forked from evolix/ansible-roles
Compare commits
1 commit
stable
...
ansible-ma
Author | SHA1 | Date | |
---|---|---|---|
Jérémy Lecour | e77d1d1b17 |
36
.drone.yml
36
.drone.yml
|
@ -1,36 +0,0 @@
|
|||
kind: pipeline
|
||||
name: default
|
||||
|
||||
steps:
|
||||
- name: build tagged docker image
|
||||
image: plugins/docker
|
||||
settings:
|
||||
username:
|
||||
from_secret: docker_username
|
||||
password:
|
||||
from_secret: docker_password
|
||||
dockerfile: Dockerfile
|
||||
repo: evolix/ansible-roles
|
||||
auto_tag: true
|
||||
environment:
|
||||
ROLES_VERSION: $DRONE_COMMIT_SHA
|
||||
when:
|
||||
event:
|
||||
- tag
|
||||
|
||||
- name: build latest docker image
|
||||
image: plugins/docker
|
||||
settings:
|
||||
username:
|
||||
from_secret: docker_username
|
||||
password:
|
||||
from_secret: docker_password
|
||||
dockerfile: Dockerfile
|
||||
repo: evolix/ansible-roles
|
||||
tags: latest
|
||||
environment:
|
||||
ROLES_VERSION: $DRONE_COMMIT_SHA
|
||||
when:
|
||||
branch:
|
||||
- unstable
|
||||
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1,4 +1,3 @@
|
|||
.kitchen/
|
||||
.kateproject.d
|
||||
.vagrant/
|
||||
*.swp
|
||||
|
|
989
CHANGELOG.md
989
CHANGELOG.md
|
@ -1,989 +0,0 @@
|
|||
# Changelog
|
||||
All notable changes to this project will be documented in this file.
|
||||
|
||||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
||||
|
||||
This project does not follow semantic versioning.
|
||||
The **major** part of the version is the year
|
||||
The **minor** part changes is the month
|
||||
The **patch** part changes is incremented if multiple releases happen the same month
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
|
||||
### Changed
|
||||
|
||||
* minifirewall: tail template follows symlinks
|
||||
|
||||
### Fixed
|
||||
|
||||
### Removed
|
||||
|
||||
### Security
|
||||
|
||||
## [22.03] 2022-03-02
|
||||
|
||||
### Added
|
||||
|
||||
* apt: apt_hold_packages: broadcast message with wall, if present
|
||||
* evolinux-base: option to bypass raid-related tasks
|
||||
* Explicit permissions for systemd overrides
|
||||
* generate-ldif: Add support for php-fpm in containers
|
||||
* kvm-host: add missing default value
|
||||
* lxc-php: preliminary support for PHP 8.1 container
|
||||
* openvpn: now check that openvpn has been restarted since last certificates renewal
|
||||
* redis: always install check_redis_instances
|
||||
* redis: check_redis_instances tolerates absence of instances
|
||||
|
||||
### Changed
|
||||
|
||||
* elasticsearch: Use `/etc/elasticsearch/jvm.options.d/evolinux` instead of default `/etc/elasticsearch/jvm.options`
|
||||
* evolinux-users: check permissions for /etc/sudoers.d
|
||||
* evolinux-users: optimize sudo configuration
|
||||
* lxc: Fail if /var is nosuid
|
||||
* openvpn: make it compatible with OpenBSD and add some improvements
|
||||
|
||||
|
||||
|
||||
## [22.01.3] 2022-01-31
|
||||
|
||||
### Changed
|
||||
|
||||
* rbenv: install Ruby 3.1.0 by default
|
||||
* evolinux-base: backup-server-state: add "force" mode
|
||||
|
||||
### Fixed
|
||||
|
||||
* evolinux-base: backup-server-state: fix systemctl invocation
|
||||
* varnish: update munin plugin to work with recent varnish versions
|
||||
|
||||
## [22.01.2] 2022-01-27
|
||||
|
||||
### Changed
|
||||
|
||||
* evolinux-base: many improvements for backup-server-state script
|
||||
* remount-usr: use findmnt to find if usr is a readonly partition
|
||||
|
||||
## [22.01] 2022-01-25
|
||||
|
||||
### Added
|
||||
|
||||
* Support for Debian 11 « Bullseye » (with possible remaining blind spots)
|
||||
* apache: new variable for MPM mode (+ updated default config accordingly)
|
||||
* apache: prevent accessing Git or "env" related files
|
||||
* certbot: add script for manual deploy hooks execution
|
||||
* docker-host: install additional dependencies
|
||||
* dovecot: switch to TLS 1.2+ and external DH params
|
||||
* etc-git: centralize cron jobs in dedicated crontab
|
||||
* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
|
||||
* evolinux-base: add script backup-server-state
|
||||
* evolinux-base: configure top and htop to display the swap column
|
||||
* evolinux-base: install molly-guard by default
|
||||
* generate-ldif: detect RAID controller
|
||||
* generate-ldif: detect mdadm
|
||||
* listupgrade: crontab is configurable
|
||||
* logstash: logging to syslog is configurable (default: True)
|
||||
* mongodb: create munin plugins directory if missing
|
||||
* munin: systemd override to unprotect home directory
|
||||
* mysql: add evomariabackup 21.11
|
||||
* mysql: improve Bullseye compatibility
|
||||
* mysql: script "mysql_connections" to display a compact list of connections
|
||||
* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
|
||||
* nagios-nrpe + evolinux-users: new check for ipmi
|
||||
* nagios-nrpe + evolinux-users: new check for RAID (soft + hard)
|
||||
* nagios-nrpe + evolinux-users: new checks for bkctld
|
||||
* nagios-nrpe: new check influxdb
|
||||
* openvpn: new role (beta)
|
||||
* redis: instance service for Debian 11
|
||||
* squid: add *.o.lencr.org to default whitelist
|
||||
|
||||
### Changed
|
||||
|
||||
* Change version pattern
|
||||
* Install python 2 or 3 libraries according to running python version
|
||||
* Remove embedded GPG keys only if legacy keyring is present
|
||||
* apt: remove workaround for Evolix public repositories with Debian 11
|
||||
* apt: upgrade packages after all the configuration is done
|
||||
* apt: use the new security repository for Bullseye
|
||||
* certbot: silence letsencrypt deprecation warnings
|
||||
* elasticsearch: elastic_stack_version = 7.x
|
||||
* evoacme: exclude renewal-hooks directory from cron
|
||||
* evoadmin-web: simpler PHP packages lists
|
||||
* evocheck: upstream release 21.10.4
|
||||
* evolinux-base: alert5 comes after the network
|
||||
* evolinux-base: force Debian version to buster for Evolix repository (temporary)
|
||||
* evolinux-base: install freeipmi by default on dedicated hw
|
||||
* evolinux-base: logs are rotated with dateext by default
|
||||
* evolinux-base: split dpkg logrotate configuration
|
||||
* evolinux-users + nagios-nrpe: Add support for php-fpm80 in lxc
|
||||
* evomaintenance: extract a config.yml tasks file
|
||||
* evomaintenance: upstream release 22.01
|
||||
* filebeat/metricbeat: elastic_stack_version = 7.x
|
||||
* kibana: elastic_stack_version = 7.x
|
||||
* listupgrade: old-kernel-removal version 21.10
|
||||
* listupgrade: upstream release 21.06.3
|
||||
* logstash: elastic_stack_version = 7.x
|
||||
* mongodb: Allow to specify a mongodb version for buster & bullseye
|
||||
* mongodb: Deny the install on Debian 11 « Bullseye » when the version is unsupported
|
||||
* mongodb: Support version 5.0 (for buster)
|
||||
* mysql: use python3 and mariadb-client-10.5 with Debian 11 and later
|
||||
* nodejs: default to version 16 LTS
|
||||
* php: enforce Debian version with assert instead of fail
|
||||
* squid: improve default whitelist (more specific patterns)
|
||||
* squid: must be started in foreground mode for systemd
|
||||
* squid: remove obsolete variable on Squid 4
|
||||
|
||||
### Fixed
|
||||
|
||||
* evolinux-base: fix alert5.service dependency syntax
|
||||
* certbot: sync_remote excludes itself
|
||||
* lxc-php: fix config for opensmtpd on bullseye containers
|
||||
* mysql : Create a default ~root/.my.cnf for compatibility reasons
|
||||
* nginx : fix variable name and debug to actually use nginx-light
|
||||
* packweb-apache : Support php 8.0
|
||||
* nagios-nrpe: Fix check_nfsserver for buster and bullseye
|
||||
|
||||
### Removed
|
||||
|
||||
* evocheck: package install is not supported anymore
|
||||
* logstash: no more dependency on Java
|
||||
* php: remove php-gettext for 7.4
|
||||
|
||||
## [10.6.0] 2021-06-28
|
||||
|
||||
### Added
|
||||
|
||||
* Add Elastic GPG key to kibana, filebeat, logstash, metricbeat roles
|
||||
* apache: new variable for mpm mode (+ updated default config accordingly)
|
||||
* evolinux-base: add default motd template
|
||||
* kvm-host: add migrate-vm script
|
||||
* mysql: variable to disable myadd script overwrite (default: True)
|
||||
* nodejs: update apt cache before installing the package
|
||||
* squid: add Yarn apt repository in default whitelist
|
||||
|
||||
### Changed
|
||||
|
||||
* Update Galaxy metadata (company, platforms and galaxy_tags)
|
||||
* Use 'loop' syntax instead of 'with_first_found/with_items/with_dict/with_nested/with_list'
|
||||
* Use Ansible syntax used in Ansible 2.8+
|
||||
* apt: store keys in /etc/apt/trusted.gpg.d in ascii format
|
||||
* certbot: sync_remote.sh is configurable
|
||||
* evolinux-base: copy GPG key instead of using apt-key
|
||||
* evomaintenance: upstream release 0.6.4
|
||||
* kvm-host: replace the "kvm-tools" package with scripts deployed by Ansible
|
||||
* listupgrade: upstream release 21.06.2
|
||||
* nodejs: change GPG key name
|
||||
* ntpd: Add leapfile configuration setting to ntpd on debian 10+
|
||||
* packweb-apache: install phpMyAdmin from buster-backports
|
||||
* spamassassin: change dependency on evomaintenance
|
||||
* squid: remove obsolete variable on Squid 4
|
||||
|
||||
### Fixed
|
||||
|
||||
* add default (useless) value for file lookup (first_found)
|
||||
* fix pipefail option for shell invocations
|
||||
* elasticsearch: inline YAML formatting of seed_hosts and initial_master_nodes
|
||||
* evolinux-base: fix motd lookup path
|
||||
* ldap: fix edge cases where passwords were not set/get properly
|
||||
* listupgrade: fix wget error + shellcheck cleanup
|
||||
|
||||
### Removed
|
||||
|
||||
* elasticsearch: recent versiond don't depend on external JRE
|
||||
|
||||
## [10.5.1] 2021-04-13
|
||||
|
||||
### Added
|
||||
|
||||
* haproxy: dedicated internal address/binding (without SSL)
|
||||
|
||||
### Changed
|
||||
|
||||
* etc-git: commit in /usr/share/scripts when there's an active repository
|
||||
|
||||
## [10.5.0] 2021-04-01
|
||||
|
||||
### Added
|
||||
|
||||
* apache: new variables for logrotate + server-status
|
||||
* filebeat: package can be upgraded to latest (default: False)
|
||||
* haproxy: possible admin access with login/pass
|
||||
* lxc-php: Add PHP 7.4 support
|
||||
* metricbeat: package can be upgraded to latest (default: False)
|
||||
* metricbeat: new variables to configure SSL mode
|
||||
* nagios-nrpe: new script check_phpfpm_multi
|
||||
* nginx: add access to server status on default VHost
|
||||
* postfix: add smtpd_relay_restrictions in configuration
|
||||
|
||||
### Changed
|
||||
|
||||
* apache: rotate logs daily instead of weekly
|
||||
* apache: deny requests to ^/evolinux_fpm_status-.*
|
||||
* certbot: use a fixed 1.9.0 version of the certbot-auto script (renamed "letsencrypt-auto")
|
||||
* certbot: use the legacy script on Debian 8 and 9
|
||||
* elasticsearch: log rotation is more readable/maintainable
|
||||
* evoacme: upstream release 21.01
|
||||
* evolinux-users: Add sudo rights for nagios for multi-php lxc
|
||||
* listupgrade: update script from upstream
|
||||
* minifirewall: change some defaults
|
||||
* nagios-nrpe: update check_phpfpm_status.pl & install perl dependencies
|
||||
* redis: use /run instead or /var/run
|
||||
* redis: escape password in Munin configuration
|
||||
|
||||
### Fixed
|
||||
|
||||
* bind9: added log files to apparmor definition so bind can run
|
||||
* filebeat: fix Ansible syntax error
|
||||
* nagios-nrpe: libfcgi-client-perl is not available before Debian 10
|
||||
* redis: socket/pid directories have the correct permissions
|
||||
|
||||
### Removed
|
||||
|
||||
* nginx: no more "minimal" mode, but the package remains customizable.
|
||||
|
||||
## [10.4.0] 2020-12-24
|
||||
|
||||
### Added
|
||||
|
||||
* certbot: detect domains if missing
|
||||
* certbot: new "sync_remote.sh" hook to sync certificates and execute hooks on remote servers
|
||||
* varnish: variable for jail configuration
|
||||
|
||||
### Changed
|
||||
|
||||
* certbot: disable auth for Let's Encrypt challenge
|
||||
* nginx: change from "nginx_status-XXX" to "server-status-XXX"
|
||||
|
||||
## [10.3.0] 2020-12-21
|
||||
|
||||
### Added
|
||||
|
||||
* dovecot: Update munin plugin & configure it
|
||||
* dovecot: vmail uid/gid are configurable
|
||||
* evoacme: variable to disable Debian version check (default: False)
|
||||
* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
|
||||
* minifirewall: upstream release 20.12
|
||||
* minifirewall: add variables to force upgrade the script and the config (default: False)
|
||||
* mysql: install save_mysql_processlist script
|
||||
* nextcloud: New role to setup a nextcloud instance
|
||||
* redis: variable to force use of port 6379 in instances mode
|
||||
* redis: check maxmemory in NRPE check
|
||||
* lxc-php: Allow php containers to contact local MySQL with localhost
|
||||
* varnish: config file name is configurable
|
||||
|
||||
### Changed
|
||||
|
||||
* Create system users for vmail (dovecot) and evoadmin
|
||||
* apt: disable APT Periodic
|
||||
* evoacme: upstream release 20.12
|
||||
* evocheck: upstream release 20.12
|
||||
* evolinux-users: improve uid/login checks
|
||||
* tomcat-instance: fail if uid already exists
|
||||
* varnish: change template name for better readability
|
||||
* varnish: no threadpool delay by default
|
||||
* varnish: no custom reload script for Debian 10 and later
|
||||
|
||||
### Fixed
|
||||
|
||||
* cerbot: parse HAProxy config file only if HAProxy is found
|
||||
|
||||
## [10.2.0] 2020-09-17
|
||||
|
||||
### Added
|
||||
|
||||
* evoacme: remount /usr if necessary
|
||||
* evolinux-base: swappiness is customizable
|
||||
* evolinux-base: install wget
|
||||
* tomcat: root directory owner/group are configurable
|
||||
|
||||
### Changed
|
||||
|
||||
* Change default public SSH/SFTP port from 2222 to 22222
|
||||
|
||||
### Fixed
|
||||
|
||||
* certbot: an empty change shouldn't raise an exception
|
||||
* certbot: fix "no-self-upgrade" option
|
||||
|
||||
### Removed
|
||||
|
||||
* evoacme: remove Debian 9 support
|
||||
|
||||
## [10.1.0] 2020-08-21
|
||||
|
||||
### Added
|
||||
|
||||
* certbot: detect HAProxy cert directory
|
||||
* filebeat: allow using a template
|
||||
* generate-ldif: add NVMe disk support
|
||||
* haproxy: add deny_ips file to reject connections
|
||||
* haproxy: add some comments to default config
|
||||
* haproxy: enable stats frontend with access lists
|
||||
* haproxy: preconfigure SSL with defaults
|
||||
* lxc-php: Don't disable putenv() by default in PHP settings
|
||||
* lxc-php: Install php-sqlite by default
|
||||
* metricbeat: allow using a template
|
||||
* mysql: activate binary logs by specifying log_bin path
|
||||
* mysql: option to define as read only
|
||||
* mysql: specify a custom server_id
|
||||
* nagios-nrpe/evolinux-base: brand new check for hardware raid on HP servers gen 10
|
||||
* nginx: make default vhost configurable
|
||||
* packweb-apache: Install zip & unzip by default
|
||||
* php: Don't disable putenv() by default in PHP settings
|
||||
* php: Install php-sqlite by default
|
||||
|
||||
### Changed
|
||||
|
||||
* certbot: fix haproxy hook (ssl cert directory detection)
|
||||
* certbot: install certbot dependencies non-interactively for jessie
|
||||
* elasticsearch: configure cluster with seed hosts and initial masters
|
||||
* elasticsearch: set tmpdir before datadir
|
||||
* evoacme: read values from environment before defaults file
|
||||
* evoacme: update for new certbot role
|
||||
* evoacme: upstream release 20.08
|
||||
* haproxy: adapt backports installed package list to distibution
|
||||
* haproxy: chroot and socket path are configurable
|
||||
* haproxy: deport SSL tuning to Mozilla SSL generator
|
||||
* haproxy: rotate logs with date extension and immediate compression
|
||||
* haproxy: split stats variables
|
||||
* lxc-php: Do --no-install-recommends for ssmtp/opensmtpd
|
||||
* mongodb: install custom munin plugins
|
||||
* nginx: read server-status values before changing the config
|
||||
* packweb-apache: Don't turn on mod-evasive emails by default
|
||||
* redis: create sudoers file if missing
|
||||
* redis: new syntax for match filter
|
||||
* redis: raise an error is port 6379 is used in "instance" mode
|
||||
|
||||
### Fixed
|
||||
|
||||
* certbot: restore compatibility with old Nginx
|
||||
* evobackup-client: fixed the ssh connection test
|
||||
* generate-ldif: better detection of computerOS field
|
||||
* generate-ldif: skip some odd ethernet devices
|
||||
* lxc-php: Install opensmtpd as intended
|
||||
* mongodb: fix logrotate patterm on Debian buster
|
||||
* nagios-nrpe: check_amavis: updated regex
|
||||
* squid: better regex to match sa-update domains
|
||||
* varnish: fix start command when multiple addresses are present
|
||||
|
||||
## [10.0.0] - 2020-05-13
|
||||
|
||||
### Added
|
||||
* apache: the default VHost doesn't redirect to https for ".well-known" paths
|
||||
* apt: added buster backports prerferences
|
||||
* apt: check if cron is installed before adding a cron job
|
||||
* apt: remove jessie/buster sources from Gandi servers
|
||||
* apt: verify that /etc/evolinux is present
|
||||
* certbot : new role to install and configure certbot
|
||||
* etc-git: add versioning for /usr/share/scripts on Debian 10+
|
||||
* evoacme: upstream version 19.11
|
||||
* evolinux-base: default value for "evolinux_ssh_group"
|
||||
* evolinux-base: install /sbin/deny
|
||||
* evolinux-base: install Evocheck (default: `True`)
|
||||
* evolinux-base: on debian 10 and later, add noexec on /dev/shm
|
||||
* evolinux-base: on debian 10 and later, add /usr/share/scripts in root's PATH
|
||||
* evolinux-base: remove the chrony package
|
||||
* evomaintenance: don't configure firewall for database if not necessary
|
||||
* generate-ldif: support MariaDB 10.3
|
||||
* haproxy: add a variable to keep the existing configuration
|
||||
* java: add Java 11 as possible version to install
|
||||
* listupgrade: install old-kernel-autoremoval script
|
||||
* minifirewall: add a variable to force the check scripts update
|
||||
* mongodb: mongodb: compatibility with Debian 10
|
||||
* mysql-oracle: backport tasks from mysql role
|
||||
* networkd-to-ifconfig: add variables for configuration by variables
|
||||
* packweb-apache: Deploy opcache.php to give some insights on PHP's opcache status
|
||||
* php: variable to install the mysqlnd module instead of the default mysql module
|
||||
* postgresql : variable to install PostGIS (default: `False`)
|
||||
* redis: rewrite of the role (separate instances, better systemd units…)
|
||||
* webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist
|
||||
* webapps/evoadmin-web Overload templates if needed
|
||||
* evolinux-base: install ssacli for HP Smart Array
|
||||
* evobackup-client role to configure a machine for backups with bkctld(8)
|
||||
* bind: enable query logging for recursive resolvers
|
||||
* bind: enable logrotate for recursive resolvers
|
||||
* bind: enable bind9 munin plugin for recursive resolvers
|
||||
|
||||
### Changed
|
||||
* replace version_compare() with version()s
|
||||
* removed some deprecations for Ansible 2.7
|
||||
* apache: improve permissions in save_apache_status script
|
||||
* apt: hold packages only if package is installed
|
||||
* bind: the munin task was present, but not included
|
||||
* bind: change name of logrotate file to bind9
|
||||
* certbot: commit hook must be executed at the end
|
||||
* elasticsearch: listen on local interface only by default
|
||||
* evocheck: upstream version 20.04.4
|
||||
* evocheck: cron jobs execute in verbose
|
||||
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
||||
* evolinux-base: Don't customize the logcheck recipient by default.
|
||||
* evolinux-base: configure cciss-vol-statusd in the proper file
|
||||
* evomaintenance: upstream release 0.6.3
|
||||
* evomaintenance: Turn on API by default (instead of DB)
|
||||
* evomaintenance: install PG dependencies only when needed
|
||||
* listupgrade: update from upstream
|
||||
* lxc: rely on lxc_container module instead of command module
|
||||
* lxc: remove useless loop in apt execution
|
||||
* lxc: update our default template to be compatible with Debian 10
|
||||
* lxc-php: refactor tasks for better maintainability
|
||||
* lxc-php: Use OpenSMTPD for Stretch/Buster containers, and ssmtp for Jessie containers
|
||||
* lxc-solr: changed default Solr version to 8.4.1
|
||||
* minifirewall: better alert5 activation
|
||||
* minifirewall: no http filtering by default
|
||||
* minifirewall: /bin/true command doesn't report "changed" anymore
|
||||
* nagios-nrpe: update check_redis_instances (same as redis role)
|
||||
* nagios-nrpe: change default haproxy socket path
|
||||
* nagios-nrpe: check_mode per cpu dynamically
|
||||
* nodejs: change default version to 12 (new LTS)
|
||||
* packweb-apache: Do the install & conffigure phpContainer script (instead of evoadmin-web role)
|
||||
* php: By default, allow 128M for OpCache (instead of 64M)
|
||||
* php: Don't set a chroot for the default fpm pool
|
||||
* php: Make sure the default pool we define can be fully functionnal witout debian's default pool file
|
||||
* php: Change the default pool names to something more explicit (and same for the variables names)
|
||||
* php: Add a task to remove Debian's default FPM pool file (off by default)
|
||||
* php: Cleanup CLI Settings. Also, allow url fopen and don't disable functions (in CLI only)
|
||||
* postgresql : changed logrotate config to 10 days (and fixed permissions)
|
||||
* rbenv: changed default Ruby version to 2.7.0
|
||||
* squid: Remove wait time when we turn off squid
|
||||
* squid: compatibility wit Debian 10
|
||||
* tomcat: package version derived from Debian version if missing
|
||||
* varnish: remove custom ExecReload= script for Debian 10+
|
||||
|
||||
### Fixed
|
||||
* etc-git: fix warnings ansible-lint
|
||||
* evoadmin-web: Put the php config at the right place for Buster
|
||||
* lxc: Don't stop the container if it already exists
|
||||
* lxc: Fix container existance check to be able to run in check_mode
|
||||
* lxc-php: Don't remove the default pool
|
||||
* minifirewall: fix warnings ansible-lint
|
||||
* nginx: fix munin fcgi not working (missing chmod 660 on logs)
|
||||
* php: add missing handler for php7.3-fpm
|
||||
* roundcube: fix typo for roundcube vhost
|
||||
* tomcat: fix typo for default tomcat_version
|
||||
* evolinux-base: Fix our zsyslog rotate config that doesn't work on Debian 10
|
||||
* certbot: Properly evaluate when apache is installed
|
||||
* evolinux-base: Don't make alert5.service executable as systemd will complain
|
||||
* webapps/evoadmin-web: Set default evoadmin_mail_tpl_force to True to fix a regression where the mail template would not get updated because the file is created before the role is first run.
|
||||
* minifirewall: Backport changes from minifirewall (properly open outgoing smtp(s))
|
||||
* minifirewall: Properly detect alert5.sh to turn on firewall at boot
|
||||
* packweb-apache: Add missing dependency to evoacme role
|
||||
* php: Chose the debian version repo archive for packages.sury.org
|
||||
* php: update surry_post.yml to match current latest PHP release
|
||||
* packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available
|
||||
|
||||
### Removed
|
||||
* clamav : do not install the zoo package anymore
|
||||
|
||||
## [9.10.1] - 2019-06-21
|
||||
|
||||
### Changed
|
||||
* evocheck : update (version 19.06) from upstream
|
||||
|
||||
## [9.10.0] - 2019-06-21
|
||||
|
||||
### Added
|
||||
* apache: add server status suffix in VHost (and default site) if missing
|
||||
* apache: add a variable to customize the server-status host
|
||||
* apt: add a script to manage packages with "hold" mark
|
||||
* etc-git: gitignore /etc/letsencrypt/.certbot.lock
|
||||
* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later)
|
||||
* evomaintenance: make hooks configurable
|
||||
* nginx: add server status suffix in VHost (and default site) if missing
|
||||
* redmine: enable gzip compression in nginx vhost
|
||||
|
||||
### Changed
|
||||
* evocheck : update (unreleased) from upstream
|
||||
* evomaintenance : use the web API instead of PG Insert
|
||||
* fluentd: store gpg key locally
|
||||
* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3
|
||||
* redmine: update default version to 4.0.3
|
||||
* nagios-nrpe: change required status code for http and https check
|
||||
* redmine: use custom errors-pages in Nginx vhost
|
||||
* nagios-nrpe: check_load is now based on ansible_processor_vcpus
|
||||
* php: Stop enforcing /var/www/html as chroot while we use /var/www
|
||||
* apt: Add Debian Buster repositories
|
||||
|
||||
### Fixed
|
||||
* rbenv: add check_mode for check rbenv and ruby versions
|
||||
* nagios-nrpe: fix redis_instances check when Redis port equal 0
|
||||
* redmine: fix 500 error on logging
|
||||
* evolinux-base: Validate sshd config with "-t" instead of "-T"
|
||||
* evolinux-base: Ensure rename is present
|
||||
* evolinux-users: Validate sshd config with "-t" instead of "-T"
|
||||
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
|
||||
|
||||
## [9.9.0] - 2019-04-16
|
||||
|
||||
### Added
|
||||
* etc-git: ignore evobackup/.keep-* files
|
||||
* lxc: /home is mounted in the container by default
|
||||
* nginx : add "x-frame-options: sameorigin" for Munin
|
||||
|
||||
### Changed
|
||||
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
|
||||
* apt: Ensure jessie-backport from archives.debian.org is accepted
|
||||
* apt: Remove jessie-update suite as it's no longer exists
|
||||
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
|
||||
* evocheck : update script from upstream
|
||||
* evolinux-base: remove apt-listchanges on Stretch and later
|
||||
* evomaintenance: embed version 0.5.0
|
||||
* opendkim: aligning roles with our conventions, major changes in opendkim-add.sh
|
||||
* redis: higher limit of open files
|
||||
* redis: set variables on inclusion, not with set_facts
|
||||
* tomcat: better tomcat version management
|
||||
* webapps/evoadmin-web: add dbadmin.sh to sudoers file
|
||||
|
||||
|
||||
### Fixed
|
||||
* spamassasin: fix sa-update.sh and ensure service is started and enabled
|
||||
* tomcat-instance: deploy correct version of config files
|
||||
* tomcat-instance: deploy correct version of server.xml
|
||||
|
||||
## [9.8.0] - 2019-01-31
|
||||
|
||||
### Added
|
||||
* filebeat: disable cloud_metadata processor by default
|
||||
* metricbeat: disable cloud_metadata processor by default
|
||||
* percona : new role to install Percona repositories and tools
|
||||
* redis: add variable for configure unixsocketperm
|
||||
|
||||
### Changed
|
||||
* redmine: refactoring of redmine role with use of rbenv
|
||||
|
||||
### Fixed
|
||||
* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
|
||||
|
||||
## [9.7.0] - 2019-01-17
|
||||
|
||||
### Added
|
||||
* apache: add Munin configuration for Apache server-status URL
|
||||
* evomaintenance: database variables must be set or the task fails
|
||||
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
|
||||
* metricbeat: add a variable for the protocol to use with Elasticsearch
|
||||
* rbenv: add pkg-config to the list of packages to install
|
||||
* redis: Configure munin when working in instance mode
|
||||
* redis: add a variable for renamed/disabled commands
|
||||
* redis: add a variable to disable the restart handler
|
||||
* redis: add a variable to force a restart (even with no change)
|
||||
* proftpd: add FTPS and SFTP support
|
||||
|
||||
### Changed
|
||||
* redis: distinction between main and master password
|
||||
* evocheck: update evocheck.sh for source install
|
||||
* php: added php-zip in the installed package list for debian 9 (and later)
|
||||
* squid: added packagist.org in the whitelist
|
||||
* java: update Oracle java package to 8u192
|
||||
|
||||
### Fixed
|
||||
* fail2ban: fix "ignoreip" update
|
||||
* metricbeat: fix username/password replacement
|
||||
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
|
||||
* nginx: Munin url config is now a template to insert the server-status prefix
|
||||
* nodejs: Update yarn repo GPG key (current key expired)
|
||||
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
|
||||
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
|
||||
|
||||
|
||||
## [9.6.0] - 2018-12-04
|
||||
|
||||
### Added
|
||||
* evolinux-base: deploy custom motd if template are present
|
||||
* minifirewall: all variables are configurable (untouched by default)
|
||||
* minifirewall: main file is configurable
|
||||
* squid: minifirewall main file is configurable
|
||||
|
||||
### Changed
|
||||
* minifirewall: compare config before/after (for restart condition)
|
||||
* squid: better replacement in minifirewall config
|
||||
* evoadmin-mail: complete refactoring, use Debian Package
|
||||
|
||||
## [9.5.0] - 2018-11-14
|
||||
|
||||
### Added
|
||||
* apache: separate task to update IP whitelist
|
||||
* evolinux-base: install man package
|
||||
* evolinux-users: add newaliases handler
|
||||
* evomaintenance: FROM domain is configurable
|
||||
* fail2ban: separate task to update IP whitelist
|
||||
* nginx: add tag for ips management
|
||||
* nginx: separate task to update IP whitelist
|
||||
* postfix: enable SSL/TLS client
|
||||
* ssl: add an SSL role for certificates deployment
|
||||
* haproxy: add vars for tls configuration
|
||||
* mysql: logdir can be customized
|
||||
|
||||
### Changed
|
||||
* evocheck: update script from upstream
|
||||
* evomaintenance: update script from upstream
|
||||
* mysql: restart service if systemd unit has been patched
|
||||
|
||||
### Fixed
|
||||
* packweb-apache: mod-security config is already included elsewhere
|
||||
* redis: for permissions on log and lib directories
|
||||
* redis: fix shell for instance users
|
||||
* evoacme: fix error handling in sed_cert_path_for_(apache|nginx)
|
||||
|
||||
## [9.4.2] - 2018-10-12
|
||||
|
||||
### Added
|
||||
* evomaintenance: install dependencies manually when installing vendored version
|
||||
* nagios-nrpe: add an option to ignore servers in NOLB status
|
||||
|
||||
### Changed
|
||||
* haproxy: move check_haproxy_stats to nagios-nrpe role
|
||||
|
||||
### Fixed
|
||||
* evoacme: better error when apache2ctl fails
|
||||
* evomaintenance: fix role compatibility with OpenBSD
|
||||
* spamassassin: add missing right for amavis
|
||||
* amavis: fix output result checking
|
||||
|
||||
## [9.4.1] - 2018-09-28
|
||||
|
||||
### Added
|
||||
* redis: set masterauth when redis_password is defined
|
||||
* evomaintenance: variable to install a vendored version
|
||||
* evomaintenance: tasks/variables to handle minifirewall restarts
|
||||
|
||||
### Changed
|
||||
* mysql-oracle: better handle packages and users
|
||||
|
||||
## [9.4.0] - 2018-09-20
|
||||
|
||||
### Added
|
||||
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
|
||||
* evolinux-base: better shell history
|
||||
* evolinux-users: add user to /etc/aliases
|
||||
* generate-ldif: add a section for postgresql
|
||||
* logstash: tmp directory can be customized
|
||||
* logstash: max memory is set to 512M by default
|
||||
* logstash: version 6.x is installed by default
|
||||
* mysql: add a variable to prevent mysql from restarting
|
||||
* networkd-to-ifconfig: add a role to switch from networkd to ifconfig
|
||||
* webapps/evoadmin-web: add users to /etc/aliases
|
||||
* redis: add support for multi instances
|
||||
* nagios-nrpe: add check_redis_instances
|
||||
|
||||
### Changed
|
||||
* dovecot: stronger TLS configuration
|
||||
|
||||
### Fixed
|
||||
* apache: cleaner way to overwrite the server status suffix
|
||||
* packweb-apache: don't regenerate phpMyAdmin suffix each time
|
||||
* nginx: cleaner way to overwrite the server status suffix
|
||||
* redis: add missing tags
|
||||
|
||||
## [9.3.2] - 2018-09-06
|
||||
|
||||
### Added
|
||||
* minifirewall: add a variable to disable the restart handler
|
||||
* minifirewall: add a variable to force a restart of the firewall (even with no change)
|
||||
* minifirewall: improve variables values and documentation
|
||||
|
||||
### Changed
|
||||
* dovecot: enable SSL/TLS by default with snakeoil certificate
|
||||
|
||||
### Fixed
|
||||
|
||||
### Security
|
||||
|
||||
## [9.3.1] - 2018-08-30
|
||||
|
||||
### Added
|
||||
* metricbeat: new variables to configure elasticsearch hosts and auth
|
||||
|
||||
## [9.3.0] - 2018-08-24
|
||||
|
||||
### Added
|
||||
* elasticsearch: tmpdir configuration compatible with 5.x also
|
||||
* elasticsearch: add http.publish_host variable
|
||||
* evoacme: disable old certbot cron also in cron.daily
|
||||
* evocheck: detect installed packages even if "held" by APT (manual fix)
|
||||
* evocheck: the crontab is updated by the role (default: `True`)
|
||||
* evolinux-base: add mail related aliases
|
||||
* evolinux-todo: new role, to help maintain a file of todo tasks
|
||||
* fail2ban: add a variable to disable the ssh filter (default: `False`)
|
||||
* etc-git: install a script to optimize the repository each month
|
||||
* fail2ban: add a variable to update the list of ignored IP addresses/blocs (default: `False`)
|
||||
* generate-ldif: detect installed packages even if "held" by APT
|
||||
* java: support for Oracle JRE
|
||||
* kibana: log messages go to /var/log/kibana/kibana.log
|
||||
* metricbeat: add a role (copied from filebeat)
|
||||
* munin: properly rename Munin cache directory
|
||||
* mysql: add an option to install the client development libraries (default: `False`)
|
||||
* mysql: add a few variables to customize the configuration
|
||||
* nagios-nrpe: add check_postgrey
|
||||
|
||||
### Changed
|
||||
* etc-git: some entries of .gitignore are mandatory
|
||||
* evocheck: update upstream script
|
||||
* evolinux-base: improve hostname configuration (real vs. internal)
|
||||
* evolinux-base: use the "evolinux-todo" role
|
||||
* evolinux-users: add sudo permission for bkctld check
|
||||
* java8: renamed to java (java8 symlinked to java for backward compatibility)
|
||||
* minifirewall: the tail file can be overwritten, or not (default: `True`)
|
||||
* nagios-nrpe: use bkctld internal check instead of nrpe plugin
|
||||
* php: reorganization of the role for Sury overrides and more clear configuration
|
||||
* redmine: use .my.cnf for mysql password
|
||||
* rbenv: change default Ruby version (2.5.1)
|
||||
* rbenv: switch from copy to lineinfile for default gems
|
||||
* remount-usr: mount doesn't report a change
|
||||
* squid: add a few news sites to the whitelist
|
||||
* tomcat: better nrpe check output
|
||||
* kvm-host: install kvm-tools package instead of copying add-vm.sh
|
||||
|
||||
### Fixed
|
||||
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
|
||||
* bind: chroot-bind.sh must not be executed in check mode
|
||||
* evoacme: fix module detection in apache config
|
||||
* fail2ban: fix fail2ban_ignore_ips definition
|
||||
* mysql-oracle: fix configuration directory variable
|
||||
* php: fpm slowlog needs an absolute path
|
||||
* roundcube: add missing slash to https redirection
|
||||
|
||||
## [9.2.0] - 2018-05-16
|
||||
|
||||
### Changed
|
||||
* filebeat: install version 6.x by default
|
||||
* filebeat: cleanup unused code
|
||||
* squid: add some domaine and fix broken restrictions
|
||||
* elasticsearch: defaults to version 6.x
|
||||
|
||||
### Fixed
|
||||
* evolinux-users: secondary groups are comma-separated
|
||||
* ntpd: fix configuration (server and ACL)
|
||||
* varnish: don't fork the process on startup with systemd
|
||||
|
||||
## [9.1.9] - 2018-04-24
|
||||
|
||||
### Added
|
||||
|
||||
### Changed
|
||||
* apache: customize logrotate (52 weeks)
|
||||
* evolinux: groups for SSH configuration are used with Debian 10 and later
|
||||
* evolinux-base: fail2ban is not enabled by default
|
||||
* evolinux-users: refactoring of the SSH configuration
|
||||
* mysql-oracle: copy evolinux config files in mysql.cond.d
|
||||
* mysql/mysql-oracle: mysqltuner cron scripts is 0755
|
||||
* generate-ldif: add a minifirewall service when /etc/default/minifirewall exists
|
||||
|
||||
## [9.1.8] - 2018-04-16
|
||||
|
||||
### Changed
|
||||
* packweb-apache: use dependencies instead of include_role for apache and php roles
|
||||
|
||||
### Fixed
|
||||
* mysql: use check_mode for apg command (Fix --check)
|
||||
* mysql/mysql-oracle: properly reload systemd
|
||||
* packweb-apache: use check_mode for apg command (Fix --check)
|
||||
|
||||
## [9.1.7] - 2018-04-06
|
||||
|
||||
### Added
|
||||
* added a few become attributes where missing
|
||||
* etc-git: add tags for Ansible
|
||||
* evolinux-base: install ncurses-term package
|
||||
* haproxy: install Munin plugins
|
||||
* listupgrade: add service restart notification for Squid and libstdc++6
|
||||
* minifirewall: add "check_minifirewall" Nagios plugin (and `minifirewall_status` script)
|
||||
* mysql-oracle: new role to install MySQL 5.7 with Oracle packages
|
||||
* mysql: remount /usr before creating scripts directory
|
||||
* nagios-nrpe: add "check_open_files" plugin
|
||||
* nagios-nrpe: mark plugins as executable
|
||||
* nodejs: Yarn package manager can be installed (default: `false`)
|
||||
* packweb-apache: choose mysql variant (default: `debian`)
|
||||
* postfix: add lines in /etc/.gitignore
|
||||
* proftpd: use "proftpd_accounts" list to manage ftp accounts
|
||||
* redmine: added missing tags
|
||||
|
||||
### Changed
|
||||
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
||||
* evolinux-users: split AllowGroups/AllowUsers modes for SSH directives
|
||||
* mongodb: allow unauthenticated packages for Jessie
|
||||
* mongodb: configuration is forced by default but it's configurable (default: `false`)
|
||||
* mongodb: rename logrotate script
|
||||
* nagios-nrpe: mark plugins as executable
|
||||
* nginx: don't debug variables in verbosity 0
|
||||
* nginx: package name can be specified (default: `nginx-full`)
|
||||
* php: fix FPM custom file permissions
|
||||
* php: more tasks notify FPM handler to restart if needed
|
||||
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
|
||||
|
||||
### Fixed
|
||||
* dovecot: fix support of plus sign
|
||||
* mysql/mysql-oracle: mysqltuner cron task is executable
|
||||
* nginx: fix basic auth for default vhost
|
||||
* rbenv: fix become user issue with copy tasks
|
||||
|
||||
## [9.1.6] - 2018-02-02
|
||||
|
||||
### Added
|
||||
* mongodb: install python-pymongo for monitoring
|
||||
* nagios-nrpe: allowed_hosts can be updated
|
||||
|
||||
### Changed
|
||||
* Changelog: explain the versioning scheme
|
||||
* Changelog: add a release date for 9.1.5
|
||||
* evoacme: exclude typical certbot directories
|
||||
|
||||
### Fixed
|
||||
* fail2ban: fix horrible typo, Python is not Ruby
|
||||
* nginx: fix servers status dirname
|
||||
|
||||
## [9.1.5] - 2018-01-18
|
||||
|
||||
### Added
|
||||
* There is a changelog!
|
||||
* redis: configuration variable for protected mode (v3.2+)
|
||||
* evolinux-users: users are in "adm" group for Debian 9 or later
|
||||
* evolinx-base: purge locate/mlocate packages
|
||||
* evolinx-base: create /etc/evolinux if missing
|
||||
* many Ansible tags for easier fine grained execution of playbooks
|
||||
* apache/nginx: server status suffix management
|
||||
* unbound: retrieve list of root DNS servers
|
||||
* redmine: ability to install themes and plugins
|
||||
|
||||
### Changed
|
||||
* rbenv: Ruby 2.5 becomes the default version
|
||||
* evocheck: update upstream version embedded in role (c993244)
|
||||
* bind: keep 52 weeks of logs
|
||||
|
||||
### Fixed
|
||||
* squid: different logrotate file for Jessie or Stretch+
|
||||
* evoacme: don't invoke evoacme if no vhost is found
|
||||
* evomaintenance: explicit quotes in config file
|
||||
* redmine: force xpath gem < 3.0.0
|
||||
|
||||
### Security
|
||||
* evomaintenance: fix permissions for config file
|
||||
|
||||
## [9.1.4] - 2017-12-20
|
||||
|
||||
### Added
|
||||
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
|
||||
* mysql: add a check_mysql_slave in nrpe configuration
|
||||
* ldap: slapd tcp port is configurable
|
||||
* elasticsearch: broader patterns for log rotation
|
||||
|
||||
### Changed
|
||||
* split IP lists in 2 – default and additional – for easier customization.
|
||||
|
||||
### Fixed
|
||||
* minifirewall: allow outgoing SSH connections over IPv6
|
||||
* nodejs: rename source.list file
|
||||
|
||||
### Security
|
||||
* evoadmin-web: change config.local.php file permissions
|
||||
* evolinux-base: change default_www file permissions
|
||||
|
||||
## [9.1.3] 2017-12-08
|
||||
|
||||
### Added
|
||||
* evolinux-base: install traceroute package
|
||||
* evolinux-base/ntpd: purge openntpd
|
||||
* tomcat: add Tomcat 8 cmpatibility
|
||||
* log2mail: add "The total blob data length" pattern for MySQL
|
||||
* nagios-nrpe: add bkctld check in evolix.cfg
|
||||
* varnish: reload or restart if needed
|
||||
* rabbitmq: add a munin plugin and an NRPE check
|
||||
* minifirewall: add debug for variables
|
||||
* elastic: option for stack main version
|
||||
|
||||
### Changed
|
||||
* nginx: rename Let's Encrypt snippet
|
||||
* nginx: simpler apt preferences for backports
|
||||
* generate-ldif: add clamd service instead of clamav_db
|
||||
* mysql: parameterize evolinux config files
|
||||
* rbenv: use Rbenv 1.1.1 and Ruby 2.4.2 by default
|
||||
* elasticsearch: update curator debian repository
|
||||
* evoacme: crontab management
|
||||
* evoacme: better documentation
|
||||
* mongodb: comatible with Stretch
|
||||
|
||||
### Removed
|
||||
* mongodb: logfile/pidfile are not configurable on Jessie
|
||||
* minifirewall: remove zidane.evolix.net from HTTPSITES
|
||||
|
||||
### Fixed
|
||||
* nginx: fix munin CGI graphs
|
||||
* ntpd: fix default configuration (localhost only)
|
||||
* logstash: fix permissions on pipeline configuration
|
||||
* postfix/spamassassin: add user in cron job
|
||||
* php: php.ini custom file are now readable
|
||||
* hostname customization needs the dbus package
|
||||
|
||||
## [9.1.2] 2017-12-05
|
||||
|
||||
### Fixed
|
||||
* listupgrade: remount /usr as rw
|
||||
|
||||
## [9.1.1] 2017-11-21
|
||||
|
||||
### Added
|
||||
* amazon-ec2: add egress rules
|
||||
|
||||
### Fixed
|
||||
* evoacme: fix multiple bugs
|
||||
|
||||
## [9.1.0] 2017-11-19
|
||||
|
||||
_Warning: huge release, many entries are missing below._
|
||||
|
||||
### Added
|
||||
* amazon-ec2: new role, for EC2 instances creation
|
||||
* Move /usr rw remount into remount-usr role
|
||||
* kibana: host and basepath configuration
|
||||
* kibana: move optimize and data to /var
|
||||
* logstash: daily job for log rotation
|
||||
* elasticsearch: daily job for log rotation
|
||||
* roundcube: add link in default site index
|
||||
* nagios-nrpe: add opendkim check
|
||||
|
||||
### Changed
|
||||
* Combine evolix and additional trusted IP addresses
|
||||
* amazon-ec2: split tasks
|
||||
* apt: don't upgrade by default
|
||||
* postfix: extract main.cf md5sum into variables
|
||||
* evolinux-base: cache hwraid pgp key locally
|
||||
* evoacme: improve cron task
|
||||
* elasticsearch: use elastic.list APT source list for curator
|
||||
* ldap: better variables
|
||||
|
||||
### Fixed
|
||||
* fail2ban: create config hierarchy beforehand
|
||||
* elasticsearch: fix datadir/tmpdir conditions
|
||||
* elastic: remove double ".list" suffix
|
||||
* nagios-nrpe: fix check_free_mem for OpenBSD 6.2
|
||||
* nagios-nrpe: fix check_amavis
|
||||
|
||||
### Removed
|
||||
|
||||
### Security
|
||||
|
||||
|
||||
## [9.0.1] 2017-10-02
|
||||
|
||||
### Added
|
||||
* haproxy: add a Nagios check
|
||||
* php: add "sury" mode for PHP 7.1 on Stretch
|
||||
* minifirewall: explicit dependency on iptables
|
||||
* apt: remove Gandi source files
|
||||
* docker-host: new variable for docker home
|
||||
|
||||
### Changed
|
||||
* php: install php5/php package after fpm/libapache2-mod-php
|
||||
|
||||
### Fixed
|
||||
* mysql: add "REPLICATION CLIENT" privilege for nrpe
|
||||
* evoadmin-web: revert from variables to keywords in the templates
|
||||
* evoacme: many fixes
|
||||
* etc-git: detect user if root (without su or sudo)
|
||||
* docker-host: clean override of docker systemd unit
|
||||
* varnish: fix systemd unit override
|
||||
|
||||
## [9.0.0] 2017-09-19
|
||||
|
||||
First official release
|
22
Dockerfile
22
Dockerfile
|
@ -1,22 +0,0 @@
|
|||
FROM debian:stretch-slim
|
||||
|
||||
ENV ROLES_VERSION=${ROLES_VERSION:-unstable}
|
||||
|
||||
RUN apt-get update \
|
||||
&& apt-get install -y --no-install-recommends \
|
||||
git \
|
||||
ansible \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
RUN ansible-galaxy install --force \
|
||||
--roles-path /etc/ansible \
|
||||
"git+https://gitea.evolix.org/evolix/ansible-roles.git,${ROLES_VERSION},roles"
|
||||
|
||||
ENV ANSIBLE_FORCE_COLOR=1
|
||||
ENV ANSIBLE_HOST_KEY_CHECKING=false
|
||||
ENV ANSIBLE_RETRY_FILES_ENABLED=false
|
||||
ENV PYTHONUNBUFFERED=1
|
||||
|
||||
WORKDIR /data
|
||||
|
||||
ENTRYPOINT ["ansible-playbook"]
|
57
README.md
57
README.md
|
@ -1,63 +1,10 @@
|
|||
# Ansible-roles
|
||||
|
||||
A repository for Ansible roles used by Evolix on Debian GNU/Linux 9 (stretch) servers.
|
||||
Few roles are also be compatible with Debian GNU/Linux 8 (jessie) servers.
|
||||
A repository for Ansible roles used by Evolix.
|
||||
|
||||
It contains only roles, everything else is available at
|
||||
https://gitea.evolix.org/evolix/ansible-public
|
||||
|
||||
## Branches
|
||||
https://forge.evolix.org/projects/ansible-public
|
||||
|
||||
The **stable** branch contains roles that we consider ready for production.
|
||||
|
||||
The **unstable** branch contains not sufficiently tested roles (or evolutions on existing roles) that we don't consider ready for production yet.
|
||||
|
||||
Many feature branches may exist in the repository. They represent "work in progress". They may be used, for testing purposes.
|
||||
|
||||
## Install and usage
|
||||
|
||||
First, check-out the repository :
|
||||
|
||||
```
|
||||
$ cd ~/GIT/
|
||||
$ git clone https://gitea.evolix.org/evolix/ansible-roles
|
||||
```
|
||||
|
||||
Then, add its path to your ansible load path :
|
||||
|
||||
```
|
||||
$ vim ~/.ansible.cfg
|
||||
[defaults]
|
||||
roles_path = $HOME/GIT/ansible-roles
|
||||
```
|
||||
|
||||
Then, include roles in your playbooks :
|
||||
|
||||
```
|
||||
- hosts: all
|
||||
gather_facts: yes
|
||||
become: yes
|
||||
roles:
|
||||
- etc-git
|
||||
- evolinux-base
|
||||
```
|
||||
|
||||
## Contributing
|
||||
|
||||
Contributions are welcome, especially bug fixes and "ansible good practices". They will be merged in if they are consistent with our conventions and use cases. They might be rejected if they introduce complexity, cover features we don't need or don't fit "style".
|
||||
|
||||
Before starting anything of importance, we suggest contacting us to discuss what you'd like to add or change.
|
||||
|
||||
Our conventions are available in the "ansible-public":https://gitea.evolix.org/evolix/ansible-public repository, in the CONVENTIONS.md file.
|
||||
|
||||
All modifications should be documented in the CHANGELOG file, to help review releases. We encourage atomic commits, on a single role, and with the CHANGELOG in the same commit.
|
||||
|
||||
## Workflow
|
||||
|
||||
The ideal and most typical workflow is to create a branch, based on the "unstable" branch. The branch should have a descriptive name (a ticket/issue number is great). The branch can be treated as a pull-request or merge-request. It should be propery tested and reviewed before merging into "unstable".
|
||||
|
||||
Changes that don't introduce significant changes — or that must go faster that the typical workflow — can be commited directly into "unstable".
|
||||
|
||||
Hotfixes, can be prepared on a new branch, based on "stable" or "unstable" (to be decided by the author). When ready, it can be merged back to "stable" for immediate deployment and to "unstable" for proper backporting.
|
||||
|
||||
Other workflow are not forbidden, but should be discussed in advance.
|
||||
|
|
|
@ -31,7 +31,7 @@ suites:
|
|||
playbook: ./tests/test.yml
|
||||
verifier:
|
||||
patterns:
|
||||
- evolinux-users/tests/spec/evolinux-users_spec.rb
|
||||
- admin-users/tests/spec/admin-users_spec.rb
|
||||
bundler_path: '/usr/local/bin'
|
||||
rspec_path: '/usr/local/bin'
|
||||
|
27
admin-users/README.md
Normal file
27
admin-users/README.md
Normal file
|
@ -0,0 +1,27 @@
|
|||
# admin-users
|
||||
|
||||
Creates admin users accounts, based on a configuration data structure.
