||||
|
debkernels="$(echo "${latest_version}
|
||||||
|
${installed_version}
|
||||||
|
${running_version}" | sort -u | sed -e '/^$/ d')"
|
||||||
|
kernels="$( (echo "${specifc_kernel}
|
||||||
|
${unamer}"; for deb in ${debkernels}; do echo "${list}" | awk "\$2 == \"${deb}\" { print \$1; }"; done; ) \
|
||||||
|
| sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')"
|
||||||
|
|
||||||
|
|
||||||
echo "
|
echo "
|
||||||
List of installed kernel packages:
|
List of installed kernel packages:
|
||||||
$list
|
$list
|
||||||
|
|
||||||
# Running kernel: ${running_version:-ignored} (${unamer:-ignored})
|
# Running kernel: ${running_version:-ignored} (${unamer:-ignored})
|
||||||
# Last kernel: $latest_version
|
# Last kernel: ${latest_version}
|
||||||
# Previous kernel: $previous_version
|
# Previous kernel: ${previous_version}
|
||||||
# Kernel versions list to keep:
|
# Kernel versions list to keep:
|
||||||
$debkernels
|
${debkernels}
|
||||||
|
|
||||||
# Kernel packages (version part) to protect:
|
# Kernel packages (version part) to protect:
|
||||||
$kernels
|
${kernels}
|
||||||
"
|
"
|
||||||
|
|
||||||
echo "BEFORE"
|
echo "BEFORE"
|
||||||
dpkg -l | grep linux-image
|
dpkg -l | grep linux-image
|
||||||
|
|
||||||
dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep ^linux-image-[234] | egrep -v "($kernels)" | xargs --no-run-if-empty $APT -y purge
|
dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep '^linux-image-[234]' | grep -v -E "(${kernels})" | xargs --no-run-if-empty ${APT} -o Dir::State::Lists="${listupgrade_state_dir}" -y purge
|
||||||
|
|
||||||
echo "
|
echo "
|
||||||
AFTER"
|
AFTER"
|
||||||
dpkg -l | grep linux-image
|
dpkg -l | grep linux-image
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# Parse options
|
||||||
|
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||||
|
while :; do
|
||||||
|
case $1 in
|
||||||
|
-h|-\?|--help)
|
||||||
|
show_help
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
-V|--version)
|
||||||
|
show_version
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
--)
|
||||||
|
# End of all options.
|
||||||
|
shift
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
-?*|[[:alnum:]]*)
|
||||||
|
# ignore unknown options
|
||||||
|
if [ "${QUIET}" != 1 ]; then
|
||||||
|
printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# Default case: If no more options then break out of the loop.
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
|
||||||
|
main "${@}"
|
||||||
|
|
|
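Review bot: The option loop's `-?*|[[:alnum:]]*)` arm consumes any positional argument that starts with a letter or digit, warns "Unknown option (ignored)" and shifts it away, so the kernel name `main` expects in `specifc_kernel="$1"` never arrives unless the caller writes `-- <kernel>`; dropping `|[[:alnum:]]*` from that pattern lets the `*)` default arm stop at the first positional. The rewritten purge line keeps `grep '^linux-image-[234]'`, which only selects 2.x–4.x kernel packages, so on the bullseye hosts this commit targets elsewhere (5.x kernels) nothing is ever purged — if that is not intentional, `grep '^linux-image-[0-9]'` covers current versions. `QUIET` is read in that same arm but never set in this file, and `specifc_kernel` looks like a typo for `specific_kernel`.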
@ -46,14 +46,17 @@
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: Enable listupgrade cron
|
- name: Enable listupgrade cron
|
||||||
copy:
|
cron:
|
||||||
src: listupgrade_cron
|
name: "lisupgrade.sh"
|
||||||
dest: /etc/cron.d/listupgrade
|
cron_file: "listupgrade"
|
||||||
mode: "0600"
|
user: root
|
||||||
owner: root
|
job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}"
|
||||||
group: root
|
minute: "{{ listupgrade_cron_minute }}"
|
||||||
force: no
|
hour: "{{ listupgrade_cron_hour }}"
|
||||||
when: listupgrade_cron_enabled | bool
|
weekday: "{{ listupgrade_cron_weekday }}"
|
||||||
|
day: "{{ listupgrade_cron_day }}"
|
||||||
|
month: "{{ listupgrade_cron_month }}"
|
||||||
|
state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}"
|
||||||
|
|
||||||
- name: old-kernel-autoremoval script is present
|
- name: old-kernel-autoremoval script is present
|
||||||
copy:
|
copy:
|
||||||
|
|
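Review bot: `name: "lisupgrade.sh"` in the new cron task is a typo, and it is also the marker the `cron` module writes (`#Ansible: lisupgrade.sh`) into `/etc/cron.d/listupgrade` to find its entry later, so fixing it after deployment leaves the misspelled entry behind unless it is removed explicitly; correct it now: `name: "listupgrade.sh"`. The task also switches the same path from a copied file to a module-managed entry, and the `cron` module only adds or replaces its own marked line, so any unmarked job line the previously copied `listupgrade_cron` file contained (its content is not in the diff) would stay in place and run alongside the new one; a one-off migration step that clears the legacy file, or a comment recording that the old file had no unmarked entries, would close that gap.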