45 commits
stable
...
replace_in
Author | SHA1 | Date | |
---|---|---|---|
956ecd4700 | |||
Mathieu Trossevin | ef50defc0a | ||
5dc6a1d36b | |||
Jérémy Lecour | 31c2629d31 | ||
20abe0e09a | |||
Jérémy Lecour | 75459baa35 | ||
Jérémy Lecour | 3feacd0c6d | ||
Jérémy Lecour | 1ae978c74a | ||
Ludovic Poujol | 6ab0cb4fd1 | ||
Jérémy Lecour | 214b6e0d6a | ||
Jérémy Lecour | d0f8e6c753 | ||
Jérémy Lecour | f0b23ffa50 | ||
Jérémy Lecour | 54bf9c1854 | ||
Jérémy Lecour | 85d429295f | ||
Jérémy Lecour | bbc1bae437 | ||
Jérémy Dubois | d2fa14fb4f | ||
Jérémy Dubois | 42782b7f3d | ||
1646cc99bf | |||
Jérémy Dubois | b4f83e54d0 | ||
Jérémy Lecour | 0d1ccc79c3 | ||
Jérémy Lecour | 163d5abf7c | ||
Jérémy Lecour | ef832c9ab6 | ||
Jérémy Dubois | c2f6ff5249 | ||
Jérémy Lecour | 5895f5a99b | ||
Jérémy Lecour | e7594c6c86 | ||
444bd72944 | |||
Jérémy Lecour | fb41c81e99 | ||
Jérémy Lecour | 8a9faa0250 | ||
Jérémy Lecour | 545226f6f6 | ||
Jérémy Lecour | ba90203f21 | ||
Ludovic Poujol | 17f884b04a | ||
Ludovic Poujol | 913e6d96e8 | ||
Ludovic Poujol | 0e768809b7 | ||
Ludovic Poujol | 5a2dc5cbd1 | ||
6df10be6ef | |||
William Hirigoyen (Evolix) | 4a31961ba0 | ||
William Hirigoyen (Evolix) | a565e8f8e8 | ||
William Hirigoyen (Evolix) | ab1f3fd6d4 | ||
c880ce43a2 | |||
Jérémy Lecour | a733e2794f | ||
Jérémy Lecour | b4f35af35c | ||
87a3fd48df | |||
3ef6381ba6 | |||
d455de52b3 | |||
9c84e95182 |
19
CHANGELOG.md
19
CHANGELOG.md
|
@ -12,10 +12,29 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Added
|
||||
|
||||
* minifirewall: configure proxy/backup/sysctl values
|
||||
* etc-git: Commit /etc in lxc containers when they are git repositories
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck: upstream release 22.03.1
|
||||
* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
|
||||
* evolinux-base: rename backup-server-state to dump-server-state
|
||||
* dump-server-state: upstream release 22.03.10
|
||||
* generate-ldif: Add services check for bkctld
|
||||
* minifirewall: restore "force-restart" and fix "restart-if-needed"
|
||||
* minifirewall: tail template follows symlinks
|
||||
* minifirewall: upstream release 22.03.4
|
||||
* openvpn: use a subnet topology instead of the net30 default topology
|
||||
|
||||
### Fixed
|
||||
|
||||
* Repair keepalived role
|
||||
* generate-ldif: Correct generated entries for php-fpm in containers
|
||||
* redis: Remount /usr with RW before adding nagios plugin
|
||||
* postfix: Do not send mails through milters a second time after amavis (in packmail)
|
||||
* Replace use of the `include` module with the `import_tasks` or `include_tasks` module to prevent bug due to faulty behaviour choice on the part of ansible
|
||||
|
||||
### Removed
|
||||
|
||||
### Security
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
- apache
|
||||
|
||||
- name: Load IP whitelist task
|
||||
include: ip_whitelist.yml
|
||||
import_tasks: ip_whitelist.yml
|
||||
|
||||
- name: include private IP whitelist for server-status
|
||||
lineinfile:
|
||||
|
|
|
@ -109,7 +109,7 @@
|
|||
tags:
|
||||
- apache
|
||||
|
||||
- include: auth.yml
|
||||
- import_tasks: auth.yml
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
@ -134,7 +134,7 @@
|
|||
tags:
|
||||
- apache
|
||||
|
||||
- include: server_status.yml
|
||||
- import_tasks: server_status.yml
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
@ -199,12 +199,12 @@
|
|||
tags:
|
||||
- apache
|
||||
|
||||
- include: log2mail.yml
|
||||
- import_tasks: log2mail.yml
|
||||
when: apache_log2mail_include
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
when: apache_munin_include | bool
|
||||
tags:
|
||||
- apache
|
||||
|
|
|
@ -9,31 +9,31 @@
|
|||
- apt
|
||||
|
||||
- name: Custom configuration
|
||||
include: config.yml
|
||||
import_tasks: config.yml
|
||||
when: apt_config | bool
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Install basics repositories
|
||||
include: basics.yml
|
||||
import_tasks: basics.yml
|
||||
when: apt_install_basics | bool
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Install APT Backports repository
|
||||
include: backports.yml
|
||||
import_tasks: backports.yml
|
||||
when: apt_install_backports | bool
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Install Evolix Public APT repository
|
||||
include: evolix_public.yml
|
||||
import_tasks: evolix_public.yml
|
||||
when: apt_install_evolix_public | bool
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Install check for packages marked hold
|
||||
include: hold_packages.yml
|
||||
import_tasks: hold_packages.yml
|
||||
when: apt_install_hold_packages | bool
|
||||
tags:
|
||||
- apt
|
||||
|
@ -50,4 +50,4 @@
|
|||
upgrade: dist
|
||||
when: apt_upgrade | bool
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -126,4 +126,4 @@
|
|||
force: yes
|
||||
notify: restart bind
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
|
|
|
@ -8,18 +8,18 @@
|
|||
msg: only compatible with Debian 9+
|
||||
|
||||
- name: Install legacy script on Debian 8
|
||||
include: install-legacy.yml
|
||||
import_tasks: install-legacy.yml
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('9', '<')
|
||||
|
||||
- name: Install package on Debian 9+
|
||||
include: install-package.yml
|
||||
import_tasks: install-package.yml
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- include: acme-challenge.yml
|
||||
- import_tasks: acme-challenge.yml
|
||||
|
||||
- name: Deploy hooks are present
|
||||
copy:
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
update_cache: no
|
||||
filename: docker.list
|
||||
|
||||
- include: jessie_backports.yml
|
||||
- import_tasks: jessie_backports.yml
|
||||
when: ansible_distribution_release == 'jessie'
|
||||
|
||||
- name: Add Docker's official GPG key
|
||||
|
|
|
@ -8,3 +8,9 @@
|
|||
service:
|
||||
name: dovecot
|
||||
state: reloaded
|
||||
|
||||
- name: restart log2mail
|
||||
service:
|
||||
name: log2mail
|
||||
state: restarted
|
||||
|
||||
|
|
|
@ -78,6 +78,28 @@
|
|||
tags:
|
||||
- dovecot
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
- name: log2mail is installed
|
||||
apt:
|
||||
name: log2mail
|
||||
state: present
|
||||
tags: dovecot
|
||||
|
||||
- name: dovecot is configured in log2mail
|
||||
blockinfile:
|
||||
path: /etc/log2mail/config/mail.conf
|
||||
create: true
|
||||
owner: log2mail
|
||||
group: adm
|
||||
mode: "0640"
|
||||
block: |
|
||||
file = /var/log/mail.log
|
||||
pattern = "Out of memory"
|
||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||
template = /etc/log2mail/mail
|
||||
notify: restart log2mail
|
||||
tags: dovecot
|
||||
|
||||
|
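Review bot: The `mailto` line of the blockinfile block, `mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}`, applies `mandatory` only to `general_alert_email`, because a filter binds tighter than `or`; unless the role's defaults define `log2mail_alert_email`, an unset value is evaluated by `or` first and the template fails before the fallback is reached. `mailto = {{ log2mail_alert_email | default(general_alert_email) | mandatory }}` states the intended fallback explicitly and keeps the `mandatory` error for the case where neither variable is set. The two new tasks also use the scalar form `tags: dovecot` while the munin task above uses the list form; one form per file is easier to grep.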
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- include: packages.yml
|
||||
- import_tasks: packages.yml
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
|
||||
- include: nagios.yml
|
||||
- import_tasks: nagios.yml
|
||||
|
|
|
@ -1,21 +1,21 @@
|
|||
---
|
||||
|
||||
- include: packages.yml
|
||||
- import_tasks: packages.yml
|
||||
|
||||
- include: configuration.yml
|
||||
- import_tasks: configuration.yml
|
||||
|
||||
- include: bootstrap_checks.yml
|
||||
- import_tasks: bootstrap_checks.yml
|
||||
|
||||
- include: tmpdir.yml
|
||||
- import_tasks: tmpdir.yml
|
||||
|
||||
- include: datadir.yml
|
||||
- import_tasks: datadir.yml
|
||||
|
||||
- include: logs.yml
|
||||
- import_tasks: logs.yml
|
||||
|
||||
- include: additional_scripts.yml
|
||||
- import_tasks: additional_scripts.yml
|
||||
|
||||
- include: plugin_head.yml
|
||||
- import_tasks: plugin_head.yml
|
||||
when: elasticsearch_plugin_head | bool
|
||||
|
||||
- include: curator.yml
|
||||
- import_tasks: curator.yml
|
||||
when: elasticsearch_curator | bool
|
||||
|
|
|
@ -50,3 +50,30 @@
|
|||
when:
|
||||
- _usr_share_scripts_git.stat.exists
|
||||
- _usr_share_scripts_git.stat.isdir
|
||||
|
||||
- name: Check if there are lxc containers
|
||||
stat:
|
||||
path: /var/lib/lxc
|
||||
get_attributes: no
|
||||
get_checksum: no
|
||||
get_mime: no
|
||||
register: _var_lib_lxc
|
||||
|
||||
- name: Get lxc containers and commit their /etc when needed
|
||||
block:
|
||||
- name: Get all lxc containers
|
||||
find:
|
||||
paths: /var/lib/lxc
|
||||
recurse: no
|
||||
file_type: directory
|
||||
register: _lxc_containers
|
||||
|
||||
- name: "Commit /etc in all containers"
|
||||
include_tasks:
|
||||
file: lxc_commit.yml
|
||||
loop: "{{ _lxc_containers.files | map(attribute='path') | map('basename') }}"
|
||||
loop_control:
|
||||
loop_var: container
|
||||
when:
|
||||
- _var_lib_lxc.stat.exists
|
||||
- _var_lib_lxc.stat.isdir or _var_lib_lxc.stat.islnk
|
||||
|
|
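Review bot: `loop: "{{ _lxc_containers.files | map(attribute='path') | map('basename') }}"` hands the output of `map`, a generator rather than a list, to `loop`; Ansible releases that do not coerce it reject the value with "requires a list", so append `| list` to the expression. The `stat` task spells its options as `get_attributes: no`, `get_checksum: no`, `get_mime: no`; `false` is the canonical YAML boolean (yamllint `truthy`). Since the loop variable is taken straight from directory names under `/var/lib/lxc`, a comment above the loop such as `# container is an untrusted directory name: use it in paths only, never in a shell string` would document the contract that `lxc_commit.yml` honours by passing it through `argv`.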
35
etc-git/tasks/lxc_commit.yml
Normal file
35
etc-git/tasks/lxc_commit.yml
Normal file
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
- name: "Assert that we have been called with `container` defined"
|
||||
assert:
|
||||
that:
|
||||
- container is defined
|
||||
|
||||
- name: "Define path to /etc in {{ container }} container"
|
||||
set_fact:
|
||||
container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}"
|
||||
|
||||
- name: "Check if /etc is a git repository in {{ container }}"
|
||||
stat:
|
||||
path: "{{ (container_etc, '.git') | path_join }}"
|
||||
get_attributes: no
|
||||
get_checksum: no
|
||||
get_mime: no
|
||||
register: "container_etc_git"
|
||||
|
||||
- name: "Evocommit /etc of {{ container }}"
|
||||
command:
|
||||
argv:
|
||||
- /usr/local/bin/evocommit
|
||||
- '--ansible'
|
||||
- '--repository'
|
||||
- "{{ container_etc }}"
|
||||
- '--message'
|
||||
- "{{ commit_message | mandatory }}"
|
||||
changed_when:
|
||||
- "container_etc_git_commit.stdout"
|
||||
- "'CHANGED:' in container_etc_git_commit.stdout"
|
||||
ignore_errors: yes
|
||||
register: "container_etc_git_commit"
|
||||
when:
|
||||
- "container_etc_git.stat.exists"
|
||||
- "container_etc_git.stat.isdir"
|
|
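Review bot: `ignore_errors: yes` on the "Evocommit /etc of {{ container }}" task marks every failure of `/usr/local/bin/evocommit` — a missing binary, an unreadable repository, a failed commit — as ignored for every container and lets the play continue, so a broken commit path is easy to overlook. If a non-zero exit is expected only in specific cases, a `failed_when` written against `container_etc_git_commit.rc` and `container_etc_git_commit.stderr` is narrower; otherwise drop `ignore_errors` and let the error surface. Passing the arguments through `argv` is the right choice here, since `container` and `commit_message` then never reach a shell. The file also uses `yes`/`no` booleans (`ignore_errors: yes`, `get_attributes: no`) where `true`/`false` is canonical.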
@ -6,6 +6,8 @@
|
|||
state: present
|
||||
tags:
|
||||
- etc-git
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
@ -19,7 +21,7 @@
|
|||
tags:
|
||||
- etc-git
|
||||
|
||||
- include: repository.yml
|
||||
- import_tasks: repository.yml
|
||||
vars:
|
||||
repository_path: "/etc"
|
||||
gitignore_items:
|
||||
|
@ -36,7 +38,7 @@
|
|||
path: /usr/share/scripts
|
||||
register: _usr_share_scripts
|
||||
|
||||
- include: repository.yml
|
||||
- import_tasks: repository.yml
|
||||
vars:
|
||||
repository_path: "/usr/share/scripts"
|
||||
gitignore_items: []
|
||||
|
@ -111,4 +113,4 @@
|
|||
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
|
||||
when: is_cron_installed.rc == 0
|
||||
tags:
|
||||
- etc-git
|
||||
- etc-git
|
||||
|
|
|
@ -70,4 +70,4 @@
|
|||
register: git_commit
|
||||
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
|
||||
tags:
|
||||
- etc-git
|
||||
- etc-git
|
||||
|
|
|
@ -8,16 +8,16 @@
|
|||
msg: only compatible with Debian >= 9
|
||||
when: not (evoacme_disable_debian_check | bool)
|
||||
|
||||
- include: certbot.yml
|
||||
- import_tasks: certbot.yml
|
||||
|
||||
- include: permissions.yml
|
||||
- import_tasks: permissions.yml
|
||||
|
||||
# Enable this task if you want to deploy hooks
|
||||
# - include: evoacme_hook.yml
|
||||
# - include_tasks: evoacme_hook.yml
|
||||
# vars:
|
||||
# hook_name: "{{ item }}"
|
||||
# loop: []
|
||||
|
||||
- include: conf.yml
|
||||
- import_tasks: conf.yml
|
||||
|
||||
- include: scripts.yml
|
||||
- import_tasks: scripts.yml
|
||||
|
|
|
@ -1,26 +1,26 @@
|
|||
---
|
||||
|
||||
- include: "ssh_key.yml"
|
||||
- import_tasks: "ssh_key.yml"
|
||||
tags:
|
||||
- evobackup_client
|
||||
- evobackup_client_backup_ssh_key
|
||||
|
||||
- include: "jail.yml"
|
||||
- import_tasks: "jail.yml"
|
||||
tags:
|
||||
- evobackup_client
|
||||
- evobackup_client_jail
|
||||
|
||||
- include: "upload_scripts.yml"
|
||||
- import_tasks: "upload_scripts.yml"
|
||||
tags:
|
||||
- evobackup_client
|
||||
- evobackup_client_backup_scripts
|
||||
|
||||
- include: "open_ssh_ports.yml"
|
||||
- import_tasks: "open_ssh_ports.yml"
|
||||
tags:
|
||||
- evobackup_client
|
||||
- evobackup_client_backup_firewall
|
||||
|
||||
- include: "verify_ssh.yml"
|
||||
- import_tasks: "verify_ssh.yml"
|
||||
tags:
|
||||
- evobackup_client
|
||||
- evobackup_client_backup_hosts
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="21.10.4"
|
||||
VERSION="22.03.1"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
@ -13,7 +13,7 @@ show_version() {
|
|||
cat <<END
|
||||
evocheck version ${VERSION}
|
||||
|
||||
Copyright 2009-2021 Evolix <info@evolix.fr>,
|
||||
Copyright 2009-2022 Evolix <info@evolix.fr>,
|
||||
Romain Dessort <rdessort@evolix.fr>,
|
||||
Benoit Série <bserie@evolix.fr>,
|
||||
Gregory Colpart <reg@evolix.fr>,
|
||||
|
@ -142,9 +142,9 @@ failed() {
|
|||
RC=1
|
||||
if [ "${QUIET}" != 1 ]; then
|
||||
if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
|
||||
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1
|
||||
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}"
|
||||
else
|
||||
printf "%s FAILED!\n" "${check_name}" 2>&1
|
||||
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -328,8 +328,11 @@ check_tmoutprofile() {
|
|||
check_alert5boot() {
|
||||
if is_debian_buster || is_debian_bullseye; then
|
||||
grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
|
||||
test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing"
|
||||
systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
|
||||
if [ -f /etc/systemd/system/alert5.service ]; then
|
||||
systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
|
||||
else
|
||||
failed "IS_ALERT5BOOT" "alert5 unit file is missing"
|
||||
fi
|
||||
else
|
||||
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
|
||||
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
|
||||
|
@ -567,7 +570,7 @@ check_network_interfaces() {
|
|||
# Verify if all if are in auto
|
||||
check_autoif() {
|
||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
||||
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
||||
else
|
||||
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
|
||||
fi
|
||||
|
@ -592,9 +595,9 @@ check_evobackup() {
|
|||
}
|
||||
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
|
||||
check_evobackup_exclude_mount() {
|
||||
excludes_file=$(mktemp)
|
||||
# shellcheck disable=SC2064
|
||||
trap "rm -f ${excludes_file}" 0
|
||||
excludes_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.evobackup_exclude_mount.XXXXX")
|
||||
files_to_cleanup="${files_to_cleanup} ${excludes_file}"
|
||||
|
||||
# shellcheck disable=SC2044
|
||||
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
|
||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||
|
@ -603,7 +606,6 @@ check_evobackup_exclude_mount() {
|
|||
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
|
||||
done
|
||||
done
|
||||
rm -rf "${excludes_file}"
|
||||
}
|
||||
# Verification de la presence du userlogrotate
|
||||
check_userlogrotate() {
|
||||
|
@ -809,8 +811,10 @@ check_tune2fs_m5() {
|
|||
check_evolinuxsudogroup() {
|
||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||
if grep -q "^evolinux-sudo:" /etc/group; then
|
||||
grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
|
||||
|| failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
|
||||
if [ -f /etc/sudoers.d/evolinux ]; then
|
||||
grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
|
||||
|| failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
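Review bot: The new `if [ -f /etc/sudoers.d/evolinux ]` guard in check_evolinuxsudogroup has no `else` branch, so when the `evolinux-sudo` group exists but the sudoers drop-in is absent the check now passes silently, whereas before the grep on the missing file made it report "missing evolinux-sudo directive in sudoers file" (with a grep error on stderr). The alert5 hunk in this same commit handles the analogous case with an explicit `else failed …`; the same shape is wanted here: `else` / `failed "IS_EVOLINUXSUDOGROUP" "missing sudoers file /etc/sudoers.d/evolinux"` / `fi`. Without it a host whose sudo policy file was removed keeps a clean IS_EVOLINUXSUDOGROUP result.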
@ -827,7 +831,7 @@ check_userinadmgroup() {
|
|||
}
|
||||
check_apache2evolinuxconf() {
|
||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||
if test -d /etc/apache2; then
|
||||
if is_installed apache2; then
|
||||
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
|
||||
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
|
||||
&& test -f /etc/apache2/ipaddr_whitelist.conf;
|
||||
|
@ -1006,6 +1010,8 @@ check_mysqlmunin() {
|
|||
test "${VERBOSE}" = 1 || break
|
||||
fi
|
||||
done
|
||||
munin-run mysql_commands 2> /dev/null > /dev/null
|
||||
test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
@ -1062,8 +1068,10 @@ check_squidevolinuxconf() {
|
|||
check_duplicate_fs_label() {
|
||||
# Do it only if thereis blkid binary
|
||||
BLKID_BIN=$(command -v blkid)
|
||||
if [ -x "$BLKID_BIN" ]; then
|
||||
tmpFile=$(mktemp -p /tmp)
|
||||
if [ -n "$BLKID_BIN" ]; then
|
||||
tmpFile=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.duplicate_fs_label.XXXXX")
|
||||
files_to_cleanup="${files_to_cleanup} ${tmpFile}"
|
||||
|
||||
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
||||
for part in $parts; do
|
||||
echo "$part" >> "$tmpFile"
|
||||
|
@ -1076,7 +1084,6 @@ check_duplicate_fs_label() {
|
|||
labels=$(echo -n $tmpOutput | tr '\n' ' ')
|
||||
failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels"
|
||||
fi
|
||||
rm "$tmpFile"
|
||||
else
|
||||
failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}"
|
||||
fi
|
||||
|
@ -1395,6 +1402,7 @@ get_command() {
|
|||
listupgrade) command -v "evolistupgrade.sh" ;;
|
||||
old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;;
|
||||
mysql-queries-killer) command -v "mysql-queries-killer.sh" ;;
|
||||
minifirewall) echo "/etc/init.d/minifirewall" ;;
|
||||
|
||||
## General case, where the program name is the same as the command name
|
||||
*) command -v "${program}" ;;
|
||||
|
@ -1415,6 +1423,9 @@ get_version() {
|
|||
add-vm)
|
||||
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
|
||||
;;
|
||||
minifirewall)
|
||||
${command} status | head -1 | cut -d ' ' -f 3
|
||||
;;
|
||||
## Let's try the --version flag before falling back to grep for the constant
|
||||
kvmstats)
|
||||
if ${command} --version > /dev/null 2> /dev/null; then
|
||||
|
@ -1457,9 +1468,9 @@ add_to_path() {
|
|||
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
|
||||
}
|
||||
check_versions() {
|
||||
versions_file=$(mktemp --tmpdir=/tmp "evocheck-versions.XXXXX")
|
||||
# shellcheck disable=SC2064
|
||||
trap "rm -f ${versions_file}" 0
|
||||
versions_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.versions.XXXXX")
|
||||
files_to_cleanup="${files_to_cleanup} ${versions_file}"
|
||||
|
||||
download_versions "${versions_file}"
|
||||
add_to_path "/usr/share/scripts"
|
||||
|
||||
|
@ -1477,8 +1488,6 @@ check_versions() {
|
|||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
rm -f "${versions_file}"
|
||||
}
|
||||
|
||||
main() {
|
||||
|
@ -1487,6 +1496,9 @@ main() {
|
|||
# Detect operating system name, version and release
|
||||
detect_os
|
||||
|
||||
main_output_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.main.XXXXX")
|
||||
files_to_cleanup="${files_to_cleanup} ${main_output_file}"
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# Tests communs à tous les systèmes
|
||||
#-----------------------------------------------------------
|
||||
|
@ -1715,8 +1727,19 @@ main() {
|
|||
# - NRPEDISK et NRPEPOSTFIX
|
||||
fi
|
||||
|
||||
if [ -f "${main_output_file}" ]; then
|
||||
if [ $(cat "${main_output_file}" | wc -l) -gt 0 ]; then
|
||||
|
||||
cat "${main_output_file}" 2>&1
|
||||
fi
|
||||
fi
|
||||
|
||||
exit ${RC}
|
||||
}
|
||||
cleanup_temp_files() {
|
||||
# shellcheck disable=SC2086
|
||||
rm -f ${files_to_cleanup}
|
||||
}
|
||||
|
||||
PROGNAME=$(basename "$0")
|
||||
# shellcheck disable=SC2034
|
||||
|
@ -1730,6 +1753,10 @@ readonly ARGS
|
|||
export LANG=C
|
||||
export LANGUAGE=C
|
||||
|
||||
files_to_cleanup=""
|
||||
# shellcheck disable=SC2064
|
||||
trap cleanup_temp_files 0
|
||||
|
||||
# Source configuration file
|
||||
# shellcheck disable=SC1091
|
||||
test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
- evocheck_force_install is defined
|
||||
- evocheck_force_install == "package"
|
||||
|
||||
- include: install.yml
|
||||
- import_tasks: install.yml
|
||||
|
||||
- include: cron.yml
|
||||
- import_tasks: cron.yml
|
||||
when: evocheck_update_crontab | bool
|
||||
|
|
|
@ -1,11 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
PROGNAME="backup-server-state"
|
||||
PROGNAME="dump-server-state"
|
||||
REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state"
|
||||
|
||||
VERSION="22.01.3"
|
||||
VERSION="22.03.10"
|
||||
readonly VERSION
|
||||
|
||||
backup_dir=
|
||||
dump_dir=
|
||||
rc=0
|
||||
|
||||
# base functions
|
||||
|
@ -15,9 +16,13 @@ show_version() {
|
|||
${PROGNAME} version ${VERSION}
|
||||
|
||||
Copyright 2018-2022 Evolix <info@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Éric Morino <emorino@evolix.fr>,
|
||||
Brice Waegeneire <bwaegeneire@evolix.fr>
|
||||
and others.
|
||||
|
||||
${REPOSITORY}
|
||||
|
||||
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
|
||||
and you are welcome to redistribute it under certain conditions.
|
||||
See the GNU General Public License v3.0 for details.
|
||||
|
@ -25,54 +30,48 @@ END
|
|||
}
|
||||
show_help() {
|
||||
cat <<END
|
||||
${PROGNAME} is making backup copies of information related to the state of the server.
|
||||
${PROGNAME} is dumping information related to the state of the server.
|
||||
|
||||
Usage: ${PROGNAME} --backup-dir=/path/to/backup/directory [OPTIONS]
|
||||
Usage: ${PROGNAME} --dump-dir=/path/to/dump/directory [OPTIONS]
|
||||
|
||||
Options
|
||||
-d, --backup-dir path to the directory where the backup will be stored
|
||||
-f, --force keep existing backup directory and its content
|
||||
--etc backup copy of /etc
|
||||
--no-etc no backup copy of /etc (default)
|
||||
--dpkg backup copy of /var/lib/dpkg
|
||||
--no-dpkg no backup copy of /var/lib/dpkg (default)
|
||||
--apt-states backup copy of apt extended states (default)
|
||||
--no-apt-states no backup copy of apt extended states
|
||||
--apt-config backup copy of apt configuration (default)
|
||||
--no-apt-config no backup copy of apt configuration
|
||||
--packages backup copy of dpkg selections (default)
|
||||
--no-packages no backup copy of dpkg selections
|
||||
--processes backup copy of process list (default)
|
||||
--no-processes no backup copy of process list
|
||||
--uptime backup of uptime value (default)
|
||||
--no-uptime no backup of uptime value
|
||||
--netstat backup copy of netstat (default)
|
||||
--no-netstat no backup copy of netstat
|
||||
--netcfg backup copy of network configuration (default)
|
||||
--no-netcfg no backup copy of network configuration
|
||||
--iptables backup copy of iptables (default)
|
||||
--no-iptables no backup copy of iptables
|
||||
--sysctl backup copy of sysctl values (default)
|
||||
--no-sysctl no backup copy of sysctl values
|
||||
--virsh backup copy of virsh list (default)
|
||||
--no-virsh no backup copy of virsh list
|
||||
--lxc backup copy of lxc list (default)
|
||||
--no-lxc no backup copy of lxc list
|
||||
--disks backup copy of MBR and partitions (default)
|
||||
--no-disks no backup copy of MBR and partitions
|
||||
--mount backup copy of mount points (default)
|
||||
--no-mount no backup copy of mount points
|
||||
--df backup copy of disk usage (default)
|
||||
--no-df no backup copy of disk usage
|
||||
--dmesg backup copy of dmesg (default)
|
||||
--no-dmesg no backup copy of dmesg
|
||||
--mysql backup copy of mysql processes (default)
|
||||
--no-mysql no backup copy of mysql processes
|
||||
--services backup copy of services states (default)
|
||||
--no-services no backup copy of services states
|
||||
-v, --verbose print details about backup steps
|
||||
-V, --version print version and exit
|
||||
-h, --help print this message and exit
|
||||
Main options
|
||||
-d, --dump-dir path to the directory where data will be stored
|
||||
--backup-dir legacy option for dump directory
|
||||
-f, --force keep existing dump directory and its content
|
||||
-v, --verbose print details about each task
|
||||
-V, --version print version and exit
|
||||
-h, --help print this message and exit
|
||||
|
||||
Tasks options
|
||||
--all reset options to execute all tasks
|
||||
--none reset options to execute no task
|
||||
--[no-]etc copy of /etc (default: no)
|
||||
--[no-]dpkg-full copy of /var/lib/dpkg (default: no)
|
||||
--[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes)
|
||||
--[no-]apt-states copy of apt extended states (default: yes)
|
||||
--[no-]apt-config copy of apt configuration (default: yes)
|
||||
--[no-]packages copy of dpkg selections (default: yes)
|
||||
--[no-]processes copy of process list (default: yes)
|
||||
--[no-]uname copy of uname value (default: yes)
|
||||
--[no-]uptime copy of uptime value (default: yes)
|
||||
--[no-]netstat copy of netstat (default: yes)
|
||||
--[no-]netcfg copy of network configuration (default: yes)
|
||||
--[no-]iptables copy of iptables (default: yes)
|
||||
--[no-]sysctl copy of sysctl values (default: yes)
|
||||
--[no-]virsh copy of virsh list (default: yes)
|
||||
--[no-]lxc copy of lxc list (default: yes)
|
||||
--[no-]disks copy of MBR and partitions (default: yes)
|
||||
--[no-]mount copy of mount points (default: yes)
|
||||
--[no-]df copy of disk usage (default: yes)
|
||||
--[no-]dmesg copy of dmesg (default: yes)
|
||||
--[no-]mysql copy of mysql processes (default: yes)
|
||||
--[no-]systemctl copy of systemd services states (default: yes)
|
||||
|
||||
Tasks options order matters. They are evaluated from left to right.
|
||||
Examples :
|
||||
* "[…] --none --uname" will do only the uname task
|
||||
* "[…] --all --no-etc" will do everything but the etc task
|
||||
* "[…] --etc --none --mysql" will do only the mysql task
|
||||
END
|
||||
}
|
||||
debug() {
|
||||
|
@ -81,10 +80,10 @@ debug() {
|
|||
fi
|
||||
}
|
||||
|
||||
create_backup_dir() {
|
||||
debug "Create ${backup_dir}"
|
||||
create_dump_dir() {
|
||||
debug "Task: Create ${dump_dir}"
|
||||
|
||||
last_result=$(mkdir -p "${backup_dir}" && chmod -R 755 "${backup_dir}")
|
||||
last_result=$(mkdir -p "${dump_dir}" && chmod -R 755 "${dump_dir}")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -96,13 +95,13 @@ create_backup_dir() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_etc() {
|
||||
debug "Backup /etc"
|
||||
task_etc() {
|
||||
debug "Task: /etc"
|
||||
|
||||
rsync_bin=$(command -v rsync)
|
||||
|
||||
if [ -n "${rsync_bin}" ]; then
|
||||
last_result=$(${rsync_bin} -ah --itemize-changes --exclude=.git /etc "${backup_dir}/")
|
||||
last_result=$(${rsync_bin} -ah --itemize-changes --exclude=.git /etc "${dump_dir}/")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -114,7 +113,7 @@ backup_etc() {
|
|||
fi
|
||||
else
|
||||
debug "* rsync not found"
|
||||
last_result=$(cp -r /etc "${backup_dir}/ && rm -rf ${backup_dir}/etc/.git")
|
||||
last_result=$(cp -r /etc "${dump_dir}/ && rm -rf ${dump_dir}/etc/.git")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
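Review bot: In task_etc the fallback line `last_result=$(cp -r /etc "${dump_dir}/ && rm -rf ${dump_dir}/etc/.git")` closes its double quote after the `rm` command, so cp receives a single literal destination containing ` && rm -rf …` and the `.git` directory is never removed; the rename kept this from the old line. The task_dpkg_full fallback in the hunk at -218 has the matching fault, `cp -r "${dpkg_dir}/*" …` and `rm -rf "${dump_dir}${dpkg_dir}/*-old"`, where the quoted `*` is not expanded. Suggested for this line: `last_result=$(cp -a /etc "${dump_dir}/" && rm -rf "${dump_dir}/etc/.git")`, using `-a` rather than `-r` so the modes of sensitive files under /etc are preserved in the copy, as the rsync branch already does with `-ah`; create_dump_dir runs `chmod -R 755` on the dump directory, so the copied files' own modes are what limits who can read them. task_etc starts outside this hunk.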
@ -127,7 +126,7 @@ backup_etc() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_apt_states() {
|
||||
task_apt_states() {
|
||||
apt_dir="/"
|
||||
apt_dir_state="var/lib/apt"
|
||||
apt_dir_state_extended_states="extended_states"
|
||||
|
@ -142,9 +141,9 @@ backup_apt_states() {
|
|||
extended_states="${apt_dir}/${apt_dir_state}/${apt_dir_state_extended_states}"
|
||||
|
||||
if [ -f "${extended_states}" ]; then
|
||||
debug "Backup APT states"
|
||||
debug "Task: APT states"
|
||||
|
||||
last_result=$(cp -r "${extended_states}" "${backup_dir}/apt-extended-states.txt")
|
||||
last_result=$(cp -r "${extended_states}" "${dump_dir}/apt-extended-states.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -157,13 +156,13 @@ backup_apt_states() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_apt_config() {
|
||||
debug "Backup APT config"
|
||||
task_apt_config() {
|
||||
debug "Task: APT config"
|
||||
|
||||
apt_config_bin=$(command -v apt-config)
|
||||
|
||||
if [ -n "${apt_config_bin}" ]; then
|
||||
last_result=$(${apt_config_bin} dump > "${backup_dir}/apt-config.txt")
|
||||
last_result=$(${apt_config_bin} dump > "${dump_dir}/apt-config.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -178,8 +177,8 @@ backup_apt_config() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_dpkg_full() {
|
||||
debug "Backup DPkg full state"
|
||||
task_dpkg_full() {
|
||||
debug "Task: DPkg full state"
|
||||
|
||||
dir_state_status="/var/lib/dpkg/status"
|
||||
|
||||
|
@ -191,7 +190,7 @@ backup_dpkg_full() {
|
|||
|
||||
dpkg_dir=$(dirname "${dir_state_status}")
|
||||
|
||||
last_result=$(mkdir -p "${backup_dir}${dpkg_dir}" && chmod -R 755 "${backup_dir}${dpkg_dir}")
|
||||
last_result=$(mkdir -p "${dump_dir}${dpkg_dir}" && chmod -R 755 "${dump_dir}${dpkg_dir}")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -205,7 +204,7 @@ backup_dpkg_full() {
|
|||
rsync_bin=$(command -v rsync)
|
||||
|
||||
if [ -n "${rsync_bin}" ]; then
|
||||
last_result=$(${rsync_bin} -ah --itemize-changes --exclude='*-old' "${dpkg_dir}/" "${backup_dir}${dpkg_dir}/")
|
||||
last_result=$(${rsync_bin} -ah --itemize-changes --exclude='*-old' "${dpkg_dir}/" "${dump_dir}${dpkg_dir}/")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -218,7 +217,7 @@ backup_dpkg_full() {
|
|||
else
|
||||
debug "* rsync not found"
|
||||
|
||||
last_result=$(cp -r "${dpkg_dir}/*" "${backup_dir}${dpkg_dir}/" && rm -rf "${backup_dir}${dpkg_dir}/*-old")
|
||||
last_result=$(cp -r "${dpkg_dir}/*" "${dump_dir}${dpkg_dir}/" && rm -rf "${dump_dir}${dpkg_dir}/*-old")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -231,8 +230,8 @@ backup_dpkg_full() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_dpkg_status() {
|
||||
debug "Backup DPkg status"
|
||||
task_dpkg_status() {
|
||||
debug "Task: DPkg status"
|
||||
|
||||
dir_state_status="/var/lib/dpkg/status"
|
||||
|
||||
|
@ -242,7 +241,7 @@ backup_dpkg_status() {
|
|||
eval "$(${apt_config_bin} shell dir_state_status Dir::State::status)"
|
||||
fi
|
||||
|
||||
last_result=$(cp "${dir_state_status}" "${backup_dir}/dpkg-status.txt")
|
||||
last_result=$(cp "${dir_state_status}" "${dump_dir}/dpkg-status.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -254,13 +253,13 @@ backup_dpkg_status() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_packages() {
|
||||
debug "Backup list of installed package"
|
||||
task_packages() {
|
||||
debug "Task: List of installed package"
|
||||
|
||||
dpkg_bin=$(command -v dpkg)
|
||||
|
||||
if [ -n "${dpkg_bin}" ]; then
|
||||
last_result=$(${dpkg_bin} --get-selections "*" > "${backup_dir}/current_packages.txt")
|
||||
last_result=$(${dpkg_bin} --get-selections "*" > "${dump_dir}/current_packages.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -275,10 +274,10 @@ backup_packages() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_uname() {
|
||||
debug "Backup uname"
|
||||
task_uname() {
|
||||
debug "Task: uname"
|
||||
|
||||
last_result=$(uname -a > "${backup_dir}/uname.txt")
|
||||
last_result=$(uname -a > "${dump_dir}/uname.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -290,10 +289,10 @@ backup_uname() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_uptime() {
|
||||
debug "Backup uptime"
|
||||
task_uptime() {
|
||||
debug "Task: uptime"
|
||||
|
||||
last_result=$(uptime > "${backup_dir}/uptime.txt")
|
||||
last_result=$(uptime > "${dump_dir}/uptime.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -305,10 +304,10 @@ backup_uptime() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_processes() {
|
||||
debug "Backup process list"
|
||||
task_processes() {
|
||||
debug "Task: Process list"
|
||||
|
||||
last_result=$(ps fauxw > "${backup_dir}/ps.txt")
|
||||
last_result=$(ps fauxw > "${dump_dir}/ps.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -322,7 +321,7 @@ backup_processes() {
|
|||
pstree_bin=$(command -v pstree)
|
||||
|
||||
if [ -n "${pstree_bin}" ]; then
|
||||
last_result=$(${pstree_bin} -pan > "${backup_dir}/pstree.txt")
|
||||
last_result=$(${pstree_bin} -pan > "${dump_dir}/pstree.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -335,13 +334,13 @@ backup_processes() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_netstat() {
|
||||
debug "Backup network status"
|
||||
task_netstat() {
|
||||
debug "Task: Network status"
|
||||
|
||||
ss_bin=$(command -v ss)
|
||||
|
||||
if [ -n "${ss_bin}" ]; then
|
||||
last_result=$(${ss_bin} -tanpul > "${backup_dir}/netstat-ss.txt")
|
||||
last_result=$(${ss_bin} -tanpul > "${dump_dir}/netstat-ss.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -358,7 +357,7 @@ backup_netstat() {
|
|||
netstat_bin=$(command -v netstat)
|
||||
|
||||
if [ -n "${netstat_bin}" ]; then
|
||||
last_result=$(netstat -laputen > "${backup_dir}/netstat-legacy.txt")
|
||||
last_result=$(netstat -laputen > "${dump_dir}/netstat-legacy.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -373,13 +372,13 @@ backup_netstat() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_netcfg() {
|
||||
debug "Backup network configuration"
|
||||
task_netcfg() {
|
||||
debug "Task: Network configuration"
|
||||
|
||||
ip_bin=$(command -v ip)
|
||||
|
||||
if [ -n "${ip_bin}" ]; then
|
||||
last_result=$(${ip_bin} address show > "${backup_dir}/ip-address.txt")
|
||||
last_result=$(${ip_bin} address show > "${dump_dir}/ip-address.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -390,7 +389,7 @@ backup_netcfg() {
|
|||
rc=10
|
||||
fi
|
||||
|
||||
last_result=$(${ip_bin} route show > "${backup_dir}/ip-route.txt")
|
||||
last_result=$(${ip_bin} route show > "${dump_dir}/ip-route.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -406,7 +405,7 @@ backup_netcfg() {
|
|||
ifconfig_bin=$(command -v ifconfig)
|
||||
|
||||
if [ -n "${ifconfig_bin}" ]; then
|
||||
last_result=$(${ifconfig_bin} > "${backup_dir}/ifconfig.txt")
|
||||
last_result=$(${ifconfig_bin} > "${dump_dir}/ifconfig.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -422,13 +421,25 @@ backup_netcfg() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_iptables() {
|
||||
debug "Backup iptables"
|
||||
task_iptables() {
|
||||
debug "Task: iptables"
|
||||
|
||||
iptables_bin=$(command -v iptables)
|
||||
|
||||
if [ -n "${iptables_bin}" ]; then
|
||||
last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${backup_dir}/iptables.txt")
|
||||
last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${dump_dir}/iptables-v.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* iptables -v OK"
|
||||
else
|
||||
debug "* iptables -v ERROR"
|
||||
debug "${last_result}"
|
||||
# Ignore errors because we don't know if this is nft related or a real error
|
||||
# rc=10
|
||||
fi
|
||||
|
||||
last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } > "${dump_dir}/iptables.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -436,7 +447,8 @@ backup_iptables() {
|
|||
else
|
||||
debug "* iptables ERROR"
|
||||
debug "${last_result}"
|
||||
rc=10
|
||||
# Ignore errors because we don't know if this is nft related or a real error
|
||||
# rc=10
|
||||
fi
|
||||
else
|
||||
debug "* iptables not found"
|
||||
|
@ -445,7 +457,7 @@ backup_iptables() {
|
|||
iptables_save_bin=$(command -v iptables-save)
|
||||
|
||||
if [ -n "${iptables_save_bin}" ]; then
|
||||
last_result=$(${iptables_save_bin} > "${backup_dir}/iptables-save.txt")
|
||||
last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -453,20 +465,36 @@ backup_iptables() {
|
|||
else
|
||||
debug "* iptables-save ERROR"
|
||||
debug "${last_result}"
|
||||
rc=10
|
||||
# Ignore errors because we don't know if this is nft related or a real error
|
||||
# rc=10
|
||||
fi
|
||||
else
|
||||
debug "* iptables-save not found"
|
||||
fi
|
||||
|
||||
nft_bin=$(command -v nft)
|
||||
|
||||
if [ -n "${nft_bin}" ]; then
|
||||
last_result=$(${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* nft ruleset OK"
|
||||
else
|
||||
debug "* nft ruleset ERROR"
|
||||
debug "${last_result}"
|
||||
rc=10
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
backup_sysctl() {
|
||||
debug "Backup sysctl values"
|
||||
task_sysctl() {
|
||||
debug "Task: sysctl values"
|
||||
|
||||
sysctl_bin=$(command -v sysctl)
|
||||
|
||||
if [ -n "${sysctl_bin}" ]; then
|
||||
last_result=$(${sysctl_bin} -a | sort -h > "${backup_dir}/sysctl.txt")
|
||||
last_result=$(${sysctl_bin} -a --ignore 2>/dev/null | sort -h > "${dump_dir}/sysctl.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -481,13 +509,13 @@ backup_sysctl() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_virsh() {
|
||||
debug "Backup virsh list"
|
||||
task_virsh() {
|
||||
debug "Task: virsh list"
|
||||
|
||||
virsh_bin=$(command -v virsh)
|
||||
|
||||
if [ -n "${virsh_bin}" ]; then
|
||||
last_result=$(${virsh_bin} list --all > "${backup_dir}/virsh-list.txt")
|
||||
last_result=$(${virsh_bin} list --all > "${dump_dir}/virsh-list.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -502,13 +530,13 @@ backup_virsh() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_lxc() {
|
||||
debug "Backup lxc list"
|
||||
task_lxc() {
|
||||
debug "Task: lxc list"
|
||||
|
||||
lxc_ls_bin=$(command -v lxc-ls)
|
||||
|
||||
if [ -n "${lxc_ls_bin}" ]; then
|
||||
last_result=$(${lxc_ls_bin} --fancy > "${backup_dir}/lxc-list.txt")
|
||||
last_result=$(${lxc_ls_bin} --fancy > "${dump_dir}/lxc-list.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -523,8 +551,8 @@ backup_lxc() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_disks() {
|
||||
debug "Backup disks"
|
||||
task_disks() {
|
||||
debug "Task: Disks"
|
||||
|
||||
lsblk_bin=$(command -v lsblk)
|
||||
awk_bin=$(command -v awk)
|
||||
|
@ -534,7 +562,7 @@ backup_disks() {
|
|||
for disk in ${disks}; do
|
||||
dd_bin=$(command -v dd)
|
||||
if [ -n "${dd_bin}" ]; then
|
||||
last_result=$(${dd_bin} if="/dev/${disk}" of="${backup_dir}/MBR-${disk}" bs=512 count=1 2>&1)
|
||||
last_result=$(${dd_bin} if="/dev/${disk}" of="${dump_dir}/MBR-${disk}" bs=512 count=1 2>&1)
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -549,7 +577,7 @@ backup_disks() {
|
|||
fi
|
||||
fdisk_bin=$(command -v fdisk)
|
||||
if [ -n "${fdisk_bin}" ]; then
|
||||
last_result=$(${fdisk_bin} -l "/dev/${disk}" > "${backup_dir}/partitions-${disk}" 2>&1)
|
||||
last_result=$(${fdisk_bin} -l "/dev/${disk}" > "${dump_dir}/partitions-${disk}" 2>&1)
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -563,7 +591,7 @@ backup_disks() {
|
|||
debug "* fdisk not found"
|
||||
fi
|
||||
done
|
||||
cat "${backup_dir}"/partitions-* > "${backup_dir}/partitions"
|
||||
cat "${dump_dir}"/partitions-* > "${dump_dir}/partitions"
|
||||
else
|
||||
if [ -n "${lsblk_bin}" ]; then
|
||||
debug "* lsblk not found"
|
||||
|
@ -574,13 +602,13 @@ backup_disks() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_mount() {
|
||||
debug "Backup mount points"
|
||||
task_mount() {
|
||||
debug "Task: Mount points"
|
||||
|
||||
findmnt_bin=$(command -v findmnt)
|
||||
|
||||
if [ -n "${findmnt_bin}" ]; then
|
||||
last_result=$(${findmnt_bin} > "${backup_dir}/mount.txt")
|
||||
last_result=$(${findmnt_bin} > "${dump_dir}/mount.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -596,7 +624,7 @@ backup_mount() {
|
|||
mount_bin=$(command -v mount)
|
||||
|
||||
if [ -n "${mount_bin}" ]; then
|
||||
last_result=$(${mount_bin} > "${backup_dir}/mount.txt")
|
||||
last_result=$(${mount_bin} > "${dump_dir}/mount.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -612,13 +640,13 @@ backup_mount() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_df() {
|
||||
debug "Backup df"
|
||||
task_df() {
|
||||
debug "Task: df"
|
||||
|
||||
df_bin=$(command -v df)
|
||||
|
||||
if [ -n "${df_bin}" ]; then
|
||||
last_result=$(${df_bin} --portability > "${backup_dir}/df.txt")
|
||||
last_result=$(${df_bin} --portability > "${dump_dir}/df.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -633,13 +661,13 @@ backup_df() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_dmesg() {
|
||||
debug "Backup dmesg"
|
||||
task_dmesg() {
|
||||
debug "Task: dmesg"
|
||||
|
||||
dmesg_bin=$(command -v dmesg)
|
||||
|
||||
if [ -n "${dmesg_bin}" ]; then
|
||||
last_result=$(${dmesg_bin} > "${backup_dir}/dmesg.txt")
|
||||
last_result=$(${dmesg_bin} > "${dump_dir}/dmesg.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -654,34 +682,39 @@ backup_dmesg() {
|
|||
fi
|
||||
}
|
||||
|
||||
backup_mysql_processes() {
|
||||
debug "Backup mysql processes"
|
||||
task_mysql_processes() {
|
||||
debug "Task: MySQL processes"
|
||||
|
||||
mysqladmin_bin=$(command -v mysqladmin)
|
||||
|
||||
if [ -n "${mysqladmin_bin}" ]; then
|
||||
last_result=$(${mysqladmin_bin} --verbose processlist > "${backup_dir}/mysql-processlist.txt")
|
||||
last_rc=$?
|
||||
# Look for local MySQL or MariaDB process
|
||||
if pgrep mysqld > /dev/null || pgrep mariadbd > /dev/null; then
|
||||
last_result=$(${mysqladmin_bin} --verbose processlist > "${dump_dir}/mysql-processlist.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* mysqladmin OK"
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* mysqladmin OK"
|
||||
else
|
||||
debug "* mysqladmin ERROR"
|
||||
debug "${last_result}"
|
||||
rc=10
|
||||
fi
|
||||
else
|
||||
debug "* mysqladmin ERROR"
|
||||
debug "${last_result}"
|
||||
rc=10
|
||||
debug "* no mysqld or mariadbd process is running"
|
||||
fi
|
||||
else
|
||||
debug "* mysqladmin not found"
|
||||
fi
|
||||
}
|
||||
|
||||
backup_systemctl() {
|
||||
debug "Backup services"
|
||||
task_systemctl() {
|
||||
debug "Task: Systemd services"
|
||||
|
||||
systemctl_bin=$(command -v systemctl)
|
||||
|
||||
if [ -n "${systemctl_bin}" ]; then
|
||||
last_result=$(${systemctl_bin} --no-legend --state=failed --type=service > "${backup_dir}/systemctl-failed-services.txt")
|
||||
last_result=$(${systemctl_bin} --no-legend --state=failed --type=service > "${dump_dir}/systemctl-failed-services.txt")
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
|
@ -696,88 +729,87 @@ backup_systemctl() {
|
|||
fi
|
||||
}
|
||||
|
||||
|
||||
main() {
|
||||
if [ -z "${backup_dir}" ]; then
|
||||
echo "ERROR: You must provide the --backup-dir argument" >&2
|
||||
if [ -z "${dump_dir}" ]; then
|
||||
echo "ERROR: You must provide the --dump-dir argument" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -d "${backup_dir}" ]; then
|
||||
if [ -d "${dump_dir}" ]; then
|
||||
if [ "${FORCE}" != "1" ]; then
|
||||
echo "ERROR: The backup directory ${backup_dir} already exists. Delete it first." >&2
|
||||
echo "ERROR: The dump directory ${dump_dir} already exists. Delete it first." >&2
|
||||
exit 2
|
||||
fi
|
||||
else
|
||||
create_backup_dir
|
||||
create_dump_dir
|
||||
fi
|
||||
|
||||
if [ "${DO_ETC}" -eq 1 ]; then
|
||||
backup_etc
|
||||
if [ "${TASK_ETC}" -eq 1 ]; then
|
||||
task_etc
|
||||
fi
|
||||
if [ "${DO_DPKG_FULL}" -eq 1 ]; then
|
||||
backup_dpkg_full
|
||||
if [ "${TASK_DPKG_FULL}" -eq 1 ]; then
|
||||
task_dpkg_full
|
||||
fi
|
||||
if [ "${DO_DPKG_STATUS}" -eq 1 ]; then
|
||||
backup_dpkg_status
|
||||
if [ "${TASK_DPKG_STATUS}" -eq 1 ]; then
|
||||
task_dpkg_status
|
||||
fi
|
||||
if [ "${DO_APT_STATES}" -eq 1 ]; then
|
||||
backup_apt_states
|
||||
if [ "${TASK_APT_STATES}" -eq 1 ]; then
|
||||
task_apt_states
|
||||
fi
|
||||
if [ "${DO_APT_CONFIG}" -eq 1 ]; then
|
||||
backup_apt_config
|
||||
if [ "${TASK_APT_CONFIG}" -eq 1 ]; then
|
||||
task_apt_config
|
||||
fi
|
||||
if [ "${DO_PACKAGES}" -eq 1 ]; then
|
||||
backup_packages
|
||||
if [ "${TASK_PACKAGES}" -eq 1 ]; then
|
||||
task_packages
|
||||
fi
|
||||
if [ "${DO_PROCESSES}" -eq 1 ]; then
|
||||
backup_processes
|
||||
if [ "${TASK_PROCESSES}" -eq 1 ]; then
|
||||
task_processes
|
||||
fi
|
||||
if [ "${DO_UPTIME}" -eq 1 ]; then
|
||||
backup_uptime
|
||||
if [ "${TASK_UPTIME}" -eq 1 ]; then
|
||||
task_uptime
|
||||
fi
|
||||
if [ "${DO_UNAME}" -eq 1 ]; then
|
||||
backup_uname
|
||||
if [ "${TASK_UNAME}" -eq 1 ]; then
|
||||
task_uname
|
||||
fi
|
||||
if [ "${DO_NETSTAT}" -eq 1 ]; then
|
||||
backup_netstat
|
||||
if [ "${TASK_NETSTAT}" -eq 1 ]; then
|
||||
task_netstat
|
||||
fi
|
||||
if [ "${DO_NETCFG}" -eq 1 ]; then
|
||||
backup_netcfg
|
||||
if [ "${TASK_NETCFG}" -eq 1 ]; then
|
||||
task_netcfg
|
||||
fi
|
||||
if [ "${DO_IPTABLES}" -eq 1 ]; then
|
||||
backup_iptables
|
||||
if [ "${TASK_IPTABLES}" -eq 1 ]; then
|
||||
task_iptables
|
||||
fi
|
||||
if [ "${DO_SYSCTL}" -eq 1 ]; then
|
||||
backup_sysctl
|
||||
if [ "${TASK_SYSCTL}" -eq 1 ]; then
|
||||
task_sysctl
|
||||
fi
|
||||
if [ "${DO_VIRSH}" -eq 1 ]; then
|
||||
backup_virsh
|
||||
if [ "${TASK_VIRSH}" -eq 1 ]; then
|
||||
task_virsh
|
||||
fi
|
||||
if [ "${DO_LXC}" -eq 1 ]; then
|
||||
backup_lxc
|
||||
if [ "${TASK_LXC}" -eq 1 ]; then
|
||||
task_lxc
|
||||
fi
|
||||
if [ "${DO_DISKS}" -eq 1 ]; then
|
||||
backup_disks
|
||||
if [ "${TASK_DISKS}" -eq 1 ]; then
|
||||
task_disks
|
||||
fi
|
||||
if [ "${DO_MOUNT}" -eq 1 ]; then
|
||||
backup_mount
|
||||
if [ "${TASK_MOUNT}" -eq 1 ]; then
|
||||
task_mount
|
||||
fi
|
||||
if [ "${DO_DF}" -eq 1 ]; then
|
||||
backup_df
|
||||
if [ "${TASK_DF}" -eq 1 ]; then
|
||||
task_df
|
||||
fi
|
||||
if [ "${DO_DMESG}" -eq 1 ]; then
|
||||
backup_dmesg
|
||||
if [ "${TASK_DMESG}" -eq 1 ]; then
|
||||
task_dmesg
|
||||
fi
|
||||
if [ "${DO_MYSQL_PROCESSES}" -eq 1 ]; then
|
||||
backup_mysql_processes
|
||||
if [ "${TASK_MYSQL_PROCESSES}" -eq 1 ]; then
|
||||
task_mysql_processes
|
||||
fi
|
||||
if [ "${DO_SYSTEMCTL}" -eq 1 ]; then
|
||||
backup_systemctl
|
||||
if [ "${TASK_SYSTEMCTL}" -eq 1 ]; then
|
||||
task_systemctl
|
||||
fi
|
||||
|
||||
|
||||
debug "=> Your backup is available at ${backup_dir}"
|
||||
debug "=> Your dump is available at ${dump_dir}"
|
||||
exit ${rc}
|
||||
}
|
||||
|
||||
|
@ -801,171 +833,264 @@ while :; do
|
|||
FORCE=1
|
||||
;;
|
||||
|
||||
-d|--backup-dir)
|
||||
-d|--dump-dir)
|
||||
# with value separated by space
|
||||
if [ -n "$2" ]; then
|
||||
backup_dir=$2
|
||||
dump_dir=$2
|
||||
shift
|
||||
else
|
||||
printf 'ERROR: "-d|--backup-dir" requires a non-empty option argument.\n' >&2
|
||||
printf 'ERROR: "-d|--dump-dir" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
--dump-dir=?*)
|
||||
# with value speparated by =
|
||||
dump_dir=${1#*=}
|
||||
;;
|
||||
--dump-dir=)
|
||||
# without value
|
||||
printf 'ERROR: "--dump-dir" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
;;
|
||||
|
||||
--backup-dir)
|
||||
printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
|
||||
if [ -n "${dump_dir}" ]; then
|
||||
debug "Dump directory is already set, let's ignore this one."
|
||||
else
|
||||
debug "Dump directory is not set already, let's stay backward compatible."
|
||||
# with value separated by space
|
||||
if [ -n "$2" ]; then
|
||||
dump_dir=$2
|
||||
shift
|
||||
else
|
||||
printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
--backup-dir=?*)
|
||||
# with value speparated by =
|
||||
backup_dir=${1#*=}
|
||||
printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
|
||||
if [ -n "${dump_dir}" ]; then
|
||||
debug "Dump directory is already set, let's ignore this one."
|
||||
else
|
||||
debug "Dump directory is not set already, let's stay backward compatible."
|
||||
dump_dir=${1#*=}
|
||||
fi
|
||||
;;
|
||||
--backup-dir=)
|
||||
# without value
|
||||
printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
|
||||
if [ -n "${dump_dir}" ]; then
|
||||
debug "Dump directory is already set, let's ignore this one."
|
||||
else
|
||||
printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
|
||||
--all)
|
||||
for option in \
|
||||
TASK_ETC \
|
||||
TASK_DPKG_FULL \
|
||||
TASK_DPKG_STATUS \
|
||||
TASK_APT_STATES \
|
||||
TASK_APT_CONFIG \
|
||||
TASK_PACKAGES \
|
||||
TASK_PROCESSES \
|
||||
TASK_UNAME \
|
||||
TASK_UPTIME \
|
||||
TASK_NETSTAT \
|
||||
TASK_NETCFG \
|
||||
TASK_IPTABLES \
|
||||
TASK_SYSCTL \
|
||||
TASK_VIRSH \
|
||||
TASK_LXC \
|
||||
TASK_DISKS \
|
||||
TASK_MOUNT \
|
||||
TASK_DF \
|
||||
TASK_DMESG \
|
||||
TASK_MYSQL_PROCESSES \
|
||||
TASK_SYSTEMCTL
|
||||
do
|
||||
eval "${option}=1"
|
||||
done
|
||||
;;
|
||||
|
||||
--none)
|
||||
for option in \
|
||||
TASK_ETC \
|
||||
TASK_DPKG_FULL \
|
||||
TASK_DPKG_STATUS \
|
||||
TASK_APT_STATES \
|
||||
TASK_APT_CONFIG \
|
||||
TASK_PACKAGES \
|
||||
TASK_PROCESSES \
|
||||
TASK_UNAME \
|
||||
TASK_UPTIME \
|
||||
TASK_NETSTAT \
|
||||
TASK_NETCFG \
|
||||
TASK_IPTABLES \
|
||||
TASK_SYSCTL \
|
||||
TASK_VIRSH \
|
||||
TASK_LXC \
|
||||
TASK_DISKS \
|
||||
TASK_MOUNT \
|
||||
TASK_DF \
|
||||
TASK_DMESG \
|
||||
TASK_MYSQL_PROCESSES \
|
||||
TASK_SYSTEMCTL
|
||||
do
|
||||
eval "${option}=0"
|
||||
done
|
||||
;;
|
||||
|
||||
--etc)
|
||||
DO_ETC=1
|
||||
TASK_ETC=1
|
||||
;;
|
||||
--no-etc)
|
||||
DO_ETC=0
|
||||
TASK_ETC=0
|
||||
;;
|
||||
|
||||
--dpkg-full)
|
||||
DO_DPKG_FULL=1
|
||||
TASK_DPKG_FULL=1
|
||||
;;
|
||||
--no-dpkg-full)
|
||||
DO_DPKG_FULL=0
|
||||
TASK_DPKG_FULL=0
|
||||
;;
|
||||
|
||||
--dpkg-status)
|
||||
DO_DPKG_STATUS=1
|
||||
TASK_DPKG_STATUS=1
|
||||
;;
|
||||
--no-dpkg-status)
|
||||
DO_DPKG_STATUS=0
|
||||
TASK_DPKG_STATUS=0
|
||||
;;
|
||||
|
||||
--apt-states)
|
||||
DO_APT_STATES=1
|
||||
TASK_APT_STATES=1
|
||||
;;
|
||||
--no-apt-states)
|
||||
DO_APT_STATES=0
|
||||
TASK_APT_STATES=0
|
||||
;;
|
||||
|
||||
--apt-config)
|
||||
DO_APT_CONFIG=1
|
||||
TASK_APT_CONFIG=1
|
||||
;;
|
||||
--no-apt-config)
|
||||
DO_APT_CONFIG=0
|
||||
TASK_APT_CONFIG=0
|
||||
;;
|
||||
|
||||
--packages)
|
||||
DO_PACKAGES=1
|
||||
TASK_PACKAGES=1
|
||||
;;
|
||||
--no-packages)
|
||||
DO_PACKAGES=0
|
||||
TASK_PACKAGES=0
|
||||
;;
|
||||
|
||||
--processes)
|
||||
DO_PROCESSES=1
|
||||
TASK_PROCESSES=1
|
||||
;;
|
||||
--no-processes)
|
||||
DO_PROCESSES=0
|
||||
TASK_PROCESSES=0
|
||||
;;
|
||||
|
||||
--uptime)
|
||||
DO_UPTIME=1
|
||||
TASK_UPTIME=1
|
||||
;;
|
||||
--no-uptime)
|
||||
DO_UPTIME=0
|
||||
TASK_UPTIME=0
|
||||
;;
|
||||
|
||||
--uname)
|
||||
DO_UNAME=1
|
||||
TASK_UNAME=1
|
||||
;;
|
||||
--no-uname)
|
||||
DO_UNAME=0
|
||||
TASK_UNAME=0
|
||||
;;
|
||||
|
||||
--netstat)
|
||||
DO_NETSTAT=1
|
||||
TASK_NETSTAT=1
|
||||
;;
|
||||
--no-netstat)
|
||||
DO_NETSTAT=0
|
||||
TASK_NETSTAT=0
|
||||
;;
|
||||
|
||||
--netcfg)
|
||||
DO_NETCFG=1
|
||||
TASK_NETCFG=1
|
||||
;;
|
||||
--no-netcfg)
|
||||
DO_NETCFG=0
|
||||
TASK_NETCFG=0
|
||||
;;
|
||||
|
||||
--iptables)
|
||||
DO_IPTABLES=1
|
||||
TASK_IPTABLES=1
|
||||
;;
|
||||
--no-iptables)
|
||||
DO_IPTABLES=0
|
||||
TASK_IPTABLES=0
|
||||
;;
|
||||
|
||||
--sysctl)
|
||||
DO_SYSCTL=1
|
||||
TASK_SYSCTL=1
|
||||
;;
|
||||
--no-sysctl)
|
||||
DO_SYSCTL=0
|
||||
TASK_SYSCTL=0
|
||||
;;
|
||||
|
||||
--virsh)
|
||||
DO_VIRSH=1
|
||||
TASK_VIRSH=1
|
||||
;;
|
||||
--no-virsh)
|
||||
DO_VIRSH=0
|
||||
TASK_VIRSH=0
|
||||
;;
|
||||
|
||||
--lxc)
|
||||
DO_LXC=1
|
||||
TASK_LXC=1
|
||||
;;
|
||||
--no-lxc)
|
||||
DO_LXC=0
|
||||
TASK_LXC=0
|
||||
;;
|
||||
|
||||
--disks)
|
||||
DO_DISKS=1
|
||||
TASK_DISKS=1
|
||||
;;
|
||||
--no-disks)
|
||||
DO_DISKS=0
|
||||
TASK_DISKS=0
|
||||
;;
|
||||
|
||||
--mount)
|
||||
DO_MOUNT=1
|
||||
TASK_MOUNT=1
|
||||
;;
|
||||
--no-mount)
|
||||
DO_MOUNT=0
|
||||
TASK_MOUNT=0
|
||||
;;
|
||||
|
||||
--df)
|
||||
DO_DF=1
|
||||
TASK_DF=1
|
||||
;;
|
||||
--no-df)
|
||||
DO_DF=0
|
||||
TASK_DF=0
|
||||
;;
|
||||
|
||||
--dmesg)
|
||||
DO_DMESG=1
|
||||
TASK_DMESG=1
|
||||
;;
|
||||
--no-dmesg)
|
||||
DO_DMESG=0
|
||||
TASK_DMESG=0
|
||||
;;
|
||||
|
||||
--mysql-processes)
|
||||
DO_MYSQL_PROCESSES=1
|
||||
TASK_MYSQL_PROCESSES=1
|
||||
;;
|
||||
--no-mysql-processes)
|
||||
DO_MYSQL_PROCESSES=0
|
||||
TASK_MYSQL_PROCESSES=0
|
||||
;;
|
||||
|
||||
--systemctl)
|
||||
DO_SYSTEMCTL=1
|
||||
TASK_SYSTEMCTL=1
|
||||
;;
|
||||
--no-systemctl)
|
||||
DO_SYSTEMCTL=0
|
||||
TASK_SYSTEMCTL=0
|
||||
;;
|
||||
|
||||
--)
|
||||
|
@ -990,27 +1115,27 @@ done
|
|||
# Default values
|
||||
: "${VERBOSE:=0}"
|
||||
: "${FORCE:=0}"
|
||||
: "${DO_ETC:=0}"
|
||||
: "${DO_DPKG_FULL:=0}"
|
||||
: "${DO_DPKG_STATUS:=1}"
|
||||
: "${DO_APT_STATES:=1}"
|
||||
: "${DO_APT_CONFIG:=1}"
|
||||
: "${DO_PACKAGES:=1}"
|
||||
: "${DO_PROCESSES:=1}"
|
||||
: "${DO_UNAME:=1}"
|
||||
: "${DO_UPTIME:=1}"
|
||||
: "${DO_NETSTAT:=1}"
|
||||
: "${DO_NETCFG:=1}"
|
||||
: "${DO_IPTABLES:=1}"
|
||||
: "${DO_SYSCTL:=1}"
|
||||
: "${DO_VIRSH:=1}"
|
||||
: "${DO_LXC:=1}"
|
||||
: "${DO_DISKS:=1}"
|
||||
: "${DO_MOUNT:=1}"
|
||||
: "${DO_DF:=1}"
|
||||
: "${DO_DMESG:=1}"
|
||||
: "${DO_MYSQL_PROCESSES:=1}"
|
||||
: "${DO_SYSTEMCTL:=1}"
|
||||
: "${TASK_ETC:=0}"
|
||||
: "${TASK_DPKG_FULL:=0}"
|
||||
: "${TASK_DPKG_STATUS:=1}"
|
||||
: "${TASK_APT_STATES:=1}"
|
||||
: "${TASK_APT_CONFIG:=1}"
|
||||
: "${TASK_PACKAGES:=1}"
|
||||
: "${TASK_PROCESSES:=1}"
|
||||
: "${TASK_UNAME:=1}"
|
||||
: "${TASK_UPTIME:=1}"
|
||||
: "${TASK_NETSTAT:=1}"
|
||||
: "${TASK_NETCFG:=1}"
|
||||
: "${TASK_IPTABLES:=1}"
|
||||
: "${TASK_SYSCTL:=1}"
|
||||
: "${TASK_VIRSH:=1}"
|
||||
: "${TASK_LXC:=1}"
|
||||
: "${TASK_DISKS:=1}"
|
||||
: "${TASK_MOUNT:=1}"
|
||||
: "${TASK_DF:=1}"
|
||||
: "${TASK_DMESG:=1}"
|
||||
: "${TASK_MYSQL_PROCESSES:=1}"
|
||||
: "${TASK_SYSTEMCTL:=1}"
|
||||
|
||||
export LC_ALL=C
|
||||
|
|
@ -1,15 +1,15 @@
|
|||
top's Config File (Linux processes with windows)
|
||||
Id:j, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0
|
||||
Def fieldscur=ķ&')*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||
winflags=193844, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||
summclr=1, msgsclr=1, headclr=3, taskclr=1
|
||||
Job fieldscur=(Ļ@<)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||
winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||
summclr=6, msgsclr=6, headclr=7, taskclr=6
|
||||
Mem fieldscur=<MBND34&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||
winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||
summclr=5, msgsclr=5, headclr=4, taskclr=5
|
||||
Usr fieldscur=)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||
winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||
summclr=3, msgsclr=3, headclr=2, taskclr=3
|
||||
Def fieldscur=¥¨³´»½À¼Ä·º¹Å&')*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||
winflags=177460, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||
summclr=1, msgsclr=1, headclr=3, taskclr=1
|
||||
Job fieldscur=¥¦¹·º(³´Ä»½@<§Å)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||
winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||
summclr=6, msgsclr=6, headclr=7, taskclr=6
|
||||
Mem fieldscur=¥º»<½¾¿ÀÁMBNÃD34·Å&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||
winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||
summclr=5, msgsclr=5, headclr=4, taskclr=5
|
||||
Usr fieldscur=¥¦§¨ª°¹·ºÄÅ)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
|
||||
winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
|
||||
summclr=3, msgsclr=3, headclr=2, taskclr=3
|
||||
Fixed_widest=0, Summ_mscale=1, Task_mscale=0, Zero_suppress=0
|
||||
|
|
|
@ -32,11 +32,14 @@
|
|||
|
||||
|
||||
## Dedicated hardware
|
||||
- name: Install freepmi when it's dedicated hardware
|
||||
- name: Install some additionnals tools when it dedicated hardware
|
||||
apt:
|
||||
name:
|
||||
- libipc-run-perl
|
||||
- freeipmi
|
||||
- ipmitool
|
||||
- firmware-linux-nonfree
|
||||
- intel-microcode
|
||||
state: present
|
||||
tags:
|
||||
- packages
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
|
||||
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
|
||||
apt_upgrade: "{{ evolinux_apt_upgrade }}"
|
||||
apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}"
|
||||
when: evolinux_apt_include | bool
|
||||
|
||||
- name: /etc versioning with Git
|
||||
|
@ -22,27 +23,27 @@
|
|||
when: evolinux_etcgit_include | bool
|
||||
|
||||
- name: /etc/evolinux base
|
||||
include: etc-evolinux.yml
|
||||
import_tasks: etc-evolinux.yml
|
||||
when: evolinux_etcevolinux_include | bool
|
||||
|
||||
- name: Hostname
|
||||
include: hostname.yml
|
||||
import_tasks: hostname.yml
|
||||
when: evolinux_hostname_include | bool
|
||||
|
||||
- name: Kernel tuning
|
||||
include: kernel.yml
|
||||
import_tasks: kernel.yml
|
||||
when: evolinux_kernel_include | bool
|
||||
|
||||
- name: Fstab configuration
|
||||
include: fstab.yml
|
||||
import_tasks: fstab.yml
|
||||
when: evolinux_fstab_include | bool
|
||||
|
||||
- name: Packages
|
||||
include: packages.yml
|
||||
import_tasks: packages.yml
|
||||
when: evolinux_packages_include | bool
|
||||
|
||||
- name: System settings
|
||||
include: system.yml
|
||||
import_tasks: system.yml
|
||||
when: evolinux_system_include | bool
|
||||
|
||||
- name: Minifirewall
|
||||
|
@ -56,7 +57,7 @@
|
|||
when: evolinux_evomaintenance_include | bool
|
||||
|
||||
- name: SSH configuration
|
||||
include: ssh.yml
|
||||
import_tasks: ssh.yml
|
||||
when: evolinux_ssh_include | bool
|
||||
|
||||
### disabled because of a memory leak
|
||||
|
@ -66,41 +67,41 @@
|
|||
# when: evolinux_users_include
|
||||
|
||||
- name: Root user configuration
|
||||
include: root.yml
|
||||
import_tasks: root.yml
|
||||
when: evolinux_root_include | bool
|
||||
|
||||
- name: Postfix
|
||||
include: postfix.yml
|
||||
import_tasks: postfix.yml
|
||||
when: evolinux_postfix_include | bool
|
||||
|
||||
- name: Logs management
|
||||
include: logs.yml
|
||||
import_tasks: logs.yml
|
||||
when: evolinux_logs_include | bool
|
||||
|
||||
- name: Default index page
|
||||
include: default_www.yml
|
||||
import_tasks: default_www.yml
|
||||
when: evolinux_default_www_include | bool
|
||||
|
||||
- name: Hardware drivers and tools
|
||||
include: hardware.yml
|
||||
import_tasks: hardware.yml
|
||||
when: evolinux_hardware_include | bool
|
||||
|
||||
- name: Customize for Online.net
|
||||
include: provider_online.yml
|
||||
import_tasks: provider_online.yml
|
||||
when: evolinux_provider_online_include | bool
|
||||
|
||||
- name: Customize for Orange FCE
|
||||
include: provider_orange_fce.yml
|
||||
import_tasks: provider_orange_fce.yml
|
||||
when: evolinux_provider_orange_fce_include | bool
|
||||
|
||||
- name: Override Log2mail service
|
||||
include: log2mail.yml
|
||||
import_tasks: log2mail.yml
|
||||
when: evolinux_log2mail_include | bool
|
||||
|
||||
- include: motd.yml
|
||||
- import_tasks: motd.yml
|
||||
when: evolinux_motd_include | bool
|
||||
|
||||
- include: utils.yml
|
||||
- import_tasks: utils.yml
|
||||
|
||||
- name: Munin
|
||||
include_role:
|
||||
|
@ -132,6 +133,6 @@
|
|||
name: evolix/generate-ldif
|
||||
when: evolinux_generateldif_include | bool
|
||||
|
||||
- include: top.yml
|
||||
- import_tasks: top.yml
|
||||
|
||||
- include: htop.yml
|
||||
- import_tasks: htop.yml
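Review bot: The new `apt_basics_components` line in the first hunk enables `contrib` and `non-free` for every host where `ansible_virtualization_role == 'host'`, which widens the set of packages installable on those machines well beyond the firmware and microcode the change is after, and nothing records why; a comment above it such as `# contrib/non-free are required for firmware-linux-nonfree and intel-microcode installed by hardware.yml on dedicated hardware` would make the decision reviewable. If I recall the fact semantics correctly, `virtualization_role` is reported as `NA` rather than `host` on bare metal that has no hypervisor modules loaded, so the condition may be a proxy for "this is a KVM host" rather than "this is dedicated hardware" and would leave such machines without the non-free component that hardware.yml needs. The remaining hunks in this section only switch `include:` to `import_tasks:` and keep their `when:` guards, which is fine for static imports.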
|
||||
|
|
|
@ -2,6 +2,6 @@
|
|||
- name: Deploy top configuration file
|
||||
copy:
|
||||
# The config format is unredable; ATM it only add the SWAP column
|
||||
src: htoprc
|
||||
src: topdefaultrc
|
||||
dest: /etc/topdefaultrc
|
||||
mode: "0644"
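Review bot: The comment kept above the corrected `src:` line has two typos and should read `# The config format is unreadable; ATM it only adds the SWAP column`. Since the file it describes is now `topdefaultrc` rather than `htoprc`, the comment is the only place a reader learns what the opaque configuration changes, so it is worth keeping accurate.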
|
||||
|
|
|
@ -3,15 +3,22 @@
|
|||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: backup-server-state script is present
|
||||
- name: dump-server-state script is present
|
||||
copy:
|
||||
src: "backup-server-state.sh"
|
||||
dest: /usr/local/sbin/backup-server-state
|
||||
src: "dump-server-state.sh"
|
||||
dest: /usr/local/sbin/dump-server-state
|
||||
force: True
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
- name: symlink backup-server-state to dump-server-state
|
||||
file:
|
||||
src: /usr/local/sbin/dump-server-state
|
||||
dest: /usr/local/sbin/backup-server-state
|
||||
state: link
|
||||
force: yes
|
||||
|
||||
- name: "/sbin/deny script is present"
|
||||
copy:
|
||||
src: deny.sh
|
||||
|
@ -19,4 +26,4 @@
|
|||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
force: no
|
||||
force: no
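Review bot: The booleans in this file are spelled three different ways within a few lines: `force: True` on the copy task, `force: yes` on the new symlink task and `force: no` in the second hunk; the canonical YAML 1.2 forms are `force: true` and `force: false`, and yamllint's truthy rule flags the other spellings. The symlink task relies on `force: yes` to replace the regular file that earlier versions of this role installed at `/usr/local/sbin/backup-server-state`, which is the intended effect of the rename but is not obvious from the task name; a comment such as `# force: replaces the regular file installed by earlier versions of this role` would explain it. The second hunk appears to change only whitespace or the trailing newline.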
|
||||
|
|
|
@ -12,15 +12,15 @@
|
|||
when: evolinux_users | length == 0
|
||||
|
||||
- name: Create user accounts
|
||||
include: user.yml
|
||||
include_tasks: user.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
loop: "{{ evolinux_users | dict2items }}"
|
||||
when: evolinux_users | length > 0
|
||||
|
||||
- name: Configure sudo
|
||||
include: sudo.yml
|
||||
import_tasks: sudo.yml
|
||||
|
||||
- name: Configure SSH
|
||||
include: ssh.yml
|
||||
import_tasks: ssh.yml
|
||||
when: evolinux_users | length > 0
|
||||
|
|
|
@ -40,12 +40,12 @@
|
|||
var: ssh_allowusers
|
||||
verbosity: 1
|
||||
|
||||
- include: ssh_allowgroups.yml
|
||||
- import_tasks: ssh_allowgroups.yml
|
||||
when:
|
||||
- ssh_allowgroups
|
||||
- not ssh_allowusers
|
||||
|
||||
- include: ssh_allowusers.yml
|
||||
- include_tasks: ssh_allowusers.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
loop: "{{ evolinux_users | dict2items }}"
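Review bot: The `when:` list guarding the new `import_tasks: ssh_allowgroups.yml` tests the bare values `ssh_allowgroups` and `not ssh_allowusers`, whereas the rest of this change set coerces such switches with `| bool`; a value supplied as the string `"false"` from the inventory or `-e` is non-empty and therefore truthy, so the AllowGroups tasks could run, or be skipped, against the operator's intent. Since these tasks shape sshd's AllowUsers/AllowGroups access control, I would write `- ssh_allowgroups | bool` and `- not (ssh_allowusers | bool)`. The `include_tasks: ssh_allowusers.yml` loop shows no `when:` inside the hunk; if its guard sits outside the hunk it presumably deserves the same treatment.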
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
|
||||
- include: sudo_jessie.yml
|
||||
- include_tasks: sudo_jessie.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
loop: "{{ evolinux_users | dict2items }}"
|
||||
|
@ -10,9 +10,9 @@
|
|||
|
||||
|
||||
- block:
|
||||
- include: sudo_stretch_common.yml
|
||||
- import_tasks: sudo_stretch_common.yml
|
||||
|
||||
- include: sudo_stretch_user.yml
|
||||
- include_tasks: sudo_stretch_user.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
loop: "{{ evolinux_users | dict2items }}"
|
||||
|
|
|
@ -12,4 +12,4 @@
|
|||
name: evomaintenance
|
||||
allow_unauthenticated: yes
|
||||
tags:
|
||||
- evomaintenance
|
||||
- evomaintenance
|
||||
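Review bot: `allow_unauthenticated: yes` on the evomaintenance package task (presumably an `apt:` task whose header starts above this hunk) tells apt to install even when the repository signature cannot be verified, so a tampered mirror or an intercepted HTTP download would be accepted as the real package. The hunk only re-indents the tags, but since it touches this task it is the right moment to provision the repository's signing key and drop the flag, or, if the repository really is unsigned, to keep the flag lowercase (`allow_unauthenticated: true`) with a comment stating why signature verification is disabled so it is a documented exception rather than a default.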
|
|
|
@ -46,4 +46,4 @@
|
|||
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
|
||||
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
|
||||
tags:
|
||||
- evomaintenance
|
||||
- evomaintenance
|
||||
|
|
31
evomaintenance/tasks/install_vendor_other.yml
Normal file
31
evomaintenance/tasks/install_vendor_other.yml
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
tags:
|
||||
- evomaintenance
|
||||
|
||||
- name: /usr/share/scripts exists
|
||||
file:
|
||||
dest: /usr/share/scripts
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
tags:
|
||||
- evomaintenance
|
||||
|
||||
- name: Evomaintenance script and template are installed
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "{{ item.mode }}"
|
||||
force: yes
|
||||
backup: yes
|
||||
loop:
|
||||
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
|
||||
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
|
||||
tags:
|
||||
- evomaintenance
|
|
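Review bot: The `tags:` on the `include_role` at the top of this new file only tags the include statement itself; with a dynamic include the tasks inside `evolix/remount-usr` do not inherit `evomaintenance`, so a run limited with `--tags evomaintenance` executes the include but skips every remount task it pulls in. Either use `import_role` (imported tasks inherit the tag) or keep the dynamic include and add `apply:` with `tags: [evomaintenance]` under it. Elsewhere in the file `force: yes` and `backup: yes` should be written `true` to match yamllint's truthy rule and the quoted `mode` values, which are already in the safe form.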
@ -1,18 +1,24 @@
|
|||
---
|
||||
|
||||
- include: install_package_debian.yml
|
||||
- import_tasks: install_package_debian.yml
|
||||
when:
|
||||
- not (evomaintenance_install_vendor | bool)
|
||||
- ansible_distribution == "Debian"
|
||||
|
||||
- include: install_vendor_debian.yml
|
||||
- import_tasks: install_vendor_debian.yml
|
||||
when:
|
||||
- evomaintenance_install_vendor | bool
|
||||
- ansible_distribution == "Debian"
|
||||
|
||||
- include: config.yml
|
||||
- import_tasks: install_vendor_other.yml
|
||||
when:
|
||||
- evomaintenance_install_vendor | bool
|
||||
- ansible_distribution != "Debian"
|
||||
|
||||
- include: minifirewall.yml
|
||||
|
||||
- import_tasks: config.yml
|
||||
|
||||
- import_tasks: minifirewall.yml
|
||||
when:
|
||||
- evomaintenance_hook_db | bool
|
||||
- ansible_distribution == "Debian"
|
||||
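Review bot: With the three install imports as written, a non-Debian host running with `evomaintenance_install_vendor: false` matches none of them — the package import and the vendor-Debian import both require `ansible_distribution == "Debian"`, and the new `install_vendor_other.yml` import requires the vendor flag — yet `config.yml` is imported unconditionally right after, so the role would configure a program it never installed (unless something outside this hunk covers that case). Consider an `assert` or `fail` task for that combination at the top of the file, or at least a comment in defaults stating that non-Debian hosts must set `evomaintenance_install_vendor: true`.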
|
|
|
@ -3,8 +3,11 @@
|
|||
service:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: restart munin-node
|
||||
service:
|
||||
name: munin-node
|
||||
state: restarted
|
||||
tags: fail2ban
|
||||
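Review bot: The two handlers in this hunk now tag the same thing in two styles — the restart fail2ban handler gets a list (`tags:` / `- fail2ban`) while the restart munin-node handler keeps the scalar `tags: fail2ban`. Both are accepted by Ansible, but mixing them in a file this short reads as an oversight; use the list form on munin-node too (or the scalar on both) so the handlers stay uniform.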
|
|
|
@ -31,7 +31,7 @@
|
|||
- fail2ban
|
||||
|
||||
- name: Include ignoredips update task
|
||||
include: ip_whitelist.yml
|
||||
import_tasks: ip_whitelist.yml
|
||||
when: fail2ban_force_update_ignore_ips | bool
|
||||
tags:
|
||||
- fail2ban
|
||||
|
|
|
@ -608,11 +608,11 @@ if is_pkg_installed lxc; then
|
|||
if lxc-ls | grep -q php56 ; then
|
||||
cat <<EOT >> "${ldif_file}"
|
||||
|
||||
dn: ServiceName=ServiceName=php-fpm56,${computer_dn}
|
||||
dn: ServiceName=php-fpm56,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
ipServiceProtocol: tcp
|
||||
objectClass: EvoService
|
||||
ServiceName: PHP-FPM (multiphp)
|
||||
ServiceName: php-fpm56
|
||||
ipServicePort: 443
|
||||
ServiceType: web
|
||||
ServiceVersion: PHP-FPM 5.6 (multiphp)
|
||||
|
@ -622,11 +622,11 @@ fi
|
|||
if lxc-ls | grep -q php70 ; then
|
||||
cat <<EOT >> "${ldif_file}"
|
||||
|
||||
dn: ServiceName=ServiceName=php-fpm70,${computer_dn}
|
||||
dn: ServiceName=php-fpm70,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
ipServiceProtocol: tcp
|
||||
objectClass: EvoService
|
||||
ServiceName: PHP-FPM (multiphp)
|
||||
ServiceName: php-fpm70
|
||||
ipServicePort: 443
|
||||
ServiceType: web
|
||||
ServiceVersion: PHP-FPM 7.0 (multiphp)
|
||||
|
@ -636,11 +636,11 @@ fi
|
|||
if lxc-ls | grep -q php73 ; then
|
||||
cat <<EOT >> "${ldif_file}"
|
||||
|
||||
dn: ServiceName=ServiceName=php-fpm73,${computer_dn}
|
||||
dn: ServiceName=php-fpm73,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
ipServiceProtocol: tcp
|
||||
objectClass: EvoService
|
||||
ServiceName: PHP-FPM (multiphp)
|
||||
ServiceName: php-fpm73
|
||||
ipServicePort: 443
|
||||
ServiceType: web
|
||||
ServiceVersion: PHP-FPM 7.3 (multiphp)
|
||||
|
@ -650,11 +650,11 @@ fi
|
|||
if lxc-ls | grep -q php74 ; then
|
||||
cat <<EOT >> "${ldif_file}"
|
||||
|
||||
dn: ServiceName=ServiceName=php-fpm74,${computer_dn}
|
||||
dn: ServiceName=php-fpm74,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
ipServiceProtocol: tcp
|
||||
objectClass: EvoService
|
||||
ServiceName: PHP-FPM (multiphp)
|
||||
ServiceName: php-fpm74
|
||||
ipServicePort: 443
|
||||
ServiceType: web
|
||||
ServiceVersion: PHP-FPM 7.4 (multiphp)
|
||||
|
@ -664,11 +664,11 @@ fi
|
|||
if lxc-ls | grep -q php80 ; then
|
||||
cat <<EOT >> "${ldif_file}"
|
||||
|
||||
dn: ServiceName=ServiceName=php-fpm80,${computer_dn}
|
||||
dn: ServiceName=php-fpm80,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
ipServiceProtocol: tcp
|
||||
objectClass: EvoService
|
||||
ServiceName: PHP-FPM (multiphp)
|
||||
ServiceName: php-fpm80
|
||||
ipServicePort: 443
|
||||
ServiceType: web
|
||||
ServiceVersion: PHP-FPM 8.0 (multiphp)
|
||||
|
@ -678,11 +678,11 @@ fi
|
|||
if lxc-ls | grep -q php81 ; then
|
||||
cat <<EOT >> "${ldif_file}"
|
||||
|
||||
dn: ServiceName=ServiceName=php-fpm81,${computer_dn}
|
||||
dn: ServiceName=php-fpm81,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
ipServiceProtocol: tcp
|
||||
objectClass: EvoService
|
||||
ServiceName: PHP-FPM (multiphp)
|
||||
ServiceName: php-fpm81
|
||||
ipServicePort: 443
|
||||
ServiceType: web
|
||||
ServiceVersion: PHP-FPM 8.1 (multiphp)
|
||||
|
@ -709,6 +709,37 @@ EOT
|
|||
fi
|
||||
|
||||
|
||||
# bkctld
|
||||
if is_pkg_installed bkctld; then
|
||||
bkctld_version=$(get_pkg_version bkctld)
|
||||
fi
|
||||
if [ -n "${bkctld_version}" ]; then
|
||||
cat <<EOT >> "${ldif_file}"
|
||||
|
||||
dn: ServiceName=bkctld_jails,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
objectClass: EvoService
|
||||
ServiceName: bkctld_jails
|
||||
ServiceType: backup
|
||||
ServiceVersion: bkctld ${bkctld_version}
|
||||
|
||||
dn: ServiceName=bkctld_setup,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
objectClass: EvoService
|
||||
ServiceName: bkctld_setup
|
||||
ServiceType: backup
|
||||
ServiceVersion: bkctld ${bkctld_version}
|
||||
|
||||
dn: ServiceName=disk-worktime,${computer_dn}
|
||||
NagiosEnabled: TRUE
|
||||
objectClass: EvoService
|
||||
ServiceName: disk-worktime
|
||||
ServiceType: disk
|
||||
ServiceVersion: Undefined
|
||||
EOT
|
||||
fi
|
||||
|
||||
|
||||
# test if we have a stdout
|
||||
if [ -t 1 ]; then
|
||||
echo "Output is in ${ldif_file}"
|
||||
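Review bot: In the new bkctld block, `bkctld_version` is assigned only inside `if is_pkg_installed bkctld`, but `[ -n "${bkctld_version}" ]` reads it unconditionally; if this script runs under `set -u` (not visible in the hunk) that is an unbound-variable error on every host without bkctld, and even without it an explicit `bkctld_version=""` before the first `if` makes the intent clear. The same block also emits the `disk-worktime` service entry, which by name has nothing to do with bkctld; if every bkctld host is meant to get that check, say so in a comment above the `dn: ServiceName=disk-worktime` line, otherwise move it under its own condition.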
|
|
|
@ -83,7 +83,7 @@
|
|||
- config
|
||||
- update-config
|
||||
|
||||
- include: packages_backports.yml
|
||||
- import_tasks: packages_backports.yml
|
||||
when: haproxy_backports | bool
|
||||
|
||||
- name: Install HAProxy package
|
||||
|
@ -134,4 +134,4 @@
|
|||
- haproxy
|
||||
- logrotate
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# msg: "This role support only java 8 for now !"
|
||||
# when: java_version != 8
|
||||
|
||||
- include: openjdk.yml
|
||||
- import_tasks: openjdk.yml
|
||||
when: java_alternative == 'openjdk'
|
||||
|
||||
- include: oracle.yml
|
||||
- import_tasks: oracle.yml
|
||||
when: java_alternative == 'oracle'
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
force: yes
|
||||
tags:
|
||||
tags:
|
||||
- keepalived
|
||||
- nrpe
|
||||
|
||||
|
|
|
@ -136,7 +136,7 @@
|
|||
# - optimize
|
||||
# - data
|
||||
|
||||
- include: proxy_nginx.yml
|
||||
- import_tasks: proxy_nginx.yml
|
||||
when: kibana_proxy_nginx | bool
|
||||
tags:
|
||||
- kibana
|
||||
|
|
|
@ -5,12 +5,12 @@
|
|||
when: kvm_install_drbd
|
||||
|
||||
## TODO: check why it's disabled
|
||||
- include: ssh.yml
|
||||
- import_tasks: ssh.yml
|
||||
|
||||
- include: packages.yml
|
||||
- import_tasks: packages.yml
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
|
||||
- include: images.yml
|
||||
- import_tasks: images.yml
|
||||
|
||||
- include: tools.yml
|
||||
- import_tasks: tools.yml
|
||||
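Review bot: The `## TODO: check why it's disabled` comment sits directly above `- import_tasks: ssh.yml`, which is active on the new side, so the comment no longer describes what follows — either it refers to something removed earlier or it is stale. Resolve it or reword it to name what is actually in question, for example `## TODO: ssh.yml is imported unconditionally; confirm whether it should be gated like the drbd task above`, since a TODO that contradicts the code tends to be ignored.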
|
|
|
@ -33,7 +33,7 @@
|
|||
state: present
|
||||
special_time: "hourly"
|
||||
user: root
|
||||
job: "rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/"
|
||||
job: "if ls /etc/libvirt/qemu/*xml > /dev/null 2> /dev/null; then rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/; fi"
|
||||
when:
|
||||
- kvm_pair is defined
|
||||
- kvm_pair is not none
|
||||
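Review bot: The new guard `if ls /etc/libvirt/qemu/*xml > /dev/null 2> /dev/null; then ...; fi` is correct but `>/dev/null 2>&1` is the conventional form and opens /dev/null once. Since the job runs `rsync --delete` against the pair host, this guard is what stops an empty `/etc/libvirt/qemu` from wiping the remote mirror, which is worth recording above the `job:` line: `# Skip the sync when no domain XML exists, so --delete never empties the remote copy`. The task's module header (presumably `cron:`) starts above the hunk.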
|
|
|
@ -64,4 +64,4 @@
|
|||
file:
|
||||
path: /usr/share/scripts/kvmstats
|
||||
state: absent
|
||||
when: "'/usr/share/scripts' not in kvm_scripts_dir"
|
||||
when: "'/usr/share/scripts' not in kvm_scripts_dir"
|
||||
|
|
|
@ -16,11 +16,11 @@
|
|||
notify: restart slapd
|
||||
|
||||
- name: ldapvirc file
|
||||
include: ldapvirc.yml
|
||||
import_tasks: ldapvirc.yml
|
||||
|
||||
- name: nagios config file for LDAP
|
||||
include: nagios.yml
|
||||
import_tasks: nagios.yml
|
||||
|
||||
- name: initialize database
|
||||
include: init.yml
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
import_tasks: init.yml
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
|
|
@ -105,6 +105,6 @@
|
|||
var: logstash_template
|
||||
verbosity: 1
|
||||
|
||||
- include: logs.yml
|
||||
- import_tasks: logs.yml
|
||||
|
||||
- include: tmpdir.yml
|
||||
- import_tasks: tmpdir.yml
|
||||
|
|
|
@ -9,22 +9,22 @@
|
|||
name: "{{ lxc_php_version }}"
|
||||
container_command: "apt-get update"
|
||||
|
||||
- include: "php56.yml"
|
||||
- import_tasks: "php56.yml"
|
||||
when: lxc_php_version == "php56"
|
||||
|
||||
- include: "php70.yml"
|
||||
- import_tasks: "php70.yml"
|
||||
when: lxc_php_version == "php70"
|
||||
|
||||
- include: "php73.yml"
|
||||
- import_tasks: "php73.yml"
|
||||
when: lxc_php_version == "php73"
|
||||
|
||||
- include: "php74.yml"
|
||||
- import_tasks: "php74.yml"
|
||||
when: lxc_php_version == "php74"
|
||||
|
||||
- include: "php80.yml"
|
||||
- import_tasks: "php80.yml"
|
||||
when: lxc_php_version == "php80"
|
||||
|
||||
- include: "php81.yml"
|
||||
- import_tasks: "php81.yml"
|
||||
when: lxc_php_version == "php81"
|
||||
|
||||
- include: "misc.yml"
|
||||
- import_tasks: "misc.yml"
|
||||
|
|
|
@ -17,4 +17,4 @@
|
|||
loop_control:
|
||||
loop_var: line_item
|
||||
|
||||
- include: "mail_ssmtp.yml"
|
||||
- import_tasks: "mail_ssmtp.yml"
|
||||
|
|
|
@ -17,4 +17,4 @@
|
|||
loop_control:
|
||||
loop_var: line_item
|
||||
|
||||
- include: "mail_opensmtpd.yml"
|
||||
- import_tasks: "mail_opensmtpd.yml"
|
||||
|
|
|
@ -17,4 +17,4 @@
|
|||
loop_control:
|
||||
loop_var: line_item
|
||||
|
||||
- include: "mail_opensmtpd.yml"
|
||||
- import_tasks: "mail_opensmtpd.yml"
|
||||
|
|
|
@ -23,4 +23,4 @@
|
|||
loop_control:
|
||||
loop_var: line_item
|
||||
|
||||
- include: "mail_opensmtpd.yml"
|
||||
- import_tasks: "mail_opensmtpd.yml"
|
||||
|
|
|
@ -60,4 +60,4 @@
|
|||
loop_control:
|
||||
loop_var: line_item
|
||||
|
||||
- include: "mail_opensmtpd.yml"
|
||||
- import_tasks: "mail_opensmtpd.yml"
|
||||
|
|
|
@ -50,7 +50,7 @@
|
|||
failed_when: "check_var.rc == 0"
|
||||
|
||||
- name: Create containers
|
||||
include: create-container.yml
|
||||
include_tasks: create-container.yml
|
||||
vars:
|
||||
name: "{{ item.name }}"
|
||||
release: "{{ item.release }}"
|
||||
|
|
|
@ -36,4 +36,6 @@ lxc.start.auto = 1
|
|||
{% if ansible_distribution_major_version is version('9', '>') %}
|
||||
# Set LXC container unconfined in AppArmor
|
||||
lxc.apparmor.profile = unconfined
|
||||
{% else %}
|
||||
lxc.aa_profile = unconfined
|
||||
{% endif %}
|
||||
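Review bot: Both branches of the new `{% if %}` block set the container's AppArmor profile to `unconfined` (`lxc.apparmor.profile` on Debian 10 and later, `lxc.aa_profile` before), which drops the confinement LXC applies by default; the added comment states what the line does but not why the default profile is insufficient. Put the reason in the comment (`# Run unconfined: <reason> — the default lxc profile blocks it; revisit when <condition>`, with the real reason filled in) and consider exposing the profile name through a role variable that defaults to the current value, so operators who can live with the default profile can opt back into confinement without forking the template.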
|
|
|
@ -69,6 +69,6 @@
|
|||
- memcached
|
||||
when: memcached_instance_name | length > 0
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
|
||||
- include: nrpe.yml
|
||||
- import_tasks: nrpe.yml
|
||||
|
|
|
@ -1,13 +1,19 @@
|
|||
---
|
||||
|
||||
minifirewall_main_file: /etc/default/minifirewall
|
||||
minifirewall_tail_file: /etc/default/minifirewall.tail
|
||||
# Deprecated variable
|
||||
# minifirewall_main_file: /etc/default/minifirewall
|
||||
|
||||
minifirewall_tail_file: zzz-tail
|
||||
minifirewall_tail_included: False
|
||||
minifirewall_tail_force: True
|
||||
|
||||
# Overwrite files completely
|
||||
minifirewall_force_upgrade_script: False
|
||||
minifirewall_force_upgrade_config: False
|
||||
|
||||
# Update specific values in configuration
|
||||
minifirewall_update_config: True
|
||||
|
||||
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
|
||||
minifirewall_checkout_path: "/tmp/minifirewall"
|
||||
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
||||
|
@ -31,7 +37,7 @@ minifirewall_private_ports_tcp: [5666]
|
|||
minifirewall_private_ports_udp: []
|
||||
|
||||
# Keep a null value to leave the setting as is
|
||||
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
|
||||
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0', '::/0']"
|
||||
minifirewall_dns_servers: Null
|
||||
minifirewall_http_sites: Null
|
||||
minifirewall_https_sites: Null
|
||||
|
@ -41,6 +47,22 @@ minifirewall_smtp_ok: Null
|
|||
minifirewall_smtp_secure_ok: Null
|
||||
minifirewall_ntp_ok: Null
|
||||
|
||||
minifirewall_proxy: "off"
|
||||
minifirewall_proxyport: 8888
|
||||
minifirewall_proxybypass:
|
||||
- "${INTLAN}"
|
||||
- "127.0.0.0/8"
|
||||
- "::1/128"
|
||||
minifirewall_backupservers: Null
|
||||
|
||||
minifirewall_sysctl_icmp_echo_ignore_broadcasts : Null
|
||||
minifirewall_sysctl_icmp_ignore_bogus_error_responses : Null
|
||||
minifirewall_sysctl_accept_source_route : Null
|
||||
minifirewall_sysctl_tcp_syncookies : Null
|
||||
minifirewall_sysctl_icmp_redirects : Null
|
||||
minifirewall_sysctl_rp_filter : Null
|
||||
minifirewall_sysctl_log_martians : Null
|
||||
|
||||
minifirewall_autostart: False
|
||||
minifirewall_restart_if_needed: True
|
||||
minifirewall_restart_force: False
|
||||
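Review bot: The new `minifirewall_sysctl_*` defaults are written `key : Null` with a space before the colon, unlike every other key in the file, and the file mixes `Null`/`True`/`False` casing; yamllint flags both, so write `minifirewall_sysctl_rp_filter: null` (and `true`/`false` for the booleans) throughout. The hunk also removes `minifirewall_main_file` while its comment only calls it deprecated; if any task or playbook still references it, the variable becomes undefined rather than deprecated — keeping the definition under the comment, or stating in the comment that it is now ignored, is the safer way to retire it. `minifirewall_proxybypass` carries the literal `"${INTLAN}"`, which only works because the minifirewall script expands it when it sources its configuration file; a one-line comment saying the value is passed verbatim to the script would stop someone from trying to template it in Ansible.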
|
|
23
minifirewall/files/blacklist-countries.sh
Normal file
23
minifirewall/files/blacklist-countries.sh
Normal file
|
@ -0,0 +1,23 @@
|
|||
#!/bin/sh
|
||||
|
||||
ripedeny_file=/var/tmp/ripe_deny
|
||||
|
||||
cd /var/tmp
|
||||
|
||||
rm -f $ripedeny_file
|
||||
|
||||
GET http://antispam00.evolix.org/spam/ripe.cidr.md5 > ripe.cidr.md5
|
||||
GET http://antispam00.evolix.org/spam/ripe.cidr > ripe.cidr
|
||||
|
||||
for i in CN KR RU; do
|
||||
|
||||
grep "^$i|" ripe.cidr >> $ripedeny_file
|
||||
|
||||
done
|
||||
|
||||
/sbin/iptables -F NEEDRESTRICT
|
||||
|
||||
for i in $(cat $ripedeny_file); do
|
||||
BLOCK=$(echo $i | cut -d"|" -f2)
|
||||
/sbin/iptables -I NEEDRESTRICT -s $BLOCK -j DROP
|
||||
done
|
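Review bot: The new script downloads `ripe.cidr.md5` but never compares it with anything, so the checksum fetch is dead code, and because both files come over plain HTTP from the same host the md5 could only ever catch truncation, not tampering — integrity here needs TLS (if the server offers it) or a detached signature, since the content ends up as DROP rules. The ordering is also fragile: `iptables -F NEEDRESTRICT` runs before anything checks that the download produced a non-empty list, so a failed fetch leaves the chain empty until the next run, and the fixed filenames in world-writable `/var/tmp` (`rm -f` followed by `>>`) are a symlink race for a script running as root. The shape below uses a private temp dir, fails fast, verifies the list against the fetched checksum and flushes the chain only once a non-empty deny list exists; the md5 file's exact format is not visible here, so the `cut -d' ' -f1` assumes either a bare hash or `md5sum` output — confirm against the server.
```shell
#!/bin/sh
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "${workdir}"' EXIT
ripedeny_file="${workdir}/ripe_deny"

# TODO(review): switch to https if antispam00.evolix.org serves it
GET http://antispam00.evolix.org/spam/ripe.cidr.md5 > "${workdir}/ripe.cidr.md5"
GET http://antispam00.evolix.org/spam/ripe.cidr > "${workdir}/ripe.cidr"

expected=$(cut -d' ' -f1 "${workdir}/ripe.cidr.md5")
actual=$(md5sum "${workdir}/ripe.cidr" | cut -d' ' -f1)
if [ -z "${expected}" ] || [ "${expected}" != "${actual}" ]; then
    echo "ripe.cidr checksum mismatch, keeping current NEEDRESTRICT rules" >&2
    exit 1
fi

for i in CN KR RU; do
    grep "^$i|" "${workdir}/ripe.cidr" >> "${ripedeny_file}" || true
done

if [ ! -s "${ripedeny_file}" ]; then
    echo "empty deny list, keeping current NEEDRESTRICT rules" >&2
    exit 1
fi

/sbin/iptables -F NEEDRESTRICT
while IFS='|' read -r _country block _rest; do
    /sbin/iptables -I NEEDRESTRICT -s "${block}" -j DROP
done < "${ripedeny_file}"
```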
902
minifirewall/files/minifirewall
Executable file
902
minifirewall/files/minifirewall
Executable file
|
@ -0,0 +1,902 @@
|
|||
#!/bin/sh
|
||||
|
||||
# minifirewall is shellscripts for easy firewalling on a standalone server
|
||||
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
||||
# See https://gitea.evolix.org/evolix/minifirewall
|
||||
|
||||
# Copyright (c) 2007-2022 Evolix
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 3
|
||||
# of the License.
|
||||
|
||||
# Description
|
||||
# script for standalone server
|
||||
|
||||
# Start or stop minifirewall
|
||||
#
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: minifirewall
|
||||
# Required-Start:
|
||||
# Required-Stop:
|
||||
# Should-Start: $network $syslog $named
|
||||
# Should-Stop: $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: start and stop the firewall
|
||||
# Description: Firewall designed for standalone server
|
||||
### END INIT INFO
|
||||
|
||||
VERSION="22.03.4"
|
||||
|
||||
NAME="minifirewall"
|
||||
# shellcheck disable=SC2034
|
||||
DESC="Firewall designed for standalone server"
|
||||
|
||||
set -u
|
||||
|
||||
# Variables configuration
|
||||
#########################
|
||||
|
||||
config_file="/etc/default/minifirewall"
|
||||
includes_dir="/etc/minifirewall.d"
|
||||
|
||||
# iptables paths
|
||||
IPT=$(command -v iptables)
|
||||
if [ -z "${IPT}" ]; then
|
||||
echo "Unable to find 'iptables\` command in PATH." >&2
|
||||
exit 1
|
||||
fi
|
||||
IPT6=$(command -v ip6tables)
|
||||
if [ -z "${IPT6}" ]; then
|
||||
echo "Unable to find 'ip6tables\` command in PATH." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# TCP/IP variables
|
||||
LOOPBACK='127.0.0.0/8'
|
||||
CLASSA='10.0.0.0/8'
|
||||
CLASSB='172.16.0.0/12'
|
||||
CLASSC='192.168.0.0/16'
|
||||
CLASSD='224.0.0.0/4'
|
||||
CLASSE='240.0.0.0/5'
|
||||
ALL='0.0.0.0'
|
||||
BROAD='255.255.255.255'
|
||||
PORTSROOT='0:1023'
|
||||
PORTSUSER='1024:65535'
|
||||
|
||||
# Configuration
|
||||
|
||||
INT=''
|
||||
IPV6=''
|
||||
DOCKER=''
|
||||
INTLAN=''
|
||||
TRUSTEDIPS=''
|
||||
PRIVILEGIEDIPS=''
|
||||
SERVICESTCP1p=''
|
||||
SERVICESUDP1p=''
|
||||
SERVICESTCP1=''
|
||||
SERVICESUDP1=''
|
||||
SERVICESTCP2=''
|
||||
SERVICESUDP2=''
|
||||
SERVICESTCP3=''
|
||||
SERVICESUDP3=''
|
||||
DNSSERVEURS=''
|
||||
HTTPSITES=''
|
||||
HTTPSSITES=''
|
||||
FTPSITES=''
|
||||
SSHOK=''
|
||||
SMTPOK=''
|
||||
SMTPSECUREOK=''
|
||||
NTPOK=''
|
||||
PROXY=''
|
||||
PROXYBYPASS=''
|
||||
PROXYPORT=''
|
||||
BACKUPSERVERS=''
|
||||
|
||||
LEGACY_CONFIG='off'
|
||||
|
||||
## pseudo dry-run :
|
||||
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
||||
# IPT="fake_iptables"
|
||||
# IPT6="fake_ip6tables"
|
||||
# fake_iptables() {
|
||||
# printf "DRY-RUN iptables %s\n" "$*"
|
||||
# }
|
||||
# fake_ip6tables() {
|
||||
# printf "DRY-RUN ip6tables %s\n" "$*"
|
||||
# }
|
||||
## Beware that commands executed from included files are not modified by this trick.
|
||||
|
||||
sort_values() {
|
||||
echo "$*" | tr ' ' '\n' | sort -h
|
||||
}
|
||||
is_ipv6_enabled() {
|
||||
test "${IPV6}" != "off"
|
||||
}
|
||||
is_docker_enabled() {
|
||||
test "${DOCKER}" = "on"
|
||||
}
|
||||
is_proxy_enabled() {
|
||||
test "${PROXY}" = "on"
|
||||
}
|
||||
is_ipv6() {
|
||||
echo "$1" | grep -q ':'
|
||||
}
|
||||
is_legacy_config() {
|
||||
test "${LEGACY_CONFIG}" != "off"
|
||||
}
|
||||
chain_exists() {
|
||||
chain_name="$1"
|
||||
if [ $# -ge 2 ]; then
|
||||
intable="--table $2"
|
||||
else
|
||||
intable=""
|
||||
fi
|
||||
# shellcheck disable=SC2086
|
||||
iptables ${intable} -nL "${chain_name}" >/dev/null 2>&1
|
||||
}
|
||||
source_file_or_error() {
|
||||
file=$1
|
||||
echo "...sourcing '${file}\`"
|
||||
|
||||
tmpfile=$(mktemp --tmpdir=/tmp minifirewall.XXX)
|
||||
. "${file}" 2>"${tmpfile}" >&2
|
||||
|
||||
if [ -s "${tmpfile}" ]; then
|
||||
echo "${file} returns standard or error output (see below). Stopping." >&2
|
||||
cat "${tmpfile}"
|
||||
exit 1
|
||||
fi
|
||||
rm "${tmpfile}"
|
||||
}
|
||||
source_configuration() {
|
||||
if ! test -f ${config_file}; then
|
||||
echo "${config_file} does not exist" >&2
|
||||
|
||||
## We still want to deal with this really old configuration file
|
||||
## even if it has been deprecated since Debian 8
|
||||
old_config_file="/etc/firewall.rc"
|
||||
if test -f ${old_config_file}; then
|
||||
echo "${old_config_file} is deprecated. Rename it to ${config_file}" >&2
|
||||
fi
|
||||
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if grep -e "iptables" -e "ip6tables" "${config_file}" | grep -qvE "^#"; then
|
||||
# Backward compatible mode
|
||||
###########################
|
||||
|
||||
echo "Legacy config detected"
|
||||
LEGACY_CONFIG='on'
|
||||
|
||||
# Non-backward compatible mode
|
||||
###############################
|
||||
|
||||
# If we ever want to remove the backward compatible mode
|
||||
# we can remove the two lines above and uncomment the lines below.
|
||||
# They break if any iptables/ip6tables command is found in the configuration file
|
||||
|
||||
# echo "iptables/ip6tables commands found in ${config_file}." >&2
|
||||
# echo "Move them in included files (in ${includes_dir})." >&2
|
||||
# exit 1
|
||||
fi
|
||||
|
||||
if is_legacy_config; then
|
||||
# In this mode, we extract all variable definitions
|
||||
# to a temporary file that we can source.
|
||||
# It allow iptables/ip6tables commands to remain in the configuration file
|
||||
# and not interfere with the configuration step.
|
||||
|
||||
tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX)
|
||||
grep -E "^\s*[_a-zA-Z0-9]+=" "${config_file}" > "${tmp_config_file}"
|
||||
|
||||
source_file_or_error "${tmp_config_file}"
|
||||
rm "${tmp_config_file}"
|
||||
else
|
||||
source_file_or_error "${config_file}"
|
||||
fi
|
||||
}
|
||||
source_includes() {
|
||||
if [ -d "${includes_dir}" ]; then
|
||||
include_files=$(find ${includes_dir} -type f -readable -not -name '*.*' | sort -h)
|
||||
for include_file in ${include_files}; do
|
||||
source_file_or_error "${include_file}"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
start() {
|
||||
echo "Start IPTables rules..."
|
||||
|
||||
# Stop and warn if error!
|
||||
set -e
|
||||
trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
|
||||
|
||||
# sysctl network security settings
|
||||
##################################
|
||||
|
||||
# Set 1 to ignore broadcast pings (default)
|
||||
: "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS:=1}"
|
||||
# Set 1 to ignore bogus ICMP responses (default)
|
||||
: "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES:=1}"
|
||||
# Set 0 to disable source routing (default)
|
||||
: "${SYSCTL_ACCEPT_SOURCE_ROUTE:=0}"
|
||||
# Set 1 to enable TCP SYN cookies (default)
|
||||
# cf http://cr.yp.to/syncookies.html
|
||||
: "${SYSCTL_TCP_SYNCOOKIES:=1}"
|
||||
# Set 0 to disable ICMP redirects (default)
|
||||
: "${SYSCTL_ICMP_REDIRECTS:=0}"
|
||||
# Set 1 to enable Reverse Path filtering (default)
|
||||
# Set 0 if VRRP is used
|
||||
: "${SYSCTL_RP_FILTER:=1}"
|
||||
# Set 1 to log packets with inconsistent address (default)
|
||||
: "${SYSCTL_LOG_MARTIANS:=1}"
|
||||
|
||||
if [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "1" ] || [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "0" ]; then
|
||||
echo "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
||||
else
|
||||
echo "Invalid SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS value '${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}', must be '0' or '1'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "1" ] || [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "0" ]; then
|
||||
echo "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
|
||||
else
|
||||
echo "Invalid SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES value '${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}', must be '0' or '1'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "1" ] || [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "0" ]; then
|
||||
for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
|
||||
echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = > "${proc_sys_file}"
|
||||
done
|
||||
else
|
||||
echo "Invalid SYSCTL_ACCEPT_SOURCE_ROUTE value '${SYSCTL_ACCEPT_SOURCE_ROUTE}', must be '0' or '1'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${SYSCTL_TCP_SYNCOOKIES}" = "1" ] || [ "${SYSCTL_TCP_SYNCOOKIES}" = "0" ]; then
|
||||
echo "${SYSCTL_TCP_SYNCOOKIES}" > /proc/sys/net/ipv4/tcp_syncookies
|
||||
else
|
||||
echo "Invalid SYSCTL_TCP_SYNCOOKIES value '${SYSCTL_TCP_SYNCOOKIES}', must be '0' or '1'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${SYSCTL_ICMP_REDIRECTS}" = "1" ] || [ "${SYSCTL_ICMP_REDIRECTS}" = "0" ]; then
|
||||
for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
|
||||
echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}"
|
||||
done
|
||||
for proc_sys_file in /proc/sys/net/ipv4/conf/*/send_redirects; do
|
||||
echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}"
|
||||
done
|
||||
else
|
||||
echo "Invalid SYSCTL_ICMP_REDIRECTS value '${SYSCTL_ICMP_REDIRECTS}', must be '0' or '1'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${SYSCTL_RP_FILTER}" = "1" ] || [ "${SYSCTL_RP_FILTER}" = "0" ]; then
|
||||
for proc_sys_file in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
||||
echo "${SYSCTL_RP_FILTER}" > "${proc_sys_file}"
|
||||
done
|
||||
else
|
||||
echo "Invalid SYSCTL_RP_FILTER value '${SYSCTL_RP_FILTER}', must be '0' or '1'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${SYSCTL_LOG_MARTIANS}" = "1" ] || [ "${SYSCTL_LOG_MARTIANS}" = "0" ]; then
|
||||
for proc_sys_file in /proc/sys/net/ipv4/conf/*/log_martians; do
|
||||
echo "${SYSCTL_LOG_MARTIANS}" > "${proc_sys_file}"
|
||||
done
|
||||
else
|
||||
echo "Invalid SYSCTL_LOG_MARTIANS value '${SYSCTL_LOG_MARTIANS}', must be '0' or '1'." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# IPTables configuration
|
||||
########################
|
||||
|
||||
${IPT} -N LOG_DROP
|
||||
${IPT} -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
|
||||
${IPT} -A LOG_DROP -j DROP
|
||||
${IPT} -N LOG_ACCEPT
|
||||
${IPT} -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||
${IPT} -A LOG_ACCEPT -j ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -N LOG_DROP
|
||||
${IPT6} -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
|
||||
${IPT6} -A LOG_DROP -j DROP
|
||||
${IPT6} -N LOG_ACCEPT
|
||||
${IPT6} -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||
${IPT6} -A LOG_ACCEPT -j ACCEPT
|
||||
fi
|
||||
|
||||
# Source additional rules and commands
|
||||
# * from legacy configuration file (/etc/default/minifirewall)
|
||||
# * from configuration directory (/etc/minifirewall.d/*)
|
||||
source_includes
|
||||
|
||||
# IP/ports lists are sorted to have consistent ordering
|
||||
# You can disable this feature by simply commenting the following lines
|
||||
LOOPBACK=$(sort_values ${LOOPBACK})
|
||||
INTLAN=$(sort_values ${INTLAN})
|
||||
TRUSTEDIPS=$(sort_values ${TRUSTEDIPS})
|
||||
PRIVILEGIEDIPS=$(sort_values ${PRIVILEGIEDIPS})
|
||||
SERVICESTCP1p=$(sort_values ${SERVICESTCP1p})
|
||||
SERVICESUDP1p=$(sort_values ${SERVICESUDP1p})
|
||||
SERVICESTCP1=$(sort_values ${SERVICESTCP1})
|
||||
SERVICESUDP1=$(sort_values ${SERVICESUDP1})
|
||||
SERVICESTCP2=$(sort_values ${SERVICESTCP2})
|
||||
SERVICESUDP2=$(sort_values ${SERVICESUDP2})
|
||||
SERVICESTCP3=$(sort_values ${SERVICESTCP3})
|
||||
SERVICESUDP3=$(sort_values ${SERVICESUDP3})
|
||||
DNSSERVEURS=$(sort_values ${DNSSERVEURS})
|
||||
HTTPSITES=$(sort_values ${HTTPSITES})
|
||||
HTTPSSITES=$(sort_values ${HTTPSSITES})
|
||||
FTPSITES=$(sort_values ${FTPSITES})
|
||||
SSHOK=$(sort_values ${SSHOK})
|
||||
SMTPOK=$(sort_values ${SMTPOK})
|
||||
SMTPSECUREOK=$(sort_values ${SMTPSECUREOK})
|
||||
NTPOK=$(sort_values ${NTPOK})
|
||||
PROXYBYPASS=$(sort_values ${PROXYBYPASS})
|
||||
BACKUPSERVERS=$(sort_values ${BACKUPSERVERS})
|
||||
|
||||
# Trusted ip addresses
|
||||
${IPT} -N ONLYTRUSTED
|
||||
${IPT} -A ONLYTRUSTED -j LOG_DROP
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -N ONLYTRUSTED
|
||||
${IPT6} -A ONLYTRUSTED -j LOG_DROP
|
||||
fi
|
||||
for ip in ${TRUSTEDIPS}; do
|
||||
if is_ipv6 ${ip}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -I ONLYTRUSTED -s ${ip} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -I ONLYTRUSTED -s ${ip} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# Privilegied ip addresses
|
||||
# (trusted ip addresses *are* privilegied)
|
||||
${IPT} -N ONLYPRIVILEGIED
|
||||
${IPT} -A ONLYPRIVILEGIED -j ONLYTRUSTED
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -N ONLYPRIVILEGIED
|
||||
${IPT6} -A ONLYPRIVILEGIED -j ONLYTRUSTED
|
||||
fi
|
||||
for ip in ${PRIVILEGIEDIPS}; do
|
||||
if is_ipv6 ${ip}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -I ONLYPRIVILEGIED -s ${ip} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -I ONLYPRIVILEGIED -s ${ip} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# Chain for restrictions (blacklist IPs/ranges)
|
||||
${IPT} -N NEEDRESTRICT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -N NEEDRESTRICT
|
||||
fi
|
||||
|
||||
# We allow all on loopback interface
|
||||
${IPT} -A INPUT -i lo -j ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -i lo -j ACCEPT
|
||||
fi
|
||||
# if OUTPUTDROP
|
||||
${IPT} -A OUTPUT -o lo -j ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A OUTPUT -o lo -j ACCEPT
|
||||
fi
|
||||
|
||||
# We avoid "martians" packets, typical when W32/Blaster virus
|
||||
# attacked windowsupdate.com and DNS was changed to 127.0.0.1
|
||||
# ${IPT} -t NAT -I PREROUTING -s ${LOOPBACK} -i ! lo -j DROP
|
||||
for IP in ${LOOPBACK}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -s ${IP} ! -i lo -j DROP
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -s ${IP} ! -i lo -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
if is_docker_enabled; then
|
||||
# WARN: IPv6 not yet supported for Docker rules
|
||||
${IPT} -N MINIFW-DOCKER-TRUSTED
|
||||
${IPT} -A MINIFW-DOCKER-TRUSTED -j DROP
|
||||
|
||||
${IPT} -N MINIFW-DOCKER-PRIVILEGED
|
||||
${IPT} -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
|
||||
${IPT} -A MINIFW-DOCKER-PRIVILEGED -j RETURN
|
||||
|
||||
${IPT} -N MINIFW-DOCKER-PUB
|
||||
${IPT} -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
|
||||
${IPT} -A MINIFW-DOCKER-PUB -j RETURN
|
||||
|
||||
# Flush DOCKER-USER if exist, create it if absent
|
||||
if chain_exists 'DOCKER-USER'; then
|
||||
${IPT} -F DOCKER-USER
|
||||
else
|
||||
${IPT} -N DOCKER-USER
|
||||
fi;
|
||||
|
||||
# Pipe new connection through MINIFW-DOCKER-PUB
|
||||
${IPT} -A DOCKER-USER -i ${INT} -m state --state NEW -j MINIFW-DOCKER-PUB
|
||||
${IPT} -A DOCKER-USER -j RETURN
|
||||
fi
|
||||
|
||||
|
||||
# Local services restrictions
|
||||
#############################
|
||||
|
||||
# Allow services for ${INTLAN} (local server or local network)
|
||||
for IP in ${INTLAN}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -s ${IP} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -s ${IP} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# Enable protection chain for sensible services
|
||||
for port in ${SERVICESTCP1p}; do
|
||||
${IPT} -A INPUT -p tcp --dport ${port} -j NEEDRESTRICT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp --dport ${port} -j NEEDRESTRICT
|
||||
fi
|
||||
done
|
||||
|
||||
for port in ${SERVICESUDP1p}; do
|
||||
${IPT} -A INPUT -p udp --dport ${port} -j NEEDRESTRICT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p udp --dport ${port} -j NEEDRESTRICT
|
||||
fi
|
||||
done
|
||||
|
||||
# Public service
|
||||
for port in ${SERVICESTCP1}; do
|
||||
${IPT} -A INPUT -p tcp --dport ${port} -j ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp --dport ${port} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
for port in ${SERVICESUDP1}; do
|
||||
${IPT} -A INPUT -p udp --dport ${port} -j ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p udp --dport ${port} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# Privilegied services
|
||||
for port in ${SERVICESTCP2}; do
|
||||
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYPRIVILEGIED
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp --dport ${port} -j ONLYPRIVILEGIED
|
||||
fi
|
||||
done
|
||||
|
||||
for port in ${SERVICESUDP2}; do
|
||||
${IPT} -A INPUT -p udp --dport ${port} -j ONLYPRIVILEGIED
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p udp --dport ${port} -j ONLYPRIVILEGIED
|
||||
fi
|
||||
done
|
||||
|
||||
# Private services
|
||||
for port in ${SERVICESTCP3}; do
|
||||
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYTRUSTED
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp --dport ${port} -j ONLYTRUSTED
|
||||
fi
|
||||
done
|
||||
|
||||
for port in ${SERVICESUDP3}; do
|
||||
${IPT} -A INPUT -p udp --dport ${port} -j ONLYTRUSTED
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p udp --dport ${port} -j ONLYTRUSTED
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
if is_docker_enabled; then
|
||||
# WARN: IPv6 not yet supported
|
||||
|
||||
# Public services defined in SERVICESTCP1 & SERVICESUDP1
|
||||
for dstport in ${SERVICESTCP1}; do
|
||||
${IPT} -I MINIFW-DOCKER-PUB -p tcp --dport "${dstport}" -j RETURN
|
||||
done
|
||||
|
||||
for dstport in ${SERVICESUDP1}; do
|
||||
${IPT} -I MINIFW-DOCKER-PUB -p udp --dport "${dstport}" -j RETURN
|
||||
done
|
||||
|
||||
# Privileged services (accessible from privileged & trusted IPs)
|
||||
for dstport in ${SERVICESTCP2}; do
|
||||
for srcip in ${PRIVILEGIEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
|
||||
for srcip in ${TRUSTEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
for dstport in ${SERVICESUDP2}; do
|
||||
for srcip in ${PRIVILEGIEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
|
||||
for srcip in ${TRUSTEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Trusted services (accessible from trusted IPs)
|
||||
for dstport in ${SERVICESTCP3}; do
|
||||
for srcip in ${TRUSTEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
for dstport in ${SERVICESUDP3}; do
|
||||
for srcip in ${TRUSTEDIPS}; do
|
||||
if ! is_ipv6 ${srcip}; then
|
||||
${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
# External services
|
||||
###################
|
||||
|
||||
# DNS authorizations
|
||||
for IP in ${DNSSERVEURS}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
${IPT6} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${IP} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
${IPT6} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 53 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${IP} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
${IPT} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 53 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# HTTP (TCP/80) authorizations
|
||||
for IP in ${HTTPSITES}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# HTTPS (TCP/443) authorizations
|
||||
for IP in ${HTTPSSITES}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# FTP (so complex protocol...) authorizations
|
||||
for IP in ${FTPSITES}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
# requests on Control connection
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
# FTP port-mode on Data Connection
|
||||
${IPT6} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
# FTP passive-mode on Data Connection
|
||||
# WARNING, this allow all connections on TCP ports > 1024
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
# requests on Control connection
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
# FTP port-mode on Data Connection
|
||||
${IPT} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
# FTP passive-mode on Data Connection
|
||||
# WARNING, this allow all connections on TCP ports > 1024
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# SSH authorizations
|
||||
for IP in ${SSHOK}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 22 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 22 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# SMTP authorizations
|
||||
for IP in ${SMTPOK}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# secure SMTP (TCP/465 et TCP/587) authorizations
|
||||
for IP in ${SMTPSECUREOK}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# NTP authorizations
|
||||
for IP in ${NTPOK}; do
|
||||
if is_ipv6 ${IP}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p udp --sport 123 -s ${IP} -j ACCEPT
|
||||
${IPT6} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 123 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p udp --sport 123 -s ${IP} -j ACCEPT
|
||||
${IPT} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 123 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# Proxy (Squid)
|
||||
if is_proxy_enabled; then
|
||||
# WARN: Squid only listen on IPv4 yet
|
||||
# TODO: verify that the pattern used for IPv4 is relevant with IPv6
|
||||
|
||||
${IPT} -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
|
||||
for dstip in ${PROXYBYPASS}; do
|
||||
if ! is_ipv6 ${dstip}; then
|
||||
${IPT} -t nat -A OUTPUT -p tcp --dport 80 -d "${dstip}" -j ACCEPT
|
||||
fi
|
||||
done
|
||||
${IPT} -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port "${PROXYPORT:-'8888'}"
|
||||
fi
|
||||
|
||||
# Output for backup servers
|
||||
for server in ${BACKUPSERVERS}; do
|
||||
server_port=$(echo "${server}" | awk -F : '{print $(NF)}')
|
||||
server_ip=$(echo "${server}" | sed -e "s/:${server_port}$//")
|
||||
|
||||
if [ -n "${server_ip}" ] && [ -n "${server_port}" ]; then
|
||||
if is_ipv6 ${server_ip}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
else
|
||||
echo "Unrecognized syntax for BACKUPSERVERS '${server}\`. Use space-separated IP:PORT tuples." >&2
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
# Always allow ICMP
|
||||
${IPT} -A INPUT -p icmp -j ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p icmpv6 -j ACCEPT
|
||||
fi
|
||||
|
||||
|
||||
# IPTables policy
|
||||
#################
|
||||
|
||||
# by default DROP INPUT packets
|
||||
${IPT} -P INPUT DROP
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -P INPUT DROP
|
||||
fi
|
||||
|
||||
# by default, no FORWARDING (deprecated for Virtual Machines)
|
||||
#echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
#${IPT} -P FORWARD DROP
|
||||
#${IPT6} -P FORWARD DROP
|
||||
|
||||
# by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets)
|
||||
${IPT} -P OUTPUT ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -P OUTPUT ACCEPT
|
||||
fi
|
||||
|
||||
${IPT} -A OUTPUT -o ${INT} -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A OUTPUT -o ${INT} -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
|
||||
${IPT} -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
|
||||
${IPT} -A OUTPUT -p udp -j DROP
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A OUTPUT -p udp -j DROP
|
||||
fi
|
||||
|
||||
if is_legacy_config; then
|
||||
source_file_or_error "${config_file}"
|
||||
fi
|
||||
|
||||
trap - INT TERM EXIT
|
||||
|
||||
echo "...starting IPTables rules is now finish : OK"
|
||||
}
|
||||
|
||||
stop() {
|
||||
echo "Flush all rules and accept everything..."
|
||||
|
||||
# Delete all rules
|
||||
${IPT} -F INPUT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -F INPUT
|
||||
fi
|
||||
|
||||
${IPT} -F OUTPUT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -F OUTPUT
|
||||
fi
|
||||
|
||||
${IPT} -F LOG_DROP
|
||||
${IPT} -F LOG_ACCEPT
|
||||
${IPT} -F ONLYTRUSTED
|
||||
${IPT} -F ONLYPRIVILEGIED
|
||||
${IPT} -F NEEDRESTRICT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -F LOG_DROP
|
||||
${IPT6} -F LOG_ACCEPT
|
||||
${IPT6} -F ONLYTRUSTED
|
||||
${IPT6} -F ONLYPRIVILEGIED
|
||||
${IPT6} -F NEEDRESTRICT
|
||||
fi
|
||||
|
||||
${IPT} -t mangle -F
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -t mangle -F
|
||||
fi
|
||||
|
||||
if is_docker_enabled; then
|
||||
# WARN: IPv6 not yet supported
|
||||
|
||||
${IPT} -F DOCKER-USER
|
||||
${IPT} -A DOCKER-USER -j RETURN
|
||||
|
||||
${IPT} -F MINIFW-DOCKER-PUB
|
||||
${IPT} -X MINIFW-DOCKER-PUB
|
||||
${IPT} -F MINIFW-DOCKER-PRIVILEGED
|
||||
${IPT} -X MINIFW-DOCKER-PRIVILEGED
|
||||
${IPT} -F MINIFW-DOCKER-TRUSTED
|
||||
${IPT} -X MINIFW-DOCKER-TRUSTED
|
||||
else
|
||||
${IPT} -t nat -F
|
||||
fi
|
||||
|
||||
# Accept all
|
||||
${IPT} -P INPUT ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -P INPUT ACCEPT
|
||||
fi
|
||||
|
||||
${IPT} -P OUTPUT ACCEPT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -P OUTPUT ACCEPT
|
||||
fi
|
||||
#${IPT} -P FORWARD ACCEPT
|
||||
#${IPT} -t nat -P PREROUTING ACCEPT
|
||||
#${IPT} -t nat -P POSTROUTING ACCEPT
|
||||
|
||||
# Delete non-standard chains
|
||||
${IPT} -X LOG_DROP
|
||||
${IPT} -X LOG_ACCEPT
|
||||
${IPT} -X ONLYPRIVILEGIED
|
||||
${IPT} -X ONLYTRUSTED
|
||||
${IPT} -X NEEDRESTRICT
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -X LOG_DROP
|
||||
${IPT6} -X LOG_ACCEPT
|
||||
${IPT6} -X ONLYPRIVILEGIED
|
||||
${IPT6} -X ONLYTRUSTED
|
||||
${IPT6} -X NEEDRESTRICT
|
||||
fi
|
||||
|
||||
echo "...flushing IPTables rules is now finish : OK"
|
||||
}
|
||||
|
||||
status() {
|
||||
${IPT} -L -n -v --line-numbers
|
||||
${IPT} -t nat -L -n -v --line-numbers
|
||||
${IPT} -t mangle -L -n -v --line-numbers
|
||||
${IPT6} -L -n -v --line-numbers
|
||||
${IPT6} -t mangle -L -n -v --line-numbers
|
||||
}
|
||||
|
||||
reset() {
|
||||
echo "Reset all IPTables counters..."
|
||||
|
||||
${IPT} -Z
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -Z
|
||||
fi
|
||||
|
||||
${IPT} -t nat -Z
|
||||
|
||||
${IPT} -t mangle -Z
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -t mangle -Z
|
||||
fi
|
||||
|
||||
echo "...reseting IPTables counters is now finish : OK"
|
||||
}
|
||||
|
||||
echo "${NAME} version ${VERSION}"
|
||||
source_configuration
|
||||
|
||||
case "${1:-''}" in
|
||||
start)
|
||||
start
|
||||
;;
|
||||
|
||||
stop)
|
||||
stop
|
||||
;;
|
||||
|
||||
status)
|
||||
status
|
||||
;;
|
||||
|
||||
reset)
|
||||
reset
|
||||
;;
|
||||
|
||||
restart)
|
||||
stop
|
||||
start
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|status|reset}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
|
@ -1,31 +1,37 @@
|
|||
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
|
||||
# Version 20.12 — 2020-12-01 22:55:35
|
||||
# Version 22.03.1 — 2022-03-15
|
||||
# shellcheck shell=sh disable=SC2034
|
||||
|
||||
# Main interface
|
||||
INT='eth0'
|
||||
|
||||
# IPv6
|
||||
IPV6=on
|
||||
IPV6='on'
|
||||
|
||||
# Docker Mode
|
||||
# Changes the behaviour of minifirewall to not break the containers' network
|
||||
# For instance, turning it on will disable nat table purge
|
||||
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||
# Also, we'll add the DOCKER-USER chain, in iptables
|
||||
#
|
||||
# WARNING : If the port mapping is different between the host and the container
|
||||
# (ie: Listen on :8090 on host, but :8080 in container)
|
||||
# then you need to give the port used inside the container
|
||||
DOCKER='off'
|
||||
|
||||
# Trusted IPv4 local network
|
||||
# ...will be often IP/32 if you don't trust anything
|
||||
INTLAN='192.168.0.2/32'
|
||||
# Trusted local network
|
||||
# ...will be often IPv4/32 or IPv6/128 if you don't trust anything
|
||||
INTLAN='192.0.2.1/32 2001:db8::1/128'
|
||||
|
||||
# Trusted IPv4 addresses for private and semi-public services
|
||||
TRUSTEDIPS='31.170.9.129 62.212.121.90 31.170.8.4 82.65.34.85 54.37.106.210 51.210.84.146'
|
||||
# Trusted IP addresses for private and semi-public services
|
||||
# TODO: add all our IPv6 adresses
|
||||
TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 62.212.121.90 31.170.8.4 2a01:9500::fada/128 82.65.34.85 54.37.106.210 51.210.84.146'
|
||||
|
||||
# Privilegied IPv4 addresses for semi-public services
|
||||
# Privilegied IP addresses for semi-public services
|
||||
# (no need to add again TRUSTEDIPS)
|
||||
PRIVILEGIEDIPS=''
|
||||
|
||||
|
||||
# Local services IPv4/IPv6 restrictions
|
||||
# Local services IP restrictions
|
||||
#######################################
|
||||
|
||||
# Protected services
|
||||
|
@ -45,62 +51,86 @@ SERVICESUDP2=''
|
|||
SERVICESTCP3='5666'
|
||||
SERVICESUDP3=''
|
||||
|
||||
# Standard output IPv4 access restrictions
|
||||
|
||||
# Standard output IPv4/IPv6 access restrictions
|
||||
##########################################
|
||||
|
||||
# DNS authorizations
|
||||
# (if you have local DNS server, set 0.0.0.0/0)
|
||||
DNSSERVEURS='0.0.0.0/0'
|
||||
DNSSERVEURS='0.0.0.0/0 ::/0'
|
||||
|
||||
# HTTP authorizations
|
||||
# (you can use DNS names but set cron to reload minifirewall regularly)
|
||||
# (if you have HTTP proxy, set 0.0.0.0/0)
|
||||
# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'
|
||||
HTTPSITES='0.0.0.0/0'
|
||||
HTTPSITES='0.0.0.0/0 ::/0'
|
||||
|
||||
# HTTPS authorizations
|
||||
HTTPSSITES='0.0.0.0/0'
|
||||
HTTPSSITES='0.0.0.0/0 ::/0'
|
||||
|
||||
# FTP authorizations
|
||||
FTPSITES=''
|
||||
|
||||
# SSH authorizations
|
||||
SSHOK='0.0.0.0/0'
|
||||
SSHOK='0.0.0.0/0 ::/0'
|
||||
|
||||
# SMTP authorizations
|
||||
SMTPOK='0.0.0.0/0'
|
||||
SMTPOK='0.0.0.0/0 ::/0'
|
||||
|
||||
# SMTP secure authorizations (ports TCP/465 and TCP/587)
|
||||
SMTPSECUREOK=''
|
||||
|
||||
# NTP authorizations
|
||||
NTPOK='0.0.0.0/0'
|
||||
NTPOK='0.0.0.0/0 ::/0'
|
||||
|
||||
# Proxy (Squid)
|
||||
PROXY='off'
|
||||
# (proxy port)
|
||||
PROXYPORT='8888'
|
||||
# (destinations that bypass the proxy)
|
||||
PROXYBYPASS="${INTLAN} 127.0.0.0/8 ::1/128"
|
||||
|
||||
# Backup servers
|
||||
# (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678')
|
||||
BACKUPSERVERS=''
|
||||
|
||||
|
||||
# IPv6 Specific rules
|
||||
# Includes
|
||||
#####################
|
||||
|
||||
# Example: allow SSH from Trusted IPv6 addresses
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT
|
||||
# Files in /etc/minifirewall.d/* (without "." in name)
|
||||
# are automatically included in alphanumerical order.
|
||||
#
|
||||
# Within included files, you can use those helper functions :
|
||||
# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
|
||||
# * is_docker_enabled: returns true if Docker mode is eabled, or false
|
||||
# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
|
||||
|
||||
# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# Example: allow output DNS, NTP and traceroute traffic
|
||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
|
||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
|
||||
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||
# Custom sysctl values (advanced)
|
||||
#################################
|
||||
|
||||
# Example: allow DHCPv6
|
||||
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
|
||||
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
|
||||
# In most cases, the default values set by minifirewall are good.
|
||||
# If you really know what you are doing,
|
||||
# you can uncomment some lines and customize the values.
|
||||
|
||||
# IPv4 Specific rules
|
||||
#####################
|
||||
# Set 1 to ignore broadcast pings (default)
|
||||
# SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='1'
|
||||
|
||||
# /sbin/iptables ...
|
||||
# Set 1 to ignore bogus ICMP responses (default)
|
||||
# SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='1'
|
||||
|
||||
# Set 0 to disable source routing (default)
|
||||
# SYSCTL_ACCEPT_SOURCE_ROUTE='0'
|
||||
|
||||
# Set 1 to enable TCP SYN cookies (default)
|
||||
# SYSCTL_TCP_SYNCOOKIES='1'
|
||||
|
||||
# Set 0 to disable ICMP redirects (default)
|
||||
# SYSCTL_ICMP_REDIRECTS='0'
|
||||
|
||||
# Set 1 to enable Reverse Path filtering (default)
|
||||
# Set 0 if VRRP is used
|
||||
# SYSCTL_RP_FILTER='1'
|
||||
|
||||
# Set 1 to log packets with inconsistent address (default)
|
||||
# SYSCTL_LOG_MARTIANS='1'
|
11
minifirewall/files/minifirewall.d/zzz-custom
Normal file
|
@ -0,0 +1,11 @@
|
|||
### custom minifirewall commands
|
||||
#
|
||||
# You can add any custom command in files like this;
|
||||
# either this one, or others in the same directory.
|
||||
# They are executed as shell scripts.
|
||||
# They are automatically included in alphanumerical order.
|
||||
#
|
||||
# Within included files, you can use those helper functions :
|
||||
# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
|
||||
# * is_docker_enabled: returns true if Docker mode is eabled, or false
|
||||
# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
|
7
minifirewall/files/minifirewall.d/zzzz-ban
Normal file
|
@ -0,0 +1,7 @@
|
|||
### ban rules
|
||||
#
|
||||
# If you have ban rules in /root/ban.iptables
|
||||
# (either manually or with /usr/share/scripts/blacklist-countries.sh)
|
||||
# ou can automatically import them with the following command:
|
||||
#
|
||||
# cat /root/ban.iptables | iptables-restore -n
|
|
@ -9,11 +9,12 @@
|
|||
|
||||
- name: Stat minifirewall config file (before)
|
||||
stat:
|
||||
path: "{{ minifirewall_main_file }}"
|
||||
path: "/etc/default/minifirewall"
|
||||
register: minifirewall_before
|
||||
|
||||
- name: Check if minifirewall is running
|
||||
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||
shell:
|
||||
cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -25,14 +26,14 @@
|
|||
|
||||
- name: Begin marker for IP addresses
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
insertbefore: '^# Main interface'
|
||||
create: no
|
||||
|
||||
- name: End marker for IP addresses
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
create: no
|
||||
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
insertafter: '^PRIVILEGIEDIPS='
|
||||
|
@ -43,12 +44,16 @@
|
|||
msg: You must provide at least 1 trusted IP
|
||||
|
||||
- debug:
|
||||
msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!"
|
||||
when: minifirewall_trusted_ips == ["0.0.0.0/0"]
|
||||
msg: "Warning: minifirewall_trusted_ips contains '0.0.0.0/0', the firewall is useless on IPv4!"
|
||||
when: "'0.0.0.0/0' in minifirewall_trusted_ips"
|
||||
|
||||
- debug:
|
||||
msg: "Warning: minifirewall_trusted_ips contains '::/0', the firewall is useless on IPv6!"
|
||||
when: "'::/0' in minifirewall_trusted_ips"
|
||||
|
||||
- name: Configure IP addresses
|
||||
blockinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
|
||||
block: |
|
||||
# Main interface
|
||||
|
@ -60,8 +65,12 @@
|
|||
# Docker Mode
|
||||
# Changes the behaviour of minifirewall to not break the containers' network
|
||||
# For instance, turning it on will disable nat table purge
|
||||
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||
DOCKER='{{ minifirewall_docker }}'
|
||||
# Also, we'll add the DOCKER-USER chain, in iptables
|
||||
#
|
||||
# WARNING : If the port mapping is different between the host and the container
|
||||
# (ie: Listen on :8090 on host, but :8080 in container)
|
||||
# then you need to give the port used inside the container
|
||||
DOCKER='off'
|
||||
|
||||
# Trusted IPv4 local network
|
||||
# ...will be often IP/32 if you don't trust anything
|
||||
|
@ -78,21 +87,21 @@
|
|||
|
||||
- name: Begin marker for ports
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
insertbefore: '^# Protected services'
|
||||
create: no
|
||||
|
||||
- name: End marker for ports
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
insertafter: '^SERVICESUDP3='
|
||||
create: no
|
||||
|
||||
- name: Configure ports
|
||||
blockinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
|
||||
block: |
|
||||
# Protected services
|
||||
|
@ -116,106 +125,171 @@
|
|||
|
||||
- name: Configure DNSSERVEURS
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
|
||||
regexp: "DNSSERVEURS='.*'"
|
||||
regexp: "DNSSERVEURS=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_dns_servers is not none
|
||||
|
||||
- name: Configure HTTPSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
|
||||
regexp: "HTTPSITES='.*'"
|
||||
regexp: "HTTPSITES=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_http_sites is not none
|
||||
|
||||
- name: Configure HTTPSSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
|
||||
regexp: "HTTPSSITES='.*'"
|
||||
regexp: "HTTPSSITES=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_https_sites is not none
|
||||
|
||||
- name: Configure FTPSITES
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
|
||||
regexp: "FTPSITES='.*'"
|
||||
regexp: "FTPSITES=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_ftp_sites is not none
|
||||
|
||||
- name: Configure SSHOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
|
||||
regexp: "SSHOK='.*'"
|
||||
regexp: "SSHOK=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_ssh_ok is not none
|
||||
|
||||
- name: Configure SMTPOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
|
||||
regexp: "SMTPOK='.*'"
|
||||
regexp: "SMTPOK=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_smtp_ok is not none
|
||||
|
||||
- name: Configure SMTPSECUREOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
|
||||
regexp: "SMTPSECUREOK='.*'"
|
||||
regexp: "SMTPSECUREOK=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_smtp_secure_ok is not none
|
||||
|
||||
- name: Configure NTPOK
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
|
||||
regexp: "NTPOK='.*'"
|
||||
regexp: "NTPOK=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_ntp_ok is not none
|
||||
|
||||
- name: evomaintenance
|
||||
- name: Configure PROXY
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||
insertafter: "^# EvoMaintenance"
|
||||
loop: "{{ evomaintenance_hosts }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "PROXY='{{ minifirewall_proxy }}'"
|
||||
regexp: "PROXY=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_proxy is not none
|
||||
|
||||
- name: remove minifirewall example rule for the evomaintenance
|
||||
- name: Configure PROXYPORT
|
||||
lineinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
|
||||
state: absent
|
||||
when: evomaintenance_hosts | length > 0
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "PROXYPORT='{{ minifirewall_proxyport }}'"
|
||||
regexp: "PROXYPORT=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_proxyport is not none
|
||||
|
||||
# Warning: keep double quotes for the value,
|
||||
# since we often reference a shell variable that needs to be interpolated
|
||||
- name: Configure PROXYBYPASS
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\""
|
||||
regexp: "PROXYBYPASS=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_proxybypass is not none
|
||||
|
||||
- name: Configure BACKUPSERVERS
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'"
|
||||
regexp: "BACKUPSERVERS=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_backupservers is not none
|
||||
|
||||
- name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'"
|
||||
regexp: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none
|
||||
|
||||
- name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'"
|
||||
regexp: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none
|
||||
|
||||
- name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'"
|
||||
regexp: "SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_sysctl_accept_source_route is not none
|
||||
|
||||
- name: Configure SYSCTL_TCP_SYNCOOKIES
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'"
|
||||
regexp: "SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_sysctl_tcp_syncookies is not none
|
||||
|
||||
- name: Configure SYSCTL_ICMP_REDIRECTS
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'"
|
||||
regexp: "SYSCTL_ICMP_REDIRECTS=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_sysctl_icmp_redirects is not none
|
||||
|
||||
- name: Configure SYSCTL_RP_FILTER
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'"
|
||||
regexp: "SYSCTL_RP_FILTER=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_sysctl_rp_filter is not none
|
||||
|
||||
- name: Configure SYSCTL_LOG_MARTIANS
|
||||
lineinfile:
|
||||
dest: "/etc/default/minifirewall"
|
||||
line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'"
|
||||
regexp: "SYSCTL_LOG_MARTIANS=('|\").*('|\")"
|
||||
create: no
|
||||
when: minifirewall_sysctl_log_martians is not none
|
||||
|
||||
- name: Stat minifirewall config file (after)
|
||||
stat:
|
||||
path: "{{ minifirewall_main_file }}"
|
||||
path: "/etc/default/minifirewall"
|
||||
register: minifirewall_after
|
||||
|
||||
- name: restart minifirewall
|
||||
# service:
|
||||
# name: minifirewall
|
||||
# state: restarted
|
||||
command: /etc/init.d/minifirewall restart
|
||||
register: minifirewall_init_restart
|
||||
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
||||
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
|
||||
when:
|
||||
- minifirewall_restart_if_needed | bool
|
||||
- minifirewall_is_running.rc == 0
|
||||
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
|
||||
|
||||
- name: restart minifirewall (noop)
|
||||
meta: noop
|
||||
register: minifirewall_init_restart
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
when: not (minifirewall_restart_if_needed | bool)
|
||||
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed
|
||||
|
||||
- debug:
|
||||
var: minifirewall_init_restart
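Review bot: The `Configure PROXYBYPASS` task writes the inventory list straight into a double-quoted shell assignment, and `/etc/default/minifirewall` is a `sh` file that the init script sources (the comment above the task says the double quotes are kept precisely so `${INTLAN}` is interpolated), so a value containing `$(`, backticks or a closing `"` is executed with the init script's privileges the next time the firewall starts; nothing in the new tasks checks the entries before they are written. The single-quoted tasks above it (`DNSSERVEURS` through `BACKUPSERVERS`) have the same exposure through a stray `'` in a value. An allow-list check run before the lineinfile task, along the lines of the snippet below, rejects anything that is not an address, a CIDR or a `${VAR}` reference; loosen the pattern if the inventory legitimately carries host names. I am inferring from the `join(' ')` that the variable is a list; if it can also be a plain string, adapt the loop accordingly.

```yaml
# Refuse values that could break out of the quotes when the file is sourced
- name: Check that PROXYBYPASS entries are addresses, CIDRs or ${VAR} references
  assert:
    that: item is match('^(\$\{[A-Z0-9_]+\}|[0-9A-Fa-f.:/]+)$')
    fail_msg: "Unexpected PROXYBYPASS entry: {{ item }}"
  loop: "{{ minifirewall_proxybypass }}"
  when: minifirewall_proxybypass is not none
# … unchanged: Configure PROXYBYPASS task …
```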
|
||||
|
|
|
@ -6,19 +6,58 @@
|
|||
state: present
|
||||
|
||||
- name: init script is copied
|
||||
template:
|
||||
src: minifirewall.j2
|
||||
copy:
|
||||
src: minifirewall
|
||||
dest: /etc/init.d/minifirewall
|
||||
force: "{{ minifirewall_force_upgrade_script | default('no') }}"
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
register: minifirewall_upgrade_script
|
||||
|
||||
- name: configuration is copied
|
||||
copy:
|
||||
src: minifirewall.conf
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
dest: "/etc/default/minifirewall"
|
||||
force: "{{ minifirewall_force_upgrade_config | default('no') }}"
|
||||
mode: "0600"
|
||||
owner: root
|
||||
group: root
|
||||
register: minifirewall_upgrade_config
|
||||
|
||||
- name: includes directory is present
|
||||
file:
|
||||
path: /etc/minifirewall.d/
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0700"
|
||||
|
||||
- name: examples for includes are present
|
||||
copy:
|
||||
src: "minifirewall.d/"
|
||||
dest: "/etc/minifirewall.d/"
|
||||
force: "no"
|
||||
mode: "0600"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: /usr/share/scripts exists
|
||||
file:
|
||||
dest: /usr/share/scripts
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
|
||||
- name: blacklist-countries.sh is copied
|
||||
copy:
|
||||
src: blacklist-countries.sh
|
||||
dest: /usr/share/scripts/blacklist-countries.sh
|
||||
force: "no"
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
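Review bot: The `blacklist-countries.sh is copied` task pins `force: "no"`, so once the script exists on a host it is never refreshed, unlike the init script and configuration just above, which expose `minifirewall_force_upgrade_script` / `minifirewall_force_upgrade_config` for exactly that purpose. A helper that is never re-synced silently drifts from the vendored copy, and fixes to it never reach existing hosts. For consistency with the two copies above, expose the same kind of switch, e.g. `force: "{{ minifirewall_force_upgrade_blacklist_script | default('no') }}"` (the variable name is a proposal), and mention it with the other defaults. The same `force: "no"` on `examples for includes are present` is reasonable for example files, but a comment such as `# examples only: never overwrite operator-edited includes` would make that asymmetry visibly deliberate.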
|
||||
|
|
|
@ -4,19 +4,25 @@
|
|||
set_fact:
|
||||
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
||||
|
||||
- include: install.yml
|
||||
- name: Fail if minifirewall_main_file is defined
|
||||
fail:
|
||||
msg: "Variable minifirewall_main_file is deprecated and not configurable anymore."
|
||||
when: minifirewall_main_file is defined
|
||||
|
||||
- include: config.yml
|
||||
- import_tasks: install.yml
|
||||
|
||||
- include: nrpe.yml
|
||||
- import_tasks: config.yml
|
||||
when: minifirewall_update_config | bool
|
||||
|
||||
- include: activate.yml
|
||||
- import_tasks: nrpe.yml
|
||||
|
||||
- include: tail.yml
|
||||
- import_tasks: activate.yml
|
||||
|
||||
- import_tasks: tail.yml
|
||||
when: minifirewall_tail_included | bool
|
||||
|
||||
- name: Force restart minifirewall
|
||||
command: /bin/true
|
||||
notify: restart minifirewall
|
||||
changed_when: False
|
||||
command: /etc/init.d/minifirewall restart
|
||||
register: minifirewall_init_restart
|
||||
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
|
||||
when: minifirewall_restart_force | bool
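Review bot: The `Force restart minifirewall` task now runs `/etc/init.d/minifirewall restart` directly and fails when the OK marker is missing, but nothing tells the operator what state a failure leaves the host in. The deleted init script further down in this diff implements `restart` as `$0 stop` followed by `$0 start`, so if the vendored replacement keeps that shape, a failed `start` means the rules have already been flushed with ACCEPT policies at the moment the task reports failure. A comment on the task, e.g. `# a failure here means stop already ran: rules stay flushed until start succeeds`, or a `fail:` carrying that message in a `rescue`, would make this explicit. It is also not clear from the rendered hunk whether `changed_when: False` belongs to the old task or stays on the new one; with a bare `command` and no `changed_when` the task always reports changed, whereas the equivalent restart task in config.yml derives `changed_when` from the OK marker, and the two should agree.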
|
||||
|
|
|
@ -2,8 +2,9 @@
|
|||
- name: Add some rules at the end of minifirewall file
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ minifirewall_tail_file }}"
|
||||
dest: "/etc/minifirewall.d/{{ minifirewall_tail_file }}"
|
||||
force: "{{ minifirewall_tail_force | bool }}"
|
||||
follow: yes
|
||||
loop: "{{ query('first_found', templates) }}"
|
||||
vars:
|
||||
templates:
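Review bot: `dest` now prefixes `minifirewall_tail_file` with `/etc/minifirewall.d/`, which changes the meaning of a variable that previously held a full path; an inventory still setting it to an absolute path (the old usage) renders a nested path such as `/etc/minifirewall.d//etc/...` and the template lands in the wrong place or fails. Since main.yml in this same change adds a `fail` guard for the deprecated `minifirewall_main_file`, a matching guard here is cheap: an `assert` with `that: minifirewall_tail_file is not search('/')` and a message explaining that the value is now a file name under `/etc/minifirewall.d/`. Separately, this `template` task sets no `mode`/`owner`/`group`, while the main configuration and the example includes in install.yml are written as `0600` root:root; the tail file carries rules of the same kind, so add `mode: "0600"`, `owner: root`, `group: root` here too.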
|
||||
|
@ -17,18 +18,6 @@
|
|||
var: minifirewall_tail_template
|
||||
verbosity: 1
|
||||
|
||||
- name: source minifirewall.tail at the end of the main file
|
||||
blockinfile:
|
||||
dest: "{{ minifirewall_main_file }}"
|
||||
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
|
||||
block: ". {{ minifirewall_tail_file }}"
|
||||
insertbefore: EOF
|
||||
register: minifirewall_tail_source
|
||||
|
||||
- debug:
|
||||
var: minifirewall_tail_source
|
||||
verbosity: 1
|
||||
|
||||
- name: restart minifirewall
|
||||
# service:
|
||||
# name: minifirewall
|
||||
|
|
|
@ -1,492 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
# minifirewall is shellscripts for easy firewalling on a standalone server
|
||||
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
||||
# See https://gitea.evolix.org/evolix/minifirewall
|
||||
|
||||
# Copyright (c) 2007-2020 Evolix
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 3
|
||||
# of the License.
|
||||
|
||||
# Description
|
||||
# script for standalone server
|
||||
|
||||
# Start or stop minifirewall
|
||||
#
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: minfirewall
|
||||
# Required-Start:
|
||||
# Required-Stop:
|
||||
# Should-Start: $network $syslog $named
|
||||
# Should-Stop: $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: start and stop the firewall
|
||||
# Description: Firewall designed for standalone server
|
||||
### END INIT INFO
|
||||
|
||||
DESC="minifirewall"
|
||||
NAME="minifirewall"
|
||||
|
||||
|
||||
# Variables configuration
|
||||
#########################
|
||||
|
||||
# iptables paths
|
||||
IPT=/sbin/iptables
|
||||
IPT6=/sbin/ip6tables
|
||||
|
||||
# TCP/IP variables
|
||||
LOOPBACK='127.0.0.0/8'
|
||||
CLASSA='10.0.0.0/8'
|
||||
CLASSB='172.16.0.0/12'
|
||||
CLASSC='192.168.0.0/16'
|
||||
CLASSD='224.0.0.0/4'
|
||||
CLASSE='240.0.0.0/5'
|
||||
ALL='0.0.0.0'
|
||||
BROAD='255.255.255.255'
|
||||
PORTSROOT='0:1023'
|
||||
PORTSUSER='1024:65535'
|
||||
|
||||
chain_exists()
|
||||
{
|
||||
local chain_name="$1" ; shift
|
||||
[ $# -eq 1 ] && local intable="--table $1"
|
||||
iptables $intable -nL "$chain_name" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
# Configuration
|
||||
oldconfigfile="/etc/firewall.rc"
|
||||
configfile="{{ minifirewall_main_file }}"
|
||||
|
||||
IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||
DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||
INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
|
||||
echo "Start IPTables rules..."
|
||||
|
||||
# Stop and warn if error!
|
||||
set -e
|
||||
trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
|
||||
|
||||
|
||||
# sysctl network security settings
|
||||
##################################
|
||||
|
||||
# Don't answer to broadcast pings
|
||||
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
||||
|
||||
# Ignore bogus ICMP responses
|
||||
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
|
||||
|
||||
# Disable Source Routing
|
||||
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
|
||||
echo 0 > $i
|
||||
done
|
||||
|
||||
# Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks
|
||||
# cf http://cr.yp.to/syncookies.html
|
||||
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
||||
|
||||
# Disable ICMP redirects
|
||||
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
|
||||
echo 0 > $i
|
||||
done
|
||||
|
||||
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
|
||||
echo 0 > $i
|
||||
done
|
||||
|
||||
# Enable Reverse Path filtering : verify if responses use same network interface
|
||||
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
||||
echo 1 > $i
|
||||
done
|
||||
|
||||
# log des paquets avec adresse incoherente
|
||||
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
|
||||
echo 1 > $i
|
||||
done
|
||||
|
||||
# IPTables configuration
|
||||
########################
|
||||
|
||||
$IPT -N LOG_DROP
|
||||
$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
|
||||
$IPT -A LOG_DROP -j DROP
|
||||
$IPT -N LOG_ACCEPT
|
||||
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||
$IPT -A LOG_ACCEPT -j ACCEPT
|
||||
|
||||
if test -f $oldconfigfile; then
|
||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! test -f $configfile; then
|
||||
echo "$configfile does not exist" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
tmpfile=`mktemp`
|
||||
. $configfile 2>$tmpfile >&2
|
||||
if [ -s $tmpfile ]; then
|
||||
echo "$configfile returns standard or error output (see below). Stopping." >&2
|
||||
cat $tmpfile
|
||||
exit 1
|
||||
fi
|
||||
rm $tmpfile
|
||||
|
||||
# Trusted ip addresses
|
||||
$IPT -N ONLYTRUSTED
|
||||
$IPT -A ONLYTRUSTED -j LOG_DROP
|
||||
for x in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I ONLYTRUSTED -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# Privilegied ip addresses
|
||||
# (trusted ip addresses *are* privilegied)
|
||||
$IPT -N ONLYPRIVILEGIED
|
||||
$IPT -A ONLYPRIVILEGIED -j ONLYTRUSTED
|
||||
for x in $PRIVILEGIEDIPS
|
||||
do
|
||||
$IPT -I ONLYPRIVILEGIED -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# Chain for restrictions (blacklist IPs/ranges)
|
||||
$IPT -N NEEDRESTRICT
|
||||
|
||||
# We allow all on loopback interface
|
||||
$IPT -A INPUT -i lo -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -i lo -j ACCEPT
|
||||
# if OUTPUTDROP
|
||||
$IPT -A OUTPUT -o lo -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# We avoid "martians" packets, typical when W32/Blaster virus
|
||||
# attacked windowsupdate.com and DNS was changed to 127.0.0.1
|
||||
# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
|
||||
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
||||
|
||||
|
||||
if [ "$DOCKER" = "on" ]; then
|
||||
|
||||
$IPT -N MINIFW-DOCKER-TRUSTED
|
||||
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP
|
||||
|
||||
$IPT -N MINIFW-DOCKER-PRIVILEGED
|
||||
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
|
||||
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
|
||||
|
||||
$IPT -N MINIFW-DOCKER-PUB
|
||||
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
|
||||
$IPT -A MINIFW-DOCKER-PUB -j RETURN
|
||||
|
||||
# Flush DOCKER-USER if exist, create it if absent
|
||||
if chain_exists 'DOCKER-USER'; then
|
||||
$IPT -F DOCKER-USER
|
||||
else
|
||||
$IPT -N DOCKER-USER
|
||||
fi;
|
||||
|
||||
# Pipe new connection through MINIFW-DOCKER-PUB
|
||||
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
|
||||
$IPT -A DOCKER-USER -j RETURN
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# Local services restrictions
|
||||
#############################
|
||||
|
||||
# Allow services for $INTLAN (local server or local network)
|
||||
$IPT -A INPUT -s $INTLAN -j ACCEPT
|
||||
|
||||
# Enable protection chain for sensible services
|
||||
for x in $SERVICESTCP1p
|
||||
do
|
||||
$IPT -A INPUT -p tcp --dport $x -j NEEDRESTRICT
|
||||
done
|
||||
|
||||
for x in $SERVICESUDP1p
|
||||
do
|
||||
$IPT -A INPUT -p udp --dport $x -j NEEDRESTRICT
|
||||
done
|
||||
|
||||
# Public service
|
||||
for x in $SERVICESTCP1
|
||||
do
|
||||
$IPT -A INPUT -p tcp --dport $x -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT
|
||||
done
|
||||
|
||||
for x in $SERVICESUDP1
|
||||
do
|
||||
$IPT -A INPUT -p udp --dport $x -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT
|
||||
done
|
||||
|
||||
# Privilegied services
|
||||
for x in $SERVICESTCP2
|
||||
do
|
||||
$IPT -A INPUT -p tcp --dport $x -j ONLYPRIVILEGIED
|
||||
done
|
||||
|
||||
for x in $SERVICESUDP2
|
||||
do
|
||||
$IPT -A INPUT -p udp --dport $x -j ONLYPRIVILEGIED
|
||||
done
|
||||
|
||||
# Private services
|
||||
for x in $SERVICESTCP3
|
||||
do
|
||||
$IPT -A INPUT -p tcp --dport $x -j ONLYTRUSTED
|
||||
done
|
||||
|
||||
for x in $SERVICESUDP3
|
||||
do
|
||||
$IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
|
||||
done
|
||||
|
||||
|
||||
if [ "$DOCKER" = "on" ]; then
|
||||
|
||||
# Public services defined in SERVICESTCP1 & SERVICESUDP1
|
||||
for dstport in $SERVICESTCP1
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
|
||||
done
|
||||
|
||||
for dstport in $SERVICESUDP1
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
|
||||
done
|
||||
|
||||
# Privileged services (accessible from privileged & trusted IPs)
|
||||
for dstport in $SERVICESTCP2
|
||||
do
|
||||
for srcip in $PRIVILEGIEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
|
||||
for srcip in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
done
|
||||
|
||||
for dstport in $SERVICESUDP2
|
||||
do
|
||||
for srcip in $PRIVILEGIEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
|
||||
for srcip in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
done
|
||||
|
||||
# Trusted services (accessible from trusted IPs)
|
||||
for dstport in $SERVICESTCP3
|
||||
do
|
||||
for srcip in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
done
|
||||
|
||||
for dstport in $SERVICESUDP3
|
||||
do
|
||||
for srcip in $TRUSTEDIPS
|
||||
do
|
||||
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
# External services
|
||||
###################
|
||||
|
||||
# DNS authorizations
|
||||
for x in $DNSSERVEURS
|
||||
do
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
$IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT
|
||||
done
|
||||
|
||||
# HTTP (TCP/80) authorizations
|
||||
for x in $HTTPSITES
|
||||
do
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 80 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# HTTPS (TCP/443) authorizations
|
||||
for x in $HTTPSSITES
|
||||
do
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 443 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# FTP (so complex protocol...) authorizations
|
||||
for x in $FTPSITES
|
||||
do
|
||||
# requests on Control connection
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 21 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
# FTP port-mode on Data Connection
|
||||
$IPT -A INPUT -p tcp --sport 20 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
# FTP passive-mode on Data Connection
|
||||
# WARNING, this allow all connections on TCP ports > 1024
|
||||
$IPT -A INPUT -p tcp ! --syn --sport $PORTSUSER --dport $PORTSUSER -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# SSH authorizations
|
||||
for x in $SSHOK
|
||||
do
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 22 -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# SMTP authorizations
|
||||
for x in $SMTPOK
|
||||
do
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# secure SMTP (TCP/465 et TCP/587) authorizations
|
||||
for x in $SMTPSECUREOK
|
||||
do
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
$IPT -A INPUT -p tcp ! --syn --sport 587 --dport $PORTSUSER -s $x -j ACCEPT
|
||||
done
|
||||
|
||||
# NTP authorizations
|
||||
for x in $NTPOK
|
||||
do
|
||||
$IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT
|
||||
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
|
||||
done
|
||||
|
||||
# Always allow ICMP
|
||||
$IPT -A INPUT -p icmp -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
|
||||
|
||||
|
||||
# IPTables policy
|
||||
#################
|
||||
|
||||
# by default DROP INPUT packets
|
||||
$IPT -P INPUT DROP
|
||||
[ "$IPV6" != "off" ] && $IPT6 -P INPUT DROP
|
||||
|
||||
# by default, no FORWARING (deprecated for Virtual Machines)
|
||||
#echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
#$IPT -P FORWARD DROP
|
||||
#$IPT6 -P FORWARD DROP
|
||||
|
||||
# by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets)
|
||||
$IPT -P OUTPUT ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT
|
||||
$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPT -A OUTPUT -p udp -j DROP
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp -j DROP
|
||||
|
||||
trap - INT TERM EXIT
|
||||
|
||||
echo "...starting IPTables rules is now finish : OK"
|
||||
;;
|
||||
|
||||
stop)
|
||||
|
||||
echo "Flush all rules and accept everything..."
|
||||
|
||||
# Delete all rules
|
||||
$IPT -F INPUT
|
||||
$IPT -F OUTPUT
|
||||
$IPT -F LOG_DROP
|
||||
$IPT -F LOG_ACCEPT
|
||||
$IPT -F ONLYTRUSTED
|
||||
$IPT -F ONLYPRIVILEGIED
|
||||
$IPT -F NEEDRESTRICT
|
||||
[ "$DOCKER" = "off" ] && $IPT -t nat -F
|
||||
$IPT -t mangle -F
|
||||
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
||||
|
||||
if [ "$DOCKER" = "on" ]; then
|
||||
$IPT -F DOCKER-USER
|
||||
$IPT -A DOCKER-USER -j RETURN
|
||||
|
||||
$IPT -F MINIFW-DOCKER-PUB
|
||||
$IPT -X MINIFW-DOCKER-PUB
|
||||
$IPT -F MINIFW-DOCKER-PRIVILEGED
|
||||
$IPT -X MINIFW-DOCKER-PRIVILEGED
|
||||
$IPT -F MINIFW-DOCKER-TRUSTED
|
||||
$IPT -X MINIFW-DOCKER-TRUSTED
|
||||
|
||||
fi
|
||||
|
||||
# Accept all
|
||||
$IPT -P INPUT ACCEPT
|
||||
$IPT -P OUTPUT ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -P INPUT ACCEPT
|
||||
[ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT
|
||||
#$IPT -P FORWARD ACCEPT
|
||||
#$IPT -t nat -P PREROUTING ACCEPT
|
||||
#$IPT -t nat -P POSTROUTING ACCEPT
|
||||
|
||||
# Delete non-standard chains
|
||||
$IPT -X LOG_DROP
|
||||
$IPT -X LOG_ACCEPT
|
||||
$IPT -X ONLYPRIVILEGIED
|
||||
$IPT -X ONLYTRUSTED
|
||||
$IPT -X NEEDRESTRICT
|
||||
|
||||
echo "...flushing IPTables rules is now finish : OK"
|
||||
;;
|
||||
|
||||
status)
|
||||
|
||||
$IPT -L -n -v --line-numbers
|
||||
$IPT -t nat -L -n -v --line-numbers
|
||||
$IPT -t mangle -L -n -v --line-numbers
|
||||
$IPT6 -L -n -v --line-numbers
|
||||
$IPT6 -t mangle -L -n -v --line-numbers
|
||||
;;
|
||||
|
||||
reset)
|
||||
|
||||
echo "Reset all IPTables counters..."
|
||||
|
||||
$IPT -Z
|
||||
$IPT -t nat -Z
|
||||
$IPT -t mangle -Z
|
||||
[ "$IPV6" != "off" ] && $IPT6 -Z
|
||||
[ "$IPV6" != "off" ] && $IPT6 -t mangle -Z
|
||||
|
||||
echo "...reseting IPTables counters is now finish : OK"
|
||||
;;
|
||||
|
||||
restart)
|
||||
|
||||
$0 stop
|
||||
$0 start
|
||||
;;
|
||||
|
||||
*)
|
||||
|
||||
echo "Usage: $0 {start|stop|restart|status|reset|squid}"
|
||||
exit 1
|
||||
esac
|
||||
|
||||
exit 0
|
|
@ -1,13 +1,13 @@
|
|||
---
|
||||
|
||||
- include: main_jessie.yml
|
||||
- import_tasks: main_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: main_stretch.yml
|
||||
- import_tasks: main_stretch.yml
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- include: main_buster.yml
|
||||
- import_tasks: main_buster.yml
|
||||
when: ansible_distribution_release == "buster"
|
||||
|
||||
- include: main_bullseye.yml
|
||||
- import_tasks: main_bullseye.yml
|
||||
when: ansible_distribution_major_version is version('11', '>=')
|
||||
|
|
|
@ -3,20 +3,20 @@
|
|||
- set_fact:
|
||||
mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}"
|
||||
|
||||
- include: packages.yml
|
||||
- import_tasks: packages.yml
|
||||
|
||||
- include: users.yml
|
||||
- import_tasks: users.yml
|
||||
|
||||
- include: config.yml
|
||||
- import_tasks: config.yml
|
||||
|
||||
- include: datadir.yml
|
||||
- import_tasks: datadir.yml
|
||||
|
||||
- include: tmpdir.yml
|
||||
- import_tasks: tmpdir.yml
|
||||
|
||||
- include: nrpe.yml
|
||||
- import_tasks: nrpe.yml
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
|
||||
- include: log2mail.yml
|
||||
- import_tasks: log2mail.yml
|
||||
|
||||
- include: utils.yml
|
||||
- import_tasks: utils.yml
|
||||
|
|
|
@ -4,44 +4,44 @@
|
|||
set_fact:
|
||||
mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}"
|
||||
|
||||
- include: packages_stretch.yml
|
||||
- import_tasks: packages_stretch.yml
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- include: packages_jessie.yml
|
||||
- import_tasks: packages_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
## There is nothing to do with users on Debian 11 - yet we need a /root/.my.cnf for compatibility
|
||||
- include: users_bullseye.yml
|
||||
- import_tasks: users_bullseye.yml
|
||||
when: ansible_distribution_release == "bullseye"
|
||||
|
||||
- include: users_buster.yml
|
||||
- import_tasks: users_buster.yml
|
||||
when: ansible_distribution_release == "buster"
|
||||
|
||||
- include: users_stretch.yml
|
||||
- import_tasks: users_stretch.yml
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- include: users_jessie.yml
|
||||
- import_tasks: users_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: config_stretch.yml
|
||||
- import_tasks: config_stretch.yml
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- include: config_jessie.yml
|
||||
- import_tasks: config_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: replication.yml
|
||||
- import_tasks: replication.yml
|
||||
when: mysql_replication | bool
|
||||
|
||||
- include: datadir.yml
|
||||
- import_tasks: datadir.yml
|
||||
|
||||
- include: logdir.yml
|
||||
- import_tasks: logdir.yml
|
||||
|
||||
- include: tmpdir.yml
|
||||
- import_tasks: tmpdir.yml
|
||||
|
||||
- include: nrpe.yml
|
||||
- import_tasks: nrpe.yml
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
|
||||
- include: log2mail.yml
|
||||
- import_tasks: log2mail.yml
|
||||
|
||||
- include: utils.yml
|
||||
- import_tasks: utils.yml
|
||||
|
|
|
@ -239,4 +239,4 @@
|
|||
mode: "0755"
|
||||
force: no
|
||||
tags:
|
||||
- mysql
|
||||
- mysql
|
||||
|
|
|
@ -1,30 +1,40 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Verify that given mountpoints have 'read-write' option.
|
||||
|
||||
output=$(mktemp --tmpdir $(basename $0).XXXXXXXXXX)
|
||||
output=$(mktemp --tmpdir $(basename "$0").XXXXXXXXXX)
|
||||
critical_count=0
|
||||
ok_count=0
|
||||
|
||||
trap "rm -f $output" EXIT
|
||||
|
||||
for mountpoint in $@; do
|
||||
# We verify no mointpoints have 'read-only' option instead of checking
|
||||
# for 'read-write' option, because there could be multiple device
|
||||
# mounted on a sigle path. In that edge case only checking for the
|
||||
# presence of the 'read-write' option would yeild a flase positive.
|
||||
if findmnt -O ro --noheadings "$mountpoint" 1>/dev/null 2>&1; then
|
||||
echo "CRITICAL - $mountpoint" >> "$output"
|
||||
critical_count=$(( critical_count + 1))
|
||||
critical_count=$(( critical_count + 1))
|
||||
else
|
||||
echo "OK - $mountpoint" >> "$output"
|
||||
ok_count=$(( ok_count + 1))
|
||||
ok_count=$(( ok_count + 1))
|
||||
fi
|
||||
done
|
||||
|
||||
total_count=$(( ok_count + critical_count ))
|
||||
|
||||
plural=''
|
||||
test "$total_count" -gt 1 && plural='s'
|
||||
|
||||
if [ $ok_count -eq $total_count ]; then
|
||||
printf "OK - %d/%d no read-only mountpoint\n\n" "$ok_count" "$total_count"
|
||||
printf "OK - %d/%d mountpoint%s have 'read-write' option\n\n" \
|
||||
"$ok_count" "$total_count" "$plural"
|
||||
cat "$output"
|
||||
exit 0
|
||||
else
|
||||
printf "CRITICAL - %d/%d read-only mountpoint\n\n" "$critical_count" "$total_count"
|
||||
printf "CRITICAL - %d/%d mountpoint%s don't have 'read-write' option\n\n" \
|
||||
"$critical_count" "$total_count" "$plural"
|
||||
cat "$output"
|
||||
exit 2
|
||||
fi
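Review bot: `for mountpoint in $@; do` leaves `$@` unquoted, so a mountpoint containing whitespace is split into several arguments before `findmnt` sees it; use `for mountpoint in "$@"; do`. With no arguments at all, `ok_count` and `total_count` are both 0, so the script prints `OK - 0/0 ...` and exits 0, which makes a misconfigured NRPE command line read as a healthy check instead of a monitoring error; add an early guard such as `[ "$#" -eq 0 ] && { echo "UNKNOWN - no mountpoint given"; exit 3; }` before the loop. The `trap "rm -f $output" EXIT` works because `$output` is already set, but `trap 'rm -f "$output"' EXIT` keeps the path quoted when the command actually runs.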
|
||||
|
||||
|
|
|
@ -21,10 +21,10 @@
|
|||
set_fact:
|
||||
eni_interface_name: "{{ ansible_default_ipv4.interface }}"
|
||||
|
||||
- include: set_facts_from_systemd.yml
|
||||
- import_tasks: set_facts_from_systemd.yml
|
||||
when: systemd_network_file.stat.exists
|
||||
|
||||
- include: set_facts_from_ansible.yml
|
||||
- import_tasks: set_facts_from_ansible.yml
|
||||
when: not systemd_network_file.stat.exists
|
||||
|
||||
- name: Check config (IPv4)
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
|
||||
- include: sources.yml
|
||||
- import_tasks: sources.yml
|
||||
|
||||
- include: php.yml
|
||||
- import_tasks: php.yml
|
||||
when: newrelic_php | bool
|
||||
|
||||
- include: sysmond.yml
|
||||
- import_tasks: sysmond.yml
|
||||
when: newrelic_sysmond | bool
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# Evolix default customizations
|
||||
|
||||
server_tokens off;
|
||||
server_names_hash_max_size 512;
|
||||
server_names_hash_bucket_size 128;
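Review bot: `server_tokens off;`, presumably the one added line in this hunk, is a sensible default but deserves a comment saying what it does and does not do: it drops the version from the `Server` header and from nginx's built-in error pages, while the header itself (`Server: nginx`) is still sent. Suggest `# hide the nginx version in the Server header and error pages (the bare "nginx" token remains)` above it, so nobody later assumes the header is fully suppressed.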
|
||||
|
|
|
@ -8,9 +8,9 @@
|
|||
msg: "Nginx minimal mode has been set, using minimal mode."
|
||||
when: nginx_minimal | bool
|
||||
|
||||
- include: packages.yml
|
||||
- import_tasks: packages.yml
|
||||
|
||||
- include: server_status_read.yml
|
||||
- import_tasks: server_status_read.yml
|
||||
tags:
|
||||
- nginx
|
||||
|
||||
|
@ -64,7 +64,7 @@
|
|||
- ips
|
||||
|
||||
- name: Include IP address whitelist task
|
||||
include: ip_whitelist.yml
|
||||
import_tasks: ip_whitelist.yml
|
||||
|
||||
- name: Copy evolinux_server_custom
|
||||
copy:
|
||||
|
@ -134,7 +134,7 @@
|
|||
tags:
|
||||
- nginx
|
||||
|
||||
- include: server_status_write.yml
|
||||
- import_tasks: server_status_write.yml
|
||||
tags:
|
||||
- nginx
|
||||
|
||||
|
@ -155,16 +155,16 @@
|
|||
- nginx
|
||||
- munin
|
||||
|
||||
- include: munin_vhost.yml
|
||||
- import_tasks: munin_vhost.yml
|
||||
when: stat_munin_node.stat.exists
|
||||
tags:
|
||||
- nginx
|
||||
- munin
|
||||
|
||||
- include: munin_graphs.yml
|
||||
- import_tasks: munin_graphs.yml
|
||||
when: stat_munin_node.stat.exists
|
||||
tags:
|
||||
- nginx
|
||||
- munin
|
||||
|
||||
- include: logrotate.yml
|
||||
- import_tasks: logrotate.yml
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
nginx_default_package_name: nginx-light
|
||||
when: nginx_minimal | bool
|
||||
|
||||
- include: packages_backports.yml
|
||||
- import_tasks: packages_backports.yml
|
||||
when: nginx_backports | bool
|
||||
|
||||
# TODO: install "nginx" + only necessary modules, instead of "nginx-full"
|
||||
|
|
|
@ -61,5 +61,5 @@
|
|||
- packages
|
||||
- nodejs
|
||||
|
||||
- include: yarn.yml
|
||||
- import_tasks: yarn.yml
|
||||
when: nodejs_install_yarn | bool
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
msg: "Only compatible with Debian and OpenBSD"
|
||||
|
||||
- name: Include Debian version
|
||||
include: debian.yml
|
||||
import_tasks: debian.yml
|
||||
when: ansible_distribution == "Debian"
|
||||
|
||||
- name: Include OpenBSD version
|
||||
include: openbsd.yml
|
||||
import_tasks: openbsd.yml
|
||||
when: ansible_distribution == "OpenBSD"
|
||||
|
||||
|
|
|
@ -6,6 +6,7 @@ port 1194
|
|||
proto udp
|
||||
dev tun
|
||||
mode server
|
||||
topology subnet
|
||||
keepalive 10 120
|
||||
tls-exit
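Review bot: `tls-exit`, presumably the one added line in this hunk, makes the OpenVPN process exit on a TLS negotiation failure; in a `mode server` configuration that would mean a single client presenting a bad or expired certificate, or a malformed handshake, terminates the daemon for every connected client, if the option behaves that way in server mode as its description suggests — please confirm this is intended. If it is, a comment stating the rationale (fail-closed behaviour traded against availability) belongs next to it; if not, it is safer to drop it from the server template.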
|
||||
|
||||
|
|
|
@ -82,13 +82,13 @@
|
|||
regexp: '^DIR_MODE='
|
||||
line: 'DIR_MODE=0750'
|
||||
|
||||
- include: apache.yml
|
||||
- import_tasks: apache.yml
|
||||
|
||||
- include: phpmyadmin.yml
|
||||
- import_tasks: phpmyadmin.yml
|
||||
|
||||
- include: awstats.yml
|
||||
- import_tasks: awstats.yml
|
||||
|
||||
- include: fhs_retrictions.yml
|
||||
- import_tasks: fhs_retrictions.yml
|
||||
when: packweb_fhs_retrictions | bool
|
||||
|
||||
- name: Periodically cache ftp directory sizes for ftpadmin.sh
|
||||
|
@ -97,5 +97,5 @@
|
|||
special_time: daily
|
||||
job: "/usr/share/scripts/evoadmin/stats.sh"
|
||||
|
||||
- include: multiphp.yml
|
||||
- import_tasks: multiphp.yml
|
||||
when: packweb_multiphp_versions | length > 0
|
||||
|
|
|
@ -61,5 +61,5 @@
|
|||
update_cache: yes
|
||||
when: percona__apt_config_deb is changed
|
||||
|
||||
- include: xtrabackup.yml
|
||||
- import_tasks: xtrabackup.yml
|
||||
when: percona__install_xtrabackup | bool
|
||||
|
|
|
@ -7,14 +7,14 @@
|
|||
- ansible_distribution_major_version is version('11', '<=')
|
||||
msg: This is only compatible with Debian 8 → 11
|
||||
|
||||
- include: main_jessie.yml
|
||||
- import_tasks: main_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: main_stretch.yml
|
||||
- import_tasks: main_stretch.yml
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- include: main_buster.yml
|
||||
- import_tasks: main_buster.yml
|
||||
when: ansible_distribution_release == "buster"
|
||||
|
||||
- include: main_bullseye.yml
|
||||
- import_tasks: main_bullseye.yml
|
||||
when: ansible_distribution_release == "bullseye"
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
- composer
|
||||
- libphp-phpmailer
|
||||
|
||||
- include: sury_pre.yml
|
||||
- import_tasks: sury_pre.yml
|
||||
when: php_sury_enable
|
||||
|
||||
- name: "Install PHP packages (Debian 11)"
|
||||
|
@ -68,13 +68,13 @@
|
|||
- /etc/php
|
||||
- /etc/php/7.4
|
||||
|
||||
- include: config_cli.yml
|
||||
- import_tasks: config_cli.yml
|
||||
- name: "Enforce permissions on PHP cli directory (Debian 11)"
|
||||
file:
|
||||
dest: /etc/php/7.4/cli
|
||||
mode: "0755"
|
||||
|
||||
- include: config_fpm.yml
|
||||
- import_tasks: config_fpm.yml
|
||||
when: php_fpm_enable
|
||||
|
||||
- name: "Enforce permissions on PHP fpm directory (Debian 11)"
|
||||
|
@ -83,7 +83,7 @@
|
|||
mode: "0755"
|
||||
when: php_fpm_enable
|
||||
|
||||
- include: config_apache.yml
|
||||
- import_tasks: config_apache.yml
|
||||
when: php_apache_enable
|
||||
|
||||
- name: "Enforce permissions on PHP apache2 directory (Debian 11)"
|
||||
|
@ -92,5 +92,5 @@
|
|||
mode: "0755"
|
||||
when: php_apache_enable
|
||||
|
||||
- include: sury_post.yml
|
||||
- import_tasks: sury_post.yml
|
||||
when: php_sury_enable
|
||||
|
|
|
@ -35,7 +35,7 @@
|
|||
- composer
|
||||
- libphp-phpmailer
|
||||
|
||||
- include: sury_pre.yml
|
||||
- import_tasks: sury_pre.yml
|
||||
when: php_sury_enable | bool
|
||||
|
||||
- name: "Install PHP packages (Debian 10)"
|
||||
|
@ -69,13 +69,13 @@
|
|||
- /etc/php
|
||||
- /etc/php/7.3
|
||||
|
||||
- include: config_cli.yml
|
||||
- import_tasks: config_cli.yml
|
||||
- name: "Enforce permissions on PHP cli directory (Debian 10)"
|
||||
file:
|
||||
dest: /etc/php/7.3/cli
|
||||
mode: "0755"
|
||||
|
||||
- include: config_fpm.yml
|
||||
- import_tasks: config_fpm.yml
|
||||
when: php_fpm_enable | bool
|
||||
|
||||
- name: "Enforce permissions on PHP fpm directory (Debian 10)"
|
||||
|
@ -84,7 +84,7 @@
|
|||
mode: "0755"
|
||||
when: php_fpm_enable | bool
|
||||
|
||||
- include: config_apache.yml
|
||||
- import_tasks: config_apache.yml
|
||||
when: php_apache_enable | bool
|
||||
|
||||
- name: "Enforce permissions on PHP apache2 directory (Debian 10)"
|
||||
|
@ -93,5 +93,5 @@
|
|||
mode: "0755"
|
||||
when: php_apache_enable | bool
|
||||
|
||||
- include: sury_post.yml
|
||||
- import_tasks: sury_post.yml
|
||||
when: php_sury_enable | bool
|
||||
|
|
|
@ -57,14 +57,14 @@
|
|||
dest: /etc/php5
|
||||
mode: "0755"
|
||||
|
||||
- include: config_cli.yml
|
||||
- import_tasks: config_cli.yml
|
||||
|
||||
- name: Enforce permissions on PHP cli directory (Debian 8)
|
||||
file:
|
||||
dest: /etc/php5/cli
|
||||
mode: "0755"
|
||||
|
||||
- include: config_fpm.yml
|
||||
- import_tasks: config_fpm.yml
|
||||
when: php_fpm_enable | bool
|
||||
|
||||
- name: Enforce permissions on PHP fpm directory (Debian 8)
|
||||
|
@ -73,7 +73,7 @@
|
|||
mode: "0755"
|
||||
when: php_fpm_enable | bool
|
||||
|
||||
- include: config_apache.yml
|
||||
- import_tasks: config_apache.yml
|
||||
when: php_apache_enable | bool
|
||||
|
||||
- name: Enforce permissions on PHP apache2 directory (Debian 8)
|
||||
|
|
|
@ -35,7 +35,7 @@
|
|||
- composer
|
||||
- libphp-phpmailer
|
||||
|
||||
- include: sury_pre.yml
|
||||
- import_tasks: sury_pre.yml
|
||||
when: php_sury_enable | bool
|
||||
|
||||
- name: "Install PHP packages (Debian 9)"
|
||||
|
@ -69,14 +69,14 @@
|
|||
- /etc/php
|
||||
- /etc/php/7.0
|
||||
|
||||
- include: config_cli.yml
|
||||
- import_tasks: config_cli.yml
|
||||
|
||||
- name: "Enforce permissions on PHP cli directory (Debian 9)"
|
||||
file:
|
||||
dest: /etc/php/7.0/cli
|
||||
mode: "0755"
|
||||
|
||||
- include: config_fpm.yml
|
||||
- import_tasks: config_fpm.yml
|
||||
when: php_fpm_enable | bool
|
||||
|
||||
- name: "Enforce permissions on PHP fpm directory (Debian 9)"
|
||||
|
@ -85,7 +85,7 @@
|
|||
mode: "0755"
|
||||
when: php_fpm_enable | bool
|
||||
|
||||
- include: config_apache.yml
|
||||
- import_tasks: config_apache.yml
|
||||
when: php_apache_enable | bool
|
||||
|
||||
- name: "Enforce permissions on PHP apache2 directory (Debian 9)"
|
||||
|
@ -94,5 +94,5 @@
|
|||
mode: "0755"
|
||||
when: php_apache_enable | bool
|
||||
|
||||
- include: sury_post.yml
|
||||
- import_tasks: sury_post.yml
|
||||
when: php_sury_enable | bool
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
|
||||
- include: common.yml
|
||||
- import_tasks: common.yml
|
||||
|
||||
- include: minimal.yml
|
||||
- import_tasks: minimal.yml
|
||||
when: not (postfix_packmail | bool)
|
||||
|
||||
- include: packmail.yml
|
||||
- import_tasks: packmail.yml
|
||||
when: postfix_packmail | bool
|
||||
|
||||
- include: slow_transport.yml
|
||||
- import_tasks: slow_transport.yml
|
||||
when: postfix_slow_transport_include | bool
|
||||
|
|
|
@ -158,7 +158,7 @@ smtp-amavis unix - - y - 2 lmtp
|
|||
-o smtpd_hard_error_limit=1000
|
||||
-o smtpd_client_connection_count_limit=0
|
||||
-o smtpd_client_connection_rate_limit=0
|
||||
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
|
||||
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
|
||||
|
||||
pre-cleanup unix n - n - 0 cleanup
|
||||
-o virtual_alias_maps=
|
||||
|
|
|
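Review bot: Adding `no_milters` to the smtp-amavis reinjection entry means no milter configured in main.cf processes mail after content filtering; that is normally intended, since milters already ran on the receiving smtpd, but the template gives no hint of that, so the exemption reads like an oversight next to the other override options. A comment above the changed line would settle it, e.g. `# milters already ran on the receiving smtpd; do not run them again on reinjection from amavis`. If any milter is expected to act on this post-filter path (for example a signer that is meant to see the filtered copy), this line would need to be revisited. The smtp-amavis service definition starts outside the hunk.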
@ -1,25 +1,25 @@
|
|||
---
|
||||
- include: locales.yml
|
||||
- import_tasks: locales.yml
|
||||
|
||||
- include: packages_jessie.yml
|
||||
- import_tasks: packages_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: packages_stretch.yml
|
||||
- import_tasks: packages_stretch.yml
|
||||
when: ansible_distribution_release == "stretch"
|
||||
|
||||
- include: packages_buster.yml
|
||||
- import_tasks: packages_buster.yml
|
||||
when: ansible_distribution_release == "buster"
|
||||
|
||||
- include: packages_bullseye.yml
|
||||
- import_tasks: packages_bullseye.yml
|
||||
when: ansible_distribution_major_version is version('11', '>=')
|
||||
|
||||
- include: config.yml
|
||||
- import_tasks: config.yml
|
||||
|
||||
- include: nrpe.yml
|
||||
- import_tasks: nrpe.yml
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
|
||||
- include: logrotate.yml
|
||||
- import_tasks: logrotate.yml
|
||||
|
||||
- include: postgis.yml
|
||||
- import_tasks: postgis.yml
|
||||
when: postgresql_install_postgis | bool
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
postgresql_version: '13'
|
||||
when: postgresql_version is none or postgresql_version | length == 0
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
- import_tasks: pgdg-repo.yml
|
||||
when: postgresql_version != '13'
|
||||
|
||||
- name: Install postgresql package
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
postgresql_version: '11'
|
||||
when: postgresql_version is none or postgresql_version | length == 0
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
- import_tasks: pgdg-repo.yml
|
||||
when: postgresql_version != '11'
|
||||
|
||||
- name: Install postgresql package
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
postgresql_version: '9.4'
|
||||
when: postgresql_version is none or postgresql_version | length == 0
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
- import_tasks: pgdg-repo.yml
|
||||
when: postgresql_version != '9.4'
|
||||
|
||||
- name: Install postgresql package
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
postgresql_version: '9.6'
|
||||
when: postgresql_version is none or postgresql_version | length == 0
|
||||
|
||||
- include: pgdg-repo.yml
|
||||
- import_tasks: pgdg-repo.yml
|
||||
when: postgresql_version != '9.6'
|
||||
|
||||
- name: Install postgresql package
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- include: accounts_password.yml
|
||||
- include_tasks: accounts_password.yml
|
||||
when: item.password is undefined
|
||||
loop: "{{ proftpd_accounts }}"
|
||||
tags:
|
||||
|
|
|
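Review bot: The switch to `include_tasks:` is the right choice here because of the `loop:`, but a dynamic include does not pass its `tags:` down to the tasks in accounts_password.yml; the old `include:` did, so a run restricted with `--tags` may now execute the include itself and then filter out every task inside the file. If that file's tasks are not tagged themselves, add an `apply:` block on the include mirroring the tags listed below, e.g. `apply:` / `  tags:` / `    - proftpd` (the exact tag values are cut off at the end of the hunk, so copy whatever follows `tags:`). The `tags:` list on this task continues outside the hunk.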
@ -79,5 +79,5 @@
|
|||
tags:
|
||||
- proftpd
|
||||
|
||||
- include: accounts.yml
|
||||
- import_tasks: accounts.yml
|
||||
when: proftpd_accounts | length > 0
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
tags:
|
||||
- nrpe
|
||||
|
||||
- include: nrpe.yml
|
||||
- import_tasks: nrpe.yml
|
||||
when: nrpe_evolix_config.stat.exists
|
||||
|
||||
- name: is Munin present ?
|
||||
|
@ -45,5 +45,5 @@
|
|||
tags:
|
||||
- nrpe
|
||||
|
||||
- include: munin.yml
|
||||
- import_tasks: munin.yml
|
||||
when: etc_munin_directory.stat.exists
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# munin
|
||||
# Redis
|
||||
|
||||
Installation and basic configuration of Redis.
|
||||
|
||||
|
|
|
@ -56,11 +56,11 @@
|
|||
when: redis_instance_name is defined
|
||||
|
||||
- name: configure Redis for default mode
|
||||
include: default-server.yml
|
||||
import_tasks: default-server.yml
|
||||
when: redis_instance_name is not defined
|
||||
|
||||
- name: configure Redis for instance mode
|
||||
include: instance-server.yml
|
||||
import_tasks: instance-server.yml
|
||||
when: redis_instance_name is defined
|
||||
|
||||
- name: Is Munin installed
|
||||
|
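Review bot: The `name:` entries above `import_tasks: default-server.yml` and `import_tasks: instance-server.yml` are kept, but as far as I know a static import does not display its own name at run time (only the imported tasks appear, under their own names), so these labels are now silent; the same pattern is in the hunks at `@ -72`, `@ -82`, `@ -100` and `@ -110` of this file. Either keep `include_tasks:` where the label is wanted in the play output, or drop the `name:` lines and carry the "default mode" / "instance mode" information into the task names inside the imported files. If the name is intentionally kept as documentation for readers of main.yml, a short comment saying so would stop the next person from removing it.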
@ -72,7 +72,7 @@
|
|||
- munin
|
||||
|
||||
- name: configure Munin for default mode
|
||||
include: default-munin.yml
|
||||
import_tasks: default-munin.yml
|
||||
when:
|
||||
- _munin_installed.stat.exists
|
||||
- _munin_installed.stat.isdir
|
||||
|
@ -82,7 +82,7 @@
|
|||
- munin
|
||||
|
||||
- name: configure Munin for instance mode
|
||||
include: instance-munin.yml
|
||||
import_tasks: instance-munin.yml
|
||||
when:
|
||||
- _munin_installed.stat.exists
|
||||
- _munin_installed.stat.isdir
|
||||
|
@ -100,7 +100,7 @@
|
|||
- log2mail
|
||||
|
||||
- name: configure log2mail for default mode
|
||||
include: default-log2mail.yml
|
||||
import_tasks: default-log2mail.yml
|
||||
when:
|
||||
- _log2mail_installed.stat.exists
|
||||
- _log2mail_installed.stat.isdir
|
||||
|
@ -110,7 +110,7 @@
|
|||
- log2mail
|
||||
|
||||
- name: configure log2mail for instance mode
|
||||
include: instance-log2mail.yml
|
||||
import_tasks: instance-log2mail.yml
|
||||
when:
|
||||
- _log2mail_installed.stat.exists
|
||||
- _log2mail_installed.stat.isdir
|
||||
|
@ -128,7 +128,7 @@
|
|||
- redis
|
||||
- nrpe
|
||||
|
||||
- include: nrpe.yml
|
||||
- import_tasks: nrpe.yml
|
||||
when: nrpe_evolix_config.stat.exists
|
||||
tags:
|
||||
- redis
|
||||
|
|
|
@ -79,6 +79,10 @@
|
|||
- redis
|
||||
- nrpe
|
||||
|
||||
- name: "Remount /usr with RW for 'install check_redis instance'"
|
||||
include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: install check_redis_instances
|
||||
copy:
|
||||
src: check_redis_instances.sh
|
||||
|
|
|
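Review bot: The added `include_role: name: evolix/remount-usr` makes /usr writable before the `copy` of check_redis_instances.sh, but nothing in the hunk remounts it read-only afterwards; if that role restores the read-only mount through a handler at the end of the play, say so next to the task, e.g. `# evolix/remount-usr remounts /usr read-only again via its handler`, otherwise /usr stays writable for the remainder of the run. The task name also says 'install check_redis instance' while the task it prepares for is named `install check_redis_instances`; aligning the two makes the pairing obvious in the output. The copy task continues outside the hunk, so its mode and ownership could not be checked here.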
@ -1,13 +1,13 @@
|
|||
---
|
||||
- include: packages.yml
|
||||
- include: syslog.yml
|
||||
- include: user.yml
|
||||
- import_tasks: packages.yml
|
||||
- import_tasks: syslog.yml
|
||||
- import_tasks: user.yml
|
||||
- include_role:
|
||||
name: evolix/rbenv
|
||||
vars:
|
||||
- username: "{{ redmine_user }}"
|
||||
- include: config.yml
|
||||
- include: mysql.yml
|
||||
- include: source.yml
|
||||
- include: release.yml
|
||||
- include: nginx.yml
|
||||
- import_tasks: config.yml
|
||||
- import_tasks: mysql.yml
|
||||
- import_tasks: source.yml
|
||||
- import_tasks: release.yml
|
||||
- import_tasks: nginx.yml
|
||||
|
|
|
@ -152,15 +152,15 @@
|
|||
notify: "reload squid"
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- include: systemd.yml
|
||||
- import_tasks: systemd.yml
|
||||
when: ansible_distribution_major_version is version('10', '>=')
|
||||
|
||||
- include: logrotate_jessie.yml
|
||||
- import_tasks: logrotate_jessie.yml
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- include: logrotate_stretch.yml
|
||||
- import_tasks: logrotate_stretch.yml
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- include: minifirewall.yml
|
||||
- import_tasks: minifirewall.yml
|
||||
|
||||
- include: log2mail.yml
|
||||
- import_tasks: log2mail.yml
|
||||
|
|
|
@ -39,5 +39,5 @@
|
|||
tags:
|
||||
- ssl
|
||||
|
||||
- include: haproxy.yml
|
||||
- import_tasks: haproxy.yml
|
||||
when: haproxy_check.rc == 0
|
||||
|
|