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
## Available variables
|
||||
|
||||
The variable `admin_users` must be a "dict" of one or more users :
|
||||
|
||||
```
|
||||
admin_users:
|
||||
foo:
|
||||
name: foo
|
||||
uid: 1001
|
||||
fullname: 'Mr Foo'
|
||||
password_hash: 'sdfgsdfgsdfgsdfg'
|
||||
ssh_key: 'ssh-rsa AZERTYXYZ'
|
||||
bar:
|
||||
name: bar
|
||||
uid: 1002
|
||||
fullname: 'Mr Bar'
|
||||
password_hash: 'gsdfgsdfgsdfgsdf'
|
||||
ssh_key: 'ssh-rsa QWERTYUIOP'
|
||||
```
|
2
admin-users/defaults/main.yml
Normal file
2
admin-users/defaults/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
admin_users: {}
|
|
@ -3,7 +3,3 @@
|
|||
service:
|
||||
name: sshd
|
||||
state: reloaded
|
||||
|
||||
- name: newaliases
|
||||
command: newaliases
|
||||
changed_when: False
|
19
admin-users/meta/main.yml
Normal file
19
admin-users/meta/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
galaxy_info:
|
||||
author: Evolix
|
||||
description: Creates admin users accounts.
|
||||
|
||||
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||
|
||||
license: GPLv2
|
||||
|
||||
min_ansible_version: 2.2
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
# to this list.
|
137
admin-users/tasks/adduser_debian.yml
Normal file
137
admin-users/tasks/adduser_debian.yml
Normal file
|
@ -0,0 +1,137 @@
|
|||
---
|
||||
|
||||
- name: "Test if uid exists for '{{ user.name }}'"
|
||||
command: 'getent passwd {{ user.uid }}'
|
||||
register: uidisbusy
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
|
||||
- name: "Add Unix account with classical uid for '{{ user.name }}'"
|
||||
user:
|
||||
state: present
|
||||
uid: '{{ user.uid }}'
|
||||
name: '{{ user.name }}'
|
||||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
when: uidisbusy.rc != 0
|
||||
|
||||
- name: "Add Unix account with random uid for '{{ user.name }}'"
|
||||
user:
|
||||
state: present
|
||||
name: '{{ user.name }}'
|
||||
comment: '{{ user.fullname }}'
|
||||
shell: /bin/bash
|
||||
password: '{{ user.password_hash }}'
|
||||
update_password: on_create
|
||||
when: uidisbusy.rc == 0
|
||||
|
||||
- name: "Fix perms on homedirectory for '{{ user.name }}'"
|
||||
file:
|
||||
name: '/home/{{ user.name }}'
|
||||
mode: "0700"
|
||||
state: directory
|
||||
|
||||
- name: is evomaintenance installed?
|
||||
stat:
|
||||
path: "/usr/share/scripts/evomaintenance.sh"
|
||||
register: evomaintenance_script
|
||||
check_mode: no
|
||||
|
||||
- name: "Add evomaintenance trap for '{{ user.name }}'"
|
||||
lineinfile:
|
||||
state: present
|
||||
dest: '/home/{{ user.name }}/.profile'
|
||||
insertafter: EOF
|
||||
line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
|
||||
when: evomaintenance_script.stat.exists
|
||||
|
||||
- name: "Create .ssh directory for '{{ user.name }}'"
|
||||
file:
|
||||
dest: '/home/{{ user.name }}/.ssh/'
|
||||
state: directory
|
||||
mode: "0700"
|
||||
owner: '{{ user.name }}'
|
||||
group: '{{ user.name }}'
|
||||
|
||||
- name: "Add user's SSH public key for '{{ user.name }}'"
|
||||
authorized_key:
|
||||
user: "{{ user.name }}"
|
||||
key: "{{ user.ssh_key }}"
|
||||
state: present
|
||||
|
||||
# we must double-escape caracters, because python
|
||||
- name: verify AllowUsers directive
|
||||
shell: "egrep '^AllowUsers' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
|
||||
- name: "Add AllowUsers sshd directive for '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: '^# ForceCommand cvs server'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc != 0
|
||||
|
||||
- name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1 {{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc == 0
|
||||
|
||||
- name: verify Match User directive
|
||||
command: "grep 'Match User' /etc/ssh/sshd_config"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: grep_matchuser_ssh
|
||||
check_mode: no
|
||||
|
||||
- name: "Add Match User sshd directive for '{{ user.name }}'"
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc != 0
|
||||
|
||||
- name: "Modify Match User's sshd directive for '{{ user.name }}'"
|
||||
replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc == 0
|
||||
|
||||
- name: Verify Evolinux sudoers file presence
|
||||
template:
|
||||
src: sudoers_debian.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: false
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
|
||||
- name: Verify Evolinux sudoers file permissions
|
||||
file:
|
||||
path: /etc/sudoers.d/evolinux
|
||||
mode: "0440"
|
||||
state: file
|
||||
|
||||
- name: "Add user in sudoers file for '{{ user.name }}'"
|
||||
replace:
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
when: not copy_sudoers_evolinux.changed
|
||||
|
||||
- meta: flush_handlers
|
15
admin-users/tasks/main.yml
Normal file
15
admin-users/tasks/main.yml
Normal file
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
|
||||
- fail:
|
||||
msg: "Error: empty variable 'admin_users'!"
|
||||
when: admin_users == {}
|
||||
|
||||
- include: adduser_debian.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
with_dict: "{{ admin_users }}"
|
||||
when: ansible_distribution == "Debian"
|
||||
|
||||
# - include: adduser_openbsd.yml user={{ item.value }}
|
||||
# with_dict: "{{ admin_users }}"
|
||||
# when: ansible_distribution == "OpenBSD"
|
|
@ -4,11 +4,6 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts
|
|||
User_Alias ADMINS = {{ user.name }}
|
||||
|
||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
|
||||
nagios ALL = NOPASSWD: /usr/sbin/bkctld check
|
||||
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails
|
||||
nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup
|
||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||
|
||||
ADMINS ALL = (ALL:ALL) ALL
|
|
@ -2,7 +2,7 @@
|
|||
- hosts: test-kitchen
|
||||
|
||||
vars:
|
||||
evolinux_users:
|
||||
admin_users:
|
||||
foo:
|
||||
name: foo
|
||||
uid: 1001
|
||||
|
@ -20,4 +20,4 @@
|
|||
# state: directory
|
||||
|
||||
roles:
|
||||
- role: evolinux-users
|
||||
- role: admin-users
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
- name: restart amavis
|
||||
service:
|
||||
name: amavis
|
||||
state: restarted
|
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
- name: install Amavis
|
||||
apt:
|
||||
name:
|
||||
- postgrey
|
||||
- amavisd-new
|
||||
state: present
|
||||
tags:
|
||||
- amavis
|
||||
|
||||
- name: configure Amavis
|
||||
template:
|
||||
src: amavis.conf.j2
|
||||
dest: /etc/amavis/conf.d/49-evolinux-defaults
|
||||
mode: "0644"
|
||||
notify: restart amavis
|
||||
tags:
|
||||
- amavis
|
|
@ -1,57 +0,0 @@
|
|||
use strict;
|
||||
|
||||
## Liste des domaines considérés comme locaux
|
||||
#@local_domains_acl = qw(.);
|
||||
@local_domains_acl = (".example.net","example.com");
|
||||
|
||||
# On customise la ligne ajoutée dans les entêtes
|
||||
$X_HEADER_LINE = "by Amavis at $mydomain";
|
||||
|
||||
# On precise les FROM pour etre (bugs dans certaines version d'Amavis)
|
||||
$mailfrom_notify_admin = "postmaster\@$mydomain";
|
||||
$mailfrom_notify_recip = "postmaster\@$mydomain";
|
||||
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
|
||||
|
||||
# Notifications de fichiers bannis / virus
|
||||
$virus_admin = "postmaster\@$mydomain";
|
||||
# Ne pas recevoir des notifications pour les mails UNCHECKED
|
||||
delete $admin_maps_by_ccat{&CC_UNCHECKED};
|
||||
|
||||
# Que faire avec les messages détectés
|
||||
$final_virus_destiny = D_DISCARD;
|
||||
$final_banned_destiny = D_BOUNCE;
|
||||
$final_spam_destiny = D_BOUNCE;
|
||||
$final_bad_header_destiny = D_PASS;
|
||||
|
||||
# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus
|
||||
#$banned_quarantine_to = "banned\@$mydomain";
|
||||
#$virus_quarantine_to = "virus\@$mydomain";
|
||||
|
||||
# Note tueuse
|
||||
$sa_tag2_level_deflt = 6.31;
|
||||
# Pour un comportement "normal" de SA
|
||||
$sa_tag_level_deflt = -1999;
|
||||
$sa_kill_level_deflt = 1999;
|
||||
$sa_dsn_cutoff_level = -99;
|
||||
$sa_spam_subject_tag = '[SPAM]';
|
||||
|
||||
# log
|
||||
$log_level = 2;
|
||||
|
||||
# En fonction besoin/ressources, on a juste le nbre de process
|
||||
$max_servers = 2;
|
||||
|
||||
$enable_ldap = 1;
|
||||
$default_ldap = {
|
||||
hostname => '127.0.0.1', tls => 0,
|
||||
base => '{{ ldap_suffix }}', scope => 'sub',
|
||||
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
|
||||
};
|
||||
|
||||
# Activer l'antivirus et antivirus
|
||||
@bypass_virus_checks_maps = (
|
||||
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
|
||||
@bypass_spam_checks_maps = (
|
||||
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
|
||||
|
||||
1; # ensure a defined return
|
|
@ -1,60 +0,0 @@
|
|||
# amazon-ec2
|
||||
|
||||
Manage Amazon EC2 instances.
|
||||
|
||||
This role is intended to be called before any other role to setup and start EC2
|
||||
instances.
|
||||
|
||||
## Dependencies
|
||||
|
||||
You should first ensure that you have `python-boto` package installed on your
|
||||
machine and an Amazon security access key pair created for your account.
|
||||
|
||||
## Tasks
|
||||
|
||||
By default, this role does nothing (no `main.yml` file).
|
||||
|
||||
* `setup.yml`: create a security group and ssh keys
|
||||
* `create-instance.yml`: create new EC2 instances
|
||||
* `post-install.yml`: remove admin user created on Debian instances
|
||||
|
||||
## Variables
|
||||
|
||||
- `aws_access_key` and `aws_secret_key`: your AWS credentials
|
||||
- `aws_region`: where to create instances. Default: ca-central-1
|
||||
- `ec2_public_ip`: assign public elastic IP address. Default: False
|
||||
- `ec2_instance_count`: how many instance to launch. Default: 1
|
||||
- `ec2_security_group: EC2 security group to use. See
|
||||
ec2_evolinux_security_group in `defaults/main.yml` to define your own.
|
||||
Default: ec2_evolinux_security_group
|
||||
- `ec2_base_ami`: EC2 image to use. Default is to use Debian official ones,
|
||||
depending on the region
|
||||
- `ec2_instance_type`: EC2 instance type to use
|
||||
- `ssh_pubkey_file`: SSH public key file to push to AWS. Do not try to put
|
||||
your ED25519 key here, AWS does not support it. Default: ~/.ssh/id_rsa.pub
|
||||
- `ec2_keyname: a name to give to your public key on AWS. Default is to use
|
||||
$USER environment variable.
|
||||
|
||||
## Examples
|
||||
|
||||
In your main evolinux playbook put this play before Evolinux one:
|
||||
|
||||
```
|
||||
---
|
||||
- name: Prepare Amazon EC2 instance
|
||||
hosts: localhost
|
||||
gather_facts: False
|
||||
|
||||
vars:
|
||||
aws_access_key:
|
||||
aws_secret_key:
|
||||
# Any other variable you want to set.
|
||||
|
||||
tasks:
|
||||
- include_role:
|
||||
name: evolix/amazon-ec2
|
||||
tasks_from: create-instance.yml
|
||||
```
|
||||
|
||||
See amazon-ec2-evolinux.yml for an almost ready-to-use playbook to set up
|
||||
Amazon EC2 instances running Evolinux.
|
|
@ -1,62 +0,0 @@
|
|||
---
|
||||
- name: Prepare Amazon EC2 instance
|
||||
hosts: localhost
|
||||
gather_facts: False
|
||||
|
||||
vars:
|
||||
aws_access_key:
|
||||
aws_secret_key:
|
||||
aws_region: ca-central-1
|
||||
|
||||
tasks:
|
||||
- include_role:
|
||||
name: evolix/amazon-ec2
|
||||
tasks_from: setup.yml
|
||||
- include_role:
|
||||
name: evolix/amazon-ec2
|
||||
tasks_from: create-instance.yml
|
||||
|
||||
- name: Install Evolinux
|
||||
hosts: launched-instances
|
||||
become: yes
|
||||
|
||||
vars_files:
|
||||
- 'vars/secrets.yml'
|
||||
|
||||
vars:
|
||||
admin_users: "{{ admin_users }}"
|
||||
minifirewall_trusted_ips: "{{ trusted_ips }}"
|
||||
fail2ban_ignore_ips: "{{ trusted_ips }}"
|
||||
evolinux_hostname:
|
||||
evolinux_domain:
|
||||
evolinux_fqdn:
|
||||
evolinux_internal_hostname:
|
||||
minifirewall_public_ports_tcp: [80, 443]
|
||||
minifirewall_public_ports_udp: []
|
||||
minifirewall_semipublic_ports_tcp: [22]
|
||||
nagios_nrpe_allowed_hosts: "{{ trusted_ips }}"
|
||||
|
||||
roles:
|
||||
- etc-git
|
||||
- evolinux-base
|
||||
- admin-users
|
||||
- munin
|
||||
- minifirewall
|
||||
- fail2ban
|
||||
- nagios-nrpe
|
||||
- listupgrade
|
||||
- evomaintenance
|
||||
- evocheck
|
||||
- packweb-apache
|
||||
- mysql
|
||||
|
||||
post_tasks:
|
||||
- include_role:
|
||||
name: evolix/etc-git
|
||||
tasks_from: commit.yml
|
||||
vars:
|
||||
commit_message: "Ansible post-run Evolinux playbook"
|
||||
|
||||
- include_role:
|
||||
name: evolix/evocheck
|
||||
tasks_from: exec.yml
|
|
@ -1,139 +0,0 @@
|
|||
---
|
||||
aws_region: ca-central-1
|
||||
ec2_public_ip: False
|
||||
ec2_instance_count: 1
|
||||
ec2_security_group: "{{ ec2_evolinux_security_group }}"
|
||||
ec2_base_ami: "{{ ec2_debian_base_ami[aws_region] }}"
|
||||
ec2_instance_type: t2.micro
|
||||
# Note: Do not try to put your ED25519 key here, AWS does not support it...
|
||||
ssh_pubkey_file: ~/.ssh/id_rsa.pub
|
||||
ec2_keyname: "{{ lookup('env', 'USER') }}"
|
||||
|
||||
# From https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch
|
||||
ec2_debian_base_ami:
|
||||
ap-northeast-1: ami-032dd665
|
||||
ap-northeast-2: ami-e174ac8f
|
||||
ap-south-1: ami-6e7a3e01
|
||||
ap-southeast-1: ami-41365b22
|
||||
ap-southeast-2: ami-51f61333
|
||||
ca-central-1: ami-18239d7c
|
||||
eu-central-1: ami-11bb0e7e
|
||||
eu-west-1: ami-d037cda9
|
||||
eu-west-2: ami-ece3f388
|
||||
sa-east-1: ami-a24635ce
|
||||
us-east-1: ami-ac5e55d7
|
||||
us-east-2: ami-9fbb98fa
|
||||
us-west-1: ami-560c3836
|
||||
us-west-2: ami-fa18f282
|
||||
|
||||
ec2_evolinux_security_group:
|
||||
name: evolinux-default
|
||||
description: Evolinux default security group
|
||||
rules:
|
||||
- proto: icmp
|
||||
cidr_ip: 0.0.0.0/0
|
||||
from_port: -1
|
||||
to_port: -1
|
||||
- proto: tcp
|
||||
from_port: 22
|
||||
to_port: 22
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 5666
|
||||
to_port: 5666
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 53
|
||||
to_port: 53
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: udp
|
||||
from_port: 53
|
||||
to_port: 53
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 389
|
||||
to_port: 389
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 636
|
||||
to_port: 636
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 143
|
||||
to_port: 143
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 993
|
||||
to_port: 993
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 110
|
||||
to_port: 110
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 995
|
||||
to_port: 995
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 25
|
||||
to_port: 25
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 80
|
||||
to_port: 80
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 443
|
||||
to_port: 443
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 21
|
||||
to_port: 21
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 20
|
||||
to_port: 20
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 5001
|
||||
to_port: 5001
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 465
|
||||
to_port: 465
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 587
|
||||
to_port: 587
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 8181
|
||||
to_port: 8181
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 8282
|
||||
to_port: 8282
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 9091
|
||||
to_port: 9091
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 2222
|
||||
to_port: 2222
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 22222
|
||||
to_port: 22222
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: tcp
|
||||
from_port: 2223
|
||||
to_port: 2223
|
||||
cidr_ip: 0.0.0.0/0
|
||||
- proto: udp
|
||||
from_port: 123
|
||||
to_port: 123
|
||||
cidr_ip: 0.0.0.0/0
|
||||
rules_egress:
|
||||
- proto: all
|
||||
cidr_ip: 0.0.0.0/0
|
|
@ -1,36 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Launch new instance(s)
|
||||
ec2:
|
||||
state: present
|
||||
aws_access_key: "{{aws_access_key}}"
|
||||
aws_secret_key: "{{aws_secret_key}}"
|
||||
region: "{{aws_region}}"
|
||||
image: "{{ec2_base_ami}}"
|
||||
instance_type: "{{ec2_instance_type}}"
|
||||
count: "{{ec2_instance_count}}"
|
||||
assign_public_ip: "{{ec2_public_ip}}"
|
||||
group: "{{ec2_security_group.name}}"
|
||||
key_name: "{{ec2_keyname}}"
|
||||
wait: yes
|
||||
register: ec2
|
||||
|
||||
- name: Add newly created instance(s) to inventory
|
||||
add_host:
|
||||
hostname: "{{item.public_dns_name}}"
|
||||
groupname: launched-instances
|
||||
ansible_user: admin
|
||||
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
|
||||
loop: "{{ec2.instances}}"
|
||||
|
||||
- debug:
|
||||
msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
|
||||
loop: "{{ec2.instances}}"
|
||||
|
||||
- name: Wait for SSH to come up on all instances (give up after 2m)
|
||||
wait_for:
|
||||
state: started
|
||||
host: "{{item.public_dns_name}}"
|
||||
port: 22
|
||||
timeout: 120
|
||||
loop: "{{ec2.instances}}"
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
- name: Remove admin user
|
||||
user:
|
||||
name: admin
|
||||
state: absent
|
|
@ -1,22 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Create default security group
|
||||
ec2_group:
|
||||
name: "{{ ec2_security_group.name }}"
|
||||
state: present
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
region: "{{ aws_region }}"
|
||||
description: "{{ ec2_security_group.description }}"
|
||||
rules: "{{ ec2_security_group.rules }}"
|
||||
rules_egress: "{{ ec2_security_group.rules_egress }}"
|
||||
|
||||
- name: Create key pair
|
||||
ec2_key:
|
||||
name: "{{ ec2_keyname }}"
|
||||
state: present
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
region: "{{ aws_region }}"
|
||||
key_material: "{{ item }}"
|
||||
with_file: "{{ ssh_pubkey_file }}"
|
11
ansible-managed/README.md
Normal file
11
ansible-managed/README.md
Normal file
|
@ -0,0 +1,11 @@
|
|||
# ansible-managed
|
||||
|
||||
Set some indications that the server is managed by Ansible and extra care yshould be given not no mess with it manually.
|
||||
|
||||
## Tasks
|
||||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
## Available variables
|
||||
|
||||
* `project_repository` : project URL for the repository.
|
2
ansible-managed/defaults/main.yml
Normal file
2
ansible-managed/defaults/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
project_repository: "/!\\ No repository set, contact Evolix"
|
6
ansible-managed/tasks/main.yml
Normal file
6
ansible-managed/tasks/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: Set message of the day
|
||||
template:
|
||||
src: motd.j2
|
||||
dest: /etc/motd
|
||||
force: yes
|
4
ansible-managed/templates/motd.j2
Normal file
4
ansible-managed/templates/motd.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
|
||||
SERVER MANAGED BY EVOLIX VIA ANSIBLE
|
||||
------------------------------------
|
||||
{{ project_repository | mandatory }}
|
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
- hosts: test-kitchen
|
||||
roles:
|
||||
- role: metricbeat
|
||||
- role: ansible-managed
|
|
@ -6,16 +6,13 @@ Install Apache
|
|||
|
||||
Everything is in the `tasks/main.yml` file for now.
|
||||
|
||||
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
|
||||
|
||||
## Available variables
|
||||
|
||||
Main variables are :
|
||||
|
||||
* `apache_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
||||
* `apache_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
|
||||
* `apache_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
||||
* `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
|
||||
* `apache_private_htpasswd_present` : list of users to have in the private htpasswd ;
|
||||
* `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
|
||||
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
@ -1,27 +1,14 @@
|
|||
---
|
||||
apache_default_ipaddr_whitelist_ips: []
|
||||
apache_additional_ipaddr_whitelist_ips: []
|
||||
apache_ipaddr_whitelist_present: "{{ apache_default_ipaddr_whitelist_ips | union(apache_additional_ipaddr_whitelist_ips) | unique }}"
|
||||
apache_ipaddr_whitelist_absent: []
|
||||
apache_private_ipaddr_whitelist_present: []
|
||||
apache_private_ipaddr_whitelist_absent: []
|
||||
|
||||
apache_private_htpasswd_present: []
|
||||
apache_private_htpasswd_absent: []
|
||||
|
||||
apache_default_redirect_url: "http://evolix.fr"
|
||||
apache_evolinux_default_enabled: True
|
||||
apache_evolinux_default_ssl_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
apache_evolinux_default_ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
|
||||
apache_serverstatus_host: 127.0.0.1
|
||||
apache_phpmyadmin_suffix: ""
|
||||
apache_serverstatus_suffix: ""
|
||||
apache_serverstatus_suffix_file: "/etc/evolinux/apache_serverstatus_suffix"
|
||||
|
||||
apache_log2mail_include: True
|
||||
apache_munin_include: True
|
||||
|
||||
general_alert_email: "root@localhost"
|
||||
log2mail_alert_email: Null
|
||||
|
||||
apache_logrotate_frequency: daily
|
||||
apache_logrotate_rotate: 365
|
||||
|
||||
apache_mpm: "itk"
|
|
@ -8,22 +8,3 @@ SetEnvIf User-Agent "^BadBot$" GoAway=1
|
|||
SetEnvIf User-Agent "Nutch" GoAway=1
|
||||
SetEnvIf User-Agent "ApacheBench" GoAway=1
|
||||
|
||||
# Uncomment for SSL strong security
|
||||
#<IfModule mod_ssl.c>
|
||||
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
#SSLProtocol All -SSLv2 -SSLv3
|
||||
#SSLHonorCipherOrder On
|
||||
#SSLCompression off
|
||||
#SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)
|
||||
#SSLSessionCacheTimeout 600
|
||||
## Stapling not activated by default. Need config.
|
||||
##SSLUseStapling on
|
||||
##SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)
|
||||
#</IfModule>
|
||||
|
||||
#<FilesMatch ".(eot|ttf|otf|woff)">
|
||||
# Header set Access-Control-Allow-Origin "*"
|
||||
#</FilesMatch>
|
||||
|
||||
# you need disable EnableCapabilities to use data on NFS mounts
|
||||
#EnableCapabilities off
|
||||
|
|
|
@ -3,68 +3,15 @@ Timeout 10
|
|||
KeepAliveTimeout 2
|
||||
MaxKeepAliveRequests 10
|
||||
#MaxClients 250
|
||||
|
||||
<IfModule mpm_prefork_module>
|
||||
MaxRequestWorkers 250
|
||||
ServerLimit 250
|
||||
StartServers 50
|
||||
MinSpareServers 20
|
||||
MaxSpareServers 30
|
||||
MaxRequestsPerChild 0
|
||||
</IfModule>
|
||||
|
||||
<IfModule mpm_worker_module>
|
||||
StartServers 3
|
||||
MinSpareThreads 25
|
||||
MaxSpareThreads 75
|
||||
ThreadLimit 64
|
||||
ThreadsPerChild 25
|
||||
MaxRequestWorkers 150
|
||||
MaxConnectionsPerChild 0
|
||||
</IfModule>
|
||||
|
||||
<IfModule mpm_itk_module>
|
||||
LimitUIDRange 0 6000
|
||||
LimitGIDRange 0 6000
|
||||
</IfModule>
|
||||
|
||||
<IfModule ssl_module>
|
||||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
|
||||
</IfModule>
|
||||
|
||||
<IfModule status_module>
|
||||
ExtendedStatus On
|
||||
<IfModule proxy_module>
|
||||
ProxyStatus On
|
||||
</IfModule>
|
||||
</IfModule>
|
||||
|
||||
|
||||
MaxRequestWorkers 250
|
||||
ServerLimit 250
|
||||
StartServers 50
|
||||
MinSpareServers 20
|
||||
MaxSpareServers 30
|
||||
MaxRequestsPerChild 0
|
||||
<Directory /home/>
|
||||
AllowOverride None
|
||||
Require all granted
|
||||
# "Require not env XXX" is not supported :(
|
||||
Deny from env=GoAway
|
||||
# "Require not env XXX" is not supported
|
||||
# Deny from env=GoAway
|
||||
</Directory>
|
||||
|
||||
<DirectoryMatch "/\.git">
|
||||
# We don't want to let the client know a file exist on the server,
|
||||
# so we return 404 "Not found" instead of 403 "Forbidden".
|
||||
Redirect 404
|
||||
</DirectoryMatch>
|
||||
|
||||
# File names starting with
|
||||
<FilesMatch "^\.(git|env)">
|
||||
Redirect 404
|
||||
</FilesMatch>
|
||||
|
||||
# File names ending with
|
||||
<FilesMatch "\.(inc|bak)$">
|
||||
Redirect 404
|
||||
</FilesMatch>
|
||||
|
||||
<LocationMatch "^/evolinux_fpm_status-.*">
|
||||
Require all denied
|
||||
</LocationMatch>
|
||||
|
||||
|
|
11
apache/files/evolinux-ssl.conf
Normal file
11
apache/files/evolinux-ssl.conf
Normal file
|
@ -0,0 +1,11 @@
|
|||
# Strong security.
|
||||
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
||||
SSLProtocol All -SSLv2 -SSLv3
|
||||
SSLHonorCipherOrder On
|
||||
SSLCompression off
|
||||
SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)
|
||||
SSLSessionCacheTimeout 600
|
||||
|
||||
# Stapling not activated by default. Need config.
|
||||
#SSLUseStapling on
|
||||
#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)
|
|
@ -1,22 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
DIR="/var/log/apache-status"
|
||||
URL="http://127.0.0.1/server-status"
|
||||
TS=$(date +%Y%m%d%H%M%S)
|
||||
FILE="${DIR}/${TS}.html"
|
||||
|
||||
if [ ! -d "${DIR}" ]; then
|
||||
mkdir -p "${DIR}"
|
||||
chown root:adm "${DIR}"
|
||||
chmod 750 "${DIR}"
|
||||
fi
|
||||
|
||||
wget -q -U "save_apache_status" -O "${FILE}" "${URL}"
|
||||
chmod 640 "${FILE}"
|
||||
chown root:adm "${FILE}"
|
||||
|
||||
find "${DIR}" -type f -mtime +1 -delete
|
||||
|
||||
exit 0
|
|
@ -8,8 +8,3 @@
|
|||
service:
|
||||
name: apache2
|
||||
state: reloaded
|
||||
|
||||
- name: restart munin-node
|
||||
service:
|
||||
name: munin-node
|
||||
state: restarted
|
||||
|
|
|
@ -1,24 +1,17 @@
|
|||
---
|
||||
galaxy_info:
|
||||
company: Evolix
|
||||
author: Evolix
|
||||
description: Installation and basic configuration of Apache
|
||||
|
||||
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
|
||||
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||
|
||||
license: GPLv2
|
||||
|
||||
min_ansible_version: "2.2"
|
||||
min_ansible_version: 2.2
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
|
||||
galaxy_tags: []
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
# to this list.
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
|
|
|
@ -1,27 +1,44 @@
|
|||
---
|
||||
|
||||
- name: Init ipaddr_whitelist.conf file
|
||||
- name: Init private_ipaddr_whitelist.conf file
|
||||
copy:
|
||||
src: ipaddr_whitelist.conf
|
||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
src: private_ipaddr_whitelist.conf
|
||||
dest: /etc/apache2/private_ipaddr_whitelist.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
force: no
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: Load IP whitelist task
|
||||
include: ip_whitelist.yml
|
||||
- name: add IP addresses to private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/apache2/private_ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: present
|
||||
with_items: "{{ apache_private_ipaddr_whitelist_present }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: remove IP addresses from private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/apache2/private_ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: absent
|
||||
with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: include private IP whitelist for server-status
|
||||
lineinfile:
|
||||
dest: /etc/apache2/mods-available/status.conf
|
||||
line: " include /etc/apache2/ipaddr_whitelist.conf"
|
||||
line: " include /etc/apache2/private_ipaddr_whitelist.conf"
|
||||
insertafter: 'SetHandler server-status'
|
||||
state: present
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: Copy private_htpasswd
|
||||
copy:
|
||||
|
@ -33,24 +50,24 @@
|
|||
force: no
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: add user:pwd to private htpasswd
|
||||
lineinfile:
|
||||
dest: /etc/apache2/private_htpasswd
|
||||
line: "{{ item }}"
|
||||
state: present
|
||||
loop: "{{ apache_private_htpasswd_present }}"
|
||||
with_items: "{{ apache_private_htpasswd_present }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: remove user:pwd from private htpasswd
|
||||
lineinfile:
|
||||
dest: /etc/apache2/private_htpasswd
|
||||
line: "{{ item }}"
|
||||
state: absent
|
||||
loop: "{{ apache_private_htpasswd_absent }}"
|
||||
with_items: "{{ apache_private_htpasswd_absent }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
|
||||
- name: add IP addresses to private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: present
|
||||
loop: "{{ apache_ipaddr_whitelist_present }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
- ips
|
||||
|
||||
- name: remove IP addresses from private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: absent
|
||||
loop: "{{ apache_ipaddr_whitelist_absent }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
- ips
|
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
|
||||
- name: log2mail is installed
|
||||
apt:
|
||||
name: log2mail
|
||||
state: present
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: Add log2mail config for Apache segfaults
|
||||
template:
|
||||
src: log2mail-apache.j2
|
||||
dest: "/etc/log2mail/config/apache"
|
||||
owner: log2mail
|
||||
group: adm
|
||||
mode: "0644"
|
||||
force: no
|
||||
tags:
|
||||
- apache
|
|
@ -1,70 +1,78 @@
|
|||
---
|
||||
|
||||
- name: packages are installed (Debian 9 or later)
|
||||
- name: Main packages are installed
|
||||
apt:
|
||||
name:
|
||||
- apache2
|
||||
- libapache2-mod-evasive
|
||||
- apachetop
|
||||
- libwww-perl
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- apache2
|
||||
tags:
|
||||
- apache
|
||||
- packages
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
- apache
|
||||
- packages
|
||||
|
||||
- name: itk package is installed if required (Debian 9 or later)
|
||||
- name: Install packages for Jessie
|
||||
apt:
|
||||
name:
|
||||
- libapache2-mpm-itk
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- apache2-mpm-prefork
|
||||
tags:
|
||||
- apache
|
||||
- packages
|
||||
when:
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
- apache_mpm == "itk"
|
||||
|
||||
- name: packages are installed (jessie)
|
||||
apt:
|
||||
name:
|
||||
- apache2-mpm-itk
|
||||
- libapache2-mod-evasive
|
||||
- apachetop
|
||||
- libwww-perl
|
||||
state: present
|
||||
tags:
|
||||
- apache
|
||||
- packages
|
||||
- apache
|
||||
- packages
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: basic modules are enabled
|
||||
apache2_module:
|
||||
- name: manually disable mpm_event
|
||||
command: a2dismod mpm_event
|
||||
register: cmd_disable_event
|
||||
changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout"
|
||||
notify: restart apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: manually enable mpm_prefork
|
||||
command: a2enmod mpm_prefork
|
||||
register: cmd_disable_prefork
|
||||
changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout"
|
||||
notify: restart apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
# With Ansible 2.2 the module check the config for conflicts
|
||||
# With 2.3 it can be disabled.
|
||||
# https://docs.ansible.com/ansible/apache2_module_module.html
|
||||
# - name: mpm_event modules is disabled
|
||||
# apache2_module:
|
||||
# name: '{{ item }}'
|
||||
# state: absent
|
||||
# with_items:
|
||||
# - mpm_event
|
||||
# tags:
|
||||
# - apache
|
||||
|
||||
- name: Additional packages are installed
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
loop:
|
||||
- rewrite
|
||||
- expires
|
||||
- headers
|
||||
- ssl
|
||||
- include
|
||||
- negotiation
|
||||
- alias
|
||||
notify: reload apache
|
||||
with_items:
|
||||
- apg
|
||||
- apachetop
|
||||
- libwww-perl
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
- packages
|
||||
|
||||
- name: basic modules are enabled
|
||||
apache2_module:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
loop:
|
||||
- cgi
|
||||
notify: reload apache
|
||||
when: apache_mpm == "prefork" or apache_mpm == "itk"
|
||||
with_items:
|
||||
- rewrite
|
||||
- expires
|
||||
- headers
|
||||
- cgi
|
||||
- ssl
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- apache
|
||||
|
||||
- name: Copy Apache defaults config file
|
||||
copy:
|
||||
|
@ -72,9 +80,8 @@
|
|||
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
@ -84,44 +91,44 @@
|
|||
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
mode: "0644"
|
||||
force: no
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: disable status.conf
|
||||
file:
|
||||
dest: /etc/apache2/mods-enabled/status.conf
|
||||
state: absent
|
||||
notify: reload apache
|
||||
- name: Copy Apache SSL (strong security) config file
|
||||
copy:
|
||||
src: evolinux-ssl.conf
|
||||
dest: "/etc/apache2/conf-available/evolinux-ssl.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: no
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: Ensure Apache config files are enabled
|
||||
command: "a2enconf {{ item }}"
|
||||
register: command_result
|
||||
changed_when: "'Enabling' in command_result.stderr"
|
||||
loop:
|
||||
- z-evolinux-defaults.conf
|
||||
- zzz-evolinux-custom.conf
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- include: auth.yml
|
||||
with_items:
|
||||
- z-evolinux-defaults.conf
|
||||
- zzz-evolinux-custom.conf
|
||||
- evolinux-ssl.conf
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- include: auth.yml
|
||||
|
||||
- name: default vhost is installed
|
||||
template:
|
||||
src: evolinux-default.conf.j2
|
||||
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||
mode: "0640"
|
||||
force: no
|
||||
# force: yes
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: default vhost is enabled
|
||||
file:
|
||||
|
@ -130,13 +137,9 @@
|
|||
state: link
|
||||
force: yes
|
||||
notify: reload apache
|
||||
when: apache_evolinux_default_enabled | bool
|
||||
when: apache_evolinux_default_enabled
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- include: server_status.yml
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: is umask already present?
|
||||
command: "grep -E '^umask ' /etc/apache2/envvars"
|
||||
|
@ -145,7 +148,7 @@
|
|||
register: envvar_grep_umask
|
||||
check_mode: no
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: Add a mark in envvars for umask
|
||||
blockinfile:
|
||||
|
@ -157,54 +160,33 @@
|
|||
umask 007
|
||||
when: envvar_grep_umask.rc != 0
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
- name: Stat /default index
|
||||
stat:
|
||||
path: /var/www/index.html
|
||||
register: _default_index
|
||||
check_mode: no
|
||||
tags:
|
||||
- apache
|
||||
- apache
|
||||
|
||||
- name: /usr/share/scripts exists
|
||||
file:
|
||||
dest: /usr/share/scripts
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
tags:
|
||||
- apache
|
||||
- include: phpmyadmin.yml
|
||||
when: _default_index.stat.exists
|
||||
|
||||
- name: "Install save_apache_status.sh"
|
||||
copy:
|
||||
src: save_apache_status.sh
|
||||
dest: /usr/share/scripts/save_apache_status.sh
|
||||
mode: "0755"
|
||||
force: no
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: "logrotate: {{ apache_logrotate_frequency }}"
|
||||
replace:
|
||||
dest: /etc/logrotate.d/apache2
|
||||
regexp: "(daily|weekly|monthly)"
|
||||
replace: "{{ apache_logrotate_frequency }}"
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: "logrotate: rotate {{ apache_logrotate_rotate }}"
|
||||
replace:
|
||||
dest: /etc/logrotate.d/apache2
|
||||
regexp: '^(\s+rotate) \d+$'
|
||||
replace: '\1 {{ apache_logrotate_rotate }}'
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- include: log2mail.yml
|
||||
when: apache_log2mail_include
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- include: munin.yml
|
||||
when: apache_munin_include | bool
|
||||
tags:
|
||||
- apache
|
||||
# - block:
|
||||
# - name: generate random string for serverstatus suffix
|
||||
# command: "apg -a 1 -M N -n 1"
|
||||
# changed_when: False
|
||||
# register: _random_serverstatus_suffix
|
||||
#
|
||||
# - name: overwrite apache_serverstatus_suffix
|
||||
# set_fact:
|
||||
# apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}"
|
||||
# when: apache_serverstatus_suffix == ""
|
||||
#
|
||||
# - name: replace server-status suffix in default site index
|
||||
# replace:
|
||||
# dest: /var/www/index.html
|
||||
# regexp: '__SERVERSTATUS_SUFFIX__'
|
||||
# replace: "{{ apache_serverstatus_suffix }}"
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "Install munin-node and core plugins packages"
|
||||
apt:
|
||||
name:
|
||||
- munin-node
|
||||
- munin-plugins-core
|
||||
state: present
|
||||
tags:
|
||||
- apache
|
||||
- munin
|
||||
|
||||
- name: "Enable Munin plugins"
|
||||
file:
|
||||
src: "/usr/share/munin/plugins/{{ item }}"
|
||||
dest: "/etc/munin/plugins/{{ item }}"
|
||||
state: link
|
||||
loop:
|
||||
- apache_accesses
|
||||
- apache_processes
|
||||
- apache_volume
|
||||
notify: restart munin-node
|
||||
tags:
|
||||
- apache
|
||||
- munin
|
||||
|
||||
- name: "Install fcgi packages for Munin graphs"
|
||||
apt:
|
||||
name:
|
||||
- libapache2-mod-fcgid
|
||||
- libcgi-fast-perl
|
||||
state: present
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
- munin
|
||||
|
||||
- name: "Enable libapache2-mod-fcgid"
|
||||
command: a2enmod fcgid
|
||||
register: cmd_enable_fcgid
|
||||
changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
|
||||
notify: restart apache
|
||||
tags:
|
||||
- apache
|
||||
- munin
|
||||
|
||||
- name: "Apache has access to /var/log/munin/"
|
||||
file:
|
||||
path: /var/log/munin/
|
||||
group: www-data
|
||||
tags:
|
||||
- apache
|
||||
- munin
|
24
apache/tasks/phpmyadmin.yml
Normal file
24
apache/tasks/phpmyadmin.yml
Normal file
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
|
||||
- block:
|
||||
- name: generate random string for phpmyadmin suffix
|
||||
command: "apg -a 1 -M N -n 1"
|
||||
changed_when: False
|
||||
register: _random_phpmyadmin_suffix
|
||||
|
||||
- name: overwrite apache_phpmyadmin_suffix
|
||||
set_fact:
|
||||
apache_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}"
|
||||
when: apache_phpmyadmin_suffix == ""
|
||||
tags:
|
||||
- apache
|
||||
- phpmyadmin
|
||||
|
||||
- name: replace phpmyadmin suffix in default site index
|
||||
replace:
|
||||
dest: /var/www/index.html
|
||||
regexp: '__PHPMYADMIN_SUFFIX__'
|
||||
replace: "{{ apache_phpmyadmin_suffix }}"
|
||||
tags:
|
||||
- apache
|
||||
- phpmyadmin
|
|
@ -1,70 +0,0 @@
|
|||
---
|
||||
|
||||
- name: server status dirname exists
|
||||
file:
|
||||
dest: "{{ apache_serverstatus_suffix_file | dirname }}"
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
|
||||
- name: set apache serverstatus suffix if provided
|
||||
copy:
|
||||
dest: "{{ apache_serverstatus_suffix_file }}"
|
||||
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
||||
content: "{{ apache_serverstatus_suffix }}\u000A"
|
||||
force: yes
|
||||
when: apache_serverstatus_suffix | length > 0
|
||||
|
||||
- name: generate random string for server-status suffix
|
||||
shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
|
||||
args:
|
||||
creates: "{{ apache_serverstatus_suffix_file }}"
|
||||
|
||||
- name: read apache server status suffix
|
||||
command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: new_apache_serverstatus_suffix
|
||||
|
||||
- name: overwrite apache_serverstatus_suffix
|
||||
set_fact:
|
||||
apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
|
||||
|
||||
- debug:
|
||||
var: apache_serverstatus_suffix
|
||||
verbosity: 1
|
||||
|
||||
- name: replace server-status suffix in default site index
|
||||
replace:
|
||||
dest: /var/www/index.html
|
||||
regexp: '__SERVERSTATUS_SUFFIX__'
|
||||
replace: "{{ apache_serverstatus_suffix }}"
|
||||
|
||||
- name: add server-status suffix in default site index if missing
|
||||
replace:
|
||||
dest: /var/www/index.html
|
||||
regexp: '"/server-status-?"'
|
||||
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
|
||||
|
||||
- name: add server-status suffix in default VHost
|
||||
replace:
|
||||
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||
regexp: '<Location /server-status-?>'
|
||||
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
|
||||
notify: reload apache
|
||||
|
||||
- name: Munin configuration has a section for apache
|
||||
lineinfile:
|
||||
dest: /etc/munin/plugin-conf.d/munin-node
|
||||
line: "[apache_*]"
|
||||
create: no
|
||||
|
||||
- name: apache-status URL is configured for Munin
|
||||
lineinfile:
|
||||
dest: /etc/munin/plugin-conf.d/munin-node
|
||||
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
|
||||
regexp: 'env.url http://[^\\/]+/server-status'
|
||||
insertafter: "[apache_*]"
|
||||
create: no
|
||||
notify: restart munin-node
|
|
@ -1,141 +1,61 @@
|
|||
<VirtualHost *:80>
|
||||
ServerName {{ ansible_fqdn }}
|
||||
#ServerAlias {{ ansible_fqdn }}
|
||||
ServerAdmin webmaster@localhost
|
||||
|
||||
RewriteEngine on
|
||||
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
|
||||
# RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
|
||||
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName {{ ansible_fqdn }}
|
||||
ServerAdmin webmaster@localhost
|
||||
|
||||
DocumentRoot /var/www/
|
||||
|
||||
<Directory />
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
SSLEngine on
|
||||
SSLCertificateFile {{ apache_evolinux_default_ssl_cert }}
|
||||
SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}
|
||||
# SSLProtocol all -SSLv2 -SSLv3
|
||||
|
||||
<Directory /var/www/>
|
||||
Options -Indexes
|
||||
Options +Indexes +FollowSymLinks +MultiViews
|
||||
AllowOverride None
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
|
||||
# Munin. We need to set Directory directive as Alias take precedence.
|
||||
Alias /munin /var/cache/munin/www
|
||||
<Directory /var/cache/munin/>
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
<Directory /var/cache/munin/www/>
|
||||
Options +Indexes +FollowSymLinks +MultiViews
|
||||
AllowOverride None
|
||||
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
# munin-cgi-graph, used for zooming on graphs.
|
||||
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
|
||||
<Location /munin-cgi/munin-cgi-graph>
|
||||
Options +ExecCGI
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
|
||||
<Location /munin_opcache.php>
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Location>
|
||||
|
||||
# For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
|
||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||
<Directory /usr/lib/cgi-bin>
|
||||
<Directory "/usr/lib/cgi-bin">
|
||||
AllowOverride None
|
||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
|
||||
#ErrorDocument 403 {{ apache_default_redirect_url }}
|
||||
|
||||
CustomLog /var/log/apache2/access.log vhost_combined
|
||||
ErrorLog /var/log/apache2/error.log
|
||||
LogLevel warn
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
RewriteEngine on
|
||||
# Redirect to HTTPS, execpt for munin, because some plugins
|
||||
# can't handle HTTPS! :(
|
||||
RewriteCond %{REQUEST_URI} !^/.well-known.*$ [NC] [OR]
|
||||
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
|
||||
RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
|
||||
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
|
||||
</IfModule>
|
||||
Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/
|
||||
IncludeOptional /etc/apache2/conf-available/phpmyadmin*
|
||||
|
||||
<Location /munin_opcache.php>
|
||||
Require local
|
||||
</Location>
|
||||
|
||||
<IfModule mod_status.c>
|
||||
<Location /server-status-{{ apache_serverstatus_suffix | mandatory }}>
|
||||
SetHandler server-status
|
||||
include /etc/apache2/ipaddr_whitelist.conf
|
||||
Require local
|
||||
</Location>
|
||||
</IfModule>
|
||||
|
||||
<IfModule security2_module>
|
||||
SecRuleEngine Off
|
||||
</IfModule>
|
||||
<Files ~ "\.(inc|bak)$">
|
||||
Require all denied
|
||||
</Files>
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
<VirtualHost *:443>
|
||||
ServerName {{ ansible_fqdn }}
|
||||
#ServerAlias {{ ansible_fqdn }}
|
||||
|
||||
DocumentRoot /var/www/
|
||||
|
||||
# We override these 2 Directory directives setted in apache2.conf.
|
||||
# We want no access except from allowed IP address.
|
||||
<Directory />
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
<Directory /var/www/>
|
||||
Options -Indexes
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
|
||||
SSLEngine on
|
||||
SSLCertificateFile {{ apache_evolinux_default_ssl_cert }}
|
||||
SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}
|
||||
|
||||
# Munin. We need to set Directory directive as Alias take precedence.
|
||||
Alias /munin /var/cache/munin/www
|
||||
<Directory /var/cache/munin/>
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
<Directory /usr/lib/munin/cgi/>
|
||||
Options -Indexes
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
|
||||
# For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
|
||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||
<Directory /usr/lib/cgi-bin>
|
||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
|
||||
<Location /munin-cgi/munin-cgi-graph>
|
||||
Options +ExecCGI
|
||||
<IfModule mod_fcgid.c>
|
||||
SetHandler fcgid-script
|
||||
</IfModule>
|
||||
Require all denied
|
||||
Include /etc/apache2/ipaddr_whitelist.conf
|
||||
</Location>
|
||||
|
||||
# BEGIN phpMyAdmin section
|
||||
# END phpMyAdmin section
|
||||
|
||||
CustomLog /var/log/apache2/access.log vhost_combined
|
||||
ErrorLog /var/log/apache2/error.log
|
||||
LogLevel warn
|
||||
|
||||
<IfModule mod_status.c>
|
||||
<Location /server-status-{{ apache_serverstatus_suffix | mandatory }}>
|
||||
SetHandler server-status
|
||||
include /etc/apache2/ipaddr_whitelist.conf
|
||||
Require local
|
||||
</Location>
|
||||
</IfModule>
|
||||
|
||||
<IfModule security2_module>
|
||||
SecRuleEngine Off
|
||||
</IfModule>
|
||||
|
||||
</VirtualHost>
|
||||
</IfModule>
|
||||
|
|
|
@ -7,20 +7,15 @@ A few APT related operations, like easily install backports of change components
|
|||
Tasks are extracted in several files, included in `tasks/main.yml` :
|
||||
|
||||
* `backports.yml` : add a sources list for backports ;
|
||||
* `basics_components.yml` : replace components for the basic sources ;
|
||||
* `hold_packages.yml` : install script to automatically hold packages.
|
||||
* `basics_components.yml` : replace components for the basic sources.
|
||||
|
||||
## Available variables
|
||||
|
||||
* `apt_config` : customize apt configuration (default: `True`) ;
|
||||
* `apt_install_basics` : change basic sources components (default: `True`) ;
|
||||
* `apt_basics_components` : basic sources components (default: `main`) ;
|
||||
* `apt_install_backports` : install backports sources (default: `False`) ;
|
||||
* `apt_backports_components` : backports sources (default: `main`) ;
|
||||
* `apt_install_evolix_public` : install Evolix public repositories (default: `True`) ;
|
||||
* `apt_install_hold_packages` : install script to automatically hold packages (default: `True`).
|
||||
* `apt_hold_packages`: list of packages that must have a "hold" mark (default: `[]`)
|
||||
* `apt_unhold_packages`: list of packages that must not have a "hold" mark (default: `[]`)
|
||||
* `apt_install_evolix_public` : install Evolix public repositories (default: `True`).
|
||||
|
||||
## Examples
|
||||
|
||||
|
|
|
@ -1,10 +1,3 @@
|
|||
---
|
||||
apt_config: True
|
||||
apt_evolinux_config: True
|
||||
apt_hooks: True
|
||||
apt_remove_aptitude: True
|
||||
apt_upgrade: False
|
||||
|
||||
apt_install_basics: True
|
||||
apt_basics_components: "main"
|
||||
|
||||
|
@ -12,16 +5,3 @@ apt_install_backports: False
|
|||
apt_backports_components: "main"
|
||||
|
||||
apt_install_evolix_public: True
|
||||
|
||||
apt_clean_gandi_sourceslist: False
|
||||
|
||||
apt_install_hold_packages: True
|
||||
|
||||
apt_hold_packages: []
|
||||
apt_unhold_packages: []
|
||||
|
||||
apt_check_hold_cron_minute: "45"
|
||||
apt_check_hold_cron_hour: "*/4"
|
||||
apt_check_hold_cron_weekday: "*"
|
||||
apt_check_hold_cron_day: "*"
|
||||
apt_check_hold_cron_month: "*"
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
Package: *
|
||||
Pin: release a=bullseye-backports
|
||||
Pin-Priority: 50
|
|
@ -1,3 +0,0 @@
|
|||
Package: *
|
||||
Pin: release a=buster-backports
|
||||
Pin-Priority: 50
|
|
@ -1,37 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
is_held() {
|
||||
package=$1
|
||||
apt-mark showhold ${package} | grep --silent ${package}
|
||||
}
|
||||
|
||||
is_installed() {
|
||||
package=$1
|
||||
dpkg -l "${package}" 2>/dev/null | grep -q -E '^(i|h)i'
|
||||
}
|
||||
|
||||
config_file="/etc/evolinux/apt_hold_packages.cf"
|
||||
return_code=0
|
||||
|
||||
if [ -f ${config_file} ]; then
|
||||
packages="$(cat ${config_file})"
|
||||
|
||||
if [ -n "${packages}" ]; then
|
||||
for package in ${packages}; do
|
||||
if [ -n "${package}" ]; then
|
||||
if is_installed ${package} && ! is_held ${package}; then
|
||||
apt-mark hold ${package}
|
||||
msg="Package \`${package}' has been marked \`hold'."
