Compare commits


45 commits

Author SHA1 Message Date
Mathieu Trossevin 956ecd4700
Replace the include module with include_tasks or import_tasks
The behaviour of the `include` module is badly defined (it tries to choose
between statically importing the tasks and dynamically including them)
and can cause problems depending on any number of constraints (mostly if
it chooses the wrong behaviour).

Replace it with the `import_tasks` (always statically import tasks) unless
the `include` is in a loop in which case we replace it with
`include_tasks` (always dynamically include tasks).
2022-03-30 16:40:44 +02:00
Mathieu Trossevin ef50defc0a Merge pull request 'Commit changes to /etc of lxc containers that are git repositories' (#149) from lxc_etc-commit into unstable
Reviewed-on: evolix/ansible-roles#149
2022-03-30 16:36:38 +02:00
Mathieu Trossevin 5dc6a1d36b
etc-git: Commit changes to /etc in containers 2022-03-30 16:33:00 +02:00
Jérémy Lecour 31c2629d31 minifirewall: configure proxy/backup/sysctl values 2022-03-30 09:42:56 +02:00
Mathieu Trossevin 20abe0e09a
postfix: Skip milters after amavis (in packmail)
Otherwise opendkim will sign local mails twice AND sign external mails
(pretending to be) from local domains as if they were local mails.
2022-03-29 16:06:12 +02:00
Jérémy Lecour 75459baa35 dump-server-state: upstream release 22.03.10 2022-03-29 09:11:35 +02:00
Jérémy Lecour 3feacd0c6d update CHANGELOG 2022-03-28 13:28:48 +02:00
Jérémy Lecour 1ae978c74a minifirewall: restore "force-restart" and fix "restart-if-needed" 2022-03-28 13:27:22 +02:00
Ludovic Poujol 6ab0cb4fd1 evolinux-base: Fix utils.yml -> Do not needlessly move the script that we are going to overwrite anyway
+ Fix the case of a machine that does not have the script (the initial mv failed)
2022-03-28 11:56:24 +02:00
Jérémy Lecour 214b6e0d6a dump-server-state: upstream release 22.03.9 2022-03-27 10:40:52 +02:00
Jérémy Lecour d0f8e6c753 dump-server-state: upstream release 22.03.8 2022-03-27 10:08:20 +02:00
Jérémy Lecour f0b23ffa50 dump-server-state: split backup-dir and dump-dir options parsing 2022-03-27 09:31:06 +02:00
Jérémy Lecour 54bf9c1854 evolinux-base: rename backup-server-state to dump-server-state 2022-03-27 09:18:15 +02:00
Jérémy Lecour 85d429295f minifirewall: tail template follows symlinks 2022-03-25 18:12:24 +01:00
Jérémy Lecour bbc1bae437 minifirewall: upstream release 22.03.4 2022-03-25 14:57:10 +01:00
Jérémy Dubois d2fa14fb4f backup-server-state: release 22.03.5 2022-03-24 18:15:56 +01:00
Jérémy Dubois 42782b7f3d evolinux-base: fix show_help in backup-server-state.sh
* --uname and --no-uname options were not in help
* --services and --no-services were in help whereas --systemctl and --no-systemctl are used in options parsing
2022-03-24 17:57:58 +01:00
Mathieu Trossevin 1646cc99bf
redis: Remount /usr with RW when adding nagios plugin 2022-03-23 13:55:54 +01:00
Jérémy Dubois b4f83e54d0 openvpn: use a subnet topology instead of the net30 default topology 2022-03-23 10:46:17 +01:00
Jérémy Lecour 0d1ccc79c3 whitespace 2022-03-22 15:31:06 +01:00
Jérémy Lecour 163d5abf7c backup-server-state: release 22.03.4 2022-03-22 15:31:02 +01:00
Jérémy Lecour ef832c9ab6 backup-server-state: also dump iptables rules without counters 2022-03-22 15:31:02 +01:00
Jérémy Dubois c2f6ff5249 evocheck: upstream release 22.03.1 2022-03-22 11:03:26 +01:00
Jérémy Lecour 5895f5a99b minifirewall: upstream release 22.03.3 2022-03-21 14:35:20 +01:00
Jérémy Lecour e7594c6c86 evolinux-base: backup-server-state release 22.03.2 2022-03-21 11:32:08 +01:00
Mathieu Trossevin 444bd72944
generate-ldif: Correct generated entries for php-fpm in containers 2022-03-17 17:36:35 +01:00
Jérémy Lecour fb41c81e99 backup-server-state: release 22.03.2
update documentation for --dpkg-full vs. --dpkg-status
2022-03-17 10:45:44 +01:00
Jérémy Lecour 8a9faa0250 * minifirewall: upstream release 22.03.2 2022-03-16 23:49:34 +01:00
Jérémy Lecour 545226f6f6 evocheck: upstream release 22.03 2022-03-15 23:25:15 +01:00
Jérémy Lecour ba90203f21 minifirewall: upstream release 22.03.1 and use includes directory 2022-03-15 23:07:33 +01:00
Ludovic Poujol 17f884b04a evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware 2022-03-15 11:35:20 +01:00
Ludovic Poujol 913e6d96e8 generate-ldif: Add services check for bkctld 2022-03-15 10:53:16 +01:00
Ludovic Poujol 0e768809b7 evomaintenance: Make it work on non-debian systems 2022-03-15 10:53:16 +01:00
Ludovic Poujol 5a2dc5cbd1 etc-git: Make it work on non-debian systems 2022-03-15 10:53:16 +01:00
Brice Waegeneire 6df10be6ef evolinux-base: Fix top config.
The wrong file was used as topdefaultrc. And we were using the wrong
encoding, as top uses ISO-8859 instead of UTF-8.
2022-03-15 10:22:21 +01:00
William Hirigoyen (Evolix) 4a31961ba0 Add AppArmor unconfinement to the default config of LXC containers for Debian versions >= 9. 2022-03-15 10:07:09 +01:00
William Hirigoyen (Evolix) a565e8f8e8 Add Out of memory log2mail alert to dovecot role 2022-03-15 10:06:21 +01:00
William Hirigoyen (Evolix) ab1f3fd6d4 Merge 2022-03-15 10:06:21 +01:00
Brice Waegeneire c880ce43a2 nagios-nrpe: Improve readability for check_mount_rw 2022-03-10 16:41:13 +01:00
Jérémy Lecour a733e2794f evolinux-base: backup-server-state release 22.03 2022-03-08 16:49:53 +01:00
Jérémy Lecour b4f35af35c backup-server-state: skip iptables if nft is installed 2022-03-08 16:48:41 +01:00
Alexis Ben Miloud--Josselin 87a3fd48df Fix commit d455de5 2022-03-03 11:54:32 +01:00
Alexis Ben Miloud--Josselin 3ef6381ba6 Fix redis' README title 2022-03-03 11:52:03 +01:00
Alexis Ben Miloud--Josselin d455de52b3 Check if /etc/libvirt/qemu/*xml exists before sync
This will prevent sending e-mails saying the file
does not exist.
2022-03-03 11:48:39 +01:00
Mathieu Trossevin 9c84e95182
Repair keepalived role 2022-03-02 16:23:01 +01:00
106 changed files with 2147 additions and 1173 deletions

View file

@ -12,10 +12,29 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* minifirewall: configure proxy/backup/sysctl values
* etc-git: Commit /etc in lxc containers when they are git repositories
### Changed
* evocheck: upstream release 22.03.1
* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
* evolinux-base: rename backup-server-state to dump-server-state
* dump-server-state: upstream release 22.03.10
* generate-ldif: Add services check for bkctld
* minifirewall: restore "force-restart" and fix "restart-if-needed"
* minifirewall: tail template follows symlinks
* minifirewall: upstream release 22.03.4
* openvpn: use a subnet topology instead of the net30 default topology
### Fixed
* Repair keepalived role
* generate-ldif: Correct generated entries for php-fpm in containers
* redis: Remount /usr with RW before adding nagios plugin
* postfix: Do not send mails through milters a second time after amavis (in packmail)
* Replace use of the `include` module with the `import_tasks` or `include_tasks` module to prevent bug due to faulty behaviour choice on the part of ansible
### Removed
### Security
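Review bot: the last entry under "Fixed" ("Replace use of the `include` module ... to prevent bug due to faulty behaviour choice on the part of ansible") is ungrammatical and describes a refactoring rather than a bug fix, so it belongs under "Changed"; suggested wording: "Replace the `include` module with `import_tasks` or `include_tasks` so Ansible no longer has to guess between static import and dynamic include". The empty "Removed" and "Security" headings are fine as keep-a-changelog placeholders.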

View file

@ -12,7 +12,7 @@
- apache
- name: Load IP whitelist task
include: ip_whitelist.yml
import_tasks: ip_whitelist.yml
- name: include private IP whitelist for server-status
lineinfile:

View file

@ -109,7 +109,7 @@
tags:
- apache
- include: auth.yml
- import_tasks: auth.yml
tags:
- apache
@ -134,7 +134,7 @@
tags:
- apache
- include: server_status.yml
- import_tasks: server_status.yml
tags:
- apache
@ -199,12 +199,12 @@
tags:
- apache
- include: log2mail.yml
- import_tasks: log2mail.yml
when: apache_log2mail_include
tags:
- apache
- include: munin.yml
- import_tasks: munin.yml
when: apache_munin_include | bool
tags:
- apache
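Review bot: the two conditions in this hunk are inconsistent: `when: apache_log2mail_include` has no `| bool` while `when: apache_munin_include | bool` has one, so a string value such as "false" coming from inventory is truthy for the first and falsy for the second. Add `| bool` to the log2mail condition. Note also that with `import_tasks` the `when:` is copied onto every task of the imported file, which is the intended behaviour here but means each task in log2mail.yml and munin.yml is now evaluated (and reported as skipped) individually.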

View file

@ -9,31 +9,31 @@
- apt
- name: Custom configuration
include: config.yml
import_tasks: config.yml
when: apt_config | bool
tags:
- apt
- name: Install basics repositories
include: basics.yml
import_tasks: basics.yml
when: apt_install_basics | bool
tags:
- apt
- name: Install APT Backports repository
include: backports.yml
import_tasks: backports.yml
when: apt_install_backports | bool
tags:
- apt
- name: Install Evolix Public APT repository
include: evolix_public.yml
import_tasks: evolix_public.yml
when: apt_install_evolix_public | bool
tags:
- apt
- name: Install check for packages marked hold
include: hold_packages.yml
import_tasks: hold_packages.yml
when: apt_install_hold_packages | bool
tags:
- apt
@ -50,4 +50,4 @@
upgrade: dist
when: apt_upgrade | bool
tags:
- apt
- apt

View file

@ -126,4 +126,4 @@
force: yes
notify: restart bind
- include: munin.yml
- import_tasks: munin.yml

View file

@ -8,18 +8,18 @@
msg: only compatible with Debian 9+
- name: Install legacy script on Debian 8
include: install-legacy.yml
import_tasks: install-legacy.yml
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '<')
- name: Install package on Debian 9+
include: install-package.yml
import_tasks: install-package.yml
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '>=')
- include: acme-challenge.yml
- import_tasks: acme-challenge.yml
- name: Deploy hooks are present
copy:

View file

@ -24,7 +24,7 @@
update_cache: no
filename: docker.list
- include: jessie_backports.yml
- import_tasks: jessie_backports.yml
when: ansible_distribution_release == 'jessie'
- name: Add Docker's official GPG key

View file

@ -8,3 +8,9 @@
service:
name: dovecot
state: reloaded
- name: restart log2mail
service:
name: log2mail
state: restarted

View file

@ -78,6 +78,28 @@
tags:
- dovecot
- include: munin.yml
- import_tasks: munin.yml
tags:
- dovecot
- name: log2mail is installed
apt:
name: log2mail
state: present
tags: dovecot
- name: dovecot is configured in log2mail
blockinfile:
path: /etc/log2mail/config/mail.conf
create: true
owner: log2mail
group: adm
mode: "0640"
block: |
file = /var/log/mail.log
pattern = "Out of memory"
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
template = /etc/log2mail/mail
notify: restart log2mail
tags: dovecot
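Review bot: in `mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}` the filter binds only to `general_alert_email`, so `mandatory` does not cover `log2mail_alert_email`, and if `log2mail_alert_email` is undefined the `or` raises an undefined-variable error before the fallback is reached; write it as `{{ (log2mail_alert_email | default(general_alert_email)) | mandatory }}` or give the variable a default in the role so that the alert address is always set. The blockinfile uses the default marker, so if another role manages `/etc/log2mail/config/mail.conf` with blockinfile as well, the second block replaces the first; set a role-specific `marker:`. Minor: `tags: dovecot` is a bare string while the rest of the file uses the list form.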

View file

@ -1,6 +1,6 @@
---
- include: packages.yml
- import_tasks: packages.yml
- include: munin.yml
- import_tasks: munin.yml
- include: nagios.yml
- import_tasks: nagios.yml

View file

@ -1,21 +1,21 @@
---
- include: packages.yml
- import_tasks: packages.yml
- include: configuration.yml
- import_tasks: configuration.yml
- include: bootstrap_checks.yml
- import_tasks: bootstrap_checks.yml
- include: tmpdir.yml
- import_tasks: tmpdir.yml
- include: datadir.yml
- import_tasks: datadir.yml
- include: logs.yml
- import_tasks: logs.yml
- include: additional_scripts.yml
- import_tasks: additional_scripts.yml
- include: plugin_head.yml
- import_tasks: plugin_head.yml
when: elasticsearch_plugin_head | bool
- include: curator.yml
- import_tasks: curator.yml
when: elasticsearch_curator | bool

View file

@ -50,3 +50,30 @@
when:
- _usr_share_scripts_git.stat.exists
- _usr_share_scripts_git.stat.isdir
- name: Check if there are lxc containers
stat:
path: /var/lib/lxc
get_attributes: no
get_checksum: no
get_mime: no
register: _var_lib_lxc
- name: Get lxc containers and commit their /etc when needed
block:
- name: Get all lxc containers
find:
paths: /var/lib/lxc
recurse: no
file_type: directory
register: _lxc_containers
- name: "Commit /etc in all containers"
include_tasks:
file: lxc_commit.yml
loop: "{{ _lxc_containers.files | map(attribute='path') | map('basename') }}"
loop_control:
loop_var: container
when:
- _var_lib_lxc.stat.exists
- _var_lib_lxc.stat.isdir or _var_lib_lxc.stat.islnk
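Review bot: the three new tasks (the stat of /var/lib/lxc, the block and the include_tasks inside it) carry no `tags:` while every other task in this file is tagged `etc-git` (see the other hunks of main.yml), so a run with `--tags etc-git` skips the container commits and `--skip-tags etc-git` still runs them. Add `tags: - etc-git` to the stat task and to the block; tags on a block propagate to its tasks, but tags on `include_tasks` apply to the include statement only, so the tasks of lxc_commit.yml need `apply: {tags: [etc-git]}` or their own tags to be selected.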

View file

@ -0,0 +1,35 @@
---
- name: "Assert that we have been called with `container` defined"
assert:
that:
- container is defined
- name: "Define path to /etc in {{ container }} container"
set_fact:
container_etc: "{{ ('/var/lib/lxc', container, 'rootfs/etc') | path_join }}"
- name: "Check if /etc is a git repository in {{ container }}"
stat:
path: "{{ (container_etc, '.git') | path_join }}"
get_attributes: no
get_checksum: no
get_mime: no
register: "container_etc_git"
- name: "Evocommit /etc of {{ container }}"
command:
argv:
- /usr/local/bin/evocommit
- '--ansible'
- '--repository'
- "{{ container_etc }}"
- '--message'
- "{{ commit_message | mandatory }}"
changed_when:
- "container_etc_git_commit.stdout"
- "'CHANGED:' in container_etc_git_commit.stdout"
ignore_errors: yes
register: "container_etc_git_commit"
when:
- "container_etc_git.stat.exists"
- "container_etc_git.stat.isdir"
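Review bot: `ignore_errors: yes` on the evocommit task hides a non-zero exit entirely, so a container whose /etc could not be committed (locked index, permission problem, evocommit missing) is reported as OK and the play continues; prefer dropping `ignore_errors` and using `failed_when` with a condition that distinguishes a real error from "nothing to commit", or at least surface `container_etc_git_commit` in a later `debug`/`fail`. Also, `container_etc_git.stat.isdir` is false when `.git` is a gitfile (worktrees), so such containers are silently skipped; `exists` alone covers both cases since evocommit runs git on the path anyway.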

View file

@ -6,6 +6,8 @@
state: present
tags:
- etc-git
when:
- ansible_distribution == "Debian"
- include_role:
name: evolix/remount-usr
@ -19,7 +21,7 @@
tags:
- etc-git
- include: repository.yml
- import_tasks: repository.yml
vars:
repository_path: "/etc"
gitignore_items:
@ -36,7 +38,7 @@
path: /usr/share/scripts
register: _usr_share_scripts
- include: repository.yml
- import_tasks: repository.yml
vars:
repository_path: "/usr/share/scripts"
gitignore_items: []
@ -111,4 +113,4 @@
state: "{{ etc_git_monitor_status | bool | ternary('present','absent') }}"
when: is_cron_installed.rc == 0
tags:
- etc-git
- etc-git

View file

@ -70,4 +70,4 @@
register: git_commit
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
tags:
- etc-git
- etc-git

View file

@ -8,16 +8,16 @@
msg: only compatible with Debian >= 9
when: not (evoacme_disable_debian_check | bool)
- include: certbot.yml
- import_tasks: certbot.yml
- include: permissions.yml
- import_tasks: permissions.yml
# Enable this task if you want to deploy hooks
# - include: evoacme_hook.yml
# - include_tasks: evoacme_hook.yml
# vars:
# hook_name: "{{ item }}"
# loop: []
- include: conf.yml
- import_tasks: conf.yml
- include: scripts.yml
- import_tasks: scripts.yml

View file

@ -1,26 +1,26 @@
---
- include: "ssh_key.yml"
- import_tasks: "ssh_key.yml"
tags:
- evobackup_client
- evobackup_client_backup_ssh_key
- include: "jail.yml"
- import_tasks: "jail.yml"
tags:
- evobackup_client
- evobackup_client_jail
- include: "upload_scripts.yml"
- import_tasks: "upload_scripts.yml"
tags:
- evobackup_client
- evobackup_client_backup_scripts
- include: "open_ssh_ports.yml"
- import_tasks: "open_ssh_ports.yml"
tags:
- evobackup_client
- evobackup_client_backup_firewall
- include: "verify_ssh.yml"
- import_tasks: "verify_ssh.yml"
tags:
- evobackup_client
- evobackup_client_backup_hosts

View file

@ -4,7 +4,7 @@
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
VERSION="21.10.4"
VERSION="22.03.1"
readonly VERSION
# base functions
@ -13,7 +13,7 @@ show_version() {
cat <<END
evocheck version ${VERSION}
Copyright 2009-2021 Evolix <info@evolix.fr>,
Copyright 2009-2022 Evolix <info@evolix.fr>,
Romain Dessort <rdessort@evolix.fr>,
Benoit Série <bserie@evolix.fr>,
Gregory Colpart <reg@evolix.fr>,
@ -142,9 +142,9 @@ failed() {
RC=1
if [ "${QUIET}" != 1 ]; then
if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}"
else
printf "%s FAILED!\n" "${check_name}" 2>&1
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
fi
fi
}
@ -328,8 +328,11 @@ check_tmoutprofile() {
check_alert5boot() {
if is_debian_buster || is_debian_bullseye; then
grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing"
systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
if [ -f /etc/systemd/system/alert5.service ]; then
systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
else
failed "IS_ALERT5BOOT" "alert5 unit file is missing"
fi
else
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
@ -567,7 +570,7 @@ check_network_interfaces() {
# Verify if all if are in auto
check_autoif() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
else
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
fi
@ -592,9 +595,9 @@ check_evobackup() {
}
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
check_evobackup_exclude_mount() {
excludes_file=$(mktemp)
# shellcheck disable=SC2064
trap "rm -f ${excludes_file}" 0
excludes_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.evobackup_exclude_mount.XXXXX")
files_to_cleanup="${files_to_cleanup} ${excludes_file}"
# shellcheck disable=SC2044
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
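Review bot: `mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.evobackup_exclude_mount.XXXXX"` leaves `${TMPDIR:-/tmp}` unquoted, and `--tmpdir` is a GNU coreutils option that the OpenBSD mktemp named in the header comment ("Script to verify compliance of a Debian/OpenBSD server") does not accept; `mktemp "${TMPDIR:-/tmp}/evocheck.evobackup_exclude_mount.XXXXXX"` works on both (six X's is the portable minimum). Replacing the per-function `trap ... 0` with the shared `files_to_cleanup` list is the right move, since each new `trap` on signal 0 silently replaced the previous one.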
@ -603,7 +606,6 @@ check_evobackup_exclude_mount() {
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
done
done
rm -rf "${excludes_file}"
}
# Verification de la presence du userlogrotate
check_userlogrotate() {
@ -809,8 +811,10 @@ check_tune2fs_m5() {
check_evolinuxsudogroup() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if grep -q "^evolinux-sudo:" /etc/group; then
grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
if [ -f /etc/sudoers.d/evolinux ]; then
grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
fi
fi
fi
}
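Review bot: after this change a server that has the `evolinux-sudo` group but no `/etc/sudoers.d/evolinux` file passes IS_EVOLINUXSUDOGROUP silently, whereas before the grep on the missing file made the check fail. If the intent is only to avoid grep's error message, keep the failure with its own comment in a new `else` branch, e.g. `failed "IS_EVOLINUXSUDOGROUP" "/etc/sudoers.d/evolinux is missing"`, so that an admin group that has lost its sudo rule is still reported; check_alert5boot above does exactly that for the missing unit file.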
@ -827,7 +831,7 @@ check_userinadmgroup() {
}
check_apache2evolinuxconf() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if test -d /etc/apache2; then
if is_installed apache2; then
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
&& test -f /etc/apache2/ipaddr_whitelist.conf;
@ -1006,6 +1010,8 @@ check_mysqlmunin() {
test "${VERBOSE}" = 1 || break
fi
done
munin-run mysql_commands 2> /dev/null > /dev/null
test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error"
fi
fi
}
@ -1062,8 +1068,10 @@ check_squidevolinuxconf() {
check_duplicate_fs_label() {
# Do it only if thereis blkid binary
BLKID_BIN=$(command -v blkid)
if [ -x "$BLKID_BIN" ]; then
tmpFile=$(mktemp -p /tmp)
if [ -n "$BLKID_BIN" ]; then
tmpFile=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.duplicate_fs_label.XXXXX")
files_to_cleanup="${files_to_cleanup} ${tmpFile}"
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do
echo "$part" >> "$tmpFile"
@ -1076,7 +1084,6 @@ check_duplicate_fs_label() {
labels=$(echo -n $tmpOutput | tr '\n' ' ')
failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels"
fi
rm "$tmpFile"
else
failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}"
fi
@ -1395,6 +1402,7 @@ get_command() {
listupgrade) command -v "evolistupgrade.sh" ;;
old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;;
mysql-queries-killer) command -v "mysql-queries-killer.sh" ;;
minifirewall) echo "/etc/init.d/minifirewall" ;;
## General case, where the program name is the same as the command name
*) command -v "${program}" ;;
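Review bot: `minifirewall) echo "/etc/init.d/minifirewall" ;;` returns the path unconditionally, unlike every other case that goes through `command -v` and yields an empty string when the tool is absent; on a host without minifirewall, `${command} status | head -1 | cut -d ' ' -f 3` in get_version (next hunk) then executes a non-existent script. Guard it: `minifirewall) test -x /etc/init.d/minifirewall && echo "/etc/init.d/minifirewall" ;;`.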
@ -1415,6 +1423,9 @@ get_version() {
add-vm)
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
;;
minifirewall)
${command} status | head -1 | cut -d ' ' -f 3
;;
## Let's try the --version flag before falling back to grep for the constant
kvmstats)
if ${command} --version > /dev/null 2> /dev/null; then
@ -1457,9 +1468,9 @@ add_to_path() {
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
}
check_versions() {
versions_file=$(mktemp --tmpdir=/tmp "evocheck-versions.XXXXX")
# shellcheck disable=SC2064
trap "rm -f ${versions_file}" 0
versions_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.versions.XXXXX")
files_to_cleanup="${files_to_cleanup} ${versions_file}"
download_versions "${versions_file}"
add_to_path "/usr/share/scripts"
@ -1477,8 +1488,6 @@ check_versions() {
fi
fi
done
rm -f "${versions_file}"
}
main() {
@ -1487,6 +1496,9 @@ main() {
# Detect operating system name, version and release
detect_os
main_output_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.main.XXXXX")
files_to_cleanup="${files_to_cleanup} ${main_output_file}"
#-----------------------------------------------------------
# Tests communs à tous les systèmes
#-----------------------------------------------------------
@ -1715,8 +1727,19 @@ main() {
# - NRPEDISK et NRPEPOSTFIX
fi
if [ -f "${main_output_file}" ]; then
if [ $(cat "${main_output_file}" | wc -l) -gt 0 ]; then
cat "${main_output_file}" 2>&1
fi
fi
exit ${RC}
}
cleanup_temp_files() {
# shellcheck disable=SC2086
rm -f ${files_to_cleanup}
}
PROGNAME=$(basename "$0")
# shellcheck disable=SC2034
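Review bot: `if [ $(cat "${main_output_file}" | wc -l) -gt 0 ]` can be `if [ -s "${main_output_file}" ]`, which drops the useless cat and the unquoted command substitution; and the `2>&1` on `cat "${main_output_file}" 2>&1` changes nothing useful, since only cat's own error messages are redirected and its stdout already goes to the terminal. The outer `if [ -f "${main_output_file}" ]` is also redundant once `-s` is used, because `-s` is false for a missing file.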
@ -1730,6 +1753,10 @@ readonly ARGS
export LANG=C
export LANGUAGE=C
files_to_cleanup=""
# shellcheck disable=SC2064
trap cleanup_temp_files 0
# Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf
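Review bot: the `# shellcheck disable=SC2064` above `trap cleanup_temp_files 0` is stale: SC2064 warns about variables expanded at trap-definition time inside a double-quoted string, and this trap contains none, so the directive can be removed. `files_to_cleanup=""` is initialised here at top level before any check runs, which is what `cleanup_temp_files` relies on; worth a one-line comment so a later refactoring does not move it after the first `mktemp`.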

View file

@ -7,7 +7,7 @@
- evocheck_force_install is defined
- evocheck_force_install == "package"
- include: install.yml
- import_tasks: install.yml
- include: cron.yml
- import_tasks: cron.yml
when: evocheck_update_crontab | bool

View file

@ -1,11 +1,12 @@
#!/bin/sh
PROGNAME="backup-server-state"
PROGNAME="dump-server-state"
REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state"
VERSION="22.01.3"
VERSION="22.03.10"
readonly VERSION
backup_dir=
dump_dir=
rc=0
# base functions
@ -15,9 +16,13 @@ show_version() {
${PROGNAME} version ${VERSION}
Copyright 2018-2022 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
Jérémy Lecour <jlecour@evolix.fr>,
Éric Morino <emorino@evolix.fr>,
Brice Waegeneire <bwaegeneire@evolix.fr>
and others.
${REPOSITORY}
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
@ -25,54 +30,48 @@ END
}
show_help() {
cat <<END
${PROGNAME} is making backup copies of information related to the state of the server.
${PROGNAME} is dumping information related to the state of the server.
Usage: ${PROGNAME} --backup-dir=/path/to/backup/directory [OPTIONS]
Usage: ${PROGNAME} --dump-dir=/path/to/dump/directory [OPTIONS]
Options
-d, --backup-dir path to the directory where the backup will be stored
-f, --force keep existing backup directory and its content
--etc backup copy of /etc
--no-etc no backup copy of /etc (default)
--dpkg backup copy of /var/lib/dpkg
--no-dpkg no backup copy of /var/lib/dpkg (default)
--apt-states backup copy of apt extended states (default)
--no-apt-states no backup copy of apt extended states
--apt-config backup copy of apt configuration (default)
--no-apt-config no backup copy of apt configuration
--packages backup copy of dpkg selections (default)
--no-packages no backup copy of dpkg selections
--processes backup copy of process list (default)
--no-processes no backup copy of process list
--uptime backup of uptime value (default)
--no-uptime no backup of uptime value
--netstat backup copy of netstat (default)
--no-netstat no backup copy of netstat
--netcfg backup copy of network configuration (default)
--no-netcfg no backup copy of network configuration
--iptables backup copy of iptables (default)
--no-iptables no backup copy of iptables
--sysctl backup copy of sysctl values (default)
--no-sysctl no backup copy of sysctl values
--virsh backup copy of virsh list (default)
--no-virsh no backup copy of virsh list
--lxc backup copy of lxc list (default)
--no-lxc no backup copy of lxc list
--disks backup copy of MBR and partitions (default)
--no-disks no backup copy of MBR and partitions
--mount backup copy of mount points (default)
--no-mount no backup copy of mount points
--df backup copy of disk usage (default)
--no-df no backup copy of disk usage
--dmesg backup copy of dmesg (default)
--no-dmesg no backup copy of dmesg
--mysql backup copy of mysql processes (default)
--no-mysql no backup copy of mysql processes
--services backup copy of services states (default)
--no-services no backup copy of services states
-v, --verbose print details about backup steps
-V, --version print version and exit
-h, --help print this message and exit
Main options
-d, --dump-dir path to the directory where data will be stored
--backup-dir legacy option for dump directory
-f, --force keep existing dump directory and its content
-v, --verbose print details about each task
-V, --version print version and exit
-h, --help print this message and exit
Tasks options
--all reset options to execute all tasks
--none reset options to execute no task
--[no-]etc copy of /etc (default: no)
--[no-]dpkg-full copy of /var/lib/dpkg (default: no)
--[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes)
--[no-]apt-states copy of apt extended states (default: yes)
--[no-]apt-config copy of apt configuration (default: yes)
--[no-]packages copy of dpkg selections (default: yes)
--[no-]processes copy of process list (default: yes)
--[no-]uname copy of uname value (default: yes)
--[no-]uptime copy of uptime value (default: yes)
--[no-]netstat copy of netstat (default: yes)
--[no-]netcfg copy of network configuration (default: yes)
--[no-]iptables copy of iptables (default: yes)
--[no-]sysctl copy of sysctl values (default: yes)
--[no-]virsh copy of virsh list (default: yes)
--[no-]lxc copy of lxc list (default: yes)
--[no-]disks copy of MBR and partitions (default: yes)
--[no-]mount copy of mount points (default: yes)
--[no-]df copy of disk usage (default: yes)
--[no-]dmesg copy of dmesg (default: yes)
--[no-]mysql copy of mysql processes (default: yes)
--[no-]systemctl copy of systemd services states (default: yes)
Tasks options order matters. They are evaluated from left to right.
Examples :
* "[…] --none --uname" will do only the uname task
* "[…] --all --no-etc" will do everything but the etc task
* "[…] --etc --none --mysql" will do only the mysql task
END
}
debug() {
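Review bot: style nits in the new help text: "Examples :" has a space before the colon (French typography, inconsistent with the rest of the English text), and "Tasks options" / "Main options" would read better as "Task options" / "Main options" or "Tasks" / "Main". The default values and the left-to-right evaluation note are a clear improvement over the previous pairs of --foo/--no-foo lines.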
@ -81,10 +80,10 @@ debug() {
fi
}
create_backup_dir() {
debug "Create ${backup_dir}"
create_dump_dir() {
debug "Task: Create ${dump_dir}"
last_result=$(mkdir -p "${backup_dir}" && chmod -R 755 "${backup_dir}")
last_result=$(mkdir -p "${dump_dir}" && chmod -R 755 "${dump_dir}")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
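Review bot: `chmod -R 755 "${dump_dir}"` makes the dump directory traversable by every local user, and the task outputs written below by plain redirection (`iptables.txt`, `netstat-ss.txt` produced by `ss -tanpul` with process names, `dpkg-status.txt`, `ps.txt`) get mode 0644 under the usual umask 022, so firewall rules and listening-socket details that normally require root to read become world-readable. Create the directory with 0750, or set `umask 077` at the top of the script, unless the dump is meant to be read by unprivileged consumers. Also, `-R` is pointless right after `mkdir -p` on an empty directory, and with `--force` (which keeps an existing dump directory) it rewrites the permissions of a previous dump's files.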
@ -96,13 +95,13 @@ create_backup_dir() {
fi
}
backup_etc() {
debug "Backup /etc"
task_etc() {
debug "Task: /etc"
rsync_bin=$(command -v rsync)
if [ -n "${rsync_bin}" ]; then
last_result=$(${rsync_bin} -ah --itemize-changes --exclude=.git /etc "${backup_dir}/")
last_result=$(${rsync_bin} -ah --itemize-changes --exclude=.git /etc "${dump_dir}/")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -114,7 +113,7 @@ backup_etc() {
fi
else
debug "* rsync not found"
last_result=$(cp -r /etc "${backup_dir}/ && rm -rf ${backup_dir}/etc/.git")
last_result=$(cp -r /etc "${dump_dir}/ && rm -rf ${dump_dir}/etc/.git")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
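Review bot: `cp -r /etc "${dump_dir}/ && rm -rf ${dump_dir}/etc/.git"` has the `&& rm -rf ...` inside the double-quoted destination argument, so cp receives a single destination path literally containing " && rm -rf " and fails because that path's parent does not exist; the .git directory is never removed, and the rename from backup_dir to dump_dir carried the bug over unchanged. Write it as `last_result=$(cp -r /etc "${dump_dir}/" && rm -rf "${dump_dir}/etc/.git")`. This branch is only taken when rsync is missing, which is why it has gone unnoticed.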
@ -127,7 +126,7 @@ backup_etc() {
fi
}
backup_apt_states() {
task_apt_states() {
apt_dir="/"
apt_dir_state="var/lib/apt"
apt_dir_state_extended_states="extended_states"
@ -142,9 +141,9 @@ backup_apt_states() {
extended_states="${apt_dir}/${apt_dir_state}/${apt_dir_state_extended_states}"
if [ -f "${extended_states}" ]; then
debug "Backup APT states"
debug "Task: APT states"
last_result=$(cp -r "${extended_states}" "${backup_dir}/apt-extended-states.txt")
last_result=$(cp -r "${extended_states}" "${dump_dir}/apt-extended-states.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -157,13 +156,13 @@ backup_apt_states() {
fi
}
backup_apt_config() {
debug "Backup APT config"
task_apt_config() {
debug "Task: APT config"
apt_config_bin=$(command -v apt-config)
if [ -n "${apt_config_bin}" ]; then
last_result=$(${apt_config_bin} dump > "${backup_dir}/apt-config.txt")
last_result=$(${apt_config_bin} dump > "${dump_dir}/apt-config.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -178,8 +177,8 @@ backup_apt_config() {
fi
}
backup_dpkg_full() {
debug "Backup DPkg full state"
task_dpkg_full() {
debug "Task: DPkg full state"
dir_state_status="/var/lib/dpkg/status"
@ -191,7 +190,7 @@ backup_dpkg_full() {
dpkg_dir=$(dirname "${dir_state_status}")
last_result=$(mkdir -p "${backup_dir}${dpkg_dir}" && chmod -R 755 "${backup_dir}${dpkg_dir}")
last_result=$(mkdir -p "${dump_dir}${dpkg_dir}" && chmod -R 755 "${dump_dir}${dpkg_dir}")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -205,7 +204,7 @@ backup_dpkg_full() {
rsync_bin=$(command -v rsync)
if [ -n "${rsync_bin}" ]; then
last_result=$(${rsync_bin} -ah --itemize-changes --exclude='*-old' "${dpkg_dir}/" "${backup_dir}${dpkg_dir}/")
last_result=$(${rsync_bin} -ah --itemize-changes --exclude='*-old' "${dpkg_dir}/" "${dump_dir}${dpkg_dir}/")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -218,7 +217,7 @@ backup_dpkg_full() {
else
debug "* rsync not found"
last_result=$(cp -r "${dpkg_dir}/*" "${backup_dir}${dpkg_dir}/" && rm -rf "${backup_dir}${dpkg_dir}/*-old")
last_result=$(cp -r "${dpkg_dir}/*" "${dump_dir}${dpkg_dir}/" && rm -rf "${dump_dir}${dpkg_dir}/*-old")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
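Review bot: the quoted globs in `cp -r "${dpkg_dir}/*" "${dump_dir}${dpkg_dir}/" && rm -rf "${dump_dir}${dpkg_dir}/*-old"` are not expanded by the shell, so cp looks for a file literally named `*` and fails, and the rm matches nothing; the rsync branch above works, so this only bites hosts without rsync. Move the glob outside the quotes: `cp -r "${dpkg_dir}"/* "${dump_dir}${dpkg_dir}/" && rm -rf "${dump_dir}${dpkg_dir}"/*-old`.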
@ -231,8 +230,8 @@ backup_dpkg_full() {
fi
}
backup_dpkg_status() {
debug "Backup DPkg status"
task_dpkg_status() {
debug "Task: DPkg status"
dir_state_status="/var/lib/dpkg/status"
@ -242,7 +241,7 @@ backup_dpkg_status() {
eval "$(${apt_config_bin} shell dir_state_status Dir::State::status)"
fi
last_result=$(cp "${dir_state_status}" "${backup_dir}/dpkg-status.txt")
last_result=$(cp "${dir_state_status}" "${dump_dir}/dpkg-status.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -254,13 +253,13 @@ backup_dpkg_status() {
fi
}
backup_packages() {
debug "Backup list of installed package"
task_packages() {
debug "Task: List of installed package"
dpkg_bin=$(command -v dpkg)
if [ -n "${dpkg_bin}" ]; then
last_result=$(${dpkg_bin} --get-selections "*" > "${backup_dir}/current_packages.txt")
last_result=$(${dpkg_bin} --get-selections "*" > "${dump_dir}/current_packages.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -275,10 +274,10 @@ backup_packages() {
fi
}
backup_uname() {
debug "Backup uname"
task_uname() {
debug "Task: uname"
last_result=$(uname -a > "${backup_dir}/uname.txt")
last_result=$(uname -a > "${dump_dir}/uname.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -290,10 +289,10 @@ backup_uname() {
fi
}
backup_uptime() {
debug "Backup uptime"
task_uptime() {
debug "Task: uptime"
last_result=$(uptime > "${backup_dir}/uptime.txt")
last_result=$(uptime > "${dump_dir}/uptime.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -305,10 +304,10 @@ backup_uptime() {
fi
}
backup_processes() {
debug "Backup process list"
task_processes() {
debug "Task: Process list"
last_result=$(ps fauxw > "${backup_dir}/ps.txt")
last_result=$(ps fauxw > "${dump_dir}/ps.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -322,7 +321,7 @@ backup_processes() {
pstree_bin=$(command -v pstree)
if [ -n "${pstree_bin}" ]; then
last_result=$(${pstree_bin} -pan > "${backup_dir}/pstree.txt")
last_result=$(${pstree_bin} -pan > "${dump_dir}/pstree.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -335,13 +334,13 @@ backup_processes() {
fi
}
backup_netstat() {
debug "Backup network status"
task_netstat() {
debug "Task: Network status"
ss_bin=$(command -v ss)
if [ -n "${ss_bin}" ]; then
last_result=$(${ss_bin} -tanpul > "${backup_dir}/netstat-ss.txt")
last_result=$(${ss_bin} -tanpul > "${dump_dir}/netstat-ss.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -358,7 +357,7 @@ backup_netstat() {
netstat_bin=$(command -v netstat)
if [ -n "${netstat_bin}" ]; then
last_result=$(netstat -laputen > "${backup_dir}/netstat-legacy.txt")
last_result=$(netstat -laputen > "${dump_dir}/netstat-legacy.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
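Review bot: style point on the `netstat-legacy.txt` line: the task resolves `netstat_bin=$(command -v netstat)` and guards on it, but then calls bare `netstat -laputen` instead of `${netstat_bin} -laputen`, unlike every other task in the script where the resolved `${..._bin}` is what gets executed; use the resolved path so the lookup actually governs the call.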
@ -373,13 +372,13 @@ backup_netstat() {
fi
}
backup_netcfg() {
debug "Backup network configuration"
task_netcfg() {
debug "Task: Network configuration"
ip_bin=$(command -v ip)
if [ -n "${ip_bin}" ]; then
last_result=$(${ip_bin} address show > "${backup_dir}/ip-address.txt")
last_result=$(${ip_bin} address show > "${dump_dir}/ip-address.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -390,7 +389,7 @@ backup_netcfg() {
rc=10
fi
last_result=$(${ip_bin} route show > "${backup_dir}/ip-route.txt")
last_result=$(${ip_bin} route show > "${dump_dir}/ip-route.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -406,7 +405,7 @@ backup_netcfg() {
ifconfig_bin=$(command -v ifconfig)
if [ -n "${ifconfig_bin}" ]; then
last_result=$(${ifconfig_bin} > "${backup_dir}/ifconfig.txt")
last_result=$(${ifconfig_bin} > "${dump_dir}/ifconfig.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -422,13 +421,25 @@ backup_netcfg() {
fi
}
backup_iptables() {
debug "Backup iptables"
task_iptables() {
debug "Task: iptables"
iptables_bin=$(command -v iptables)
if [ -n "${iptables_bin}" ]; then
last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${backup_dir}/iptables.txt")
last_result=$({ ${iptables_bin} -L -n -v; ${iptables_bin} -t filter -L -n -v; } > "${dump_dir}/iptables-v.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* iptables -v OK"
else
debug "* iptables -v ERROR"
debug "${last_result}"
# Ignore errors because we don't know if this is nft related or a real error
# rc=10
fi
last_result=$({ ${iptables_bin} -L -n; ${iptables_bin} -t filter -L -n; } > "${dump_dir}/iptables.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -436,7 +447,8 @@ backup_iptables() {
else
debug "* iptables ERROR"
debug "${last_result}"
rc=10
# Ignore errors because we don't know if this is nft related or a real error
# rc=10
fi
else
debug "* iptables not found"
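Review bot: the two commands joined in the `iptables-v.txt` capture are redundant: `iptables -L -n -v` already lists the filter table and `-t filter -L -n -v` lists it a second time, so the file holds the same ruleset twice while nat, mangle and raw are never captured (iptables-save below covers them, so either drop the second command or point it at `-t nat`). Commenting out `rc=10` so that nft-related failures are ignored also hides real failures such as running without CAP_NET_ADMIN; consider downgrading the error only when `nft` is available, and keep the error text either way: with stdout redirected to the file and stderr left alone, `${last_result}` is always empty, so `debug "${last_result}"` prints nothing (the disks task's `2>&1` pattern avoids that).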
@ -445,7 +457,7 @@ backup_iptables() {
iptables_save_bin=$(command -v iptables-save)
if [ -n "${iptables_save_bin}" ]; then
last_result=$(${iptables_save_bin} > "${backup_dir}/iptables-save.txt")
last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -453,20 +465,36 @@ backup_iptables() {
else
debug "* iptables-save ERROR"
debug "${last_result}"
rc=10
# Ignore errors because we don't know if this is nft related or a real error
# rc=10
fi
else
debug "* iptables-save not found"
fi
nft_bin=$(command -v nft)
if [ -n "${nft_bin}" ]; then
last_result=$(${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* nft ruleset OK"
else
debug "* nft ruleset ERROR"
debug "${last_result}"
rc=10
fi
fi
}
backup_sysctl() {
debug "Backup sysctl values"
task_sysctl() {
debug "Task: sysctl values"
sysctl_bin=$(command -v sysctl)
if [ -n "${sysctl_bin}" ]; then
last_result=$(${sysctl_bin} -a | sort -h > "${backup_dir}/sysctl.txt")
last_result=$(${sysctl_bin} -a --ignore 2>/dev/null | sort -h > "${dump_dir}/sysctl.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
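Review bot: two points in this hunk. The new `nft list ruleset` block sets `rc=10` on failure while the iptables-save block just above now ignores errors for the same "may be nft, may be real" reason; on a host with only legacy iptables the `nft` binary can be present and still fail, so the dump then exits non-zero for the backend that is not in use. Either apply the same leniency or only treat it as an error when `nft list tables` succeeds. In the sysctl line, `last_rc=$?` after `${sysctl_bin} -a --ignore 2>/dev/null | sort -h > ...` reports the exit status of `sort`, not of `sysctl`, so a sysctl failure is never detected; write the unsorted output first and sort it in a second step if the status matters.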
@ -481,13 +509,13 @@ backup_sysctl() {
fi
}
backup_virsh() {
debug "Backup virsh list"
task_virsh() {
debug "Task: virsh list"
virsh_bin=$(command -v virsh)
if [ -n "${virsh_bin}" ]; then
last_result=$(${virsh_bin} list --all > "${backup_dir}/virsh-list.txt")
last_result=$(${virsh_bin} list --all > "${dump_dir}/virsh-list.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -502,13 +530,13 @@ backup_virsh() {
fi
}
backup_lxc() {
debug "Backup lxc list"
task_lxc() {
debug "Task: lxc list"
lxc_ls_bin=$(command -v lxc-ls)
if [ -n "${lxc_ls_bin}" ]; then
last_result=$(${lxc_ls_bin} --fancy > "${backup_dir}/lxc-list.txt")
last_result=$(${lxc_ls_bin} --fancy > "${dump_dir}/lxc-list.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -523,8 +551,8 @@ backup_lxc() {
fi
}
backup_disks() {
debug "Backup disks"
task_disks() {
debug "Task: Disks"
lsblk_bin=$(command -v lsblk)
awk_bin=$(command -v awk)
@ -534,7 +562,7 @@ backup_disks() {
for disk in ${disks}; do
dd_bin=$(command -v dd)
if [ -n "${dd_bin}" ]; then
last_result=$(${dd_bin} if="/dev/${disk}" of="${backup_dir}/MBR-${disk}" bs=512 count=1 2>&1)
last_result=$(${dd_bin} if="/dev/${disk}" of="${dump_dir}/MBR-${disk}" bs=512 count=1 2>&1)
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -549,7 +577,7 @@ backup_disks() {
fi
fdisk_bin=$(command -v fdisk)
if [ -n "${fdisk_bin}" ]; then
last_result=$(${fdisk_bin} -l "/dev/${disk}" > "${backup_dir}/partitions-${disk}" 2>&1)
last_result=$(${fdisk_bin} -l "/dev/${disk}" > "${dump_dir}/partitions-${disk}" 2>&1)
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -563,7 +591,7 @@ backup_disks() {
debug "* fdisk not found"
fi
done
cat "${backup_dir}"/partitions-* > "${backup_dir}/partitions"
cat "${dump_dir}"/partitions-* > "${dump_dir}/partitions"
else
if [ -n "${lsblk_bin}" ]; then
debug "* lsblk not found"
@ -574,13 +602,13 @@ backup_disks() {
fi
}
backup_mount() {
debug "Backup mount points"
task_mount() {
debug "Task: Mount points"
findmnt_bin=$(command -v findmnt)
if [ -n "${findmnt_bin}" ]; then
last_result=$(${findmnt_bin} > "${backup_dir}/mount.txt")
last_result=$(${findmnt_bin} > "${dump_dir}/mount.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -596,7 +624,7 @@ backup_mount() {
mount_bin=$(command -v mount)
if [ -n "${mount_bin}" ]; then
last_result=$(${mount_bin} > "${backup_dir}/mount.txt")
last_result=$(${mount_bin} > "${dump_dir}/mount.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -612,13 +640,13 @@ backup_mount() {
fi
}
backup_df() {
debug "Backup df"
task_df() {
debug "Task: df"
df_bin=$(command -v df)
if [ -n "${df_bin}" ]; then
last_result=$(${df_bin} --portability > "${backup_dir}/df.txt")
last_result=$(${df_bin} --portability > "${dump_dir}/df.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -633,13 +661,13 @@ backup_df() {
fi
}
backup_dmesg() {
debug "Backup dmesg"
task_dmesg() {
debug "Task: dmesg"
dmesg_bin=$(command -v dmesg)
if [ -n "${dmesg_bin}" ]; then
last_result=$(${dmesg_bin} > "${backup_dir}/dmesg.txt")
last_result=$(${dmesg_bin} > "${dump_dir}/dmesg.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -654,34 +682,39 @@ backup_dmesg() {
fi
}
backup_mysql_processes() {
debug "Backup mysql processes"
task_mysql_processes() {
debug "Task: MySQL processes"
mysqladmin_bin=$(command -v mysqladmin)
if [ -n "${mysqladmin_bin}" ]; then
last_result=$(${mysqladmin_bin} --verbose processlist > "${backup_dir}/mysql-processlist.txt")
last_rc=$?
# Look for local MySQL or MariaDB process
if pgrep mysqld > /dev/null || pgrep mariadbd > /dev/null; then
last_result=$(${mysqladmin_bin} --verbose processlist > "${dump_dir}/mysql-processlist.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* mysqladmin OK"
if [ ${last_rc} -eq 0 ]; then
debug "* mysqladmin OK"
else
debug "* mysqladmin ERROR"
debug "${last_result}"
rc=10
fi
else
debug "* mysqladmin ERROR"
debug "${last_result}"
rc=10
debug "* no mysqld or mariadbd process is running"
fi
else
debug "* mysqladmin not found"
fi
}
backup_systemctl() {
debug "Backup services"
task_systemctl() {
debug "Task: Systemd services"
systemctl_bin=$(command -v systemctl)
if [ -n "${systemctl_bin}" ]; then
last_result=$(${systemctl_bin} --no-legend --state=failed --type=service > "${backup_dir}/systemctl-failed-services.txt")
last_result=$(${systemctl_bin} --no-legend --state=failed --type=service > "${dump_dir}/systemctl-failed-services.txt")
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
@ -696,88 +729,87 @@ backup_systemctl() {
fi
}
main() {
if [ -z "${backup_dir}" ]; then
echo "ERROR: You must provide the --backup-dir argument" >&2
if [ -z "${dump_dir}" ]; then
echo "ERROR: You must provide the --dump-dir argument" >&2
exit 1
fi
if [ -d "${backup_dir}" ]; then
if [ -d "${dump_dir}" ]; then
if [ "${FORCE}" != "1" ]; then
echo "ERROR: The backup directory ${backup_dir} already exists. Delete it first." >&2
echo "ERROR: The dump directory ${dump_dir} already exists. Delete it first." >&2
exit 2
fi
else
create_backup_dir
create_dump_dir
fi
if [ "${DO_ETC}" -eq 1 ]; then
backup_etc
if [ "${TASK_ETC}" -eq 1 ]; then
task_etc
fi
if [ "${DO_DPKG_FULL}" -eq 1 ]; then
backup_dpkg_full
if [ "${TASK_DPKG_FULL}" -eq 1 ]; then
task_dpkg_full
fi
if [ "${DO_DPKG_STATUS}" -eq 1 ]; then
backup_dpkg_status
if [ "${TASK_DPKG_STATUS}" -eq 1 ]; then
task_dpkg_status
fi
if [ "${DO_APT_STATES}" -eq 1 ]; then
backup_apt_states
if [ "${TASK_APT_STATES}" -eq 1 ]; then
task_apt_states
fi
if [ "${DO_APT_CONFIG}" -eq 1 ]; then
backup_apt_config
if [ "${TASK_APT_CONFIG}" -eq 1 ]; then
task_apt_config
fi
if [ "${DO_PACKAGES}" -eq 1 ]; then
backup_packages
if [ "${TASK_PACKAGES}" -eq 1 ]; then
task_packages
fi
if [ "${DO_PROCESSES}" -eq 1 ]; then
backup_processes
if [ "${TASK_PROCESSES}" -eq 1 ]; then
task_processes
fi
if [ "${DO_UPTIME}" -eq 1 ]; then
backup_uptime
if [ "${TASK_UPTIME}" -eq 1 ]; then
task_uptime
fi
if [ "${DO_UNAME}" -eq 1 ]; then
backup_uname
if [ "${TASK_UNAME}" -eq 1 ]; then
task_uname
fi
if [ "${DO_NETSTAT}" -eq 1 ]; then
backup_netstat
if [ "${TASK_NETSTAT}" -eq 1 ]; then
task_netstat
fi
if [ "${DO_NETCFG}" -eq 1 ]; then
backup_netcfg
if [ "${TASK_NETCFG}" -eq 1 ]; then
task_netcfg
fi
if [ "${DO_IPTABLES}" -eq 1 ]; then
backup_iptables
if [ "${TASK_IPTABLES}" -eq 1 ]; then
task_iptables
fi
if [ "${DO_SYSCTL}" -eq 1 ]; then
backup_sysctl
if [ "${TASK_SYSCTL}" -eq 1 ]; then
task_sysctl
fi
if [ "${DO_VIRSH}" -eq 1 ]; then
backup_virsh
if [ "${TASK_VIRSH}" -eq 1 ]; then
task_virsh
fi
if [ "${DO_LXC}" -eq 1 ]; then
backup_lxc
if [ "${TASK_LXC}" -eq 1 ]; then
task_lxc
fi
if [ "${DO_DISKS}" -eq 1 ]; then
backup_disks
if [ "${TASK_DISKS}" -eq 1 ]; then
task_disks
fi
if [ "${DO_MOUNT}" -eq 1 ]; then
backup_mount
if [ "${TASK_MOUNT}" -eq 1 ]; then
task_mount
fi
if [ "${DO_DF}" -eq 1 ]; then
backup_df
if [ "${TASK_DF}" -eq 1 ]; then
task_df
fi
if [ "${DO_DMESG}" -eq 1 ]; then
backup_dmesg
if [ "${TASK_DMESG}" -eq 1 ]; then
task_dmesg
fi
if [ "${DO_MYSQL_PROCESSES}" -eq 1 ]; then
backup_mysql_processes
if [ "${TASK_MYSQL_PROCESSES}" -eq 1 ]; then
task_mysql_processes
fi
if [ "${DO_SYSTEMCTL}" -eq 1 ]; then
backup_systemctl
if [ "${TASK_SYSTEMCTL}" -eq 1 ]; then
task_systemctl
fi
debug "=> Your backup is available at ${backup_dir}"
debug "=> Your dump is available at ${dump_dir}"
exit ${rc}
}
@ -801,171 +833,264 @@ while :; do
FORCE=1
;;
-d|--backup-dir)
-d|--dump-dir)
# with value separated by space
if [ -n "$2" ]; then
backup_dir=$2
dump_dir=$2
shift
else
printf 'ERROR: "-d|--backup-dir" requires a non-empty option argument.\n' >&2
printf 'ERROR: "-d|--dump-dir" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--dump-dir=?*)
# with value speparated by =
dump_dir=${1#*=}
;;
--dump-dir=)
# without value
printf 'ERROR: "--dump-dir" requires a non-empty option argument.\n' >&2
exit 1
;;
--backup-dir)
printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
if [ -n "${dump_dir}" ]; then
debug "Dump directory is already set, let's ignore this one."
else
debug "Dump directory is not set already, let's stay backward compatible."
# with value separated by space
if [ -n "$2" ]; then
dump_dir=$2
shift
else
printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
exit 1
fi
fi
;;
--backup-dir=?*)
# with value speparated by =
backup_dir=${1#*=}
printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
if [ -n "${dump_dir}" ]; then
debug "Dump directory is already set, let's ignore this one."
else
debug "Dump directory is not set already, let's stay backward compatible."
dump_dir=${1#*=}
fi
;;
--backup-dir=)
# without value
printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
exit 1
printf 'WARNING: "--backup-dir" is deprecated in favor of "--dump-dir".\n'
if [ -n "${dump_dir}" ]; then
debug "Dump directory is already set, let's ignore this one."
else
printf 'ERROR: "--backup-dir" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--all)
for option in \
TASK_ETC \
TASK_DPKG_FULL \
TASK_DPKG_STATUS \
TASK_APT_STATES \
TASK_APT_CONFIG \
TASK_PACKAGES \
TASK_PROCESSES \
TASK_UNAME \
TASK_UPTIME \
TASK_NETSTAT \
TASK_NETCFG \
TASK_IPTABLES \
TASK_SYSCTL \
TASK_VIRSH \
TASK_LXC \
TASK_DISKS \
TASK_MOUNT \
TASK_DF \
TASK_DMESG \
TASK_MYSQL_PROCESSES \
TASK_SYSTEMCTL
do
eval "${option}=1"
done
;;
--none)
for option in \
TASK_ETC \
TASK_DPKG_FULL \
TASK_DPKG_STATUS \
TASK_APT_STATES \
TASK_APT_CONFIG \
TASK_PACKAGES \
TASK_PROCESSES \
TASK_UNAME \
TASK_UPTIME \
TASK_NETSTAT \
TASK_NETCFG \
TASK_IPTABLES \
TASK_SYSCTL \
TASK_VIRSH \
TASK_LXC \
TASK_DISKS \
TASK_MOUNT \
TASK_DF \
TASK_DMESG \
TASK_MYSQL_PROCESSES \
TASK_SYSTEMCTL
do
eval "${option}=0"
done
;;
--etc)
DO_ETC=1
TASK_ETC=1
;;
--no-etc)
DO_ETC=0
TASK_ETC=0
;;
--dpkg-full)
DO_DPKG_FULL=1
TASK_DPKG_FULL=1
;;
--no-dpkg-full)
DO_DPKG_FULL=0
TASK_DPKG_FULL=0
;;
--dpkg-status)
DO_DPKG_STATUS=1
TASK_DPKG_STATUS=1
;;
--no-dpkg-status)
DO_DPKG_STATUS=0
TASK_DPKG_STATUS=0
;;
--apt-states)
DO_APT_STATES=1
TASK_APT_STATES=1
;;
--no-apt-states)
DO_APT_STATES=0
TASK_APT_STATES=0
;;
--apt-config)
DO_APT_CONFIG=1
TASK_APT_CONFIG=1
;;
--no-apt-config)
DO_APT_CONFIG=0
TASK_APT_CONFIG=0
;;
--packages)
DO_PACKAGES=1
TASK_PACKAGES=1
;;
--no-packages)
DO_PACKAGES=0
TASK_PACKAGES=0
;;
--processes)
DO_PROCESSES=1
TASK_PROCESSES=1
;;
--no-processes)
DO_PROCESSES=0
TASK_PROCESSES=0
;;
--uptime)
DO_UPTIME=1
TASK_UPTIME=1
;;
--no-uptime)
DO_UPTIME=0
TASK_UPTIME=0
;;
--uname)
DO_UNAME=1
TASK_UNAME=1
;;
--no-uname)
DO_UNAME=0
TASK_UNAME=0
;;
--netstat)
DO_NETSTAT=1
TASK_NETSTAT=1
;;
--no-netstat)
DO_NETSTAT=0
TASK_NETSTAT=0
;;
--netcfg)
DO_NETCFG=1
TASK_NETCFG=1
;;
--no-netcfg)
DO_NETCFG=0
TASK_NETCFG=0
;;
--iptables)
DO_IPTABLES=1
TASK_IPTABLES=1
;;
--no-iptables)
DO_IPTABLES=0
TASK_IPTABLES=0
;;
--sysctl)
DO_SYSCTL=1
TASK_SYSCTL=1
;;
--no-sysctl)
DO_SYSCTL=0
TASK_SYSCTL=0
;;
--virsh)
DO_VIRSH=1
TASK_VIRSH=1
;;
--no-virsh)
DO_VIRSH=0
TASK_VIRSH=0
;;
--lxc)
DO_LXC=1
TASK_LXC=1
;;
--no-lxc)
DO_LXC=0
TASK_LXC=0
;;
--disks)
DO_DISKS=1
TASK_DISKS=1
;;
--no-disks)
DO_DISKS=0
TASK_DISKS=0
;;
--mount)
DO_MOUNT=1
TASK_MOUNT=1
;;
--no-mount)
DO_MOUNT=0
TASK_MOUNT=0
;;
--df)
DO_DF=1
TASK_DF=1
;;
--no-df)
DO_DF=0
TASK_DF=0
;;
--dmesg)
DO_DMESG=1
TASK_DMESG=1
;;
--no-dmesg)
DO_DMESG=0
TASK_DMESG=0
;;
--mysql-processes)
DO_MYSQL_PROCESSES=1
TASK_MYSQL_PROCESSES=1
;;
--no-mysql-processes)
DO_MYSQL_PROCESSES=0
TASK_MYSQL_PROCESSES=0
;;
--systemctl)
DO_SYSTEMCTL=1
TASK_SYSTEMCTL=1
;;
--no-systemctl)
DO_SYSTEMCTL=0
TASK_SYSTEMCTL=0
;;
--)
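Review bot: missing `shift` in the deprecated `--backup-dir)` branch: when `dump_dir` is already set the value is ignored but `$2` is not consumed, so the directory name is parsed as the next option on the following loop iteration; add a `shift` in that branch too (the `--backup-dir=...` forms are unaffected because the value is part of `$1`). Two smaller points: the deprecation `WARNING` lines go to stdout via `printf` while every error goes to `>&2`, which pollutes the output of anyone capturing stdout; and the `--all` and `--none` cases carry two identical 21-entry task lists, so a task added to one will be silently missed by the other, so put the list in a single variable used by both. The comment `with value speparated by =` in the `--dump-dir=?*` case has a typo.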
@ -990,27 +1115,27 @@ done
# Default values
: "${VERBOSE:=0}"
: "${FORCE:=0}"
: "${DO_ETC:=0}"
: "${DO_DPKG_FULL:=0}"
: "${DO_DPKG_STATUS:=1}"
: "${DO_APT_STATES:=1}"
: "${DO_APT_CONFIG:=1}"
: "${DO_PACKAGES:=1}"
: "${DO_PROCESSES:=1}"
: "${DO_UNAME:=1}"
: "${DO_UPTIME:=1}"
: "${DO_NETSTAT:=1}"
: "${DO_NETCFG:=1}"
: "${DO_IPTABLES:=1}"
: "${DO_SYSCTL:=1}"
: "${DO_VIRSH:=1}"
: "${DO_LXC:=1}"
: "${DO_DISKS:=1}"
: "${DO_MOUNT:=1}"
: "${DO_DF:=1}"
: "${DO_DMESG:=1}"
: "${DO_MYSQL_PROCESSES:=1}"
: "${DO_SYSTEMCTL:=1}"
: "${TASK_ETC:=0}"
: "${TASK_DPKG_FULL:=0}"
: "${TASK_DPKG_STATUS:=1}"
: "${TASK_APT_STATES:=1}"
: "${TASK_APT_CONFIG:=1}"
: "${TASK_PACKAGES:=1}"
: "${TASK_PROCESSES:=1}"
: "${TASK_UNAME:=1}"
: "${TASK_UPTIME:=1}"
: "${TASK_NETSTAT:=1}"
: "${TASK_NETCFG:=1}"
: "${TASK_IPTABLES:=1}"
: "${TASK_SYSCTL:=1}"
: "${TASK_VIRSH:=1}"
: "${TASK_LXC:=1}"
: "${TASK_DISKS:=1}"
: "${TASK_MOUNT:=1}"
: "${TASK_DF:=1}"
: "${TASK_DMESG:=1}"
: "${TASK_MYSQL_PROCESSES:=1}"
: "${TASK_SYSTEMCTL:=1}"
export LC_ALL=C


@ -1,15 +1,15 @@
top's Config File (Linux processes with windows)
Id:j, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0
Def fieldscur=ķ&')*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=1, msgsclr=1, headclr=3, taskclr=1
Job fieldscur=(Ļ@<)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=6, msgsclr=6, headclr=7, taskclr=6
Mem fieldscur=<MBND34&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=5, msgsclr=5, headclr=4, taskclr=5
Usr fieldscur=)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=3, msgsclr=3, headclr=2, taskclr=3
Def fieldscur=¥¨³´»½À¼Ä·º¹Å&')*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=177460, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=1, msgsclr=1, headclr=3, taskclr=1
Job fieldscur=¥¦¹·º(³´Ä»½@<§Å)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=6, msgsclr=6, headclr=7, taskclr=6
Mem fieldscur=¥º»<½¾¿ÀÁMBNÃD34·Å&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=5, msgsclr=5, headclr=4, taskclr=5
Usr fieldscur=¥¦§¨ª°¹·ºÄÅ)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz
winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0
summclr=3, msgsclr=3, headclr=2, taskclr=3
Fixed_widest=0, Summ_mscale=1, Task_mscale=0, Zero_suppress=0


@ -32,11 +32,14 @@
## Dedicated hardware
- name: Install freepmi when it's dedicated hardware
- name: Install some additionnals tools when it dedicated hardware
apt:
name:
- libipc-run-perl
- freeipmi
- ipmitool
- firmware-linux-nonfree
- intel-microcode
state: present
tags:
- packages
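Review bot: the task name has typos ("additionnals tools when it dedicated hardware" should read "additional tools when it is dedicated hardware"). More importantly, `intel-microcode` is now installed on every dedicated host regardless of CPU vendor; on AMD hardware it does nothing and `amd64-microcode` is the package that would actually deliver microcode updates. Consider selecting the package from `ansible_processor` (or installing both and letting the initramfs hook pick the matching one). Note also that `firmware-linux-nonfree` and `intel-microcode` come from the `non-free` component, so this task depends on that component being enabled on dedicated hosts.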


@ -14,6 +14,7 @@
apt_install_basics: "{{ evolinux_apt_replace_default_sources }}"
apt_install_evolix_public: "{{ evolinux_apt_public_sources }}"
apt_upgrade: "{{ evolinux_apt_upgrade }}"
apt_basics_components: "{{ 'main contrib non-free' if ansible_virtualization_role == 'host' else 'main' }}"
when: evolinux_apt_include | bool
- name: /etc versioning with Git
@ -22,27 +23,27 @@
when: evolinux_etcgit_include | bool
- name: /etc/evolinux base
include: etc-evolinux.yml
import_tasks: etc-evolinux.yml
when: evolinux_etcevolinux_include | bool
- name: Hostname
include: hostname.yml
import_tasks: hostname.yml
when: evolinux_hostname_include | bool
- name: Kernel tuning
include: kernel.yml
import_tasks: kernel.yml
when: evolinux_kernel_include | bool
- name: Fstab configuration
include: fstab.yml
import_tasks: fstab.yml
when: evolinux_fstab_include | bool
- name: Packages
include: packages.yml
import_tasks: packages.yml
when: evolinux_packages_include | bool
- name: System settings
include: system.yml
import_tasks: system.yml
when: evolinux_system_include | bool
- name: Minifirewall
@ -56,7 +57,7 @@
when: evolinux_evomaintenance_include | bool
- name: SSH configuration
include: ssh.yml
import_tasks: ssh.yml
when: evolinux_ssh_include | bool
### disabled because of a memory leak
@ -66,41 +67,41 @@
# when: evolinux_users_include
- name: Root user configuration
include: root.yml
import_tasks: root.yml
when: evolinux_root_include | bool
- name: Postfix
include: postfix.yml
import_tasks: postfix.yml
when: evolinux_postfix_include | bool
- name: Logs management
include: logs.yml
import_tasks: logs.yml
when: evolinux_logs_include | bool
- name: Default index page
include: default_www.yml
import_tasks: default_www.yml
when: evolinux_default_www_include | bool
- name: Hardware drivers and tools
include: hardware.yml
import_tasks: hardware.yml
when: evolinux_hardware_include | bool
- name: Customize for Online.net
include: provider_online.yml
import_tasks: provider_online.yml
when: evolinux_provider_online_include | bool
- name: Customize for Orange FCE
include: provider_orange_fce.yml
import_tasks: provider_orange_fce.yml
when: evolinux_provider_orange_fce_include | bool
- name: Override Log2mail service
include: log2mail.yml
import_tasks: log2mail.yml
when: evolinux_log2mail_include | bool
- include: motd.yml
- import_tasks: motd.yml
when: evolinux_motd_include | bool
- include: utils.yml
- import_tasks: utils.yml
- name: Munin
include_role:
@ -132,6 +133,6 @@
name: evolix/generate-ldif
when: evolinux_generateldif_include | bool
- include: top.yml
- import_tasks: top.yml
- include: htop.yml
- import_tasks: htop.yml


@ -2,6 +2,6 @@
- name: Deploy top configuration file
copy:
# The config format is unredable; ATM it only add the SWAP column
src: htoprc
src: topdefaultrc
dest: /etc/topdefaultrc
mode: "0644"


@ -3,15 +3,22 @@
- include_role:
name: evolix/remount-usr
- name: backup-server-state script is present
- name: dump-server-state script is present
copy:
src: "backup-server-state.sh"
dest: /usr/local/sbin/backup-server-state
src: "dump-server-state.sh"
dest: /usr/local/sbin/dump-server-state
force: True
owner: root
group: root
mode: "0750"
- name: symlink backup-server-state to dump-server-state
file:
src: /usr/local/sbin/dump-server-state
dest: /usr/local/sbin/backup-server-state
state: link
force: yes
- name: "/sbin/deny script is present"
copy:
src: deny.sh
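Review bot: the symlink task with `state: link` and `force: yes` replaces whatever sits at `/usr/local/sbin/backup-server-state`, including the old script copy left by earlier runs, which is the intended migration here but deserves a comment so nobody "fixes" the force later. Style point: the copy task spells the boolean `force: True` while the link task uses `force: yes`; pick one spelling within the file.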
@ -19,4 +26,4 @@
mode: "0700"
owner: root
group: root
force: no
force: no


@ -12,15 +12,15 @@
when: evolinux_users | length == 0
- name: Create user accounts
include: user.yml
include_tasks: user.yml
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
when: evolinux_users | length > 0
- name: Configure sudo
include: sudo.yml
import_tasks: sudo.yml
- name: Configure SSH
include: ssh.yml
import_tasks: ssh.yml
when: evolinux_users | length > 0


@ -40,12 +40,12 @@
var: ssh_allowusers
verbosity: 1
- include: ssh_allowgroups.yml
- import_tasks: ssh_allowgroups.yml
when:
- ssh_allowgroups
- not ssh_allowusers
- include: ssh_allowusers.yml
- include_tasks: ssh_allowusers.yml
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"


@ -1,6 +1,6 @@
---
- include: sudo_jessie.yml
- include_tasks: sudo_jessie.yml
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
@ -10,9 +10,9 @@
- block:
- include: sudo_stretch_common.yml
- import_tasks: sudo_stretch_common.yml
- include: sudo_stretch_user.yml
- include_tasks: sudo_stretch_user.yml
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"


@ -12,4 +12,4 @@
name: evomaintenance
allow_unauthenticated: yes
tags:
- evomaintenance
- evomaintenance


@ -46,4 +46,4 @@
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
tags:
- evomaintenance
- evomaintenance


@ -0,0 +1,31 @@
---
- include_role:
name: evolix/remount-usr
tags:
- evomaintenance
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- evomaintenance
- name: Evomaintenance script and template are installed
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: "{{ item.mode }}"
force: yes
backup: yes
loop:
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
tags:
- evomaintenance


@ -1,18 +1,24 @@
---
- include: install_package_debian.yml
- import_tasks: install_package_debian.yml
when:
- not (evomaintenance_install_vendor | bool)
- ansible_distribution == "Debian"
- include: install_vendor_debian.yml
- import_tasks: install_vendor_debian.yml
when:
- evomaintenance_install_vendor | bool
- ansible_distribution == "Debian"
- include: config.yml
- import_tasks: install_vendor_other.yml
when:
- evomaintenance_install_vendor | bool
- ansible_distribution != "Debian"
- include: minifirewall.yml
- import_tasks: config.yml
- import_tasks: minifirewall.yml
when:
- evomaintenance_hook_db | bool
- ansible_distribution == "Debian"


@ -3,8 +3,11 @@
service:
name: fail2ban
state: restarted
tags:
- fail2ban
- name: restart munin-node
service:
name: munin-node
state: restarted
tags: fail2ban


@ -31,7 +31,7 @@
- fail2ban
- name: Include ignoredips update task
include: ip_whitelist.yml
import_tasks: ip_whitelist.yml
when: fail2ban_force_update_ignore_ips | bool
tags:
- fail2ban


@ -608,11 +608,11 @@ if is_pkg_installed lxc; then
if lxc-ls | grep -q php56 ; then
cat <<EOT >> "${ldif_file}"
dn: ServiceName=ServiceName=php-fpm56,${computer_dn}
dn: ServiceName=php-fpm56,${computer_dn}
NagiosEnabled: TRUE
ipServiceProtocol: tcp
objectClass: EvoService
ServiceName: PHP-FPM (multiphp)
ServiceName: php-fpm56
ipServicePort: 443
ServiceType: web
ServiceVersion: PHP-FPM 5.6 (multiphp)
@ -622,11 +622,11 @@ fi
if lxc-ls | grep -q php70 ; then
cat <<EOT >> "${ldif_file}"
dn: ServiceName=ServiceName=php-fpm70,${computer_dn}
dn: ServiceName=php-fpm70,${computer_dn}
NagiosEnabled: TRUE
ipServiceProtocol: tcp
objectClass: EvoService
ServiceName: PHP-FPM (multiphp)
ServiceName: php-fpm70
ipServicePort: 443
ServiceType: web
ServiceVersion: PHP-FPM 7.0 (multiphp)
@ -636,11 +636,11 @@ fi
if lxc-ls | grep -q php73 ; then
cat <<EOT >> "${ldif_file}"
dn: ServiceName=ServiceName=php-fpm73,${computer_dn}
dn: ServiceName=php-fpm73,${computer_dn}
NagiosEnabled: TRUE
ipServiceProtocol: tcp
objectClass: EvoService
ServiceName: PHP-FPM (multiphp)
ServiceName: php-fpm73
ipServicePort: 443
ServiceType: web
ServiceVersion: PHP-FPM 7.3 (multiphp)
@ -650,11 +650,11 @@ fi
if lxc-ls | grep -q php74 ; then
cat <<EOT >> "${ldif_file}"
dn: ServiceName=ServiceName=php-fpm74,${computer_dn}
dn: ServiceName=php-fpm74,${computer_dn}
NagiosEnabled: TRUE
ipServiceProtocol: tcp
objectClass: EvoService
ServiceName: PHP-FPM (multiphp)
ServiceName: php-fpm74
ipServicePort: 443
ServiceType: web
ServiceVersion: PHP-FPM 7.4 (multiphp)
@ -664,11 +664,11 @@ fi
if lxc-ls | grep -q php80 ; then
cat <<EOT >> "${ldif_file}"
dn: ServiceName=ServiceName=php-fpm80,${computer_dn}
dn: ServiceName=php-fpm80,${computer_dn}
NagiosEnabled: TRUE
ipServiceProtocol: tcp
objectClass: EvoService
ServiceName: PHP-FPM (multiphp)
ServiceName: php-fpm80
ipServicePort: 443
ServiceType: web
ServiceVersion: PHP-FPM 8.0 (multiphp)
@ -678,11 +678,11 @@ fi
if lxc-ls | grep -q php81 ; then
cat <<EOT >> "${ldif_file}"
dn: ServiceName=ServiceName=php-fpm81,${computer_dn}
dn: ServiceName=php-fpm81,${computer_dn}
NagiosEnabled: TRUE
ipServiceProtocol: tcp
objectClass: EvoService
ServiceName: PHP-FPM (multiphp)
ServiceName: php-fpm81
ipServicePort: 443
ServiceType: web
ServiceVersion: PHP-FPM 8.1 (multiphp)
@ -709,6 +709,37 @@ EOT
fi
# bkctld
if is_pkg_installed bkctld; then
bkctld_version=$(get_pkg_version bkctld)
fi
if [ -n "${bkctld_version}" ]; then
cat <<EOT >> "${ldif_file}"
dn: ServiceName=bkctld_jails,${computer_dn}
NagiosEnabled: TRUE
objectClass: EvoService
ServiceName: bkctld_jails
ServiceType: backup
ServiceVersion: bkctld ${bkctld_version}
dn: ServiceName=bkctld_setup,${computer_dn}
NagiosEnabled: TRUE
objectClass: EvoService
ServiceName: bkctld_setup
ServiceType: backup
ServiceVersion: bkctld ${bkctld_version}
dn: ServiceName=disk-worktime,${computer_dn}
NagiosEnabled: TRUE
objectClass: EvoService
ServiceName: disk-worktime
ServiceType: disk
ServiceVersion: Undefined
EOT
fi
# test if we have a stdout
if [ -t 1 ]; then
echo "Output is in ${ldif_file}"
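Review bot: the `disk-worktime` service entry is emitted inside `if [ -n "${bkctld_version}" ]`, so it only appears on hosts running bkctld although it is a generic disk check (`ServiceType: disk`, `ServiceVersion: Undefined`); if it is meant for every backup server, or every host, move it out of the bkctld block. Also confirm the heredoc separates the three `dn:` records with an empty line: as rendered here they run together, and LDIF requires a blank line between entries.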


@ -83,7 +83,7 @@
- config
- update-config
- include: packages_backports.yml
- import_tasks: packages_backports.yml
when: haproxy_backports | bool
- name: Install HAProxy package
@ -134,4 +134,4 @@
- haproxy
- logrotate
- include: munin.yml
- import_tasks: munin.yml


@ -3,8 +3,8 @@
# msg: "This role support only java 8 for now !"
# when: java_version != 8
- include: openjdk.yml
- import_tasks: openjdk.yml
when: java_alternative == 'openjdk'
- include: oracle.yml
- import_tasks: oracle.yml
when: java_alternative == 'oracle'


@ -28,7 +28,7 @@
owner: root
group: root
force: yes
tags:
tags:
- keepalived
- nrpe


@ -136,7 +136,7 @@
# - optimize
# - data
- include: proxy_nginx.yml
- import_tasks: proxy_nginx.yml
when: kibana_proxy_nginx | bool
tags:
- kibana


@ -5,12 +5,12 @@
when: kvm_install_drbd
## TODO: check why it's disabled
- include: ssh.yml
- import_tasks: ssh.yml
- include: packages.yml
- import_tasks: packages.yml
- include: munin.yml
- import_tasks: munin.yml
- include: images.yml
- import_tasks: images.yml
- include: tools.yml
- import_tasks: tools.yml


@ -33,7 +33,7 @@
state: present
special_time: "hourly"
user: root
job: "rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/"
job: "if ls /etc/libvirt/qemu/*xml > /dev/null 2> /dev/null; then rsync -a --delete /etc/libvirt/qemu/*xml {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/; fi"
when:
- kvm_pair is defined
- kvm_pair is not none
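Review bot: the `ls` guard stops the hourly job from mailing an error when no domain XML exists yet, but `rsync -a --delete` with a shell glob as source never deletes anything: `--delete` only acts on directories that are synchronised as a whole, and `/etc/libvirt/qemu/*xml` makes rsync transfer individual files. If the intent is that definitions removed on this host also disappear on the pair, sync the directory with a filter instead, e.g. `rsync -a --delete --include='*.xml' --exclude='*' /etc/libvirt/qemu/ {{ hostvars[kvm_pair]['lan.ip'] }}:/root/libvirt-{{ inventory_hostname }}/`, which also makes the guard unnecessary. Minor: `> /dev/null 2> /dev/null` can be `> /dev/null 2>&1`.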


@ -64,4 +64,4 @@
file:
path: /usr/share/scripts/kvmstats
state: absent
when: "'/usr/share/scripts' not in kvm_scripts_dir"
when: "'/usr/share/scripts' not in kvm_scripts_dir"


@ -16,11 +16,11 @@
notify: restart slapd
- name: ldapvirc file
include: ldapvirc.yml
import_tasks: ldapvirc.yml
- name: nagios config file for LDAP
include: nagios.yml
import_tasks: nagios.yml
- name: initialize database
include: init.yml
when: not root_ldapvirc_path.stat.exists
import_tasks: init.yml
when: not root_ldapvirc_path.stat.exists


@ -105,6 +105,6 @@
var: logstash_template
verbosity: 1
- include: logs.yml
- import_tasks: logs.yml
- include: tmpdir.yml
- import_tasks: tmpdir.yml


@ -9,22 +9,22 @@
name: "{{ lxc_php_version }}"
container_command: "apt-get update"
- include: "php56.yml"
- import_tasks: "php56.yml"
when: lxc_php_version == "php56"
- include: "php70.yml"
- import_tasks: "php70.yml"
when: lxc_php_version == "php70"
- include: "php73.yml"
- import_tasks: "php73.yml"
when: lxc_php_version == "php73"
- include: "php74.yml"
- import_tasks: "php74.yml"
when: lxc_php_version == "php74"
- include: "php80.yml"
- import_tasks: "php80.yml"
when: lxc_php_version == "php80"
- include: "php81.yml"
- import_tasks: "php81.yml"
when: lxc_php_version == "php81"
- include: "misc.yml"
- import_tasks: "misc.yml"


@ -17,4 +17,4 @@
loop_control:
loop_var: line_item
- include: "mail_ssmtp.yml"
- import_tasks: "mail_ssmtp.yml"


@ -17,4 +17,4 @@
loop_control:
loop_var: line_item
- include: "mail_opensmtpd.yml"
- import_tasks: "mail_opensmtpd.yml"


@ -17,4 +17,4 @@
loop_control:
loop_var: line_item
- include: "mail_opensmtpd.yml"
- import_tasks: "mail_opensmtpd.yml"


@ -23,4 +23,4 @@
loop_control:
loop_var: line_item
- include: "mail_opensmtpd.yml"
- import_tasks: "mail_opensmtpd.yml"


@ -60,4 +60,4 @@
loop_control:
loop_var: line_item
- include: "mail_opensmtpd.yml"
- import_tasks: "mail_opensmtpd.yml"


@ -50,7 +50,7 @@
failed_when: "check_var.rc == 0"
- name: Create containers
include: create-container.yml
include_tasks: create-container.yml
vars:
name: "{{ item.name }}"
release: "{{ item.release }}"


@ -36,4 +36,6 @@ lxc.start.auto = 1
{% if ansible_distribution_major_version is version('9', '>') %}
# Set LXC container unconfined in AppArmor
lxc.apparmor.profile = unconfined
{% else %}
lxc.aa_profile = unconfined
{% endif %}
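Review bot: `lxc.apparmor.profile = unconfined` (and `lxc.aa_profile = unconfined` on older releases) removes AppArmor confinement from every container created by this role, so a compromised process inside a container is held back only by namespaces and the capability bounding set. The profile LXC generates by default is normally sufficient for system containers on Debian 10 and later; if a specific workload really needs to run unconfined, make it a per-container variable with a comment explaining why rather than the template default.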


@ -69,6 +69,6 @@
- memcached
when: memcached_instance_name | length > 0
- include: munin.yml
- import_tasks: munin.yml
- include: nrpe.yml
- import_tasks: nrpe.yml

View file

@ -1,13 +1,19 @@
---
minifirewall_main_file: /etc/default/minifirewall
minifirewall_tail_file: /etc/default/minifirewall.tail
# Deprecated variable
# minifirewall_main_file: /etc/default/minifirewall
minifirewall_tail_file: zzz-tail
minifirewall_tail_included: False
minifirewall_tail_force: True
# Overwrite files completely
minifirewall_force_upgrade_script: False
minifirewall_force_upgrade_config: False
# Update specific values in configuration
minifirewall_update_config: True
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
minifirewall_checkout_path: "/tmp/minifirewall"
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
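Review bot: `minifirewall_tail_file` changes meaning here without a comment, from an absolute path (`/etc/default/minifirewall.tail`) to a bare name (`zzz-tail`) that presumably lands in the includes directory; anyone overriding it in inventory with a path will break. Add a comment stating the new semantics (a name relative to /etc/minifirewall.d, without a "." since minifirewall only sources files without one) and a CHANGELOG entry. `minifirewall_main_file` survives only as a comment, so a leftover override is now ignored without warning; an `assert` that it is undefined would make the deprecation visible.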
@ -31,7 +37,7 @@ minifirewall_private_ports_tcp: [5666]
minifirewall_private_ports_udp: []
# Keep a null value to leave the setting as is
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0']"
# otherwise use an Array, eg. "minifirewall_ssh_ok: ['0.0.0.0/0', '::/0']"
minifirewall_dns_servers: Null
minifirewall_http_sites: Null
minifirewall_https_sites: Null
@ -41,6 +47,22 @@ minifirewall_smtp_ok: Null
minifirewall_smtp_secure_ok: Null
minifirewall_ntp_ok: Null
minifirewall_proxy: "off"
minifirewall_proxyport: 8888
minifirewall_proxybypass:
- "${INTLAN}"
- "127.0.0.0/8"
- "::1/128"
minifirewall_backupservers: Null
minifirewall_sysctl_icmp_echo_ignore_broadcasts : Null
minifirewall_sysctl_icmp_ignore_bogus_error_responses : Null
minifirewall_sysctl_accept_source_route : Null
minifirewall_sysctl_tcp_syncookies : Null
minifirewall_sysctl_icmp_redirects : Null
minifirewall_sysctl_rp_filter : Null
minifirewall_sysctl_log_martians : Null
minifirewall_autostart: False
minifirewall_restart_if_needed: True
minifirewall_restart_force: False
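Review bot: the seven `minifirewall_sysctl_* : Null` keys have a space before the colon; YAML accepts it, but it differs from every other key in the file, so normalize to `key: Null`. `minifirewall_proxybypass` carries the literal `"${INTLAN}"`, which only works if the template writes PROXYBYPASS between double quotes so the shell expands it when minifirewall sources the config (the shipped config does, with `PROXYBYPASS="${INTLAN} 127.0.0.0/8 ::1/128"`); a comment saying that this is deliberate shell expansion, not an Ansible templating leftover, would help.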

View file

@ -0,0 +1,23 @@
#!/bin/sh
ripedeny_file=/var/tmp/ripe_deny
cd /var/tmp
rm -f $ripedeny_file
GET http://antispam00.evolix.org/spam/ripe.cidr.md5 > ripe.cidr.md5
GET http://antispam00.evolix.org/spam/ripe.cidr > ripe.cidr
for i in CN KR RU; do
grep "^$i|" ripe.cidr >> $ripedeny_file
done
/sbin/iptables -F NEEDRESTRICT
for i in $(cat $ripedeny_file); do
BLOCK=$(echo $i | cut -d"|" -f2)
/sbin/iptables -I NEEDRESTRICT -s $BLOCK -j DROP
done
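Review bot: ripe.cidr.md5 is fetched but never compared against ripe.cidr, and both come over plain HTTP, so the list that becomes DROP rules in NEEDRESTRICT is unauthenticated; verify it (`md5sum -c` at minimum, better fetch over HTTPS) and abort on a failed or empty download before flushing NEEDRESTRICT, otherwise a transient fetch error empties the chain. The script also has no `set -e`, and `$BLOCK` and `$ripedeny_file` are unquoted, so one malformed line in the feed reaches `iptables -s` as-is.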

minifirewall/files/minifirewall (new executable file, 902 lines)
View file

@ -0,0 +1,902 @@
#!/bin/sh
# minifirewall is shellscripts for easy firewalling on a standalone server
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
# See https://gitea.evolix.org/evolix/minifirewall
# Copyright (c) 2007-2022 Evolix
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License.
# Description
# script for standalone server
# Start or stop minifirewall
#
### BEGIN INIT INFO
# Provides: minifirewall
# Required-Start:
# Required-Stop:
# Should-Start: $network $syslog $named
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the firewall
# Description: Firewall designed for standalone server
### END INIT INFO
VERSION="22.03.4"
NAME="minifirewall"
# shellcheck disable=SC2034
DESC="Firewall designed for standalone server"
set -u
# Variables configuration
#########################
config_file="/etc/default/minifirewall"
includes_dir="/etc/minifirewall.d"
# iptables paths
IPT=$(command -v iptables)
if [ -z "${IPT}" ]; then
echo "Unable to find 'iptables\` command in PATH." >&2
exit 1
fi
IPT6=$(command -v ip6tables)
if [ -z "${IPT6}" ]; then
echo "Unable to find 'ip6tables\` command in PATH." >&2
exit 1
fi
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
CLASSA='10.0.0.0/8'
CLASSB='172.16.0.0/12'
CLASSC='192.168.0.0/16'
CLASSD='224.0.0.0/4'
CLASSE='240.0.0.0/5'
ALL='0.0.0.0'
BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
# Configuration
INT=''
IPV6=''
DOCKER=''
INTLAN=''
TRUSTEDIPS=''
PRIVILEGIEDIPS=''
SERVICESTCP1p=''
SERVICESUDP1p=''
SERVICESTCP1=''
SERVICESUDP1=''
SERVICESTCP2=''
SERVICESUDP2=''
SERVICESTCP3=''
SERVICESUDP3=''
DNSSERVEURS=''
HTTPSITES=''
HTTPSSITES=''
FTPSITES=''
SSHOK=''
SMTPOK=''
SMTPSECUREOK=''
NTPOK=''
PROXY=''
PROXYBYPASS=''
PROXYPORT=''
BACKUPSERVERS=''
LEGACY_CONFIG='off'
## pseudo dry-run :
## Uncomment and call these functions instead of the real iptables and ip6tables commands
# IPT="fake_iptables"
# IPT6="fake_ip6tables"
# fake_iptables() {
# printf "DRY-RUN iptables %s\n" "$*"
# }
# fake_ip6tables() {
# printf "DRY-RUN ip6tables %s\n" "$*"
# }
## Beware that commands executed from included files are not modified by this trick.
sort_values() {
echo "$*" | tr ' ' '\n' | sort -h
}
is_ipv6_enabled() {
test "${IPV6}" != "off"
}
is_docker_enabled() {
test "${DOCKER}" = "on"
}
is_proxy_enabled() {
test "${PROXY}" = "on"
}
is_ipv6() {
echo "$1" | grep -q ':'
}
is_legacy_config() {
test "${LEGACY_CONFIG}" != "off"
}
chain_exists() {
chain_name="$1"
if [ $# -ge 2 ]; then
intable="--table $2"
else
intable=""
fi
# shellcheck disable=SC2086
iptables ${intable} -nL "${chain_name}" >/dev/null 2>&1
}
source_file_or_error() {
file=$1
echo "...sourcing '${file}\`"
tmpfile=$(mktemp --tmpdir=/tmp minifirewall.XXX)
. "${file}" 2>"${tmpfile}" >&2
if [ -s "${tmpfile}" ]; then
echo "${file} returns standard or error output (see below). Stopping." >&2
cat "${tmpfile}"
exit 1
fi
rm "${tmpfile}"
}
source_configuration() {
if ! test -f ${config_file}; then
echo "${config_file} does not exist" >&2
## We still want to deal with this really old configuration file
## even if it has been deprecated since Debian 8
old_config_file="/etc/firewall.rc"
if test -f ${old_config_file}; then
echo "${old_config_file} is deprecated. Rename it to ${config_file}" >&2
fi
exit 1
fi
if grep -e "iptables" -e "ip6tables" "${config_file}" | grep -qvE "^#"; then
# Backward compatible mode
###########################
echo "Legacy config detected"
LEGACY_CONFIG='on'
# Non-backward compatible mode
###############################
# If we ever want to remove the backward compatible mode
# we can remove the two lines above and uncomment the lines below.
# They break if any iptables/ip6tables command is found in the configuration file
# echo "iptables/ip6tables commands found in ${config_file}." >&2
# echo "Move them in included files (in ${includes_dir})." >&2
# exit 1
fi
if is_legacy_config; then
# In this mode, we extract all variable definitions
# to a temporary file that we can source.
# It allow iptables/ip6tables commands to remain in the configuration file
# and not interfere with the configuration step.
tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX)
grep -E "^\s*[_a-zA-Z0-9]+=" "${config_file}" > "${tmp_config_file}"
source_file_or_error "${tmp_config_file}"
rm "${tmp_config_file}"
else
source_file_or_error "${config_file}"
fi
}
source_includes() {
if [ -d "${includes_dir}" ]; then
include_files=$(find ${includes_dir} -type f -readable -not -name '*.*' | sort -h)
for include_file in ${include_files}; do
source_file_or_error "${include_file}"
done
fi
}
start() {
echo "Start IPTables rules..."
# Stop and warn if error!
set -e
trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
# sysctl network security settings
##################################
# Set 1 to ignore broadcast pings (default)
: "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS:=1}"
# Set 1 to ignore bogus ICMP responses (default)
: "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES:=1}"
# Set 0 to disable source routing (default)
: "${SYSCTL_ACCEPT_SOURCE_ROUTE:=0}"
# Set 1 to enable TCP SYN cookies (default)
# cf http://cr.yp.to/syncookies.html
: "${SYSCTL_TCP_SYNCOOKIES:=1}"
# Set 0 to disable ICMP redirects (default)
: "${SYSCTL_ICMP_REDIRECTS:=0}"
# Set 1 to enable Reverse Path filtering (default)
# Set 0 if VRRP is used
: "${SYSCTL_RP_FILTER:=1}"
# Set 1 to log packets with inconsistent address (default)
: "${SYSCTL_LOG_MARTIANS:=1}"
if [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "1" ] || [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "0" ]; then
echo "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
echo "Invalid SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS value '${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}', must be '0' or '1'." >&2
exit 1
fi
if [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "1" ] || [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "0" ]; then
echo "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
else
echo "Invalid SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES value '${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}', must be '0' or '1'." >&2
exit 1
fi
if [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "1" ] || [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "0" ]; then
for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = > "${proc_sys_file}"
done
else
echo "Invalid SYSCTL_ACCEPT_SOURCE_ROUTE value '${SYSCTL_ACCEPT_SOURCE_ROUTE}', must be '0' or '1'." >&2
exit 1
fi
if [ "${SYSCTL_TCP_SYNCOOKIES}" = "1" ] || [ "${SYSCTL_TCP_SYNCOOKIES}" = "0" ]; then
echo "${SYSCTL_TCP_SYNCOOKIES}" > /proc/sys/net/ipv4/tcp_syncookies
else
echo "Invalid SYSCTL_TCP_SYNCOOKIES value '${SYSCTL_TCP_SYNCOOKIES}', must be '0' or '1'." >&2
exit 1
fi
if [ "${SYSCTL_ICMP_REDIRECTS}" = "1" ] || [ "${SYSCTL_ICMP_REDIRECTS}" = "0" ]; then
for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}"
done
for proc_sys_file in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}"
done
else
echo "Invalid SYSCTL_ICMP_REDIRECTS value '${SYSCTL_ICMP_REDIRECTS}', must be '0' or '1'." >&2
exit 1
fi
if [ "${SYSCTL_RP_FILTER}" = "1" ] || [ "${SYSCTL_RP_FILTER}" = "0" ]; then
for proc_sys_file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "${SYSCTL_RP_FILTER}" > "${proc_sys_file}"
done
else
echo "Invalid SYSCTL_RP_FILTER value '${SYSCTL_RP_FILTER}', must be '0' or '1'." >&2
exit 1
fi
if [ "${SYSCTL_LOG_MARTIANS}" = "1" ] || [ "${SYSCTL_LOG_MARTIANS}" = "0" ]; then
for proc_sys_file in /proc/sys/net/ipv4/conf/*/log_martians; do
echo "${SYSCTL_LOG_MARTIANS}" > "${proc_sys_file}"
done
else
echo "Invalid SYSCTL_LOG_MARTIANS value '${SYSCTL_LOG_MARTIANS}', must be '0' or '1'." >&2
exit 1
fi
# IPTables configuration
########################
${IPT} -N LOG_DROP
${IPT} -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
${IPT} -A LOG_DROP -j DROP
${IPT} -N LOG_ACCEPT
${IPT} -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
${IPT} -A LOG_ACCEPT -j ACCEPT
if is_ipv6_enabled; then
${IPT6} -N LOG_DROP
${IPT6} -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
${IPT6} -A LOG_DROP -j DROP
${IPT6} -N LOG_ACCEPT
${IPT6} -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
${IPT6} -A LOG_ACCEPT -j ACCEPT
fi
# Source additional rules and commands
# * from legacy configuration file (/etc/default/minifirewall)
# * from configuration directory (/etc/minifirewall.d/*)
source_includes
# IP/ports lists are sorted to have consistent ordering
# You can disable this feature by simply commenting the following lines
LOOPBACK=$(sort_values ${LOOPBACK})
INTLAN=$(sort_values ${INTLAN})
TRUSTEDIPS=$(sort_values ${TRUSTEDIPS})
PRIVILEGIEDIPS=$(sort_values ${PRIVILEGIEDIPS})
SERVICESTCP1p=$(sort_values ${SERVICESTCP1p})
SERVICESUDP1p=$(sort_values ${SERVICESUDP1p})
SERVICESTCP1=$(sort_values ${SERVICESTCP1})
SERVICESUDP1=$(sort_values ${SERVICESUDP1})
SERVICESTCP2=$(sort_values ${SERVICESTCP2})
SERVICESUDP2=$(sort_values ${SERVICESUDP2})
SERVICESTCP3=$(sort_values ${SERVICESTCP3})
SERVICESUDP3=$(sort_values ${SERVICESUDP3})
DNSSERVEURS=$(sort_values ${DNSSERVEURS})
HTTPSITES=$(sort_values ${HTTPSITES})
HTTPSSITES=$(sort_values ${HTTPSSITES})
FTPSITES=$(sort_values ${FTPSITES})
SSHOK=$(sort_values ${SSHOK})
SMTPOK=$(sort_values ${SMTPOK})
SMTPSECUREOK=$(sort_values ${SMTPSECUREOK})
NTPOK=$(sort_values ${NTPOK})
PROXYBYPASS=$(sort_values ${PROXYBYPASS})
BACKUPSERVERS=$(sort_values ${BACKUPSERVERS})
# Trusted ip addresses
${IPT} -N ONLYTRUSTED
${IPT} -A ONLYTRUSTED -j LOG_DROP
if is_ipv6_enabled; then
${IPT6} -N ONLYTRUSTED
${IPT6} -A ONLYTRUSTED -j LOG_DROP
fi
for ip in ${TRUSTEDIPS}; do
if is_ipv6 ${ip}; then
if is_ipv6_enabled; then
${IPT6} -I ONLYTRUSTED -s ${ip} -j ACCEPT
fi
else
${IPT} -I ONLYTRUSTED -s ${ip} -j ACCEPT
fi
done
# Privilegied ip addresses
# (trusted ip addresses *are* privilegied)
${IPT} -N ONLYPRIVILEGIED
${IPT} -A ONLYPRIVILEGIED -j ONLYTRUSTED
if is_ipv6_enabled; then
${IPT6} -N ONLYPRIVILEGIED
${IPT6} -A ONLYPRIVILEGIED -j ONLYTRUSTED
fi
for ip in ${PRIVILEGIEDIPS}; do
if is_ipv6 ${ip}; then
if is_ipv6_enabled; then
${IPT6} -I ONLYPRIVILEGIED -s ${ip} -j ACCEPT
fi
else
${IPT} -I ONLYPRIVILEGIED -s ${ip} -j ACCEPT
fi
done
# Chain for restrictions (blacklist IPs/ranges)
${IPT} -N NEEDRESTRICT
if is_ipv6_enabled; then
${IPT6} -N NEEDRESTRICT
fi
# We allow all on loopback interface
${IPT} -A INPUT -i lo -j ACCEPT
if is_ipv6_enabled; then
${IPT6} -A INPUT -i lo -j ACCEPT
fi
# if OUTPUTDROP
${IPT} -A OUTPUT -o lo -j ACCEPT
if is_ipv6_enabled; then
${IPT6} -A OUTPUT -o lo -j ACCEPT
fi
# We avoid "martians" packets, typical when W32/Blaster virus
# attacked windowsupdate.com and DNS was changed to 127.0.0.1
# ${IPT} -t NAT -I PREROUTING -s ${LOOPBACK} -i ! lo -j DROP
for IP in ${LOOPBACK}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -s ${IP} ! -i lo -j DROP
fi
else
${IPT} -A INPUT -s ${IP} ! -i lo -j DROP
fi
done
if is_docker_enabled; then
# WARN: IPv6 not yet supported for Docker rules
${IPT} -N MINIFW-DOCKER-TRUSTED
${IPT} -A MINIFW-DOCKER-TRUSTED -j DROP
${IPT} -N MINIFW-DOCKER-PRIVILEGED
${IPT} -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
${IPT} -A MINIFW-DOCKER-PRIVILEGED -j RETURN
${IPT} -N MINIFW-DOCKER-PUB
${IPT} -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
${IPT} -A MINIFW-DOCKER-PUB -j RETURN
# Flush DOCKER-USER if exist, create it if absent
if chain_exists 'DOCKER-USER'; then
${IPT} -F DOCKER-USER
else
${IPT} -N DOCKER-USER
fi;
# Pipe new connection through MINIFW-DOCKER-PUB
${IPT} -A DOCKER-USER -i ${INT} -m state --state NEW -j MINIFW-DOCKER-PUB
${IPT} -A DOCKER-USER -j RETURN
fi
# Local services restrictions
#############################
# Allow services for ${INTLAN} (local server or local network)
for IP in ${INTLAN}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -s ${IP} -j ACCEPT
fi
else
${IPT} -A INPUT -s ${IP} -j ACCEPT
fi
done
# Enable protection chain for sensible services
for port in ${SERVICESTCP1p}; do
${IPT} -A INPUT -p tcp --dport ${port} -j NEEDRESTRICT
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp --dport ${port} -j NEEDRESTRICT
fi
done
for port in ${SERVICESUDP1p}; do
${IPT} -A INPUT -p udp --dport ${port} -j NEEDRESTRICT
if is_ipv6_enabled; then
${IPT6} -A INPUT -p udp --dport ${port} -j NEEDRESTRICT
fi
done
# Public service
for port in ${SERVICESTCP1}; do
${IPT} -A INPUT -p tcp --dport ${port} -j ACCEPT
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp --dport ${port} -j ACCEPT
fi
done
for port in ${SERVICESUDP1}; do
${IPT} -A INPUT -p udp --dport ${port} -j ACCEPT
if is_ipv6_enabled; then
${IPT6} -A INPUT -p udp --dport ${port} -j ACCEPT
fi
done
# Privilegied services
for port in ${SERVICESTCP2}; do
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYPRIVILEGIED
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp --dport ${port} -j ONLYPRIVILEGIED
fi
done
for port in ${SERVICESUDP2}; do
${IPT} -A INPUT -p udp --dport ${port} -j ONLYPRIVILEGIED
if is_ipv6_enabled; then
${IPT6} -A INPUT -p udp --dport ${port} -j ONLYPRIVILEGIED
fi
done
# Private services
for port in ${SERVICESTCP3}; do
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYTRUSTED
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp --dport ${port} -j ONLYTRUSTED
fi
done
for port in ${SERVICESUDP3}; do
${IPT} -A INPUT -p udp --dport ${port} -j ONLYTRUSTED
if is_ipv6_enabled; then
${IPT6} -A INPUT -p udp --dport ${port} -j ONLYTRUSTED
fi
done
if is_docker_enabled; then
# WARN: IPv6 not yet supported
# Public services defined in SERVICESTCP1 & SERVICESUDP1
for dstport in ${SERVICESTCP1}; do
${IPT} -I MINIFW-DOCKER-PUB -p tcp --dport "${dstport}" -j RETURN
done
for dstport in ${SERVICESUDP1}; do
${IPT} -I MINIFW-DOCKER-PUB -p udp --dport "${dstport}" -j RETURN
done
# Privileged services (accessible from privileged & trusted IPs)
for dstport in ${SERVICESTCP2}; do
for srcip in ${PRIVILEGIEDIPS}; do
if ! is_ipv6 ${srcip}; then
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
fi
done
for srcip in ${TRUSTEDIPS}; do
if ! is_ipv6 ${srcip}; then
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
fi
done
done
for dstport in ${SERVICESUDP2}; do
for srcip in ${PRIVILEGIEDIPS}; do
if ! is_ipv6 ${srcip}; then
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
fi
done
for srcip in ${TRUSTEDIPS}; do
if ! is_ipv6 ${srcip}; then
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
fi
done
done
# Trusted services (accessible from trusted IPs)
for dstport in ${SERVICESTCP3}; do
for srcip in ${TRUSTEDIPS}; do
if ! is_ipv6 ${srcip}; then
${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
fi
done
done
for dstport in ${SERVICESUDP3}; do
for srcip in ${TRUSTEDIPS}; do
if ! is_ipv6 ${srcip}; then
${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
fi
done
done
fi
# External services
###################
# DNS authorizations
for IP in ${DNSSERVEURS}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
${IPT6} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${IP} -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPT6} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 53 --match state --state NEW -j ACCEPT
fi
else
${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${IP} -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPT} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 53 --match state --state NEW -j ACCEPT
fi
done
# HTTP (TCP/80) authorizations
for IP in ${HTTPSITES}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
else
${IPT} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
done
# HTTPS (TCP/443) authorizations
for IP in ${HTTPSSITES}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
else
${IPT} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
done
# FTP (so complex protocol...) authorizations
for IP in ${FTPSITES}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
# requests on Control connection
${IPT6} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
# FTP port-mode on Data Connection
${IPT6} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
# FTP passive-mode on Data Connection
# WARNING, this allow all connections on TCP ports > 1024
${IPT6} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
else
# requests on Control connection
${IPT} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
# FTP port-mode on Data Connection
${IPT} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
# FTP passive-mode on Data Connection
# WARNING, this allow all connections on TCP ports > 1024
${IPT} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
done
# SSH authorizations
for IP in ${SSHOK}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp ! --syn --sport 22 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
else
${IPT} -A INPUT -p tcp ! --syn --sport 22 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
done
# SMTP authorizations
for IP in ${SMTPOK}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
else
${IPT} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
done
# secure SMTP (TCP/465 et TCP/587) authorizations
for IP in ${SMTPSECUREOK}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
${IPT6} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
else
${IPT} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
${IPT} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${IP} -j ACCEPT
fi
done
# NTP authorizations
for IP in ${NTPOK}; do
if is_ipv6 ${IP}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -p udp --sport 123 -s ${IP} -j ACCEPT
${IPT6} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 123 --match state --state NEW -j ACCEPT
fi
else
${IPT} -A INPUT -p udp --sport 123 -s ${IP} -j ACCEPT
${IPT} -A OUTPUT -o ${INT} -p udp -d ${IP} --dport 123 --match state --state NEW -j ACCEPT
fi
done
# Proxy (Squid)
if is_proxy_enabled; then
# WARN: Squid only listen on IPv4 yet
# TODO: verify that the pattern used for IPv4 is relevant with IPv6
${IPT} -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
for dstip in ${PROXYBYPASS}; do
if ! is_ipv6 ${dstip}; then
${IPT} -t nat -A OUTPUT -p tcp --dport 80 -d "${dstip}" -j ACCEPT
fi
done
${IPT} -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port "${PROXYPORT:-'8888'}"
fi
# Output for backup servers
for server in ${BACKUPSERVERS}; do
server_port=$(echo "${server}" | awk -F : '{print $(NF)}')
server_ip=$(echo "${server}" | sed -e "s/:${server_port}$//")
if [ -n "${server_ip}" ] && [ -n "${server_port}" ]; then
if is_ipv6 ${server_ip}; then
if is_ipv6_enabled; then
${IPT6} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
else
${IPT} -A INPUT -p tcp --sport "${server_port}" --dport 1024:65535 -s "${server_ip}" -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
else
echo "Unrecognized syntax for BACKUPSERVERS '${server}\`. Use space-separated IP:PORT tuples." >&2
exit 1
fi
done
# Always allow ICMP
${IPT} -A INPUT -p icmp -j ACCEPT
if is_ipv6_enabled; then
${IPT6} -A INPUT -p icmpv6 -j ACCEPT
fi
# IPTables policy
#################
# by default DROP INPUT packets
${IPT} -P INPUT DROP
if is_ipv6_enabled; then
${IPT6} -P INPUT DROP
fi
# by default, no FORWARDING (deprecated for Virtual Machines)
#echo 0 > /proc/sys/net/ipv4/ip_forward
#${IPT} -P FORWARD DROP
#${IPT6} -P FORWARD DROP
# by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets)
${IPT} -P OUTPUT ACCEPT
if is_ipv6_enabled; then
${IPT6} -P OUTPUT ACCEPT
fi
${IPT} -A OUTPUT -o ${INT} -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
if is_ipv6_enabled; then
${IPT6} -A OUTPUT -o ${INT} -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
fi
${IPT} -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
if is_ipv6_enabled; then
${IPT6} -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
fi
${IPT} -A OUTPUT -p udp -j DROP
if is_ipv6_enabled; then
${IPT6} -A OUTPUT -p udp -j DROP
fi
if is_legacy_config; then
source_file_or_error "${config_file}"
fi
trap - INT TERM EXIT
echo "...starting IPTables rules is now finish : OK"
}
stop() {
echo "Flush all rules and accept everything..."
# Delete all rules
${IPT} -F INPUT
if is_ipv6_enabled; then
${IPT6} -F INPUT
fi
${IPT} -F OUTPUT
if is_ipv6_enabled; then
${IPT6} -F OUTPUT
fi
${IPT} -F LOG_DROP
${IPT} -F LOG_ACCEPT
${IPT} -F ONLYTRUSTED
${IPT} -F ONLYPRIVILEGIED
${IPT} -F NEEDRESTRICT
if is_ipv6_enabled; then
${IPT6} -F LOG_DROP
${IPT6} -F LOG_ACCEPT
${IPT6} -F ONLYTRUSTED
${IPT6} -F ONLYPRIVILEGIED
${IPT6} -F NEEDRESTRICT
fi
${IPT} -t mangle -F
if is_ipv6_enabled; then
${IPT6} -t mangle -F
fi
if is_docker_enabled; then
# WARN: IPv6 not yet supported
${IPT} -F DOCKER-USER
${IPT} -A DOCKER-USER -j RETURN
${IPT} -F MINIFW-DOCKER-PUB
${IPT} -X MINIFW-DOCKER-PUB
${IPT} -F MINIFW-DOCKER-PRIVILEGED
${IPT} -X MINIFW-DOCKER-PRIVILEGED
${IPT} -F MINIFW-DOCKER-TRUSTED
${IPT} -X MINIFW-DOCKER-TRUSTED
else
${IPT} -t nat -F
fi
# Accept all
${IPT} -P INPUT ACCEPT
if is_ipv6_enabled; then
${IPT6} -P INPUT ACCEPT
fi
${IPT} -P OUTPUT ACCEPT
if is_ipv6_enabled; then
${IPT6} -P OUTPUT ACCEPT
fi
#${IPT} -P FORWARD ACCEPT
#${IPT} -t nat -P PREROUTING ACCEPT
#${IPT} -t nat -P POSTROUTING ACCEPT
# Delete non-standard chains
${IPT} -X LOG_DROP
${IPT} -X LOG_ACCEPT
${IPT} -X ONLYPRIVILEGIED
${IPT} -X ONLYTRUSTED
${IPT} -X NEEDRESTRICT
if is_ipv6_enabled; then
${IPT6} -X LOG_DROP
${IPT6} -X LOG_ACCEPT
${IPT6} -X ONLYPRIVILEGIED
${IPT6} -X ONLYTRUSTED
${IPT6} -X NEEDRESTRICT
fi
echo "...flushing IPTables rules is now finish : OK"
}
status() {
${IPT} -L -n -v --line-numbers
${IPT} -t nat -L -n -v --line-numbers
${IPT} -t mangle -L -n -v --line-numbers
${IPT6} -L -n -v --line-numbers
${IPT6} -t mangle -L -n -v --line-numbers
}
reset() {
echo "Reset all IPTables counters..."
${IPT} -Z
if is_ipv6_enabled; then
${IPT6} -Z
fi
${IPT} -t nat -Z
${IPT} -t mangle -Z
if is_ipv6_enabled; then
${IPT6} -t mangle -Z
fi
echo "...reseting IPTables counters is now finish : OK"
}
echo "${NAME} version ${VERSION}"
source_configuration
case "${1:-''}" in
start)
start
;;
stop)
stop
;;
status)
status
;;
reset)
reset
;;
restart)
stop
start
;;
*)
echo "Usage: $0 {start|stop|restart|status|reset}"
exit 1
;;
esac
exit 0
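Review bot: the `accept_source_route` loop in start() has a stray `=` (`echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = > "${proc_sys_file}"`), so it writes `0 =` instead of `0` to /proc/sys/net/ipv4/conf/*/accept_source_route; the kernel's integer parser will at best mangle and at worst reject that (`Invalid argument`), and with `set -e` plus the EXIT trap a rejected write aborts start() before a single INPUT rule exists. Drop the `=`. Two related points in the same function: `-P INPUT DROP` is only applied at the very end, so any such error, or an error in a sourced /etc/minifirewall.d file, exits with INPUT policy still ACCEPT and a partial ruleset, i.e. the firewall fails open; setting the policies first (with the loopback and ESTABLISHED rules) would make it fail closed. And `"${PROXYPORT:-'8888'}"` keeps the single quotes literally inside double quotes, so the fallback would pass `'8888'` to `--to-port`; write `${PROXYPORT:-8888}`. Minor: `chain_exists` calls bare `iptables` instead of `${IPT}`, and `status()` calls `${IPT6}` without checking `is_ipv6_enabled`.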

View file

@ -1,31 +1,37 @@
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
# Version 20.12 — 2020-12-01 22:55:35
# Version 22.03.1 — 2022-03-15
# shellcheck shell=sh disable=SC2034
# Main interface
INT='eth0'
# IPv6
IPV6=on
IPV6='on'
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
# Also, we'll add the DOCKER-USER chain, in iptables
#
# WARNING : If the port mapping is different between the host and the container
# (ie: Listen on :8090 on host, but :8080 in container)
# then you need to give the port used inside the container
DOCKER='off'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32'
# Trusted local network
# ...will be often IPv4/32 or IPv6/128 if you don't trust anything
INTLAN='192.0.2.1/32 2001:db8::1/128'
# Trusted IPv4 addresses for private and semi-public services
TRUSTEDIPS='31.170.9.129 62.212.121.90 31.170.8.4 82.65.34.85 54.37.106.210 51.210.84.146'
# Trusted IP addresses for private and semi-public services
# TODO: add all our IPv6 adresses
TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 62.212.121.90 31.170.8.4 2a01:9500::fada/128 82.65.34.85 54.37.106.210 51.210.84.146'
# Privilegied IPv4 addresses for semi-public services
# Privilegied IP addresses for semi-public services
# (no need to add again TRUSTEDIPS)
PRIVILEGIEDIPS=''
# Local services IPv4/IPv6 restrictions
# Local services IP restrictions
#######################################
# Protected services
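Review bot: INTLAN moved to documentation prefixes (192.0.2.1/32 from RFC 5737, 2001:db8::1/128 from RFC 3849), but TRUSTEDIPS still ships real addresses in an example file; use documentation prefixes there too, or comment that these are the operator's own monitoring hosts. The header says `Version 22.03.1 — 2022-03-15` while the script added in the same change reports `VERSION="22.03.4"`; keep the two in step. Typo in the TODO: `adresses` should be `addresses`.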
@ -45,62 +51,86 @@ SERVICESUDP2=''
SERVICESTCP3='5666'
SERVICESUDP3=''
# Standard output IPv4 access restrictions
# Standard output IPv4/IPv6 access restrictions
##########################################
# DNS authorizations
# (if you have local DNS server, set 0.0.0.0/0)
DNSSERVEURS='0.0.0.0/0'
DNSSERVEURS='0.0.0.0/0 ::/0'
# HTTP authorizations
# (you can use DNS names but set cron to reload minifirewall regularly)
# (if you have HTTP proxy, set 0.0.0.0/0)
# HTTPSITES='security.debian.org pub.evolix.net security-cdn.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org ocsp.int-x3.letsencrypt.org'
HTTPSITES='0.0.0.0/0'
HTTPSITES='0.0.0.0/0 ::/0'
# HTTPS authorizations
HTTPSSITES='0.0.0.0/0'
HTTPSSITES='0.0.0.0/0 ::/0'
# FTP authorizations
FTPSITES=''
# SSH authorizations
SSHOK='0.0.0.0/0'
SSHOK='0.0.0.0/0 ::/0'
# SMTP authorizations
SMTPOK='0.0.0.0/0'
SMTPOK='0.0.0.0/0 ::/0'
# SMTP secure authorizations (ports TCP/465 and TCP/587)
SMTPSECUREOK=''
# NTP authorizations
NTPOK='0.0.0.0/0'
NTPOK='0.0.0.0/0 ::/0'
# Proxy (Squid)
PROXY='off'
# (proxy port)
PROXYPORT='8888'
# (destinations that bypass the proxy)
PROXYBYPASS="${INTLAN} 127.0.0.0/8 ::1/128"
# Backup servers
# (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678')
BACKUPSERVERS=''
# IPv6 Specific rules
# Includes
#####################
# Example: allow SSH from Trusted IPv6 addresses
/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT
# Files in /etc/minifirewall.d/* (without "." in name)
# are automatically included in alphanumerical order.
#
# Within included files, you can use those helper functions :
# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
# * is_docker_enabled: returns true if Docker mode is eabled, or false
# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
# Example: allow output DNS, NTP and traceroute traffic
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
# Custom sysctl values (advanced)
#################################
# Example: allow DHCPv6
/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
# In most cases, the default values set by minifirewall are good.
# If you really know what you are doing,
# you can uncomment some lines and customize the values.
# IPv4 Specific rules
#####################
# Set 1 to ignore broadcast pings (default)
# SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='1'
# /sbin/iptables ...
# Set 1 to ignore bogus ICMP responses (default)
# SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='1'
# Set 0 to disable source routing (default)
# SYSCTL_ACCEPT_SOURCE_ROUTE='0'
# Set 1 to enable TCP SYN cookies (default)
# SYSCTL_TCP_SYNCOOKIES='1'
# Set 0 to disable ICMP redirects (default)
# SYSCTL_ICMP_REDIRECTS='0'
# Set 1 to enable Reverse Path filtering (default)
# Set 0 if VRRP is used
# SYSCTL_RP_FILTER='1'
# Set 1 to log packets with inconsistent address (default)
# SYSCTL_LOG_MARTIANS='1'
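Review bot: the ip6tables examples dropped here (ESTABLISHED,RELATED returns for SSH/HTTP/HTTPS/SMTP/DNS, outbound DNS/NTP, DHCPv6) vanish without a pointer to their replacement; since the new script generates the IPv6 rules itself when IPV6 is on, say so, and say that anything still needed, such as the DHCPv6 allow which has no equivalent in the script, belongs in /etc/minifirewall.d. Also worth stating in this file: any uncommented line containing `iptables` or `ip6tables` left here flips the script into legacy mode. Typos in the helper list: `eabled` should be `enabled`, and `enabled , or` should be `enabled, or`.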

View file

@ -0,0 +1,11 @@
### custom minifirewall commands
#
# You can add any custom command in files like this;
# either this one, or others in the same directory.
# They are executed as shell scripts.
# They are automatically included in alphanumerical order.
#
# Within included files, you can use those helper functions :
# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
# * is_docker_enabled: returns true if Docker mode is eabled, or false
# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
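Review bot: same typos as in the config comment, `eabled` for `enabled` and the stray space in `enabled , or`. More important for the reader: these files are not run as separate scripts but sourced into minifirewall's own shell under `set -e`, and any output on stdout or stderr is treated as an error that stops the start, so the comment should say that a failing or chatty command here aborts the whole firewall start.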


@ -0,0 +1,7 @@
### ban rules
#
# If you have ban rules in /root/ban.iptables
# (either manually or with /usr/share/scripts/blacklist-countries.sh)
# ou can automatically import them with the following command:
#
# cat /root/ban.iptables | iptables-restore -n
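Review bot: "ou can" should read "you can", and the example has a useless `cat`; `iptables-restore -n < /root/ban.iptables` does the same. The `-n` (no flush) flag is what keeps the rules minifirewall just installed from being wiped, so the comment should say that rather than leave it implicit, and it should mention that the ban file must use the same table/chain layout as iptables-save output or the restore fails.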


@ -9,11 +9,12 @@
- name: Stat minifirewall config file (before)
stat:
path: "{{ minifirewall_main_file }}"
path: "/etc/default/minifirewall"
register: minifirewall_before
- name: Check if minifirewall is running
shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
shell:
cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
changed_when: False
failed_when: False
check_mode: no
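Review bot: hard-coding "/etc/default/minifirewall" here and in every later task of this file repeats the same literal a dozen times; since main.yml now refuses a user-defined minifirewall_main_file, a role-internal variable (in vars/, not defaults/) would keep the path non-configurable while giving a single place to change it. The `shell:` to `shell: cmd:` rewrite is fine; note the pipe's exit status is grep's, which is what the `minifirewall_is_running.rc == 0` check later relies on.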
@ -25,14 +26,14 @@
- name: Begin marker for IP addresses
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
insertbefore: '^# Main interface'
create: no
- name: End marker for IP addresses
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
create: no
line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
insertafter: '^PRIVILEGIEDIPS='
@ -43,12 +44,16 @@
msg: You must provide at least 1 trusted IP
- debug:
msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!"
when: minifirewall_trusted_ips == ["0.0.0.0/0"]
msg: "Warning: minifirewall_trusted_ips contains '0.0.0.0/0', the firewall is useless on IPv4!"
when: "'0.0.0.0/0' in minifirewall_trusted_ips"
- debug:
msg: "Warning: minifirewall_trusted_ips contains '::/0', the firewall is useless on IPv6!"
when: "'::/0' in minifirewall_trusted_ips"
- name: Configure IP addresses
blockinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
block: |
# Main interface
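Review bot: a `debug` message at default verbosity is easy to miss for a condition the text itself calls "the firewall is useless"; consider `fail` (or `assert`) guarded by an explicit override variable so a wide-open trusted list has to be opted into. The membership test is also a literal string match on the list, so equivalent spellings such as "0/0" or a value with surrounding whitespace still pass; normalising with `ipaddr` or checking each entry's prefix length would catch those.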
@ -60,8 +65,12 @@
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='{{ minifirewall_docker }}'
# Also, we'll add the DOCKER-USER chain, in iptables
#
# WARNING : If the port mapping is different between the host and the container
# (ie: Listen on :8090 on host, but :8080 in container)
# then you need to give the port used inside the container
DOCKER='off'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
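Review bot: the managed block now writes `DOCKER='off'` unconditionally where it used to write `DOCKER='{{ minifirewall_docker }}'`, and no other task in this diff sets DOCKER; unless Docker mode is configured elsewhere, hosts relying on minifirewall_docker silently lose it on the next run. Either keep the templated value or add a "Configure DOCKER" lineinfile task like the PROXY ones below. The added WARNING about port mapping would be clearer if it named the variables concerned (the SERVICESTCP*/SERVICESUDP* lists).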
@ -78,21 +87,21 @@
- name: Begin marker for ports
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
insertbefore: '^# Protected services'
create: no
- name: End marker for ports
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
insertafter: '^SERVICESUDP3='
create: no
- name: Configure ports
blockinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
block: |
# Protected services
@ -116,106 +125,171 @@
- name: Configure DNSSERVEURS
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
regexp: "DNSSERVEURS='.*'"
regexp: "DNSSERVEURS=('|\").*('|\")"
create: no
when: minifirewall_dns_servers is not none
- name: Configure HTTPSITES
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
regexp: "HTTPSITES='.*'"
regexp: "HTTPSITES=('|\").*('|\")"
create: no
when: minifirewall_http_sites is not none
- name: Configure HTTPSSITES
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
regexp: "HTTPSSITES='.*'"
regexp: "HTTPSSITES=('|\").*('|\")"
create: no
when: minifirewall_https_sites is not none
- name: Configure FTPSITES
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
regexp: "FTPSITES='.*'"
regexp: "FTPSITES=('|\").*('|\")"
create: no
when: minifirewall_ftp_sites is not none
- name: Configure SSHOK
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
regexp: "SSHOK='.*'"
regexp: "SSHOK=('|\").*('|\")"
create: no
when: minifirewall_ssh_ok is not none
- name: Configure SMTPOK
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
regexp: "SMTPOK='.*'"
regexp: "SMTPOK=('|\").*('|\")"
create: no
when: minifirewall_smtp_ok is not none
- name: Configure SMTPSECUREOK
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
regexp: "SMTPSECUREOK='.*'"
regexp: "SMTPSECUREOK=('|\").*('|\")"
create: no
when: minifirewall_smtp_secure_ok is not none
- name: Configure NTPOK
lineinfile:
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
regexp: "NTPOK='.*'"
regexp: "NTPOK=('|\").*('|\")"
create: no
when: minifirewall_ntp_ok is not none
- name: evomaintenance
- name: Configure PROXY
lineinfile:
dest: "{{ minifirewall_main_file }}"
line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT"
insertafter: "^# EvoMaintenance"
loop: "{{ evomaintenance_hosts }}"
dest: "/etc/default/minifirewall"
line: "PROXY='{{ minifirewall_proxy }}'"
regexp: "PROXY=('|\").*('|\")"
create: no
when: minifirewall_proxy is not none
- name: remove minifirewall example rule for the evomaintenance
- name: Configure PROXYPORT
lineinfile:
dest: "{{ minifirewall_main_file }}"
regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)'
state: absent
when: evomaintenance_hosts | length > 0
dest: "/etc/default/minifirewall"
line: "PROXYPORT='{{ minifirewall_proxyport }}'"
regexp: "PROXYPORT=('|\").*('|\")"
create: no
when: minifirewall_proxyport is not none
# Warning: keep double quotes for the value,
# since we often reference a shell variable that needs to be interpolated
- name: Configure PROXYBYPASS
lineinfile:
dest: "/etc/default/minifirewall"
line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\""
regexp: "PROXYBYPASS=('|\").*('|\")"
create: no
when: minifirewall_proxybypass is not none
- name: Configure BACKUPSERVERS
lineinfile:
dest: "/etc/default/minifirewall"
line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'"
regexp: "BACKUPSERVERS=('|\").*('|\")"
create: no
when: minifirewall_backupservers is not none
- name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'"
regexp: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")"
create: no
when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none
- name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'"
regexp: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")"
create: no
when: minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none
- name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'"
regexp: "SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")"
create: no
when: minifirewall_sysctl_accept_source_route is not none
- name: Configure SYSCTL_TCP_SYNCOOKIES
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'"
regexp: "SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")"
create: no
when: minifirewall_sysctl_tcp_syncookies is not none
- name: Configure SYSCTL_ICMP_REDIRECTS
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'"
regexp: "SYSCTL_ICMP_REDIRECTS=('|\").*('|\")"
create: no
when: minifirewall_sysctl_icmp_redirects is not none
- name: Configure SYSCTL_RP_FILTER
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'"
regexp: "SYSCTL_RP_FILTER=('|\").*('|\")"
create: no
when: minifirewall_sysctl_rp_filter is not none
- name: Configure SYSCTL_LOG_MARTIANS
lineinfile:
dest: "/etc/default/minifirewall"
line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'"
regexp: "SYSCTL_LOG_MARTIANS=('|\").*('|\")"
create: no
when: minifirewall_sysctl_log_martians is not none
- name: Stat minifirewall config file (after)
stat:
path: "{{ minifirewall_main_file }}"
path: "/etc/default/minifirewall"
register: minifirewall_after
- name: restart minifirewall
# service:
# name: minifirewall
# state: restarted
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
when:
- minifirewall_restart_if_needed | bool
- minifirewall_is_running.rc == 0
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
- name: restart minifirewall (noop)
meta: noop
register: minifirewall_init_restart
failed_when: False
changed_when: False
when: not (minifirewall_restart_if_needed | bool)
- minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed
- debug:
var: minifirewall_init_restart
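Review bot: the new `regexp` values (`DNSSERVEURS=('|\").*('|\")` and the same shape through SYSCTL_LOG_MARTIANS) are not anchored, so they also match the commented examples the shipped config carries (`# SYSCTL_RP_FILTER='1'`); lineinfile rewrites the last matching line, so which line gets replaced depends on file order. If matching the commented example is intended, say so with `^#?\s*SYSCTL_RP_FILTER=`; otherwise anchor with `^`. Two further points: the evomaintenance rule task and its example-rule cleanup are removed with no replacement in this diff, so confirm that rule now lives in an /etc/minifirewall.d/ include; and the restart condition now references minifirewall_upgrade_script / minifirewall_upgrade_config, which are registered in install.yml, so config.yml can no longer run without install.yml having run first.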


@ -6,19 +6,58 @@
state: present
- name: init script is copied
template:
src: minifirewall.j2
copy:
src: minifirewall
dest: /etc/init.d/minifirewall
force: "{{ minifirewall_force_upgrade_script | default('no') }}"
mode: "0700"
owner: root
group: root
register: minifirewall_upgrade_script
- name: configuration is copied
copy:
src: minifirewall.conf
dest: "{{ minifirewall_main_file }}"
dest: "/etc/default/minifirewall"
force: "{{ minifirewall_force_upgrade_config | default('no') }}"
mode: "0600"
owner: root
group: root
register: minifirewall_upgrade_config
- name: includes directory is present
file:
path: /etc/minifirewall.d/
state: directory
owner: root
group: root
mode: "0700"
- name: examples for includes are present
copy:
src: "minifirewall.d/"
dest: "/etc/minifirewall.d/"
force: "no"
mode: "0600"
owner: root
group: root
- include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
- name: blacklist-countries.sh is copied
copy:
src: blacklist-countries.sh
dest: /usr/share/scripts/blacklist-countries.sh
force: "no"
mode: "0700"
owner: root
group: root
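Review bot: with `force` defaulting to "no" for both the init script and the configuration, an already-deployed host keeps its old script while config.yml still appends the new PROXY*, BACKUPSERVERS and SYSCTL_* assignments, which that script never reads; tie the two force flags together or check a version marker so the script and config are upgraded as a pair. `default('no')` inline suggests minifirewall_force_upgrade_script / _config are not declared in defaults/main.yml; declare them there so they are discoverable. The 0700/0600 root-only modes on /etc/minifirewall.d/ are appropriate since the init script sources those files as root.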


@ -4,19 +4,25 @@
set_fact:
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
- include: install.yml
- name: Fail if minifirewall_main_file is defined
fail:
msg: "Variable minifirewall_main_file is deprecated and not configurable anymore."
when: minifirewall_main_file is defined
- include: config.yml
- import_tasks: install.yml
- include: nrpe.yml
- import_tasks: config.yml
when: minifirewall_update_config | bool
- include: activate.yml
- import_tasks: nrpe.yml
- include: tail.yml
- import_tasks: activate.yml
- import_tasks: tail.yml
when: minifirewall_tail_included | bool
- name: Force restart minifirewall
command: /bin/true
notify: restart minifirewall
changed_when: False
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
when: minifirewall_restart_force | bool
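Review bot: the forced restart duplicates the `'starting IPTables rules is now finish : OK'` magic string from config.yml; put it in one variable so the two checks cannot drift. The task also re-registers minifirewall_init_restart, overwriting the result config.yml already debugged, and has no `changed_when`, so it always reports changed, which is acceptable for a forced restart but worth a comment. The new deprecation check covers minifirewall_main_file only; minifirewall_tail_file changes meaning in tail.yml in this same diff and deserves the same treatment.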


@ -2,8 +2,9 @@
- name: Add some rules at the end of minifirewall file
template:
src: "{{ item }}"
dest: "{{ minifirewall_tail_file }}"
dest: "/etc/minifirewall.d/{{ minifirewall_tail_file }}"
force: "{{ minifirewall_tail_force | bool }}"
follow: yes
loop: "{{ query('first_found', templates) }}"
vars:
templates:
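Review bot: `dest` is now "/etc/minifirewall.d/{{ minifirewall_tail_file }}", but until this change minifirewall_tail_file was a full path (the removed block sourced it as `. {{ minifirewall_tail_file }}`); any inventory that still sets the old absolute default ends up with a doubled path. Either rename the variable to make the new basename semantics obvious or add a `fail` when the value starts with "/".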
@ -17,18 +18,6 @@
var: minifirewall_tail_template
verbosity: 1
- name: source minifirewall.tail at the end of the main file
blockinfile:
dest: "{{ minifirewall_main_file }}"
marker: "# {mark} ANSIBLE MANAGED EXTERNAL RULES"
block: ". {{ minifirewall_tail_file }}"
insertbefore: EOF
register: minifirewall_tail_source
- debug:
var: minifirewall_tail_source
verbosity: 1
- name: restart minifirewall
# service:
# name: minifirewall
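Review bot: removing the "ANSIBLE MANAGED EXTERNAL RULES" blockinfile does not remove the block already written into /etc/default/minifirewall on deployed hosts, so those hosts keep sourcing the old tail file from the main config while the new one is also picked up from /etc/minifirewall.d/, applying the rules twice. Add a `blockinfile` with `state: absent` and the same marker to clean it up.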


@ -1,492 +0,0 @@
#!/bin/sh
# minifirewall is shellscripts for easy firewalling on a standalone server
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
# See https://gitea.evolix.org/evolix/minifirewall
# Copyright (c) 2007-2020 Evolix
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License.
# Description
# script for standalone server
# Start or stop minifirewall
#
### BEGIN INIT INFO
# Provides: minfirewall
# Required-Start:
# Required-Stop:
# Should-Start: $network $syslog $named
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the firewall
# Description: Firewall designed for standalone server
### END INIT INFO
DESC="minifirewall"
NAME="minifirewall"
# Variables configuration
#########################
# iptables paths
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
CLASSA='10.0.0.0/8'
CLASSB='172.16.0.0/12'
CLASSC='192.168.0.0/16'
CLASSD='224.0.0.0/4'
CLASSE='240.0.0.0/5'
ALL='0.0.0.0'
BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
chain_exists()
{
local chain_name="$1" ; shift
[ $# -eq 1 ] && local intable="--table $1"
iptables $intable -nL "$chain_name" >/dev/null 2>&1
}
# Configuration
oldconfigfile="/etc/firewall.rc"
configfile="{{ minifirewall_main_file }}"
IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
case "$1" in
start)
echo "Start IPTables rules..."
# Stop and warn if error!
set -e
trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
# sysctl network security settings
##################################
# Don't answer to broadcast pings
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore bogus ICMP responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable Source Routing
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i
done
# Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks
# cf http://cr.yp.to/syncookies.html
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP redirects
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $i
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $i
done
# Enable Reverse Path filtering : verify if responses use same network interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
# log des paquets avec adresse incoherente
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $i
done
# IPTables configuration
########################
$IPT -N LOG_DROP
$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
$IPT -A LOG_DROP -j DROP
$IPT -N LOG_ACCEPT
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT -A LOG_ACCEPT -j ACCEPT
if test -f $oldconfigfile; then
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
exit 1
fi
if ! test -f $configfile; then
echo "$configfile does not exist" >&2
exit 1
fi
tmpfile=`mktemp`
. $configfile 2>$tmpfile >&2
if [ -s $tmpfile ]; then
echo "$configfile returns standard or error output (see below). Stopping." >&2
cat $tmpfile
exit 1
fi
rm $tmpfile
# Trusted ip addresses
$IPT -N ONLYTRUSTED
$IPT -A ONLYTRUSTED -j LOG_DROP
for x in $TRUSTEDIPS
do
$IPT -I ONLYTRUSTED -s $x -j ACCEPT
done
# Privilegied ip addresses
# (trusted ip addresses *are* privilegied)
$IPT -N ONLYPRIVILEGIED
$IPT -A ONLYPRIVILEGIED -j ONLYTRUSTED
for x in $PRIVILEGIEDIPS
do
$IPT -I ONLYPRIVILEGIED -s $x -j ACCEPT
done
# Chain for restrictions (blacklist IPs/ranges)
$IPT -N NEEDRESTRICT
# We allow all on loopback interface
$IPT -A INPUT -i lo -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -i lo -j ACCEPT
# if OUTPUTDROP
$IPT -A OUTPUT -o lo -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o lo -j ACCEPT
# We avoid "martians" packets, typical when W32/Blaster virus
# attacked windowsupdate.com and DNS was changed to 127.0.0.1
# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
if [ "$DOCKER" = "on" ]; then
$IPT -N MINIFW-DOCKER-TRUSTED
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP
$IPT -N MINIFW-DOCKER-PRIVILEGED
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
$IPT -N MINIFW-DOCKER-PUB
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
$IPT -A MINIFW-DOCKER-PUB -j RETURN
# Flush DOCKER-USER if exist, create it if absent
if chain_exists 'DOCKER-USER'; then
$IPT -F DOCKER-USER
else
$IPT -N DOCKER-USER
fi;
# Pipe new connection through MINIFW-DOCKER-PUB
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
$IPT -A DOCKER-USER -j RETURN
fi
# Local services restrictions
#############################
# Allow services for $INTLAN (local server or local network)
$IPT -A INPUT -s $INTLAN -j ACCEPT
# Enable protection chain for sensible services
for x in $SERVICESTCP1p
do
$IPT -A INPUT -p tcp --dport $x -j NEEDRESTRICT
done
for x in $SERVICESUDP1p
do
$IPT -A INPUT -p udp --dport $x -j NEEDRESTRICT
done
# Public service
for x in $SERVICESTCP1
do
$IPT -A INPUT -p tcp --dport $x -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT
done
for x in $SERVICESUDP1
do
$IPT -A INPUT -p udp --dport $x -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT
done
# Privilegied services
for x in $SERVICESTCP2
do
$IPT -A INPUT -p tcp --dport $x -j ONLYPRIVILEGIED
done
for x in $SERVICESUDP2
do
$IPT -A INPUT -p udp --dport $x -j ONLYPRIVILEGIED
done
# Private services
for x in $SERVICESTCP3
do
$IPT -A INPUT -p tcp --dport $x -j ONLYTRUSTED
done
for x in $SERVICESUDP3
do
$IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
done
if [ "$DOCKER" = "on" ]; then
# Public services defined in SERVICESTCP1 & SERVICESUDP1
for dstport in $SERVICESTCP1
do
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
done
for dstport in $SERVICESUDP1
do
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
done
# Privileged services (accessible from privileged & trusted IPs)
for dstport in $SERVICESTCP2
do
for srcip in $PRIVILEGIEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
done
for dstport in $SERVICESUDP2
do
for srcip in $PRIVILEGIEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
done
# Trusted services (accessible from trusted IPs)
for dstport in $SERVICESTCP3
do
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
done
for dstport in $SERVICESUDP3
do
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
done
fi
# External services
###################
# DNS authorizations
for x in $DNSSERVEURS
do
$IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT
$IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT
done
# HTTP (TCP/80) authorizations
for x in $HTTPSITES
do
$IPT -A INPUT -p tcp ! --syn --sport 80 --dport $PORTSUSER -s $x -j ACCEPT
done
# HTTPS (TCP/443) authorizations
for x in $HTTPSSITES
do
$IPT -A INPUT -p tcp ! --syn --sport 443 --dport $PORTSUSER -s $x -j ACCEPT
done
# FTP (so complex protocol...) authorizations
for x in $FTPSITES
do
# requests on Control connection
$IPT -A INPUT -p tcp ! --syn --sport 21 --dport $PORTSUSER -s $x -j ACCEPT
# FTP port-mode on Data Connection
$IPT -A INPUT -p tcp --sport 20 --dport $PORTSUSER -s $x -j ACCEPT
# FTP passive-mode on Data Connection
# WARNING, this allow all connections on TCP ports > 1024
$IPT -A INPUT -p tcp ! --syn --sport $PORTSUSER --dport $PORTSUSER -s $x -j ACCEPT
done
# SSH authorizations
for x in $SSHOK
do
$IPT -A INPUT -p tcp ! --syn --sport 22 -s $x -j ACCEPT
done
# SMTP authorizations
for x in $SMTPOK
do
$IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -s $x -j ACCEPT
done
# secure SMTP (TCP/465 et TCP/587) authorizations
for x in $SMTPSECUREOK
do
$IPT -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -s $x -j ACCEPT
$IPT -A INPUT -p tcp ! --syn --sport 587 --dport $PORTSUSER -s $x -j ACCEPT
done
# NTP authorizations
for x in $NTPOK
do
$IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT
$IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
done
# Always allow ICMP
$IPT -A INPUT -p icmp -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
# IPTables policy
#################
# by default DROP INPUT packets
$IPT -P INPUT DROP
[ "$IPV6" != "off" ] && $IPT6 -P INPUT DROP
# by default, no FORWARING (deprecated for Virtual Machines)
#echo 0 > /proc/sys/net/ipv4/ip_forward
#$IPT -P FORWARD DROP
#$IPT6 -P FORWARD DROP
# by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets)
$IPT -P OUTPUT ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT
$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp -j DROP
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp -j DROP
trap - INT TERM EXIT
echo "...starting IPTables rules is now finish : OK"
;;
stop)
echo "Flush all rules and accept everything..."
# Delete all rules
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F LOG_DROP
$IPT -F LOG_ACCEPT
$IPT -F ONLYTRUSTED
$IPT -F ONLYPRIVILEGIED
$IPT -F NEEDRESTRICT
[ "$DOCKER" = "off" ] && $IPT -t nat -F
$IPT -t mangle -F
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
if [ "$DOCKER" = "on" ]; then
$IPT -F DOCKER-USER
$IPT -A DOCKER-USER -j RETURN
$IPT -F MINIFW-DOCKER-PUB
$IPT -X MINIFW-DOCKER-PUB
$IPT -F MINIFW-DOCKER-PRIVILEGED
$IPT -X MINIFW-DOCKER-PRIVILEGED
$IPT -F MINIFW-DOCKER-TRUSTED
$IPT -X MINIFW-DOCKER-TRUSTED
fi
# Accept all
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -P INPUT ACCEPT
[ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT
#$IPT -P FORWARD ACCEPT
#$IPT -t nat -P PREROUTING ACCEPT
#$IPT -t nat -P POSTROUTING ACCEPT
# Delete non-standard chains
$IPT -X LOG_DROP
$IPT -X LOG_ACCEPT
$IPT -X ONLYPRIVILEGIED
$IPT -X ONLYTRUSTED
$IPT -X NEEDRESTRICT
echo "...flushing IPTables rules is now finish : OK"
;;
status)
$IPT -L -n -v --line-numbers
$IPT -t nat -L -n -v --line-numbers
$IPT -t mangle -L -n -v --line-numbers
$IPT6 -L -n -v --line-numbers
$IPT6 -t mangle -L -n -v --line-numbers
;;
reset)
echo "Reset all IPTables counters..."
$IPT -Z
$IPT -t nat -Z
$IPT -t mangle -Z
[ "$IPV6" != "off" ] && $IPT6 -Z
[ "$IPV6" != "off" ] && $IPT6 -t mangle -Z
echo "...reseting IPTables counters is now finish : OK"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart|status|reset|squid}"
exit 1
esac
exit 0
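Review bot: deleting the template is consistent with install.yml switching to `copy: src: minifirewall`, so only the replacement script (not in this compare) can be checked against these lines. One thing to carry over: the grep/awk pre-parsing of IPV6, DOCKER and INT (`awk -F '=' -F "'"`) only understands single-quoted values and matches any line containing the name, comments included; config.yml now accepts either quote style and writes PROXYBYPASS double-quoted, so the new script should not reuse that parsing for any variable the tasks may emit. The usage line also advertised a `squid` action that no case handled.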


@ -1,13 +1,13 @@
---
- include: main_jessie.yml
- import_tasks: main_jessie.yml
when: ansible_distribution_release == "jessie"
- include: main_stretch.yml
- import_tasks: main_stretch.yml
when: ansible_distribution_release == "stretch"
- include: main_buster.yml
- import_tasks: main_buster.yml
when: ansible_distribution_release == "buster"
- include: main_bullseye.yml
- import_tasks: main_bullseye.yml
when: ansible_distribution_major_version is version('11', '>=')
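Review bot: this applies to every include-to-import_tasks hunk in the compare: with `import_tasks` the `when` is inherited by each task in the imported file and evaluated per task, not once at include time, so a file whose early tasks change the facts the condition depends on can now be partially skipped; the files touched here are guarded on distribution facts, which do not change mid-file, so this is fine, but it is the behaviour to keep in mind for the files guarded on role variables.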


@ -3,20 +3,20 @@
- set_fact:
mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}"
- include: packages.yml
- import_tasks: packages.yml
- include: users.yml
- import_tasks: users.yml
- include: config.yml
- import_tasks: config.yml
- include: datadir.yml
- import_tasks: datadir.yml
- include: tmpdir.yml
- import_tasks: tmpdir.yml
- include: nrpe.yml
- import_tasks: nrpe.yml
- include: munin.yml
- import_tasks: munin.yml
- include: log2mail.yml
- import_tasks: log2mail.yml
- include: utils.yml
- import_tasks: utils.yml


@ -4,44 +4,44 @@
set_fact:
mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}"
- include: packages_stretch.yml
- import_tasks: packages_stretch.yml
when: ansible_distribution_major_version is version('9', '>=')
- include: packages_jessie.yml
- import_tasks: packages_jessie.yml
when: ansible_distribution_release == "jessie"
## There is nothing to do with users on Debian 11 - yet we need a /root/.my.cnf for compatibility
- include: users_bullseye.yml
- import_tasks: users_bullseye.yml
when: ansible_distribution_release == "bullseye"
- include: users_buster.yml
- import_tasks: users_buster.yml
when: ansible_distribution_release == "buster"
- include: users_stretch.yml
- import_tasks: users_stretch.yml
when: ansible_distribution_release == "stretch"
- include: users_jessie.yml
- import_tasks: users_jessie.yml
when: ansible_distribution_release == "jessie"
- include: config_stretch.yml
- import_tasks: config_stretch.yml
when: ansible_distribution_major_version is version('9', '>=')
- include: config_jessie.yml
- import_tasks: config_jessie.yml
when: ansible_distribution_release == "jessie"
- include: replication.yml
- import_tasks: replication.yml
when: mysql_replication | bool
- include: datadir.yml
- import_tasks: datadir.yml
- include: logdir.yml
- import_tasks: logdir.yml
- include: tmpdir.yml
- import_tasks: tmpdir.yml
- include: nrpe.yml
- import_tasks: nrpe.yml
- include: munin.yml
- import_tasks: munin.yml
- include: log2mail.yml
- import_tasks: log2mail.yml
- include: utils.yml
- import_tasks: utils.yml


@ -239,4 +239,4 @@
mode: "0755"
force: no
tags:
- mysql
- mysql


@ -1,30 +1,40 @@
#!/bin/sh
#
# Verify that given mountpoints have 'read-write' option.
output=$(mktemp --tmpdir $(basename $0).XXXXXXXXXX)
output=$(mktemp --tmpdir $(basename "$0").XXXXXXXXXX)
critical_count=0
ok_count=0
trap "rm -f $output" EXIT
for mountpoint in $@; do
# We verify no mointpoints have 'read-only' option instead of checking
# for 'read-write' option, because there could be multiple device
# mounted on a sigle path. In that edge case only checking for the
# presence of the 'read-write' option would yeild a flase positive.
if findmnt -O ro --noheadings "$mountpoint" 1>/dev/null 2>&1; then
echo "CRITICAL - $mountpoint" >> "$output"
critical_count=$(( critical_count + 1))
critical_count=$(( critical_count + 1))
else
echo "OK - $mountpoint" >> "$output"
ok_count=$(( ok_count + 1))
ok_count=$(( ok_count + 1))
fi
done
total_count=$(( ok_count + critical_count ))
plural=''
test "$total_count" -gt 1 && plural='s'
if [ $ok_count -eq $total_count ]; then
printf "OK - %d/%d no read-only mountpoint\n\n" "$ok_count" "$total_count"
printf "OK - %d/%d mountpoint%s have 'read-write' option\n\n" \
"$ok_count" "$total_count" "$plural"
cat "$output"
exit 0
else
printf "CRITICAL - %d/%d read-only mountpoint\n\n" "$critical_count" "$total_count"
printf "CRITICAL - %d/%d mountpoint%s don't have 'read-write' option\n\n" \
"$critical_count" "$total_count" "$plural"
cat "$output"
exit 2
fi
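Review bot: `for mountpoint in $@` should be `for mountpoint in "$@"`, otherwise a mountpoint containing spaces is split; the same quoting fix was applied to `$0` in the mktemp line, so this one looks like an oversight. Typos in the new comment: "mointpoints", "sigle", "yeild", "flase". With no arguments the script reports "OK - 0/0", which hides a misconfigured check; exit with UNKNOWN (3) when `$# -eq 0`.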


@ -21,10 +21,10 @@
set_fact:
eni_interface_name: "{{ ansible_default_ipv4.interface }}"
- include: set_facts_from_systemd.yml
- import_tasks: set_facts_from_systemd.yml
when: systemd_network_file.stat.exists
- include: set_facts_from_ansible.yml
- import_tasks: set_facts_from_ansible.yml
when: not systemd_network_file.stat.exists
- name: Check config (IPv4)


@ -1,9 +1,9 @@
---
- include: sources.yml
- import_tasks: sources.yml
- include: php.yml
- import_tasks: php.yml
when: newrelic_php | bool
- include: sysmond.yml
- import_tasks: sysmond.yml
when: newrelic_sysmond | bool


@ -1,4 +1,5 @@
# Evolix default customizations
server_tokens off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 128;
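Review bot: `server_names_hash_max_size 512` is nginx's built-in default, so as written the line changes nothing; if the intent is to reserve headroom for hosts with many server_name entries, raise it (with a comment saying why) or drop the line.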


@ -8,9 +8,9 @@
msg: "Nginx minimal mode has been set, using minimal mode."
when: nginx_minimal | bool
- include: packages.yml
- import_tasks: packages.yml
- include: server_status_read.yml
- import_tasks: server_status_read.yml
tags:
- nginx
@ -64,7 +64,7 @@
- ips
- name: Include IP address whitelist task
include: ip_whitelist.yml
import_tasks: ip_whitelist.yml
- name: Copy evolinux_server_custom
copy:
@ -134,7 +134,7 @@
tags:
- nginx
- include: server_status_write.yml
- import_tasks: server_status_write.yml
tags:
- nginx
@ -155,16 +155,16 @@
- nginx
- munin
- include: munin_vhost.yml
- import_tasks: munin_vhost.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: munin_graphs.yml
- import_tasks: munin_graphs.yml
when: stat_munin_node.stat.exists
tags:
- nginx
- munin
- include: logrotate.yml
- import_tasks: logrotate.yml


@ -4,7 +4,7 @@
nginx_default_package_name: nginx-light
when: nginx_minimal | bool
- include: packages_backports.yml
- import_tasks: packages_backports.yml
when: nginx_backports | bool
# TODO: install "nginx" + only necessary modules, instead of "nginx-full"


@ -61,5 +61,5 @@
- packages
- nodejs
- include: yarn.yml
- import_tasks: yarn.yml
when: nodejs_install_yarn | bool


@ -6,10 +6,10 @@
msg: "Only compatible with Debian and OpenBSD"
- name: Include Debian version
include: debian.yml
import_tasks: debian.yml
when: ansible_distribution == "Debian"
- name: Include OpenBSD version
include: openbsd.yml
import_tasks: openbsd.yml
when: ansible_distribution == "OpenBSD"


@ -6,6 +6,7 @@ port 1194
proto udp
dev tun
mode server
topology subnet
keepalive 10 120
tls-exit
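Review bot: adding `topology subnet` changes address allocation away from the net30 default, so existing client-config-dir entries using `ifconfig-push` with net30 endpoint pairs and any client that pins `topology` must be updated in step, and connected clients will need to reconnect; note the behavioural change in the CHANGELOG rather than only in the template.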


@ -82,13 +82,13 @@
regexp: '^DIR_MODE='
line: 'DIR_MODE=0750'
- include: apache.yml
- import_tasks: apache.yml
- include: phpmyadmin.yml
- import_tasks: phpmyadmin.yml
- include: awstats.yml
- import_tasks: awstats.yml
- include: fhs_retrictions.yml
- import_tasks: fhs_retrictions.yml
when: packweb_fhs_retrictions | bool
- name: Periodically cache ftp directory sizes for ftpadmin.sh
@ -97,5 +97,5 @@
special_time: daily
job: "/usr/share/scripts/evoadmin/stats.sh"
- include: multiphp.yml
- import_tasks: multiphp.yml
when: packweb_multiphp_versions | length > 0


@ -61,5 +61,5 @@
update_cache: yes
when: percona__apt_config_deb is changed
- include: xtrabackup.yml
- import_tasks: xtrabackup.yml
when: percona__install_xtrabackup | bool


@ -7,14 +7,14 @@
- ansible_distribution_major_version is version('11', '<=')
msg: This is only compatible with Debian 8 → 11
- include: main_jessie.yml
- import_tasks: main_jessie.yml
when: ansible_distribution_release == "jessie"
- include: main_stretch.yml
- import_tasks: main_stretch.yml
when: ansible_distribution_release == "stretch"
- include: main_buster.yml
- import_tasks: main_buster.yml
when: ansible_distribution_release == "buster"
- include: main_bullseye.yml
- import_tasks: main_bullseye.yml
when: ansible_distribution_release == "bullseye"
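Review bot: one semantic change here is worth documenting: with `import_tasks`, all four `main_*.yml` files are parsed on every run and the `when: ansible_distribution_release == ...` is attached to each task inside them, whereas a dynamic include skipped the file entirely. The net effect is that a YAML or Jinja error in, say, main_jessie.yml now fails a bullseye host as well, and `--list-tasks` shows the tasks of all four files. That is acceptable (errors surface earlier) but should be mentioned in the CHANGELOG next to this change.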

@ -34,7 +34,7 @@
- composer
- libphp-phpmailer
- include: sury_pre.yml
- import_tasks: sury_pre.yml
when: php_sury_enable
- name: "Install PHP packages (Debian 11)"
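Review bot: `when: php_sury_enable` (and the `php_fpm_enable` / `php_apache_enable` conditions further down in this file) is missing the `| bool` cast that the Debian 9 and Debian 10 files use on the equivalent lines; a string value such as "false" coming from an inventory would evaluate as true. Since the line is being touched anyway, make it `when: php_sury_enable | bool` for consistency with the other releases.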
@ -68,13 +68,13 @@
- /etc/php
- /etc/php/7.4
- include: config_cli.yml
- import_tasks: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 11)"
file:
dest: /etc/php/7.4/cli
mode: "0755"
- include: config_fpm.yml
- import_tasks: config_fpm.yml
when: php_fpm_enable
- name: "Enforce permissions on PHP fpm directory (Debian 11)"
@ -83,7 +83,7 @@
mode: "0755"
when: php_fpm_enable
- include: config_apache.yml
- import_tasks: config_apache.yml
when: php_apache_enable
- name: "Enforce permissions on PHP apache2 directory (Debian 11)"
@ -92,5 +92,5 @@
mode: "0755"
when: php_apache_enable
- include: sury_post.yml
- import_tasks: sury_post.yml
when: php_sury_enable

@ -35,7 +35,7 @@
- composer
- libphp-phpmailer
- include: sury_pre.yml
- import_tasks: sury_pre.yml
when: php_sury_enable | bool
- name: "Install PHP packages (Debian 10)"
@ -69,13 +69,13 @@
- /etc/php
- /etc/php/7.3
- include: config_cli.yml
- import_tasks: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 10)"
file:
dest: /etc/php/7.3/cli
mode: "0755"
- include: config_fpm.yml
- import_tasks: config_fpm.yml
when: php_fpm_enable | bool
- name: "Enforce permissions on PHP fpm directory (Debian 10)"
@ -84,7 +84,7 @@
mode: "0755"
when: php_fpm_enable | bool
- include: config_apache.yml
- import_tasks: config_apache.yml
when: php_apache_enable | bool
- name: "Enforce permissions on PHP apache2 directory (Debian 10)"
@ -93,5 +93,5 @@
mode: "0755"
when: php_apache_enable | bool
- include: sury_post.yml
- import_tasks: sury_post.yml
when: php_sury_enable | bool

@ -57,14 +57,14 @@
dest: /etc/php5
mode: "0755"
- include: config_cli.yml
- import_tasks: config_cli.yml
- name: Enforce permissions on PHP cli directory (Debian 8)
file:
dest: /etc/php5/cli
mode: "0755"
- include: config_fpm.yml
- import_tasks: config_fpm.yml
when: php_fpm_enable | bool
- name: Enforce permissions on PHP fpm directory (Debian 8)
@ -73,7 +73,7 @@
mode: "0755"
when: php_fpm_enable | bool
- include: config_apache.yml
- import_tasks: config_apache.yml
when: php_apache_enable | bool
- name: Enforce permissions on PHP apache2 directory (Debian 8)

@ -35,7 +35,7 @@
- composer
- libphp-phpmailer
- include: sury_pre.yml
- import_tasks: sury_pre.yml
when: php_sury_enable | bool
- name: "Install PHP packages (Debian 9)"
@ -69,14 +69,14 @@
- /etc/php
- /etc/php/7.0
- include: config_cli.yml
- import_tasks: config_cli.yml
- name: "Enforce permissions on PHP cli directory (Debian 9)"
file:
dest: /etc/php/7.0/cli
mode: "0755"
- include: config_fpm.yml
- import_tasks: config_fpm.yml
when: php_fpm_enable | bool
- name: "Enforce permissions on PHP fpm directory (Debian 9)"
@ -85,7 +85,7 @@
mode: "0755"
when: php_fpm_enable | bool
- include: config_apache.yml
- import_tasks: config_apache.yml
when: php_apache_enable | bool
- name: "Enforce permissions on PHP apache2 directory (Debian 9)"
@ -94,5 +94,5 @@
mode: "0755"
when: php_apache_enable | bool
- include: sury_post.yml
- import_tasks: sury_post.yml
when: php_sury_enable | bool

@ -1,12 +1,12 @@
---
- include: common.yml
- import_tasks: common.yml
- include: minimal.yml
- import_tasks: minimal.yml
when: not (postfix_packmail | bool)
- include: packmail.yml
- import_tasks: packmail.yml
when: postfix_packmail | bool
- include: slow_transport.yml
- import_tasks: slow_transport.yml
when: postfix_slow_transport_include | bool

@ -158,7 +158,7 @@ smtp-amavis unix - - y - 2 lmtp
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
pre-cleanup unix n - n - 0 cleanup
-o virtual_alias_maps=
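Review bot: adding `no_milters` to `receive_override_options` on the post-amavis re-injection path is the right fix for the double DKIM signing described in the commit message, with one thing to double-check: the hunk header context names `smtp-amavis unix ... lmtp`, which is the delivery transport towards amavis, while `smtpd_*` overrides are only honoured on an `smtpd` service. Confirm these `-o` lines sit under the re-injection `smtpd` entry and not under the lmtp transport, otherwise the option is silently ignored. A consequence worth a comment in the template: after this change outbound mail is only offered to milters on its first pass through Postfix, so opendkim must be present in `smtpd_milters` / `non_smtpd_milters` in main.cf and must not rely on the re-injection pass to sign.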

@ -1,25 +1,25 @@
---
- include: locales.yml
- import_tasks: locales.yml
- include: packages_jessie.yml
- import_tasks: packages_jessie.yml
when: ansible_distribution_release == "jessie"
- include: packages_stretch.yml
- import_tasks: packages_stretch.yml
when: ansible_distribution_release == "stretch"
- include: packages_buster.yml
- import_tasks: packages_buster.yml
when: ansible_distribution_release == "buster"
- include: packages_bullseye.yml
- import_tasks: packages_bullseye.yml
when: ansible_distribution_major_version is version('11', '>=')
- include: config.yml
- import_tasks: config.yml
- include: nrpe.yml
- import_tasks: nrpe.yml
- include: munin.yml
- import_tasks: munin.yml
- include: logrotate.yml
- import_tasks: logrotate.yml
- include: postgis.yml
- import_tasks: postgis.yml
when: postgresql_install_postgis | bool
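Review bot: the selection conditions are inconsistent across the four package files: jessie/stretch/buster are matched by `ansible_distribution_release == "..."` while bullseye is matched by `ansible_distribution_major_version is version('11', '>=')`. That means Debian 12 and anything newer will silently import packages_bullseye.yml; if that is intended as a forward-compatibility fallback, say so in a comment, otherwise use `== "bullseye"` like the others. Also visible in the hunk now that every file is statically imported: a host whose release matches none of the four conditions skips all package tasks without error and then runs config.yml against a PostgreSQL that was never installed; an `assert` on the release before the imports would make that failure explicit.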

@ -5,7 +5,7 @@
postgresql_version: '13'
when: postgresql_version is none or postgresql_version | length == 0
- include: pgdg-repo.yml
- import_tasks: pgdg-repo.yml
when: postgresql_version != '13'
- name: Install postgresql package

@ -5,7 +5,7 @@
postgresql_version: '11'
when: postgresql_version is none or postgresql_version | length == 0
- include: pgdg-repo.yml
- import_tasks: pgdg-repo.yml
when: postgresql_version != '11'
- name: Install postgresql package

@ -5,7 +5,7 @@
postgresql_version: '9.4'
when: postgresql_version is none or postgresql_version | length == 0
- include: pgdg-repo.yml
- import_tasks: pgdg-repo.yml
when: postgresql_version != '9.4'
- name: Install postgresql package

@ -5,7 +5,7 @@
postgresql_version: '9.6'
when: postgresql_version is none or postgresql_version | length == 0
- include: pgdg-repo.yml
- import_tasks: pgdg-repo.yml
when: postgresql_version != '9.6'
- name: Install postgresql package

@ -1,5 +1,5 @@
---
- include: accounts_password.yml
- include_tasks: accounts_password.yml
when: item.password is undefined
loop: "{{ proftpd_accounts }}"
tags:
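Review bot: `include_tasks` is the correct choice for a looped include, but two consequences are not handled in the hunk. First, the `tags:` on this task apply to the include itself only, not to the tasks inside accounts_password.yml; if those tasks are not tagged themselves, a `--tags proftpd` run executes the include and then skips its contents. Wrap them with `apply: { tags: [...] }` or tag the tasks in the file. Second, `item` is the loop variable visible inside accounts_password.yml; if that file loops itself, the inner loop shadows it, so a `loop_control: loop_var: account` (and matching `when: account.password is undefined`) here would keep the included tasks unambiguous.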

@ -79,5 +79,5 @@
tags:
- proftpd
- include: accounts.yml
- import_tasks: accounts.yml
when: proftpd_accounts | length > 0

@ -34,7 +34,7 @@
tags:
- nrpe
- include: nrpe.yml
- import_tasks: nrpe.yml
when: nrpe_evolix_config.stat.exists
- name: is Munin present ?
@ -45,5 +45,5 @@
tags:
- nrpe
- include: munin.yml
- import_tasks: munin.yml
when: etc_munin_directory.stat.exists

@ -1,4 +1,4 @@
# munin
# Redis
Installation and basic configuration of Redis.

@ -56,11 +56,11 @@
when: redis_instance_name is defined
- name: configure Redis for default mode
include: default-server.yml
import_tasks: default-server.yml
when: redis_instance_name is not defined
- name: configure Redis for instance mode
include: instance-server.yml
import_tasks: instance-server.yml
when: redis_instance_name is defined
- name: Is Munin installed
@ -72,7 +72,7 @@
- munin
- name: configure Munin for default mode
include: default-munin.yml
import_tasks: default-munin.yml
when:
- _munin_installed.stat.exists
- _munin_installed.stat.isdir
@ -82,7 +82,7 @@
- munin
- name: configure Munin for instance mode
include: instance-munin.yml
import_tasks: instance-munin.yml
when:
- _munin_installed.stat.exists
- _munin_installed.stat.isdir
@ -100,7 +100,7 @@
- log2mail
- name: configure log2mail for default mode
include: default-log2mail.yml
import_tasks: default-log2mail.yml
when:
- _log2mail_installed.stat.exists
- _log2mail_installed.stat.isdir
@ -110,7 +110,7 @@
- log2mail
- name: configure log2mail for instance mode
include: instance-log2mail.yml
import_tasks: instance-log2mail.yml
when:
- _log2mail_installed.stat.exists
- _log2mail_installed.stat.isdir
@ -128,7 +128,7 @@
- redis
- nrpe
- include: nrpe.yml
- import_tasks: nrpe.yml
when: nrpe_evolix_config.stat.exists
tags:
- redis

@ -79,6 +79,10 @@
- redis
- nrpe
- name: "Remount /usr with RW for 'install check_redis instance'"
include_role:
name: evolix/remount-usr
- name: install check_redis_instances
copy:
src: check_redis_instances.sh
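Review bot: /usr is remounted read-write before the `copy`, but nothing in the hunk returns it to read-only afterwards. If the `evolix/remount-usr` role does that through a handler, confirm it is triggered on every path through this file, including the run where the copy reports no change and the run where a later task fails; otherwise /usr stays writable after the play. Also, the quoted name `'install check_redis instance'` does not match the task it precedes (`install check_redis_instances`); fix the typo while here.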

@ -1,13 +1,13 @@
---
- include: packages.yml
- include: syslog.yml
- include: user.yml
- import_tasks: packages.yml
- import_tasks: syslog.yml
- import_tasks: user.yml
- include_role:
name: evolix/rbenv
vars:
- username: "{{ redmine_user }}"
- include: config.yml
- include: mysql.yml
- include: source.yml
- include: release.yml
- include: nginx.yml
- import_tasks: config.yml
- import_tasks: mysql.yml
- import_tasks: source.yml
- import_tasks: release.yml
- import_tasks: nginx.yml
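Review bot: not part of this change but visible in the context: `vars:` on the rbenv `include_role` is written in list form (`- username: ...`). ansible-core still accepts that but has deprecated it in favour of a plain mapping, so it is worth converting in the same sweep since the surrounding lines are being rewritten anyway.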

@ -152,15 +152,15 @@
notify: "reload squid"
when: ansible_distribution_major_version is version('9', '>=')
- include: systemd.yml
- import_tasks: systemd.yml
when: ansible_distribution_major_version is version('10', '>=')
- include: logrotate_jessie.yml
- import_tasks: logrotate_jessie.yml
when: ansible_distribution_release == "jessie"
- include: logrotate_stretch.yml
- import_tasks: logrotate_stretch.yml
when: ansible_distribution_major_version is version('9', '>=')
- include: minifirewall.yml
- import_tasks: minifirewall.yml
- include: log2mail.yml
- import_tasks: log2mail.yml

@ -39,5 +39,5 @@
tags:
- ssl
- include: haproxy.yml
- import_tasks: haproxy.yml
when: haproxy_check.rc == 0
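Review bot: `when: haproxy_check.rc == 0` raises an undefined-attribute error if the task that registers `haproxy_check` was skipped (for example under a tag selection), because a skipped register carries no `rc` key. A guard such as `when: haproxy_check.rc is defined and haproxy_check.rc == 0` keeps the import harmless in that case.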