|
||||
>&2 echo "${msg}"
|
||||
wall_bin=$(command -v wall)
|
||||
if [ -n "${wall_bin}" ]; then
|
||||
"${wall_bin}" --timeout 5 "${msg}"
|
||||
fi
|
||||
return_code=1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
exit ${return_code}
|
|
@ -1,920 +0,0 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: SKS 1.1.6
|
||||
Comment: Hostname: keyserver.ubuntu.com
|
||||
|
||||
mQINBEoHZ5kBEAC680PjynWTcP3ZtVfWWL6zQAcD8JoC+c5MbnpFScqtBc2MdlVZu6zED+B5
|
||||
sw2SSLf1EZlfbTPc3GcWTwdiXj2GQKzjMra1MZKUnVOD/uMVkj0ZTszUQziW01O9sWPhxbMu
|
||||
Qr7OD04jQ7TjtBBEJD+yf0HJsDVC7TCbpcNNtmhXByXqw7bgo0rzxeOB3hL88I7AcC7ve5iR
|
||||
xwXoXJYs1hgJMPmZXJmhKb0a3pVk075yMsXnxlOqM7XBk++zodDR03Ym21GLFOu+3DLTX9aC
|
||||
aU/AjXb/udtEBAHv+iVxZChzka/KkYMY+KX8A7niE/UN2PIfhWDTmLLcTyBAOuis6cUqDm2a
|
||||
w0IbXh359dfBbgV4/QLoafcM841W47Menp9tb0Qz1uHYwV6jjDEmbpGgEJRGIqd143j/zGBP
|
||||
xffmtPq1zn/QFVBQNltLiMyclAR1Yb4fksDkt8JGmvI+FwaHdx3dn1VU0hbdYR/5CHtsxN4V
|
||||
P/juUOrjbagp5zBBXLlVIVceGoD0mNkNWPyZh8C3SHg2Y+Q7t+cz4xysQN5BUHL4DX6nEIJA
|
||||
u0cZdBtr8dtkJToYlhSFaLFwZh/XmOgOndSNmeJz4ll29Xc3V2/hCQlllHXux5E79rRNRKK/
|
||||
rSydUzYir755udPWw18+6mPUzT6NDaVDDAwSOLOn99OUJt6bBQARAQABtB9HcmVnb3J5IENv
|
||||
bHBhcnQgPHJlZ0Bldm9saXguY2E+iQI3BBMBCAAhBQJWEagEAhsDBQsJCAcDBRUKCQgLBRYC
|
||||
AwEAAh4BAheAAAoJEESXUni4YStdYDAQAKuwOHT+wDS6vL6Xqp/59eKLaB02lTQuTDFq55K4
|
||||
dK9TNYOTmPoxvgeJigT3pHHfKQFS/wwigkOfv8VebBZAcjY03N+Joau1Vi+Er2VNR5Pt0jAf
|
||||
ApwZqe+8NMAfefculZvO0g91g2lcqJoMUIaUemAqOD/CoAMMXGQSNlX4BLsI7dbvkLLjbPSa
|
||||
wEODAMvuSLilI38dj7wBC30IAOQkOdkB34I/eL/sGruOxYSK7UFJfNU1aD2oQhTkYEQ5cgNK
|
||||
vE325fOx7m/sZ5aAlNvtZ3jS4ym45feT9xrbG2qHTbJiVAhdtfHMXGOU6/0UHJ3+YHHdzZhu
|
||||
0NCWinu18nDVeDWLmkqkZd77QtTpC/zw5s3+t8lpyqUAF+bN80ZHbB47bFphIupmWGDP2ihM
|
||||
NBWBwwFZb7ry27mLyyXKVOFWrYZPrdlNheEjUP7x0GzEO0kuxYO4fyTic5lu594hxwt/LWV1
|
||||
s48SV95dXqpQIRroV8ePZoJxlD4hXh1x23AgkWgG+SS3perIGypmouOdl9CQ3yAYSCfcTKw2
|
||||
dOWOxGubseyBWw3EDlWKZLkrqbBGxfBz8XJ92iCJ27rRhtpd6XEbqhRfPR9TGTliIfaruTLp
|
||||
MPrKZh74Hs7LAhHo0nkwcOoE/iYHhQpNXHMnj0hqMcwzzf6MlSrgJ/VPgQ721d5nTwrjtCBH
|
||||
cmVnb3J5IENvbHBhcnQgPHJlZ0BkZWJpYW4ub3JnPohGBBARAgAGBQJMa+/FAAoJENXKmwTy
|
||||
xCO8ggsAnAzhqo1IQ+3qwCWD9ifx4niyPiAFAKCo1ou0sB38EuQXnWCyp1ajblx37ohGBBAR
|
||||
AgAGBQJQn+UPAAoJEHDzXiRtUx5z2B0An3U1rm/gCkoWtAcsC/IYQ2hMVaMDAJ9ddV8IywsM
|
||||
vnKJ35rfg1PLT4KNFohGBBARCAAGBQJKB3HmAAoJEDIXXA3BAnoOiOgAn2tHyIuAGEY2ctJC
|
||||
yM+C7hmyMNMKAJ9asA/uRkG4wiJwEP8DCnNB7Obfq4hGBBARCAAGBQJMXHEgAAoJEOFVF/Ir
|
||||
CSDAnq0An2xcCMh6H6vIT9rmbxHgGbc8VfTEAKCopbM+QMAGQvOROMfqWJhiCB0fHIhGBBAR
|
||||
CAAGBQJMXT8rAAoJENTl7azAFD0tTz4AmwaE8zBHaUWbUnsYwWXqxavmf8BCAKC1hL9GKk60
|
||||
yXTEW1W1QUm8jIYILIhGBBARCAAGBQJMXzSgAAoJEPmF40AK/HR2eqoAni/Hvg2M4e4vrju5
|
||||
wPT+dONsA9/vAKC1X1c4YL1XiJ0fXpT02U13r9e8AIhGBBARCAAGBQJMZ0yhAAoJEJ94+Dzo
|
||||
xDRhLFYAnihJShfS/zRoG7iTNhgwqyLxGqczAJ0WIP7yfVZbP1N5oe6LwhQsZ1BdVohGBBAR
|
||||
CgAGBQJMXlHCAAoJENoZYjcCOz9Pjd8AoMdNUjbpkScdndClI4EqT7tn6PI/AJ9Luiw8fIEs
|
||||
iD5yM8NOkdykX1LPyYkBHAQTAQgABgUCSttnewAKCRAtDVq4fCU9UlJJCACTQKre8pA3ud/V
|
||||
esa7/TmJI1S1cVWj8FlS/gatvLJndd90i50p9uGm1yA4g8iwMnGdcIWCuRfBlhjUnUJnTX4B
|
||||
QdnUU6HCv9RQ/OlJ99k7vNhswtgoEGQWq1mH1opSviZ3xhMwFTiXISQ12i4TiGSiUfbXItzq
|
||||
yxOf/gtjAMGrfnNB4MUYPrHL/lSMs24evYFR5DgOKDwVE3vVY2Wf2ytWKZJQNvKcm7sxIxKq
|
||||
W3OlW4wzG2IMxMSTl6SHYOqIhRGS9xAj9hpIfD5XzZjl/iHmMZMcuRA1LPxQjqdZ5CeF391P
|
||||
p6vEobkSyX0LyDvqcvy//VHn0l8cRuyEmgrTpdmTiQGcBBABCAAGBQJMdo7oAAoJECI64FW9
|
||||
lOFUIpkMAJ/obi1HblArRgKmxiCIMD2/nTcj/ML3tL9HfZ8bpWZ6YJIUsFRcmHCVWaOaCBMJ
|
||||
omiICZbcot3v7/1p0D/AE57i0IFPZpXXu4utC8B70JjWaMJT22kVi3hvhrChxlZYNZlkXr8G
|
||||
mKhGJpzEfVlg3hp26jbj3jEEGmjJlii7uuSrV1VJjyZaDfTNbgXMbUL/3sISsKODINCLlgCG
|
||||
iVqa6Xc8bIo54zQ1Rx30Ijn/6ElFvBMSdZPu4wQ9hKrJGhrqY9FZ/U0xfaawEzxbmdZKDxVO
|
||||
Xdd/qD3lNAi8Jg6m6qQO9/A4c/Ln80ll8St6MrfLwJ58QRWawTQcl8wSTxouC/ag85VwW1lX
|
||||
FfnulWVjqRAY41gVY2SaBb78A8pwuwy+ixBWGqAyGRVjahNj/uznD3kwQh1DUwjyDe9lV0TV
|
||||
5IpQy4YfXjkukwt8kVvQUL/p9w3/gmPZ2lXBuEgMT/NKZWKszgp/JZ45qDUD8hgPlK9bICRm
|
||||
iQ1KjcAV3mh6dYLwJ4kBnAQTAQIABgUCUipIgwAKCRDvc+baWDa4Gqa8C/9aWvMONUnoDGjS
|
||||
H6gIsnJn0pGQ4zx/SU+Bt8MG0SPbtv8Zu1twofiX7xSV8p7/RmESaQyjbzOD9mMvXwl5mF2N
|
||||
q8IbDhvJmEcCCgVolhM1g1YtF8uM/Az74tNLmI8gsIiX/Er8045jMANp+UozOLvrzx9NpVBj
|
||||
InDRhXt5ZF4YeMdB44cZL2OH8juSbpZAPFAi3Lm39gSMj3eUiUavT6r0Ok7AC3qMiaTvvtb1
|
||||
VU5vl/CcevaFE0DfZQ3+1iXsshnUu6ql2NvFPSn0tR1S8Ekk8NfItbAGComC4BF71MXxY9Af
|
||||
RW21ROLzRR5Szm93E5DirjTC+vfxQYwEmemn9v8KWxMlmFTu08GbBhi54bBb0iuaRc9lf5E2
|
||||
dixJqLU4JVUPxjOk6tFvQHtZQRj7e5fu/lusZ++WKXnZsH0AiRekbN/j1Qh65aDi17w0ebXX
|
||||
lsKc1kqryHNTq4PBrhrKbNBa+tlFDcmn3yUReIxfcZ1Bm3N6PxNiQSxx9Wf6LL/1rPuJAhwE
|
||||
EAECAAYFAkxccZ8ACgkQ8aab5CnA/+7HvQ//dhkVGegUq2TyePOTWBxK7EyLVEZEBr2HXa+y
|
||||
Xqg2i8Fdou5smHNEd0q8dz9oMBEWcZtRYmGKzinGcmxzArdmVyXV4fEkUab9zfL8g6dGxo+N
|
||||
wqoHt9DteuJEURwakSJ7oDW+DlfzxMJ924sg5cuUtqcnZwy73a58Y5fkPaZVf+/HrkadZT3f
|
||||
7fM8pb7JgJSRhgmdi3MfbUQcDgbZ604MifdEVIbXX56ex/9OuthbQ3lp6jHsvHcXPG5qt9th
|
||||
RXkztoyKcArSimHcOFrLqWAQsF8u8PIYNaTKyJO8uRDYjMGcJQv6B8HqV2eiLCZtIEdcoWev
|
||||
Y/oeflGDh0PbGpswAiQzoSxjvVdPgPUTqNnsl/eWvup4govByKV4y8dxgyM5a68a2N2t4ki2
|
||||
TwVu8LpCRzuiin0EvgkM4jKSFU/KPiZemdLq31D6o0dQorx+Im31XWv/H8XoI2jGbNeMVWHq
|
||||
5WumzPhTfgFVajQEc94Te29vea9OV+mlgIDuTzqLD2Je5G6BDqu5EmTlO5sPDJAwM1c2ckJb
|
||||
fHjtUih3Vw2B339NqF+aneOX9MH4blAlX2V5vuz0xtmEcd7Dy6wKjzmX1Tcec4VjDDgtCoH7
|
||||
vWzCeQmlWLzf1tF9keUvRn7eUktyAqozvNdE4fs6+3igdFKoI1RHNkFO45AuFe1goN+uDFOJ
|
||||
AhwEEAECAAYFAkxgK4sACgkQHnWacmqf3XRTUBAAtb4DXxkzn14Qo9JME9KfZ3QA1ZfoNffR
|
||||
PgxHkLX3q/KzGvbQYQc86kh6b/19aV1ahcUBrpABOkV/0k6tASrs9N6V6KBcIQbJwRETyWU6
|
||||
G/rG47h+4fWIMew5XwCzUzvqAD5GDp2XfivDQuVt1Ta2WcEAmKVYNlHYowpnEqxvLNSSbXuX
|
||||
Afe+OK4XxaFr7i4zr8zS6S7NRigAdENCt2Mr4slo0ldnRn6uQ57ixfs23g8LO4/89zW+GxKG
|
||||
PPUQbo9epE4hCewTAyWwrpVz9NxrodvDL6D1W7kY6caiOd5tArNKpwF/GCH/vsGPU3NsFISI
|
||||
+P8GJUwtmM/47xgcteHthx2yC0HUArTV0w4+PnAaelpxzAyqd3KxLLUNJ3vjv3xpwV3eGWSG
|
||||
zd3UZ4AYTJmSlbgzuJzQIwwyxHsA7ypUUsbdrsoQaTkACUOsHO1l/oT4P+z3/tWPuXqUmO+D
|
||||
Ly/pBiCRrV7c4cHMzud/dKBXuAK/gS7VD4Is+K8/srdEJTrPB88zleiLOdffymHtCAmZPn93
|
||||
bvPXUcJk1PiNQYRwQIuIjHJbbZL8rxqVo4NCmi2HwjqMaow4GLEPSEdqEu83LpSU0Ts0BJvF
|
||||
/6UTUEs04zDjSXpAGrPhWoom2jxUllAJq5Aek+f662dZpxVLxzMHWrLly7Fb1WPLbCrWhqIl
|
||||
k+SJAhwEEAECAAYFAkxgNzgACgkQ14hMRxjhj0QJqg/+LKFGM1orBnYv+DZeVGbcPrBJVkeK
|
||||
nAVgX+HpIo9uY7F6rRMZU8BHmxqM66k/tPwwrVzrgrLScK6spQTUjxKbjGkktT+LPVdFdB9F
|
||||
2QdEYCwX1AB+0InLVtrXF/yFFTqlxxgLCRamRziO6w/1QDFMsDdNbIgxErjMb7d0MqRFNlvR
|
||||
fO/ElovAPWlf+4zA0xiCRVbV3tbNl1/ILh41C8gc1VoTYdmUP7W3F6xCpy4MirSkY8LLDcax
|
||||
wF9blsfc+gj8mW5yegBZnEoZchasl1thZ7Jt05tMkcEFTVYMfeReo/5Ww/dEpSfhjhryq5MH
|
||||
0sSBT/1YGwbdgBRVzmocrWtQJ9i22MY3RboKNeAFs/wx9L38z570rOdemtfuXzKmI8jlcfQI
|
||||
BIrE0p1zHE0OzgdfAI/uiJMZ3dRZJXsr8iVWuER97QqYZZkgDMaSHxvuKcNKQol9AbnDWbpl
|
||||
q0J7CBo5si41rXpUIb/18FydC3k2KzjkCAaZs7VUCguWU/YKVw68kfrksJB0gIGqh66wYda9
|
||||
dpJVmjVNTR5bWbo8//ZHQXFfGccWoRImEZ7dD4xKTl1B1ihmgad0H7Bynd0IiORVs5zbdbIE
|
||||
FCwnMjjB5nr4teU0wq20H8CaR36Rw38KgRrcJdSrJVDrmg+A4PPsW3aA1K3oCvREoR2+p322
|
||||
8j2c0pyJAhwEEAECAAYFAkxljxgACgkQE8C1Zno4sLCijQ//VodIvktCD/rmvxmbby+tjTFp
|
||||
yNPRgiIdLyXU0Wfoi0TqzLsATfOluWVpJqSqIQ36g0wYc9T8BemqcBepDhj5e9NpYe4oq5kF
|
||||
IxIJHzH5jHSM32vPVxJU4PzYcZzAMEVWCEBx0CHgW2cYc/Sq+YNq8Y/c69R8WNjse0qOZP7g
|
||||
zTInr4JqL181TVvGHt9Ak4KNakxEVLXGIXVSV9QDDGCpYMkfpEy7pwvtV68DFVj2nHHetzCp
|
||||
3gYi90nsVvk3t8iowNUTlKkxnj4dZ2lFMJfZBBeNev31JLkhyqExUoBzZMDmW+c58nye8Ode
|
||||
hXnvZ9nc0pe2Z6XWLuraYDqNDKGMWsOTG8gCPVrZL5BtHr4Qh5uuAwT44PzkdPCdw9NaHw1n
|
||||
0s47Uuailgg+ZuZgFXxNcRD5A93Ovl6/skln7KyTr+kJ6BsDcdWzcXpgQ62/3ayxgaOEZlKE
|
||||
VLJsngKhcjlINiIXc6t0AVZhAlgLrLAvi1G19ISqNPNBRGUWeCYjC++RCaC7i/vAFWIQOTLA
|
||||
NfCtzwhF+kopF2tmmt0ubapaH2CycmWLr0EIvPUIJ7GAW6tkjjv8tfkn2VtT59+gE1WmwR4q
|
||||
55XkJ8zbX9tJx62w84zkQA6nMnbBQ9nfWY1eThRk5IOXKElyk8cNIZlqIPPH8RVP/Ng9Pjj4
|
||||
+vSOAjkT8LyJAhwEEAECAAYFAkxmx/gACgkQHAH0Q8nJPFo1uw/+Nu1AJqt6ifpA/EaWoDnU
|
||||
9hSYcpVq3mGivwEE08U5/2trXl5fcAe8qvdPB8JIYRROTLSUIsTkERftzxMzsCIb+iMj7bKx
|
||||
5Ip18GSmTOcJU32hin/l/DZlDxB9/bo8LqCurbpEDeZ84zV//F6AqMc0mUyxhdVA/y8gEp6x
|
||||
YNnVHU+AmIxzHkE4n+Rrc6JdGUODOL4iZcewBl2IKcYzRzcELIFMzjnSNbA/uxKE9g1kTa0F
|
||||
QUTTpy/y5f36ykfWWdrz9OZFR81/UlZ//gv+sr1UHs6uMs0QayF2QJW4iF0KX4IQWCcbSRyn
|
||||
iHuOzpmJuTFu0KNmU2cfRFLgyer80glsqicj0MwI9shdtpp2+ulfi2itC/gGM00cynt2WP3d
|
||||
arrohFDOwCuAVWjp5dtENk8LNCK2aYEXlHiW10kaGi9k67AVfrV55p8WVTWcpT9oQ76wafnp
|
||||
jUb6XPou4DM0Z5ItJqvDQv8823b5BCnMeyG61x9qCTMhGMEzDLFFkXalViQtIjsS0tzF+S1I
|
||||
B+dVVvCC0tMnPWoyyqYNqtC0rIS0I+89uQuDD/4jAf6hL7sKLUzdLs8NByjQoV9nIaXEHzp7
|
||||
jBlgAZgx2SX+eK8wF/Lo4d0a0jddX8PRZEjkx0HOhaYcW59tui/ZXr2UDwlTTuyfsSpo35K0
|
||||
+VdJ+mtz8gHZ2lCJAhwEEAECAAYFAkx25QoACgkQryKDqnbirHtS6w//Xt2HPPu9r9Lp4Z7C
|
||||
U1EtWEDzBHZoiYrX8GBjfx7XJqX0kJWAXTHoN9HtGDwCil2bTb3WwopNrFUShR2yEs2Tbo8I
|
||||
j1n4veQxx5japTb9b3gwh/8lRRPCfF++jn9q6927D+0jJde7hx3G/o0OoJP2H04kEM5wrzup
|
||||
1nOkH/L5+bFerw4eYir+hl0oVfrnK40RKSnzy+6sD+FCFwLipOofDX+qVp1VguzwkfAwLTSD
|
||||
PVxsjfvxKdRCj49RbI0Q1svMu8iS0Hu+i6e+pPVgvy2Bh9iPQiPNaGG9IeHy5mnq9T8yxKd3
|
||||
KY0mj6ipuHm3c1HPJln5bFlt1K6mrysbZtxafo+O6XeIUoRNqKi9eyA9udgIdHPuMAypsYFq
|
||||
M1Pn7TLdSnRCyuhG0UFlr/nx3VVH7PLOerxMCZf7ApfcWA/s/iBG2DLpeB698UKOSfogcbWO
|
||||
JW7Dteg4ZCL9zLxRiTZHLsMHnW/aZAAwoh/zV2Kpd6qbrZSyqgn3Pys8kwiFnnf9aWdqXmls
|
||||
oNswHZeh3JvMOgs2QyY9X/+Bz3k1vf4a2aU2gINvL55aRmtgd3VDvWVk41WcRAvOfBPCC9TL
|
||||
0UKbIBT+/rxuse6UiS/lVRNngvOpuUBmd0Zo/PiXxsxq+aKX6FQzZs0HsqAR/Ov7bmbh7Z+c
|
||||
WwE0ZEogPivsD97qv2aJAhwEEAECAAYFAlVxpVAACgkQ2oKDDjzMOjq1exAAo41+8W0VSibl
|
||||
OmQWDesxI8T+Qlw1v3Luf1CexMx9UsEktH5yP+guCeVpADMupSeKis8q0ayOgqXim6gyRjHS
|
||||
1HklDGwUnhUyfDu5VNqy7BOrbUKq32TOqudwtq5PEyohof89/hR0UwfC18hBkumW7NfCmEY+
|
||||
kUkvlAVzVwbSAm1bjkFu3DLD3RKN4d4UG3kFc4tqY0BweC85UvJaFFnY362RLCBV4gTjXVgl
|
||||
UIHXpDSt863NBTtbNJUTIf1tt5sFqknZh2N5UzgtkTz6t4N47+k0VZfxuk/f9MmuDEHAEBBp
|
||||
lj4X+ofPXbxbr2iaAZjT/LjU76tYq7thkbU2NRB6RtDv+Tqfib5z5ecwNEKIgQ6BelCh7pRI
|
||||
wnMYhx3wj2aeY28vJ9vE76NizPWiZpYzD3MHyWfN+kIuSDRZPBhSNLnfA5uUuBQNjS1Ad+QR
|
||||
Xo6CtWZ1cE/7Xv6DCKmk0ThbGrvwkHKJGrpJeaaf8lP0fo0L9cIipqx3NSSKHGe+B7zhQZO0
|
||||
QBlTfXRlErjuZ/j+V8MTZqsmlhdVi+hElTioj24MQJiXfB956RuOM+g4P9v2QT5RRD0C4XaS
|
||||
+KSC3eejZGYEeJAmB0uRztsRntyryw2LF6WxcSyEg0pY+/SLFxMfRIPlcAxMM0SB7HSAFZ5V
|
||||
nQJHc7bBkNpw179YqexsIKaJAhwEEAEIAAYFAkxccTMACgkQ8RQITAhhERF8zQ//R2Bls2xP
|
||||
vxotETrAPF5MOjDqlK6aeOnSyI7shiWWXL+7ds52SWsmD7IL+7XW0t+fwvfEVOb+qNWIiVaS
|
||||
Yg4nvZQnTkCqTnDxTzdxipEaiK0MC0bXmAikBQjZ0iiveOMYOeRx2PWuUOHrymcvJ+atlkq6
|
||||
pk/mycZGpVitnO9crTb17SLsm71k5aV2u7EBCEUcbakmrx1mDvBoi/tSns5y9YEPTc6JcKtz
|
||||
VqbyiSAY5dZSaLc8IW9Aqn533kPyIwYXnbxd8cPFDxDLhIeBmZnVTLURE3517RXZu1ngZEFh
|
||||
pSoT3w0Xg0cgh7eJ4Vmo8MnW3p33+dSHbWRlgrNZcB0PBWZrByS/iS1b9REgFTyU4UeI7lH5
|
||||
zLgPdxPKBvCNObRhKg/dAmqSDq5EHYgWxn50p3TCfhrDrkoD+3seeee+mNARjLP4EDyBF4/k
|
||||
57SqT7ytj9TWQoQuGAodQqNXwMKNcldz4FRZ3rMFrUpJj3uD9x2tlT/3bCVKQ1QcPSzKcEcq
|
||||
zq9AZzjH7cVEbgpKI5zBJlejWB6aGvHLIhYZb4EYuO03OgEDDj9AUvIBFBxKdRvCzeTZOCTM
|
||||
/8oAgSSVmFewEI4E0yNxvZu7wjSV5LI0AiyhwnCWlfYM9Hgxbai3cv2osIK2p5GXbaRykhwc
|
||||
jc4lPrIsEE3At2UzlzO4TTI202GJAhwEEAEIAAYFAkxdPzMACgkQhy9wLE1uJahHJA//a9iV
|
||||
wDsx+OxFu8+vPEXmJCKt1o17+PyhskIvNSXlVPvpYIpqNKUJQXpqBkiNASrCOQSHrQtw6p28
|
||||
9i011TMqmMZsUkjqk/Y3Yzx+SPT6KUfny7qQzGW2DpHL1qILDFMywzvt9djzWT6hmH5LCLSB
|
||||
3aWMHIwPDvtvylzHPIN2XIABSBxnHgeEi+2ZZoLZE7HlQbwsAU7Xguj0K1DHe+urOBYvU0rq
|
||||
ceqiJhnY8b71bwQRhFqVhoFkW/IPp7dujQxeJVvHZQLLNkB4RMqG+kR2Ku04U1Fxbh7oc0vr
|
||||
e8EAYdMfutU3ZRWZ4D8Ltr+q/hxy6dm/bHrpFu6NIxox6KrR8zewcoGDQKI9BlQn8mrIof0W
|
||||
YWNUusb//Vbz58iOh3POcjs7VkD7aPo9R/TaruBIWv77kbjszlQaKKHWV4aIVS9EXW0cPpeF
|
||||
OQUaq91aAxB8Tw0Clx1TfVc/QZJB7/l6k8deXgo/+4JCU/BBmsplR6mG5mhY1Iq5PnuutU+W
|
||||
+sHQRYSiq0EKdwmAaq3AIz7D+rWafv83Ea1cZaMph23ChqVX/e+YVI7rxxYCY1bubd7TtYWb
|
||||
VG2W8ufTwemZBxWFq8HXc9d+Qm3LHV20Qxp5fAoYr6O67XYgQicIFW7f0lJ54igqH67wFjOf
|
||||
zOTHfWK0izIeLVtp8xmj7hbFrXXd46+JAhwEEAEIAAYFAkxdRNoACgkQU5RHndNSTFGQ7Q//
|
||||
YTQ8KFH7n9MYRpb83fTRfkyreyQyTdbcBsQw7R8Tksx/qbidiZZfI2cILweIqsumN2bF+ibQ
|
||||
VYx/PpKEStaW1VQI5Crx/kSRmBaOlipbbfO+A3sbp98hpKMmaIxvV7IhN9qKhjcQR0YGXcam
|
||||
5oVVwjIb2n89nqiS0qnGIUSTLzK5IR8Chob6tpnD3jQAnxE96wyhADedhCVMf799HSoQiiAH
|
||||
TUarSv/HMIws34LRgZ2voFXADq+CE1Q2rBEapwrcDSkEQEZ79LImeuS/S1Be2ritRO+TFLzc
|
||||
982LuHBxUa4MlcwWtWaQQ6PW/c5J7QJz0RiqaaL0DZxCw/Cr2e3MIfTCdK0zPg4A9BrNsQkR
|
||||
/zYmePPTejvbsYpsWbpOknwZNqoYRc4cEaukAtdhZhFUDfL7jfh5HppCIM6EN3ovmTsRhauv
|
||||
LeAI3J7JqrPp2yLDbL43U+1ejsD22+l2rmJQcQpRsdD8KlJX8bD3J0fCRhhIFNABjMmy3e4T
|
||||
bij7ZM3ovNZLCgjHmNa5ASMyS3l/T2Rqu9rh/pZbPWS2hPTlmYTStpb2T+Ax/anpXSW3ZiAW
|
||||
fHGOSjNrl9+LFqCdjyzvk/u2kbgd9VtjjFfpPS8xS1dGk7iIHHQQ1GZXc8s2WB9XkGGpD/j3
|
||||
8bvLJG9EXtqVWwJLo6t/PMOgnHK9dneq4I+JAhwEEAEIAAYFAkxfI2cACgkQeo9J6LY0gL4z
|
||||
KQ//YgbbsU+C4e9A4L+b9lOTh4ICrmYg0jD86oBtjTsomMO+UP3T+mVH/meHWTzr+6ib1vsu
|
||||
Nz85E5OWHeHL1Mzj60gbZSn/PMcfL++kKVCMhJs/HN6z4t/hY+GkafkeZgglnqItkZGK85ME
|
||||
SmpoecuYsExEj9fQaNjHuCOrp3c+B0PJ3PSQ3qTknsOnUwkOgAhgeni1RusUqckryre1pPrb
|
||||
Oy9RrTroHGsbvzfbYEYS8IVoaMP1AJj6o1kb6vomTmWlh7r5UM5iZRcFrKK3qjQaTYr9f8vf
|
||||
vpJZ0GlWT6T4szOmekTnYuZJGOumkLScn66qSihvxXXlurPP0XzVObz7YrZ+GEDNJxXwPJpw
|
||||
fpYZHsuSXv9Pu8S1wjbvL1xq8WEjwd9q4kgch6r5SD4+syLydwLHiBXTc5dfVO5Xs6KzWtXE
|
||||
MNsFBrDO3pgHtWvS2V6peL/yG7RJJztzZUc/IYZWuEJIU76rzU4YK/SC2Vse9lVA3I4s0knw
|
||||
5TCFvZHTV9KIjqT95xOgdlZKmQc0uXSPNrVfoi28JOfcAGnSnRX52KFt6yBrhCBCWuVTZTgk
|
||||
hKSIktI9PPC/C3xyLwxJjz1jPwEomhtnNx9B04W17G5c8nW1yCjxPxY4Q9LCYpMYXGB2Nena
|
||||
YydDbgfA6ua1exRQ+ZkWpnHqsmCLL7B0C/7oTOeJAhwEEAEIAAYFAkxfNK8ACgkQ0V0xOIIA
|
||||
QXMoXhAAs79q+JHo7ulKZvKDkh+OVOXrSh5eKGUmuqK4RJuxrHmthUFkNTsyNBEZc2+QWw4B
|
||||
8q8ka0x2/1eIDqwsKwHOfcQdyMepGiKnGWm58vL5CeoV/pZW/Yzrs6Q13o6/mm02bcxiVlqs
|
||||
ZGFiRaueY2QJ66viPY0TJPlK3CavKKgZQ4xQtfQ/MDg8sdEnu3G/1PWyyHfMVsq7fG6MXCdY
|
||||
TisgHAEyQJXgpCnk1YIuwxZQPKbMhcjiGbkKBMeQi9uZDiDUtY6s6S5MZGsG5v0KTuoBt2Kw
|
||||
XHbTgkFT9wKaQnK4rfMjGtZFuwiZw8MPsFgz2QAR+1s4mIkCbLPPl+jwL+F4UkEUJvpKWcPI
|
||||
AHnDe2q82vOc5ToWfm/C1cSf7cuLi2hGuSKw8JHuJ4hBF5NaMhmsrBOxjS9BC1OrutNvjoa/
|
||||
bBihJxX6pyz6Fhd3wnjtF8f+H2pxu9/9M6bv6lkHZDQxfnt2+muwsRncx/wU5JJcxzxUzcLl
|
||||
wctSMFHmNU2egx6Kw+vPgPdkthrOZjkLQZZj9DZxHK2j2ENAm4jVF2Z6cUHHm5tVTsR7XF5t
|
||||
CeFRNPUlhoEz4zdJiN2qflMY0pm9MjBpF44O8usWrEpUiPN53bIOpbPM08zYZ+BBGPOgxZbh
|
||||
6Y68YUAq9XfVn9okE73HeyLLS/bpBj1QSe6QapV7sg+JAhwEEAEIAAYFAkxh7k8ACgkQcDc8
|
||||
8SkNuc7NWg/+It0T/mHuye7+PG1kQbutyVw69/C7yyZkoICrcQQ+Oh81Ba+DENSKrPVkmt2o
|
||||
U3HR1bL+QbFDjUa+hnLHXh4N9hlREDbsaYdYz3xLbXeGOPDt0QrLn3mdZ2cZrZwLjcqsu+bz
|
||||
5sRZMbKKTXqKkMQaDcJa2CU60aEoH9d+QJkIhOHiqkNvVyrKbiMoGnJoKDppwG1e3+Ri/oXA
|
||||
6Sx3cWwmdVrNlwNAKraTFlw5Xh0RUQ5NJstxX56PN7tMm+PEnY94bPTJHiyzG1obm2Ona7sg
|
||||
+P3DIvqMFIkldhNz/DdeCjSN4qrB2u71tC7xwAneqqLpPuYhpMpFtD/JX2lOhoOvo43n+atM
|
||||
jqIU7xhZ2W0L7n64Ym31+wqqz6NEx+aVp+OgYVJPH6MA6jel3/KFhHoWpdnLJIL3XLq3Op4U
|
||||
tCio5JfouHfuHVdslmKlH/6rO8SFY4VZGF+RZURMze0I6b3HN3WQb9Qv78hg0ZrI4E7JIbhc
|
||||
oQQDIXgASS575vjK63/WRuMDxEpLEUflESKBsG02GJWe6knx5lACdIyD/8kZ6MIV9mE31Nqd
|
||||
zVKv+i7BBomu+ci/4B4LXn5LcPphmGPAvL1aabC7D/9lxLPA5Ur6LHDU08LA7S3j5Z7Iob4m
|
||||
KbS7pKaBdYPLm+kfAlw88bDnPioZwkWSggD5/6iwEN2XseeJAhwEEAEIAAYFAkxh9TkACgkQ
|
||||
dzH8zGPk4neH6A/+PTNKtYOQmFxM+1QJEqK8+4ZOyeIB74wHGI0VyFWRb6Bt6K7OIYAfp8Vr
|
||||
F4kH3DYPqRYWZLyG8Krkff3HUwdgBdrsRRQKN5Q1YwpwpofCcdDY9l3fmlUNx4MQN4Cx9uBT
|
||||
XY1OGTOMHHCog2eIOIkc3sT4xZ/zIcgFKM245lXl+fLvbJId8jZjYFwefNerUX1bucNoaloC
|
||||
drmbUN2OItXISlczLhSZlXcOyxU2Q1DICK4EksZy0y6XRnYA4/7JK209AS5jIZb6UvV4kMGU
|
||||
y0/CBTW9fJx1jZthN4bLxHMSVFHvG8oqRPmr7bO6KyvnxeGY/0bd30nA0hoVyDtKuIAuBYXL
|
||||
nrnjHogjF5sl4LCXLNDmIqbYoXMCAuYrlGaGsLzqGqjPX22yb+5B3zYCB17nCP4/l84auAJL
|
||||
6/EOrkOjTRPWIqsRO+dK8QENfp2zYfWmr0G7xBQPdeDvyFHbY6LO+PwzVfzESGranmiliTDq
|
||||
fGUGT/F6F3eBhKb392zDllJgfeKLt8V00vqaY8jqXS4AB6ze7XkcEXKsshN2atVsstUmjLKZ
|
||||
iSO73irt1X/Cg6SrKkjDgUhwTmOxywkHBYjsot2NSYcrdkYEfK3nPpesB19dgJYzPn0Mborc
|
||||
vJ3ixf5c2mjT1GHIdrp6XEjqLs2zu8dKLDiTJPSV/Q1H1nEasMKJAhwEEAEIAAYFAkxi3k8A
|
||||
CgkQd8b7Q+PTCCRE8A/+OY2000flzIxhqxc23BzEOXWxwZ+tH2r0UQTq8kwZiSsva+NIjN5G
|
||||
bx3MMcT4IyGF3VaxKZRJDPGcK3ByJS8HnCv58OE2iF9sUT2BZJEIfgniHgDA6iLyyQDmM9N6
|
||||
9UVoYYqIWff6Ve+4gPYebafy3UAgUJLHdrknfhE2fseE3jEtdsn9AizP7hc46xPkeuaAD474
|
||||
4jtM8h0zVk36l3gdRwFZEWMsxATskct3hLjKv4R/EFdEgIo8x7hK0uxvc6JyyguOznrwAgP4
|
||||
0LgXv+Ci2BWrf0awhOyuDJ+BiViKtEuzcqgwPR4GgOKkvzti8jkPNAvjCEIHTpWJwkIZ+SNW
|
||||
aaIZVfbZdSTMf3tfVkUJ8tLImtfHwJ9b+BPxpiP1DENZtxmbOsKPKeH1SIGO2BUt/Y+i0KYM
|
||||
rJmhQiL4k62PIRRhMKuYjQ5sasa9oyAACxg6nJMJoeJalJtcE0ZynCwdCFIkhYLXVPAgHCUo
|
||||
/c5Wq20YMW0sqerdf/oLwTHe8Gyru8JfcRS1mLBuTPWQUGIt2h37WMysv4hCHT29N98w6zJL
|
||||
jIGHH6Sd8PBw+WBxg6rpeGH8VVuLfHerB6XEMxoQM7FVAefDUCrHzWUrNHgSl5qG14HQ+46y
|
||||
xxegb5XNGM+ku721W/t7YsA15ASgZi8ehaQ7iSl56TGu8vQCTaDqPmqJAhwEEAEIAAYFAkxn
|
||||
Ti8ACgkQs0ZPiWqhWUgz+BAArOWNP1VqUSh1LpZ2mgjMLCW8cPChtEKI4/RHUElI9r6BVMGR
|
||||
/35Ww1HMcayD+H7WZDXXiBqG/yPJJtmMfBW0xWH3dbo1pEn8IUZd6mWSlbhzxRkVr6AFhDKo
|
||||
4T6QVQQ6nwJg9aBveBAXGnsr9/PieQNsp9IyACxZCvjoEh+2TV6xE4r0WaPKGLai5qPuvzSN
|
||||
2efP1Fl6gtmoxgI0yiLDyMlQZPi+/jXC7qcae74qYFUqih1hAq3EaCfiUNCVCulAEYnzhu+Y
|
||||
qJorF+Xl3vV/i/NT09k7GwvxLy1waPAi93yekg/QwkJMSrvehxXJlPdkUXUKCsgE9o+1CztW
|
||||
iIK37utWFTnkApQaKUyHJA8T++ReyRXDCEq3Mu82ZMQDzsWRhJuWmX7/5MAw/1H6yG0HLxC8
|
||||
sGH64oduKWZIlWwjkox0pUrA/ZkEDaznUxUK0ay0exYtcPJ9uUcmXsFvxCe0SOGwarNKbEjs
|
||||
FkZ/lelB2LZprKk/10BqRg3AzPEix8IK9hRRM5jXK1ZDEYRGYw/c9VoQPf7eMpF52zAZ45h8
|
||||
UjL/q6oAg3egW+ddbsEEXzsAgpcfNKhN/edoUKhQd5d2h0S8IpmPMrwvqrRaRSlOrqMhbqro
|
||||
GQhFOV4+fO6zwkV0P6Y9QSIKibjZDS+QUZPXCLfpKRSYVQlkFwGVeVUcZzqJAhwEEAEIAAYF
|
||||
Akxsv4oACgkQ5E+AFtNjD4l5ohAAtgotU7QYfbvY/6b2DKShrm0guTeROOi1imRMfMD5Nvy4
|
||||
CazA7qm07G9Jxo/yFYHMaXXeG02vx0pSb6Gbx9Z/jtwrOALmtIUAajTFmcC1Koshn1KAlqtV
|
||||
FriWzwAz/jYIK8BL8Db3LCgGP0SSyIaD86x3VXm4JE04AJeAtFUikQwBU6iNA8Mue0rmdIgz
|
||||
vQ2Fg7qk11Nafx4xT7XU/K4BAy8U+6Ai4F8VPxdh94zc+Z5qVd5lRZ9fYsdzztYoc8xtOzjJ
|
||||
YzDACo6j6covoSD56gQi9htJzraPtKaWu+gz4P0ijZ/naX/hsXlOnZ7IQzaByetVgXoU2Hg5
|
||||
D6UN7YCrQ75TB+Q7Mh702dvihXCr2smUkBOBnEqKoxrLqLtrDYPLw7ELuM+bRzZb2nfBYzh7
|
||||
/o5hEG3NO1rXIQ21cYvfPSggkI1fq8kOsWbd9uIXR4iHycohZ9DsSW4iQ7+IwVu1Giypf/R2
|
||||
Fpz+cL6aGI5DKFRBuz5ucjyhJrl9wes8v1hsTDNAPSbOyd3I4PHa3N4gxWbFvV6TZfSwHKm2
|
||||
fot2bglB+n9otZaPBVnHdsntQsRnS6K7Ptft/EZ1zJvWJcOnAjZEtj62mbrP2bQ48r+wkWy0
|
||||
LbOoQZ20auH/YaqOO8ZdA3QGpvK2GCfYB6JzD3bQomsQWMlaAkx1wfFQUBQ5xtOJAhwEEAEI
|
||||
AAYFAkxvKsUACgkQfFas/pR4l9iqyQ//el6hebIh5S7ekU/6R/msFAmuluGh03OAMYa+JwUm
|
||||
YqXR6iGf0Ftw7XgYJt2NiY5ZtaOULtZe3zOslFio4KRAwjKgEOzSzEDc0wFtZnj0/LlSTk9c
|
||||
zrrymcJQCAgKKV4WTffgiPpzDM1ajaHxY0WQfYJng/5pVxWb6QXjtB5mupf4T1Yv2blWAKpK
|
||||
Fw67Fz/iN4DlWil21vx3FgpAHY+7JVB/129BnbdHtbzP2CiQxZ9PoQt40bhrinI4cHyPHcHk
|
||||
EPKBD6GnyuyIoPGYRsILp76rH9vWQJWtY71DQwlB9+w/JTVP3TRinXJ0BSBvFGNcP4hqY5b+
|
||||
8tKmSBPJM0umER6Q16HosZtI+8rY+4yvaHjtEIqau/AdBnCW/EBeG1YyjDOQAQzVdOR84PLf
|
||||
Nyz+eqeZI17fZtokRjTg41J2b1+F0GbUOTQueqzlTK3spWYrPgDe54luHoYmgVqlsj71Zv7F
|
||||
cWEf7L9RdcA7sqCQXpDggcOTRDVg+eR6eCLGJetBfq4fsX0ae10TRh/pGut8Vu6NTcFGw5c8
|
||||
vt74h+WFIXPknpBeKl1HcKUXTLJxQP5CDrZF/HzUaLYI1SaKv1jVm36gV2YZvuZQyim4vBgg
|
||||
V1/9K1EMgUW7GRnQoOpQP6zxFWnpPXPY3TDvdleaqeET3xET75mGgD0WIUreBaKjp+CJAhwE
|
||||
EAEIAAYFAkxv+OAACgkQnQteWx7sjw4tUw/9FgAffwwit35JdS4S0LQqmkmGXlMvfZEkfezj
|
||||
GH6ITG/YWri9QE0ktGJqyCbP9tnL3WCno8bs90tmrQyagjbp7EsADz8L36vbYrOU72mNHaeL
|
||||
qbJcCoztUSWAe9aPJ4ESwTXbXCkl8xE0fm1zTF0MLq3T40Qqw67oMTBygYqhb8zeY43bKOzZ
|
||||
f0fBLqFE8+LTZDEk00Ucc72M+W+J87rdiHUuJDFdAZbuAvBGT9p1YNkcqaRWSmgRddJ9nBTD
|
||||
a/Qe9IBnAXBblouKiVvSTGpcyAyGKJ9cPtaviCLRXk17rGli43AymorBdGPpliZmMtrInMm4
|
||||
FAhSoU3nwB6b8oI5gMh46Dze05PYkVVZylO4Vo2AILUkeo6tagy3t+BEFAmonnpluJKZkfcY
|
||||
/FvvoaT8oej2U13tXStA0FXMOJd9fGLruJ+yZnAFPrVHZWA3ziyO/u9iprB7ZjqrT1OM1Nob
|
||||
ZP7NwGxdqED3AYJAb3H97s4dMGAJO3WzGgHOfuZEMsH0/vIc3nWAkj9jsFcDxJ8uTVM6uy2R
|
||||
oIfBM3/XspyZvm2MBTuEJvwhXW7JTnxsUEpZ7aJQVJLT9Z8PPj7rPLJCkDQsdwBw+e0heTl+
|
||||
BspMqppnKw0mXmrRfnqGGxgLtlIRn8bNEp4K3AVuNP2iWp9rMSVPg0qLGSFgEH1DtoN2DsiJ
|
||||
AhwEEAEIAAYFAlWS7hEACgkQ66DGxxwAJW8VIhAAtBkHOqKPOA4A5MKAzWSIYAfX6FiUfFaI
|
||||
Edwqm5ZmxHItPQk+Ze8VN8jUEzzArrvGOZnctSZy7dMgT4WY+CNy3FUtg4WbmuvflcvCHlSr
|
||||
ontSVeFjxL8qhkBgUzaxqohesB899mszzDyaM0GMD7FKt4UisOV4K9VqhXKHBhcKi0foQKgx
|
||||
+VMD35N4+SqgSUF4+td913DNxdxvF5BKICwp9edYv6NpP/u9DMqG3lceVCy+rR3VEGTsFGNa
|
||||
HpJI0Sny797FR3w4k18wKQGaGwUtdMz6GcmhnDxgiV2V1StLloK6wbAVA4YY3BfE4l7XmJZS
|
||||
bStlL54h9tffDi0Dj1oJkSKXMdnI8FdpQEvGTGP9ARUz7MCxwiRzcJfOpfxATt3793o6fMLU
|
||||
2dOzrCCl+09bgG5+wls8nda2RB2RE1EHksoaNyz4OGpq9seYGe0qhNLN+lvIJsv1BaZNdD0s
|
||||
CaF+xbUGCoYQgvOh3DCiZbg+Ao138YEQw9eKE+Xifi8M36IeBTdq7S1OcRCwaDMmVchLFT5X
|
||||
AHmFeO3L3zCO1C95WmNsFg04+4avHqgOp5MolLSrOEvKTnFW1Ebv2BJizs45d28VAI/JhgPx
|
||||
T0w69M9Jpybd+Cbg93fHTXclLAPyQWXzhlfDPmKhukhSsG5JXIt0gyBUsq6lUygyWZcewBwa
|
||||
uy2JAhwEEAEKAAYFAkxdthEACgkQXTKNCCqqsUB3ZA//S25k6cAkZpIddDahnJxDIon8VWhe
|
||||
JzGmOMfb+hMbQ0y7xeCKRdNBa5yw3LKttLugofqcrGV3V6lmE9jWz5hK2we+ZAdCo/wXUWuL
|
||||
FJQW8WKY7hmDBwxROJ4jgC0LTgeRZhYEvhKpCH/rtSQuymstcTJd+5jkEE2FU1AOsoAOsaPx
|
||||
1DAb+uqSv2VefP/TG4sZ2vg0fdEuJd1+SiuTTLLEAnsG2yQT9brcXDvXPOckawFAM1KOwk7S
|
||||
fkYekg0iSA4Ii9RlXOhpxNcW/zZf3WuS/wrCCVYoY6OgH/+rp8LkBG7hdeAfRsMjozqtBYUE
|
||||
JwPSvLfRnG76neTa0DSi1bigpOMvHDIeATuS/hR7UdmTkSMwZ8AvQBOaSRHobjQwjfDY7WYM
|
||||
kvErANQkevWiWA4WshsS/MpEKxiUe6SGlLVeJZfX1dy6Jmh1WzswqoQ9eXQXX8zBltPAfKFs
|
||||
KRmf+OpHT94qYZsMhqAXOd51joUtCBmqeuzvdp9KM+R8cmuoPVqmZ8ZMdMbD2dQUap5yVxw5
|
||||
yO3CfGMXGPGfvA/8fOav/3MwWXUL5Zqv/ZhdjpP/ZNEB4txLJk1rIg4kjKrZxz2PggbMcCGQ
|
||||
0uf3SBZa6qXPVT0KbMjzvRKao473eNX2OPqk+K2hIYuZTVhAcKKuvN8qQu+o003Kzw1SWlLj
|
||||
1zrwaX+JAhwEEAEKAAYFAkxeUcQACgkQORS1MvTfvpmBNg//eJFnqXakbedse6wPpmk56CxU
|
||||
47abeG6ZCu/0FTwhwnagYfGXUKGTCepVjI/wLpevVeoXDbYmrUOT9zxqIL2Xssp/wz3Qb+HX
|
||||
deft/drFmb4XMrdUGwi+N1nhvPCXjWOtyUrzuYXnpCz8e0vjSfn6RpJ6qdgTs3Psyca9kPPo
|
||||
1Zgx29sumQMx7b0hcmRbSxNOmm/vGCpJKb43sHsYN2ESMCNzazQtpbt/HZ/xA/HqJCfEiKJm
|
||||
GUQ5rboqvhpruhbUFnuLIpGRvLJqE3kRm2iq1XfnfjXqUVbX2aHxNXcNKa601Yla3HGisEAB
|
||||
ILGvCRa12hrmh43EPpwLCnTOIB3Sejndl+8waKd0smV7Ox0oT1nSo5MHl/VtVLJzPnCX+EfB
|
||||
bzOepXJ5HRRsX5sHOTPHjJTOUuQvzfKen5nAu6iKsQnawpwQvIN1C7/OtEhqDAjWFr+eqG49
|
||||
bqN9a+EKu53bnXqM46N0/kRWXJAsHKfllki9e0bRKV5rIH0grsCN8P8qq5003cp/owAyySX+
|
||||
Pu9jFs9Hw4nGmEkuZPYXkjg3wTYClaPjrmbKfWXgVl2BjW+N7xU1yJZaAJSpd8vqGtLK4qz4
|
||||
wk0CrGr59EHPeAE9fAxNg+oonDQ7YcuDnHkVY7LNpIGXQkChrv1YgBzzAN6CFBI8GgG3C5Gv
|
||||
bYCj+NsHFyaJAhwEEAEKAAYFAkxlr5QACgkQMiR/u0CtH6b0ZA//atTqqwPfQWupcXoA/doN
|
||||
nXnBZDHUePFkCBan7YHitR0kPBVPP10dRfyd9ShKs25+DgAFTr2JKKk4ofc8ib+2SB4rTPIf
|
||||
gvc1h3GgtI7CXzuwKdcHojmOYXQQsLaxcQDNqEJqS6oGh1oHd8DQJTn/OiARVUvxi6LkioOp
|
||||
eE0KAkUOfZfnROz5E7ox2ImvMNvhy6VcD6q2q4E4nuWXaSVw13/MqZ8lGHRhytdrVLvVndSK
|
||||
U9EP79Tm+nIRwgqeJ0CttcSESoKLngTAvHSwVpiMcO9rLfWqYZB6FmhEjCyPl7hV1e9jXf80
|
||||
PLDihKscVEroxww4nflbIFOPsKP12vXuQs7cQr3BFE9yCowLz0X961WM2V4Cc6o6txY1MzU7
|
||||
FY7mFrwIy9b/WNLBXJUB+dpnKzmY38ECLJQ+gTxahgumxaNe0wQclIrkrnGLszOrIgLyVAL6
|
||||
/qD2qUywoNb3WWOHg6fOabKfTF3zBdzSYPNRXbhWNxt05EXARXRwYR/mkwpAdT3TUgbGlOcU
|
||||
hNAqmtzEvT/Q/Cu0nPvwXnJ1Foix6S+zrFAM8gs6zeUc8Q3k0EQvi8m54jILnt5QqYFSGM40
|
||||
FLgryKBF9hjwcPN1Hu1Qij8Z3H9MllV6Df36YSgKN1XpG3Jy9ktJcHvQPgHYVmXNsmQlmQxE
|
||||
ei/ZYehdgLeU0Q+JAhwEEAEKAAYFAkxsD/QACgkQeFPaTUmIGtMxgw//TrRErKK8vl8VnvHO
|
||||
8TK8KAMFi/GaRM0RKze4nJp72CGSrY5/bg2jAlS0hEKmSirlbLD8+U5/wWa5SrQT36AcyXYm
|
||||
I3weWgzNSvbCS3N1WnefhlUhkaC1PRMX3AI7EqwyTUX7o8Q8A/HVTgbgHnIKxO1y1EhcfY1I
|
||||
WEvA1wTR29928n63dmy03rKB2cJvQupGd/xRPXBx55h79NlLOJOadlYsUrk3B+RWBZHsn7xp
|
||||
wWXn+38fwuIFs7DJye3Eh1ceDootTd6wlI7Km8Nh0+bCCVbeInxp3THavrz1ohGhQ8O6AmPx
|
||||
wX7TN2EakX5mrwePFgHasLpgciOVRpDsaoQPF7taQg+d7knrrgbD9Xf6JkDl9/sxnlZ//t72
|
||||
eQR3X+CGQFmfhl5rw+h28FkPxrFO+n6nk6opm1z1n8FFjQnTzFxp2taqVs3s58ondUiPWb2p
|
||||
E8HOHQX9b4iYY5x6hrZehkSwoJOlwGssiJZSa9eCWs+yvJoJOG8yHunh48o91gY7kaqxGT9o
|
||||
K+2MzW/uwh7ztZ/ElJj4Vg4XTOqHgSDmUKZjA6e8Z1xuXoVT7D7axP0NvgIj1jjeCD1ncQsf
|
||||
Ay6tynZm/+Mz/PLwfe9uYGt5ZncwY9aKZRr8a9sUnaaIjeq7ywugKfQyxr1v4sjcQqELKfsM
|
||||
NLrvOMjw2eLg+3UC9p6JAiIEEAEKAAwFAkxi3T4FgwlmAYAACgkQzNLtlNIXOemGQhAAo5Zp
|
||||
Oa83tEIyfPOcj7HkQPTutAs8H+kgxzPMLYFhXSYKLPMsoH1TGMFC1JH6PjrzRdk6g7jmoUEK
|
||||
2F6EL5QpFFKFNVWahRWY49F67jryslVdeZKvFMEY0qjqsJ9nEBIZW8wJ/7BNvYmZxBlWq7PU
|
||||
0SKbbGNVexMagwctygY+mdnknS6vI3aom/yFByVcVXIdF52GJiAWA9nIx/poKS0ecCd4UuZr
|
||||
eQd+d+x/z4Bww5E62k2mB9d+VDik1kjzL7bXfPV3+bWoyBmfl9zEYgNnQ3ICurKztkRmu1/k
|
||||
1+68wHfU/0MR/1nJ9DkEfBi9Z7T3shtCiU+993wSHPeKgurkQwn+wzkthCNRNs3kOwee5Whs
|
||||
/zD/dyZgH+lrJDHmW6C8zaa/K6Om9+AacXLId1xjQpmmkO83Tkf9qQvtC/UlocllGxHo3hAJ
|
||||
dfxONF/jwY6Zs8NvRWPuswTEQOLCLeww5AhVfapOLBhcG7xZEye6VLArPNq4OsD2b8NyCd39
|
||||
GxtBdxR6/8OQbGoEmrYf7aGS+ga6oygj/+ut1M6w4YkQCbLd+OjL2ZUG85tALP/1KdCp1pTg
|
||||
YW/TmF0BeT7ICa/MmZeYyO0DUKqvsbH7Dyk0aiYgu+Gm3ob6JNC7MGadUkWIyjLUHkPNmnXV
|
||||
rGT4KAkRtX+cQl/R+rR+ewB6RErUtCmJAjcEEwEIACECGwMCHgECF4AFAkoHaOQFCwkIBwMF
|
||||
FQoJCAsFFgIDAQAACgkQRJdSeLhhK13PHBAAiyiTX8GMp3CgLyIiieHJnBIQS5fxBICbsSrO
|
||||
j8OHWnNAVwkiRbtXZQ2g4D4NvyGBuPN2hskjuGOj7aCsqpE4Ln23RfBTAI3fF3JgMGwkqWh3
|
||||
9a7Sjnw8DwxqaHB3zfs2AvPnolSUNyzc45VslNsE2j359UmvwZAGpqN0A1GfobFMWjmt3QoD
|
||||
q58C8EyFOWx/Mzcl0qUrvGRbQjQ8najAYugpBjdRZ0MzGfro/pmoETJnTgrZimHNXvDtSTmZ
|
||||
HTVYYbxj/99Iw5DeYschcK0yvbPFXGo12ndRrEs270LpOMmBpdBaW8bCj2uzATQLZbuaM/je
|
||||
py3bzEFcCHUMkF+ekIf9zp6IUkSc2B3kkbQmVJKxOeiKWzCXvuu6pU1nRqrG/565CRkwWWol
|
||||
p4TvlktQgHSZ6CoIxzDnYRE0eiGpsLxA10nE9VrUCjME5a+AYLQxj7ztDdDfb5r9Lq+1/bUN
|
||||
gtiiQ0fbaNVXXe14+daezFw0sCGB14MWSPQz62rkG6piKB4ZMilRijiicWg/k/Rvlbi+QzH3
|
||||
PGhqaVOV0JpCTfh3rolf54x3JN3bdlW8wcev0DLPJOAuhv8nXoBBdilH999RH0lGv1NzbAIy
|
||||
7goaG+XOe/fmxiZwhUQhmTdfFnXEtR8UL9/7+dv9nfVY+kIZIdSN+Sa5+pGs7bik8dfi1xy0
|
||||
IkdyZWdvcnkgQ29scGFydCA8cmVnQGdjb2xwYXJ0LmNvbT6IRgQQEQIABgUCTGvvxQAKCRDV
|
||||
ypsE8sQjvNDlAKC18LdtboThQEnkx1lTvZZSZfApWgCfdj0UAdJxB9OLNqm3L8ukPYl8DW6I
|
||||
RgQQEQIABgUCUJ/lDwAKCRBw814kbVMecylQAKCzW0oYdLbYjN2+VkMFlr9WWoeWugCfTyfX
|
||||
Czqy8U9NJX0KMsEsVBmwB7yIRgQQEQgABgUCSgdx3wAKCRAyF1wNwQJ6DvPzAKCBblkNp8NA
|
||||
k+lQwKAeqyjGAr+kawCfXlAQCvjXpRb6fYYu9X0S4r3gdfiIRgQQEQgABgUCTFxxIAAKCRDh
|
||||
VRfyKwkgwGBWAKCXP+R5VvROrrh366WPoeX552dN6QCbB8aK562QKVhd4OGwbqhHAJzpE7KI
|
||||
RgQQEQgABgUCTF0/KwAKCRDU5e2swBQ9LSl6AKCpl0Sd/zaVE+rXCmCg9lF4Z/DyJACfVE+x
|
||||
FXdayyRPKh6cy6g1x+KeMQCIRgQQEQgABgUCTF80oAAKCRD5heNACvx0dlAxAJ9JA62AWyTp
|
||||
1xpVLyxGchSp7G1I3ACeIJGHywtqpfbJfG6YiFjt2C5uVVeIRgQQEQgABgUCTGdMoQAKCRCf
|
||||
ePg86MQ0YfqTAJ9hOim0VRfs5+pf6rsMNStUWZXksACeODXRe1BY90f2o28VOFpxoDQMhZmI
|
||||
RgQQEQoABgUCTF5RwgAKCRDaGWI3Ajs/T8IZAKDCaii1ecrI+HP8NT7zero94/RE5QCdH9zl
|
||||
k7ui4NR8EuEegYPvqFw7cI+JARwEEwEIAAYFAkrbZ3sACgkQLQ1auHwlPVLxQgf/Y5PQaqBd
|
||||
FXEs9QkD2Ei7WaD1AZkGwpICpVmV1kA724sJ0uXgLavd1E9NtjhMVKWYwdjEl2556oZL2i/H
|
||||
XfRz+VgRcysjLM/ICcGDxy6OygziguJRpwBWk0xMowNgWFGIDvTt+Hlc7f5UnBrSE4hGmWHQ
|
||||
9Vxc4qFiADKL5IuiLssYgJY31xkwSyWcEnUe8WolOb4BOX7SLuuTIO6u/Ud+Zh+N3o2amWBn
|
||||
3l/OBfi2lM/TTrjFEiJ0KOfyutiGV6a6/SkfGKBzhgdzWj4M8vIMthxFAapU++3WXF7qNQAX
|
||||
f50EN2TKXKHgmidfpWFqmbPhIkEaoheUYYOCaiaXY/IKgIkBnAQQAQgABgUCTHaO6AAKCRAi
|
||||
OuBVvZThVI98DACKydotmw0GE4sNu7CHhGMZJqvSu2MSMK7IyjoShr/JU9PO9yXEB6TQpfLw
|
||||
E5b9bso87SouahOJV+bYvBaLx7JTT0awNSMRxlGnf4il8F0FOcl3RgXpgv14YxXxs8KJHLV4
|
||||
GhHRwVxzJu8hdNltsTJ7JjJQS3kUYjBpIfJlyp4yNvZvUeRQJWTs1l31CkPwU6fXP6pxCP7s
|
||||
loh/zL1zVGY2q0GrTkFlrCJIxceiPNll44Rl4PrIMTmBQHVipToRinsrFbyD5QTAjiorVol2
|
||||
il078fK2IeavCxtRUR6jTiHx4/IWqt+kPycq11EK4bFMKQIAJeF0aBoAX4fWOoSPIFWI/Nz4
|
||||
m+EecHCk5frctfxNV6VAB5Lf4XwjEho9HFZwqmSQ9snMi3zrEZnhnrCJ1/Gs/ALt9vu0Z6d2
|
||||
ZoLFgxW2hdOyaXrE54rMKillYoTLZ5d8+uTQVoN8XFz5SliSNb1tu1//i8U9Y1tpSUUTD87G
|
||||
SuNV6q49gYSeDqZ54EZEiHeJAZwEEwECAAYFAlIqSIMACgkQ73Pm2lg2uBpHzAv/dOSlPdQx
|
||||
6o4MrM1lB6imRf4KPTmjkIwnO4N5iFrsZch+BNJ64PdGukhuAi1EXY7LBJlXRO9BPxdJI6IF
|
||||
R91ELvM5VzNzZDdwZVPDV8wJwkpBTQTgNJXCjETePf6adpQ1ORMm6Kg40WIH67BLBN993Bfz
|
||||
dQbskas89BxmEdqaz1eGDaBTHO2N39jOG4vTNouatsTsUlDxCxNW/razg0uLgMPpL8dJpZ0B
|
||||
4cCi7z/+r+OYrV2DQlJo6Cc/vieROA2ElFa3p9unYRcuY4Mcn6Hl4gA3QnuQDsn00GPDTqBG
|
||||
OEvhjcrHghhB0WzxAu+lc6te4vOTS0OCVTWMNU/ROaG7x8vQSFqaNWxEigkVlRDofxsyGQw7
|
||||
CxNS1mwsYAc2kbA84N4OxMZ4sHkLnheoVjUYaXz3JmLMnlA0AerkZVQRfzm/+rlEwLW79G1G
|
||||
tsVaRP0WmG9/nNZXAr2wfD8menJAIV1lB/pCSkNlHmEM4uGFAb1lA/EENQS8sz8NvvdvLNYs
|
||||
iQIcBBABAgAGBQJMXHGfAAoJEPGmm+QpwP/ujggP/1V5FTQ8rwB8uw4u7Zg5EEta/aM4E8Pb
|
||||
idUJ8KDr6p5Zad+hGWCPKT3nloPbN3iaYXblmxDuAYhHl1neH96tWYU6vygmiR2Xo53y06tY
|
||||
EKQbdIF3+pfOCSFh9NnFlAqw72cMWsL0VqSoZL+SgY4IojwupFWPNIJbB0JaOSW21kFf6/U1
|
||||
juAbtat4J8+l4j8mNgWCUeHBENN78lYD506VIuuJRlsWiUBhH0unzY33A1BoJwyXo0TmL3wd
|
||||
0g2JIGT5sJmpeMkMlKminVjZCcY7AzoTS60QrCj2FCGBtfbUOH9OQvBojWOPz7ALmKj/aOl7
|
||||
3UtGnvlscJPeilteNQFWEib1e85ufAG0Ry1AEDtR0GsdARJhqiG6jRn3v0lBxfG2dVWbHrFq
|
||||
a5FkUm73c9r+xjDC5NquWhd4GHyG3IgVPMvkw8sciL33o9A/XhNdjQiZmpok77nswvbuNOEX
|
||||
diQVnHcylh7bNaoXR6+3R8FVA/TThpW2EjxIg9TwAPfJFKWV0SWfyJSOZLFOiEYDEqBI190j
|
||||
3WSJNV+p0+lN8CDu8jFHxehsTGOAALCSQq0mZTKJJh0GH7d2YD5BV9isUvsfne52GLx/xmoJ
|
||||
+cKJfszaWq2FoMhIPD/tnVYA/LPodylTRC6/8C0WIMR0eAaF+ByCoU7aEMWJDEJfX2MoyQHa
|
||||
fBV8iQIcBBABAgAGBQJMYCuLAAoJEB51mnJqn910WK8QAOJQVb/ihBQC0IsBpJwKyOH5B/XI
|
||||
jwE6BeErvO0rnmcYTr57AXwKNYxOvtIV8uS8gFzfaZJM4YHsF5BNToT3l2UIrWGK+O5nUL7S
|
||||
UM32plf7QPI/NSfyCtBxKWfXgbFQ8X/oNdwq7HMzCtRqZDoYv5btUajFsTP8gykqXqH9Ry4G
|
||||
hCFmnP0UNUWwTq4D2/bImt+iOOw4C7MXyROQ8aZd69aUsAln340L7rXz/yGTGvabdLXKuVDE
|
||||
QJtiZ1m/bewAw3A7zw3mKtMAA8Em8EJuTfmFvVQEpBBdacjwIn+ZpSzuY11arLIWNp78Yegp
|
||||
mFsuCANZDr/V33Xxo2Bb+4cbuOzSlXw+mOx1WYo1Fkj5Ga2IGkTbijqByIPwnCB03T/3nG/u
|
||||
hde1SS9YGGNL17Z2qDOlNtufKsbfPJf9xtiEN1vJ2cbOEDD+WbC2nvJQju4t4WaX06Kyok6b
|
||||
HPqupuGSOaa9VMYk6TzPAOG9hzcD8SBjO6S59z/qtGNqKZOcTWpeXWI/4qdvWtAPmafB4fVt
|
||||
2XS+vOwn1c4gNQFK+nCatlYywfuKxoQqGC+i/ld8wuniugtOjX4XbK2HzvuKMuCo0z6x/7Nx
|
||||
pOJAOf1jgWuQWruIt5VEULh56mhglEV1vL93aCUxOE7kKAcas7Ojbve/EQruWlFbzxJW6VgE
|
||||
1ncxHX5yiQIcBBABAgAGBQJMYDc4AAoJENeITEcY4Y9ExdYQANMHDBB1HSdVXEmkfVjMgW5O
|
||||
BF0AphUt1r9ptI6NvzcuJ5lFTIXHDa263UBRpHb65EgaHYqKC5LKLSXmUoKXcTU9fBLWFRYG
|
||||
N11qVpdoO1WSD7R7U7ZDbix76ujLCfOtPlqrh0TzHEzE3U22X3hxL+rHjDbvrLQuEhKbVYaB
|
||||
WaY1THCJjB4SA4YcWOXUNNA1i+baXlDw2XKqZrEriv+zARTxlF1GzpXBoh9ymH9TsyPg1dg9
|
||||
BbzzGy6r99LMMHmt/kB8BrOX6BfnzeLwSmg4VZ/aUWSAKK2cxbvmQFA5HkuFJ2sUc2VXmuPR
|
||||
DRY+vurz9PHMF5WZI8ait4/2m+W4zvsYZdgOPPkGr63+DVKssczpZWSq4zX5Ykmd9e+bsCUn
|
||||
E9jAI0iH4P4SKyFt1IkRWMAaUxQjN2v5/CIyydaavQGKM7AB0CjZL2835LwqiboOmptxzuWJ
|
||||
5HJM5JSqr1HMHP8vokNKcbrU0taV9IuTuBjPl198TR1vxPhHYcACIt6TP4wr1ApAsax3yoDd
|
||||
T/KrmCaczIeX6BmFFqXjDM/azhpQKIyFGgbDzrRAQ/CatG8Vy1baA5uJIsmiLxc7imwtUf5r
|
||||
uJOlXSi72uQd9eBx55mlt+zNHbrxULPYBIL4zOe3g1SXb0leZsvPjVAWcj21AgH2QJx1IoV0
|
||||
POwfFLEVCjTxiQIcBBABAgAGBQJMZY8YAAoJEBPAtWZ6OLCw8NEQALA9UfSTm/Zqc2pJn+nN
|
||||
q4sfhPUhYlTUxE1D49FzF4GmUHDYzMlU8VVZub5LahrITDINOIidmf49wXc3BcjcEKCUjND2
|
||||
aL/0JMtyMMORH+3g/Vz8HvktL3EnOiTw+Z9p1GNbEROI195VIWwNRjU/EYv78ErcrQ99MzJu
|
||||
O5yz+Qibp6JUSIzMGVTAiGIPzdJvnbd9JQXfg+fhanWKIIzj0dqNmH7tqYuld0K1nD/5cf5j
|
||||
o8Gc2L8GQgIStjUF5OwkElnO45iSYz4rgw2PfHVQBX8GsLBGRhKcxUK9psNBHIP0eWUk7sTG
|
||||
4/cbLgkQow+u0ryitmu+IJ/Q79NUiRNrw6a0rf2FUY3Nh/AbVqLVdQChKrxGtDQuJtpwh+uV
|
||||
RYTmc1rPmyPbsWj6xmgfvkLgX14E+5EPx8H1wyRsRpBPEW+Wb397I5eEt+gCEjfjrCprD/xX
|
||||
eNSRMdOT9NVG1HJ3wmeTEddkpbDNhtY09ydMzS1O3auJReh0L7ZRn8gPmnXk4EPamDNzY8N2
|
||||
OVByXKEPhb3bHD9RCHEaSe02BDcR1nbpbVAX3onquvK4ejZMuZIXXktbBcnqHz+zbRGRyoQO
|
||||
Jsgh6bv3qun3fer12w22PJ8Q8ifhAmcS+Lhadvq4hskVprr5tRmvxHRKPgZF0ZqGOmqvikyV
|
||||
YhFvZabdkKACAYCZiQIcBBABAgAGBQJMZsf4AAoJEBwB9EPJyTxaJbQP/1OgrWHtcJ39T7gf
|
||||
wh+3lbFvmcQ4ggc45PfnM7jM+OZbkPZOMnTmXgDXIz+0SKbPUVH86XPbeZAXHXavtIFvqbPC
|
||||
yC284oQeG0gzwS5yxygry5jj0fZmw2W0MfSQWEuUkj4HBkqEhgXGmbsYhCbbN6+O8XvBvIvY
|
||||
EIYO5a7wSzi/21NPuG3hcGMFV2yzr6p2FtvXfO5biWGcf0yvkj0YeBzaCwdty4F+1qGAIHcH
|
||||
oPhXCEggJKZtOYVZmsHz6/6RYghmRaSoGoG7Jj9+6udgZCycn6EKPVTE+p3tMiHxJzviEFRD
|
||||
Ov6iNBC55cFhSbMplkW7fH/M6rkW/e6+1zhxP1K11gwNTtoMJelrePLRpf/w12lNJl9jhe6h
|
||||
fw07mluEogjhXLVOQWSFjz3Y1Tfb0ez53ev/ooucvk9XT/svl2UM/K6RqyWYl1A8KCp5OgW5
|
||||
nXzRZ6fc4Ht9OY0sxMNLTLZ3enwrVa857n2VrnOgRTe8bFqNSMcR39QMAD6h9qmJR7cNbFKn
|
||||
IyQQiOtKCDFbZ7wyMroepw8wNLXPlvtMvS2zSBmMC/gJsdZVHK0u3O1Rpp1Jhq/qsve7D/fE
|
||||
NhHih8FBKPH1YXUOILdR0zDkyBUdXHBUpZlcRovaznkigKX6LL7f2SbXZo/jO0L1FHDhYQs7
|
||||
kl7OmWIXh8XW4m0ocB3IiQIcBBABAgAGBQJMduUKAAoJEK8ig6p24qx7z1gP/3wRRaEX7n5p
|
||||
oZUnpEcNy3ZRQPAfVAAX07aBSnTuHzuphX0smAfJu5fqEuYP1XzBUV/WSxuQ6nGtFoVSLEpg
|
||||
W3EX+KgLUGEv7Y4NI9LUNd47CNcZ3Fo26hQ1ur66c0asuLjseHbHl1aYwRgOarMy3X8JO1b8
|
||||
x3z9edPan11kBIeLpjlBnnScZVB9EB2ezptxaXvyvyq/+SAfRMnGKKO6qx5vG9uK2g7GOPJk
|
||||
dzS5LGeguixNjh7pN1ewiSHO/AqPyywVGYiYB9dnVWT0RwCZMXs3YmytZHfc58EpmKDoI19W
|
||||
MFA4Hsdgwp9ucXJMfZZ1Xw0i02fJQKs911aw0dF/hVjHSOQfVAiNvBFn8u5l4hgFG3JkZ6Yl
|
||||
rktrC6HThK3mo+KUNlynB70xSLXwxIHYkQUTxGr0HqZgRQJL03pPqk2Y+Lx4ndu4g0YwnInv
|
||||
1arb5Yfg/y4IJ6GDY6W6gvPP4wUrxue1w6BwqRwO0rD0vRMJtJqzoIRNCE8aqtQP96OmH5iy
|
||||
xAQo39Mvz5cntzaNMV9LOm7RgSaBvt/hLwxfhG2KX6Fca8hAXo0Q9dg5FbHSyLxF0mSZTRpO
|
||||
NPFzMz5zc2yUpjW3Holt9+5n9pzi8EUVwfNnFzijagzbL9bwuyc37M9wnPp5x2wLx3MF2o/3
|
||||
fNzpyo5Lh+IH7efZcG4XnUsYiQIcBBABAgAGBQJVcaVQAAoJENqCgw48zDo65e0P/2RDhlCL
|
||||
zEUuut3KmGhBmPbiTX7CnpwFhatNFIb+C1EJ2giPmmrwn0O25ED8dJFC0GhZrwNatuRzSefI
|
||||
yc75hGrTr/BFqRLAOD4xfMqOE5U4+z0frVTyuxB9Gdr31EmZ9miykKnfzcz1YY4MpQtzQOWj
|
||||
SiYFgjofwcpI+b5MjnqG3T8q1PzONnvvx7BrXt0lRNqL5MyByaV51CPbENyhWeJMu5tX3hAR
|
||||
rsuWoBP3kw6Df/ij5I71EfO4vD8C8F6AKWt8mBjyOfIpDmHkxNU0HYrmOnxzqXGqHTu+II83
|
||||
vgJOurjZ7TnqEe9jB4XMNF7w6+SPL6u3bNfzH0KPpEjzBV7jQKFUhllkRbcf2PeLnmzex3+U
|
||||
pEJjS5HLOkJt3B8wyANnZB358921snsv4LVJmgx1aVpeYWNo8vRgzKRMZT5Qk3ckXmuzHN3O
|
||||
FGKwLJnHmnha6rXG0ShlYjNY2wJjfmwaed4wU9k7T73tFbzoWJ1NXP37iQuEnOINVbNCQdfK
|
||||
cvL/82Q3LcpiapN1E/QYdfYjNju9NVpnSFICDEEYOfvodDlxbEQegZdd8zVHayYQJuc62sUd
|
||||
zPvMYLvQTq+x5tk1vJD+VSJ1sAbVZ3gzAANyMyYQ4670RK9H8z4ygxa09lAunkcJ3cUHRFat
|
||||
JyRM/u5NYxmCxxL5l0/UqOJg775tiQIcBBABCAAGBQJMXHEzAAoJEPEUCEwIYRERgesP/1xd
|
||||
2SPeYmC5X4OpUDsbqQoe79ojCbmd+2CoFHm+GM0WbtJHFi3BEJcVW//QNQJRSE5dKXCHtIDb
|
||||
jDhzlTKYT4q0f0p25mWMJFOXqb8sNiorXXdDz7k7GwrRZFsi/XlyiIrCwVHwLpyDGkY5IPBz
|
||||
p5JMXuxViM/TYn9BIX58rP7eVwAcazSBIs+QpAvUi4pfxNdPhrHh3Pczllxg6DamsEPBZsjM
|
||||
fz7pJxiddkJgAlDpIa8C3ZX4HdMnoPZhMh3JHxry4CIceMC8BOuX4c3GyXuFkKTMJSlRViKG
|
||||
57WyN7eQe17UZni23QLifLYD7V1r4cY7cWj1s/qsGtLsvtuVL2brOvHeHVEE7s6dWpQea6lo
|
||||
jLtlWjNXvb7WQ6XNFqpal5x7MG95QbBKWGHfifhVt7WrDSW6kbouXYYEgRhSZBkPPjSZXTEv
|
||||
54YkBVwCsb9fykKLOTy+wyJ5Ttj1kxtrMWsaofhDYOo9OtywwKL4AnfBMhE3NcrZ5Yf5MHHx
|
||||
NK/A95j9p8/HY1dKSHNDRub7PMM73Xp0fc/6cCyl9sTM9SFymKvvcMFChRcy1ZF9kVkXP3w4
|
||||
ZzoJz2YSTK4zIRY/Qqc+Z+BhX/rRuhwiILuCH9hXhhvBx9rKBxxKcTw1Gl5hZ8nP2CGXNkAV
|
||||
qSXL/0H8hschAtxw203KMvqbpSq7bYkniQIcBBABCAAGBQJMXT8zAAoJEIcvcCxNbiWo+oQP
|
||||
/2mKGGHKVA63SdyOkyAaz+mV2y9jIw+0hf2D6eoQ/OJ2l6vQqc4atQ9NsMBH5SKo+kPLhfof
|
||||
NcO6axy4ngb27YK1czUS0oyF+Vv618k+1WePw4Kh4afVZGrGsHBiv8DcKbeAoEn3gVORu5UY
|
||||
ElINIsW9ZIuIypyFXhV/zf30zR8MOd1uuJjif4ac7V+n+O0GpBgzCkKZoCdO7NJ3QH7RmpJ/
|
||||
TYAug0UMY9YvU1P2ffTvZuHxdY8adJGnieFnsLrO7yYHlva6Y2T47m0QwM6BXe673hj45H7s
|
||||
rZpbvNIEyRiXpucEm7YBCboiA8vBTjXOo8D27Aa5MoZUHF+znB9gRKWKUnkCyCT409yo8qJI
|
||||
5uSm5LWOa3Dsje3jlzfQh0BVLbq2f/g/kgm06Sb8jWzLYHUvA/+K774sOQu2gSG0FkV8BQJc
|
||||
M9RMdImzIMpNpV9JYOWZCzVbTe2ZzzZuNXQJFG7reuZ8SoB8JyrLEqNbfzJ4G+pNbXZbrSA3
|
||||
ybMgkaIvt5xDujQSwH/we/V3W296WHmVbU1U1W6lfW43KbOXriCrLl/j6qiy9ln/gkVc/Amx
|
||||
Mh2RC5bKOCTRJ2TgPms2+a4tSpOrqapcpa0OnZJJTG/sifz9/3eDGPTKoVkN1fYZqTp+0s8m
|
||||
NohYO6YMJsuqkYNr7UAHOTE1p8nhrq4RQlaIiQIcBBABCAAGBQJMXUTaAAoJEFOUR53TUkxR
|
||||
rf4P/jp1G3yjSGwglzqEbvu4rzO6LrC8ZqnxOSWjKd8xN/CIje6naB5P3gRFLphJaDUgnlpx
|
||||
nQYODkDZlMPsSmUY6+GrM+XDPIEnw2Yp2Vb6OVTSeDzgpjgNsdKptNGR2ENFpC5ReAKEKAUy
|
||||
7bLcraD04IV35hnuHNevjq86VO+Dev/SQ2NJf0NrOuC3iW2YA5SEXcJYGp1vXAZjRUprOnxK
|
||||
n/e04kTTA4b3cKzoEo/bQqk7C+7fLG1vHziDDPszsZ09G7eAhnhZmFVTk/jvBxJ9ra56Bo8l
|
||||
ArknJ7A/LHvGe2SEd9MVcoKIHGpM3IPhJldZiXNeyz/HuUA+xKAY2Ox+p0vDlKUAF/koME7u
|
||||
2wwx4ncMnRdbVOGNGDJTJhJGWk3VIUsicbQQ8M+wKnkJmLNI0ZGWdoNADdIR/xSIhL8bUaVu
|
||||
PC8amQwK3VD7iNRcbNnIw0+Xbzev892lbBvav1Y/V6G9lBeS4KrLu1s5h+cmCq84RlW3xCzY
|
||||
B3yZhWUeojvuplyNKPApJwkjWXGC1LK6VldZzYksXMb+9JxtoE6A/9F++NKqEmDilKl15YFV
|
||||
Dy/beTjoSK1+6T6RrTKOPt6kFu2460PTa9KOqjpQ60hxOn/YpyAeEK/MtRuBjAT+wBCIX+NY
|
||||
UIxHNX3mcl35l6Gb1nYtL4CxBG4h557CGM4s65IJiQIcBBABCAAGBQJMXyNnAAoJEHqPSei2
|
||||
NIC+Za4P+gLihkZlHwFEM0pNSR9GoL6OsaEnsUebefwcLSrX10Ee+5mpODki11Sf1flIWJ7J
|
||||
I+2Gj7U2NtFFXBvzNCUDN30Xb+QJBSU+pgJERtXThl8hKYuot79wg7FclsIo9P/NEQ60/tji
|
||||
2iSQ/w12NIApczn6FmX/xVaKafJyf/QRnI0mxQvd5w7JEoeIKvaUVjt5Zz9fUhTiM/9kDCv7
|
||||
E4a+PuVP7nyQdSCoduhFYQwLf+727mxtdLjK5OHXl1jYx5tcFdTyumZpB7bG/R6U2wb55kxd
|
||||
iAltk4U+59p7NG7JSu5Lnexq+p5/281vVH33PrIINuZUhmpPovFNeDz6lFqEICQvaiS2STte
|
||||
/BY6yBwIDx/1nUhiBF3yUU1TOQrtQUfRjox4QRj1g8YpGspsUXagBltN04l4tev6Hw8tCn7A
|
||||
/f/RkdQ/7U6N24ZP3BdBx1R9nKvksE+C+v5QwlqpufU8Zaj1YpmPBn/yfSzSCvd9cE8pa4zO
|
||||
KujACMEsPh0c/BDoiWsmxKLTzOoeKGwl15x6x1Y1yTKOLD0wXXvEM0TVF3x3RJgvpdnvonN6
|
||||
c7URWq31zKcISwLOKCK1c0UK7hyD8zFISiPChiUUdGicZ1Jo0me+xp7R9b2QQnwVj4kO94gY
|
||||
maw/3ouaDqOrU80N5pVC5vC8XSp/iGAY8wR0fc0qsPY6iQIcBBABCAAGBQJMXzSvAAoJENFd
|
||||
MTiCAEFz+XAQAJo4XauT6qsxxS3i4ADlzeesoE5g+QPzg5mpVP8NA+kEXqLuvW7ZZjDzMClh
|
||||
bpnhT9L6lgMdKOzODa8PzMMe8lMlQtGQsfby9Jy7c15wFwO3YLr0OesnS0gGMV0cxpu7XVmZ
|
||||
ROPqOn1eVk25eaZHO3dHrc4ve2OMP3ZG+df3+kwQpiMgrl5x+9UHOWfqEtyT590yzofK3FCj
|
||||
qHZwMUt2pYeCksErljI2hmrKDqp1zVcjE7OoQwc6M14i2HvhYwAtvEJTuqyIjFZL/XzGS4La
|
||||
2q43fiLlAJalwlvIBEtRH7E5qWJEiS8gs47+Qcwigw16RhVp0FxhD7kT1vHrCoqwMFh5ULQB
|
||||
fEYVQVbfVaXU9vL61LOvPfnE7QVCMnREwzCyYlD+FonI/LK1pqbzXgEJjh48rXEVuzic1G3Z
|
||||
zipxiAbJNattO5aWuQjlEQv1ykWGIwh5Fa+LEQ6Idcxi32CsD7FFCYI4dg9GpZwM0NjJYrYN
|
||||
sN+Nl8/o96LBGzCsminV+M+jXyGN7S08DoEyuuoAwmiY/48lAQJQChMH+M0M/UthALdcTooe
|
||||
epFC3AiHiIaKUouRyqo60vNbAixbv1olxZpu12KlgCAg/ra9VcYjvt48msQTtmDQLz8/aY2L
|
||||
eoFLm4L4NMqIQ5Dxywqen1MTKkk6GIx+7pAJH5Z3izmQJEYpiQIcBBABCAAGBQJMYe5MAAoJ
|
||||
EHA3PPEpDbnOyQgQAJcCcEi6GZBjFHjNE3N2iLVUMItWSEdx93NabuJi7FpuhorwaJphZiYY
|
||||
3ehgSa4t0/gNzkRkscCmbzjAr/auQsS+iSpINgCKUJ+dwOO7t03owH7ARXb4gmWY58poL+J5
|
||||
ZgkqDok7ZtW09G+OenTaAccIpmb1IaGHDASwZ74EuH5M2P3iP42h7Q7Slhxer1GVloLD4SPs
|
||||
8W/3Rslwh+/ccYfweNC3gLvU1q50bj6kvO6OWemcI1NAWtxEDTGjsS+BsXBPlYQRF3tqtoQF
|
||||
Ht3xUKlGjHBO0DYymOMAlQzXfW7uqUYenrOXmOV048rqZxRtSdQwlXUHyaGIuyCRWqzzqYip
|
||||
ArtquhHSSKedxe5wltdqeB9G/D/zwHR1fz4VFkECxRp0rWnnOnWJEp6+uxYPiIV/36qB7X9d
|
||||
NFxlt0Vu3vZZiXgo9RMLjdQdYuBBJrshlwKkOlYPDzpYjHWmXJjKUIhDTqD5Kr2CTw3TrRyu
|
||||
mHevt0nbqlnzoHd935ZssJdbYGDC+F9aUfcyzwJN+CH34zKz5gtteGP48DewptBF61Dyl0Pa
|
||||
rHthrkwMqdZBA6cHE4lGpvrGh3GXASqf/rtAHwLM4brOhtH/LYYjvO81wThRmtjyjmSsokSl
|
||||
0p496fHxPDuGr7kbBDMtdfVdty8zJ8IaWI11wTYExu/6VgY9dlhuiQIcBBABCAAGBQJMYfU5
|
||||
AAoJEHcx/Mxj5OJ3X+MQAIdfUJP5Pmxv6T+yNRYSZ44Kx6cJJVvPtWkV+h5gx2sY/uTAS4/y
|
||||
oiBrtnxilEr1D3MbWyElI6jZPlDXxl/Jx42kEEur5BkVOFmAmAJYRork7qCds2RAWGnhqlNH
|
||||
vuMIz1/PfJlcB2hS5qo+JZLxTFk4ltOTUT6W8ENacKzcpzWGeQvqG/dY8H8FL2hnvNLiGITY
|
||||
XZY6hWGvW5Ti5xzIBXj7QN1C3WZAmxTOt9C/t6PHHktfC+MNGN9zQEBAn9MLkE80oSwEX38q
|
||||
/ukX1RpXCUTZmxIbXOaLc6deaTcxjJbBOX+YE1dSXrg3KxhXg1IUsMVBhQx96p+yhTUwznfE
|
||||
F3pZQiWZhVP9/qGa56tR6pejRM8nfgZaLNcT7nVibIk/7Js+fXRYp5nWUKf3f0BoymQss9MU
|
||||
cQLFs2Dm/l6iX1gFUgqoiOVIAX8DRc7MfJ+UTlHBOMGDKVok9nVsZegQYe6P/C88vfFlI1Qy
|
||||
fV4KAdAb4YwD2HatpcjDcX5TRX49mD+pmK0bx4+L3toRG6W3OPvTcsaubE9peNfjwS5L6CF/
|
||||
M0Fq6IhIUobcDRjmUNtiXk77WmI0ZM1RiaaknHHCHXGQgS+QPd82Htox2ndOwP0ScgbqlL4D
|
||||
LT3ZJqRJVWgnWK/n2BrctT63KFAZa68Epm4v0GZtTjpJpL1DYnUd/J6OiQIcBBABCAAGBQJM
|
||||
Yt5PAAoJEHfG+0Pj0wgkbVQP/1NGXS+oar0Y3GuQZ+HwYq4t7Sh8CbCIZlei01oDcC95Fl65
|
||||
HtTZJcd8RTPCkTilZV4orC+gHppLVGi2GQdSJ6C4whlnliwDtgU6uJ9uuP6EKTsGh1jAoTlq
|
||||
eSDx1n8/F4JG6A1xVOekZ8NzTIfpfdFlAYANe+z674ZrRPi6tL5euQ9/iJpi//bZJMVvmttM
|
||||
2QJ+XxNn/CrGKGZbA1PjBYYol3s7DjZLhR3IhgK/rvmVCo+0waZzPqI0CD/axU2OXT8B4lIG
|
||||
WvDcccX/8p1tzIjlXNNsDV804c+VtUVX3jZMISmVMWLfkShhnUEhfwi5CUNtctL1SPlqwvbK
|
||||
q3bxZjol/OFu2KbW1IjhZ2dJ2e1hQ1V8jUjSYQ4xdDDwzS/Z6EWWn7cLycAR8xF4CQd92hCx
|
||||
o5AIgkQGG1R6iraztY5H/fdhXjzySby6q9Zvfa+rw0GkXpJzffKwrjZu27+QCqvNGX/3b1f2
|
||||
s0eZ3EkFam9cMD3df8PCPU7Wt/IN8Sxv7JQqkb6StQF3NjI/lnFLcb7qf4dhZItGZBbkWfwj
|
||||
M2PMEIbCl66bi8XqviJUUskn2XWfhaodv13VyXGeGzVEw4+N4auDM1w3WZ5SnSXWrFazIXCw
|
||||
IBWYFSyHlKawy+Rd3I9ueYyA7PqgwdczNxTwILXhB0+pBd0Z9FMxjL85C1N7iQIcBBABCAAG
|
||||
BQJMZ04vAAoJELNGT4lqoVlI9tEP/0yGcqKoQuNUIsuMasD3zVuh5j77i4wo/FCqQvMQIlzd
|
||||
PWl+gC9W0xDA7vILOcqZEErIi4PPGwqpQYGUgh9KynP4HQau+43qe2BrvdauFCIJPsmuwfER
|
||||
OwrgdSkKyvdXA08WG77v0a1V+u6nsnmbXg5/xZZdwCAKt+kILPVemxeIy+f1AAHj2zLnDGfy
|
||||
0JE1jN4w+JZrhdWtsYXWMnfRFQQqPbnVqi5BkFDeRalBn0R4mLTCCOZn/fGodA7EdmRL1dLN
|
||||
X9FbnfD8AWMDEPMDZ/h8HdK7dD16XxW7i5o6ZbVvftyf/yaF+bhtOyTHabkdSlMJXHzl5mnW
|
||||
mH8NVlTTQt05SJ86NhOjr98dhSvcQOxFT/fVajDcXAQbdKnylAWHEjnejGgt9QwpM99l/Mp4
|
||||
8j2rLgqfexF54y53km5ssTub3QJ19FG0FPLvRB5fnXfzOvn8iDhcC5V7dA7q08afUjaLDTVG
|
||||
6byCHe8TR9weCaCrV7vvGHzmEEPRNzu02C86SXGZw05eRMWFKJL0AG1avj6k24hsnatuoUke
|
||||
6IA5zcx81GbkqPDiOiiYJOEZFY1Eokm6MhIQ30HwUO0TQ93TdNgD0pJdAiElPyhs6csf6/Jr
|
||||
ijOSajEDcEOuKzqYnrmY2AmDgfyOrjoW44ADKOcRTnnhAF26ljBzwqa4xguz9HEUiQIcBBAB
|
||||
CAAGBQJMbL+KAAoJEORPgBbTYw+Jb74QAIQ2ADLJSvn+c5MBWYwc2NcFrRHIc0JXwmn+wzG+
|
||||
QLeFDGO9SV//LM9L0XIIbsFFn71Rv+/KqyFLn9SyeGdJakuL/AMC4qF1m6bCzwSMdoZeYBwK
|
||||
2r3bgPU4xW94O8zKOfRF9kwxP+QK2adfR1y7j3X70rICZYAua2ugkZcIDkN549PBze+2LYnR
|
||||
3CIhyOV6nYTArKhYuaDiNnS822l8VThOgk/Dmdof0+ExQfl7Nc2oAk7wljhmLX7nMonNZcDI
|
||||
ct+fDsVS856UYg3aJR8EuDCAayZHZvo24/bKPwroxl26+tEEfsqks7epWZZRGY0lH+IY2qoP
|
||||
oFhHPodpAw+faiafD5/06Vo3SzH2i/btYQEwwCCA21cRLwpv9432Ia4ekvjPQ2E3fjBWGyNs
|
||||
UA49MYhtllX/8jk6LE+AIU43PFit6ZB2BzVBunsy/LH4ZLxdi5sLTA1f0dO9jNkqf3xGbRIp
|
||||
PVXtQ6t/9PUXAy1evqWBQgRNHVScKL6pjuoLurSIenQCbcNQo1iNLB9DuenAHNUBP6Ny3cby
|
||||
hqMpazBoCIb4HqtdeUBmzdDZ3okIdjXQaxsHZhDsLNQM1ggj9mu0vJWSkXfdXpew2Z/J3Cco
|
||||
lOuTcTqfGi5kdoDHPLvFDEYyrGKiHTV6P7TxoIxml4A0rY6gHFYlF1b5SXmUiCt+cKMgiQIc
|
||||
BBABCAAGBQJMbyrFAAoJEHxWrP6UeJfYj6EP/0SlRe8esTX01wSot7D9mZfjK/yvpA3g2YQi
|
||||
3U86Nb2vvLvJAamLzV+Ka5GL34lPASAIgwfilQyVhmAsyTOQ1sIU+rPav4olOoUTBaORlzL6
|
||||
1AmhtI5N0HpjgnIDLmtKF5F/kRxm7JmcgnHgiKoSZCzZH2tomVVIGA9/aSDznr4N/uJZ0yWT
|
||||
6MxKbmS3udM8WAgKxNN8IB2Z/xVDJ2dXMt0a4IgHNAn7wgfaizOiOKaJ77c4c/LNRiyhomA3
|
||||
VgHDBTP+WgDwEcJupo6RiXWyvd1yDTEsHCApieODSIlniWUePiuwjBPNNKwH0/yRo1fkK6cY
|
||||
kqbCD8Dk10p7HUr1+BEGW2fns45mpwJH9PvbJ7e7VldPs7AKmEKC0HHKZ9BNa3AJiujwnaUj
|
||||
EYt6hq+/DRUQp6iqTPDAKE1bNTA4JD55zd1gGthsGHKfTSAydT/kdvxWH8fK6F0vOssQy7iD
|
||||
o+8VVoVpbl3qJ1MtvbJTxum4ElFhPYaG4Oh/JPK1vhWVXva9T1PX6sGskdC9DPgDLStCweq3
|
||||
RqzAhjPvcqgpx39mZGU/SQzwVUFN7aqASNl0ZFUMmnZ/4aNNYXY9yEAvx8GetdZm8s+0gw4O
|
||||
zecerDlVf6xykodTT9sK3qiiRF53P5A8HlgyXoewut6MyKGEwhItfUshFSp7MMMJcycl+I8Y
|
||||
iQIcBBABCAAGBQJMb/jgAAoJEJ0LXlse7I8OrucP/jRV886elnIly0yuYX3ALXDPgGKFwbRZ
|
||||
GWC1qjf3ESdrqjC+On7jMLnT3/A4l03F23bpHEAOnTl5Ounb1PrhDnvo7msJUH1ZdtqsoT16
|
||||
sAPbq14Rsg4+n7f72KYKwcQaNVkgizg/W6a8VJDOxQQgkrZh3Lp90O8krIp6MDgd+XKEQRjV
|
||||
HxyhzpHHyqAaY+/nhRY3VXATZ/5K4+pdyRt0aWlpvftYTvX/iZnGBrsfjgYkBZnix/+PfFtF
|
||||
A2p0AXfiFfFuU3BlE/kG35gGDgbYf9SouHuYeR6TLgEMOekxeqPacbTTpM051Mq4tewfFQHM
|
||||
raLLSMCucl+duu7kyDRXfwZ+zoQ7I74UT9gRkI/jSYecRKAoSYnoewDo2bNMEsnYjFwyf+Zt
|
||||
MEV3glEDcE7FXgm20YYjFb7uMQIVbiuXnFho9RQFyu6z67cfIcJzEn1pttMdV0vmMfi872Cr
|
||||
BKGHxYu4gP1a+yQWx6N4Xgm1eJVdAdzhmkX7mH5C2GKLPIWzwT+onyi3qCCUWp4NL+2QescH
|
||||
IVkc8daU0AH4IGp0A83dpRDb91vYWFImVW2brurAsBwNtKRhpd6yG+ufE8+9PBzQ+hZD4+C0
|
||||
jyR/T5HAsuMQNSfcDDEi70E6wRLEd/KYp0YePkoAKES5CB3n46XS+WESddBXfeK0OZpAbXye
|
||||
45lyiQIcBBABCAAGBQJVku4RAAoJEOugxsccACVvHtQP/1218tsrXF0nLofFs9edddWw4NLo
|
||||
ZYc3HvELTHfyq4/41ERGOQoevO5/3tMzSyAG5C2lmKOz8SDHjAwkLmbqiYI2EbwYxLg1lTzw
|
||||
1jZGpjzBfKm+dll3SWroKiyesv/iPrExc6fJ1mxLWtP6G7R4m6ibmz46uywwreT6WvhKRKzs
|
||||
IPQdf84W13y2ItpFe9n2U3/Sy50brOnqAiLj/zIP5PIaaHzrqUIevdINFgyIWee2s7tTDcNm
|
||||
zV8TV6+cMs4jT8nqguNy0lBGjMsSm4BviQRZJON7h/v3/yf67TctHMWJxeD62STnXS6wjEIk
|
||||
TTYSNSEZGvMw6Ti3lVB4nlx7WW8wLX9X5/1QdPc9jZyVpsh8QzqUtp+jDo6dfXPBYfUlwm1v
|
||||
Q84BVfcknpMkVMDLX9EMS8M2HLWBGCOEa2/n88ocUnjX2ZL5C2MGlK1TTyxSWCA8D9beVpKa
|
||||
PdYP8JfUiZpC5nLKKBvyEGJhUa2dOY6jdbPRZX+V2TWMIwGWq03kSv4VBHdErK+HUXXcFvue
|
||||
OdQBEOcN4H78RPd20CNTEIE4bsxgT+riXcjUDDrfIH4EQsA4oh1Z5fXpE47y3ZMMJuWfRzrg
|
||||
es5QTKNFKDfLsDwPvgyJV3iLbJeKp3G/Te+scm3UDYi9dCB0eu1MiKM6SIxrJIGzl068Xndh
|
||||
QNLOTpCjiQIcBBABCgAGBQJMXbYRAAoJEF0yjQgqqrFAvAsQALNsAqgOJrnudiKERxnGU8dD
|
||||
YlxWPADlESd/DfsoEFkyd87GXVzfOE3ZaGKW66PB/D8eEfiT3wWVNpmAfIoHePXkPsA7NSyD
|
||||
CORROlpxXE9zFaiRYMzY3EdCsvSjSn2F3K7pymCC5yuYFXTW1J6x+CS8YCEautV5h6oIsGsD
|
||||
4zqXyHLWM6Htm1J1Rk0vW9tJqtfO39CFD/McuOUC6QMNLeBlWri8VDFmdGixOmLNAtBoZkPv
|
||||
i7AE3BFa4utWcLLjm5gMDsPW2xag21LAwX+xiZ/G0xkDfwKM6w01KcIp03wVzWBwtaUApsmu
|
||||
6fsH6gFPFuqrAKadAJY/L/U0A5QI8Lw8joq152skYYwzwC0INYTw+gst4IJDWPtjd5sK80Q9
|
||||
NJpnqLJv91KAn5+Ya/i+K3jjFQLwII8x1rX+B+hxsbofh95VdfPJW7W2ZMFAc5kpiN6Vmw6O
|
||||
X5i0x407cMV2TslvGI5L0aQ1T9mnMipqMnQNX9sMjCUSRNVa1DTYPr4ANkPy4ssXxenRN6Y6
|
||||
J1Y2KORYgm93FfUpQaUUHOPzBT8PlfuTn1rNZpIABEl7RB2qpsJIWytQjZ8U/9epUiiChMXk
|
||||
1zmB8izRWAoX9NtLM7KttiFht1nRYgB+8Q9/Ta5mros/htAW4slcFzNwEqFFEYNpgdtfh+S5
|
||||
50o9SeOpmQQqiQIcBBABCgAGBQJMXlHEAAoJEDkUtTL0376Zk/AP/2NHH69E18cRAOuET57I
|
||||
oRZmJqa+a+cIdmXFIhWlxUtQfEBdXwSDDcCNVZCWWabiHieSEahXSbCQIpjsjfTLHVVmBBCY
|
||||
a1XFHixF3tnR8auN/KONFQ5tl5IViAw0tYBX1zbx3FqZf/XMqzOr/twpKrbI2VaslvjPpu1E
|
||||
sZ7KiXnqjWU1Dp9ydwK7sdb34V6w/N/uonaulFq6IZ4GzQzIaF7/SkOwm9am9TKON/OmE9HL
|
||||
hz4kGimtnvztfaGQANF/YxBdjXEvtUp76y8QwXrxOD8f7EFQmascGPIJqgR9KLYp1Tsw6EFJ
|
||||
eKpDGJjzevkBN8eeIDLOWfcG+qlhNHHtnbfXnv9Ojr8b1idvSsdqvwFBAjw2svZAK5f0wkrx
|
||||
KU3U5/hTIz89EQuT0o/oJWBj67ONQYHyh4CYMZi3oTiqFWQH10utKi4kGnM8jaDA2No4q4xk
|
||||
n6L99QIU+RClkamJVBQdmzoSYpjiFoAlXDIhwQGt+QmhbizZLp6NqxXJOOHJ8ictRpRlzHOq
|
||||
ERlLNkmaaf4YTyBeEIH+GYad/xiqDQqm5NQHFBira2dZskxKC3SND1e5sTd0nYIur09wbJG+
|
||||
z72oKoiPMCf4Lzawpi83Yz3Swks8hZ32fbObhuiAmfXqEfDlhbf6Hz9NqTxE57faXm8pWrRy
|
||||
o1QgHe7WNpM8vth/iQIcBBABCgAGBQJMZa+UAAoJEDIkf7tArR+mQ54P/j192Qx1SS9xW+Ao
|
||||
2V6IdWidRtV25Pkt4LckZAIJHfVEvjpM8z1uuY34YacjFeZWtfI3mpM9JUQ2Zx854oSX9z0S
|
||||
iQ0u5XnPNBavYZ+DKgGygOyDQdNdjvdzR13IT3RIu+OAnAFkBfwS2r8i2rrWpeZxltPR1Uc8
|
||||
J0ZtJ+DLgdbtWZxCGIl5eupdbf03oNQ0GHP/h4W9Ls2kvJOzILQx24+9tCZBIi6ZuHjlawhV
|
||||
uZwTvhuc9HNhl5knHeyOZCFfBcNTWFnxuHIzYq0AU/12+WYuZ+SLll7+yA1yHpP7tQrz6oSY
|
||||
rQGLzsBq0/kONM4WYmhMQVtgxuxjZV7DK8+1f1YlbKCGrk/R4lZ2JklJ2+qI2WMiiW4BdZ3o
|
||||
CkEi8z5Z2vISsbTe9LujYnEbiTyCiEZlrz5bkavOgMP8T/0NlA0GSUt1Jo4hkLG9eWUfYgq/
|
||||
7N9vMQd0ihpUVKciJyqaSixVZVX2OdUW0nCh2ftwOzfvjhBG3GydQDb6Q8tdiOeLL4kB/zpO
|
||||
VfZu3UydE7CAtqzvNj9DRR6hfyuELHULoxkP7DHCJIx2k4ZZwgUmLHYIyni8ITsRUnapzqwO
|
||||
Gy4wmQM9ZGvI1vFXINsV8FUKg55scO7baXwizGX6UQ4jwvCBkt7i/1lYhY5udn8vmQ0cRf9Z
|
||||
HjKhTYfZ05hp1dAc9Z7piQIcBBABCgAGBQJMbA/0AAoJEHhT2k1JiBrTtIEP+wRhrJcz3w7K
|
||||
y8F8xF7+ihU9k/lvDjqZLlYKuX6kJsTupTygmC7bNVw4uBfGzlujY5kroa375kGK0Q6Uh4PT
|
||||
ffiySDUmKj4ap29rlLT3JzFuu5CIH2jskPEAYhqgaf1NZUKAcIncDtVGZWi5J/Gi8faVyRnn
|
||||
tE86gVvHzlgsDoz4WLE/Wer/LUkotK66I9sn6t877lm948GIrJ0pknNHB1bCcR6YhNRS6fI5
|
||||
n9W3bkHBBs+ilCd1GlWKl+a/NmBnr3yMKEYrM8hdh8RVJlHW1puyLruumoxolSToGvhAIPV5
|
||||
E8D8dc92Pa5N0tELtw4a1Ao9zl4X980QQ9XPqp19LdgrN4ipqxgaxlVywzSq1fObqtSd5IYo
|
||||
NuLz3PvoFeoDyP0degy+4PxXX+hERcpe224No/Oo6cPvyxblgftFpMlRVuxLJx79m2B0db/A
|
||||
lIEN4RAa6mO77ZcJnAeInD6ZWnHw+bVPTbGnsz/9L8EJA/SjILpBcG9UO9pqUYu+aL80AgDF
|
||||
FoWlq/Oy5YOjTIBBMcE9iN4V7RV0S7ygA7xXQ8JEon3lrgVNRQ3tyrqclXKw90ehPS8ntYJe
|
||||
8rr7M7hw9SGC/UwLlZctG0BO/Le1aoRI7U6NTnfKgdhfn2UAPX7tgSAX/xgZDcuF3T8KeTwH
|
||||
/GYjjUzgeoKuZMtfMjXtEOfxiQIiBBABCgAMBQJMYt0+BYMJZgGAAAoJEMzS7ZTSFznpEuUP
|
||||
/ih8u8cHaYsnA0vQnfXUB3NDtKpwPA39yTh12Em2QWP9ezw9CizD9VRBmR3kksbxvFI7lNHF
|
||||
bBR26jzHvz5wh0OFAoL0QpnwqO6YVDYAnDbwU+9Gyk9zFz5WAiTaj1AFMA2Y6tfq9M6eYOG8
|
||||
7eNVVdRI6NOwmjO5cO1NNFO6fo4zxa93VLX8CS+4Xgt+qYnJc6bZDbwUPdmfSr0UgRVVbZAO
|
||||
CGE4f2tSeLQwEOkO44XB1rgRilyGu9dRShgxLQoauAXzsQvqMzaNwjal2bz+yunhj14Q81xk
|
||||
xJZ96I0w7IzMPmu5tjyPa/1Bhn+f8cHkqQQKcu4Bf2OEtANNU6M98reiS/K4cHEj0ChdFiHX
|
||||
l2z4WxSsihbC3megEX96l9A2uVgJK0VsSPQQkGKzVsJkEAsld8tC4XK4OzukpXB184h68huy
|
||||
TL1jdJkYcZoBQ/3Lo6Z7TJ5ZvnUhdpuvQdRfmBYK1AuRuNuhmPDYV2/qqmFOYBrpUY2/qv0k
|
||||
xOYUduergCG6cI8zFK+KWn3S3sfxVt/032qe7oa9/VsloGBRwiaLl7MAwzHJfUgZCMIcfJgx
|
||||
6sQRhrvZbwWg64UyG+xFuocSqTRkcCU2fezMZHhLA6B6CZgk0sY/VBQLBBOy4bmtb54AslmW
|
||||
f39NNnD/VzkSqURypo3aDKn/f/v9+JNBfcCJiQI3BBMBCAAhAhsDAh4BAheABQJKB2jkBQsJ
|
||||
CAcDBRUKCQgLBRYCAwEAAAoJEESXUni4YStd9mcP/AtRNozdY/n06hAVJCnI2W0U0/BknKBd
|
||||
z8SXGItd3Mb++tWs8tMvZw40hB3C6oQJu9CdZ4tzZtf1jSUxoAJjGTGOiz0pooeINAuN0xRa
|
||||
eLzUPyQNJpd1/CsZPFgtn4FeUa/T9WwHxZn/XzDBPd+N3uKzM63ZRpKU2lkSvSrh7fvqP13A
|
||||
h8Zq/quMgOsCbQR6Dp1swJIm0s9gPfN4mEVXeknXnd2vRGrblJYL3u8V7cfjUjnCUlFmB7U5
|
||||
TiROYZYeP3OIuDsAqv8+xweBswWxCxX0LYsuRHRxmLKWEYHAV6e0czRSJYKQdV90+URoOZin
|
||||
Qdeo24cWK6caJEavAHFnDcKP5aMCrCtp9hM9EB1J5/w0zOEXLotwhD3cWVDv1k2s0w9wkNZp
|
||||
PJKRdXL9f0en47MpqJqR9/8U9X9j8t8tTUbo9PcUcf3YB4hvmEBauBHrCBNslMx58uPYOFjV
|
||||
YqbwHUzhTKHhUGVHbCkQrUOjD0z3sjKlzXFqO8Ba3sDAP+hs9+g3YUQX+A403rYJoI/b4Bvy
|
||||
eZ4ryKanz4/zhskMDdSBZ/UvduPm+gHEyq8Xtj/jxRDX0EqLvkphDdUgZqnmanx3FkkH9EOx
|
||||
fUxnqpdwJvAj6k3diWEuei7pSbTBlqi80fLRUm43135UP6AryHtUnraBSsaGskH4pznmwUfW
|
||||
Kh5WtChHcmVnb3J5IENvbHBhcnQgKEV2b2xpeCkgPHJlZ0Bldm9saXguZnI+iEYEEBECAAYF
|
||||
Akxr78UACgkQ1cqbBPLEI7xL7ACghnGFWacQR2ySOwHGcuP3y2NepV8AoLz9sWYoqYd0SL5T
|
||||
192WWkJWAboKiEYEEBECAAYFAlCf5Q8ACgkQcPNeJG1THnOB7QCghdTeFj/8kaopb1WjUCof
|
||||
BrrhzNQAnjYiGUchyKzDS++2vV4VPwxvMZZIiEYEEBEIAAYFAkoHceYACgkQMhdcDcECeg7B
|
||||
0gCfXpPTRYvu8+YGBrnl3ryzbBrYCiIAnRMek3cGNpJrDT76nPCVkp9J7zqjiEYEEBEIAAYF
|
||||
AkxccSAACgkQ4VUX8isJIMAYjQCfRZD7k69DKbhcMYOYWt5paHpg6SMAoIPdjQhnId+yPSTL
|
||||
h05O6LtJU7XOiEYEEBEIAAYFAkxdPysACgkQ1OXtrMAUPS2JYACeP1vgz920Qbq9CMig1p7V
|
||||
9Bve+7sAn0FIeNCiAGp7owWq6mZX4BOD0o/IiEYEEBEIAAYFAkxfNKAACgkQ+YXjQAr8dHYl
|
||||
2QCfa1lGYuTcxswPc6nqR8P9G1KoS5gAoNsq+dtZCJmYMIflfGNOxlzLUsNziEYEEBEIAAYF
|
||||
AkxnTKEACgkQn3j4POjENGFPMQCeNYzQIXlYtcurpdjQru//evWc084AnA4MQEEKUkVvRLOl
|
||||
PvkCi847vss1iEYEEBEKAAYFAkxeUcIACgkQ2hliNwI7P0846ACgm2JlzfNk5w49MB4cGDwy
|
||||
Aodz+MQAnjanm/JlttRZCU+zLaxHxEj4JovdiQEcBBMBCAAGBQJK22d7AAoJEC0NWrh8JT1S
|
||||
LqwIAKQmrdBXWS2UmANTYLBfDuytJJm+mHj1YSJ8ro92xzst6WBmqxMwQ2EscOv7S0rI/LGr
|
||||
8PfXBnpp7Mf3zhwEXeUts0ZUt/Vy6s8UAVPTGPSQlj/Ya8u0mFfXkdGsLMgMdds9Cz8fLbZr
|
||||
SycslmVmLtK4S+rhjQhJ0vXt2sL5VJ3HRznCpmSP5+ZQOlH/PenHLmV0kC9KcOsrxgvV6Rls
|
||||
HIZ7oiATogYm/kuwXwQ+0qQAMsTY3AGwE0yuMXvDuDUnGdUBzaZJJZ/wodDFYlDxTJb9NOh5
|
||||
P7PDBQghiR0LrnU+Y4b4Oh6ne61EyGRhP5ULvZ8RZsvDCO27gjNxRH1nJkmJAZwEEAEIAAYF
|
||||
Akx2jugACgkQIjrgVb2U4VSOeAwAsBhm8cj/o2YZPP0gFdUCUyr6ecydoD1d0ER8wwvOci64
|
||||
bA6Xeu+i8LtcAHKowj0h1uVye9SXK7FpfyPlD3j6hbikG5CKXSwwEfEOUHmBIdY+UarL2Att
|
||||
791yM3hADK/LjKObU/hEFs+b50xsug4pbYGbnDgitj4AG7mrqLLReCAV708jbizQyxizDl2w
|
||||
/aXbgRvjjVczuxFeFYGlkIFv+da3NoeYCV1oH7Wcg2vrBb+TrxgIbAMW4V36v+fIPaTsderL
|
||||
QQTv86Rq5Uv+FvZaoA1y7rXMpDbD8OJ1DdRv5BeDAGOAWUFYj+XDDdpfKt91zOlzfr74hikP
|
||||
1NWx0NEyG09wxvkV/6P1zjbv8NVedwhDBs6QQsco/oYx25Pqsin+x0mnc1NiDpR+9Oe7c4ha
|
||||
6JzzN3ufllxydLpK4D1RC/ITKhNhIrG26qSEtk9K6zM4QQbD/Ngh/hztcHMObLYv4MIz/Uus
|
||||
K+CoJDI9kPAISK7zKTHfGTbM4O+gST0gqcFSiQGcBBMBAgAGBQJSKkiDAAoJEO9z5tpYNrga
|
||||
fAoL/0E2pxy8oF9vH2d87G/tYfJB1sndWixltZtLYJMZ6HVAwYBsq6ju02893SllpZ6xp99x
|
||||
xAss+xeJF8PlpH5nauQOn07IyUNTytxa6kJ/xHcIuVEVFEBU5SUaXStqfugM/EE/V8pbW5di
|
||||
oIILQx52NKli/JhrBWlW4/1k8moyuCkZqYsdwwp2QgLrJhcTNB1nWx4DBgonAL7GOGy7s2DP
|
||||
6zoQT2rDmlMY+Y0GrYkt6dwwed0y8mP/6c1ayLP/5E7ZlJK7Lj/3WFxYXeOOP3rU2xm+Brym
|
||||
u1ND4gGC9P+p3rlEBJ/loSruk9bbviULqiO5s7dB4Xzr2joED4u0suutYtSPnuY1fNV0DGxG
|
||||
qgYvhwxcuOHVD3zBMuAfYoGSRQNsMrpzBnfytP2pF2CcS9L7maaTBxyKF7UbpqdvDDh74i+A
|
||||
/J2O0TmMuraSX6r/szqCS8B5UdetjxWHpaEViIy4TiFBMIzkhhJIn4nngn8lHniRT6ex+TWp
|
||||
dM/vkeO5f9ea24kCHAQQAQIABgUCTFxxnwAKCRDxppvkKcD/7nyjD/wIQDebpZRkWpthmHaP
|
||||
NtpU8vn2WWtxigo4D/crBIrhWCvJGqm9P9n33AXpGGc3T6VEJGyq4lxdwBP/K5FC8a3hgCXr
|
||||
dXAA+V5knfURy8kya5FBGK34YtrGXBcNv77I9GdGdum+tooYNnNJERueRkBLA4aIImB/W3NL
|
||||
eL1f8vWVi4vys8Utpj8+5pg5GLstbpmzewtc2LQFstMDeCjBsrDiuZZrsp3fO6zKnizg0SOS
|
||||
jTkSdXwvCma9j4mlmU2Ry9QJf3EBqyDwhe5Rcrl8TopaP75wOKD3r5npo+e95Wjvxy06PjjK
|
||||
1ntAYLMuEODWiKAhQ31YYYg8v0yMvBRFLfFmtgmSoFcIiGJw7azkxJefqIhQr6SWUF2G3keQ
|
||||
iD3qNjrriIqxdJQqj1XZjbwwHMKlvtvokf0xCWltpqzgW9YBcKwqr80Sp5Z2M5wjeB9TWhSu
|
||||
uoG44r8dtz7GEVllGwGd+hRYbyhdaEjdgFjZtJ/T2n5ESYQ5h3V3vjJbbxVZ3fOE4ksVNEkR
|
||||
5cv/h1x631SuU/287bb/ObGieYIbaIxpaQPedcPuX1+hHbLCrtZ9FAx1COzhIJbXG/2mS+2b
|
||||
hTUyax9RQ4n01fgsU/C6FPeGqfyrrfijS2XKQAGsigRGm7rIjENjXM2fGqNsWGEPt9v3YoAl
|
||||
vVv216XE3sCRMz4Ua4kCHAQQAQIABgUCTGAriwAKCRAedZpyap/ddM2HEADRXZZx9vRiIKFC
|
||||
taquk6DZB15B+CTJSe+rhtiiRiSH8GZcifbF2ARqZF00OctbKkbBNycNV8FuxRiaZZSZN1fu
|
||||
ZckgOKwMK83Llj0tHd+BTrjmOiZqrZ20l9j4CMfvoTQZLOqxbf0XKpfkx+WEf8HaJ59+2GDy
|
||||
CvqYrzYW4oQLdc1wwQ1mI/6XcP5YyTPaOai7WzrRhL0ClYj6/kKrcyzUm3G91SuC/AXPGs5n
|
||||
8QVINq1hidCyEjuRO29Pi9YjOIRA0YSmWwmF1Jq0CAWDlSeWZf6oZZq232UM4OnDosjp58pj
|
||||
ldIf8YS8TcNLjFZUSq3ilfIJgTLZIfMj0H+YZyBRvHL8071X6xmqcQXmZb2xGOJHu/Zn1qrq
|
||||
BjN7HIOrohVvVqccR5rbmQp2m763vqGCPL8nxZszGvH7v5PFCTdrfa8tlqiugadUvYW+SCn7
|
||||
RI1QMijJJjrlWolD6ZJLSiA21a9B/y8XmUluedCQ+RiJLzYBVSZhHI4j6EdavCKbTZfeUZEW
|
||||
PiYbpjltZ5oOjoTzI/C7GKn/btPdY298tHPIRPJP2P4Ybi0Xzx1tsZIApFEn/uHxzxndigef
|
||||
Q0EtTz/ikmVN3CAPo2i9dj1urBixB2QuoESumF2hjUHs9rZDtug6CuskojI0GAb2wPNf/U6x
|
||||
ugU3APwb6c8O+66de8wHNYkCHAQQAQIABgUCTGA3OAAKCRDXiExHGOGPRLxnEADsBFKXFFK9
|
||||
8wUfiWk8b5ov+XJRvYhrOQZz7fX0iIxUaZCLaSIViyOD8RYFXr9KKuhGc7pcEvU71ccRdmN3
|
||||
SoHz+RQDrCJlRgBosEAY5hfIuqtuCEF/njo1cNSR7kjkYc5PKXpbHL2G+15X8aOBdsd/Wa0W
|
||||
E6vLxMerhS5ILRbRs30W/VzcNnlb/3dhHSvJPVF9FGBeZuOahY1edZKU7xu8k+udND6lV1Xy
|
||||
j25Ty0mb1WfQ6ORuqLhXPbfIycqLD2sNmpFBNVlRkRejEhJU9IiOrqkgECPjqKUMo9cnCCt1
|
||||
rVO0EZYvJGD75wl1PySqbQus1MMLep6FJsqvnUpEh/HzS6+Q3/2AL3a9JLITDm2h0TkCeX6q
|
||||
o7b27aoe+J4cjiApF5E643OduBA6Ox2iauEr1t5d1J8ewFWx929EQYHnLgHtBx0CzZGUAZqU
|
||||
NJEqLwfgxZaN86Kdw1xP6qKCuCdkhrsLt7gsACvSpkIEEhVxoAHqJleWF4MqozwfpsEO9BSg
|
||||
L071pyc0Czw0XJlNNq2sn/GomNRvXLbYeSpqzsLdOAYxsG2l7aNRHVb81ml/OEvIuxHZE4Ae
|
||||
cjxfsvnONarc5jWIA7iFgk3sLaTVejP4Y8cbn4rXn+98QwseRPBMHRPx84W0Rx+YUXQSAvVG
|
||||
2GboFMP1PvnEEv0Qqq6JsdMmZYkCHAQQAQIABgUCTGWPGAAKCRATwLVmejiwsLktD/9ALTT3
|
||||
VOyGLPKCdTYn+kXo/R4x1+VpRdoLLkUnxKBzfTVqtHg6X9GAqMn4b8PIgIh+9ULPiK9OLV5k
|
||||
bdko3T/cbP+Cl2iqSbVZoKuYpf/xd49oIdiJm/omruVotTDbz5vOHwxzmrSRcxXNzKrnmptr
|
||||
f48dZjoDdrirUJNDlPE7yvM0IvBSwPv5R+t7gcti0/ZZFWDSEQ1fphx5q5fD47+t2Oqeyq9s
|
||||
oIC1uO9xnzB7tTmQ4m1Up0mwRsf/r0JdTkcT2Q1PNOttWUY4aDncF+d8wCraPW7715C7iP/U
|
||||
saAW2h+MwAVC3yMT6iu1dcufRJsgFg0iEd7G4Uxp4IcCfwSLWD1mh4NEXZ8Tis4hTnfpbICs
|
||||
Go7qPAFDdPhWRw7ZGs/aLV0+E6hu0t5hE2CWaOCS7hfx8Z9W1heEuMBqDXZeSEfkiA6/sNHW
|
||||
ocgNXiDXVMdyHm53xlswdbSDxDT6CPcdvzHsyNP9/pYd6+CFgTBAw60XqLrjYPr3tyTHBWgt
|
||||
vFS0tmSq2h6zMht+yMu0WCoZgw4iTYKtwoE+8RE0aaqwxUcNw1w5h8TTFY0b0NyfD16pHX94
|
||||
TruaZnlnpNWZtHgYEqtobMH6SKyOsy0G+BJ/XM3jLKczi1U5osqH0yBRCWxVk0uUAOT7Y8fi
|
||||
wkUSNQl8wnUbDoRSOtwCn1AQ0LRgOokCHAQQAQIABgUCTGbH+AAKCRAcAfRDyck8Wux1D/4y
|
||||
7uso609rTdbQTInHqA2XUshIOCgsk9aW9Vphgs4hY0VEhhfRyajEa6RrjdYs68BuWUWO8qs8
|
||||
PKe3LhgTDv2ZmSBMdXEowYVY0CvvHhyHHZwdMl+6vRZX1uI3SHf3TKqT0eci7gNNvYnCbdMO
|
||||
nXiBCM8nYUbbPOzSBKFEq3CE7EhNOvSMZwTu6pnOdH0qiVUvqNTx/hEo9qg+brPrPcLho7Yp
|
||||
cGu/Kuqp30r2b/HVv4U5X5mOy/OebqzCAb8WEdWoY9V9sDo0bf4or5DZaY/JB6tozg7bQ4Zv
|
||||
CTwyu4x9D1SqnySE9/wsu9xSlhni8e43o9ujv3jxABpbbOPqt00wA43wSoCbdfv4mWLsbGk4
|
||||
byKR3eWEh1XcUwRfaPk08fh0ssskKBk8C4sUMIk5oTiT+VU7IZ50gh8+XgMxrwdMcWAQH/Qs
|
||||
VtsYhDGA0UTw7C1Qp8mCmeqLVw9RA11d/S47UgYlXBQiv+3LXuYfmz/sALy/ktIpz/tp5CtY
|
||||
PeP3CPuFMTlKpVScL7+DbeW4pwwR3pkm1QAVaG/lb3Dqc4QpYcucetSyfdof1E7ZQtCRTR+L
|
||||
BXBHkfqQT4xnqYOU8ULraaLaUGOd3y17rlYUXlHijhNtytzSbn+GPDnbteQYqZPx16IS1H/6
|
||||
buaSwB5ZRHBbfsF9O8JP9+ldLkbjaodxpIkCHAQQAQIABgUCTHblCgAKCRCvIoOqduKse+8L
|
||||
EACKRmLci/pI12k8kF81SrF1TEZG4Mlqtij0vFQNTvaLJW9PSX5xE9ln/WcsLwUPf0ciV7bF
|
||||
M92bdaPiiEDOzpC3MFEV8Kx/cBGPdGNx42SHbOrxzbriIt+OCFxylsqlElW+Wbo8chPtXWzi
|
||||
/G39v1a/xHVxzBg4uUPFRL6zOOZ12M+l+TCijja4EKgctCb63t+x82GCW8UspmTTaEn8UT5F
|
||||
STK+qp4+cQeIYBRBcHAGKyfzKJ6Chbv3MlNq+zhmg3b8NYLTKWOgpP4th1v44EeO/R8Oibnt
|
||||
KJ9hqQF7a58hb2JLuoEmXXBJVk552hKD5UjKm1DrfZAapUTbWvVv9L5IdozaDph+GZzpXQ4C
|
||||
Mxlwil3JVEe9sWPoT35iApFSgoWbDNYGW8M/CRiyLzYtCqcAzExJbU9KnKOV9kbebiZ8J7CZ
|
||||
gxot5en0OaXrc/ALPHjYKrNmZEQ+B7dlUcN7KzFMEJHPC5Jb9xsV3Jje6T17lA+W4skejqPC
|
||||
ZB1mi9D6SHTN0MYajeRLasFq7F1Vytd0H09MLkQ3i2lymE50Su7cOsMk1+KjA63C0JmMquMp
|
||||
4rvuBt6Sh3qVaXDTPEUV5ZT5by7z6KCb4iYg7AB3IsCTsP9njUCZh19YE8IKxd4y1XXD+ymW
|
||||
FwxcQs8Fak4HdGfmXLf7G55wI1E4GHFEwWMJ1YkCHAQQAQIABgUCVXGlUAAKCRDagoMOPMw6
|
||||
OpY6D/9xPI7IEHZCcGdZV1C5JH93KmiqARv45K0p36nAxmGH16mpFYtTOuK9oJ3ZSAZtbGp2
|
||||
oppbQX5AZHhRUvHcjwv33ME0RduosJqeMA8GT/xZKfXNGvQpn/ZG/pDyDLbL0LyEngRR1R+E
|
||||
JCPNAna+op7ULQSQ/gf/HSwPI6ImnirMwXFAGOBSW0s29z0ilC/BYRlr4xt5uGwWugYnyhJK
|
||||
/SSwrGBaDxB7hakk2LTeVOe18etFCno07VPoI8pUtNLBiLmySM2aK2Muy4NR+jZjU9x6oDoB
|
||||
tTq40fkFln64nK82hqFoJP6kDPkzdQx5NaRiH4PAr1DOydHyXofs0MghS0UKlCZR6rkyAR2k
|
||||
9r+b9+KUDEQYrHXXDqhpeCunQv9LGzTi9GmaCatNHJTwTmVk1+oydWiruYLQCQHETCzQrK2Y
|
||||
FEonJnwJO8XremTXw+V3jyKZLee311I+ggQmtI5StRF7fFh7OGzdJXBVw5hI1VlISketFvAz
|
||||
rllAI8Txt59l45NFNkZDZlJlJeadffen6GOXsWr5q5JfS9XlfLbGlzlrcZCG0uxGfKoYaUJM
|
||||
0SNa5rvWO04pEK6AjBufkinWJBIJ1l9bz1uSkDY8g2tQWvdZrqGgih2DAXDhv+lu96U62fn6
|
||||
k+UtKx1D2Y6JI+KEdeGffuVp+4SnydvYIAH4GgSaN4kCHAQQAQgABgUCTFxxMwAKCRDxFAhM
|
||||
CGEREQw7EADTPt7E7JjfPg5B5r8xEQwvWnQ09/dE9xie4ohfzCOfGVpvTquyG3xKrbw9SKhh
|
||||
akS8HPLGgBvvodqvZOqPGP6eZKfAAZmlER5fAEtw42deAGhL074S4XOeuPmRPnYlzPZW8cy8
|
||||
HhcmjbuwXbhC7SJs1KtQ+sHZ6ihtTqXoqjsC1ArMOuA0Lsw9d4IOT5sXILtqnk92ynkX420i
|
||||
yAiRU5RXlASnBNg5fAmMGZbW2/EGrHtfE+zzpqX0N38qKmBnE7kRgPM8OGYxYGpUl8x+M1zz
|
||||
KY8BLhJx+gwCzI4L22uKwqv8dz3kzdWD1RBUUKJycCDzwrR+RI+xO9cQzaU/HOykH3HoRfIG
|
||||
TmaewYDxl2vsVeHVDbGdZOmhVRzLqQIS259eRjQe6ZjdMiRJe15j+udFF/iVMgSgq93vWWNF
|
||||
WB9Q7dKRZyPHjBuFuL9YP1VmxiNELX/BkQlDXcnlXHvK+KSFuEgV8RgQenmFtHy64YBC0MoS
|
||||
ka4NtWkPl9EimPn3iAHNLBCfqqs83TaG9Fl8+V9se/B//AcsNoM0/3vBU/L/5F0PppPVO6fk
|
||||
ELDY2V11zy7L5KcLJWm8f4YwOKCdyDYPYVTpl7xGM+30n5h3xto8Mz6f5NWVZbfxfErLU5iK
|
||||
aeDdSebdqns+FUXmZYUlWJGCXEnY1aAzy/9MpRSz+mtXAokCHAQQAQgABgUCTF0/MwAKCRCH
|
||||
L3AsTW4lqMf4D/9oxFxZbLh/kRIjys0wNgeiq0oBLh+KgN83Rf+vc74A2q2T9/XiopuEtk0T
|
||||
ywbz3Xw9KlidyGr9Rrbl6O6aWpy0csxUOWvprE7jaTwjqZxqISNCcsPFbsWQieJ1bVv6upjE
|
||||
j/wrTRh4IEC/P+K1OU0lWblbeDDEv2K8aj2uiO8g5Ckp9X8Y47Lh9VMPvSOPN6aFyX0s1DDV
|
||||
fweQtoYGQOmteY/pFDP+K+FV8iBw/wjEVEWflqWUCIOAWBT4w2sJ49KDdi3RGmFk6PSp/JsU
|
||||
SLGrwUU3YnRiVh2vsK0X5nukWk41jm/1XdvPzEEpMK/RYiSAzGXKvs+UUWFi8g7AHQNfJOl0
|
||||
hmB8LYFV7mQOLdbNIVTRB/ImbexKtuLDxU35CIxrJFvg7Ry3ulIZgDgFZEM0D/xu+2tBd28X
|
||||
GjppOjqp2W6Zwnn4uwqBXMrggtNRVSeGASTDs8WPdwR3PxYKxx237f8J/aC3o2k08q8KbjmR
|
||||
QVRLlOo1huZxmXpn+SUUKUJ0dqrrQHIEyzGtS/VSRRI+Kj4wiThPOS6zmc/vFaLjl5T69sOA
|
||||
LS5TJqoGZz7j+GDK2MINkWWNM61SNyzomtdQc2PIICR7TP9zJbOvad1QDfT7kyM1JuhpvV/6
|
||||
7XIP/oxk6OfgMT7yHTF6rh+G8UUNt/ZBCYAipcFByCKDwNB5sIkCHAQQAQgABgUCTF1E2gAK
|
||||
CRBTlEed01JMUcebD/9aEHlc3TtXSGHF/gxVl0zsi3mFM/wibd2n/2Zv2gRrL0Su7BunKEMc
|
||||
l+7SECKbDzWC3LYucKhjgVuPHSgGakk3ANiXiDw4qFqiYil1Prf/MK8F6RWye00IIG7yZamG
|
||||
+1kLA5ft7sjO/emappGvW7bicXqgoEsazImSi9ekfYhLFKHn64IR4UjynHibKjoXA+EatPnN
|
||||
pT+IHnBRRHRq2uaU8ycQoxiwUT8WMPyjlIg7NT+IIYqQm7DRjSTsUoTwhdaMlH7YCbi/dX0y
|
||||
SlfG0LF/5fdg+MV0h/hPqy6gq2oRouILZlfEGtvv0vBmqagmPP+m4KJ/6/Ikf5ysMtC/NlN7
|
||||
exkyj4M8Nl1U07ijha5CQCvn6DyQmy7xT/rmbJ0i1zjZauFmPf1ZaqennMkz2ndC0glSAYIh
|
||||
d76mDDWGjvszrYpbO7KdJJeiO0LkoSW7fKxgabNm6x5MaPVhcynmjlC8BFbn8xuZQst13Pit
|
||||
VmFtIDX+SJVFQCK0Ypuw0NhkXx4sRqkBukASSwCRrDxPPWqlg9/Ji9uKjInS7M/y3RDZqwJK
|
||||
UZqLw2pdlzdAStExWfA3YAX6lI7IrpHMuoPUt+aKNyO6XBLMOGmAGo6LUP8vOvwfkFI72nWL
|
||||
IgHSbB7MzHLFcMxyb4CvGjpZQzu3VDt7sDIweT4ZqWMuMIxreik+M4kCHAQQAQgABgUCTF8j
|
||||
ZwAKCRB6j0notjSAvpDND/4nzSbiS1pMCum5H8dhR6odBPIRanEa8fLaltUQCfwG+CXBfuH0
|
||||
nguvR07j3oMWLZJ0YqZIfGWy+FRMAqFjkY9Wm35ddEO4fm5O7j662mJn32S7ouAWvMXeZa7i
|
||||
uhz7pe5o5hxoN9dzr/jD0qNIUwWzCl8C1KC6Gm2Szhnzr4jMM6fxol3i1TIjzqcRACqIFM9k
|
||||
rJdpHe18XEE0Ao/cNC4bPdPFEqFdDi+zoYXNrHqyCl0FqnWOkq9IVa6Sizy/8+ncgLt7mxpR
|
||||
CeA6v/N4w55AGlxfS284QzDWUDzAoMzMibhnqoY/3p9xup1tMtOZe+2R6/AOfSa7nB3BSGDi
|
||||
g3INNT37Xh3OiwYtiGoAPGnBvMdVQYeLd0ySC1cTls+HsXuhfediraNnzRRgioi+r7Ew29Dj
|
||||
H4O0gWhunw0gqn5NO/0sqQyN5cW70iIjhJlXA2pJYXSLvONRzQ9GmvhYIq+UA89UmriycCBd
|
||||
u12zi0NfEY85B8qqzFP1c0EJrHclHNm4SuSh/cXFlejRbIiSejp9uCHXQqELSRWzxRWOSy9T
|
||||
4iARC/twBSE+rJYfCrTMLKZznBzz+FgY/NU91w+teGbKanrKLKjRJtlXanm5kMSVXpmeTnc4
|
||||
x46OO8QjHGto4hyaILX+H0+jYcTFZXV1wXPqgevaGLL5fZ2EwfdURZOMI4kCHAQQAQgABgUC
|
||||
TF80rwAKCRDRXTE4ggBBc1JWD/9xj+Vpx8DaFRrmDwND90I7bFDux0MrxxGZ1NJc0WhF03+t
|
||||
1rqP5aoqgXTx6UxMHTTQXRk6dNKpqRdWCiacxd9LUpUIFj8QrSE6zwWweW+5e1lCa4cIC69y
|
||||
AHRN7LwdWV/s8dTbBWxPuCspDXrb3wPNmNaouw76T2Ny5Qwt13PnkaHmoNGIDju8yOpVhcAM
|
||||
mRIeAHgJn5X3WkMPi9dGfKr94Vv+K1dAKzl1VQ2DHUcS8dVUTqugYcaq1NXeZ8ipacQtTy6o
|
||||
4+aiY1iBJDvKdH1MxJGsS2EvcXT14r5YzOz+KTwIExlrKK98+3XI/u1L3VkUHqY9rILN03Q+
|
||||
cKxX/3dV3j9YDu3mUNL9at+cZ4FjZG/rJ0B/7frBxf9fy+7RnqKHsrr5H7jFK+mZlqyAWqLn
|
||||
Lxi1kW9tliiEZ5RgqLsYQk/nvvA/hr01rAI/todTvFHV7RIByNQVrp8zBbpmSUhyGaycc3q0
|
||||
aNStTXoy6dFS5WLAirq5o0W2zKRbWF6RAZLCwYAz8BAvKfbdDNAjTeXQ1X6kEYxEmsOJL3UQ
|
||||
UYLUHm8Ko8pPeaFLjMfRNZYVdQhpyLQbKxEDWwmzuAxODTHPa+bWmD2QRP6g/be8ff43L+zW
|
||||
Ti+1bglSk5xCncsGp5ydPfxYhAQiizIySbmVGV0u+hVPSB+vGJTelgw8p0PMeokCHAQQAQgA
|
||||
BgUCTGHuTwAKCRBwNzzxKQ25zl+FD/0TkiEx7eq83NaPbkxw4fQGgIfV+ZQHHZPHZxQmWQe5
|
||||
Nw+o6jBv4spK4iTQOgfcyZQ9vcNoxDyvFXTPxD1SA9VhJKY/pvZYgFk4chfIAwqsuLhL2B4x
|
||||
fL7XRU044MIy12YG24mQ6wq4Yp4CLX0J7XTkqF4o5gZ53W2lZ8IBhGee13vY658Ie7OmSwXd
|
||||
HZwLABOIck59PBOnDQmbIWHw2nO8esxPuCG7A1vJ9oX71PRYGe53310L/vqRWliGwgINI+Lc
|
||||
ghnn/GIxdBNAQzvn1vrBtLvZB50Ck5WxRZdRyAh29i8IQKVt43X3CeXatFqPke30n1hudgXN
|
||||
f5zu7aJAHA3TvIghig9L9uZtHUMIZzxSovTF75ACmxfqiCXxS2pxqzJacDpahog4rJ/AZbsG
|
||||
3787vyhM2zjCiSZIrA2GE53M4M3TQpV8gKAZy54Gdjy2S8FcOiFARFGXVu/l6j3vf2dDrTdI
|
||||
Hlr+Ta/f2eKfKhyCLT5ShZwem9O10mpDfP/Lznb4kPKygCjT24t/UdY21mvVKwAiXDtkeeSI
|
||||
LhXVj+I4ddyx4xf5mrH7khCxwDiYKr/sPmzFUg6gHHPsxIMoV/8+DA/VU+x/r2thuSH2rdKp
|
||||
IuPcN1fLI3R/Buy2Pv3KGHzzOHQyHv2UbfGK5ijKY/lF5Y3RWYynInUcjQLbx9g+V4kCHAQQ
|
||||
AQgABgUCTGH1OQAKCRB3MfzMY+Tid/cSD/0XD2h3/YcPxSfN1Wc+CRkbtw/14V3lgDOa83Q1
|
||||
Gr6GySQZMeZ9NeBIeC03fvlfmQl4EwFebqGR7jsuRRVZ03P9I9fKoPXJhlx/hpbavP8mkAAd
|
||||
Ye/ziA5xjzIi6j7GIpID9ULMvAW9nwPtL6p0ritjvkfx7EOJ1D30ID5Gn0BzyhgPUKiqLsR9
|
||||
zdP11Z4u85ja1cgkVXMl6IEMflMJ/qUonGX51sEGvAC9OfbshoASv9g1cohRJe0MAVG0arWj
|
||||
KkxekFXTaChVOSuzfavExtlW2eCHy2IH4LVRT2VlOiPA+dyRZuhjBMaRr9raeYnNtB+7SLWu
|
||||
XeRgMcAiwWdvKSJRIS1H1sVAlP02APy67wBeHEcMrURx0NzAZaw/7XeyPAt7+S00LJNp6qNQ
|
||||
fnecBTF5LZkfKGIentqjKKN0Ns20lyMuo5TGb2mZSdhlYRixsY/z95STNhsGe3SNzgdSpbG1
|
||||
2eB8j+uaoLj9Gjd4UF0uAhfS/xqDXF3MONZX+IjKbGnVx1MMwg/ECPjtfRu0nzm2o3jpYQgU
|
||||
XlnM/kAjGDcHgWsWyWdKVeMB+bXOwGPl6wDmcAkaj2GoUJP2B2bDnd6QHmtBQSD0jiRmqoXb
|
||||
ARisPDuTJ7VywYSND/zTkYfBpXh9YLikxYS+Vl+NtLuvILXsyOt9FV5pxNOoWKVbj3X03okC
|
||||
HAQQAQgABgUCTGdOLwAKCRCzRk+JaqFZSNlnEADIAMz9GZZwdKchx9VqWzsHKetF7ASrZuv0
|
||||
5DSzfPH9lxJQZskWDRnLLtTzpSkrMDqueu7bgKE5XIoRcPgIfKoBI/iJBZPQaoxN9aRyxrNa
|
||||
HM/F3AF2H0hc3fqUyi5+s58C5/El8Bc8oq1ePKGrOWFAFoNTYIvQJ3CNbXfw3tm56TGVKKws
|
||||
SMiH+9xk2fIBj1m8mSpAwZKo6CMjlVU3Mz3h7DNiEa0yCiESl3USCIBO1dmIRs08DNn+MZyE
|
||||
oeXSXM+eJtw+GpWGwDflnwOlKDlDj42y4K6pH6BubyfXe9ylb5DI19TV1X3wtvsqyhE+nPuT
|
||||
4V6j8Bli1YKm/KhwjkXw7KggkStS+6TMlT6EF9f7JiLbDjAqhCZ0eBvgCm/p0/TNL0lBwrf5
|
||||
90vD8QpXfnxAprdGR8O9ZEyviUqpw4JRnlRiH7TMBHVDiNCJ0eX53oyFd/TuDSTcvfyp3i2J
|
||||
GO38NQfoO0u880bpRbCiBsLcZfEAByaXp2hV/9oPEvBP+95GwbnMAR8PlmL8EDzygDElweDc
|
||||
F11FvcD6pgKQdXPubxeM6vJgcrFEozzW0mLZxXLUlv0n64YUMy/7JVoETPIEFJqAKwsMvaJy
|
||||
OHJH7ycbs2dTeWNT3KDigSM49VE8ERd7XzyncZUbRk3ZkhGgRAE0Fe1prHPDx86PClBV76hm
|
||||
hIkCHAQQAQgABgUCTGy/igAKCRDkT4AW02MPibaTD/442P0Qwf27NHs5RV+n/M2CKeG4sZmB
|
||||
epDU0XjnqjTZJYYcMtKvVJ3EPvB8qh3Y69d+pCy92pE9x+4TXj+59pSYxSaZFacW+3s1884K
|
||||
BQYe4256NjbVnxQEIStYtS4wRL1xjYBoNnPu1hq+vj+zArQ1pCWjCcM9Wzpl2tUPu7Lat7Os
|
||||
qB7HnDvgDB/HUbNgpni6EmfrWN3YlbGthnBXfGvAf3nyPwuM++GKs7a7R/6+it/dnPdke3Tb
|
||||
/aJKAC8YXlUSo4mEqpuBzz4Sk+5wBv+xS0h2GF4z+mnwsMY7ChqlyX1eLqfx+WWdO7V5CuPM
|
||||
sHMp0WxsCw4x8NPhzBzEPFlYSvYlS2z5M/RMie0g5JuXvs/ajDHZItZYJoVbeRAIVZ5q3ru4
|
||||
jR2tuSLQNo8qoqll+u7qA01zeEh3heov+FZXqoe8I1z7XOS6i7ZP745+zdbyRhi2beqEQ6XB
|
||||
7ub3jSSOUPM+x+LKxXC7bbhKLlAat5256wZnTTKRVNEUuoCFPtUR8FwzwRXl9AOl1Ekmqdfq
|
||||
M1F9TKYq3dPATHCxw/vV1QrCaIbqdJBAtf7ZLHH9B0sAZ8kudVPQeB+Ghr4KYaSPyX8Vstx6
|
||||
tl+qTyuVlkWd26OZo1mFUc9kPej7cjiXtf/XOp2mI73piU4bfTAOBHAopiNiKe25M/75bGso
|
||||
bAWSh4kCHAQQAQgABgUCTG8qxQAKCRB8Vqz+lHiX2Nc0EACkkjvmLuJz2Wp9Lq0fvdjBhGCp
|
||||
95dZFpvcBFJfX0rzifUEmbWRp9fiU9P2SJaCy392PL0gEhEi4P7Aos1rRfyXjGhxcy+TYSUA
|
||||
HaP/jQF59XED6t2ElW8+NnZNQ3NE1NnZ2ivcig09GdxvfV/Ivi3dAjYXslsd0um4pVCEEBlc
|
||||
lWw9lWRfm1V9/Zmz+/83CNuc6yVGmch9lckcq/1zxqcBE38WyP/cR6nvvuiC4NY9W6e3LobD
|
||||
eLkagJqFtsThM06Hy2mI3pDsC33nu0Za1tOV1ihJCUTxArZBDqUYWBN7C7hfx6/+IO+as+2Z
|
||||
hi8bav8mjY9j7chXREqnmJq5uTXGyI0LDuTABn+Sfr8861zPeev56GhS3/gBIsvhEik+Hym1
|
||||
1qnvlFhICo6Gq8qtXiJ9KQE+XI/bWZgFuflJdDLWT7V+DUw5+Rdqo3Qay0vHvsto+EMQLCiL
|
||||
8qLdw3eE5/lVOn9vHPccypGq5saMyS2hdS7yF8x+laj9xfIwMyp3CKTJ892K/NOh+dEhAo4J
|
||||
ZNw5tHCviE2KVRxDWNjjBOcrpONkp8o/OPe5bxCXVnV5F9oZqHCfWtXc+MTlI4dkk2dPRB3P
|
||||
JNUnKbSgX4x63th/m6oAB1JJ5DE1iT+fdDre4zBpSI3ILCxegWL4ve+hLHUWS/ubfkJtlO5z
|
||||
4w4wiLmfPokCHAQQAQgABgUCTG/44AAKCRCdC15bHuyPDso6EADTyj6fKEvSzHFo4caqYOVX
|
||||
d5kZir9ss0hzplt/csBDosMdW+wO+wxzt7jXXtfPlA0OGoFqCVEtxUGQG4qYHSbCKPd9PEHS
|
||||
ruWlcqNFAqRBi6k0phM8GeKbE0+B1u0qiyEvuG8IuP+1DlXla3yG4yEUWqprBMjl46OnTd7u
|
||||
ZKS24zOqnS4Hx9fId3s7bW1JwrVmodbx2rdHDyZKXqCpwXFJsVWe3cbh/h2lXYalDKzwbdcm
|
||||
rgDZUJp75YxlxerMiTG9Xc/4e+XOs30DKGy2cHAMitswtjXm7ZKZ8yL5pmbmDeP99XASwByB
|
||||
7Mm6KuvQSA+8ByLmkvu9XBrRq5WUG9Cx3m0Shxy7e74w5/u4LJkqrmr1wdw+gZIvWG3UuTWR
|
||||
kqJw6rEoiv8WTjJSWE5rTFVaN6YH2OuOFsTWNaUH1bc01HpEKivhk3ZiOOg2Bhxbt7i7oYJc
|
||||
Y+UHCbC3PwwktM3wEnANz9UMoIFxn/2OHdIWl09t50iaDErTmtgbfkENDdsXEcLA7qs+8vpr
|
||||
8qY+M7ycCuRat7Vu2dqopwpkhRpKtddoMNYZ5/51vFcSuz9BdCk+y+q06Ri494UPVFJsHTvn
|
||||
gjtEcxsJopZn4pddzk8g2z69BBWRv31c8xiV5X5QTf9zmRUFD06pux6dn1CUI4zoul5kW0ah
|
||||
LwQysmqgG40apYkCHAQQAQgABgUCVZLuEQAKCRDroMbHHAAlb97dEAC8oQamwtIj/SWT2PJS
|
||||
Kl3bdPdQaYI8+9ZL9xXLYyhOl8aduFVMlJ7rqkWSdwg/AGnp8nh/pQiaGsnRweqFoSte3poC
|
||||
QkNmRR3pgsZ1qqWMxqVrE37R51MSGRBEZq50diQ0sG63tzX7GSnsHXyxDjVfR4J0/ohZzyXn
|
||||
UubBB8X/C72E8CaxrFAzyrLY0zqJBMzub+b2zg5Ac0V+GK45Iz4duftmvnWf6d9aOvXsPqe9
|
||||
/BPbix8l8lCWUjfAPh0sSskI48mIi+jK6rm7+JmsF+9zIoVxlnnlFcmDxMGtapUl73BzpCKI
|
||||
tbplOogAKpA9/2pcSvf2JO26cjQm2gN7BHGfApB4qYFHb90fmSt7XUQEwxyCbsQyhS7Tb6bN
|
||||
wI8mTqajGoRZydB8WZVjRgsnnCHa9ecY3Hs1IrTMKM3gl7Kmm1tzbtAK+NMSH0mxPG3dmTbv
|
||||
NIkjOcgGTYo4r9Qt4Q6rV0zfm43dZs7AP6nECRYyMggEoHHBDh1PaPUjoUsJ4Q/b0R8yvNNC
|
||||
8defastUYtUkepBJ90FzlIJeMLf/1t/1cYX0or5wfp7DPAGxTx3+5EtyKC2Vk3JltR5QkLaj
|
||||
blZ2PIq8TTtdDprXJuOtucF33p3SwXRjA59DrxEofOf1B2cAcxvb42QgZ0ToJmfeTz9TfGDS
|
||||
adTRh+oqbbjogv0A8okCHAQQAQoABgUCTF22EQAKCRBdMo0IKqqxQBAND/sHFnas21+PsxN5
|
||||
Uo2Gr6ieI6NqP2347xT3ZAugQFDhobNJkdXexShpW/PAAxN8/JdndFtuF3nNCy6gSt9c+eLx
|
||||
uZ1srzyE9nZeXne59TDI4+ubXhuu/oXIfj0n2j7m53st6+RI5JJ3SuI9kJTOhIYA+7AHBpZp
|
||||
XUu+m8sS+Jhyy3h7tqJw4IrwwOfW9/WEwhp3Yb2zDoEBe2Na5whcjFRtCJkJub4YwL3L/D5G
|
||||
w31dFnTFQV9C8BNmyPfoHiTWRQovejmORLdNOzaHKy9a0c4fF6C92j4s9wR3KM/eaVJxM5bD
|
||||
NvP78usX8LQY5A6C/3+e7kRo1gzDoDhgYii3gDm5hItXXU0V6sTcFWWVSPGwrm+628G3VWmm
|
||||
1b57mxWn6+7Yzw01R/CyqEzovFG+M1BZrJn2JqJ8Y4pM7T0oRpi0/Ee9Dqiw4+v5I8wKCTag
|
||||
713ZLx2IdMQxIsMnmBq/819ZqjKkYpAbgteov/foku+Y8RvymE+afjxcE+aYQpYOyMPNRMRp
|
||||
Dq6CKkVErPNpI758Eav7UqUi5KyfMQ6tMh09F+mKBZvAVE7AGIbrQWhHlTCOYdSRA7uFtgSX
|
||||
TUQlMSsj/2xkorXaPoFqShOr1hiWIG78zduIGT5FxSG06j8h7j2h6W7nCj0rYaOzDNOBM9yt
|
||||
3il8eu9SeAgl2cEosRL/4IkCHAQQAQoABgUCTF5RxAAKCRA5FLUy9N++mdKJD/9Lclk6nEQu
|
||||
xlcgA/0ugEKmWn5JsNnq8ZUl78nZP6fKY0syx9v4bMA+ICQrokfwY4o6dMxcj2Us6JUp/FBV
|
||||
Z5lo2T2iPE+ucxobFslNdpZtzOQGOsOJ0N7qirafFXJ7ACtydbnCUaPfzkPYwwplHFqT+yQH
|
||||
k4RxBysHWw9a9YoBMl9KFjIwZ7Q8v0x4ywySwfRAKEzFp+ESP+hDwhlOqTBKFL1/P54lmbhG
|
||||
JHDCNbwxGLIjiAeCjomyoxpg5YdSZVyWttmsy1rxMV+ndERK5vELfZYqdlhL0quVPzd1L+g0
|
||||
m2iA4QdeGfqrCxex7olq1su60PFrMee2wFzH8YEYY70nCi6/JRTb/Vk0wNqgyNjKY434EzHn
|
||||
liuyhFvsTkQy+ciegx1lQixRxJfVnyz1BkHNDd37qL9lbzPwVqLhhh7jkjW8koPbExQGjVcH
|
||||
St2HCGDcAxyOJK9sG5a2GxPn1K/SzHXWwhVCSQN7sJSkpNmRNgjpJdOTnEtsfRC7keUEG853
|
||||
cKtWtqJw38/ye6RbXXHM9y4oiLkSWLneGH3sQFtbmdtjubLQNXE7rfuUHarwCnVHV5FaeAn9
|
||||
FNBoo9MCAZL1cuxe7CR/awAuH/JAkuZOanj2jFwvqeyfNgsB/LIlHIBTLPwVXDOZ3E7+KUMJ
|
||||
lQ45DOfhGPOSzv3QTL4gP6lcvIkCHAQQAQoABgUCTGWvlAAKCRAyJH+7QK0fpgPsD/9gJRwY
|
||||
37FXgq6tqiUO+q8H1m+VQ4y64cKNA/SMOGxV04h7o5tC3B9D/ZghAyfQ71Li88PIk8n7PAV0
|
||||
Wnbv+V/9kawa7C7Bfq4OJOGzMU0Y0JPd6LnupBtq+jtE9H1TLneCiBu05bjeLSQde438Or9w
|
||||
SV0sLwqKncwqRJY8iIjz9O44X+6+6p4CqdMYmsZV9nGM+cES6uytQ/sB/mh5PutZahslWurz
|
||||
ouec1uqTY4uuGNwOz+MJvYUNPyajcgtpH8JNQ0phlUvV+nAOJuiNXBHw8MbxNzTdLfsdtdpy
|
||||
zRH6NAMN3QHrtEGAQ8XgFnCtu6BEPpgOQIB1pMw9OiRMhkcu9uCNCY5p9NMhL1tEx92DkSyW
|
||||
lmFIF/h1Ohd4yaxnn9jwTVxxhdAxqK0rIORy+sHUSuc5LrtItNe+AnTvQeY7MRgZwJuCCohQ
|
||||
L3OLXULZajB98g6cZQJmNmtdUeqMY/QymIOH8IoY3SCOws4h4QZSSVxNczo2Ag5R5QKSpBA6
|
||||
jjsFo/VHUX0wB/KbJTb1Hl2vtID20kR7MfzACFTI9AEbwvG6CX7oWsnciom7bHEiyHWR4Olp
|
||||
tlpQk2RQ4T3RG8r9kDgJuX6KmDH6uI9CdYTuBxQgIfpEm+tfSki3LVfnOKgkRDqAJciBv+ua
|
||||
qeW7KSjNDpBC4u8pn9tyX8RhpYUP7IkCHAQQAQoABgUCTGwP9AAKCRB4U9pNSYga09OUD/9X
|
||||
xTiFFzcuev5k8MtYx7+T30Z549gFnOx6GdFgCK7GzW7ZjnofKt8e0NIQmzzCf0g1vxdulqeZ
|
||||
7Oh8iFrxpPZyOKJoO2BDKS9VnYEANQf+quUJPTdyhGqdMSDQGbSEqjLF3oNp/+jdIIMjuo3Q
|
||||
nShdK/BJPcluN7AoOFLQ3QH4Q5fEbtwc+bEJL9TfFqAhUhcY3TYnqWtsMRW3tkrgCvcp0Bo7
|
||||
LMSJB6jH4Dx5q60Am4V1Zz7C9wxtZeZP+P0h0YYWCbOmQWhzT2aCRYDrp1o3SsuatHm/bPkv
|
||||
rliBzslW8i5Hh3gv5Atn/P5bhMaXtJiGepkat/MGw1hP8BYaSb/mmy9XbdMlfDijcsAF2+w6
|
||||
w1b782oCGXgz2ISqPLsFYWccS4GOAwSytep22iwsWpIx2JNNndg4GVfgBxx3QIhci7EVN5Pv
|
||||
/586PwxTetIZmQ+FNNHcAzqBzi3oe6J8o7HlMEHjG6Dps/D2clTNHtD0vSk5ECfhSC3W8OAD
|
||||
VSuB8NxZVfI2UfnyCsdjyDLUu06fMR4gNW+zlSHI1FJBSVuU8CCQOtMPJ5fHPq3hEc0DFyLx
|
||||
8fPE02n8It0wm5RrdUkgOjiVK2n251SyAwSM6zATCFOIt6zdZWx6T/HrJw5wzI+wgsZHibVt
|
||||
i0vOA0GsAXzobE5yyhhWTnhqJgW2vKNHjYkCIgQQAQoADAUCTGLdPgWDCWYBgAAKCRDM0u2U
|
||||
0hc56aYKD/4gPLkcER4nlKdsMN5x4MuUjBbv/+Hab1+hSDxEiA0Ya2Lt3J64y03fz7J1RzIB
|
||||
djH2QGhdvuZtEohiad44DUdLNGJ98q7PPll2KPeuuth+bDa3P4h8ynVbCJRSmIkSVCRG90eE
|
||||
AibHWOgTNOmn48Rwq5zMEgwNvmgsX7ZRm7Mwggt24LIK93iBMqH7WqS1CujF+WqQygpk671e
|
||||
GUIWSUc/iBmaHZ/yoElL5cSBSPHm+ePyQsPSN7ooaWfodXXTADpQN4d5Tl1WzwZT8G5cRVLP
|
||||
4CZ4sqbzJ9EKWFMlohcf3ibT4r8H5ij8btgq0TvNcoMvCbO2P94KChQWxQSwJRftJ9/GPPo1
|
||||
7zK7pXGK1QMZNMYhvbYSdcbxG/AsmC4qJb4NVdrrxBiEye41+M+nQiT7g2GbbJ9gBCv8k7lH
|
||||
iw3B+KfNoAkQ2v2CaVMrguQuzxCs8Zpl7iKuFG+d3SGqnn8rRrRPE5AOlSk6bOr22jLyGsns
|
||||
URt6Mvh5QyVrk0G/6YW/5IMIVNuS/i12m6ireKvpPBkUIkNlS938vNqZ4LnsZ/+gBlZqmY8H
|
||||
sZEt6Wfq7efDBw8z1FLRW58xOqCY0vh4tteFJkcY1LgzK5GUddIHfYcO/Y6p/3/Vq1/ao4VJ
|
||||
Jq+HSIsqrdW1nF3EDSbwyy96uAdxuhfZLxSgRugCKyyOk4kCNwQTAQgAIQIbAwIeAQIXgAUC
|
||||
Sgdo4AULCQgHAwUVCgkICwUWAgMBAAAKCRBEl1J4uGErXaQAD/9wcX8JM24NI9mCjnHOGOuV
|
||||
eo/1Z9sefzYvhlbbTWvJsEdt5eaL0FRl+kErHtwNyEqvOTAmt860GrpekjkFYQObCsmDOiEy
|
||||
i+vJBScub9YK6TJSOQJ7f7zyIwzHgvilktujiS+/YDqd1IEyxD3QxQ9PTdjcQX/Z7enfBeei
|
||||
sBFfgRwbH32p5EtdwovrmBYtgyXUqp+lSg9kG3vvdj0bt/Fkq7Es1eEW8Sp9QqaBpo2fuzNS
|
||||
rojYfZu68coreRIV/nhuA7/ehjiVXlvzi3su+0ybJwGZXLXaM7kxXoYm5i8NDxp4p+7laXe2
|
||||
J6HUuIQM5ea4NuPu9BKIpKGxqNXQE+n4tmX3lp6QwXuZShwOXjSFsKxXvipKI4sAkxPfrPFa
|
||||
xzz/EDqUf9lzCBZ5nl6+OLv+GyTz6Meq1NGIX1N7u6XBPtdCujVbKzXd5PbEk0Y00skLFcQ4
|
||||
9FwAwDFw1XIPljQ6WttsQlV6k0yoVJZc6HHovnV1zGDviSyUdegDX9uKBmgGG8ApliPLvZ6r
|
||||
haU4yHykFHBMPfwBNBwrmthTShdPS7xh4bz5xYlay9wm2CzIVB6muK8PIyTrRfouuFivJuYA
|
||||
zoEcPBbubalC3OCocLl2xv+Qb5G7cz2hTDx9JZXUD18IeG2A2mcLeGp1zTc1qz/7h9qa0TLe
|
||||
fWpC75exhIgXVrkCDQRKB2tdARAAqsQbw2Qd1WfbJr9U1KRdwTKm2OsDODftgNv0zmfaiYCN
|
||||
iOKEsrsJdtonmaisMi+Z+5/wrf3Q0bV54qmwOMTlCVvqnpxwbVik8VVGWgUcLJYYK5Lkn0dz
|
||||
rtZs6AaT/sbFewir8q6m3ADbq9hTXxt9uUfe5Z/D4sdbhgbWtQa/DeJwWZr6VeyCHcY8BhR0
|
||||
FXYmYDZ0c1rmbZZBt+vIF4UNTNU4x6me9va6QPW0nWTEjae9ExGSPwm1B4hQd63Nop6E2Vqu
|
||||
ahdJqKVRYYmD/IqVXOxAhFRA/w9vqF95aV2BB/ZrF0FTA8iCEbFy3oNrZfq8KlJRCtcUH2qf
|
||||
igMndOt8P65omM1DQhlvterVgm2PCb1GmwLEbMi+HtLntziFozYGLTlAMcUJt7Pyu/iinzx6
|
||||
Sc4U108dmNTJLxqSZtvJFaRyHml9x7oP2gWjpuyVgo1KuEXKq2Z96S+sxE/YtPyB/cBpazZ+
|
||||
+o/i7PLhxKa1RTIA8NgkDelWeNalvYzjNkB+tXeH0UnxtBTC+PW8dyUP8OmmM/2V1Dzcj9Tm
|
||||
Ky/G04TFQyL1NjvFjzXyIUO5WpdEbSs04h5J3KM6YZJlicqB2aKAUslOi9wUIpKRK+UZBTSj
|
||||
886jynsu+HA1Ob6tcTSlwtj95RV7nBTiTM6MpPuxTmZ2DR/vLE6c7yE+XgrOx9EAEQEAAYkC
|
||||
HwQYAQgACQUCSgdrXQIbDAAKCRBEl1J4uGErXVFeD/9Q2vtN0FeOiveLwN4KAFbMLZP97bT/
|
||||
sRJkQQUZoawfbINwzGDuFrZSsWipoBLam6BnMH6OfHkUOrCToZROHYagW/nv/WTjBTX8lJt8
|
||||
SFhHh4ONPBaxF90z/YrpWlNcs/z/rqu+sm1KgCA9mkheENGOj3t97udZNfA1N4NZu67Lo6HZ
|
||||
yUUCK+eJtX6BS2HgMGokHuGha/LokTor1lkl52Y3CVfds9YDrJmlSQVhxI/S6/IajLwKFyHd
|
||||
pMiK/o8q3mYuZ7JKCBOooNnRpa4myUrBetf1p6xZqbhEAALMFJc7/8NXxesqvG7RQJ7VWyYO
|
||||
5BhgzPutqTUOVZskc3r4cvaB7CT1CsKPdW+af/I8q/C7dhTWWthirPN4DCdcTIlK9ECpba+m
|
||||
S7MQG/3ta7+/3lT3yyMKlhLkAaUlUNa/VbzUHOlVA1txJk6jcuEzWIzebEtoT/aYJZwNE+jL
|
||||
CFOC75HTGlxp7/8ngHCXn1rcBS9TQJ7CGX31HhbmNak0LtzhAS4B+fWQLrFfShTREcYD+31z
|
||||
yLns4jIKY8dehPner0Y8RX31/0eQOknRwRSl6uceu/6liJT23KHYzT3FPGHuK2QH6AHnORGS
|
||||
g6FmBsbXSzosQOKWE3sO0dzjPIE6DRKwZIJmqQKvHqeAvPsC0U7JBWlKl0eMoIuDjp9qFDKz
|
||||
BWcdiQ==
|
||||
=iUyJ
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
Binary file not shown.
4
apt/handlers/main.yml
Normal file
4
apt/handlers/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: apt update
|
||||
apt:
|
||||
update_cache: yes
|
|
@ -1,23 +1,17 @@
|
|||
galaxy_info:
|
||||
company: Evolix
|
||||
author: Evolix
|
||||
description: Add repositories to APT sources list.
|
||||
|
||||
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
|
||||
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||
|
||||
license: GPLv2
|
||||
|
||||
min_ansible_version: "2.2"
|
||||
min_ansible_version: 2.2
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
|
||||
galaxy_tags: []
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
# to this list.
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
regexp: "backports"
|
||||
state: absent
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Backports sources list is installed
|
||||
template:
|
||||
|
@ -13,9 +13,9 @@
|
|||
dest: /etc/apt/sources.list.d/backports.list
|
||||
force: yes
|
||||
mode: "0640"
|
||||
register: apt_backports_list
|
||||
notify: apt update
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Backports configuration
|
||||
copy:
|
||||
|
@ -23,23 +23,11 @@
|
|||
dest: /etc/apt/preferences.d/0-backports-defaults
|
||||
force: yes
|
||||
mode: "0640"
|
||||
register: apt_backports_config
|
||||
notify: apt update
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Archived backport are accepted (jessie)
|
||||
lineinfile:
|
||||
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
|
||||
line: 'Acquire::Check-Valid-Until no;'
|
||||
create: yes
|
||||
state: present
|
||||
when: ansible_distribution_release == "jessie"
|
||||
- name: Intermediate flush of handlers
|
||||
meta: flush_handlers
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Apt update
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: apt_backports_list is changed or apt_backports_config is changed
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -6,28 +6,11 @@
|
|||
dest: /etc/apt/sources.list
|
||||
mode: "0644"
|
||||
force: yes
|
||||
register: apt_basic_list
|
||||
notify: apt update
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Clean GANDI sources.list.d/debian-security.list
|
||||
file:
|
||||
path: '{{ item }}'
|
||||
state: absent
|
||||
loop:
|
||||
- /etc/apt/sources.list.d/debian-security.list
|
||||
- /etc/apt/sources.list.d/debian-jessie.list
|
||||
- /etc/apt/sources.list.d/debian-stretch.list
|
||||
- /etc/apt/sources.list.d/debian-buster.list
|
||||
- /etc/apt/sources.list.d/debian-bullseye.list
|
||||
- /etc/apt/sources.list.d/debian-update.list
|
||||
when: apt_clean_gandi_sourceslist | bool
|
||||
- name: Intermediate flush of handlers
|
||||
meta: flush_handlers
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Apt update
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: apt_basic_list is changed
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -1,41 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Evolinux config for APT
|
||||
lineinfile:
|
||||
dest: /etc/apt/apt.conf.d/z-evolinux.conf
|
||||
line: "{{ item.line }}"
|
||||
regexp: "{{ item.regexp }}"
|
||||
create: yes
|
||||
state: present
|
||||
mode: "0640"
|
||||
loop:
|
||||
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
|
||||
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
|
||||
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
|
||||
when: apt_evolinux_config | bool
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: DPkg invoke hooks
|
||||
lineinfile:
|
||||
dest: /etc/apt/apt.conf.d/z-evolinux.conf
|
||||
line: "{{ item }}"
|
||||
create: yes
|
||||
state: present
|
||||
mode: "0640"
|
||||
loop:
|
||||
- "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
|
||||
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
|
||||
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
|
||||
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
|
||||
when: apt_hooks | bool
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Remove Aptitude
|
||||
apt:
|
||||
name: aptitude
|
||||
state: absent
|
||||
when: apt_remove_aptitude | bool
|
||||
tags:
|
||||
- apt
|
|
@ -1,31 +1,17 @@
|
|||
---
|
||||
|
||||
- name: Look for legacy apt keyring
|
||||
stat:
|
||||
path: /etc/apt/trusted.gpg
|
||||
register: _trusted_gpg_keyring
|
||||
tags:
|
||||
- apt
|
||||
# - name: Fail if distribution is not supported
|
||||
# fail:
|
||||
# msg: "Error: Evolix public repository is not compatble with 'Debian Stretch' yet."
|
||||
# when: ansible_distribution_release == "stretch"
|
||||
# tags:
|
||||
# - apt
|
||||
|
||||
- name: Evolix embedded GPG key is absent
|
||||
apt_key:
|
||||
id: "B8612B5D"
|
||||
keyring: /etc/apt/trusted.gpg
|
||||
state: absent
|
||||
when: _trusted_gpg_keyring.stat.exists
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Add Evolix GPG key
|
||||
copy:
|
||||
src: reg.asc
|
||||
dest: /etc/apt/trusted.gpg.d/reg.asc
|
||||
force: yes
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
tags:
|
||||
- apt
|
||||
apt_key:
|
||||
keyserver: "hkp://keyserver.ubuntu.com:80"
|
||||
id: 44975278B8612B5D
|
||||
|
||||
- name: Evolix public list is installed
|
||||
template:
|
||||
|
@ -33,13 +19,11 @@
|
|||
dest: /etc/apt/sources.list.d/evolix_public.list
|
||||
force: yes
|
||||
mode: "0640"
|
||||
register: apt_evolix_public
|
||||
notify: apt update
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Apt update
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: apt_evolix_public is changed
|
||||
- name: Intermediate flush of handlers
|
||||
meta: flush_handlers
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -1,99 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "hold packages (apt)"
|
||||
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
check_mode: no
|
||||
register: apt_mark
|
||||
changed_when: "item + ' set on hold.' in apt_mark.stdout"
|
||||
failed_when:
|
||||
- apt_mark.rc != 0
|
||||
- apt_mark.stdout | length > 0
|
||||
loop: "{{ apt_hold_packages }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: "/etc/evolinux is present"
|
||||
file:
|
||||
dest: /etc/evolinux
|
||||
mode: "0700"
|
||||
state: directory
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: "hold packages (config)"
|
||||
lineinfile:
|
||||
dest: /etc/evolinux/apt_hold_packages.cf
|
||||
line: "{{ item }}"
|
||||
create: True
|
||||
state: present
|
||||
loop: "{{ apt_hold_packages }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: "unhold packages (apt)"
|
||||
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
check_mode: no
|
||||
register: apt_mark
|
||||
changed_when: "'Canceled hold on' + item in apt_mark.stdout"
|
||||
failed_when: apt_mark.rc != 0 and not apt_mark.stdout = ''
|
||||
loop: "{{ apt_unhold_packages }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: "unhold packages (config)"
|
||||
lineinfile:
|
||||
dest: /etc/evolinux/apt_hold_packages.cf
|
||||
line: "{{ item }}"
|
||||
create: True
|
||||
state: absent
|
||||
loop: "{{ apt_unhold_packages }}"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: /usr/share/scripts exists
|
||||
file:
|
||||
dest: /usr/share/scripts
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
state: directory
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Check scripts is installed
|
||||
copy:
|
||||
src: check_held_packages.sh
|
||||
dest: /usr/share/scripts/check_held_packages.sh
|
||||
force: yes
|
||||
mode: "0755"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Check if Cron is installed
|
||||
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||
register: is_cron
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Check for held packages (script)
|
||||
cron:
|
||||
cron_file: apt-hold-packages
|
||||
name: check_held_packages
|
||||
job: "/usr/share/scripts/check_held_packages.sh"
|
||||
user: root
|
||||
minute: "{{ apt_check_hold_cron_minute }}"
|
||||
hour: "{{ apt_check_hold_cron_hour }}"
|
||||
weekday: "{{ apt_check_hold_cron_weekday }}"
|
||||
day: "{{ apt_check_hold_cron_day }}"
|
||||
month: "{{ apt_check_hold_cron_month }}"
|
||||
state: "present"
|
||||
when: is_cron.rc == 0
|
||||
tags:
|
||||
- apt
|
|
@ -1,53 +1,31 @@
|
|||
---
|
||||
|
||||
- name: "Compatibility check"
|
||||
- name: Fail if distribution is not supported
|
||||
fail:
|
||||
msg: only compatible with Debian >= 8
|
||||
msg: "Error: '{{ ansible_os_family }} {{ ansible_distribution_release }}' is not a supported distribution."
|
||||
when:
|
||||
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
|
||||
- ansible_distribution_release != "jessie"
|
||||
- ansible_distribution_release != "stretch"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Custom configuration
|
||||
include: config.yml
|
||||
when: apt_config | bool
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Install basics repositories
|
||||
include: basics.yml
|
||||
when: apt_install_basics | bool
|
||||
when: apt_install_basics
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Install APT Backports repository
|
||||
include: backports.yml
|
||||
when: apt_install_backports | bool
|
||||
when: apt_install_backports
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- debug:
|
||||
var: apt_install_evolix_public
|
||||
|
||||
- name: Install Evolix Public APT repository
|
||||
include: evolix_public.yml
|
||||
when: apt_install_evolix_public | bool
|
||||
when: apt_install_evolix_public
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Install check for packages marked hold
|
||||
include: hold_packages.yml
|
||||
when: apt_install_hold_packages | bool
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Updating APT cache
|
||||
apt:
|
||||
update_cache: yes
|
||||
changed_when: False
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Upgrading system
|
||||
apt:
|
||||
upgrade: dist
|
||||
when: apt_upgrade | bool
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }}
|
|
@ -1,5 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
|
||||
deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
|
|
@ -1,3 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian buster-backports {{ apt_backports_components | mandatory }}
|
|
@ -1,5 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian/ buster-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}
|
|
@ -1,3 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://archive.debian.org/debian jessie-backports {{ apt_backports_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian jessie-backports {{ apt_backports_components | mandatory }}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian/ jessie-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }}
|
||||
|
|
|
@ -9,5 +9,3 @@ Minimal configuration is in `tasks/main.yml`
|
|||
## Available variables
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
||||
waening : sync chroot-bind.sh
|
||||
|
|
|
@ -1,11 +1,6 @@
|
|||
---
|
||||
bind_recursive_server: False
|
||||
bind_authoritative_server: True
|
||||
bind_chroot_set: True
|
||||
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
|
||||
#bind_chroot_path: /var/chroot-bind
|
||||
bind_systemd_service_path: /etc/systemd/system/bind9.service
|
||||
bind_chroot_root: /var/chroot-bind
|
||||
bind_statistics_file: /var/run/named.stats
|
||||
bind_log_file: /var/log/bind.log
|
||||
bind_query_file: /var/log/bind_queries.log
|
||||
bind_cache_dir: /var/cache/bind
|
||||
bind_query_file: /var/log/query.log
|
||||
|
|
|
@ -1,76 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Gregory Colpart <reg@debian.org>
|
||||
# chroot (or re-chroot) script for bind9
|
||||
|
||||
# tested on Debian Wheezy/Jessie/Stretch
|
||||
# Exec this script after `(apt-get|aptitude|apt) install bind9`
|
||||
# and after *each* bind9 upgrade
|
||||
|
||||
# When the script is finished, ensure you have
|
||||
# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
|
||||
# and /etc/init.d/bind9 (re)start
|
||||
#
|
||||
# for Jessie/systemd only:
|
||||
# cp -a /lib/systemd/system/bind9.service /etc/systemd/system/
|
||||
# and modify section [Service] to have :
|
||||
# EnvironmentFile=-/etc/default/bind9
|
||||
# ExecStart=/usr/sbin/named -f $OPTIONS
|
||||
|
||||
# essential dirs
|
||||
mkdir -p /var/chroot-bind
|
||||
mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
|
||||
/var/chroot-bind/lib /var/chroot-bind/usr/lib \
|
||||
/var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
|
||||
/var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \
|
||||
/var/chroot-bind/run/named/
|
||||
|
||||
# for conf
|
||||
if [ ! -h "/etc/bind" ]; then
|
||||
mv /etc/bind/ /var/chroot-bind/etc/
|
||||
ln -s /var/chroot-bind/etc/bind/ /etc/bind
|
||||
fi
|
||||
|
||||
# for logs
|
||||
touch /var/chroot-bind/var/log/bind.log
|
||||
if [ ! -h "/var/log/bind.log" ]; then
|
||||
ln -s /var/chroot-bind/var/log/bind.log /var/log/bind.log
|
||||
fi
|
||||
|
||||
# for pid
|
||||
if [ -f "/var/run/named/named.pid" ]; then
|
||||
cat /var/run/named/named.pid > /var/chroot-bind/var/run/named/named.pid
|
||||
rm -f /var/run/named/named.pid
|
||||
fi
|
||||
|
||||
if [ ! -e "/var/chroot-bind/dev/random" ]; then
|
||||
mknod /var/chroot-bind/dev/random c 1 8
|
||||
chmod 666 /var/chroot-bind/dev/random
|
||||
fi
|
||||
|
||||
if [ ! -e "/var/chroot-bind/dev/urandom" ]; then
|
||||
mknod /var/chroot-bind/dev/urandom c 1 9
|
||||
chmod 666 /var/chroot-bind/dev/urandom
|
||||
fi
|
||||
|
||||
# essential dev (hum, null is required ??)
|
||||
#mknod /var/chroot-bind/dev/null c 1 3
|
||||
#chmod 666 /var/chroot-bind/dev/{null,random}
|
||||
|
||||
# essential libs
|
||||
for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \
|
||||
/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do
|
||||
install -D $i /var/chroot-bind/${i##/}
|
||||
done
|
||||
|
||||
# essential (hum, bash is required ??)
|
||||
#cp /bin/bash /var/chroot-bind/bin/
|
||||
cp /usr/sbin/named /var/chroot-bind/usr/sbin/
|
||||
|
||||
# minimal passwd & group file (hum, is required ??)
|
||||
#grep "bind\|root" /etc/passwd > /var/chroot-bind/etc/passwd
|
||||
#grep "bind\|root" /etc/group > /var/chroot-bind/etc/group
|
||||
|
||||
# just bind
|
||||
chown -R bind.bind /var/chroot-bind/
|
||||
|
|
@ -1,12 +1,4 @@
|
|||
---
|
||||
- name: reload systemd
|
||||
command: systemctl daemon-reload
|
||||
|
||||
- name: restart apparmor
|
||||
service:
|
||||
name: apparmor
|
||||
state: restarted
|
||||
|
||||
- name: restart bind
|
||||
service:
|
||||
name: bind9
|
||||
|
@ -17,3 +9,4 @@
|
|||
name: munin-node
|
||||
state: restarted
|
||||
|
||||
|
||||
|
|
|
@ -1,23 +1,17 @@
|
|||
galaxy_info:
|
||||
company: Evolix
|
||||
author: Evolix
|
||||
description: Installation and basic configuration of bind9.
|
||||
|
||||
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
|
||||
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||
|
||||
license: GPLv2
|
||||
|
||||
min_ansible_version: "2.2"
|
||||
min_ansible_version: 2.2
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
|
||||
galaxy_tags: []
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
# to this list.
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
|
|
|
@ -1,59 +1,24 @@
|
|||
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
|
||||
- name: set chroot variables
|
||||
set_fact:
|
||||
bind_log_file: /var/log/bind.log
|
||||
bind_query_file: /var/log/bind_queries.log
|
||||
bind_cache_dir: /var/cache/bind
|
||||
bind_statistics_file: /var/run/named.stats
|
||||
bind_chroot_path: /var/chroot-bind
|
||||
when: bind_chroot_set | bool
|
||||
|
||||
- name: configure apparmor
|
||||
template:
|
||||
src: apparmor.usr.sbin.named.j2
|
||||
dest: /etc/apparmor.d/usr.sbin.named
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
force: yes
|
||||
notify: restart apparmor
|
||||
|
||||
- name: package are installed
|
||||
- name: Ensure bind9 installed
|
||||
apt:
|
||||
name:
|
||||
- bind9
|
||||
- dnstop
|
||||
name: bind9
|
||||
state: present
|
||||
|
||||
- name: Set bind configuration for recursive server
|
||||
- name: Set bind configuration
|
||||
template:
|
||||
src: named.conf.options_recursive.j2
|
||||
src: named.conf.options.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_recursive_server | bool
|
||||
|
||||
- name: enable zones.rfc1918 for recursive server
|
||||
lineinfile:
|
||||
dest: /etc/bind/named.conf.local
|
||||
line: 'include "/etc/bind/zones.rfc1918";'
|
||||
regexp: "zones.rfc1918"
|
||||
- name: Modify OPTIONS in /etc/default/bind9
|
||||
replace:
|
||||
dest: /etc/default/bind9
|
||||
regexp: '^OPTIONS=.*'
|
||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_root }}"'
|
||||
notify: restart bind
|
||||
when: bind_recursive_server | bool
|
||||
|
||||
- name: Set bind configuration for authoritative server
|
||||
template:
|
||||
src: named.conf.options_authoritative.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_authoritative_server | bool
|
||||
|
||||
- name: Create systemd service
|
||||
template:
|
||||
|
@ -63,67 +28,174 @@
|
|||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart bind
|
||||
when: ansible_distribution_release == "jessie"
|
||||
notify: restart bind
|
||||
|
||||
- name: "touch {{ bind_log_file }} if non chroot"
|
||||
- name: Create directories
|
||||
file:
|
||||
path: "{{ bind_log_file }}"
|
||||
path: "{{ bind_chroot_root }}/{{ item }}"
|
||||
state: directory
|
||||
owner: bind
|
||||
group: adm
|
||||
mode: "0640"
|
||||
state: touch
|
||||
when: not (bind_chroot_set | bool)
|
||||
|
||||
- name: "touch {{ bind_query_file }} if non chroot"
|
||||
file:
|
||||
path: "{{ bind_query_file }}"
|
||||
owner: bind
|
||||
group: adm
|
||||
mode: "0640"
|
||||
state: touch
|
||||
when: not (bind_chroot_set | bool)
|
||||
|
||||
- name: send chroot-bind.sh in /root
|
||||
copy:
|
||||
src: chroot-bind.sh
|
||||
dest: /root/chroot-bind.sh
|
||||
group: bind
|
||||
mode: "0700"
|
||||
owner: root
|
||||
force: yes
|
||||
backup: yes
|
||||
when: bind_chroot_set | bool
|
||||
recurse: no
|
||||
with_items:
|
||||
- bin
|
||||
- dev
|
||||
- etc
|
||||
- lib
|
||||
- usr/lib
|
||||
- usr/sbin
|
||||
- var/cache/bind
|
||||
- var/log
|
||||
- var/run/bind/run
|
||||
register: create_bind_dir
|
||||
notify: restart bind
|
||||
|
||||
- name: exec chroot-bind.sh
|
||||
command: "/root/chroot-bind.sh"
|
||||
register: chrootbind_run
|
||||
- name: Stat /etc/bind
|
||||
stat:
|
||||
path: "/etc/bind"
|
||||
check_mode: no
|
||||
register: etc_bind
|
||||
|
||||
- name: Move /etc/bind in chroot
|
||||
command: "mv /etc/bind/ {{ bind_chroot_root }}/etc/"
|
||||
when: etc_bind.stat.exists and not etc_bind.stat.islnk
|
||||
notify: restart bind
|
||||
|
||||
- name: Create symlink
|
||||
file:
|
||||
src: "{{ bind_chroot_root }}/etc/bind"
|
||||
dest: "/etc/bind"
|
||||
state: link
|
||||
notify: restart bind
|
||||
|
||||
- name: is there a log file?
|
||||
stat:
|
||||
path: "{{ bind_chroot_root }}/var/log/bind.log"
|
||||
register: bind_log
|
||||
|
||||
- name: create log file
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}/var/log/bind.log"
|
||||
state: touch
|
||||
when: not bind_log.stat.exists
|
||||
|
||||
- name: verify log file permissions
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}/var/log/bind.log"
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0640"
|
||||
state: file
|
||||
|
||||
- name: Create log symlink
|
||||
file:
|
||||
src: "{{ bind_chroot_root }}/var/log/bind.log"
|
||||
dest: "/var/log/bind.log"
|
||||
state: link
|
||||
notify: restart bind
|
||||
|
||||
- name: Create run directory
|
||||
file:
|
||||
path: "/var/run/bind/run"
|
||||
state: directory
|
||||
owner: root
|
||||
group: bind
|
||||
mode: "0770"
|
||||
recurse: yes
|
||||
notify: restart bind
|
||||
|
||||
- name: "Stat var/run/bind/run/named in chroot"
|
||||
stat:
|
||||
path: "{{ bind_chroot_root }}/var/run/bind/run/named"
|
||||
check_mode: no
|
||||
register: named_run
|
||||
|
||||
- name: "Clean var/run/bind/run/named in chroot"
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}/var/run/bind/run/named"
|
||||
state: absent
|
||||
when: named_run.stat.exists and named_run.stat.isdir
|
||||
|
||||
- name: Clean /var/run/bind/run/named.pid
|
||||
file:
|
||||
path: "/var/run/bind/run/named.pid"
|
||||
state: absent
|
||||
when: named_run.stat.exists and named_run.stat.isdir
|
||||
|
||||
- name: Stat /var/run/bind/run/named.pid
|
||||
stat:
|
||||
path: "/var/run/bind/run/named.pid"
|
||||
check_mode: no
|
||||
register: named_pid
|
||||
|
||||
- name: Cat pid content
|
||||
command: "cat /var/run/bind/run/named.pid > {{ bind_chroot_root }}/var/run/bind/run/named.pid"
|
||||
when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk
|
||||
|
||||
- name: Clean /var/run/bind/run/named.pid
|
||||
file:
|
||||
path: "/var/run/bind/run/named.pid"
|
||||
state: absent
|
||||
when: named_pid.stat.exists and named_pid.stat.isreg and not named_pid.stat.islnk
|
||||
|
||||
- name: Clean /var/run/bind/run/named.pid
|
||||
file:
|
||||
path: "/var/run/bind/run/named.pid"
|
||||
state: absent
|
||||
when: named_pid.stat.exists and not named_pid.stat.islnk
|
||||
|
||||
- name: Create pid symlink in chroot
|
||||
file:
|
||||
src: "{{ bind_chroot_root }}/var/run/bind/run/named.pid"
|
||||
dest: "/var/run/bind/run/named.pid"
|
||||
state: link
|
||||
when: named_pid.stat.exists and not named_pid.stat.islnk
|
||||
notify: restart bind
|
||||
|
||||
- name: "Stat dev/random in chroot"
|
||||
stat:
|
||||
path: "{{ bind_chroot_root }}/dev/random"
|
||||
check_mode: no
|
||||
register: named_random
|
||||
|
||||
- name: clean dev/random in chroot
|
||||
shell: "mv {{ bind_chroot_root }}/dev/random {{ bind_chroot_root }}/dev/random.$(date +%s)"
|
||||
when: named_random.stat.exists and not named_random.stat.ischr
|
||||
|
||||
- name: mknod dev/random in chroot
|
||||
command: "mknod -m 666 {{ bind_chroot_root }}/dev/random c 1 3"
|
||||
args:
|
||||
creates: "{{ bind_chroot_root }}/dev/random"
|
||||
notify: restart bind
|
||||
|
||||
- name: get essential libraries
|
||||
shell: 'ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1 | grep -oE "\S+"'
|
||||
register: bind_ldd
|
||||
check_mode: no
|
||||
changed_when: False
|
||||
when: bind_chroot_set | bool
|
||||
|
||||
- debug:
|
||||
var: chrootbind_run.stdout_lines
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- chrootbind_run.stdout | length > 0
|
||||
|
||||
- name: Modify OPTIONS in /etc/default/bind9 for chroot
|
||||
replace:
|
||||
dest: /etc/default/bind9
|
||||
regexp: '^OPTIONS=.*'
|
||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
||||
notify: restart bind
|
||||
when: bind_chroot_set | bool
|
||||
|
||||
- name: logrotate for bind
|
||||
template:
|
||||
src: logrotate_bind.j2
|
||||
dest: /etc/logrotate.d/bind9
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
- name: copy essential libs
|
||||
command: "install -D {{ item }} {{ bind_chroot_root }}{{ item }}"
|
||||
args:
|
||||
creates: "{{ bind_chroot_root }}{{ item }}"
|
||||
with_items:
|
||||
- "{{ bind_ldd.stdout_lines }}"
|
||||
- /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
|
||||
register: install_libraries
|
||||
notify: restart bind
|
||||
|
||||
- include: munin.yml
|
||||
- name: Copy bind
|
||||
copy:
|
||||
src: /usr/sbin/named
|
||||
dest: "{{ bind_chroot_root }}/usr/sbin/"
|
||||
remote_src: True
|
||||
notify: restart bind
|
||||
|
||||
- name: Set the good rights
|
||||
file:
|
||||
path: "{{ bind_chroot_root }}"
|
||||
owner: bind
|
||||
group: bind
|
||||
recurse: yes
|
||||
notify: restart bind
|
||||
|
|
|
@ -9,47 +9,29 @@
|
|||
- bind
|
||||
- munin
|
||||
|
||||
- name: Enable munin plugins for authoritative server
|
||||
- name: Enable munin plugins
|
||||
file:
|
||||
src: "/usr/share/munin/plugins/{{ item }}"
|
||||
dest: "/etc/munin/plugins/{{ item }}"
|
||||
state: link
|
||||
loop:
|
||||
with_items:
|
||||
- bind9
|
||||
- bind9_rndc
|
||||
notify: restart munin-node
|
||||
when:
|
||||
- bind_authoritative_server
|
||||
- munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
|
||||
- munin
|
||||
|
||||
- name: Enable munin plugins for recursive server
|
||||
file:
|
||||
src: "/usr/share/munin/plugins/{{ item }}"
|
||||
dest: "/etc/munin/plugins/{{ item }}"
|
||||
state: link
|
||||
loop:
|
||||
- bind9
|
||||
- bind9_rndc
|
||||
notify: restart munin-node
|
||||
when:
|
||||
- bind_recursive_server
|
||||
- munin_node_plugins_config.stat.exists
|
||||
notify: restart munin
|
||||
when: munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
|
||||
- munin
|
||||
|
||||
- name: Add munin plugin configuration
|
||||
template:
|
||||
src: munin-env_bind9.j2
|
||||
src: bind9.j2
|
||||
dest: /etc/munin/plugin-conf.d/bind9
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart munin-node
|
||||
notify: restart munin
|
||||
when: munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
|
||||
|
|
|
@ -1,95 +0,0 @@
|
|||
# vim:syntax=apparmor
|
||||
# Last Modified: Tue Mar 9 14:17:50 EST 2021
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/sbin/named flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
capability sys_resource,
|
||||
|
||||
# /etc/bind should be read-only for bind
|
||||
# /var/lib/bind is for dynamically updated zone (and journal) files.
|
||||
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
|
||||
# See /usr/share/doc/bind9/README.Debian.gz
|
||||
/etc/bind/** r,
|
||||
/var/lib/bind/** rw,
|
||||
/var/lib/bind/ rw,
|
||||
/var/cache/bind/** lrw,
|
||||
/var/cache/bind/ rw,
|
||||
|
||||
# Database file used by allow-new-zones
|
||||
/var/cache/bind/_default.nzd-lock rwk,
|
||||
|
||||
# gssapi
|
||||
/etc/krb5.keytab kr,
|
||||
/etc/bind/krb5.keytab kr,
|
||||
|
||||
# ssl
|
||||
/etc/ssl/openssl.cnf r,
|
||||
|
||||
# root hints from dns-data-root
|
||||
/usr/share/dns/root.* r,
|
||||
|
||||
# GeoIP data files for GeoIP ACLs
|
||||
/usr/share/GeoIP/** r,
|
||||
|
||||
# dnscvsutil package
|
||||
/var/lib/dnscvsutil/compiled/** rw,
|
||||
|
||||
# Allow changing worker thread names
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
@{PROC}/net/if_inet6 r,
|
||||
@{PROC}/*/net/if_inet6 r,
|
||||
@{PROC}/sys/net/ipv4/ip_local_port_range r,
|
||||
/usr/sbin/named mr,
|
||||
/{,var/}run/named/named.pid w,
|
||||
/{,var/}run/named/session.key w,
|
||||
# support for resolvconf
|
||||
/{,var/}run/named/named.options r,
|
||||
|
||||
# some people like to put logs in /var/log/named/ instead of having
|
||||
# syslog do the heavy lifting.
|
||||
{{ bind_log_file }} rw,
|
||||
{{ bind_query_file }} rw,
|
||||
|
||||
# gssapi
|
||||
/var/lib/sss/pubconf/krb5.include.d/** r,
|
||||
/var/lib/sss/pubconf/krb5.include.d/ r,
|
||||
/var/lib/sss/mc/initgroups r,
|
||||
/etc/gss/mech.d/ r,
|
||||
|
||||
# ldap
|
||||
/etc/ldap/ldap.conf r,
|
||||
/{,var/}run/slapd-*.socket rw,
|
||||
|
||||
# dynamic updates
|
||||
/var/tmp/DNS_* rw,
|
||||
|
||||
# dyndb backends
|
||||
/usr/lib/bind/*.so rm,
|
||||
|
||||
# Samba DLZ
|
||||
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
|
||||
/var/lib/samba/bind-dns/dns.keytab rk,
|
||||
/var/lib/samba/bind-dns/named.conf r,
|
||||
/var/lib/samba/bind-dns/dns/** rwk,
|
||||
/var/lib/samba/private/dns.keytab rk,
|
||||
/var/lib/samba/private/named.conf r,
|
||||
/var/lib/samba/private/dns/** rwk,
|
||||
/etc/samba/smb.conf r,
|
||||
/dev/urandom rwmk,
|
||||
owner /var/tmp/krb5_* rwk,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.sbin.named>
|
||||
}
|
||||
|
6
bind/templates/bind9.j2
Normal file
6
bind/templates/bind9.j2
Normal file
|
@ -0,0 +1,6 @@
|
|||
[bind*]
|
||||
user root
|
||||
env.logfile {{ bind_query_file }}
|
||||
env.querystats {{ bind_chroot_root }}{{ bind_statistics_file }}
|
||||
env.MUNIN_PLUGSTATE /var/lib/munin
|
||||
timeout 120
|
|
@ -1,3 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Unit]
|
||||
Description=BIND Domain Name Server
|
||||
Documentation=man:named(8)
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
{% if bind_chroot_set %}
|
||||
{{ bind_chroot_path }}{{bind_log_file}} {
|
||||
{% else %}
|
||||
{{bind_log_file}} {
|
||||
{% endif %}
|
||||
weekly
|
||||
missingok
|
||||
rotate 52
|
||||
create 640 bind bind
|
||||
sharedscripts
|
||||
postrotate
|
||||
rndc reload > /dev/null
|
||||
endscript
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
[bind*]
|
||||
user root
|
||||
|
||||
env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
|
||||
{% if bind_authoritative_server %}
|
||||
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
|
||||
{% endif %}
|
||||
env.MUNIN_PLUGSTATE /var/lib/munin
|
||||
timeout 120
|
58
bind/templates/named.conf.options.j2
Normal file
58
bind/templates/named.conf.options.j2
Normal file
|
@ -0,0 +1,58 @@
|
|||
// {{ ansible_managed }}
|
||||
|
||||
options {
|
||||
directory "/var/cache/bind";
|
||||
|
||||
// If there is a firewall between you and nameservers you want
|
||||
// to talk to, you may need to fix the firewall to allow multiple
|
||||
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
|
||||
|
||||
// If your ISP provided one or more IP addresses for stable
|
||||
// nameservers, you probably want to use them as forwarders.
|
||||
// Uncomment the following block, and insert the addresses replacing
|
||||
// the all-0's placeholder.
|
||||
|
||||
// forwarders {
|
||||
// 0.0.0.0;
|
||||
// };
|
||||
|
||||
version "Bingo";
|
||||
|
||||
auth-nxdomain no; # conform to RFC1035
|
||||
//listen-on-v6 { ::1; };
|
||||
//listen-on { 127.0.0.1; };
|
||||
|
||||
allow-query { localhost;};
|
||||
allow-transfer { localhost; };
|
||||
allow-recursion { localhost; };
|
||||
|
||||
statistics-file "/var/run/named.stats";
|
||||
};
|
||||
|
||||
logging {
|
||||
//category default { default_syslog; default_debug; };
|
||||
category default { default_debug; };
|
||||
|
||||
channel default_syslog {
|
||||
syslog daemon;
|
||||
severity info;
|
||||
};
|
||||
|
||||
channel default_debug {
|
||||
file "/var/log/bind.log";
|
||||
severity debug;
|
||||
};
|
||||
channel query {
|
||||
file "/var/log/query.log" versions 2 size 1m;
|
||||
print-time yes;
|
||||
severity info;
|
||||
};
|
||||
category queries { query; };
|
||||
};
|
||||
|
||||
//key "external" {
|
||||
// algorithm hmac-md5;
|
||||
// secret "UOQfHEoBzBSC6sD4mwfxLw==";
|
||||
//};
|
||||
//
|
||||
//server 85.118.59.1 { keys external; };
|
|
@ -1,35 +0,0 @@
|
|||
acl "foo" {
|
||||
::ffff:192.0.2.21; 192.0.2.21;
|
||||
2001:db8::21;
|
||||
};
|
||||
|
||||
options {
|
||||
directory "{{ bind_cache_dir }}";
|
||||
version "Bingo";
|
||||
auth-nxdomain no;
|
||||
masterfile-format text;
|
||||
statistics-file "{{ bind_statistics_file }}";
|
||||
|
||||
listen-on-v6 { any; };
|
||||
listen-on { any; };
|
||||
|
||||
allow-query { localhost; };
|
||||
allow-recursion { localhost; };
|
||||
allow-transfer { localhost; };
|
||||
};
|
||||
|
||||
logging {
|
||||
category default { default_file; };
|
||||
category queries { query_logging; };
|
||||
|
||||
channel default_file {
|
||||
file "{{ bind_log_file }}";
|
||||
severity info;
|
||||
};
|
||||
channel query_logging {
|
||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||
print-category yes;
|
||||
print-severity yes;
|
||||
print-time yes;
|
||||
};
|
||||
};
|
|
@ -1,24 +0,0 @@
|
|||
options {
|
||||
directory "{{ bind_cache_dir }}";
|
||||
version "Bingo";
|
||||
auth-nxdomain no;
|
||||
listen-on-v6 { ::1; };
|
||||
listen-on { 127.0.0.1; };
|
||||
allow-recursion { ::1; 127.0.0.1; };
|
||||
};
|
||||
|
||||
logging {
|
||||
category default { default_file; };
|
||||
category queries { query_logging; };
|
||||
|
||||
channel default_file {
|
||||
file "{{ bind_log_file }}";
|
||||
severity info;
|
||||
};
|
||||
channel query_logging {
|
||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||
print-category yes;
|
||||
print-severity yes;
|
||||
print-time yes;
|
||||
};
|
||||
};
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
|
||||
# Force facts until Debian 11 is released because Ansible is dumb
|
||||
- set_fact:
|
||||
ansible_distribution_major_version: 11
|
||||
ansible_distribution: "Debian"
|
||||
ansible_distribution_release: "bullseye"
|
||||
when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'"
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
|
||||
certbot_work_dir: /var/lib/letsencrypt
|
||||
certbot_custom_crontab: True
|
||||
|
||||
certbot_hooks_sync_remote_servers: []
|
|
@ -1,11 +0,0 @@
|
|||
# /etc/cron.d/certbot: crontab entries for the certbot package
|
||||
#
|
||||
# Upstream recommends attempting renewal twice a day
|
||||
#
|
||||
# Eventually, this will be an opportunity to validate certificates
|
||||
# haven't been revoked, etc. Renewal will only occur if expiration
|
||||
# is within 30 days.
|
||||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-upgrade -q renew
|
|
@ -1,44 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
}
|
||||
debug() {
|
||||
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof apache2)" && test -n "${apache2ctl_bin}"
|
||||
}
|
||||
config_check() {
|
||||
${apache2ctl_bin} configtest > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
grep -q -r -E "letsencrypt" /etc/apache2/
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
if letsencrypt_used; then
|
||||
if config_check; then
|
||||
debug "Apache detected... reloading"
|
||||
systemctl reload apache2
|
||||
else
|
||||
error "Apache config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
debug "Apache doesn't use Let's Encrypt certificate. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Apache is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly apache2ctl_bin=$(command -v apache2ctl)
|
||||
|
||||
main
|
|
@ -1,44 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
}
|
||||
debug() {
|
||||
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof dovecot)" && test -n "${doveconf_bin}"
|
||||
}
|
||||
config_check() {
|
||||
${doveconf_bin} > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
if letsencrypt_used; then
|
||||
if config_check; then
|
||||
debug "Dovecot detected... reloading"
|
||||
systemctl reload dovecot
|
||||
else
|
||||
error "Dovecot config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Dovecot is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly doveconf_bin=$(command -v doveconf)
|
||||
|
||||
main
|
|
@ -1,93 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
}
|
||||
debug() {
|
||||
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
|
||||
}
|
||||
found_renewed_lineage() {
|
||||
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
|
||||
}
|
||||
config_check() {
|
||||
${haproxy_bin} -c -f "${haproxy_config_file}" > /dev/null 2>&1
|
||||
}
|
||||
concat_files() {
|
||||
# shellcheck disable=SC2174
|
||||
mkdir --mode=700 --parents "${haproxy_cert_dir}"
|
||||
chown root: "${haproxy_cert_dir}"
|
||||
|
||||
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
||||
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
|
||||
chmod 600 "${haproxy_cert_file}"
|
||||
chown root: "${haproxy_cert_file}"
|
||||
}
|
||||
cert_and_key_mismatch() {
|
||||
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||
|
||||
test "${haproxy_cert_md5}" != "${haproxy_key_md5}"
|
||||
}
|
||||
detect_haproxy_cert_dir() {
|
||||
# get last field or line wich defines the crt directory
|
||||
config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/\S+' "${haproxy_config_file}" | head -1 | awk '{ print $(NF)}')
|
||||
if [ -n "${config_cert_dir}" ]; then
|
||||
debug "Cert directory is configured with ${config_cert_dir}"
|
||||
echo "${config_cert_dir}"
|
||||
elif [ -d "/etc/haproxy/ssl" ]; then
|
||||
debug "No configured cert directory found, but /etc/haproxy/ssl exists"
|
||||
echo "/etc/haproxy/ssl"
|
||||
elif [ -d "/etc/ssl/haproxy" ]; then
|
||||
debug "No configured cert directory found, but /etc/ssl/haproxy exists"
|
||||
echo "/etc/ssl/haproxy"
|
||||
else
|
||||
error "Cert directory not found."
|
||||
fi
|
||||
}
|
||||
main() {
|
||||
if [ -z "${RENEWED_LINEAGE}" ]; then
|
||||
error "This script must be called only by certbot!"
|
||||
fi
|
||||
|
||||
if daemon_found_and_running; then
|
||||
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
|
||||
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
|
||||
|
||||
if found_renewed_lineage; then
|
||||
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
|
||||
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
||||
|
||||
concat_files
|
||||
|
||||
if cert_and_key_mismatch; then
|
||||
mv "${haproxy_cert_file}" "${failed_cert_file}"
|
||||
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
|
||||
fi
|
||||
|
||||
if config_check; then
|
||||
debug "HAProxy detected... reloading"
|
||||
systemctl reload haproxy
|
||||
else
|
||||
error "HAProxy config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
|
||||
fi
|
||||
else
|
||||
debug "HAProxy is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly haproxy_bin=$(command -v haproxy)
|
||||
|
||||
main
|
|
@ -1,44 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
}
|
||||
debug() {
|
||||
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof nginx)" && test -n "${nginx_bin}"
|
||||
}
|
||||
config_check() {
|
||||
${nginx_bin} -t > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
if letsencrypt_used; then
|
||||
if config_check; then
|
||||
debug "Nginx detected... reloading"
|
||||
systemctl reload nginx
|
||||
else
|
||||
error "Nginx config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
debug "Nginx doesn't use Let's Encrypt certificate. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Nginx is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly nginx_bin=$(command -v nginx)
|
||||
|
||||
main
|
|
@ -1,44 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
}
|
||||
debug() {
|
||||
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof master)" && test -n "${postconf_bin}"
|
||||
}
|
||||
config_check() {
|
||||
${postconf_bin} > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
if letsencrypt_used; then
|
||||
if config_check; then
|
||||
debug "Postfix detected... reloading"
|
||||
systemctl reload postfix
|
||||
else
|
||||
error "Postfix config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
debug "Postfix doesn't use Let's Encrypt certificate. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Postfix is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly postconf_bin=$(command -v postconf)
|
||||
|
||||
main
|
|
@ -1,81 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -u
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
}
|
||||
debug() {
|
||||
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
found_renewed_lineage() {
|
||||
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
|
||||
}
|
||||
cert_content() {
|
||||
openssl x509 -text -in "${RENEWED_LINEAGE}/fullchain.pem"
|
||||
}
|
||||
domain_from_cert() {
|
||||
if cert_content | grep -q "X509v3 Subject Alternative Name:" && cert_content | grep -q "DNS:"; then
|
||||
cert_content | grep "DNS:" | sed -e 's/\s\+//g' -e 's/DNS://g'
|
||||
else
|
||||
cert_content | sed 's/^.*CN\ *=\ *//'
|
||||
fi
|
||||
}
|
||||
main() {
|
||||
if [ -z "${RENEWED_LINEAGE}" ]; then
|
||||
error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)."
|
||||
fi
|
||||
if [ -z "${servers}" ]; then
|
||||
debug "Empty server list, skip."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if found_renewed_lineage; then
|
||||
RENEWED_DOMAINS=${RENEWED_DOMAINS:-$(domain_from_cert)}
|
||||
|
||||
remote_lineage=${remote_dir}/renewed_lineage/$(basename "${RENEWED_LINEAGE}")
|
||||
|
||||
for server in ${servers}; do
|
||||
remote_host="root@${server}"
|
||||
# shellcheck disable=SC2029
|
||||
ssh "${remote_host}" "mkdir -p ${remote_lineage}" \
|
||||
|| error "Couldn't create ${remote_dir} directory ${server}"
|
||||
|
||||
rsync --archive --copy-links --delete "${RENEWED_LINEAGE}/" "${remote_host}:${remote_lineage}/" \
|
||||
|| error "Couldn't sync certificate on ${server}"
|
||||
|
||||
rsync --archive --copy-links --delete --exclude "$(basename "$0")" --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \
|
||||
|| error "Couldn't sync hooks on ${server}"
|
||||
|
||||
# shellcheck disable=SC2029
|
||||
ssh "${remote_host}" "export RENEWED_LINEAGE=\"${remote_lineage}/\" RENEWED_DOMAINS=\"${RENEWED_DOMAINS}\"; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \
|
||||
|| error "Something went wrong on ${server} for deploy hooks"
|
||||
done
|
||||
else
|
||||
error "Couldn't find required files in \`${RENEWED_LINEAGE}'"
|
||||
fi
|
||||
}
|
||||
|
||||
PROGNAME=$(basename "$0")
|
||||
VERBOSE=${VERBOSE:-"0"}
|
||||
QUIET=${QUIET:-"0"}
|
||||
|
||||
hooks_dir="/etc/letsencrypt/renewal-hooks/deploy"
|
||||
# The config file lust have the same name as the script, with a different extension (.cf instead of .sh)
|
||||
config_file="${0%.*}.cf"
|
||||
remote_dir="/root/cert_sync"
|
||||
|
||||
if [ -f "${config_file}" ]; then
|
||||
. "${config_file}"
|
||||
fi
|
||||
servers=${servers:-""}
|
||||
|
||||
if [ -z "${servers}" ]; then
|
||||
echo "${PROGNAME}: No server provided. Skip." >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
main
|
|
@ -1,46 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
}
|
||||
debug() {
|
||||
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
domain_from_cert() {
|
||||
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ]; then
|
||||
openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//'
|
||||
else
|
||||
debug "Unable to find \`${RENEWED_LINEAGE}/fullchain.pem', skip domain detection."
|
||||
fi
|
||||
}
|
||||
main() {
|
||||
export GIT_DIR="/etc/.git"
|
||||
export GIT_WORK_TREE="/etc"
|
||||
|
||||
if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
|
||||
changed_lines=$(${git_bin} status --porcelain | wc -l | tr -d ' ')
|
||||
|
||||
if [ "${changed_lines}" != "0" ]; then
|
||||
if [ -z "${RENEWED_DOMAINS}" ] && [ -n "${RENEWED_LINEAGE}" ]; then
|
||||
RENEWED_DOMAINS=$(domain_from_cert)
|
||||
fi
|
||||
debug "Committing for ${RENEWED_DOMAINS}"
|
||||
${git_bin} add --all
|
||||
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
|
||||
${git_bin} commit --message "${message}" --quiet
|
||||
else
|
||||
debug "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly git_bin=$(command -v git)
|
||||
|
||||
main
|
|
@ -1,40 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -u
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
}
|
||||
debug() {
|
||||
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
found_renewed_lineage() {
|
||||
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
|
||||
}
|
||||
main() {
|
||||
if [ -z "${RENEWED_LINEAGE:-}" ]; then
|
||||
error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)."
|
||||
fi
|
||||
if [ "${VERBOSE}" = "1" ]; then
|
||||
xargs_verbose="--verbose"
|
||||
else
|
||||
xargs_verbose=""
|
||||
fi
|
||||
if found_renewed_lineage; then
|
||||
find "${hooks_dir}" -mindepth 1 -maxdepth 1 -type f -executable -print0 | sort --zero-terminated --dictionary-order | xargs ${xargs_verbose} --no-run-if-empty --null --max-args=1 sh -c
|
||||
else
|
||||
error "Couldn't find required files in \`${RENEWED_LINEAGE}'"
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
PROGNAME=$(basename "$0")
|
||||
VERBOSE=${VERBOSE:-"0"}
|
||||
QUIET=${QUIET:-"0"}
|
||||
|
||||
hooks_dir="/etc/letsencrypt/renewal-hooks/deploy"
|
||||
|
||||
main
|
|
@ -1,1988 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Download and run the latest release version of the Certbot client.
|
||||
#
|
||||
# NOTE: THIS SCRIPT IS AUTO-GENERATED AND SELF-UPDATING
|
||||
#
|
||||
# IF YOU WANT TO EDIT IT LOCALLY, *ALWAYS* RUN YOUR COPY WITH THE
|
||||
# "--no-self-upgrade" FLAG
|
||||
#
|
||||
# IF YOU WANT TO SEND PULL REQUESTS, THE REAL SOURCE FOR THIS FILE IS
|
||||
# letsencrypt-auto-source/letsencrypt-auto.template AND
|
||||
# letsencrypt-auto-source/pieces/bootstrappers/*
|
||||
|
||||
set -e # Work even if somebody does "sh thisscript.sh".
|
||||
|
||||
# Note: you can set XDG_DATA_HOME or VENV_PATH before running this script,
|
||||
# if you want to change where the virtual environment will be installed
|
||||
|
||||
# HOME might not be defined when being run through something like systemd
|
||||
if [ -z "$HOME" ]; then
|
||||
HOME=~root
|
||||
fi
|
||||
if [ -z "$XDG_DATA_HOME" ]; then
|
||||
XDG_DATA_HOME=~/.local/share
|
||||
fi
|
||||
if [ -z "$VENV_PATH" ]; then
|
||||
# We export these values so they are preserved properly if this script is
|
||||
# rerun with sudo/su where $HOME/$XDG_DATA_HOME may have a different value.
|
||||
export OLD_VENV_PATH="$XDG_DATA_HOME/letsencrypt"
|
||||
export VENV_PATH="/opt/eff.org/certbot/venv"
|
||||
fi
|
||||
VENV_BIN="$VENV_PATH/bin"
|
||||
BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt"
|
||||
LE_AUTO_VERSION="1.14.0"
|
||||
BASENAME=$(basename $0)
|
||||
USAGE="Usage: $BASENAME [OPTIONS]
|
||||
A self-updating wrapper script for the Certbot ACME client. When run, updates
|
||||
to both this script and certbot will be downloaded and installed. After
|
||||
ensuring you have the latest versions installed, certbot will be invoked with
|
||||
all arguments you have provided.
|
||||
|
||||
Help for certbot itself cannot be provided until it is installed.
|
||||
|
||||
--debug attempt experimental installation
|
||||
-h, --help print this help
|
||||
-n, --non-interactive, --noninteractive run without asking for user input
|
||||
--no-bootstrap do not install OS dependencies
|
||||
--no-permissions-check do not warn about file system permissions
|
||||
--no-self-upgrade do not download updates
|
||||
--os-packages-only install OS dependencies and exit
|
||||
--install-only install certbot, upgrade if needed, and exit
|
||||
-v, --verbose provide more output
|
||||
-q, --quiet provide only update/error output;
|
||||
implies --non-interactive
|
||||
|
||||
All arguments are accepted and forwarded to the Certbot client when run."
|
||||
export CERTBOT_AUTO="$0"
|
||||
|
||||
for arg in "$@" ; do
|
||||
case "$arg" in
|
||||
--debug)
|
||||
DEBUG=1;;
|
||||
--os-packages-only)
|
||||
OS_PACKAGES_ONLY=1;;
|
||||
--install-only)
|
||||
INSTALL_ONLY=1;;
|
||||
--no-self-upgrade)
|
||||
# Do not upgrade this script (also prevents client upgrades, because each
|
||||
# copy of the script pins a hash of the python client)
|
||||
NO_SELF_UPGRADE=1;;
|
||||
--no-permissions-check)
|
||||
NO_PERMISSIONS_CHECK=1;;
|
||||
--no-bootstrap)
|
||||
NO_BOOTSTRAP=1;;
|
||||
--help)
|
||||
HELP=1;;
|
||||
--noninteractive|--non-interactive)
|
||||
NONINTERACTIVE=1;;
|
||||
--quiet)
|
||||
QUIET=1;;
|
||||
renew)
|
||||
ASSUME_YES=1;;
|
||||
--verbose)
|
||||
VERBOSE=1;;
|
||||
-[!-]*)
|
||||
OPTIND=1
|
||||
while getopts ":hnvq" short_arg $arg; do
|
||||
case "$short_arg" in
|
||||
h)
|
||||
HELP=1;;
|
||||
n)
|
||||
NONINTERACTIVE=1;;
|
||||
q)
|
||||
QUIET=1;;
|
||||
v)
|
||||
VERBOSE=1;;
|
||||
esac
|
||||
done;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ $BASENAME = "letsencrypt-auto" ]; then
|
||||
# letsencrypt-auto does not respect --help or --yes for backwards compatibility
|
||||
NONINTERACTIVE=1
|
||||
HELP=0
|
||||
fi
|
||||
|
||||
# Set ASSUME_YES to 1 if QUIET or NONINTERACTIVE
|
||||
if [ "$QUIET" = 1 -o "$NONINTERACTIVE" = 1 ]; then
|
||||
ASSUME_YES=1
|
||||
fi
|
||||
|
||||
say() {
|
||||
if [ "$QUIET" != 1 ]; then
|
||||
echo "$@"
|
||||
fi
|
||||
}
|
||||
|
||||
error() {
|
||||
echo "$@"
|
||||
}
|
||||
|
||||
# Support for busybox and others where there is no "command",
|
||||
# but "which" instead
|
||||
if command -v command > /dev/null 2>&1 ; then
|
||||
export EXISTS="command -v"
|
||||
elif which which > /dev/null 2>&1 ; then
|
||||
export EXISTS="which"
|
||||
else
|
||||
error "Cannot find command nor which... please install one!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Certbot itself needs root access for almost all modes of operation.
|
||||
# certbot-auto needs root access to bootstrap OS dependencies and install
|
||||
# Certbot at a protected path so it can be safely run as root. To accomplish
|
||||
# this, this script will attempt to run itself as root if it doesn't have the
|
||||
# necessary privileges by using `sudo` or falling back to `su` if it is not
|
||||
# available. The mechanism used to obtain root access can be set explicitly by
|
||||
# setting the environment variable LE_AUTO_SUDO to 'sudo', 'su', 'su_sudo',
|
||||
# 'SuSudo', or '' as used below.
|
||||
|
||||
# Because the parameters in `su -c` has to be a string,
|
||||
# we need to properly escape it.
|
||||
SuSudo() {
|
||||
args=""
|
||||
# This `while` loop iterates over all parameters given to this function.
|
||||
# For each parameter, all `'` will be replace by `'"'"'`, and the escaped string
|
||||
# will be wrapped in a pair of `'`, then appended to `$args` string
|
||||
# For example, `echo "It's only 1\$\!"` will be escaped to:
|
||||
# 'echo' 'It'"'"'s only 1$!'
|
||||
# │ │└┼┘│
|
||||
# │ │ │ └── `'s only 1$!'` the literal string
|
||||
# │ │ └── `\"'\"` is a single quote (as a string)
|
||||
# │ └── `'It'`, to be concatenated with the strings following it
|
||||
# └── `echo` wrapped in a pair of `'`, it's totally fine for the shell command itself
|
||||
while [ $# -ne 0 ]; do
|
||||
args="$args'$(printf "%s" "$1" | sed -e "s/'/'\"'\"'/g")' "
|
||||
shift
|
||||
done
|
||||
su root -c "$args"
|
||||
}
|
||||
|
||||
# Sets the environment variable SUDO to be the name of the program or function
|
||||
# to call to get root access. If this script already has root privleges, SUDO
|
||||
# is set to an empty string. The value in SUDO should be run with the command
|
||||
# to called with root privileges as arguments.
|
||||
SetRootAuthMechanism() {
|
||||
SUDO=""
|
||||
if [ -n "${LE_AUTO_SUDO+x}" ]; then
|
||||
case "$LE_AUTO_SUDO" in
|
||||
SuSudo|su_sudo|su)
|
||||
SUDO=SuSudo
|
||||
;;
|
||||
sudo)
|
||||
SUDO="sudo -E"
|
||||
;;
|
||||
'')
|
||||
# If we're not running with root, don't check that this script can only
|
||||
# be modified by system users and groups.
|
||||
NO_PERMISSIONS_CHECK=1
|
||||
;;
|
||||
*)
|
||||
error "Error: unknown root authorization mechanism '$LE_AUTO_SUDO'."
|
||||
exit 1
|
||||
esac
|
||||
say "Using preset root authorization mechanism '$LE_AUTO_SUDO'."
|
||||
else
|
||||
if test "`id -u`" -ne "0" ; then
|
||||
if $EXISTS sudo 1>/dev/null 2>&1; then
|
||||
SUDO="sudo -E"
|
||||
else
|
||||
say \"sudo\" is not available, will use \"su\" for installation steps...
|
||||
SUDO=SuSudo
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "$1" = "--cb-auto-has-root" ]; then
|
||||
shift 1
|
||||
else
|
||||
SetRootAuthMechanism
|
||||
if [ -n "$SUDO" ]; then
|
||||
say "Requesting to rerun $0 with root privileges..."
|
||||
$SUDO "$0" --cb-auto-has-root "$@"
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
# Runs this script again with the given arguments. --cb-auto-has-root is added
|
||||
# to the command line arguments to ensure we don't try to acquire root a
|
||||
# second time. After the script is rerun, we exit the current script.
|
||||
RerunWithArgs() {
|
||||
"$0" --cb-auto-has-root "$@"
|
||||
exit 0
|
||||
}
|
||||
|
||||
BootstrapMessage() {
|
||||
# Arguments: Platform name
|
||||
say "Bootstrapping dependencies for $1... (you can skip this with --no-bootstrap)"
|
||||
}
|
||||
|
||||
ExperimentalBootstrap() {
|
||||
# Arguments: Platform name, bootstrap function name
|
||||
if [ "$DEBUG" = 1 ]; then
|
||||
if [ "$2" != "" ]; then
|
||||
BootstrapMessage $1
|
||||
$2
|
||||
fi
|
||||
else
|
||||
error "FATAL: $1 support is very experimental at present..."
|
||||
error "if you would like to work on improving it, please ensure you have backups"
|
||||
error "and then run this script again with the --debug flag!"
|
||||
error "Alternatively, you can install OS dependencies yourself and run this script"
|
||||
error "again with --no-bootstrap."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
DeprecationBootstrap() {
|
||||
# Arguments: Platform name, bootstrap function name
|
||||
if [ "$DEBUG" = 1 ]; then
|
||||
if [ "$2" != "" ]; then
|
||||
BootstrapMessage $1
|
||||
$2
|
||||
fi
|
||||
else
|
||||
error "WARNING: certbot-auto support for this $1 is DEPRECATED!"
|
||||
error "Please visit certbot.eff.org to learn how to download a version of"
|
||||
error "Certbot that is packaged for your system. While an existing version"
|
||||
error "of certbot-auto may work currently, we have stopped supporting updating"
|
||||
error "system packages for your system. Please switch to a packaged version"
|
||||
error "as soon as possible."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
MIN_PYTHON_2_VERSION="2.7"
|
||||
MIN_PYVER2=$(echo "$MIN_PYTHON_2_VERSION" | sed 's/\.//')
|
||||
MIN_PYTHON_3_VERSION="3.6"
|
||||
MIN_PYVER3=$(echo "$MIN_PYTHON_3_VERSION" | sed 's/\.//')
|
||||
# Sets LE_PYTHON to Python version string and PYVER to the first two
|
||||
# digits of the python version.
|
||||
# MIN_PYVER and MIN_PYTHON_VERSION are also set by this function, and their
|
||||
# values depend on if we try to use Python 3 or Python 2.
|
||||
DeterminePythonVersion() {
|
||||
# Arguments: "NOCRASH" if we shouldn't crash if we don't find a good python
|
||||
#
|
||||
# If no Python is found, PYVER is set to 0.
|
||||
if [ "$USE_PYTHON_3" = 1 ]; then
|
||||
MIN_PYVER=$MIN_PYVER3
|
||||
MIN_PYTHON_VERSION=$MIN_PYTHON_3_VERSION
|
||||
for LE_PYTHON in "$LE_PYTHON" python3; do
|
||||
# Break (while keeping the LE_PYTHON value) if found.
|
||||
$EXISTS "$LE_PYTHON" > /dev/null && break
|
||||
done
|
||||
else
|
||||
MIN_PYVER=$MIN_PYVER2
|
||||
MIN_PYTHON_VERSION=$MIN_PYTHON_2_VERSION
|
||||
for LE_PYTHON in "$LE_PYTHON" python2.7 python27 python2 python; do
|
||||
# Break (while keeping the LE_PYTHON value) if found.
|
||||
$EXISTS "$LE_PYTHON" > /dev/null && break
|
||||
done
|
||||
fi
|
||||
if [ "$?" != "0" ]; then
|
||||
if [ "$1" != "NOCRASH" ]; then
|
||||
error "Cannot find any Pythons; please install one!"
|
||||
exit 1
|
||||
else
|
||||
PYVER=0
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
|
||||
PYVER=$("$LE_PYTHON" -V 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//')
|
||||
if [ "$PYVER" -lt "$MIN_PYVER" ]; then
|
||||
if [ "$1" != "NOCRASH" ]; then
|
||||
error "You have an ancient version of Python entombed in your operating system..."
|
||||
error "This isn't going to work; you'll need at least version $MIN_PYTHON_VERSION."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapDebCommon below, this version
|
||||
# number must be increased.
|
||||
BOOTSTRAP_DEB_COMMON_VERSION=1
|
||||
|
||||
BootstrapDebCommon() {
|
||||
# Current version tested with:
|
||||
#
|
||||
# - Ubuntu
|
||||
# - 14.04 (x64)
|
||||
# - 15.04 (x64)
|
||||
# - Debian
|
||||
# - 7.9 "wheezy" (x64)
|
||||
# - sid (2015-10-21) (x64)
|
||||
|
||||
# Past versions tested with:
|
||||
#
|
||||
# - Debian 8.0 "jessie" (x64)
|
||||
# - Raspbian 7.8 (armhf)
|
||||
|
||||
# Believed not to work:
|
||||
#
|
||||
# - Debian 6.0.10 "squeeze" (x64)
|
||||
|
||||
if [ "$QUIET" = 1 ]; then
|
||||
QUIET_FLAG='-qq'
|
||||
fi
|
||||
|
||||
apt-get $QUIET_FLAG update || error apt-get update hit problems but continuing anyway...
|
||||
|
||||
# virtualenv binary can be found in different packages depending on
|
||||
# distro version (#346)
|
||||
|
||||
virtualenv=
|
||||
# virtual env is known to apt and is installable
|
||||
if apt-cache show virtualenv > /dev/null 2>&1 ; then
|
||||
if ! LC_ALL=C apt-cache --quiet=0 show virtualenv 2>&1 | grep -q 'No packages found'; then
|
||||
virtualenv="virtualenv"
|
||||
fi
|
||||
fi
|
||||
|
||||
if apt-cache show python-virtualenv > /dev/null 2>&1; then
|
||||
virtualenv="$virtualenv python-virtualenv"
|
||||
fi
|
||||
|
||||
augeas_pkg="libaugeas0 augeas-lenses"
|
||||
|
||||
if [ "$ASSUME_YES" = 1 ]; then
|
||||
YES_FLAG="-y"
|
||||
fi
|
||||
|
||||
apt-get install $QUIET_FLAG $YES_FLAG --no-install-recommends \
|
||||
python \
|
||||
python-dev \
|
||||
$virtualenv \
|
||||
gcc \
|
||||
$augeas_pkg \
|
||||
libssl-dev \
|
||||
openssl \
|
||||
libffi-dev \
|
||||
ca-certificates \
|
||||
|
||||
|
||||
if ! $EXISTS virtualenv > /dev/null ; then
|
||||
error Failed to install a working \"virtualenv\" command, exiting
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapRpmCommonBase below, version
|
||||
# numbers in rpm_common.sh and rpm_python3.sh must be increased.
|
||||
|
||||
# Sets TOOL to the name of the package manager
|
||||
# Sets appropriate values for YES_FLAG and QUIET_FLAG based on $ASSUME_YES and $QUIET_FLAG.
|
||||
# Note: this function is called both while selecting the bootstrap scripts and
|
||||
# during the actual bootstrap. Some things like prompting to user can be done in the latter
|
||||
# case, but not in the former one.
|
||||
InitializeRPMCommonBase() {
|
||||
if type dnf 2>/dev/null
|
||||
then
|
||||
TOOL=dnf
|
||||
elif type yum 2>/dev/null
|
||||
then
|
||||
TOOL=yum
|
||||
|
||||
else
|
||||
error "Neither yum nor dnf found. Aborting bootstrap!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$ASSUME_YES" = 1 ]; then
|
||||
YES_FLAG="-y"
|
||||
fi
|
||||
if [ "$QUIET" = 1 ]; then
|
||||
QUIET_FLAG='--quiet'
|
||||
fi
|
||||
}
|
||||
|
||||
BootstrapRpmCommonBase() {
|
||||
# Arguments: whitespace-delimited python packages to install
|
||||
|
||||
InitializeRPMCommonBase # This call is superfluous in practice
|
||||
|
||||
pkgs="
|
||||
gcc
|
||||
augeas-libs
|
||||
openssl
|
||||
openssl-devel
|
||||
libffi-devel
|
||||
redhat-rpm-config
|
||||
ca-certificates
|
||||
"
|
||||
|
||||
# Add the python packages
|
||||
pkgs="$pkgs
|
||||
$1
|
||||
"
|
||||
|
||||
if $TOOL list installed "httpd" >/dev/null 2>&1; then
|
||||
pkgs="$pkgs
|
||||
mod_ssl
|
||||
"
|
||||
fi
|
||||
|
||||
if ! $TOOL install $YES_FLAG $QUIET_FLAG $pkgs; then
|
||||
error "Could not install OS dependencies. Aborting bootstrap!"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapRpmCommon below, this version
|
||||
# number must be increased.
|
||||
BOOTSTRAP_RPM_COMMON_VERSION=1
|
||||
|
||||
BootstrapRpmCommon() {
|
||||
# Tested with:
|
||||
# - Fedora 20, 21, 22, 23 (x64)
|
||||
# - Centos 7 (x64: on DigitalOcean droplet)
|
||||
# - CentOS 7 Minimal install in a Hyper-V VM
|
||||
# - CentOS 6
|
||||
|
||||
InitializeRPMCommonBase
|
||||
|
||||
# Most RPM distros use the "python" or "python-" naming convention. Let's try that first.
|
||||
if $TOOL list python >/dev/null 2>&1; then
|
||||
python_pkgs="$python
|
||||
python-devel
|
||||
python-virtualenv
|
||||
python-tools
|
||||
python-pip
|
||||
"
|
||||
# Fedora 26 starts to use the prefix python2 for python2 based packages.
|
||||
# this elseif is theoretically for any Fedora over version 26:
|
||||
elif $TOOL list python2 >/dev/null 2>&1; then
|
||||
python_pkgs="$python2
|
||||
python2-libs
|
||||
python2-setuptools
|
||||
python2-devel
|
||||
python2-virtualenv
|
||||
python2-tools
|
||||
python2-pip
|
||||
"
|
||||
# Some distros and older versions of current distros use a "python27"
|
||||
# instead of the "python" or "python-" naming convention.
|
||||
else
|
||||
python_pkgs="$python27
|
||||
python27-devel
|
||||
python27-virtualenv
|
||||
python27-tools
|
||||
python27-pip
|
||||
"
|
||||
fi
|
||||
|
||||
BootstrapRpmCommonBase "$python_pkgs"
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapRpmPython3 below, this version
|
||||
# number must be increased.
|
||||
BOOTSTRAP_RPM_PYTHON3_LEGACY_VERSION=1
|
||||
|
||||
# Checks if rh-python36 can be installed.
|
||||
Python36SclIsAvailable() {
|
||||
InitializeRPMCommonBase >/dev/null 2>&1;
|
||||
|
||||
if "${TOOL}" list rh-python36 >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
if "${TOOL}" list centos-release-scl >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
# Try to enable rh-python36 from SCL if it is necessary and possible.
|
||||
EnablePython36SCL() {
|
||||
if "$EXISTS" python3.6 > /dev/null 2> /dev/null; then
|
||||
return 0
|
||||
fi
|
||||
if [ ! -f /opt/rh/rh-python36/enable ]; then
|
||||
return 0
|
||||
fi
|
||||
set +e
|
||||
if ! . /opt/rh/rh-python36/enable; then
|
||||
error 'Unable to enable rh-python36!'
|
||||
exit 1
|
||||
fi
|
||||
set -e
|
||||
}
|
||||
|
||||
# This bootstrap concerns old RedHat-based distributions that do not ship by default
|
||||
# with Python 2.7, but only Python 2.6. We bootstrap them by enabling SCL and installing
|
||||
# Python 3.6. Some of these distributions are: CentOS/RHEL/OL/SL 6.
|
||||
BootstrapRpmPython3Legacy() {
|
||||
# Tested with:
|
||||
# - CentOS 6
|
||||
|
||||
InitializeRPMCommonBase
|
||||
|
||||
if ! "${TOOL}" list rh-python36 >/dev/null 2>&1; then
|
||||
echo "To use Certbot on this operating system, packages from the SCL repository need to be installed."
|
||||
if ! "${TOOL}" list centos-release-scl >/dev/null 2>&1; then
|
||||
error "Enable the SCL repository and try running Certbot again."
|
||||
exit 1
|
||||
fi
|
||||
if [ "${ASSUME_YES}" = 1 ]; then
|
||||
/bin/echo -n "Enabling the SCL repository in 3 seconds... (Press Ctrl-C to cancel)"
|
||||
sleep 1s
|
||||
/bin/echo -ne "\e[0K\rEnabling the SCL repository in 2 seconds... (Press Ctrl-C to cancel)"
|
||||
sleep 1s
|
||||
/bin/echo -e "\e[0K\rEnabling the SCL repository in 1 second... (Press Ctrl-C to cancel)"
|
||||
sleep 1s
|
||||
fi
|
||||
if ! "${TOOL}" install "${YES_FLAG}" "${QUIET_FLAG}" centos-release-scl; then
|
||||
error "Could not enable SCL. Aborting bootstrap!"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# CentOS 6 must use rh-python36 from SCL
|
||||
if "${TOOL}" list rh-python36 >/dev/null 2>&1; then
|
||||
python_pkgs="rh-python36-python
|
||||
rh-python36-python-virtualenv
|
||||
rh-python36-python-devel
|
||||
"
|
||||
else
|
||||
error "No supported Python package available to install. Aborting bootstrap!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
BootstrapRpmCommonBase "${python_pkgs}"
|
||||
|
||||
# Enable SCL rh-python36 after bootstrapping.
|
||||
EnablePython36SCL
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapRpmPython3 below, this version
|
||||
# number must be increased.
|
||||
BOOTSTRAP_RPM_PYTHON3_VERSION=1
|
||||
|
||||
BootstrapRpmPython3() {
|
||||
# Tested with:
|
||||
# - Fedora 29
|
||||
|
||||
InitializeRPMCommonBase
|
||||
|
||||
# Fedora 29 must use python3-virtualenv
|
||||
if $TOOL list python3-virtualenv >/dev/null 2>&1; then
|
||||
python_pkgs="python3
|
||||
python3-virtualenv
|
||||
python3-devel
|
||||
"
|
||||
else
|
||||
error "No supported Python package available to install. Aborting bootstrap!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
BootstrapRpmCommonBase "$python_pkgs"
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapSuseCommon below, this version
|
||||
# number must be increased.
|
||||
BOOTSTRAP_SUSE_COMMON_VERSION=1
|
||||
|
||||
BootstrapSuseCommon() {
|
||||
# SLE12 don't have python-virtualenv
|
||||
|
||||
if [ "$ASSUME_YES" = 1 ]; then
|
||||
zypper_flags="-nq"
|
||||
install_flags="-l"
|
||||
fi
|
||||
|
||||
if [ "$QUIET" = 1 ]; then
|
||||
QUIET_FLAG='-qq'
|
||||
fi
|
||||
|
||||
if zypper search -x python-virtualenv >/dev/null 2>&1; then
|
||||
OPENSUSE_VIRTUALENV_PACKAGES="python-virtualenv"
|
||||
else
|
||||
# Since Leap 15.0 (and associated Tumbleweed version), python-virtualenv
|
||||
# is a source package, and python2-virtualenv must be used instead.
|
||||
# Also currently python2-setuptools is not a dependency of python2-virtualenv,
|
||||
# while it should be. Installing it explicitly until upstream fix.
|
||||
OPENSUSE_VIRTUALENV_PACKAGES="python2-virtualenv python2-setuptools"
|
||||
fi
|
||||
|
||||
zypper $QUIET_FLAG $zypper_flags in $install_flags \
|
||||
python \
|
||||
python-devel \
|
||||
$OPENSUSE_VIRTUALENV_PACKAGES \
|
||||
gcc \
|
||||
augeas-lenses \
|
||||
libopenssl-devel \
|
||||
libffi-devel \
|
||||
ca-certificates
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapArchCommon below, this version
|
||||
# number must be increased.
|
||||
BOOTSTRAP_ARCH_COMMON_VERSION=1
|
||||
|
||||
BootstrapArchCommon() {
|
||||
# Tested with:
|
||||
# - ArchLinux (x86_64)
|
||||
#
|
||||
# "python-virtualenv" is Python3, but "python2-virtualenv" provides
|
||||
# only "virtualenv2" binary, not "virtualenv".
|
||||
|
||||
deps="
|
||||
python2
|
||||
python-virtualenv
|
||||
gcc
|
||||
augeas
|
||||
openssl
|
||||
libffi
|
||||
ca-certificates
|
||||
pkg-config
|
||||
"
|
||||
|
||||
# pacman -T exits with 127 if there are missing dependencies
|
||||
missing=$(pacman -T $deps) || true
|
||||
|
||||
if [ "$ASSUME_YES" = 1 ]; then
|
||||
noconfirm="--noconfirm"
|
||||
fi
|
||||
|
||||
if [ "$missing" ]; then
|
||||
if [ "$QUIET" = 1 ]; then
|
||||
pacman -S --needed $missing $noconfirm > /dev/null
|
||||
else
|
||||
pacman -S --needed $missing $noconfirm
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapGentooCommon below, this version
|
||||
# number must be increased.
|
||||
BOOTSTRAP_GENTOO_COMMON_VERSION=1
|
||||
|
||||
BootstrapGentooCommon() {
|
||||
PACKAGES="
|
||||
dev-lang/python:2.7
|
||||
dev-python/virtualenv
|
||||
app-admin/augeas
|
||||
dev-libs/openssl
|
||||
dev-libs/libffi
|
||||
app-misc/ca-certificates
|
||||
virtual/pkgconfig"
|
||||
|
||||
ASK_OPTION="--ask"
|
||||
if [ "$ASSUME_YES" = 1 ]; then
|
||||
ASK_OPTION=""
|
||||
fi
|
||||
|
||||
case "$PACKAGE_MANAGER" in
|
||||
(paludis)
|
||||
cave resolve --preserve-world --keep-targets if-possible $PACKAGES -x
|
||||
;;
|
||||
(pkgcore)
|
||||
pmerge --noreplace --oneshot $ASK_OPTION $PACKAGES
|
||||
;;
|
||||
(portage|*)
|
||||
emerge --noreplace --oneshot $ASK_OPTION $PACKAGES
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapFreeBsd below, this version number
|
||||
# must be increased.
|
||||
BOOTSTRAP_FREEBSD_VERSION=1
|
||||
|
||||
BootstrapFreeBsd() {
|
||||
if [ "$QUIET" = 1 ]; then
|
||||
QUIET_FLAG="--quiet"
|
||||
fi
|
||||
|
||||
pkg install -Ay $QUIET_FLAG \
|
||||
python \
|
||||
py27-virtualenv \
|
||||
augeas \
|
||||
libffi
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapMac below, this version number must
|
||||
# be increased.
|
||||
BOOTSTRAP_MAC_VERSION=1
|
||||
|
||||
BootstrapMac() {
|
||||
if hash brew 2>/dev/null; then
|
||||
say "Using Homebrew to install dependencies..."
|
||||
pkgman=brew
|
||||
pkgcmd="brew install"
|
||||
elif hash port 2>/dev/null; then
|
||||
say "Using MacPorts to install dependencies..."
|
||||
pkgman=port
|
||||
pkgcmd="port install"
|
||||
else
|
||||
say "No Homebrew/MacPorts; installing Homebrew..."
|
||||
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
|
||||
pkgman=brew
|
||||
pkgcmd="brew install"
|
||||
fi
|
||||
|
||||
$pkgcmd augeas
|
||||
if [ "$(which python)" = "/System/Library/Frameworks/Python.framework/Versions/2.7/bin/python" \
|
||||
-o "$(which python)" = "/usr/bin/python" ]; then
|
||||
# We want to avoid using the system Python because it requires root to use pip.
|
||||
# python.org, MacPorts or HomeBrew Python installations should all be OK.
|
||||
say "Installing python..."
|
||||
$pkgcmd python
|
||||
fi
|
||||
|
||||
# Workaround for _dlopen not finding augeas on macOS
|
||||
if [ "$pkgman" = "port" ] && ! [ -e "/usr/local/lib/libaugeas.dylib" ] && [ -e "/opt/local/lib/libaugeas.dylib" ]; then
|
||||
say "Applying augeas workaround"
|
||||
mkdir -p /usr/local/lib/
|
||||
ln -s /opt/local/lib/libaugeas.dylib /usr/local/lib/
|
||||
fi
|
||||
|
||||
if ! hash pip 2>/dev/null; then
|
||||
say "pip not installed"
|
||||
say "Installing pip..."
|
||||
curl --silent --show-error --retry 5 https://bootstrap.pypa.io/get-pip.py | python
|
||||
fi
|
||||
|
||||
if ! hash virtualenv 2>/dev/null; then
|
||||
say "virtualenv not installed."
|
||||
say "Installing with pip..."
|
||||
pip install virtualenv
|
||||
fi
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapSmartOS below, this version number
|
||||
# must be increased.
|
||||
BOOTSTRAP_SMARTOS_VERSION=1
|
||||
|
||||
BootstrapSmartOS() {
|
||||
pkgin update
|
||||
pkgin -y install 'gcc49' 'py27-augeas' 'py27-virtualenv'
|
||||
}
|
||||
|
||||
# If new packages are installed by BootstrapMageiaCommon below, this version
|
||||
# number must be increased.
|
||||
BOOTSTRAP_MAGEIA_COMMON_VERSION=1
|
||||
|
||||
BootstrapMageiaCommon() {
|
||||
if [ "$QUIET" = 1 ]; then
|
||||
QUIET_FLAG='--quiet'
|
||||
fi
|
||||
|
||||
if ! urpmi --force $QUIET_FLAG \
|
||||
python \
|
||||
libpython-devel \
|
||||
python-virtualenv
|
||||
then
|
||||
error "Could not install Python dependencies. Aborting bootstrap!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! urpmi --force $QUIET_FLAG \
|
||||
git \
|
||||
gcc \
|
||||
python-augeas \
|
||||
libopenssl-devel \
|
||||
libffi-devel \
|
||||
rootcerts
|
||||
then
|
||||
error "Could not install additional dependencies. Aborting bootstrap!"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
# Set Bootstrap to the function that installs OS dependencies on this system
|
||||
# and BOOTSTRAP_VERSION to the unique identifier for the current version of
|
||||
# that function. If Bootstrap is set to a function that doesn't install any
|
||||
# packages BOOTSTRAP_VERSION is not set.
|
||||
if [ -f /etc/debian_version ]; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif [ -f /etc/mageia-release ]; then
|
||||
# Mageia has both /etc/mageia-release and /etc/redhat-release
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif [ -f /etc/redhat-release ]; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
# Run DeterminePythonVersion to decide on the basis of available Python versions
|
||||
# whether to use 2.x or 3.x on RedHat-like systems.
|
||||
# Then, revert LE_PYTHON to its previous state.
|
||||
prev_le_python="$LE_PYTHON"
|
||||
unset LE_PYTHON
|
||||
DeterminePythonVersion "NOCRASH"
|
||||
|
||||
RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"`
|
||||
|
||||
if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then
|
||||
# 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto.
|
||||
DEPRECATED_OS=1
|
||||
fi
|
||||
|
||||
# Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on
|
||||
# '.' characters (e.g. "8.0" becomes "8"). If the command exits with an
|
||||
# error, RPM_DIST_VERSION is set to "unknown".
|
||||
RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown")
|
||||
|
||||
# If RPM_DIST_VERSION is an empty string or it contains any nonnumeric
|
||||
# characters, the value is unexpected so we set RPM_DIST_VERSION to 0.
|
||||
if [ -z "$RPM_DIST_VERSION" ] || [ -n "$(echo "$RPM_DIST_VERSION" | tr -d '[0-9]')" ]; then
|
||||
RPM_DIST_VERSION=0
|
||||
fi
|
||||
|
||||
# Handle legacy RPM distributions
|
||||
if [ "$PYVER" -eq 26 ]; then
|
||||
# Check if an automated bootstrap can be achieved on this system.
|
||||
if ! Python36SclIsAvailable; then
|
||||
INTERACTIVE_BOOTSTRAP=1
|
||||
fi
|
||||
|
||||
USE_PYTHON_3=1
|
||||
|
||||
# Try now to enable SCL rh-python36 for systems already bootstrapped
|
||||
# NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto
|
||||
EnablePython36SCL
|
||||
else
|
||||
# Starting to Fedora 29, python2 is on a deprecation path. Let's move to python3 then.
|
||||
# RHEL 8 also uses python3 by default.
|
||||
if [ "$RPM_DIST_NAME" = "fedora" -a "$RPM_DIST_VERSION" -ge 29 ]; then
|
||||
RPM_USE_PYTHON_3=1
|
||||
elif [ "$RPM_DIST_NAME" = "rhel" -a "$RPM_DIST_VERSION" -ge 8 ]; then
|
||||
RPM_USE_PYTHON_3=1
|
||||
elif [ "$RPM_DIST_NAME" = "centos" -a "$RPM_DIST_VERSION" -ge 8 ]; then
|
||||
RPM_USE_PYTHON_3=1
|
||||
else
|
||||
RPM_USE_PYTHON_3=0
|
||||
fi
|
||||
|
||||
if [ "$RPM_USE_PYTHON_3" = 1 ]; then
|
||||
USE_PYTHON_3=1
|
||||
fi
|
||||
fi
|
||||
|
||||
LE_PYTHON="$prev_le_python"
|
||||
elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif [ -f /etc/arch-release ]; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif [ -f /etc/manjaro-release ]; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif [ -f /etc/gentoo-release ]; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif uname | grep -iq FreeBSD ; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif uname | grep -iq Darwin ; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
else
|
||||
DEPRECATED_OS=1
|
||||
NO_SELF_UPGRADE=1
|
||||
fi
|
||||
|
||||
# We handle this case after determining the normal bootstrap version to allow
|
||||
# variables like USE_PYTHON_3 to be properly set. As described above, if the
|
||||
# Bootstrap function doesn't install any packages, BOOTSTRAP_VERSION should not
|
||||
# be set so we unset it here.
|
||||
if [ "$NO_BOOTSTRAP" = 1 ]; then
|
||||
Bootstrap() {
|
||||
:
|
||||
}
|
||||
unset BOOTSTRAP_VERSION
|
||||
fi
|
||||
|
||||
if [ "$DEPRECATED_OS" = 1 ]; then
|
||||
Bootstrap() {
|
||||
error "Skipping bootstrap because certbot-auto is deprecated on this system."
|
||||
}
|
||||
unset BOOTSTRAP_VERSION
|
||||
fi
|
||||
|
||||
# Sets PREV_BOOTSTRAP_VERSION to the identifier for the bootstrap script used
|
||||
# to install OS dependencies on this system. PREV_BOOTSTRAP_VERSION isn't set
|
||||
# if it is unknown how OS dependencies were installed on this system.
|
||||
SetPrevBootstrapVersion() {
|
||||
if [ -f $BOOTSTRAP_VERSION_PATH ]; then
|
||||
PREV_BOOTSTRAP_VERSION=$(cat "$BOOTSTRAP_VERSION_PATH")
|
||||
# The list below only contains bootstrap version strings that existed before
|
||||
# we started writing them to disk.
|
||||
#
|
||||
# DO NOT MODIFY THIS LIST UNLESS YOU KNOW WHAT YOU'RE DOING!
|
||||
elif grep -Fqx "$BOOTSTRAP_VERSION" << "UNLIKELY_EOF"
|
||||
BootstrapDebCommon 1
|
||||
BootstrapMageiaCommon 1
|
||||
BootstrapRpmCommon 1
|
||||
BootstrapSuseCommon 1
|
||||
BootstrapArchCommon 1
|
||||
BootstrapGentooCommon 1
|
||||
BootstrapFreeBsd 1
|
||||
BootstrapMac 1
|
||||
BootstrapSmartOS 1
|
||||
UNLIKELY_EOF
|
||||
then
|
||||
# If there's no bootstrap version saved to disk, but the currently selected
|
||||
# bootstrap script is from before we started saving the version number,
|
||||
# return the currently selected version to prevent us from rebootstrapping
|
||||
# unnecessarily.
|
||||
PREV_BOOTSTRAP_VERSION="$BOOTSTRAP_VERSION"
|
||||
fi
|
||||
}
|
||||
|
||||
TempDir() {
|
||||
mktemp -d 2>/dev/null || mktemp -d -t 'le' # Linux || macOS
|
||||
}
|
||||
|
||||
# Returns 0 if a letsencrypt installation exists at $OLD_VENV_PATH, otherwise,
|
||||
# returns a non-zero number.
|
||||
OldVenvExists() {
|
||||
[ -n "$OLD_VENV_PATH" -a -f "$OLD_VENV_PATH/bin/letsencrypt" ]
|
||||
}
|
||||
|
||||
# Given python path, version 1 and version 2, check if version 1 is outdated compared to version 2.
|
||||
# An unofficial version provided as version 1 (eg. 0.28.0.dev0) will be treated
|
||||
# specifically by printing "UNOFFICIAL". Otherwise, print "OUTDATED" if version 1
|
||||
# is outdated, and "UP_TO_DATE" if not.
|
||||
# This function relies only on installed python environment (2.x or 3.x) by certbot-auto.
|
||||
CompareVersions() {
|
||||
"$1" - "$2" "$3" << "UNLIKELY_EOF"
|
||||
import sys
|
||||
from distutils.version import StrictVersion
|
||||
|
||||
try:
|
||||
current = StrictVersion(sys.argv[1])
|
||||
except ValueError:
|
||||
sys.stdout.write('UNOFFICIAL')
|
||||
sys.exit()
|
||||
|
||||
try:
|
||||
remote = StrictVersion(sys.argv[2])
|
||||
except ValueError:
|
||||
sys.stdout.write('UP_TO_DATE')
|
||||
sys.exit()
|
||||
|
||||
if current < remote:
|
||||
sys.stdout.write('OUTDATED')
|
||||
else:
|
||||
sys.stdout.write('UP_TO_DATE')
|
||||
UNLIKELY_EOF
|
||||
}
|
||||
|
||||
# Create a new virtual environment for Certbot. It will overwrite any existing one.
|
||||
# Parameters: LE_PYTHON, VENV_PATH, PYVER, VERBOSE
|
||||
CreateVenv() {
|
||||
"$1" - "$2" "$3" "$4" << "UNLIKELY_EOF"
|
||||
#!/usr/bin/env python
|
||||
import os
|
||||
import shutil
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
|
||||
def create_venv(venv_path, pyver, verbose):
|
||||
if os.path.exists(venv_path):
|
||||
shutil.rmtree(venv_path)
|
||||
|
||||
stdout = sys.stdout if verbose == '1' else open(os.devnull, 'w')
|
||||
|
||||
if int(pyver) <= 27:
|
||||
# Use virtualenv binary
|
||||
environ = os.environ.copy()
|
||||
environ['VIRTUALENV_NO_DOWNLOAD'] = '1'
|
||||
command = ['virtualenv', '--no-site-packages', '--python', sys.executable, venv_path]
|
||||
subprocess.check_call(command, stdout=stdout, env=environ)
|
||||
else:
|
||||
# Use embedded venv module in Python 3
|
||||
command = [sys.executable, '-m', 'venv', venv_path]
|
||||
subprocess.check_call(command, stdout=stdout)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
create_venv(*sys.argv[1:])
|
||||
|
||||
UNLIKELY_EOF
|
||||
}
|
||||
|
||||
# Check that the given PATH_TO_CHECK has secured permissions.
|
||||
# Parameters: LE_PYTHON, PATH_TO_CHECK
|
||||
CheckPathPermissions() {
|
||||
"$1" - "$2" << "UNLIKELY_EOF"
|
||||
"""Verifies certbot-auto cannot be modified by unprivileged users.
|
||||
|
||||
This script takes the path to certbot-auto as its only command line
|
||||
argument. It then checks that the file can only be modified by uid/gid
|
||||
< 1000 and if other users can modify the file, it prints a warning with
|
||||
a suggestion on how to solve the problem.
|
||||
|
||||
Permissions on symlinks in the absolute path of certbot-auto are ignored
|
||||
and only the canonical path to certbot-auto is checked. There could be
|
||||
permissions problems due to the symlinks that are unreported by this
|
||||
script, however, issues like this were not caused by our documentation
|
||||
and are ignored for the sake of simplicity.
|
||||
|
||||
All warnings are printed to stdout rather than stderr so all stderr
|
||||
output from this script can be suppressed to avoid printing messages if
|
||||
this script fails for some reason.
|
||||
|
||||
"""
|
||||
from __future__ import print_function
|
||||
|
||||
import os
|
||||
import stat
|
||||
import sys
|
||||
|
||||
|
||||
FORUM_POST_URL = 'https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/'
|
||||
|
||||
|
||||
def has_safe_permissions(path):
|
||||
"""Returns True if the given path has secure permissions.
|
||||
|
||||
The permissions are considered safe if the file is only writable by
|
||||
uid/gid < 1000.
|
||||
|
||||
The reason we allow more IDs than 0 is because on some systems such
|
||||
as Debian, system users/groups other than uid/gid 0 are used for the
|
||||
path we recommend in our instructions which is /usr/local/bin. 1000
|
||||
was chosen because on Debian 0-999 is reserved for system IDs[1] and
|
||||
on RHEL either 0-499 or 0-999 is reserved depending on the
|
||||
version[2][3]. Due to these differences across different OSes, this
|
||||
detection isn't perfect so we only determine permissions are
|
||||
insecure when we can be reasonably confident there is a problem
|
||||
regardless of the underlying OS.
|
||||
|
||||
[1] https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
|
||||
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/ch-managing_users_and_groups
|
||||
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-managing_users_and_groups
|
||||
|
||||
:param str path: filesystem path to check
|
||||
:returns: True if the path has secure permissions, otherwise, False
|
||||
:rtype: bool
|
||||
|
||||
"""
|
||||
# os.stat follows symlinks before obtaining information about a file.
|
||||
stat_result = os.stat(path)
|
||||
if stat_result.st_mode & stat.S_IWOTH:
|
||||
return False
|
||||
if stat_result.st_mode & stat.S_IWGRP and stat_result.st_gid >= 1000:
|
||||
return False
|
||||
if stat_result.st_mode & stat.S_IWUSR and stat_result.st_uid >= 1000:
|
||||
return False
|
||||
return True
|
||||
|
||||
|
||||
def main(certbot_auto_path):
|
||||
current_path = os.path.realpath(certbot_auto_path)
|
||||
last_path = None
|
||||
permissions_ok = True
|
||||
# This loop makes use of the fact that os.path.dirname('/') == '/'.
|
||||
while current_path != last_path and permissions_ok:
|
||||
permissions_ok = has_safe_permissions(current_path)
|
||||
last_path = current_path
|
||||
current_path = os.path.dirname(current_path)
|
||||
|
||||
if not permissions_ok:
|
||||
print('{0} has insecure permissions!'.format(certbot_auto_path))
|
||||
print('To learn how to fix them, visit {0}'.format(FORUM_POST_URL))
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main(sys.argv[1])
|
||||
|
||||
UNLIKELY_EOF
|
||||
}
|
||||
|
||||
if [ "$1" = "--le-auto-phase2" ]; then
|
||||
# Phase 2: Create venv, install LE, and run.
|
||||
|
||||
shift 1 # the --le-auto-phase2 arg
|
||||
|
||||
if [ "$DEPRECATED_OS" = 1 ]; then
|
||||
# Phase 2 damage control mode for deprecated OSes.
|
||||
# In this situation, we bypass any bootstrap or certbot venv setup.
|
||||
# error "Your system is not supported by certbot-auto anymore."
|
||||
|
||||
if [ ! -d "$VENV_PATH" ] && OldVenvExists; then
|
||||
VENV_BIN="$OLD_VENV_PATH/bin"
|
||||
fi
|
||||
|
||||
if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then
|
||||
# error "certbot-auto and its Certbot installation will no longer receive updates."
|
||||
# error "You will not receive any bug fixes including those fixing server compatibility"
|
||||
# error "or security problems."
|
||||
# error "Please visit https://certbot.eff.org/ to check for other alternatives."
|
||||
"$VENV_BIN/letsencrypt" "$@"
|
||||
exit 0
|
||||
else
|
||||
error "Certbot cannot be installed."
|
||||
error "Please visit https://certbot.eff.org/ to check for other alternatives."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
SetPrevBootstrapVersion
|
||||
|
||||
if [ -z "$PHASE_1_VERSION" -a "$USE_PYTHON_3" = 1 ]; then
|
||||
unset LE_PYTHON
|
||||
fi
|
||||
|
||||
INSTALLED_VERSION="none"
|
||||
if [ -d "$VENV_PATH" ] || OldVenvExists; then
|
||||
# If the selected Bootstrap function isn't a noop and it differs from the
|
||||
# previously used version
|
||||
if [ -n "$BOOTSTRAP_VERSION" -a "$BOOTSTRAP_VERSION" != "$PREV_BOOTSTRAP_VERSION" ]; then
|
||||
# Check if we can rebootstrap without manual user intervention: this requires that
|
||||
# certbot-auto is in non-interactive mode AND selected bootstrap does not claim to
|
||||
# require a manual user intervention.
|
||||
if [ "$NONINTERACTIVE" = 1 -a "$INTERACTIVE_BOOTSTRAP" != 1 ]; then
|
||||
CAN_REBOOTSTRAP=1
|
||||
fi
|
||||
# Check if rebootstrap can be done non-interactively and current shell is non-interactive
|
||||
# (true if stdin and stdout are not attached to a terminal).
|
||||
if [ \( "$CAN_REBOOTSTRAP" = 1 \) -o \( \( -t 0 \) -a \( -t 1 \) \) ]; then
|
||||
if [ -d "$VENV_PATH" ]; then
|
||||
rm -rf "$VENV_PATH"
|
||||
fi
|
||||
# In the case the old venv was just a symlink to the new one,
|
||||
# OldVenvExists is now false because we deleted the venv at VENV_PATH.
|
||||
if OldVenvExists; then
|
||||
rm -rf "$OLD_VENV_PATH"
|
||||
ln -s "$VENV_PATH" "$OLD_VENV_PATH"
|
||||
fi
|
||||
RerunWithArgs "$@"
|
||||
# Otherwise bootstrap needs to be done manually by the user.
|
||||
else
|
||||
# If it is because bootstrapping is interactive, --non-interactive will be of no use.
|
||||
if [ "$INTERACTIVE_BOOTSTRAP" = 1 ]; then
|
||||
error "Skipping upgrade because new OS dependencies may need to be installed."
|
||||
error "This requires manual user intervention: please run this script again manually."
|
||||
# If this is because of the environment (eg. non interactive shell without
|
||||
# --non-interactive flag set), help the user in that direction.
|
||||
else
|
||||
error "Skipping upgrade because new OS dependencies may need to be installed."
|
||||
error
|
||||
error "To upgrade to a newer version, please run this script again manually so you can"
|
||||
error "approve changes or with --non-interactive on the command line to automatically"
|
||||
error "install any required packages."
|
||||
fi
|
||||
# Set INSTALLED_VERSION to be the same so we don't update the venv
|
||||
INSTALLED_VERSION="$LE_AUTO_VERSION"
|
||||
# Continue to use OLD_VENV_PATH if the new venv doesn't exist
|
||||
if [ ! -d "$VENV_PATH" ]; then
|
||||
VENV_BIN="$OLD_VENV_PATH/bin"
|
||||
fi
|
||||
fi
|
||||
elif [ -f "$VENV_BIN/letsencrypt" ]; then
|
||||
# --version output ran through grep due to python-cryptography DeprecationWarnings
|
||||
# grep for both certbot and letsencrypt until certbot and shim packages have been released
|
||||
INSTALLED_VERSION=$("$VENV_BIN/letsencrypt" --version 2>&1 | grep "^certbot\|^letsencrypt" | cut -d " " -f 2)
|
||||
if [ -z "$INSTALLED_VERSION" ]; then
|
||||
error "Error: couldn't get currently installed version for $VENV_BIN/letsencrypt: " 1>&2
|
||||
"$VENV_BIN/letsencrypt" --version
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$LE_AUTO_VERSION" != "$INSTALLED_VERSION" ]; then
|
||||
say "Creating virtual environment..."
|
||||
DeterminePythonVersion
|
||||
CreateVenv "$LE_PYTHON" "$VENV_PATH" "$PYVER" "$VERBOSE"
|
||||
|
||||
if [ -n "$BOOTSTRAP_VERSION" ]; then
|
||||
echo "$BOOTSTRAP_VERSION" > "$BOOTSTRAP_VERSION_PATH"
|
||||
elif [ -n "$PREV_BOOTSTRAP_VERSION" ]; then
|
||||
echo "$PREV_BOOTSTRAP_VERSION" > "$BOOTSTRAP_VERSION_PATH"
|
||||
fi
|
||||
|
||||
say "Installing Python packages..."
|
||||
TEMP_DIR=$(TempDir)
|
||||
trap 'rm -rf "$TEMP_DIR"' EXIT
|
||||
# There is no $ interpolation due to quotes on starting heredoc delimiter.
|
||||
# -------------------------------------------------------------------------
|
||||
cat << "UNLIKELY_EOF" > "$TEMP_DIR/letsencrypt-auto-requirements.txt"
|
||||
# This is the flattened list of packages certbot-auto installs.
|
||||
# To generate this, do (with docker and package hashin installed):
|
||||
# ```
|
||||
# letsencrypt-auto-source/rebuild_dependencies.py \
|
||||
# letsencrypt-auto-source/pieces/dependency-requirements.txt
|
||||
# ```
|
||||
# If you want to update a single dependency, run commands similar to these:
|
||||
# ```
|
||||
# pip install hashin
|
||||
# hashin -r dependency-requirements.txt cryptography==1.5.2
|
||||
# ```
|
||||
ConfigArgParse==1.2.3 \
|
||||
--hash=sha256:edd17be986d5c1ba2e307150b8e5f5107aba125f3574dddd02c85d5cdcfd37dc
|
||||
certifi==2020.4.5.1 \
|
||||
--hash=sha256:1d987a998c75633c40847cc966fcf5904906c920a7f17ef374f5aa4282abd304 \
|
||||
--hash=sha256:51fcb31174be6e6664c5f69e3e1691a2d72a1a12e90f872cbdb1567eb47b6519
|
||||
cffi==1.14.0 \
|
||||
--hash=sha256:001bf3242a1bb04d985d63e138230802c6c8d4db3668fb545fb5005ddf5bb5ff \
|
||||
--hash=sha256:00789914be39dffba161cfc5be31b55775de5ba2235fe49aa28c148236c4e06b \
|
||||
--hash=sha256:028a579fc9aed3af38f4892bdcc7390508adabc30c6af4a6e4f611b0c680e6ac \
|
||||
--hash=sha256:14491a910663bf9f13ddf2bc8f60562d6bc5315c1f09c704937ef17293fb85b0 \
|
||||
--hash=sha256:1cae98a7054b5c9391eb3249b86e0e99ab1e02bb0cc0575da191aedadbdf4384 \
|
||||
--hash=sha256:2089ed025da3919d2e75a4d963d008330c96751127dd6f73c8dc0c65041b4c26 \
|
||||
--hash=sha256:2d384f4a127a15ba701207f7639d94106693b6cd64173d6c8988e2c25f3ac2b6 \
|
||||
--hash=sha256:337d448e5a725bba2d8293c48d9353fc68d0e9e4088d62a9571def317797522b \
|
||||
--hash=sha256:399aed636c7d3749bbed55bc907c3288cb43c65c4389964ad5ff849b6370603e \
|
||||
--hash=sha256:3b911c2dbd4f423b4c4fcca138cadde747abdb20d196c4a48708b8a2d32b16dd \
|
||||
--hash=sha256:3d311bcc4a41408cf5854f06ef2c5cab88f9fded37a3b95936c9879c1640d4c2 \
|
||||
--hash=sha256:62ae9af2d069ea2698bf536dcfe1e4eed9090211dbaafeeedf5cb6c41b352f66 \
|
||||
--hash=sha256:66e41db66b47d0d8672d8ed2708ba91b2f2524ece3dee48b5dfb36be8c2f21dc \
|
||||
--hash=sha256:675686925a9fb403edba0114db74e741d8181683dcf216be697d208857e04ca8 \
|
||||
--hash=sha256:7e63cbcf2429a8dbfe48dcc2322d5f2220b77b2e17b7ba023d6166d84655da55 \
|
||||
--hash=sha256:8a6c688fefb4e1cd56feb6c511984a6c4f7ec7d2a1ff31a10254f3c817054ae4 \
|
||||
--hash=sha256:8c0ffc886aea5df6a1762d0019e9cb05f825d0eec1f520c51be9d198701daee5 \
|
||||
--hash=sha256:95cd16d3dee553f882540c1ffe331d085c9e629499ceadfbda4d4fde635f4b7d \
|
||||
--hash=sha256:99f748a7e71ff382613b4e1acc0ac83bf7ad167fb3802e35e90d9763daba4d78 \
|
||||
--hash=sha256:b8c78301cefcf5fd914aad35d3c04c2b21ce8629b5e4f4e45ae6812e461910fa \
|
||||
--hash=sha256:c420917b188a5582a56d8b93bdd8e0f6eca08c84ff623a4c16e809152cd35793 \
|
||||
--hash=sha256:c43866529f2f06fe0edc6246eb4faa34f03fe88b64a0a9a942561c8e22f4b71f \
|
||||
--hash=sha256:cab50b8c2250b46fe738c77dbd25ce017d5e6fb35d3407606e7a4180656a5a6a \
|
||||
--hash=sha256:cef128cb4d5e0b3493f058f10ce32365972c554572ff821e175dbc6f8ff6924f \
|
||||
--hash=sha256:cf16e3cf6c0a5fdd9bc10c21687e19d29ad1fe863372b5543deaec1039581a30 \
|
||||
--hash=sha256:e56c744aa6ff427a607763346e4170629caf7e48ead6921745986db3692f987f \
|
||||
--hash=sha256:e577934fc5f8779c554639376beeaa5657d54349096ef24abe8c74c5d9c117c3 \
|
||||
--hash=sha256:f2b0fa0c01d8a0c7483afd9f31d7ecf2d71760ca24499c8697aeb5ca37dc090c
|
||||
chardet==3.0.4 \
|
||||
--hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae \
|
||||
--hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691
|
||||
configobj==5.0.6 \
|
||||
--hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902
|
||||
cryptography==2.8 \
|
||||
--hash=sha256:02079a6addc7b5140ba0825f542c0869ff4df9a69c360e339ecead5baefa843c \
|
||||
--hash=sha256:1df22371fbf2004c6f64e927668734070a8953362cd8370ddd336774d6743595 \
|
||||
--hash=sha256:369d2346db5934345787451504853ad9d342d7f721ae82d098083e1f49a582ad \
|
||||
--hash=sha256:3cda1f0ed8747339bbdf71b9f38ca74c7b592f24f65cdb3ab3765e4b02871651 \
|
||||
--hash=sha256:44ff04138935882fef7c686878e1c8fd80a723161ad6a98da31e14b7553170c2 \
|
||||
--hash=sha256:4b1030728872c59687badcca1e225a9103440e467c17d6d1730ab3d2d64bfeff \
|
||||
--hash=sha256:58363dbd966afb4f89b3b11dfb8ff200058fbc3b947507675c19ceb46104b48d \
|
||||
--hash=sha256:6ec280fb24d27e3d97aa731e16207d58bd8ae94ef6eab97249a2afe4ba643d42 \
|
||||
--hash=sha256:7270a6c29199adc1297776937a05b59720e8a782531f1f122f2eb8467f9aab4d \
|
||||
--hash=sha256:73fd30c57fa2d0a1d7a49c561c40c2f79c7d6c374cc7750e9ac7c99176f6428e \
|
||||
--hash=sha256:7f09806ed4fbea8f51585231ba742b58cbcfbfe823ea197d8c89a5e433c7e912 \
|
||||
--hash=sha256:90df0cc93e1f8d2fba8365fb59a858f51a11a394d64dbf3ef844f783844cc793 \
|
||||
--hash=sha256:971221ed40f058f5662a604bd1ae6e4521d84e6cad0b7b170564cc34169c8f13 \
|
||||
--hash=sha256:a518c153a2b5ed6b8cc03f7ae79d5ffad7315ad4569b2d5333a13c38d64bd8d7 \
|
||||
--hash=sha256:b0de590a8b0979649ebeef8bb9f54394d3a41f66c5584fff4220901739b6b2f0 \
|
||||
--hash=sha256:b43f53f29816ba1db8525f006fa6f49292e9b029554b3eb56a189a70f2a40879 \
|
||||
--hash=sha256:d31402aad60ed889c7e57934a03477b572a03af7794fa8fb1780f21ea8f6551f \
|
||||
--hash=sha256:de96157ec73458a7f14e3d26f17f8128c959084931e8997b9e655a39c8fde9f9 \
|
||||
--hash=sha256:df6b4dca2e11865e6cfbfb708e800efb18370f5a46fd601d3755bc7f85b3a8a2 \
|
||||
--hash=sha256:ecadccc7ba52193963c0475ac9f6fa28ac01e01349a2ca48509667ef41ffd2cf \
|
||||
--hash=sha256:fb81c17e0ebe3358486cd8cc3ad78adbae58af12fc2bf2bc0bb84e8090fa5ce8
|
||||
distro==1.5.0 \
|
||||
--hash=sha256:0e58756ae38fbd8fc3020d54badb8eae17c5b9dcbed388b17bb55b8a5928df92 \
|
||||
--hash=sha256:df74eed763e18d10d0da624258524ae80486432cd17392d9c3d96f5e83cd2799
|
||||
enum34==1.1.10; python_version < '3.4' \
|
||||
--hash=sha256:a98a201d6de3f2ab3db284e70a33b0f896fbf35f8086594e8c9e74b909058d53 \
|
||||
--hash=sha256:c3858660960c984d6ab0ebad691265180da2b43f07e061c0f8dca9ef3cffd328 \
|
||||
--hash=sha256:cce6a7477ed816bd2542d03d53db9f0db935dd013b70f336a95c73979289f248
|
||||
funcsigs==1.0.2 \
|
||||
--hash=sha256:330cc27ccbf7f1e992e69fef78261dc7c6569012cf397db8d3de0234e6c937ca \
|
||||
--hash=sha256:a7bb0f2cf3a3fd1ab2732cb49eba4252c2af4240442415b4abce3b87022a8f50
|
||||
idna==2.9 \
|
||||
--hash=sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb \
|
||||
--hash=sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa
|
||||
ipaddress==1.0.23 \
|
||||
--hash=sha256:6e0f4a39e66cb5bb9a137b00276a2eff74f93b71dcbdad6f10ff7df9d3557fcc \
|
||||
--hash=sha256:b7f8e0369580bb4a24d5ba1d7cc29660a4a6987763faf1d8a8046830e020e7e2
|
||||
josepy==1.3.0 \
|
||||
--hash=sha256:c341ffa403399b18e9eae9012f804843045764d1390f9cb4648980a7569b1619 \
|
||||
--hash=sha256:e54882c64be12a2a76533f73d33cba9e331950fda9e2731e843490b774e7a01c
|
||||
mock==1.3.0 \
|
||||
--hash=sha256:1e247dbecc6ce057299eb7ee019ad68314bb93152e81d9a6110d35f4d5eca0f6 \
|
||||
--hash=sha256:3f573a18be94de886d1191f27c168427ef693e8dcfcecf95b170577b2eb69cbb
|
||||
parsedatetime==2.5 \
|
||||
--hash=sha256:3b835fc54e472c17ef447be37458b400e3fefdf14bb1ffdedb5d2c853acf4ba1 \
|
||||
--hash=sha256:d2e9ddb1e463de871d32088a3f3cea3dc8282b1b2800e081bd0ef86900451667
|
||||
pbr==5.4.5 \
|
||||
--hash=sha256:07f558fece33b05caf857474a366dfcc00562bca13dd8b47b2b3e22d9f9bf55c \
|
||||
--hash=sha256:579170e23f8e0c2f24b0de612f71f648eccb79fb1322c814ae6b3c07b5ba23e8
|
||||
pyOpenSSL==19.1.0 \
|
||||
--hash=sha256:621880965a720b8ece2f1b2f54ea2071966ab00e2970ad2ce11d596102063504 \
|
||||
--hash=sha256:9a24494b2602aaf402be5c9e30a0b82d4a5c67528fe8fb475e3f3bc00dd69507
|
||||
pyRFC3339==1.1 \
|
||||
--hash=sha256:67196cb83b470709c580bb4738b83165e67c6cc60e1f2e4f286cfcb402a926f4 \
|
||||
--hash=sha256:81b8cbe1519cdb79bed04910dd6fa4e181faf8c88dff1e1b987b5f7ab23a5b1a
|
||||
pycparser==2.20 \
|
||||
--hash=sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0 \
|
||||
--hash=sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705
|
||||
pyparsing==2.4.7 \
|
||||
--hash=sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1 \
|
||||
--hash=sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b
|
||||
python-augeas==0.5.0 \
|
||||
--hash=sha256:67d59d66cdba8d624e0389b87b2a83a176f21f16a87553b50f5703b23f29bac2
|
||||
pytz==2020.1 \
|
||||
--hash=sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed \
|
||||
--hash=sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048
|
||||
requests==2.23.0 \
|
||||
--hash=sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee \
|
||||
--hash=sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6
|
||||
requests-toolbelt==0.9.1 \
|
||||
--hash=sha256:380606e1d10dc85c3bd47bf5a6095f815ec007be7a8b69c878507068df059e6f \
|
||||
--hash=sha256:968089d4584ad4ad7c171454f0a5c6dac23971e9472521ea3b6d49d610aa6fc0
|
||||
six==1.15.0 \
|
||||
--hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
|
||||
--hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
|
||||
urllib3==1.25.9 \
|
||||
--hash=sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527 \
|
||||
--hash=sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115
|
||||
zope.component==4.6.1 \
|
||||
--hash=sha256:bfbe55d4a93e70a78b10edc3aad4de31bb8860919b7cbd8d66f717f7d7b279ac \
|
||||
--hash=sha256:d9c7c27673d787faff8a83797ce34d6ebcae26a370e25bddb465ac2182766aca
|
||||
zope.deferredimport==4.3.1 \
|
||||
--hash=sha256:57b2345e7b5eef47efcd4f634ff16c93e4265de3dcf325afc7315ade48d909e1 \
|
||||
--hash=sha256:9a0c211df44aa95f1c4e6d2626f90b400f56989180d3ef96032d708da3d23e0a
|
||||
zope.deprecation==4.4.0 \
|
||||
--hash=sha256:0d453338f04bacf91bbfba545d8bcdf529aa829e67b705eac8c1a7fdce66e2df \
|
||||
--hash=sha256:f1480b74995958b24ce37b0ef04d3663d2683e5d6debc96726eff18acf4ea113
|
||||
zope.event==4.4 \
|
||||
--hash=sha256:69c27debad9bdacd9ce9b735dad382142281ac770c4a432b533d6d65c4614bcf \
|
||||
--hash=sha256:d8e97d165fd5a0997b45f5303ae11ea3338becfe68c401dd88ffd2113fe5cae7
|
||||
zope.hookable==5.0.1 \
|
||||
--hash=sha256:0194b9b9e7f614abba60c90b231908861036578297515d3d6508eb10190f266d \
|
||||
--hash=sha256:0c2977473918bdefc6fa8dfb311f154e7f13c6133957fe649704deca79b92093 \
|
||||
--hash=sha256:17b8bdb3b77e03a152ca0d5ca185a7ae0156f5e5a2dbddf538676633a1f7380f \
|
||||
--hash=sha256:29d07681a78042cdd15b268ae9decffed9ace68a53eebeb61d65ae931d158841 \
|
||||
--hash=sha256:36fb1b35d1150267cb0543a1ddd950c0bc2c75ed0e6e92e3aaa6ac2e29416cb7 \
|
||||
--hash=sha256:3aed60c2bb5e812bbf9295c70f25b17ac37c233f30447a96c67913ba5073642f \
|
||||
--hash=sha256:3cac1565cc768911e72ca9ec4ddf5c5109e1fef0104f19f06649cf1874943b60 \
|
||||
--hash=sha256:3d4bc0cc4a37c3cd3081063142eeb2125511db3c13f6dc932d899c512690378e \
|
||||
--hash=sha256:3f73096f27b8c28be53ffb6604f7b570fbbb82f273c6febe5f58119009b59898 \
|
||||
--hash=sha256:522d1153d93f2d48aa0bd9fb778d8d4500be2e4dcf86c3150768f0e3adbbc4ef \
|
||||
--hash=sha256:523d2928fb7377bbdbc9af9c0b14ad73e6eaf226349f105733bdae27efd15b5a \
|
||||
--hash=sha256:5848309d4fc5c02150a45e8f8d2227e5bfda386a508bbd3160fed7c633c5a2fa \
|
||||
--hash=sha256:6781f86e6d54a110980a76e761eb54590630fd2af2a17d7edf02a079d2646c1d \
|
||||
--hash=sha256:6fd27921ebf3aaa945fa25d790f1f2046204f24dba4946f82f5f0a442577c3e9 \
|
||||
--hash=sha256:70d581862863f6bf9e175e85c9d70c2d7155f53fb04dcdb2f73cf288ca559a53 \
|
||||
--hash=sha256:81867c23b0dc66c8366f351d00923f2bc5902820a24c2534dfd7bf01a5879963 \
|
||||
--hash=sha256:81db29edadcbb740cd2716c95a297893a546ed89db1bfe9110168732d7f0afdd \
|
||||
--hash=sha256:86bd12624068cea60860a0759af5e2c3adc89c12aef6f71cf12f577e28deefe3 \
|
||||
--hash=sha256:9c184d8f9f7a76e1ced99855ccf390ffdd0ec3765e5cbf7b9cada600accc0a1e \
|
||||
--hash=sha256:acc789e8c29c13555e43fe4bf9fcd15a65512c9645e97bbaa5602e3201252b02 \
|
||||
--hash=sha256:afaa740206b7660d4cc3b8f120426c85761f51379af7a5b05451f624ad12b0af \
|
||||
--hash=sha256:b5f5fa323f878bb16eae68ea1ba7f6c0419d4695d0248bed4b18f51d7ce5ab85 \
|
||||
--hash=sha256:bd89e0e2c67bf4ac3aca2a19702b1a37269fb1923827f68324ac2e7afd6e3406 \
|
||||
--hash=sha256:c212de743283ec0735db24ec6ad913758df3af1b7217550ff270038062afd6ae \
|
||||
--hash=sha256:ca553f524293a0bdea05e7f44c3e685e4b7b022cb37d87bc4a3efa0f86587a8d \
|
||||
--hash=sha256:cab67065a3db92f636128d3157cc5424a145f82d96fb47159c539132833a6d36 \
|
||||
--hash=sha256:d3b3b3eedfdbf6b02898216e85aa6baf50207f4378a2a6803d6d47650cd37031 \
|
||||
--hash=sha256:d9f4a5a72f40256b686d31c5c0b1fde503172307beb12c1568296e76118e402c \
|
||||
--hash=sha256:df5067d87aaa111ed5d050e1ee853ba284969497f91806efd42425f5348f1c06 \
|
||||
--hash=sha256:e2587644812c6138f05b8a41594a8337c6790e3baf9a01915e52438c13fc6bef \
|
||||
--hash=sha256:e27fd877662db94f897f3fd532ef211ca4901eb1a70ba456f15c0866a985464a \
|
||||
--hash=sha256:e427ebbdd223c72e06ba94c004bb04e996c84dec8a0fa84e837556ae145c439e \
|
||||
--hash=sha256:e583ad4309c203ef75a09d43434cf9c2b4fa247997ecb0dcad769982c39411c7 \
|
||||
--hash=sha256:e760b2bc8ece9200804f0c2b64d10147ecaf18455a2a90827fbec4c9d84f3ad5 \
|
||||
--hash=sha256:ea9a9cc8bcc70e18023f30fa2f53d11ae069572a162791224e60cd65df55fb69 \
|
||||
--hash=sha256:ecb3f17dce4803c1099bd21742cd126b59817a4e76a6544d31d2cca6e30dbffd \
|
||||
--hash=sha256:ed794e3b3de42486d30444fb60b5561e724ee8a2d1b17b0c2e0f81e3ddaf7a87 \
|
||||
--hash=sha256:ee885d347279e38226d0a437b6a932f207f691c502ee565aba27a7022f1285df \
|
||||
--hash=sha256:fd5e7bc5f24f7e3d490698f7b854659a9851da2187414617cd5ed360af7efd63 \
|
||||
--hash=sha256:fe45f6870f7588ac7b2763ff1ce98cce59369717afe70cc353ec5218bc854bcc
|
||||
zope.interface==5.1.0 \
|
||||
--hash=sha256:0103cba5ed09f27d2e3de7e48bb320338592e2fabc5ce1432cf33808eb2dfd8b \
|
||||
--hash=sha256:14415d6979356629f1c386c8c4249b4d0082f2ea7f75871ebad2e29584bd16c5 \
|
||||
--hash=sha256:1ae4693ccee94c6e0c88a4568fb3b34af8871c60f5ba30cf9f94977ed0e53ddd \
|
||||
--hash=sha256:1b87ed2dc05cb835138f6a6e3595593fea3564d712cb2eb2de963a41fd35758c \
|
||||
--hash=sha256:269b27f60bcf45438e8683269f8ecd1235fa13e5411de93dae3b9ee4fe7f7bc7 \
|
||||
--hash=sha256:27d287e61639d692563d9dab76bafe071fbeb26818dd6a32a0022f3f7ca884b5 \
|
||||
--hash=sha256:39106649c3082972106f930766ae23d1464a73b7d30b3698c986f74bf1256a34 \
|
||||
--hash=sha256:40e4c42bd27ed3c11b2c983fecfb03356fae1209de10686d03c02c8696a1d90e \
|
||||
--hash=sha256:461d4339b3b8f3335d7e2c90ce335eb275488c587b61aca4b305196dde2ff086 \
|
||||
--hash=sha256:4f98f70328bc788c86a6a1a8a14b0ea979f81ae6015dd6c72978f1feff70ecda \
|
||||
--hash=sha256:558a20a0845d1a5dc6ff87cd0f63d7dac982d7c3be05d2ffb6322a87c17fa286 \
|
||||
--hash=sha256:562dccd37acec149458c1791da459f130c6cf8902c94c93b8d47c6337b9fb826 \
|
||||
--hash=sha256:5e86c66a6dea8ab6152e83b0facc856dc4d435fe0f872f01d66ce0a2131b7f1d \
|
||||
--hash=sha256:60a207efcd8c11d6bbeb7862e33418fba4e4ad79846d88d160d7231fcb42a5ee \
|
||||
--hash=sha256:645a7092b77fdbc3f68d3cc98f9d3e71510e419f54019d6e282328c0dd140dcd \
|
||||
--hash=sha256:6874367586c020705a44eecdad5d6b587c64b892e34305bb6ed87c9bbe22a5e9 \
|
||||
--hash=sha256:74bf0a4f9091131de09286f9a605db449840e313753949fe07c8d0fe7659ad1e \
|
||||
--hash=sha256:7b726194f938791a6691c7592c8b9e805fc6d1b9632a833b9c0640828cd49cbc \
|
||||
--hash=sha256:8149ded7f90154fdc1a40e0c8975df58041a6f693b8f7edcd9348484e9dc17fe \
|
||||
--hash=sha256:8cccf7057c7d19064a9e27660f5aec4e5c4001ffcf653a47531bde19b5aa2a8a \
|
||||
--hash=sha256:911714b08b63d155f9c948da2b5534b223a1a4fc50bb67139ab68b277c938578 \
|
||||
--hash=sha256:a5f8f85986197d1dd6444763c4a15c991bfed86d835a1f6f7d476f7198d5f56a \
|
||||
--hash=sha256:a744132d0abaa854d1aad50ba9bc64e79c6f835b3e92521db4235a1991176813 \
|
||||
--hash=sha256:af2c14efc0bb0e91af63d00080ccc067866fb8cbbaca2b0438ab4105f5e0f08d \
|
||||
--hash=sha256:b054eb0a8aa712c8e9030065a59b5e6a5cf0746ecdb5f087cca5ec7685690c19 \
|
||||
--hash=sha256:b0becb75418f8a130e9d465e718316cd17c7a8acce6fe8fe07adc72762bee425 \
|
||||
--hash=sha256:b1d2ed1cbda2ae107283befd9284e650d840f8f7568cb9060b5466d25dc48975 \
|
||||
--hash=sha256:ba4261c8ad00b49d48bbb3b5af388bb7576edfc0ca50a49c11dcb77caa1d897e \
|
||||
--hash=sha256:d1fe9d7d09bb07228650903d6a9dc48ea649e3b8c69b1d263419cc722b3938e8 \
|
||||
--hash=sha256:d7804f6a71fc2dda888ef2de266727ec2f3915373d5a785ed4ddc603bbc91e08 \
|
||||
--hash=sha256:da2844fba024dd58eaa712561da47dcd1e7ad544a257482392472eae1c86d5e5 \
|
||||
--hash=sha256:dcefc97d1daf8d55199420e9162ab584ed0893a109f45e438b9794ced44c9fd0 \
|
||||
--hash=sha256:dd98c436a1fc56f48c70882cc243df89ad036210d871c7427dc164b31500dc11 \
|
||||
--hash=sha256:e74671e43ed4569fbd7989e5eecc7d06dc134b571872ab1d5a88f4a123814e9f \
|
||||
--hash=sha256:eb9b92f456ff3ec746cd4935b73c1117538d6124b8617bc0fe6fda0b3816e345 \
|
||||
--hash=sha256:ebb4e637a1fb861c34e48a00d03cffa9234f42bef923aec44e5625ffb9a8e8f9 \
|
||||
--hash=sha256:ef739fe89e7f43fb6494a43b1878a36273e5924869ba1d866f752c5812ae8d58 \
|
||||
--hash=sha256:f40db0e02a8157d2b90857c24d89b6310f9b6c3642369852cdc3b5ac49b92afc \
|
||||
--hash=sha256:f68bf937f113b88c866d090fea0bc52a098695173fc613b055a17ff0cf9683b6 \
|
||||
--hash=sha256:fb55c182a3f7b84c1a2d6de5fa7b1a05d4660d866b91dbf8d74549c57a1499e8
|
||||
zope.proxy==4.3.5 \
|
||||
--hash=sha256:00573dfa755d0703ab84bb23cb6ecf97bb683c34b340d4df76651f97b0bab068 \
|
||||
--hash=sha256:092049280f2848d2ba1b57b71fe04881762a220a97b65288bcb0968bb199ec30 \
|
||||
--hash=sha256:0cbd27b4d3718b5ec74fc65ffa53c78d34c65c6fd9411b8352d2a4f855220cf1 \
|
||||
--hash=sha256:17fc7e16d0c81f833a138818a30f366696653d521febc8e892858041c4d88785 \
|
||||
--hash=sha256:19577dfeb70e8a67249ba92c8ad20589a1a2d86a8d693647fa8385408a4c17b0 \
|
||||
--hash=sha256:207aa914576b1181597a1516e1b90599dc690c095343ae281b0772e44945e6a4 \
|
||||
--hash=sha256:219a7db5ed53e523eb4a4769f13105118b6d5b04ed169a283c9775af221e231f \
|
||||
--hash=sha256:2b50ea79849e46b5f4f2b0247a3687505d32d161eeb16a75f6f7e6cd81936e43 \
|
||||
--hash=sha256:5903d38362b6c716e66bbe470f190579c530a5baf03dbc8500e5c2357aa569a5 \
|
||||
--hash=sha256:5c24903675e271bd688c6e9e7df5775ac6b168feb87dbe0e4bcc90805f21b28f \
|
||||
--hash=sha256:5ef6bc5ed98139e084f4e91100f2b098a0cd3493d4e76f9d6b3f7b95d7ad0f06 \
|
||||
--hash=sha256:61b55ae3c23a126a788b33ffb18f37d6668e79a05e756588d9e4d4be7246ab1c \
|
||||
--hash=sha256:63ddb992931a5e616c87d3d89f5a58db086e617548005c7f9059fac68c03a5cc \
|
||||
--hash=sha256:6943da9c09870490dcfd50c4909c0cc19f434fa6948f61282dc9cb07bcf08160 \
|
||||
--hash=sha256:6ad40f85c1207803d581d5d75e9ea25327cd524925699a83dfc03bf8e4ba72b7 \
|
||||
--hash=sha256:6b44433a79bdd7af0e3337bd7bbcf53dd1f9b0fa66bf21bcb756060ce32a96c1 \
|
||||
--hash=sha256:6bbaa245015d933a4172395baad7874373f162955d73612f0b66b6c2c33b6366 \
|
||||
--hash=sha256:7007227f4ea85b40a2f5e5a244479f6a6dfcf906db9b55e812a814a8f0e2c28d \
|
||||
--hash=sha256:74884a0aec1f1609190ec8b34b5d58fb3b5353cf22b96161e13e0e835f13518f \
|
||||
--hash=sha256:7d25fe5571ddb16369054f54cdd883f23de9941476d97f2b92eb6d7d83afe22d \
|
||||
--hash=sha256:7e162bdc5e3baad26b2262240be7d2bab36991d85a6a556e48b9dfb402370261 \
|
||||
--hash=sha256:814d62678dc3a30f4aa081982d830b7c342cf230ffc9d030b020cb154eeebf9e \
|
||||
--hash=sha256:8878a34c5313ee52e20aa50b03138af8d472bae465710fb954d133a9bfd3c38d \
|
||||
--hash=sha256:a66a0d94e5b081d5d695e66d6667e91e74d79e273eee95c1747717ba9cb70792 \
|
||||
--hash=sha256:a69f5cbf4addcfdf03dda564a671040127a6b7c34cf9fe4973582e68441b63fa \
|
||||
--hash=sha256:b00f9f0c334d07709d3f73a7cb8ae63c6ca1a90c790a63b5e7effa666ef96021 \
|
||||
--hash=sha256:b6ed71e4a7b4690447b626f499d978aa13197a0e592950e5d7020308f6054698 \
|
||||
--hash=sha256:bdf5041e5851526e885af579d2f455348dba68d74f14a32781933569a327fddf \
|
||||
--hash=sha256:be034360dd34e62608419f86e799c97d389c10a0e677a25f236a971b2f40dac9 \
|
||||
--hash=sha256:cc8f590a5eed30b314ae6b0232d925519ade433f663de79cc3783e4b10d662ba \
|
||||
--hash=sha256:cd7a318a15fe6cc4584bf3c4426f092ed08c0fd012cf2a9173114234fe193e11 \
|
||||
--hash=sha256:cf19b5f63a59c20306e034e691402b02055c8f4e38bf6792c23cad489162a642 \
|
||||
--hash=sha256:cfc781ce442ec407c841e9aa51d0e1024f72b6ec34caa8fdb6ef9576d549acf2 \
|
||||
--hash=sha256:dea9f6f8633571e18bc20cad83603072e697103a567f4b0738d52dd0211b4527 \
|
||||
--hash=sha256:e4a86a1d5eb2cce83c5972b3930c7c1eac81ab3508464345e2b8e54f119d5505 \
|
||||
--hash=sha256:e7106374d4a74ed9ff00c46cc00f0a9f06a0775f8868e423f85d4464d2333679 \
|
||||
--hash=sha256:e98a8a585b5668aa9e34d10f7785abf9545fe72663b4bfc16c99a115185ae6a5 \
|
||||
--hash=sha256:f64840e68483316eb58d82c376ad3585ca995e69e33b230436de0cdddf7363f9 \
|
||||
--hash=sha256:f8f4b0a9e6683e43889852130595c8854d8ae237f2324a053cdd884de936aa9b \
|
||||
--hash=sha256:fc45a53219ed30a7f670a6d8c98527af0020e6fd4ee4c0a8fb59f147f06d816c
|
||||
|
||||
# Contains the requirements for the letsencrypt package.
|
||||
#
|
||||
# Since the letsencrypt package depends on certbot and using pip with hashes
|
||||
# requires that all installed packages have hashes listed, this allows
|
||||
# dependency-requirements.txt to be used without requiring a hash for a
|
||||
# (potentially unreleased) Certbot package.
|
||||
|
||||
letsencrypt==0.7.0 \
|
||||
--hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \
|
||||
--hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9
|
||||
|
||||
certbot==1.14.0 \
|
||||
--hash=sha256:67b4d26ceaea6c7f8325d0d45169e7a165a2cabc7122c84bc971ba068ca19cca \
|
||||
--hash=sha256:959ea90c6bb8dca38eab9772722cb940972ef6afcd5f15deef08b3c3636841eb
|
||||
acme==1.14.0 \
|
||||
--hash=sha256:4f48c41261202f1a389ec2986b2580b58f53e0d5a1ae2463b34318d78b87fc66 \
|
||||
--hash=sha256:61daccfb0343628cbbca551a7fc4c82482113952c21db3fe0c585b7c98fa1c35
|
||||
certbot-apache==1.14.0 \
|
||||
--hash=sha256:b757038db23db707c44630fecb46e99172bd791f0db5a8e623c0842613c4d3d9 \
|
||||
--hash=sha256:887fe4a21af2de1e5c2c9428bacba6eb7c1219257bc70f1a1d8447c8a321adb0
|
||||
certbot-nginx==1.14.0 \
|
||||
--hash=sha256:8916a815437988d6c192df9f035bb7a176eab20eee0956677b335d0698d243fb \
|
||||
--hash=sha256:cc2a8a0de56d9bb6b2efbda6c80c647dad8db2bb90675cac03ade94bd5fc8597
|
||||
|
||||
UNLIKELY_EOF
|
||||
# -------------------------------------------------------------------------
|
||||
cat << "UNLIKELY_EOF" > "$TEMP_DIR/pipstrap.py"
|
||||
#!/usr/bin/env python
|
||||
"""A small script that can act as a trust root for installing pip >=8
|
||||
Embed this in your project, and your VCS checkout is all you have to trust. In
|
||||
a post-peep era, this lets you claw your way to a hash-checking version of pip,
|
||||
with which you can install the rest of your dependencies safely. All it assumes
|
||||
is Python 2.6 or better and *some* version of pip already installed. If
|
||||
anything goes wrong, it will exit with a non-zero status code.
|
||||
"""
|
||||
# This is here so embedded copies are MIT-compliant:
|
||||
# Copyright (c) 2016 Erik Rose
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to
|
||||
# deal in the Software without restriction, including without limitation the
|
||||
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
||||
# sell copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
from __future__ import print_function
|
||||
from distutils.version import StrictVersion
|
||||
from hashlib import sha256
|
||||
from os import environ
|
||||
from os.path import join
|
||||
from shutil import rmtree
|
||||
try:
|
||||
from subprocess import check_output
|
||||
except ImportError:
|
||||
from subprocess import CalledProcessError, PIPE, Popen
|
||||
|
||||
def check_output(*popenargs, **kwargs):
|
||||
if 'stdout' in kwargs:
|
||||
raise ValueError('stdout argument not allowed, it will be '
|
||||
'overridden.')
|
||||
process = Popen(stdout=PIPE, *popenargs, **kwargs)
|
||||
output, unused_err = process.communicate()
|
||||
retcode = process.poll()
|
||||
if retcode:
|
||||
cmd = kwargs.get("args")
|
||||
if cmd is None:
|
||||
cmd = popenargs[0]
|
||||
raise CalledProcessError(retcode, cmd)
|
||||
return output
|
||||
import sys
|
||||
from tempfile import mkdtemp
|
||||
try:
|
||||
from urllib2 import build_opener, HTTPHandler, HTTPSHandler
|
||||
except ImportError:
|
||||
from urllib.request import build_opener, HTTPHandler, HTTPSHandler
|
||||
try:
|
||||
from urlparse import urlparse
|
||||
except ImportError:
|
||||
from urllib.parse import urlparse # 3.4
|
||||
|
||||
|
||||
__version__ = 1, 5, 1
|
||||
PIP_VERSION = '9.0.1'
|
||||
DEFAULT_INDEX_BASE = 'https://pypi.python.org'
|
||||
|
||||
|
||||
# wheel has a conditional dependency on argparse:
|
||||
maybe_argparse = (
|
||||
[('18/dd/e617cfc3f6210ae183374cd9f6a26b20514bbb5a792af97949c5aacddf0f/'
|
||||
'argparse-1.4.0.tar.gz',
|
||||
'62b089a55be1d8949cd2bc7e0df0bddb9e028faefc8c32038cc84862aefdd6e4')]
|
||||
if sys.version_info < (2, 7, 0) else [])
|
||||
|
||||
|
||||
# Be careful when updating the pinned versions here, in particular for pip.
|
||||
# Indeed starting from 10.0, pip will build dependencies in isolation if the
|
||||
# related projects are compliant with PEP 517. This is not something we want
|
||||
# as of now, so the isolation build will need to be disabled wherever
|
||||
# pipstrap is used (see https://github.com/certbot/certbot/issues/8256).
|
||||
PACKAGES = maybe_argparse + [
|
||||
# Pip has no dependencies, as it vendors everything:
|
||||
('11/b6/abcb525026a4be042b486df43905d6893fb04f05aac21c32c638e939e447/'
|
||||
'pip-{0}.tar.gz'.format(PIP_VERSION),
|
||||
'09f243e1a7b461f654c26a725fa373211bb7ff17a9300058b205c61658ca940d'),
|
||||
# This version of setuptools has only optional dependencies:
|
||||
('37/1b/b25507861991beeade31473868463dad0e58b1978c209de27384ae541b0b/'
|
||||
'setuptools-40.6.3.zip',
|
||||
'3b474dad69c49f0d2d86696b68105f3a6f195f7ab655af12ef9a9c326d2b08f8'),
|
||||
('c9/1d/bd19e691fd4cfe908c76c429fe6e4436c9e83583c4414b54f6c85471954a/'
|
||||
'wheel-0.29.0.tar.gz',
|
||||
'1ebb8ad7e26b448e9caa4773d2357849bf80ff9e313964bcaf79cbf0201a1648')
|
||||
]
|
||||
|
||||
|
||||
class HashError(Exception):
|
||||
def __str__(self):
|
||||
url, path, actual, expected = self.args
|
||||
return ('{url} did not match the expected hash {expected}. Instead, '
|
||||
'it was {actual}. The file (left at {path}) may have been '
|
||||
'tampered with.'.format(**locals()))
|
||||
|
||||
|
||||
def hashed_download(url, temp, digest):
|
||||
"""Download ``url`` to ``temp``, make sure it has the SHA-256 ``digest``,
|
||||
and return its path."""
|
||||
# Based on pip 1.4.1's URLOpener but with cert verification removed. Python
|
||||
# >=2.7.9 verifies HTTPS certs itself, and, in any case, the cert
|
||||
# authenticity has only privacy (not arbitrary code execution)
|
||||
# implications, since we're checking hashes.
|
||||
def opener(using_https=True):
|
||||
opener = build_opener(HTTPSHandler())
|
||||
if using_https:
|
||||
# Strip out HTTPHandler to prevent MITM spoof:
|
||||
for handler in opener.handlers:
|
||||
if isinstance(handler, HTTPHandler):
|
||||
opener.handlers.remove(handler)
|
||||
return opener
|
||||
|
||||
def read_chunks(response, chunk_size):
|
||||
while True:
|
||||
chunk = response.read(chunk_size)
|
||||
if not chunk:
|
||||
break
|
||||
yield chunk
|
||||
|
||||
parsed_url = urlparse(url)
|
||||
response = opener(using_https=parsed_url.scheme == 'https').open(url)
|
||||
path = join(temp, parsed_url.path.split('/')[-1])
|
||||
actual_hash = sha256()
|
||||
with open(path, 'wb') as file:
|
||||
for chunk in read_chunks(response, 4096):
|
||||
file.write(chunk)
|
||||
actual_hash.update(chunk)
|
||||
|
||||
actual_digest = actual_hash.hexdigest()
|
||||
if actual_digest != digest:
|
||||
raise HashError(url, path, actual_digest, digest)
|
||||
return path
|
||||
|
||||
|
||||
def get_index_base():
|
||||
"""Return the URL to the dir containing the "packages" folder.
|
||||
Try to wring something out of PIP_INDEX_URL, if set. Hack "/simple" off the
|
||||
end if it's there; that is likely to give us the right dir.
|
||||
"""
|
||||
env_var = environ.get('PIP_INDEX_URL', '').rstrip('/')
|
||||
if env_var:
|
||||
SIMPLE = '/simple'
|
||||
if env_var.endswith(SIMPLE):
|
||||
return env_var[:-len(SIMPLE)]
|
||||
else:
|
||||
return env_var
|
||||
else:
|
||||
return DEFAULT_INDEX_BASE
|
||||
|
||||
|
||||
def main():
|
||||
python = sys.executable or 'python'
|
||||
pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
|
||||
.decode('utf-8').split()[1])
|
||||
has_pip_cache = pip_version >= StrictVersion('6.0')
|
||||
index_base = get_index_base()
|
||||
temp = mkdtemp(prefix='pipstrap-')
|
||||
try:
|
||||
downloads = [hashed_download(index_base + '/packages/' + path,
|
||||
temp,
|
||||
digest)
|
||||
for path, digest in PACKAGES]
|
||||
# Calling pip as a module is the preferred way to avoid problems about pip self-upgrade.
|
||||
command = [python, '-m', 'pip', 'install', '--no-index', '--no-deps', '-U']
|
||||
# Disable cache since it is not used and it otherwise sometimes throws permission warnings:
|
||||
command.extend(['--no-cache-dir'] if has_pip_cache else [])
|
||||
command.extend(downloads)
|
||||
check_output(command)
|
||||
except HashError as exc:
|
||||
print(exc)
|
||||
except Exception:
|
||||
rmtree(temp)
|
||||
raise
|
||||
else:
|
||||
rmtree(temp)
|
||||
return 0
|
||||
return 1
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
sys.exit(main())
|
||||
|
||||
UNLIKELY_EOF
|
||||
# -------------------------------------------------------------------------
|
||||
# Set PATH so pipstrap upgrades the right (v)env:
|
||||
PATH="$VENV_BIN:$PATH" "$VENV_BIN/python" "$TEMP_DIR/pipstrap.py"
|
||||
set +e
|
||||
if [ "$VERBOSE" = 1 ]; then
|
||||
"$VENV_BIN/pip" install --disable-pip-version-check --no-cache-dir --require-hashes -r "$TEMP_DIR/letsencrypt-auto-requirements.txt"
|
||||
else
|
||||
PIP_OUT=`"$VENV_BIN/pip" install --disable-pip-version-check --no-cache-dir --require-hashes -r "$TEMP_DIR/letsencrypt-auto-requirements.txt" 2>&1`
|
||||
fi
|
||||
PIP_STATUS=$?
|
||||
set -e
|
||||
if [ "$PIP_STATUS" != 0 ]; then
|
||||
# Report error. (Otherwise, be quiet.)
|
||||
error "Had a problem while installing Python packages."
|
||||
if [ "$VERBOSE" != 1 ]; then
|
||||
error
|
||||
error "pip prints the following errors: "
|
||||
error "====================================================="
|
||||
error "$PIP_OUT"
|
||||
error "====================================================="
|
||||
error
|
||||
error "Certbot has problem setting up the virtual environment."
|
||||
|
||||
if `echo $PIP_OUT | grep -q Killed` || `echo $PIP_OUT | grep -q "allocate memory"` ; then
|
||||
error
|
||||
error "Based on your pip output, the problem can likely be fixed by "
|
||||
error "increasing the available memory."
|
||||
else
|
||||
error
|
||||
error "We were not be able to guess the right solution from your pip "
|
||||
error "output."
|
||||
fi
|
||||
|
||||
error
|
||||
error "Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment"
|
||||
error "for possible solutions."
|
||||
error "You may also find some support resources at https://certbot.eff.org/support/ ."
|
||||
fi
|
||||
rm -rf "$VENV_PATH"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -d "$OLD_VENV_PATH" -a ! -L "$OLD_VENV_PATH" ]; then
|
||||
rm -rf "$OLD_VENV_PATH"
|
||||
ln -s "$VENV_PATH" "$OLD_VENV_PATH"
|
||||
fi
|
||||
|
||||
say "Installation succeeded."
|
||||
fi
|
||||
|
||||
# If you're modifying any of the code after this point in this current `if` block, you
|
||||
# may need to update the "$DEPRECATED_OS" = 1 case at the beginning of phase 2 as well.
|
||||
|
||||
if [ "$INSTALL_ONLY" = 1 ]; then
|
||||
say "Certbot is installed."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
"$VENV_BIN/letsencrypt" "$@"
|
||||
|
||||
else
|
||||
# Phase 1: Upgrade certbot-auto if necessary, then self-invoke.
|
||||
#
|
||||
# Each phase checks the version of only the thing it is responsible for
|
||||
# upgrading. Phase 1 checks the version of the latest release of
|
||||
# certbot-auto (which is always the same as that of the certbot
|
||||
# package). Phase 2 checks the version of the locally installed certbot.
|
||||
export PHASE_1_VERSION="$LE_AUTO_VERSION"
|
||||
|
||||
if [ ! -f "$VENV_BIN/letsencrypt" ]; then
|
||||
if ! OldVenvExists; then
|
||||
if [ "$HELP" = 1 ]; then
|
||||
echo "$USAGE"
|
||||
exit 0
|
||||
fi
|
||||
# If it looks like we've never bootstrapped before, bootstrap:
|
||||
Bootstrap
|
||||
fi
|
||||
fi
|
||||
if [ "$OS_PACKAGES_ONLY" = 1 ]; then
|
||||
say "OS packages installed."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
DeterminePythonVersion "NOCRASH"
|
||||
# Don't warn about file permissions if the user disabled the check or we
|
||||
# can't find an up-to-date Python.
|
||||
if [ "$PYVER" -ge "$MIN_PYVER" -a "$NO_PERMISSIONS_CHECK" != 1 ]; then
|
||||
# If the script fails for some reason, don't break certbot-auto.
|
||||
set +e
|
||||
# Suppress unexpected error output.
|
||||
CHECK_PERM_OUT=$(CheckPathPermissions "$LE_PYTHON" "$0" 2>/dev/null)
|
||||
CHECK_PERM_STATUS="$?"
|
||||
set -e
|
||||
# Only print output if the script ran successfully and it actually produced
|
||||
# output. The latter check resolves
|
||||
# https://github.com/certbot/certbot/issues/7012.
|
||||
if [ "$CHECK_PERM_STATUS" = 0 -a -n "$CHECK_PERM_OUT" ]; then
|
||||
error "$CHECK_PERM_OUT"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$NO_SELF_UPGRADE" != 1 ]; then
|
||||
TEMP_DIR=$(TempDir)
|
||||
trap 'rm -rf "$TEMP_DIR"' EXIT
|
||||
# ---------------------------------------------------------------------------
|
||||
cat << "UNLIKELY_EOF" > "$TEMP_DIR/fetch.py"
|
||||
"""Do downloading and JSON parsing without additional dependencies. ::
|
||||
|
||||
# Print latest released version of LE to stdout:
|
||||
python fetch.py --latest-version
|
||||
|
||||
# Download letsencrypt-auto script from git tag v1.2.3 into the folder I'm
|
||||
# in, and make sure its signature verifies:
|
||||
python fetch.py --le-auto-script v1.2.3
|
||||
|
||||
On failure, return non-zero.
|
||||
|
||||
"""
|
||||
|
||||
from __future__ import print_function, unicode_literals
|
||||
|
||||
from distutils.version import LooseVersion
|
||||
from json import loads
|
||||
from os import devnull, environ
|
||||
from os.path import dirname, join
|
||||
import re
|
||||
import ssl
|
||||
from subprocess import check_call, CalledProcessError
|
||||
from sys import argv, exit
|
||||
try:
|
||||
from urllib2 import build_opener, HTTPHandler, HTTPSHandler
|
||||
from urllib2 import HTTPError, URLError
|
||||
except ImportError:
|
||||
from urllib.request import build_opener, HTTPHandler, HTTPSHandler
|
||||
from urllib.error import HTTPError, URLError
|
||||
|
||||
PUBLIC_KEY = environ.get('LE_AUTO_PUBLIC_KEY', """-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbq
|
||||
OzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18
|
||||
xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp
|
||||
9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiij
|
||||
n9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XH
|
||||
cXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+
|
||||
CQIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
""")
|
||||
|
||||
class ExpectedError(Exception):
|
||||
"""A novice-readable exception that also carries the original exception for
|
||||
debugging"""
|
||||
|
||||
|
||||
class HttpsGetter(object):
|
||||
def __init__(self):
|
||||
"""Build an HTTPS opener."""
|
||||
# Based on pip 1.4.1's URLOpener
|
||||
# This verifies certs on only Python >=2.7.9, and when NO_CERT_VERIFY isn't set.
|
||||
if environ.get('NO_CERT_VERIFY') == '1' and hasattr(ssl, 'SSLContext'):
|
||||
self._opener = build_opener(HTTPSHandler(context=cert_none_context()))
|
||||
else:
|
||||
self._opener = build_opener(HTTPSHandler())
|
||||
# Strip out HTTPHandler to prevent MITM spoof:
|
||||
for handler in self._opener.handlers:
|
||||
if isinstance(handler, HTTPHandler):
|
||||
self._opener.handlers.remove(handler)
|
||||
|
||||
def get(self, url):
|
||||
"""Return the document contents pointed to by an HTTPS URL.
|
||||
|
||||
If something goes wrong (404, timeout, etc.), raise ExpectedError.
|
||||
|
||||
"""
|
||||
try:
|
||||
# socket module docs say default timeout is None: that is, no
|
||||
# timeout
|
||||
return self._opener.open(url, timeout=30).read()
|
||||
except (HTTPError, IOError) as exc:
|
||||
raise ExpectedError("Couldn't download %s." % url, exc)
|
||||
|
||||
|
||||
def write(contents, dir, filename):
|
||||
"""Write something to a file in a certain directory."""
|
||||
with open(join(dir, filename), 'wb') as file:
|
||||
file.write(contents)
|
||||
|
||||
|
||||
def latest_stable_version(get):
|
||||
"""Return the latest stable release of letsencrypt."""
|
||||
metadata = loads(get(
|
||||
environ.get('LE_AUTO_JSON_URL',
|
||||
'https://pypi.python.org/pypi/certbot/json')).decode('UTF-8'))
|
||||
# metadata['info']['version'] actually returns the latest of any kind of
|
||||
# release release, contrary to https://wiki.python.org/moin/PyPIJSON.
|
||||
# The regex is a sufficient regex for picking out prereleases for most
|
||||
# packages, LE included.
|
||||
return str(max(LooseVersion(r) for r
|
||||
in metadata['releases'].keys()
|
||||
if re.match('^[0-9.]+$', r)))
|
||||
|
||||
|
||||
def verified_new_le_auto(get, tag, temp_dir):
|
||||
"""Return the path to a verified, up-to-date letsencrypt-auto script.
|
||||
|
||||
If the download's signature does not verify or something else goes wrong
|
||||
with the verification process, raise ExpectedError.
|
||||
|
||||
"""
|
||||
le_auto_dir = environ.get(
|
||||
'LE_AUTO_DIR_TEMPLATE',
|
||||
'https://raw.githubusercontent.com/certbot/certbot/%s/'
|
||||
'letsencrypt-auto-source/') % tag
|
||||
write(get(le_auto_dir + 'letsencrypt-auto'), temp_dir, 'letsencrypt-auto')
|
||||
write(get(le_auto_dir + 'letsencrypt-auto.sig'), temp_dir, 'letsencrypt-auto.sig')
|
||||
write(PUBLIC_KEY.encode('UTF-8'), temp_dir, 'public_key.pem')
|
||||
try:
|
||||
with open(devnull, 'w') as dev_null:
|
||||
check_call(['openssl', 'dgst', '-sha256', '-verify',
|
||||
join(temp_dir, 'public_key.pem'),
|
||||
'-signature',
|
||||
join(temp_dir, 'letsencrypt-auto.sig'),
|
||||
join(temp_dir, 'letsencrypt-auto')],
|
||||
stdout=dev_null,
|
||||
stderr=dev_null)
|
||||
except CalledProcessError as exc:
|
||||
raise ExpectedError("Couldn't verify signature of downloaded "
|
||||
"certbot-auto.", exc)
|
||||
|
||||
|
||||
def cert_none_context():
|
||||
"""Create a SSLContext object to not check hostname."""
|
||||
# PROTOCOL_TLS isn't available before 2.7.13 but this code is for 2.7.9+, so use this.
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|
||||
context.verify_mode = ssl.CERT_NONE
|
||||
return context
|
||||
|
||||
|
||||
def main():
|
||||
get = HttpsGetter().get
|
||||
flag = argv[1]
|
||||
try:
|
||||
if flag == '--latest-version':
|
||||
print(latest_stable_version(get))
|
||||
elif flag == '--le-auto-script':
|
||||
tag = argv[2]
|
||||
verified_new_le_auto(get, tag, dirname(argv[0]))
|
||||
except ExpectedError as exc:
|
||||
print(exc.args[0], exc.args[1])
|
||||
return 1
|
||||
else:
|
||||
return 0
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
exit(main())
|
||||
|
||||
UNLIKELY_EOF
|
||||
# ---------------------------------------------------------------------------
|
||||
if [ "$PYVER" -lt "$MIN_PYVER" ]; then
|
||||
error "WARNING: couldn't find Python $MIN_PYTHON_VERSION+ to check for updates."
|
||||
elif ! REMOTE_VERSION=`"$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version` ; then
|
||||
error "WARNING: unable to check for updates."
|
||||
fi
|
||||
|
||||
# If for any reason REMOTE_VERSION is not set, let's assume certbot-auto is up-to-date,
|
||||
# and do not go into the self-upgrading process.
|
||||
if [ -n "$REMOTE_VERSION" ]; then
|
||||
LE_VERSION_STATE=`CompareVersions "$LE_PYTHON" "$LE_AUTO_VERSION" "$REMOTE_VERSION"`
|
||||
|
||||
if [ "$LE_VERSION_STATE" = "UNOFFICIAL" ]; then
|
||||
say "Unofficial certbot-auto version detected, self-upgrade is disabled: $LE_AUTO_VERSION"
|
||||
elif [ "$LE_VERSION_STATE" = "OUTDATED" ]; then
|
||||
say "Upgrading certbot-auto $LE_AUTO_VERSION to $REMOTE_VERSION..."
|
||||
|
||||
# Now we drop into Python so we don't have to install even more
|
||||
# dependencies (curl, etc.), for better flow control, and for the option of
|
||||
# future Windows compatibility.
|
||||
"$LE_PYTHON" "$TEMP_DIR/fetch.py" --le-auto-script "v$REMOTE_VERSION"
|
||||
|
||||
# Install new copy of certbot-auto.
|
||||
# TODO: Deal with quotes in pathnames.
|
||||
say "Replacing certbot-auto..."
|
||||
# Clone permissions with cp. chmod and chown don't have a --reference
|
||||
# option on macOS or BSD, and stat -c on Linux is stat -f on macOS and BSD:
|
||||
cp -p "$0" "$TEMP_DIR/letsencrypt-auto.permission-clone"
|
||||
cp "$TEMP_DIR/letsencrypt-auto" "$TEMP_DIR/letsencrypt-auto.permission-clone"
|
||||
# Using mv rather than cp leaves the old file descriptor pointing to the
|
||||
# original copy so the shell can continue to read it unmolested. mv across
|
||||
# filesystems is non-atomic, doing `rm dest, cp src dest, rm src`, but the
|
||||
# cp is unlikely to fail if the rm doesn't.
|
||||
mv -f "$TEMP_DIR/letsencrypt-auto.permission-clone" "$0"
|
||||
fi # A newer version is available.
|
||||
fi
|
||||
fi # Self-upgrading is allowed.
|
||||
|
||||
RerunWithArgs --le-auto-phase2 "$@"
|
||||
fi
|
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
|
||||
- name: reload nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
|
||||
- name: reload apache
|
||||
service:
|
||||
name: apache2
|
||||
state: reloaded
|
||||
|
||||
- name: reload haproxy
|
||||
service:
|
||||
name: haproxy
|
||||
state: reloaded
|
||||
|
||||
- name: systemd daemon-reload
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
||||
- name: install letsencrypt-auto
|
||||
command: /usr/local/bin/letsencrypt-auto --noninteractive --install-only --no-self-upgrade
|
|
@ -1,51 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Certbot work directory is present
|
||||
file:
|
||||
dest: "{{ certbot_work_dir }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Check if Nginx is installed
|
||||
stat:
|
||||
path: /etc/nginx
|
||||
register: is_nginx
|
||||
|
||||
- name: ACME challenge for Nginx is installed
|
||||
template:
|
||||
src: acme-challenge/nginx.conf.j2
|
||||
dest: /etc/nginx/snippets/letsencrypt.conf
|
||||
force: yes
|
||||
notify: reload nginx
|
||||
when: is_nginx.stat.exists
|
||||
|
||||
- name: Check if Apache is installed
|
||||
stat:
|
||||
path: /usr/sbin/apachectl
|
||||
register: is_apache
|
||||
|
||||
- name: ACME challenge for Apache
|
||||
block:
|
||||
- name: ACME challenge for Apache is installed
|
||||
template:
|
||||
src: acme-challenge/apache.conf.j2
|
||||
dest: /etc/apache2/conf-available/letsencrypt.conf
|
||||
force: yes
|
||||
notify: reload apache
|
||||
|
||||
- name: ACME challenge for Apache is enabled
|
||||
command: "a2enconf letsencrypt"
|
||||
register: command_result
|
||||
changed_when: "'Enabling' in command_result.stderr"
|
||||
notify: reload apache
|
||||
when: is_apache.stat.exists
|
||||
|
||||
- name: Check if HAProxy is installed
|
||||
stat:
|
||||
path: /etc/haproxy
|
||||
register: is_haproxy
|
||||
|
||||
- name: ACME challenge for HAProxy is installed
|
||||
debug:
|
||||
msg: "ACME challenge configuration for HAProxy must be configured manually"
|
||||
when: is_haproxy.stat.exists
|
|
@ -1,60 +0,0 @@
|
|||
---
|
||||
|
||||
- name: certbot package is removed
|
||||
apt:
|
||||
name: certbot
|
||||
state: absent
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto
|
||||
- name: Let's Encrypt script is present
|
||||
copy:
|
||||
src: letsencrypt-auto
|
||||
dest: /usr/local/bin/letsencrypt-auto
|
||||
mode: '0755'
|
||||
owner: root
|
||||
group: root
|
||||
force: yes
|
||||
notify: install letsencrypt-auto
|
||||
|
||||
- name: Check certbot script
|
||||
stat:
|
||||
path: /usr/local/bin/certbot
|
||||
register: certbot_path
|
||||
|
||||
- name: Rename certbot script if present
|
||||
command: "mv /usr/local/bin/certbot /usr/local/bin/certbot.bak"
|
||||
when: certbot_path.stat.exists
|
||||
|
||||
- name: Let's Encrypt script is symlinked as certbot
|
||||
file:
|
||||
src: "/usr/local/bin/letsencrypt-auto"
|
||||
dest: "/usr/local/bin/certbot"
|
||||
state: link
|
||||
|
||||
- name: systemd artefacts are absent
|
||||
file:
|
||||
dest: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- /etc/systemd/system/certbot.service
|
||||
- /etc/systemd/system/certbot.service.d
|
||||
- /etc/systemd/system/certbot.timer
|
||||
notify: systemd daemon-reload
|
||||
|
||||
- name: custom crontab is present
|
||||
copy:
|
||||
src: cron_jessie
|
||||
dest: /etc/cron.d/certbot
|
||||
force: yes
|
||||
when: certbot_custom_crontab | bool
|
||||
|
||||
- name: disable self-upgrade
|
||||
ini_file:
|
||||
dest: "/etc/letsencrypt/cli.ini"
|
||||
section: null
|
||||
option: "no-self-upgrade"
|
||||
value: "no"
|
||||
state: present
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
|
||||
- name: certbot package is installed
|
||||
apt:
|
||||
name: certbot
|
||||
state: latest
|
|
@ -1,61 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "System compatibility checks"
|
||||
assert:
|
||||
that:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('8', '>=')
|
||||
msg: only compatible with Debian 9+
|
||||
|
||||
- name: Install legacy script on Debian 8
|
||||
include: install-legacy.yml
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('9', '<')
|
||||
|
||||
- name: Install package on Debian 9+
|
||||
include: install-package.yml
|
||||
when:
|
||||
- ansible_distribution == "Debian"
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- include: acme-challenge.yml
|
||||
|
||||
- name: Deploy hooks are present
|
||||
copy:
|
||||
src: hooks/deploy/
|
||||
dest: /etc/letsencrypt/renewal-hooks/deploy/
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Manual deploy hook is present
|
||||
copy:
|
||||
src: hooks/manual-deploy.sh
|
||||
dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
|
||||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: "sync_remote is configured with servers"
|
||||
lineinfile:
|
||||
dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
|
||||
regexp: "^servers="
|
||||
line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\""
|
||||
create: yes
|
||||
|
||||
# begining of backward compatibility tasks
|
||||
- name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present
|
||||
command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
|
||||
args:
|
||||
removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
|
||||
creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
|
||||
# end of backward compatibility tasks
|
||||
|
||||
- name: "certbot lock is ignored by Git"
|
||||
lineinfile:
|
||||
dest: /etc/.gitignore
|
||||
line: letsencrypt/.certbot.lock
|
||||
create: yes
|
||||
owner: root
|
||||
mode: "0600"
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue