From 74464346a27b4a0eb3a7b877506d740a30d2e704 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Fri, 22 Mar 2019 16:04:44 +0100 Subject: [PATCH 001/150] We don't need a separate task to install sudo --- roles/base/tasks/packages.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index 6c78d9c..55cf991 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -18,14 +18,9 @@ - mtr-- - iftop - postgresql-client - tags: - - pkg - -- name: Install sudo - openbsd_pkg: - name: "{{ item }}" - state: present - with_items: - sudo-- tags: - pkg + + tags: + - pkg From 1d6eaa12704950cae9b82635acbf54137826b01b Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Fri, 22 Mar 2019 16:05:02 +0100 Subject: [PATCH 002/150] sndiod is not needed, let's disable it --- roles/base/tasks/packages.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index 55cf991..55b081a 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -22,5 +22,10 @@ tags: - pkg +- name: Disable sndiod + service: + name: sndiod + enabled: no + state: stopped tags: - pkg From 01278281bdc81a8b8f96d86afd2cfe65eb38b9bf Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Fri, 22 Mar 2019 16:05:33 +0100 Subject: [PATCH 003/150] Bring some completion functions in root's profile dotfile --- roles/base/files/profile | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/roles/base/files/profile b/roles/base/files/profile index b153f2f..995c549 100644 --- a/roles/base/files/profile +++ b/roles/base/files/profile 
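Review bot: Applied on its own, this hunk appears to leave an orphaned second `tags:` / `- pkg` pair after the blank line, at the same indentation as the `tags` the first task already carries, which is a duplicate key in that mapping (Ansible's YAML loader warns on duplicate dict keys and keeps the last one); only the next patch in the series fills the gap with the sndiod task that owns those lines. Either squash the two patches or drop the three added lines here and add them together with the task that uses them. This reading follows from the hunk header and diffstat (14 old lines, 9 new, 3 insertions, 8 deletions), which make `- sudo--` a context line that now sits inside the first package list.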
@@ -1,8 +1,8 @@ -# $OpenBSD: dot.profile,v 1.9 2010/12/13 12:54:31 millert Exp $ +# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $ # # sh/ksh initialization -PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin +PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games export PATH HOME TERM export PS1="\u@\h:\w\\$ " HISTFILE=$HOME/.histfile @@ -25,3 +25,32 @@ case "$-" in fi ;; esac + +PKG_LIST=$(ls -1 /var/db/pkg) + +set -A complete_kill_1 -- -9 -HUP -INFO -KILL -TERM +pgrep -q vmd +if [ $? = 0 ]; then + set -A complete_vmctl -- console load reload start stop reset status + set -A complete_vmctl_2 -- $(vmctl status | awk '!/NAME/{print $NF}') +fi +if [ -d ~/.password-store ]; then + PASS_LIST=$( + cd ~/.password-store + find . -type f -name \*.gpg | sed 's/^\.\///' | sed 's/\.gpg$//g' + ) + + set -A complete_pass -- $PASS_LIST -c generate edit insert git + set -A complete_pass_2 -- $PASS_LIST push +fi +set -A complete_pkg_delete -- $PKG_LIST +set -A complete_pkg_info -- $PKG_LIST +set -A complete_rcctl_1 -- disable enable get ls order set reload check restart stop start +set -A complete_rcctl_2 -- $(ls /etc/rc.d) +set -A complete_signify_1 -- -C -G -S -V +set -A complete_signify_2 -- -q -p -x -c -m -t -z +set -A complete_signify_3 -- -p -x -c -m -t -z +set -A complete_make_1 -- install clean repackage reinstall +set -A complete_gpg2 -- --refresh --receive-keys --armor --clearsign --sign --list-key --decrypt --verify --detach-sig +set -A complete_git -- pull push mpull mpush status clone branch add rm checkout fetch show tag commit +set -A complete_ifconfig_1 -- $(ifconfig | grep ^[a-z] | cut -d: -f1) From 4ef630285d337ea437ec493806f488107d917269 Mon Sep 17 00:00:00 2001 
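Review bot: In the last added line the grep pattern `^[a-z]` is unquoted, so the shell tries it as a glob against the current directory before grep sees it; write `/usr/bin/grep '^[a-z]'`. The rest of the block runs `ls -1 /var/db/pkg`, `vmctl status`, `ls /etc/rc.d`, `ifconfig` and a `find` over ~/.password-store at every interactive login of root, which is acceptable for completion data, but `ls -1 /var/db/pkg` should get `2>/dev/null` so a host without that directory does not print an error at login. `$HOME/bin` now precedes every system directory in root's PATH; that is only safe while /root/bin stays root-owned and not group- or world-writable, which the role should enforce or a comment next to the PATH line should state.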
From: Jeremy Dubois Date: Tue, 9 Apr 2019 15:53:45 +0200 Subject: [PATCH 004/150] Add check_connections_state Script to check if connections are UP, and if so, check whether main connection is correctly used. Also add configuration to use with nrpe and sudo. --- roles/base/tasks/sudo.yml | 1 + .../plugins_bsd/check_connections_state.sh | 73 +++++++++++++++++++ roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 1 + 3 files changed, 75 insertions(+) create mode 100755 roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index d00e460..6aec63b 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -21,6 +21,7 @@ _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple + _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_connections_state.sh validate: 'visudo -cf %s' backup: no tags: diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh b/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh new file mode 100755 index 0000000..ef894cd --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh 
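Review bot: This NOPASSWD rule lets `_nrpe` execute the script as root, so whatever installs `/usr/local/libexec/nagios/plugins/check_connections_state.sh` must leave it root-owned and not writable by `_nrpe` or any group it belongs to; the diff shows the repository file at mode 100755 but not the owner/mode the copy task applies, so please check that task (or give it explicit `owner: root`, `group: wheel`, `mode: "0755"`). A writable target behind a NOPASSWD rule is a direct `_nrpe`-to-root escalation, and since this script ships from `files/` with placeholder addresses that admins are expected to edit in place on the host, permission drift on it is more likely than for a templated plugin.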
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+STATE=0
+MAIN_CONNECTION_PINGABLE_IP="31.170.8.95"
+MAIN_CONNECTION_GATEWAY="IP"
+MAIN_CONNECTION_IP="IP"
+SECOND_CONNECTION_PINGABLE_IP="31.170.8.243"
+INFO_MAIN_CONNECTION="IP - Description"
+INFO_SECOND_CONNECTION="IP - Description"
+CURRENT_GATEWAY=$(/usr/bin/netstat -nr | /usr/bin/grep "default" | /usr/bin/awk '{print $2}')
+
+IS_GATEWAY_IN_FILE=1
+IS_VPN_USING_MAIN_CONNECTION=1
+IS_PF_USING_MAIN_CONNECTION=1
+CHECK_CARP=0
+
+if [ "${CHECK_CARP}" = 1 ]; then
+ CARP_STATUS=$(/sbin/ifconfig carp0 | /usr/bin/grep "status" | /usr/bin/awk '{print $2}')
+ if [ "$CARP_STATUS" = "backup" ]; then
+ echo "No check, I'm a backup"
+ exit 0
+ fi
+fi
+
+/sbin/ping -c1 -w1 ${MAIN_CONNECTION_PINGABLE_IP} >/dev/null 2>&1
+if [ $? = 0 ]; then
+ if [ "${CURRENT_GATEWAY}" != "${MAIN_CONNECTION_GATEWAY}" ]; then
+ echo "Main connection is UP but not used as gateway !"
+ STATE=2
+ fi
+else
+ echo "Main connection (${INFO_MAIN_CONNECTION}) is down"
+ STATE=2
+ IS_GATEWAY_IN_FILE=0
+ IS_VPN_USING_MAIN_CONNECTION=0
+ IS_PF_USING_MAIN_CONNECTION=0
+fi
+
+/sbin/ping -c1 -w1 ${SECOND_CONNECTION_PINGABLE_IP} >/dev/null 2>&1
+if [ $? != 0 ]; then
+ echo "Second connection (${INFO_SECOND_CONNECTION}) is down"
+ STATE=2
+fi
+
+if [ "${IS_GATEWAY_IN_FILE}" = 1 ]; then
+ /usr/bin/grep -q "${MAIN_CONNECTION_GATEWAY}" /etc/mygate
+ if [ $? != 0 ]; then
+ echo "Main connection is not set in /etc/mygate"
+ STATE=2
+ fi
+fi
+
+if [ "${IS_VPN_USING_MAIN_CONNECTION}" = 1 ]; then
+ /sbin/ipsecctl -sa | /usr/bin/grep -q "${MAIN_CONNECTION_IP}"
+ if [ $? != 0 ]; then
+ echo "VPN is not using the main connection !"
+ STATE=2
+ fi
+fi
+
+if [ "${IS_PF_USING_MAIN_CONNECTION}" = 1 ]; then
+ /sbin/pfctl -sr | /usr/bin/grep "route-to" | /usr/bin/grep -q "${MAIN_CONNECTION_GATEWAY}"
+ if [ $? != 0 ]; then
+ echo "PF is not using the main connection !"
+ STATE=2 + fi +fi + +if [ "${STATE}" = 0 ]; then + echo "OK - Main connection is UP and used, second connection is UP" +fi + +exit ${STATE} diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 0420fcb..b3a7c33 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -36,3 +36,4 @@ command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d command[check_ospfd_simple]=sudo /usr/local/libexec/nagios/plugins/check_ospfd_simple command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf +command[check_connections_state]=sudo /usr/local/libexec/nagios/check_connections_state.sh From d2e9a0f5fb2c4da1e24ee21eef31312734155af9 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 15 Apr 2019 11:00:53 +0200 Subject: [PATCH 005/150] Increase warning and critical pf_states threshold --- roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 b/roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 index c32e305..670ea1b 100755 --- a/roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 +++ b/roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 @@ -3,8 +3,8 @@ # Script writen by Evolix _MAX_STATES_LIMIT=$(/sbin/pfctl -sm | /usr/bin/grep states | awk '{print $4}') -_WARNING_STATES_LIMIT=$((_MAX_STATES_LIMIT*10/100)) -_CRTICAL_STATES_LIMIT=$((_MAX_STATES_LIMIT*15/100)) +_WARNING_STATES_LIMIT=$((_MAX_STATES_LIMIT*50/100)) +_CRTICAL_STATES_LIMIT=$((_MAX_STATES_LIMIT*65/100)) . /usr/local/libexec/nagios/utils.sh From 0f1b2093701cbfbb1bc92799757a18e822bf9952 Mon Sep 17 00:00:00 2001 
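Review bot: `CURRENT_GATEWAY` is taken from `grep "default"` over the whole `netstat -nr` output, so on a host that also has an IPv6 default route (or any route line containing that word) it holds several values and the comparison just below reports "Main connection is UP but not used as gateway" falsely; restrict it to the inet table and the first column, `CURRENT_GATEWAY=$(/usr/bin/netstat -nr -f inet | /usr/bin/awk '$1 == "default" {print $2}')`. The three `grep -q "${MAIN_CONNECTION_...}"` checks use a dotted address as an unanchored regex, so 10.0.0.1 also matches 10.0.0.10 or 110.0.0.1 in /etc/mygate, `ipsecctl -sa` and `pfctl -sr`; use `grep -qwF` there (and `-qxF` for /etc/mygate, which holds one address per line). `MAIN_CONNECTION_GATEWAY` and `MAIN_CONNECTION_IP` are left as the literal placeholder `IP` in a file that is copied verbatim, so an unconfigured host silently compares against that string instead of failing; a template fed from host variables would fail loudly when they are missing.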
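Review bot: The sudoers line added in this same patch whitelists `/usr/local/libexec/nagios/plugins/check_connections_state.sh`, but this command runs `sudo /usr/local/libexec/nagios/check_connections_state.sh` without the `plugins/` component; sudo will not match the NOPASSWD rule, and under NRPE (no tty) the check fails with a password prompt or a permission error rather than running. Use the same path on both sides, `command[check_connections_state]=sudo /usr/local/libexec/nagios/plugins/check_connections_state.sh`, which is also consistent with the other `plugins/` entries in this file.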
From: Jeremy Dubois Date: Fri, 19 Apr 2019 15:21:08 +0200 Subject: [PATCH 006/150] Configure check_dhcpd --- roles/base/tasks/sudo.yml | 1 + roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index d00e460..6e42fec 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -21,6 +21,7 @@ _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple + _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_dhcp validate: 'visudo -cf %s' backup: no tags: diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 0420fcb..4b492aa 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -30,7 +30,7 @@ command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10 -command[check_dhcpclient]=/usr/local/libexec/nagios/check_dhcp -i INTERFACE +command[check_dhcpd]=sudo /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 #command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d From 798a4827873d1655241a313d08962b0ed07e3835 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Sun, 14 Apr 2019 20:18:55 +0200 Subject: [PATCH 007/150] Load root's environment when using doas --- roles/base/templates/doas.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
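Review bot: The new rule has no argument restriction, so `_nrpe` can run `check_dhcp` as root with any options (other interfaces, other servers), while the NRPE command in this patch only ever needs `-i INTERFACE -s IP -u`; sudoers can pin the arguments, `_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u`, at the cost of keeping this file and the NRPE template in sync when the placeholders are filled in per host. If that coupling is judged too brittle, at least add a comment above the rule stating that the arguments are intentionally unrestricted and why.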
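Review bot: Renaming `check_dhcpclient` to `check_dhcpd` changes the NRPE command name the Nagios side calls, so any existing service definition still sending `check_dhcpclient` will start failing with "NRPE: Command 'check_dhcpclient' not defined" as soon as this template is deployed; either keep the old name as an alias during a transition or call the rename out in the commit message. The semantics change too (`-s IP -u` turns the broadcast client probe into a unicast probe of one server), which deserves a comment line above the entry, e.g. `# unicast (-u) probe of the DHCP server IP through INTERFACE, run as root via sudo`.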
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 0d313a5..d28bf2f 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} :wheel +permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :wheel permit nopass root permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh From a6815408a8ad09f0ad8c4802feac28ec0c875676 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Fri, 19 Apr 2019 23:55:31 +0200 Subject: [PATCH 008/150] Add a warning message in the NRPE configuration requesting to use an alternative configuration file for local modifications --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 0420fcb..fe51fac 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -2,6 +2,8 @@ # Custom NRPE configuration file. # Part of the EvoBSD distribution. # +# This is an Ansible managed file ! +# For local modifications use the /etc/nrpe.d/zzz-evolix.cfg file instead # Allowed IPs allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} @@ -36,3 +38,6 @@ command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d command[check_ospfd_simple]=sudo /usr/local/libexec/nagios/plugins/check_ospfd_simple command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf + +# This is an Ansible managed file! +# For local modifications use the /etc/nrpe.d/zzz-evolix.cfg file instead From b23a5796038e72a90f3b969566f7eacb9ea8eb8f Mon Sep 17 00:00:00 2001 
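Review bot: `PKG_PATH` is now passed through from the caller's environment into root's, so a `doas pkg_add` fetches from whatever URL the unprivileged account had set; this rule requires the wheel member's own password and such a user is effectively root already, so it is acceptable, but it should be stated in the template, e.g. `# PKG_PATH is inherited from the caller: trusted because :wheel authenticates as root`. `ENV=/root/.profile` also means every interactive `doas` shell now sources root's profile, including the completion code added earlier in this series that runs vmctl, ifconfig and a find over the password store on each start; worth knowing when that profile grows.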
From: Tristan PILAT Date: Sun, 5 May 2019 21:21:09 +0200 Subject: [PATCH 009/150] We have to make sure the daily.local file exists otherwise the playbook fails --- roles/base/tasks/evobackup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/evobackup.yml b/roles/base/tasks/evobackup.yml index 669c86f..ba5a24a 100644 --- a/roles/base/tasks/evobackup.yml +++ b/roles/base/tasks/evobackup.yml @@ -16,5 +16,6 @@ line: '#sh /usr/share/scripts/zzz_evobackup' owner: root mode: "0644" + create: yes tags: - evobackup From 38273ecf332ef75845ccb99a828227ee4d886499 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Sun, 5 May 2019 21:42:21 +0200 Subject: [PATCH 010/150] Add a title in the daily output mail for the git status report --- roles/base/tasks/packages.yml | 1 - roles/etc-git/tasks/main.yml | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index 55b081a..81528fe 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -17,7 +17,6 @@ - rsync-- - mtr-- - iftop - - postgresql-client - sudo-- tags: - pkg diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index 1068842..e9a868a 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -79,13 +79,16 @@ - name: cron job for /etc/.git status is installed lineinfile: path: /etc/daily.local - line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + line: {{ item }} owner: root mode: "0644" create: yes when: etc_git_monitor_status tags: - etc-git + with_items: + - 'next_part "Checking /etc git status:"' + - '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' - name: cron job for /etc/.git status is removed lineinfile: From 0afd6b9b63dec90cdda98f5207be9d2615d18e2e Mon Sep 17 00:00:00 2001 
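Review bot: `line: {{ item }}` is unquoted, so YAML parses the value as a flow mapping and the play fails to load (the next patch in the series quotes it; consider squashing the two). Beyond that, `lineinfile` with `with_items` appends each missing line at the end of /etc/daily.local, so on a host that already has the `git status` line from an earlier run the `next_part` title is appended after it and the heading lands below the output it is meant to introduce; give the title item `insertbefore` pointing at the git line, or write both lines as one `blockinfile` block. `next_part` is presumably the helper defined by /etc/daily, which sources daily.local; confirm that is how this file is run here.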
From: Tristan PILAT Date: Sat, 11 May 2019 20:52:58 +0200 Subject: [PATCH 011/150] Add missing quotes --- roles/etc-git/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index e9a868a..e81c2f5 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -79,7 +79,7 @@ - name: cron job for /etc/.git status is installed lineinfile: path: /etc/daily.local - line: {{ item }} + line: "{{ item }}" owner: root mode: "0644" create: yes From 1cab5efc1d4f48b7ec3390270b3dff5b1dd312d7 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Mon, 13 May 2019 08:49:42 -0400 Subject: [PATCH 012/150] Reverts erroneous removal of postrgres-client pkg --- roles/base/tasks/packages.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index 81528fe..e34c26b 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -18,6 +18,7 @@ - mtr-- - iftop - sudo-- + - postresql-client tags: - pkg From f456e4abf2353decc80c784784a40347abc080ba Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Mon, 13 May 2019 08:51:09 -0400 Subject: [PATCH 013/150] Fix typo in pkg name Wrote postgresql withouth the g... --- roles/base/tasks/packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index e34c26b..d205e19 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -18,7 +18,7 @@ - mtr-- - iftop - sudo-- - - postresql-client + - postgresql-client tags: - pkg From 1b5196d6a4879bb277f01ec5f739064514318d9c Mon Sep 17 00:00:00 2001 
From: Jeremy Dubois Date: Mon, 15 Jul 2019 17:29:36 +0200 Subject: [PATCH 014/150] Replace sudo with doas --- roles/base/tasks/sudo.yml | 1 - roles/base/templates/doas.conf.j2 | 1 + roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index 6e42fec..d00e460 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -21,7 +21,6 @@ _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple - _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_dhcp validate: 'visudo -cf %s' backup: no tags: diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 0d313a5..52db062 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 @@ -9,3 +9,4 @@ permit nopass _collectd as root cmd /usr/sbin/bgpctl permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 4b492aa..f853d4f 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
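Review bot: This doas rule has no `args` clause, so `_nrpe` can run `check_dhcp` as root with any arguments, not only the `-i INTERFACE -s IP -u` the NRPE command uses; doas can pin them, `permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp args -i INTERFACE -s IP -u`, with the placeholders filled from the same source as the NRPE template so the two cannot drift apart. The sudoers entry this replaces had the same weakness, so the move to doas is a good moment to close a pre-existing gap rather than carry it over.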
@@ -30,7 +30,7 @@ command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10 -command[check_dhcpd]=sudo /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u +command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 #command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d From a23a6efca862f00127ab73a6dedbf1fb95f8856a Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 15 Jul 2019 17:44:05 +0200 Subject: [PATCH 015/150] Replace sudo with doas --- roles/base/tasks/sudo.yml | 1 - roles/base/templates/doas.conf.j2 | 1 + roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index 6aec63b..d00e460 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -21,7 +21,6 @@ _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple - _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_connections_state.sh validate: 'visudo -cf %s' backup: no tags: diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 0d313a5..462ebdc 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 
@@ -9,3 +9,4 @@ permit nopass _collectd as root cmd /usr/sbin/bgpctl permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index b3a7c33..17ced04 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -36,4 +36,4 @@ command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d command[check_ospfd_simple]=sudo /usr/local/libexec/nagios/plugins/check_ospfd_simple command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf -command[check_connections_state]=sudo /usr/local/libexec/nagios/check_connections_state.sh +command[check_connections_state]=doas /usr/local/libexec/nagios/check_connections_state.sh From 6b55368234a3c63222bac5f4e702c45fcc463725 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 15 Jul 2019 17:48:51 +0200 Subject: [PATCH 016/150] Improve script and add comments --- .../plugins_bsd/check_connections_state.sh | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh b/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh index ef894cd..ac73313 100755 --- a/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh +++ b/roles/nagios-nrpe/files/plugins_bsd/check_connections_state.sh 
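Review bot: The path mismatch from the original check_connections_state patch survives the move to doas: the rule added in this patch permits `/usr/local/libexec/nagios/plugins/check_connections_state.sh`, while this command runs `doas /usr/local/libexec/nagios/check_connections_state.sh`; doas matches commands by exact path, so the request falls through to the implicit deny and the check never runs. Use `command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_connections_state.sh`, which matches the doas rule and the sudoers rule it replaces.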
@@ -9,11 +9,13 @@ INFO_MAIN_CONNECTION="IP - Description" INFO_SECOND_CONNECTION="IP - Description" CURRENT_GATEWAY=$(/usr/bin/netstat -nr | /usr/bin/grep "default" | /usr/bin/awk '{print $2}') -IS_GATEWAY_IN_FILE=1 -IS_VPN_USING_MAIN_CONNECTION=1 -IS_PF_USING_MAIN_CONNECTION=1 -CHECK_CARP=0 +IS_GATEWAY_IN_FILE=1 # Check whether /etc/mygate has the IP of main connection +IS_VPN_USING_MAIN_CONNECTION=1 # Check whether ipsecctl use the main connection +IS_PF_USING_MAIN_CONNECTION=1 # Check whether PacketFilter has route-to using the main connection +IS_MISCELLANEOUS=1 # Check miscellaneous things +CHECK_CARP=0 # No check if host is backup +# No check if host is backup if [ "${CHECK_CARP}" = 1 ]; then CARP_STATUS=$(/sbin/ifconfig carp0 | /usr/bin/grep "status" | /usr/bin/awk '{print $2}') if [ "$CARP_STATUS" = "backup" ]; then @@ -22,6 +24,8 @@ if [ "${CHECK_CARP}" = 1 ]; then fi fi +# If main connection is UP but not used => critical and continue +# If main connection is DOWN (used or not) => warning and exit /sbin/ping -c1 -w1 ${MAIN_CONNECTION_PINGABLE_IP} >/dev/null 2>&1 if [ $? = 0 ]; then if [ "${CURRENT_GATEWAY}" != "${MAIN_CONNECTION_GATEWAY}" ]; then @@ -30,18 +34,21 @@ if [ $? = 0 ]; then fi else echo "Main connection (${INFO_MAIN_CONNECTION}) is down" - STATE=2 + STATE=1 IS_GATEWAY_IN_FILE=0 IS_VPN_USING_MAIN_CONNECTION=0 IS_PF_USING_MAIN_CONNECTION=0 + IS_MISCELLANEOUS=0 fi +# If second connection is DOWN => critical and continue /sbin/ping -c1 -w1 ${SECOND_CONNECTION_PINGABLE_IP} >/dev/null 2>&1 if [ $? != 0 ]; then echo "Second connection (${INFO_SECOND_CONNECTION}) is down" STATE=2 fi +# Check whether /etc/mygate has the IP of main connection if [ "${IS_GATEWAY_IN_FILE}" = 1 ]; then /usr/bin/grep -q "${MAIN_CONNECTION_GATEWAY}" /etc/mygate if [ $? != 0 ]; then 
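Review bot: The new comment says a down main connection yields "warning and exit", but the code does not exit: the following hunk sets `STATE=1` and execution continues to the second-connection check, which can still raise the result to CRITICAL. Either make the comment match what happens, `# If main connection is DOWN (used or not) => warning, skip the main-connection checks and continue`, or add the `exit` if stopping was the intent. The surrounding `if` ends in the next hunk.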
@@ -50,6 +57,7 @@ if [ "${IS_GATEWAY_IN_FILE}" = 1 ]; then fi fi +# Check whether ipsecctl use the main connection if [ "${IS_VPN_USING_MAIN_CONNECTION}" = 1 ]; then /sbin/ipsecctl -sa | /usr/bin/grep -q "${MAIN_CONNECTION_IP}" if [ $? != 0 ]; then @@ -58,6 +66,7 @@ if [ "${IS_VPN_USING_MAIN_CONNECTION}" = 1 ]; then fi fi +# Check whether PacketFilter has route-to using the main connection if [ "${IS_PF_USING_MAIN_CONNECTION}" = 1 ]; then /sbin/pfctl -sr | /usr/bin/grep "route-to" | /usr/bin/grep -q "${MAIN_CONNECTION_GATEWAY}" if [ $? != 0 ]; then @@ -66,6 +75,11 @@ if [ "${IS_PF_USING_MAIN_CONNECTION}" = 1 ]; then fi fi +# Check miscellaneous things +if [ "${IS_MISCELLANEOUS}" = 1 ]; then + echo +fi + if [ "${STATE}" = 0 ]; then echo "OK - Main connection is UP and used, second connection is UP" fi From f305b3420bdffcb10752f7e159fee4a3eb50d674 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 15 Jul 2019 18:25:25 +0200 Subject: [PATCH 017/150] Replace all sudo occurences with doas --- roles/base/tasks/sudo.yml | 3 --- roles/base/templates/doas.conf.j2 | 3 +++ roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 8 +++----- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index d00e460..8ba489e 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -18,9 +18,6 @@ block: | Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh %wheel ALL=NOPASSWD: MAINT - _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ipsecctl.sh - _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_mailq - _nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/plugins/check_ospfd_simple validate: 'visudo -cf %s' backup: no tags: diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 0d313a5..8cc0c9c 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 
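Review bot: The placeholder body of the new `IS_MISCELLANEOUS` block is a bare `echo`, which writes an empty line before the final OK/error text whenever the main connection is up; Nagios takes the first output line as the service status, so the check will show a blank status with the real message relegated to long output. Replace it with a no-op until there is a real check, `: # TODO: miscellaneous checks go here`, or drop the block and the variable until they do something.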
@@ -6,6 +6,9 @@ permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh permit nopass _nrpe as root cmd /sbin/bioctl args sd2 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd permit nopass _collectd as root cmd /usr/sbin/bgpctl +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 0420fcb..6d2b724 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
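Review bot: None of the three new rules carries an `args` clause, so `_nrpe` may run check_mailq and check_ipsecctl.sh as root with arbitrary arguments; the NRPE commands in this same patch use fixed arguments, so at least the mailq rule can be pinned, `permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq args -w 10 -c 20`. The file also keeps the older `permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh` rule (root is doas's default target, so it is equivalent) next to the new `plugins/check_ipsecctl.sh` one; if the old path is gone, drop that rule rather than leaving two entries for the same plugin.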
@@ -18,14 +18,12 @@ command[check_swap]=/usr/local/libexec/nagios/check_swap --no-swap=ok -a -w 30% command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp.evolix.net command[check_http]=/usr/local/libexec/nagios/check_http -H localhost -p 80 command[check_onduleur]=/usr/local/libexec/nagios/check_ups -H localhost -u onduleur -# Pour check_mailq, ajouter dans sudo : -# _nrpe ALL=NOPASSWD: /usr/local/libexec/nagios/check_mailq -command[check_mailq]=sudo /usr/local/libexec/nagios/check_mailq -w 10 -c 20 +command[check_mailq]=doas /usr/local/libexec/nagios/check_mailq -w 10 -c 20 command[check_bind]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT #command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100% -command[check_vpn]=sudo /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" +command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master @@ -34,5 +32,5 @@ command[check_dhcpclient]=/usr/local/libexec/nagios/check_dhcp -i INTERFACE command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 #command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d -command[check_ospfd_simple]=sudo /usr/local/libexec/nagios/plugins/check_ospfd_simple +command[check_ospfd_simple]=doas /usr/local/libexec/nagios/plugins/check_ospfd_simple command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf 
From f0c4b2f41445b30e1aad77bdddee3de7f93a6deb Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 22 Jul 2019 15:56:35 +0200 Subject: [PATCH 018/150] Enhance ospfd_simple check The condition did not work properly --- roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple b/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple index 932e69e..718114c 100755 --- a/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple +++ b/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple @@ -3,7 +3,7 @@ . /usr/local/libexec/nagios/utils.sh # check if ospfd is running -if [[ "$(ospfctl show 2>&1)" = *"/var/run/ospfd.sock:"* ]]; then +if ospfctl show 2>&1 | grep -q "ospfctl: connect: /var/run/ospfd.sock: No such file or directory"; then echo "CRITICAL - OSPFD not running" exit "$STATE_CRITICAL" else From 70e49781d95b79a60666a6d1561101333d323242 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 22 Aug 2019 17:24:03 +0200 Subject: [PATCH 019/150] Import evomaintenance after last overhaul --- roles/base/defaults/main.yml | 11 + roles/base/files/evomaintenance.sh | 776 +++++++++++++++++++++---- roles/base/templates/evomaintenance.j2 | 15 +- 3 files changed, 676 insertions(+), 126 deletions(-) diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml index fe0e8fd..0748c9f 100644 --- a/roles/base/defaults/main.yml +++ b/roles/base/defaults/main.yml 
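Review bot: Matching the exact English error text `ospfctl: connect: /var/run/ospfd.sock: No such file or directory` is brittle: an ospfd that crashed and left a stale socket fails with "Connection refused" instead, and any wording change in ospfctl turns a dead daemon into an OK result. Test the exit status instead, `if ! ospfctl show >/dev/null 2>&1; then`, which covers every failure to reach the daemon; keep the message match only if you want to distinguish causes in the output. The `else` branch continues outside the hunk.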
@@ -17,3 +17,14 @@ evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" evomaintenance_urgency_from: mama.doe@example.com evomaintenance_urgency_tel: "06.00.00.00.00" +evomaintenance_install_vendor: False +evomaintenance_force_config: True +evomaintenance_api_endpoint: Null +evomaintenance_api_key: Null +evomaintenance_hook_api: True +evomaintenance_hook_db: False +evomaintenance_hook_commit: True +evomaintenance_hook_mail: True +evomaintenance_default_hosts: [] +evomaintenance_additional_hosts: [] +evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}" diff --git a/roles/base/files/evomaintenance.sh b/roles/base/files/evomaintenance.sh index d2a7f52..4820f49 100644 --- a/roles/base/files/evomaintenance.sh +++ b/roles/base/files/evomaintenance.sh 
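Review bot: `evomaintenance_hook_api: True` enables the API hook by default while `evomaintenance_api_endpoint` and `evomaintenance_api_key` default to `Null`, so a host deployed without overriding them runs the hook unconfigured; either default the hook to `False` or have the role assert that both values are set when it is on. `evomaintenance_api_key` is a secret: document where it is meant to live, `# set via ansible-vault or a host_vars file outside plain inventory`, and make sure the template that renders it into the config file (not in this excerpt) writes that file root-only, e.g. mode 0600.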
@@ -4,82 +4,445 @@ # Dependencies (all OS): git postgresql-client # Dependencies (Debian): sudo -# version 0.4.1 -# Copyright 2007-2018 Evolix +# version 0.5.1 +# Copyright 2007-2019 Evolix , Gregory Colpart , +# Jérémy Lecour and others. + +VERSION="0.5.1" + +show_version() { + cat <, Gregory Colpart , + Jérémy Lecour and others. + +evomaintenance comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public Licence for details. +END +} + +show_help() { + cat <> "${LOGFILE}" + fi + fi + fi +} + +hook_db() { + SQL_DETAILS=$(echo "${MESSAGE}" | sed "s/'/''/g") + PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_DETAILS}')" + + if [ "${VERBOSE}" = "1" ]; then + printf "\n********** DB query **************\n%s\n***********************************\n" "${PG_QUERY}" + fi + if [ "${DRY_RUN}" != "1" ] && [ -x "${PSQL_BIN}" ]; then + echo "${PG_QUERY}" | ${PSQL_BIN} "${PGDB}" "${PGTABLE}" -h "${PGHOST}" + fi +} + +hook_api() { + if [ "${VERBOSE}" = "1" ]; then + printf "\n********** API call **************\n" + printf "curl -f -s -S -X POST [REDACTED] -k -F api_key=[REDACTED] -F action=insertEvoMaintenance -F hostname=%s -F userid=%s -F ipaddress=%s -F begin_date=%s -F end_date='now()' -F details=%s" \ + "${HOSTNAME}" "${USER}" "${IP}" "${BEGIN_DATE}" "${MESSAGE}" + printf "\n***********************************\n" + fi + + if [ "${DRY_RUN}" != "1" ] && [ -x "${CURL_BIN}" ]; then + API_RETURN_STATUS=$(curl -f -s -S -X POST \ + "${API_ENDPOINT}" -k \ + -F api_key="${API_KEY}" \ + -F action=insertEvoMaintenance \ + -F hostname="${HOSTNAME}" \ + -F userid="${USER}" \ + -F ipaddress="${IP}" \ + -F begin_date="${BEGIN_DATE}" \ + -F end_date='now()' \ + -F details="${MESSAGE}") + + # either cURL or the API backend can throw an error, otherwise it returns this JSON response + if [ 
"$API_RETURN_STATUS" = '{"status":"Ok"}' ]; then + echo "API call OK." + else + echo "API call FAILED." + fi + fi +} + +format_mail() { + cat <> "${LOGFILE}" + fi +} + +# load configuration if present. test -f /etc/evomaintenance.cf && . /etc/evomaintenance.cf -[ -n "${HOSTNAME}" ] || HOSTNAME=$(get_fqdn) -[ -n "${EVOMAINTMAIL}" ] || EVOMAINTMAIL=evomaintenance-$(echo "${HOSTNAME}" | cut -d- -f1)@${REALM} -[ -n "${LOGFILE}" ] || LOGFILE=/var/log/evomaintenance.log +HOSTNAME=${HOSTNAME:-$(get_fqdn)} +EVOMAINTMAIL=${EVOMAINTMAIL:-"evomaintenance-$(echo "${HOSTNAME}" | cut -d- -f1)@${REALM}"} +LOGFILE=${LOGFILE:-"/var/log/evomaintenance.log"} +HOOK_COMMIT=${HOOK_COMMIT:-"1"} +HOOK_DB=${HOOK_DB:-"0"} +HOOK_API=${HOOK_API:-"1"} +HOOK_MAIL=${HOOK_MAIL:-"1"} +DRY_RUN=${DRY_RUN:-"0"} +VERBOSE=${VERBOSE:-"0"} +AUTO=${AUTO:-"0"} +EVOCHECK=${EVOCHECK:-"0"} +GIT_STATUS_MAX_LINES=${GIT_STATUS_MAX_LINES:-20} +API_ENDPOINT=${API_ENDPOINT:-""} + +# initialize variables +MESSAGE="" +# GIT_COMMITS_SHORT="" +GIT_COMMITS="" + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + --version) + show_version + exit 0 + ;; + -m|--message) + # message options, with value speparated by space + if [ -n "$2" ]; then + MESSAGE=$2 + shift + else + printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --message=?*) + # message options, with value speparated by = + MESSAGE=${1#*=} + ;; + --message=) + # message options, without value + printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + --no-commit) + # disable commit hook + HOOK_COMMIT=0 + ;; + --commit) + # enable commit hook + HOOK_COMMIT=1 + ;; + --no-db) + # disable DB hook + HOOK_DB=0 + ;; + --db) + # enable DB hook + HOOK_DB=1 + ;; + --no-api) + # disable API hook + HOOK_API=0 + ;; + --api) + # enable API hook + HOOK_API=1 + ;; + --no-mail) + # disable mail hook + 
HOOK_MAIL=0 + ;; + --mail) + # enable mail hook + HOOK_MAIL=1 + ;; + --no-auto) + # use "manual" mode + AUTO=0 + ;; + --auto) + # use "auto" mode + AUTO=1 + ;; + -n|--dry-run) + # disable actual commands + DRY_RUN=1 + ;; + -v|--verbose) + # print verbose information + VERBOSE=1 + ;; + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + # Treat unset variables as an error when substituting. # Only after this line, because some config variables might be missing. set -u -REAL_HOSTNAME=$(get_fqdn) -if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then - HOSTNAME_TEXT="${HOSTNAME}" -else - HOSTNAME_TEXT="${HOSTNAME} (${REAL_HOSTNAME})" -fi - +# Gather information +HOSTNAME_TEXT=$(get_complete_hostname) # TTY=$(get_tty) # WHO=$(get_who) IP=$(get_ip) 
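Review bot: `hook_api` calls curl with `-k`, which disables TLS certificate verification, so the API key and the maintenance details are posted to whoever can intercept or impersonate `${API_ENDPOINT}`; drop `-k` and, if the endpoint uses a private CA, pass it with `--cacert`. Passing `-F api_key="${API_KEY}"` on the command line also exposes the key in the process list for the duration of the call; putting the request options in a `--config` file created with `mktemp` and mode 0600 avoids that. `hook_db` builds `PG_QUERY` by string interpolation and escapes only `MESSAGE`, while `HOSTNAME`, `USER`, `IP` and `BEGIN_DATE` go in raw; letting psql do the quoting with `-v msg="${MESSAGE}"` and `:'msg'` in the statement (and likewise for the other fields) is safer than hand-written `sed` escaping. Several heredocs in this hunk appear truncated in this view, so `hook_commit`, `format_mail` and `hook_mail` were not reviewed.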
@@ -90,109 +453,278 @@ USER=$(logname) PATH=${PATH}:/usr/sbin SENDMAIL_BIN=$(command -v sendmail) +readonly SENDMAIL_BIN +if [ "${HOOK_MAIL}" = "1" ] && [ -z "${SENDMAIL_BIN}" ]; then + echo "No \`sendmail' command has been found, can't send mail." 2>&1 +fi + GIT_BIN=$(command -v git) +readonly GIT_BIN +if [ "${HOOK_COMMIT}" = "1" ] && [ -z "${GIT_BIN}" ]; then + echo "No \`git' command has been found, can't commit changes" 2>&1 +fi + +PSQL_BIN=$(command -v psql) +readonly PSQL_BIN +if [ "${HOOK_DB}" = "1" ] && [ -z "${PSQL_BIN}" ]; then + echo "No \`psql' command has been found, can't save to the database." 2>&1 +fi + +CURL_BIN=$(command -v curl) +readonly CURL_BIN +if [ "${HOOK_API}" = "1" ] && [ -z "${CURL_BIN}" ]; then + echo "No \`curl' command has been found, can't call the API." 2>&1 +fi + +if [ "${HOOK_API}" = "1" ] && [ -z "${API_ENDPOINT}" ]; then + echo "No API endpoint specified, can't call the API." 2>&1 +fi + +EVOCHECK_BIN="/usr/share/scripts/evocheck.sh" GIT_REPOSITORIES="/etc /etc/bind" -# git statuses +# initialize variable GIT_STATUSES="" - -if test -x "${GIT_BIN}"; then +# git statuses +if [ -x "${GIT_BIN}" ]; then # loop on possible directories managed by GIT for dir in ${GIT_REPOSITORIES}; do - # tell Git where to find the repository and the work tree (no need to `cd …` there) - export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}" - # If the repository and the work tree exist, try to commit changes - if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then - CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ') - if [ "${CHANGED_LINES}" != "0" ]; then - STATUS=$(${GIT_BIN} status --short | tail -n 10) - # append diff data, without empty lines - GIT_STATUSES=$(printf "%s\n%s\n%s\n" "${GIT_STATUSES}" "${GIT_DIR} (last 10 lines)" "${STATUS}" | sed -e '/^$/d') - fi + RESULT=$(get_repository_status "${dir}") + if [ -n "${RESULT}" ]; then + # append diff data, without empty lines + GIT_STATUSES=$(printf "%s\n%s\n" "${GIT_STATUSES}" 
"${RESULT}" | sed -e '/^$/d') fi - # unset environment variables to prevent accidental influence on other git commands - unset GIT_DIR GIT_WORK_TREE + unset RESULT done - if [ -n "${GIT_STATUSES}" ]; then - echo "/!\ There are some uncommited changes. If you proceed, everything will be commited." - echo "${GIT_STATUSES}" - echo "" - fi fi -# get input from stdin -echo "> Please, enter details about your maintenance" -read TEXTE +# find out if running in interactive mode, or not +if [ -t 0 ]; then + INTERACTIVE=1 +else + INTERACTIVE=0 +fi +readonly INTERACTIVE -if [ "${TEXTE}" = "" ]; then +if [ "${INTERACTIVE}" = "1" ] && [ "${EVOCHECK}" = "1" ]; then + get_evocheck +fi +if [ -n "${GIT_STATUSES}" ] && [ "${INTERACTIVE}" = "1" ]; then + printf "/!\ There are some uncommited changes.\n%s\n\n" "${GIT_STATUSES}" +fi + +if [ -z "${MESSAGE}" ]; then + if [ "${INTERACTIVE}" = "1" ]; then + printf "> Please, enter details about your maintenance:\n" + fi + read -r MESSAGE +fi + +if [ -z "${MESSAGE}" ]; then echo "no value..." exit 1 fi -# recapitulatif -BLOB=$(cat < Press to submit, or to cancel." 
-read enter - -# write log -echo "----------- $(get_now) ---------------" >> "${LOGFILE}" -echo "${BLOB}" >> "${LOGFILE}" - -# git commit -GIT_COMMITS="" - -if test -x "${GIT_BIN}"; then - # loop on possible directories managed by GIT - for dir in ${GIT_REPOSITORIES}; do - # tell Git where to find the repository and the work tree (no need to `cd …` there) - export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}" - # If the repository and the work tree exist, try to commit changes - if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then - CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ') - if [ "${CHANGED_LINES}" != "0" ]; then - ${GIT_BIN} add --all - ${GIT_BIN} commit --message "${TEXTE}" --author="${USER} <${USER}@evolix.net>" --quiet - # Add the SHA to the log file if something has been committed - SHA=$(${GIT_BIN} rev-parse --short HEAD) - STATS=$(${GIT_BIN} show --stat | tail -1) - # append commit data, without empty lines - GIT_COMMITS=$(printf "%s\n%s : %s –%s" "${GIT_COMMITS}" "${GIT_DIR}" "${SHA}" "${STATS}" | sed -e '/^$/d') - fi +if [ "${INTERACTIVE}" = "1" ] && [ "${AUTO}" = "0" ]; then + if [ "${HOOK_COMMIT}" = "1" ] || [ "${HOOK_MAIL}" = "1" ] || [ "${HOOK_DB}" = "1" ]; then + printf "\nActions to execute:\n" + if [ "${HOOK_COMMIT}" = "1" ]; then + printf "* commit changes in repositories\n" fi - # unset environment variables to prevent accidental influence on other git commands - unset GIT_DIR GIT_WORK_TREE - done - if [ -n "${GIT_COMMITS}" ]; then - echo "${GIT_COMMITS}" >> "${LOGFILE}" + if [ "${HOOK_MAIL}" = "1" ]; then + printf "* send mail to %s\n" "${EVOMAINTMAIL}" + fi + if [ "${HOOK_DB}" = "1" ]; then + printf "* save metadata to the database\n" + fi + if [ "${HOOK_API}" = "1" ]; then + printf "* send metadata to the API\n" + fi + echo "" + + answer="" + while :; do + printf "> Let's continue? [Y,n,i,?] 
" + read -r answer + case $answer in + [Yy]|"" ) + # force "auto" mode, but keep hooks settings + AUTO=1 + break + ;; + [Nn] ) + # force "auto" mode, and disable all hooks + HOOK_COMMIT=0 + HOOK_MAIL=0 + HOOK_DB=0 + HOOK_API=0 + AUTO=1 + break + ;; + [Ii] ) + # force "manual" mode + AUTO=0 + break + ;; + * ) + printf "y - yes, execute actions and exit\n" + printf "n - no, don't execute actions and exit\n" + printf "i - switch to interactive mode\n" + printf "? - print this help\n" + ;; + esac + done fi fi -# insert into PG -# SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/\\\\\\'/g ; s@/@\\\\\/@g ; s@\\&@et@g"` -SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"` +if [ "${INTERACTIVE}" = "1" ] && [ "${AUTO}" = "0" ]; then + # Commit hook + if [ -n "${GIT_STATUSES}" ] && [ "${HOOK_COMMIT}" = "1" ]; then + printf "/!\ There are some uncommited changes.\n%s\n\n" "${GIT_STATUSES}" -PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')" -echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet + y="Y"; n="n" + answer="" + while :; do + printf "> Do you want to commit the changes? [%s] " "${y},${n}" + read -r answer + case $answer in + [Yy] ) + hook_commit; + break + ;; + [Nn] ) + break + ;; + "" ) + if [ "${HOOK_COMMIT}" = "1" ]; then + hook_commit + fi + break + ;; + * ) + echo "answer with a valid choice" + ;; + esac + done + fi -# send mail -MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@") -MAIL_GIT_COMMITS=$(echo "${GIT_COMMITS}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@") + # Mail hook + if [ "${HOOK_MAIL}" = "1" ]; then + y="Y"; n="n" + else + y="y"; n="N" + fi + answer="" + while :; do + printf "> Do you want to send an email to <%s>? 
[%s] " "${EVOMAINTMAIL}" "${y},${n},e" + read -r answer + case $answer in + [Yy] ) + hook_mail; + break + ;; + [Nn] ) + break + ;; + [Ee] ) + printf "> To: [%s] " "${EVOMAINTMAIL}" + read -r mail_recipient + if [ -n "${mail_recipient}" ]; then + EVOMAINTMAIL="${mail_recipient}" + fi + ;; + "" ) + if [ "${HOOK_MAIL}" = "1" ]; then + hook_mail + fi + break + ;; + * ) + echo "answer with a valid choice" + ;; + esac + done -cat /usr/share/scripts/evomaintenance.tpl | \ - sed -e "s/__TO__/${EVOMAINTMAIL}/ ; s/__HOSTNAME__/${HOSTNAME_TEXT}/ ; s/__USER__/${USER}/ ; s/__BEGIN_DATE__/${BEGIN_DATE}/ ; s/__END_DATE__/${END_DATE}/ ; s/__GIT_COMMITS__/${MAIL_GIT_COMMITS}/ ; s/__TEXTE__/${MAIL_TEXTE}/ ; s/__IP__/${IP}/ ; s/__FULLFROM__/${FULLFROM}/ ; s/__FROM__/${FROM}/ ; s/__URGENCYFROM__/${URGENCYFROM}/ ; s/__URGENCYTEL__/${URGENCYTEL}/" | \ - ${SENDMAIL_BIN} -oi -t -f ${FROM} + # Database hook + if [ "${HOOK_DB}" = "1" ]; then + y="Y"; n="n" + else + y="y"; n="N" + fi + answer="" + while :; do + printf "> Do you want to insert your message into the database? [%s] " "${y},${n}" + read -r answer + case $answer in + [Yy] ) + hook_db; + break + ;; + [Nn] ) + break + ;; + "" ) + if [ "${HOOK_DB}" = "1" ]; then + hook_db + fi + break + ;; + * ) + echo "answer with a valid choice" + ;; + esac + done + + # API hook + if [ "${HOOK_API}" = "1" ]; then + y="Y"; n="n" + else + y="y"; n="N" + fi + answer="" + while :; do + printf "> Do you want to send the metadata to the API? 
[%s] " "${y},${n}" + read -r answer + case $answer in + [Yy] ) + hook_api; + break + ;; + [Nn] ) + break + ;; + "" ) + if [ "${HOOK_API}" = "1" ]; then + hook_api + fi + break + ;; + * ) + echo "answer with a valid choice" + ;; + esac + done +fi + +# Log hook +hook_log + +if [ "${INTERACTIVE}" = "0" ] || [ "${AUTO}" = "1" ]; then + if [ "${HOOK_COMMIT}" = "1" ]; then + hook_commit + fi + if [ "${HOOK_MAIL}" = "1" ]; then + hook_mail + fi + if [ "${HOOK_DB}" = "1" ]; then + hook_db + fi + if [ "${HOOK_API}" = "1" ]; then + hook_api + fi +fi exit 0 diff --git a/roles/base/templates/evomaintenance.j2 b/roles/base/templates/evomaintenance.j2 index 79bc0cb..006d1c0 100644 --- a/roles/base/templates/evomaintenance.j2 +++ b/roles/base/templates/evomaintenance.j2 @@ -1,13 +1,20 @@ HOSTNAME={{ evomaintenance_hostname }} EVOMAINTMAIL={{ evomaintenance_alert_email or general_alert_email | mandatory }} -export PGPASSWORD={{ evomaintenance_pg_passwd | mandatory }} +export PGPASSWORD={{ evomaintenance_pg_passwd }} -PGDB={{ evomaintenance_pg_db | mandatory }} -PGTABLE={{ evomaintenance_pg_table | mandatory }} -PGHOST={{ evomaintenance_pg_host | mandatory }} +PGDB={{ evomaintenance_pg_db }} +PGTABLE={{ evomaintenance_pg_table }} +PGHOST={{ evomaintenance_pg_host }} FROM={{ evomaintenance_from }} FULLFROM="{{ evomaintenance_full_from }}" URGENCYFROM={{ evomaintenance_urgency_from }} URGENCYTEL="{{ evomaintenance_urgency_tel }}" REALM="{{ evomaintenance_realm }}" +API_ENDPOINT={{ evomaintenance_api_endpoint }} +API_KEY={{ evomaintenance_api_key }} + +HOOK_API={{ evomaintenance_hook_api | bool | ternary('1','0') }} +HOOK_DB={{ evomaintenance_hook_db | bool | ternary('1','0') }} +HOOK_COMMIT={{ evomaintenance_hook_commit | bool | ternary('1','0') }} +HOOK_MAIL={{ evomaintenance_hook_mail | bool | ternary('1','0') }} From d73645532789da46e98e821bf3ea636d19f0f57d Mon Sep 17 00:00:00 2001 
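Review bot: The five "No `…' command has been found" diagnostics after `SENDMAIL_BIN`, `GIT_BIN`, `PSQL_BIN`, `CURL_BIN` and the empty `API_ENDPOINT` check end with `2>&1`, which redirects stderr into stdout; the intent is clearly `>&2`, so these warnings currently land on stdout where they are captured by callers and mixed into piped output. In addition, when `HOOK_API` is 1 but `API_ENDPOINT` is empty the script warns and then, in auto or non-interactive mode, still runs `hook_api` with an empty URL; setting `HOOK_API=0` in that branch (and the corresponding `HOOK_*=0` in the missing-binary branches) avoids a guaranteed failed call. The `hook_*` functions themselves are defined in the previous hunk.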
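Review bot: `API_KEY={{ evomaintenance_api_key }}` and `export PGPASSWORD={{ evomaintenance_pg_passwd }}` are rendered as unquoted shell assignments into a file the script sources with `. /etc/evomaintenance.cf`, so a secret containing a space, `$`, `;` or a quote either breaks the assignment or is interpreted by the shell. Render those values through Ansible's `quote` filter, e.g. `API_KEY={{ evomaintenance_api_key | quote }}`, and do the same for the other values on this file. Dropping `| mandatory` on the PG variables removes the clear error for a DB-enabled host that lacks them; since they are only needed when the DB hook is on, an `assert` on them conditioned on `evomaintenance_hook_db` keeps the check without blocking API-only hosts. The task that deploys this template is outside the diff; verify the rendered file is root-only (0600), since it now carries both the database password and the API key.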
From: Tristan PILAT Date: Thu, 22 Aug 2019 17:05:15 +0200 Subject: [PATCH 020/150] Please, we don't want the mouse function enabled in vim --- roles/base/files/vimrc | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/files/vimrc b/roles/base/files/vimrc index 581459c..df8a1cb 100644 --- a/roles/base/files/vimrc +++ b/roles/base/files/vimrc @@ -9,3 +9,4 @@ set smarttab set backspace=indent,eol,start set showcmd set encoding=utf-8 +set mouse="" From 8b1ce861e3a95bd532c82bebb295c42afec5ffdb Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 19 Sep 2019 17:07:01 -0400 Subject: [PATCH 021/150] Add stricter ssh and doas access --- roles/accounts/handlers/main.yml | 6 +++ roles/accounts/tasks/main.yml | 70 ++++++++++++++++++++++++++++++- roles/accounts/tasks/user.yml | 12 +++++- roles/base/templates/doas.conf.j2 | 4 +- vars/main.yml | 7 +++- 5 files changed, 93 insertions(+), 6 deletions(-) create mode 100644 roles/accounts/handlers/main.yml diff --git a/roles/accounts/handlers/main.yml b/roles/accounts/handlers/main.yml new file mode 100644 index 0000000..5d24c46 --- /dev/null +++ b/roles/accounts/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: reload sshd + service: + name: sshd + state: reloaded diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml index 0524374..4805b2a 100644 --- a/roles/accounts/tasks/main.yml +++ b/roles/accounts/tasks/main.yml 
@@ -1,7 +1,75 @@ --- +- name: "Create {{ evolinux_sudo_group }}" + group: + name: "{{ evolinux_sudo_group }}" + system: true + - name: Create user accounts include: user.yml vars: user: "{{ item.value }}" with_dict: "{{ evolinux_users }}" - when: evolinux_users != {} \ No newline at end of file + when: evolinux_users != {} + +- name: verify AllowGroups directive + command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + changed_when: false + failed_when: false + check_mode: false + register: grep_allowgroups_ssh + +- name: verify AllowUsers directive + command: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + changed_when: false + failed_when: false + check_mode: false + register: grep_allowusers_ssh + +- assert: + that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)" + msg: "We can't deal with AllowUsers and AllowGroups at the same time" + +- set_fact: + # If "AllowGroups is present" + ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}" + +- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" + lineinfile: + dest: /etc/ssh/sshd_config + line: "\nAllowGroups {{ evolinux_ssh_group }}" + insertafter: 'Subsystem' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - ssh_allowgroups + - grep_allowgroups_ssh.rc == 1 + +- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' + replace: '\1 {{ evolinux_ssh_group }}' + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - ssh_allowgroups + - grep_allowgroups_ssh.rc == 0 + +- name: "Append '{{ item.name }}' to AllowUsers sshd directive" + replace: + dest: /etc/ssh/sshd_config + regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$' + replace: '\1 {{ item.name }}' + validate: '/usr/sbin/sshd -t -f %s' + with_dict: "{{ evolinux_users }}" + notify: reload sshd + when: + - not ssh_allowgroups + - 
grep_allowusers_ssh == 1 + +- name: disable root login + replace: + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' + replace: "PermitRootLogin no" + notify: reload sshd diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml index 109c8a5..03af553 100644 --- a/roles/accounts/tasks/user.yml +++ b/roles/accounts/tasks/user.yml @@ -7,7 +7,7 @@ password: '{{ user.password_hash_openbsd }}' groups: wheel shell: /bin/ksh - append: yes + append: true tags: - admin @@ -21,4 +21,12 @@ loop_var: ssk_key when: user.ssh_keys is defined tags: - - admin \ No newline at end of file + - admin + +- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group" + user: + name: "{{ user.name }}" + groups: "{{ evolinux_sudo_group }}" + append: true + tags: + - admin diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 1a56e79..67241cc 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 @@ -1,7 +1,7 @@ # {{ ansible_managed }} -permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :wheel +permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }} permit nopass root -permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :wheel as root cmd /usr/share/scripts/evomaintenance.sh +permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh permit nopass _nrpe as root cmd /sbin/bioctl args sd2 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd diff --git a/vars/main.yml b/vars/main.yml index ed3fb9f..fff786a 100644 --- a/vars/main.yml +++ b/vars/main.yml 
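Review bot: The new `AllowGroups {{ evolinux_ssh_group }}` directive restricts SSH logins to members of that group, but nothing in this diff creates `evolinux_ssh_group` or adds any account to it (user.yml only appends users to `evolinux_sudo_group`), so unless a task outside this diff does, applying the role locks every user out of SSH — `validate` and the `reload sshd` handler will happily apply a syntactically valid config. Add a `group:` task for the ssh group and a `user:` task appending each account to it before the directive is written. Separately, the AllowUsers task's condition `grep_allowusers_ssh == 1` compares the registered result dict to an integer and is never true; given `ssh_allowgroups` is false only when AllowUsers is present, it should read `grep_allowusers_ssh.rc == 0`. The `disable root login` task runs unconditionally although the same commit introduces `evolinux_root_disable_ssh`, and it is the only sshd edit without `validate: '/usr/sbin/sshd -t -f %s'`; add both.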
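Review bot: The new task in user.yml appends every managed account to `{{ evolinux_sudo_group }}` unconditionally, while the task above still puts the same account in `wheel`; with doas.conf now keyed on the sudo group, root access is granted to all managed users rather than a chosen subset, which is the opposite of the "stricter" intent in the commit title. If some accounts should only have shell access, gate this task on a per-user attribute of the `user` dict (it already carries `name`, `password_hash_openbsd` and `ssh_keys`), and reconsider whether `wheel` membership is still needed once doas no longer references it.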
@@ -2,12 +2,17 @@ ######################################################## ## Edit and uncomment to overwrite the default values ## ######################################################## - +general_alert_email: "alert4@evolix.net" +general_technical_realm: "evolix.ca" +evomaintenance_realm: "evolix.fr" #ntpd_servers: #- "ntp.evolix.net" # #general_alert_email: "root@localhost" #general_technical_realm: "example.com" +evolinux_ssh_group: "evolinux-ssh" +evolinux_sudo_group: "evolinux-sudo" +evolinux_root_disable_ssh: true # #evomaintenance_realm: "example.com" #evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" From 67d6c0ab622e7c55c0e5a84f177db820ad606b06 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 19 Sep 2019 17:12:21 -0400 Subject: [PATCH 022/150] revert forgotten extra variables in main --- vars/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index fff786a..098a8d2 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -2,9 +2,7 @@ ######################################################## ## Edit and uncomment to overwrite the default values ## ######################################################## -general_alert_email: "alert4@evolix.net" -general_technical_realm: "evolix.ca" -evomaintenance_realm: "evolix.fr" + #ntpd_servers: #- "ntp.evolix.net" # From 8be45548a26b42c2178c003e3005538a243bf721 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 29 Oct 2019 17:59:33 +0100 Subject: [PATCH 023/150] Since yspatch can apply stable patches, we no longer need to install openup --- roles/post-install/tasks/update.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/roles/post-install/tasks/update.yml b/roles/post-install/tasks/update.yml index 1a6de6a..f437189 100644 --- a/roles/post-install/tasks/update.yml +++ b/roles/post-install/tasks/update.yml 
@@ -1,9 +1,3 @@ --- -- name: Fetch and install openup - get_url: - url: https://stable.mtier.org/openup - dest: /usr/local/bin/openup - mode: "0750" - -- name: Install updates (erratas) with openup - shell: /usr/local/bin/openup +- name: Check and install updates (erratas) if available + shell: /usr/sbin/syspatch From 02658b6b1d603d0a3844206984125ceb04fbd526 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Wed, 30 Oct 2019 11:00:29 +0100 Subject: [PATCH 024/150] Add first version of an OpenVPN role --- roles/openvpn/README.md | 13 ++ roles/openvpn/defaults/main.yml | 3 + roles/openvpn/files/check_openvpn.pl | 215 +++++++++++++++++++++++++ roles/openvpn/files/shellpki | 1 + roles/openvpn/files/sudo_shellpki | 1 + roles/openvpn/handlers/main.yml | 5 + roles/openvpn/tasks/main.yml | 110 +++++++++++++ roles/openvpn/templates/dh2048.pem.j2 | 8 + roles/openvpn/templates/server.conf.j2 | 26 +++ 9 files changed, 382 insertions(+) create mode 100644 roles/openvpn/README.md create mode 100644 roles/openvpn/defaults/main.yml create mode 100755 roles/openvpn/files/check_openvpn.pl create mode 120000 roles/openvpn/files/shellpki create mode 100644 roles/openvpn/files/sudo_shellpki create mode 100644 roles/openvpn/handlers/main.yml create mode 100644 roles/openvpn/tasks/main.yml create mode 100644 roles/openvpn/templates/dh2048.pem.j2 create mode 100644 roles/openvpn/templates/server.conf.j2 diff --git a/roles/openvpn/README.md b/roles/openvpn/README.md new file mode 100644 index 0000000..18b459f --- /dev/null +++ b/roles/openvpn/README.md @@ -0,0 +1,13 @@ +# OpenVPN + +Installation and custom configuration of OpenVPN server. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +The full list of variables (with default values) can be found in `defaults/main.yml`. + +NOTE: Make sure you have already cloned shellpki in ~/GIT/ 
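Review bot: `shell: /usr/sbin/syspatch` reports `changed` on every run and fails on any non-zero exit; since no shell features are used, `command: /usr/sbin/syspatch` with `register:` and a `changed_when:` derived from its output (it lists applied patches on stdout) gives an accurate play result. Check the EXIT STATUS section of syspatch(8) for the target release: if it exits non-zero when there is nothing to apply, a matching `failed_when:` is needed so an up-to-date host is not reported as a failure.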
diff --git a/roles/openvpn/defaults/main.yml b/roles/openvpn/defaults/main.yml new file mode 100644 index 0000000..dbf2f80 --- /dev/null +++ b/roles/openvpn/defaults/main.yml @@ -0,0 +1,3 @@ +--- +openvpn_lan: "192.168.42.0" +openvpn_netmask: "255.255.255.0" diff --git a/roles/openvpn/files/check_openvpn.pl b/roles/openvpn/files/check_openvpn.pl new file mode 100755 index 0000000..270fd1e --- /dev/null +++ b/roles/openvpn/files/check_openvpn.pl 
@@ -0,0 +1,215 @@ +#!/usr/bin/perl -w + +####################################################################### +# +# Copyright (c) 2007 Jaime Gascon Romero +# +# License Information: +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# $Id: check_openvpn.pl,v 1.1 2014/09/29 08:39:24 rdessort Exp $ +# $Revision: 1.1 $ +# Home Site: http://emergeworld.blogspot.com/ +# ##################################################################### + +use diagnostics; +use strict; +use Net::Telnet (); +use Getopt::Long qw(:config no_ignore_case); +use vars qw($PROGNAME $VERSION); +use lib "/usr/lib/nagios/plugins/"; +use utils qw(%ERRORS); + +$PROGNAME = "check_openvpn"; +$VERSION = '$Revision: 1.1 $'; + +$ENV{'PATH'}=''; +$ENV{'BASH_ENV'}=''; +$ENV{'ENV'}=''; + +my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r); + +sub print_help (); +sub print_usage (); + +GetOptions + ("h" => \$opt_h, "help" => \$opt_h, + "H=s" => \$opt_H, "host=s" => \$opt_H, + "p=i" => \$opt_p, "port=i" => \$opt_p, + "P=s" => \$opt_P, "password=s" => \$opt_P, + "t=i" => \$opt_t, "timeout=i" => \$opt_t, + "i" => \$opt_i, "ip" => \$opt_i, + "n" => \$opt_n, "numeric" => \$opt_n, + "c" => \$opt_c, "critical" => \$opt_c, + "w" => \$opt_w, "warning" => \$opt_w, + "C=s" => \$opt_C, "common_name=s" => \$opt_C, + "r=s" => \$opt_r, "remote_ip=s" => \$opt_r, + ) or exit $ERRORS{'UNKNOWN'}; + +# default values +unless ( 
defined $opt_t ) { + $opt_t = 10; +} + +if ($opt_h) {print_help(); exit $ERRORS{'OK'};} + +if ( ! defined($opt_H) || ! defined($opt_p) ) { + print_usage(); + exit $ERRORS{'UNKNOWN'} +} + +my @lines; +my @clients; +my @clients_ip; +my $t; + +eval { +$t = new Net::Telnet (Timeout => $opt_t, + Port => $opt_p, + Prompt => '/END$/' + ); +$t->open($opt_H); +if ( defined $opt_P ) { + $t->waitfor('/ENTER PASSWORD:$/'); + $t->print($opt_P); +} +$t->waitfor('/^$/'); +@lines = $t->cmd("status 2"); +$t->close; +}; + +if ($@) { + print "OpenVPN Critical: Can't connect to server\n"; + exit $ERRORS{'CRITICAL'}; +} + + +if (defined $opt_i || defined $opt_r) { + foreach (@lines) { + if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) { + push @clients_ip, $1; + } +} + if (defined $opt_i) { + print "OpenVPN OK: "."@clients_ip "; + exit $ERRORS{'OK'}; + } elsif (defined $opt_r) { + if ( ! grep /\b$opt_r\b/, @clients_ip) { + if (defined $opt_c) { + print "OpenVPN CRITICAL: $opt_r don't found"; + exit $ERRORS{'CRITICAL'}; + } else { + print "OpenVPN WARNING: $opt_r don't found"; + exit $ERRORS{'WARNING'}; + } + } + print "OpenVPN OK: "."@clients_ip "; + exit $ERRORS{'OK'}; + } +} + +foreach (@lines) { + if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) { + push @clients, $1; + } +} + +if (defined $opt_C) { + if ( ! grep /\b$opt_C\b/, @clients) { + if (defined $opt_c) { + print "OpenVPN CRITICAL: $opt_C don't found"; + exit $ERRORS{'CRITICAL'}; + } else { + print "OpenVPN WARNING: $opt_C don't found"; + exit $ERRORS{'WARNING'}; + } + } +} + + +if (defined $opt_n) { +print "OpenVPN OK: ".@clients." 
connected clients."; +exit $ERRORS{'OK'}; +} + +print "OpenVPN OK: "."@clients "; +exit $ERRORS{'OK'}; + +####################################################################### +###### Subroutines #################################################### + +sub print_usage() { + print "Usage: $PROGNAME -H | --host -p | --port [-P | --password] [-t | --timeout] + [-i | --ip] [-n | --numeric] [-C | --common_name] [-r | --remote_ip] [-c | --critical] [-w | --warning]\n\n"; + print " $PROGNAME [-h | --help]\n"; +} + +sub print_help() { + print "$PROGNAME $VERSION\n\n"; + print "Copyright (c) 2007 Jaime Gascon Romero + +Nagios plugin to check the clients connected to a openvpn server. + +"; + print_usage(); + print " +-H | --host + IP address or hostname of the openvpn server. + +-p | --port + Management port interface of the openvpn server. + +-P | --password + Password for the management interface of the openvpn server. + +-t | --timeout + Timeout for the connection attempt. Optional, default 10 seconds. + + + Optional parameters + =================== + +-i | --ip + Prints the IP address of the remote client instead of the common name. + +-n | --numeric + Prints the number of clients connected to the openvpn server. + + + Matching Parameters + =================== + +-C | --common_name + The common name, as it is specified in the client certificate, who is wanted to check. + +-r | --remote_ip + The client remote ip address who is wanted to check. + +-c | --critical + Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected. + +-w | --warning + Exits with WARNING status if the client specified by the common name or the remote ip address is not connected. + + + Other Parameters + ================ + +-h | --help + Show this help. +"; + +} + +# vim:sts=2:sw=2:ts=2:et diff --git a/roles/openvpn/files/shellpki b/roles/openvpn/files/shellpki new file mode 120000 index 0000000..3036d45 --- /dev/null 
+++ b/roles/openvpn/files/shellpki @@ -0,0 +1 @@ +/home/tpilat/GIT/shellpki/ \ No newline at end of file diff --git a/roles/openvpn/files/sudo_shellpki b/roles/openvpn/files/sudo_shellpki new file mode 100644 index 0000000..08ca1ab --- /dev/null +++ b/roles/openvpn/files/sudo_shellpki @@ -0,0 +1 @@ +%shellpki ALL = (root) /usr/local/sbin/shellpki diff --git a/roles/openvpn/handlers/main.yml b/roles/openvpn/handlers/main.yml new file mode 100644 index 0000000..b22f340 --- /dev/null +++ b/roles/openvpn/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart openvpn + service: + name: openvpn + state: restarted diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml new file mode 100644 index 0000000..79299c4 --- /dev/null +++ b/roles/openvpn/tasks/main.yml 
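Review bot: `roles/openvpn/files/shellpki` is committed as a symbolic link to `/home/tpilat/GIT/shellpki/`, an absolute path inside one developer's home directory, so the `Copy some shellpki files` task (`files/shellpki/openssl.cnf`, `files/shellpki/shellpki`) fails for anyone else and the README's "clone shellpki in ~/GIT/" note only works for a user with that exact home. Vendor the two files into the role, or add shellpki as a git submodule pinned to a known commit, so the PKI tooling deployed to hosts is reproducible and what gets installed as `/usr/local/sbin/shellpki` is reviewable in this repository.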
@@ -0,0 +1,110 @@ +--- +- name: Install OpenVPN package + openbsd_pkg: + name: "openvpn--" + tags: + - openvpn + +- name: Create /etc/openvpn directory + file: + path: /etc/openvpn + state: directory + owner: "root" + group: "wheel" + mode: "0755" + tags: + - openvpn + +- name: Deploy OpenVPN configuration + template: + src: "server.conf.j2" + dest: "/etc/openvpn/server.conf" + mode: "0600" + notify: restart openvpn + tags: + - openvpn + +- name: Enabling OpenVPN + service: + name: openvpn + enabled: yes + tags: + - openvpn + +- name: Set OpenVPN flag + shell: 'rcctl set openvpn flags "--config /etc/openvpn/server.conf"' + tags: + - openvpn + +- name: Create shellpki user + user: + name: "_shellpki" + system: yes + state: present + system: yes + home: "/etc/shellpki/" + shell: "/sbin/nologin" + tags: + - openvpn + +- name: Copy some shellpki files + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: wheel + mode: "{{ item.mode }}" + force: yes + with_items: + - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' } + - { src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755' } + tags: + - openvpn + +- name: Deploy DH PARAMETERS + template: + src: "dh2048.pem.j2" + dest: "/etc/shellpki/dh2048.pem" + mode: "0600" + tags: + - openvpn + +- name: Create /etc/sudoers.d directory + file: + path: /etc/sudoers.d + state: directory + owner: "root" + group: "wheel" + mode: "0755" + tags: + - openvpn + +- name: Include /etc/sudoers.d in sudoers configuration file + lineinfile: + path: /etc/sudoers + line: '#includedir /etc/sudoers.d' + tags: + - openvpn + +- name: Verify shellpki sudoers file presence + copy: + src: "sudo_shellpki" + dest: "/etc/sudoers.d/shellpki" + force: true + mode: "0440" + validate: '/usr/local/sbin/visudo -cf %s' + tags: + - openvpn + +- name: Copy check_openvpn + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: wheel + mode: "{{ item.mode 
}}" + force: yes + with_items: + - { src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755' } + tags: + - openvpn diff --git a/roles/openvpn/templates/dh2048.pem.j2 b/roles/openvpn/templates/dh2048.pem.j2 new file mode 100644 index 0000000..9db20bb --- /dev/null +++ b/roles/openvpn/templates/dh2048.pem.j2 @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP +R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr +TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv +ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2 +Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ +aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg== +-----END DH PARAMETERS----- diff --git a/roles/openvpn/templates/server.conf.j2 b/roles/openvpn/templates/server.conf.j2 new file mode 100644 index 0000000..377b5b1 --- /dev/null +++ b/roles/openvpn/templates/server.conf.j2 @@ -0,0 +1,26 @@ +user nobody +group nogroup + +local {{ ansible_default_ipv4.address }} +port 1194 +proto udp +dev tun +mode server +keepalive 10 120 + +cipher AES-128-CBC # AES +#comp-lzo +# compress (à partir d'OpenVPN 2.4) + +persist-key +persist-tun + +status /var/log/openvpn-status.log +log-append /var/log/openvpn.log + +ca /etc/shellpki/cacert.pem +cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt +key /etc/shellpki/private/{{ ansible_fqdn }}.key +dh /etc/shellpki/dh2048.pem + +server {{ openvpn_lan }} {{ openvpn_netmask }} From f88538858b62946a55ccadd91e8e47834d111372 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 14 Nov 2019 15:07:09 +0100 Subject: [PATCH 025/150] Import Evomaintenance 0.6.0 --- roles/base/files/evomaintenance.sh | 33 ++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/roles/base/files/evomaintenance.sh b/roles/base/files/evomaintenance.sh index 4820f49..a459394 100644 --- a/roles/base/files/evomaintenance.sh 
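Review bot: The `Include /etc/sudoers.d in sudoers configuration file` task edits `/etc/sudoers` with `lineinfile` but has no `validate:`, unlike the `Verify shellpki sudoers file presence` task right below it; a bad write to `/etc/sudoers` breaks every `sudo` on the host, including the one the playbook's own `become_method: sudo` depends on for the next run. Add `validate: '/usr/local/sbin/visudo -cf %s'` to that task as well. Two smaller points in the same hunk: `Create shellpki user` lists `system: yes` twice, and `Set OpenVPN flag` uses `shell: rcctl set ...` with no `changed_when`, so it reports a change on every run.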
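Review bot: The DH group is a fixed, repository-wide file, so every host provisioned by this role shares the same 2048-bit parameters, and the `.j2` suffix suggests templating although the file contains no Jinja expressions. DH parameters are not secret, so this is not a leak, but the usual practice is to generate them on the host with `openssl dhparam -out /etc/shellpki/dh2048.pem 2048` (a `command` task with `creates:`), or, if the installed OpenVPN is 2.4 or newer, to set `dh none` and rely on ECDH and drop the file. Which version the `openvpn--` package installs is not visible here.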
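Review bot: The server config never checks a CRL (`crl-verify` is absent), so a client certificate revoked through shellpki keeps being accepted until it expires; if shellpki writes a CRL under `/etc/shellpki` (not visible in this patch), add `crl-verify /etc/shellpki/crl.pem` with the real path. The TLS side is also left at defaults: no `tls-version-min 1.2`, no `remote-cert-tls client` (so any certificate issued by the same CA, including the server's own, can be presented as a client credential), no `tls-auth`/`tls-crypt` key, and `cipher AES-128-CBC` with the default `auth SHA1` HMAC, where `auth SHA256` and, on OpenVPN 2.4+, `cipher AES-256-GCM` are the usual settings. `mode server` is redundant with the `server` directive.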
+++ b/roles/base/files/evomaintenance.sh @@ -4,18 +4,19 @@ # Dependencies (all OS): git postgresql-client # Dependencies (Debian): sudo -# version 0.5.1 # Copyright 2007-2019 Evolix , Gregory Colpart , # Jérémy Lecour and others. -VERSION="0.5.1" +VERSION="0.6.0" show_version() { cat <, Gregory Colpart , - Jérémy Lecour and others. +Copyright 2007-2019 Evolix , + Gregory Colpart , + Jérémy Lecour + and others. evomaintenance comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. @@ -167,12 +168,27 @@ print_session_data() { printf "Message : %s\n" "${MESSAGE}" } +is_repository_readonly() { + mountpoint=$(stat -c '%m' $1) + findmnt ${mountpoint} --noheadings --output OPTIONS | grep -q -E "\bro\b" +} +remount_repository_readwrite() { + mountpoint=$(stat -c '%m' $1) + mount -o remount,rw ${mountpoint} +} +remount_repository_readonly() { + mountpoint=$(stat -c '%m' $1) + mount -o remount,ro ${mountpoint} 2>/dev/null +} + hook_commit() { if [ -x "${GIT_BIN}" ]; then # loop on possible directories managed by GIT for dir in ${GIT_REPOSITORIES}; do # tell Git where to find the repository and the work tree (no need to `cd …` there) export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}" + # reset variable used to track if a mount point is readonly + READONLY_ORIG=0 # If the repository and the work tree exist, try to commit changes if [ -d "${GIT_DIR}" ] && [ -d "${GIT_WORK_TREE}" ]; then CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ') 
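Review bot: `remount_repository_readonly` sends the mount error to `/dev/null` and ignores its status, so when the remount back to read-only fails after the commit, a filesystem that was deliberately mounted read-only (typically `/etc`) silently stays writable. Report the failure instead, e.g. `mount -o remount,ro "${mountpoint}" || printf "Warning: could not remount %s read-only\n" "${mountpoint}" >&2`, and quote `$1` in the three `stat -c '%m' $1` calls so a path with spaces does not split. `hook_commit`, whose header is in this hunk, continues past it.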
@@ -183,8 +199,13 @@ hook_commit() { # GIT_COMMITS_SHORT=$(printf "%s\n%s : %s" "${GIT_COMMITS_SHORT}" "${GIT_DIR}" "${STATS_SHORT}" | sed -e '/^$/d') GIT_COMMITS=$(printf "%s\n%s\n%s" "${GIT_COMMITS}" "${GIT_DIR}" "${STATS}" | sed -e '/^$/d') else + # remount mount point read-write if currently readonly + is_repository_readonly ${dir} && { READONLY_ORIG=1; remount_repository_readwrite ${dir}; } + # commit changes ${GIT_BIN} add --all ${GIT_BIN} commit --message "${MESSAGE}" --author="${USER} <${USER}@evolix.net>" --quiet + # remount mount point read-only if it was before + test "$READONLY_ORIG" = "1" && remount_repository_readonly ${dir} # Add the SHA to the log file if something has been committed SHA=$(${GIT_BIN} rev-parse --short HEAD) # STATS_SHORT=$(${GIT_BIN} show --stat | tail -1) @@ -347,7 +368,7 @@ while :; do show_help exit 0 ;; - --version) + -V|--version) show_version exit 0 ;; @@ -482,7 +503,7 @@ fi EVOCHECK_BIN="/usr/share/scripts/evocheck.sh" -GIT_REPOSITORIES="/etc /etc/bind" +GIT_REPOSITORIES="/etc /etc/bind /usr/share/scripts" # initialize variable GIT_STATUSES="" From 70135252c05a5a29e24141644c2be893168634e1 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 19 Nov 2019 16:28:12 +0100 Subject: [PATCH 026/150] Import Evomaintenance 0.6.1 --- roles/base/files/evomaintenance.sh | 31 ++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/roles/base/files/evomaintenance.sh b/roles/base/files/evomaintenance.sh index a459394..6725e16 100644 --- a/roles/base/files/evomaintenance.sh +++ b/roles/base/files/evomaintenance.sh 
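Review bot: Neither the read-write remount nor `git add`/`git commit` has its status checked, so if `remount_repository_readwrite` fails the commit fails on the still read-only tree and the `rev-parse --short HEAD` that follows yields the previous commit's SHA, which the surrounding code appears to log as if it were the new one (that logic is outside the hunk). At minimum report a failed commit: `${GIT_BIN} commit --message "${MESSAGE}" --author="${USER} <${USER}@evolix.net>" --quiet || printf "Warning: git commit failed in %s\n" "${dir}" >&2`. `hook_commit` begins and ends outside this hunk.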
@@ -7,7 +7,7 @@ # Copyright 2007-2019 Evolix , Gregory Colpart , # Jérémy Lecour and others. -VERSION="0.6.0" +VERSION="0.6.1" show_version() { cat </dev/null + else + mountpoint=$(stat -c '%m' $1) + mount -o remount,rw ${mountpoint} + fi } remount_repository_readonly() { - mountpoint=$(stat -c '%m' $1) - mount -o remount,ro ${mountpoint} 2>/dev/null + if [ "$(get_system)" = "OpenBSD" ]; then + partition=$(stat -f '%Sd' $1) + mount -u -r /dev/${partition} 2>/dev/null + else + mountpoint=$(stat -c '%m' $1) + mount -o remount,ro ${mountpoint} 2>/dev/null + fi } hook_commit() { @@ -532,7 +547,7 @@ if [ "${INTERACTIVE}" = "1" ] && [ "${EVOCHECK}" = "1" ]; then get_evocheck fi if [ -n "${GIT_STATUSES}" ] && [ "${INTERACTIVE}" = "1" ]; then - printf "/!\ There are some uncommited changes.\n%s\n\n" "${GIT_STATUSES}" + printf "/!\\\ There are some uncommited changes.\n%s\n\n" "${GIT_STATUSES}" fi if [ -z "${MESSAGE}" ]; then From 337dcb94381e61434ed3fa02b2fa0a38bae46cdc Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 11:15:27 +0200 Subject: [PATCH 027/150] Make evolixisation playbook more complete - Specification of the different possible uses of the playbook - Addition of the openvpn role, commented by default - No use of the PKG_PATH variable, which is no longer useful since OpenBSD 6.1 installurl. --- evolixisation.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/evolixisation.yml b/evolixisation.yml index 3895536..df88a4c 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -1,4 +1,7 @@ # Playbook command +# First use (become_method: su) : +# ansible-playbook evolixisation.yml --ask-vault-pass -CDi hosts -l HOSTNAME +# Subsequent use (become_method: sudo) : # ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME --- @@ -7,6 +10,7 @@ become: true become_user: root become_method: sudo +# become_method: su vars_files: 
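Review bot: The new first-use command drops `-K` (`--ask-become-pass`) while keeping `-C` (check mode), yet `become_method: su` needs the root password just as `sudo` needs the user's; unless `ansible_become_pass` is supplied through the vault (not visible here) the first run fails at privilege escalation. Either add `-K` to the first-use line or say in the comment where the su password comes from, and consider noting that `-C` is a dry-run flag so a first-time user does not assume the example applies changes.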
@@ -21,13 +25,14 @@ - accounts - nagios-nrpe - post-install + #- openvpn post_tasks: - include: "tasks/commit_etc_git.yml" vars: commit_message: "Ansible - Evolixisation" - environment: - PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" +# environment: +# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" # vim:ft=ansible From 10d56cad1ea2e1a21ab7fa66874492785cb8bf19 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 11:27:43 +0200 Subject: [PATCH 028/150] Correction of the stricter ssh access commit evolinux_ssh_group was missing --- roles/accounts/tasks/main.yml | 5 +++++ roles/accounts/tasks/user.yml | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml index 4805b2a..704d908 100644 --- a/roles/accounts/tasks/main.yml +++ b/roles/accounts/tasks/main.yml @@ -4,6 +4,11 @@ name: "{{ evolinux_sudo_group }}" system: true +- name: "Create {{ evolinux_ssh_group }}" + group: + name: "{{ evolinux_ssh_group }}" + system: true + - name: Create user accounts include: user.yml vars: diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml index 03af553..568753b 100644 --- a/roles/accounts/tasks/user.yml +++ b/roles/accounts/tasks/user.yml @@ -30,3 +30,11 @@ append: true tags: - admin + +- name: "Add {{ user.name }} to {{ evolinux_ssh_group }} group" + user: + name: "{{ user.name }}" + groups: "{{ evolinux_ssh_group }}" + append: true + tags: + - admin From 29afa42c3d4453e5a13677dbc2a27038b4f97fd3 Mon Sep 17 00:00:00 2001 
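Review bot: Every account that goes through `user.yml` is now added to `{{ evolinux_ssh_group }}` unconditionally, so if that group is what sshd's `AllowGroups` (or an equivalent restriction) keys on, the "stricter ssh access" it belongs to is effectively a no-op: membership in the group is identical to having an account. If some accounts are not meant to have SSH access, gate the task, e.g. `when: user.ssh_access | default(true)`, and document the flag where the account list is defined. The sshd side is not visible in this patch, so confirm what the group gates before relying on it.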
From: Jeremy Dubois Date: Tue, 21 Apr 2020 11:30:40 +0200 Subject: [PATCH 029/150] Deletion of mailevomaintenance.sh We now use the git status cron for uncommited changes --- roles/base/tasks/evomaintenance.yml | 21 -------------- roles/base/templates/mailevomaintenance.sh.j2 | 28 ------------------- 2 files changed, 49 deletions(-) delete mode 100644 roles/base/templates/mailevomaintenance.sh.j2 diff --git a/roles/base/tasks/evomaintenance.yml b/roles/base/tasks/evomaintenance.yml index 6471d28..f1d1c18 100644 --- a/roles/base/tasks/evomaintenance.yml +++ b/roles/base/tasks/evomaintenance.yml @@ -28,24 +28,3 @@ backup: no tags: - evomaintenance - -- name: Copy mailevomaintenance - template: - src: mailevomaintenance.sh.j2 - dest: /usr/share/scripts/mailevomaintenance.sh - owner: root - group: wheel - mode: "0700" - tags: - - evomaintenance - - mailevomaintenance - -- name: Add mailevomaintenance cron - cron: - name: "mailevomaintenance" - job: "/usr/share/scripts/mailevomaintenance.sh" - minute: "50" - hour: "22" - disabled: yes - tags: - - mailevomaintenance diff --git a/roles/base/templates/mailevomaintenance.sh.j2 b/roles/base/templates/mailevomaintenance.sh.j2 deleted file mode 100644 index d679ea5..0000000 --- a/roles/base/templates/mailevomaintenance.sh.j2 +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/bin/sh - -set -eu - -cd /etc && _STATUS=$(/usr/local/bin/git status --porcelain) -[ -n "${_STATUS}" ] || exit 0 - -if [ -e /etc/realname ]; then - _HOSTNAME=$(/bin/cat /etc/realname) -else - _HOSTNAME=$(/bin/hostname) -fi - - -TMPFILE=$(/usr/bin/mktemp) || exit 1 -echo "Dear NOC,\n\nSome changes in /etc/ were not committed." >> $TMPFILE - -echo "" >> $TMPFILE -echo "${_STATUS}" >> $TMPFILE - -echo "" >> $TMPFILE -/usr/bin/last | head -n 10 >> $TMPFILE -echo "" >> $TMPFILE -echo "Please answer this mail to notify people when you've corrected the problem." >> $TMPFILE - -/bin/cat $TMPFILE | mail -s "Verif etc-git ${_HOSTNAME}" noc@{{ evomaintenance_realm }} - -/bin/rm $TMPFILE From f57e0e24f0dc093f6b4c7c03e665475b84656509 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 11:35:45 +0200 Subject: [PATCH 030/150] Change in depreciated options Packages list and comparisons will have a new syntax with future ansible version --- roles/base/tasks/packages.yml | 4 +--- roles/nagios-nrpe/tasks/main.yml | 10 ++++------ .../templates/plugins_bsd/check_free_mem.sh.j2 | 2 +- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index d205e19..695ffe1 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -9,9 +9,7 @@ - name: Install packages (vim rsync mtr etc) openbsd_pkg: - name: "{{ item }}" - state: present - with_items: + name: - wget - vim--no_x11 - rsync-- diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index ec97d0a..270de2f 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml 
@@ -1,17 +1,15 @@ --- - name: Install nrpe openbsd_pkg: - name: "{{ item }}" + name: + - nrpe-- state: present - with_items: - - nrpe-- - name: Install monitoring-plugins openbsd_pkg: - name: "{{ item }}" + name: + - monitoring-plugins state: present - with_items: - - monitoring-plugins - name: Create nrpe.d dir file: diff --git a/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 b/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 index ab5f7e2..ee47ad5 100755 --- a/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 +++ b/roles/nagios-nrpe/templates/plugins_bsd/check_free_mem.sh.j2 @@ -64,7 +64,7 @@ __EOT # Total memory size (in MB) tot_mem=$(( `/sbin/sysctl -n hw.physmem` / BYTES_IN_MB)) # Free memory size (in MB) -{% if ansible_distribution_version | version_compare("6.2",'<') %} +{% if ansible_distribution_version is version_compare("6.2",'<') %} free_mem=$(( `/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $5 }'` / KB_IN_MB )) {% else %} free_mem=$(/usr/bin/vmstat | /usr/bin/tail -1 | /usr/bin/awk '{ print $4 }' | tr -d 'M') From c6e3f06fd6458101e5c4bb33019476a6c892cfa7 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 11:40:31 +0200 Subject: [PATCH 031/150] Add .gitignore file --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1296400 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +vars/secrets.yml From caf151d05ca7c12cbd35481534e849bde6fa2bb7 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 11:42:52 +0200 Subject: [PATCH 032/150] Import last evobackup client script The only difference from Debian version is that /srv does not exist on OpenBSD and is removed from the backup directory list Close #21 --- roles/base/files/zzz_evobackup | 581 ++++++++++++++++++++++----------- 1 file changed, 389 insertions(+), 192 deletions(-) 
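Review bot: Ignoring `vars/secrets.yml` only prevents future `git add`; if the file was ever tracked it stays in the index and in history (`git ls-files vars/secrets.yml` and `git log --all -- vars/secrets.yml` tell), and a previously committed secret needs rotation, not just an ignore rule. Since the playbook is already run with `--ask-vault-pass`, an `ansible-vault`-encrypted file could be committed in its place so the inventory stays reproducible without keeping plaintext secrets out of band.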
diff --git a/roles/base/files/zzz_evobackup b/roles/base/files/zzz_evobackup index 5e2a4d9..ec64280 100755 --- a/roles/base/files/zzz_evobackup +++ b/roles/base/files/zzz_evobackup 
@@ -1,222 +1,419 @@ #!/bin/sh - # -# Script Evobackup plus ou moins forké -# See https://forge.evolix.org/projects/evobackup -# +# Script Evobackup client +# See https://gitea.evolix.org/evolix/evobackup +# +# Author: Gregory Colpart +# Contributors: +# Romain Dessort +# Benoît Série +# Tristan Pilat +# Victor Laborie +# Jérémy Lecour +# +# Licence: AGPLv3 +# +# /!\ DON'T FORGET TO SET "MAIL" and "SERVERS" VARIABLES + +# Fail on unassigned variables +set -u + +##### Configuration ################################################### + +# email adress for notifications +MAIL=jdoe@example.com + +# list of hosts (hostname or IP) and SSH port for Rsync +SERVERS="node0.backup.example.com:2XXX node1.backup.example.com:2XXX" + +# Should we fallback on servers when the first is unreachable ? +SERVERS_FALLBACK=${SERVERS_FALLBACK:-1} + +# timeout (in seconds) for SSH connections +SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-30} + +## We use /home/backup : feel free to use your own dir +LOCAL_BACKUP_DIR="/home/backup" + +# You can set "linux" or "bsd" manually or let it choose automatically +SYSTEM=$(uname | tr '[:upper:]' '[:lower:]') + +# Change these 2 variables if you have more than one backup cron +PIDFILE="/var/run/evobackup.pid" +LOGFILE="/var/log/evobackup.log" + +## Enable/Disable tasks +LOCAL_TASKS=${LOCAL_TASKS:-1} +SYNC_TASKS=${SYNC_TASKS:-1} + +##### SETUP AND FUNCTIONS ############################################# + +BEGINNING=$(/bin/date +"%d-%m-%Y ; %H:%M") + +# shellcheck disable=SC2174 +mkdir -p -m 700 ${LOCAL_BACKUP_DIR} PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin ## lang = C for english outputs -LANGUAGE=C -LANG=C +export LANGUAGE=C +export LANG=C ## Force umask umask 077 +## Initialize variable to store SSH connection errors +SERVERS_SSH_ERRORS="" + +# Call test_server with "HOST:PORT" string +# It will return with 0 if the server is reachable. +# It will return with 1 and a message on stderr if not. 
+test_server() { + item=$1 + # split HOST and PORT from the input string + host=$(echo "${item}" | cut -d':' -f1) + port=$(echo "${item}" | cut -d':' -f2) + + # Test if the server is accepting connections + ssh -q -o "ConnectTimeout ${SSH_CONNECT_TIMEOUT}" "${host}" -p "${port}" -t "exit" + # shellcheck disable=SC2181 + if [ $? = 0 ]; then + # SSH connection is OK + return 0 + else + # SSH connection failed + new_error=$(printf "Failed to connect to \`%s' within %s seconds" "${item}" "${SSH_CONNECT_TIMEOUT}") + SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d') + + return 1 + fi +} +# Call pick_server with an optional positive integer to get the nth server in the list. +pick_server() { + increment=${1:-0} + list_length=$(echo "${SERVERS}" | wc -w) + + if [ "${increment}" -ge "${list_length}" ]; then + # We've reached the end of the list + new_error="No more server available" + SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d') + + # Log errors to stderr + printf "%s\n" "${SERVERS_SSH_ERRORS}" >&2 + # Log errors to logfile + printf "%s\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE + return 1 + fi + + # Extract the day of month, without leading 0 (which would give an octal based number) + today=$(date +%e) + # A salt is useful to randomize the starting point in the list + # but stay identical each time it's called for a server (based on hostname). + salt=$(hostname | cksum | cut -d' ' -f1) + # Pick an integer between 0 and the length of the SERVERS list + # It changes each day + item=$(( (today + salt + increment) % list_length )) + # cut starts counting fields at 1, not 0. + field=$(( item + 1 )) + + echo "${SERVERS}" | cut -d' ' -f${field} +} + ## Verify other evobackup process and kill if needed -PIDFILE=/var/run/evobackup.pid -if [ -e $PIDFILE ]; then - # Killing the childs of evobackup. 
- for pid in $(ps h --ppid $(cat $PIDFILE) -o pid | tr -s '\n' ' '); do - kill -9 $pid; +if [ -e "${PIDFILE}" ]; then + pid=$(cat "${PIDFILE}") + # Does process still exist ? + if kill -0 ${pid} 2> /dev/null; then + # Killing the childs of evobackup. + for ppid in $(pgrep -P "${pid}"); do + kill -9 "${ppid}"; + done + # Then kill the main PID. + kill -9 "${pid}" + printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\n" >&2 + else + rm -f ${PIDFILE} + fi +fi +echo "$$" > ${PIDFILE} +# shellcheck disable=SC2064 +trap "rm -f ${PIDFILE}" EXIT + +##### LOCAL BACKUP #################################################### + +if [ "${LOCAL_TASKS}" = "1" ]; then + # You can comment or uncomment sections below to customize the backup + + ## OpenLDAP : example with slapcat + # slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak + + ## MySQL + + ## example with global and compressed mysqldump + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \ + # --opt --all-databases --force --events --hex-blob | gzip --best > ${LOCAL_BACKUP_DIR}/mysql.bak.gz + + ## example with two dumps for each table (.sql/.txt) for all databases + # for i in $(echo SHOW DATABASES | mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \ + # | egrep -v "^(Database|information_schema|performance_schema|sys)" ); \ + # do mkdir -p -m 700 /home/mysqldump/$i ; chown -RL mysql /home/mysqldump ; \ + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \ + # --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done + + ## example with SQL dump (schema only, no data) for each databases + # mkdir -p -m 700 /home/mysqldump/ + # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ + # | egrep -v "^(Database|information_schema|performance_schema|sys)"); do + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data 
--databases $i > /home/mysqldump/${i}.schema.sql + # done + + ## example with compressed SQL dump (with data) for each databases + # mkdir -p -m 700 /home/mysqldump/ + # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ + # | egrep -v "^(Database|information_schema|performance_schema|sys)"); do + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz + # done + + ## example with *one* uncompressed SQL dump for *one* database (MYBASE) + # mkdir -p -m 700 /home/mysqldump/MYBASE + # chown -RL mysql /home/mysqldump/ + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \ + # --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE + + ## example with mysqlhotcopy + # mkdir -p -m 700 /home/mysqlhotcopy/ + # mysqlhotcopy BASE /home/mysqlhotcopy/ + + ## example for multiples MySQL instances + # mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3) + # grep -E "^port\s*=\s*\d*" /etc/mysql/my.cnf |while read instance; do + # instance=$(echo "$instance"|awk '{ print $3 }') + # if [ "$instance" != "3306" ] + # then + # mysqldump -P $instance --opt --all-databases --hex-blob -u mysqladmin -p$mysqladminpasswd > ${LOCAL_BACKUP_DIR}/mysql.$instance.bak + # fi + # done + + ## PostgreSQL + + ## example with pg_dumpall (warning: you need space in ~postgres) + # su - postgres -c "pg_dumpall > ~/pg.dump.bak" + # mv ~postgres/pg.dump.bak ${LOCAL_BACKUP_DIR}/ + ## another method with gzip directly piped + # cd /var/lib/postgresql + # sudo -u postgres pg_dumpall | gzip > ${LOCAL_BACKUP_DIR}/pg.dump.bak.gz + # cd - > /dev/null + + ## example with all tables from MYBASE excepts TABLE1 and TABLE2 + # pg_dump -p 5432 -h 127.0.0.1 -U USER --clean -F t --inserts -f ${LOCAL_BACKUP_DIR}/pg-backup.tar -t 'TABLE1' -t 'TABLE2' MYBASE + + ## example with only TABLE1 and TABLE2 from MYBASE + # pg_dump -p 
5432 -h 127.0.0.1 -U USER --clean -F t --inserts -f ${LOCAL_BACKUP_DIR}/pg-backup.tar -T 'TABLE1' -T 'TABLE2' MYBASE + + ## MongoDB + + ## don't forget to create use with read-only access + ## > use admin + ## > db.createUser( { user: "mongobackup", pwd: "PASS", roles: [ "backup", ] } ) + # test -d ${LOCAL_BACKUP_DIR}/mongodump/ && rm -rf ${LOCAL_BACKUP_DIR}/mongodump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mongodump/ + # mongodump --quiet -u mongobackup -pPASS -o ${LOCAL_BACKUP_DIR}/mongodump/ + # if [ $? -ne 0 ]; then + # echo "Error with mongodump!" + # fi + + ## Redis + + ## example with copy .rdb file + # cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/ + + ## ElasticSearch + + ## Take a snapshot as a backup. + ## Warning: You need to have a path.repo configured. + ## See: https://wiki.evolix.org/HowtoElasticsearch#snapshots-et-sauvegardes + # curl -s -XDELETE "localhost:9200/_snapshot/snaprepo/snapshot.daily" -o /tmp/es_delete_snapshot.daily.log + # curl -s -XPUT "localhost:9200/_snapshot/snaprepo/snapshot.daily?wait_for_completion=true" -o /tmp/es_snapshot.daily.log + ## Clustered version here + ## It basically the same thing except that you need to check that NFS is mounted + # if ss | grep ':nfs' | grep -q 'ip\.add\.res\.s1' && ss | grep ':nfs' | grep -q 'ip\.add\.res\.s2' + # then + # curl -s -XDELETE "localhost:9200/_snapshot/snaprepo/snapshot.daily" -o /tmp/es_delete_snapshot.daily.log + # curl -s -XPUT "localhost:9200/_snapshot/snaprepo/snapshot.daily?wait_for_completion=true" -o /tmp/es_snapshot.daily.log + # else + # echo 'Cannot make a snapshot of elasticsearch, at least one node is not mounting the repository.' 
+ # fi + ## If you need to keep older snapshot, for example the last 10 daily snapshots, replace the XDELETE and XPUT lines by : + # for snapshot in $(curl -s -XGET "localhost:9200/_snapshot/snaprepo/_all?pretty=true" | grep -Eo 'snapshot_[0-9]{4}-[0-9]{2}-[0-9]{2}' | head -n -10); do + # curl -s -XDELETE "localhost:9200/_snapshot/snaprepo/${snapshot}" | grep -v -Fx '{"acknowledged":true}' + # done + # date=$(date +%F) + # curl -s -XPUT "localhost:9200/_snapshot/snaprepo/snapshot_${date}?wait_for_completion=true" -o /tmp/es_snapshot_${date}.log + + ## RabbitMQ + + ## export config + #rabbitmqadmin export ${LOCAL_BACKUP_DIR}/rabbitmq.config >> $LOGFILE + + ## MegaCli config + + #megacli -CfgSave -f ${LOCAL_BACKUP_DIR}/megacli_conf.dump -a0 >/dev/null + + ## Dump system and kernel versions + uname -a > ${LOCAL_BACKUP_DIR}/uname + + ## Dump network routes with mtr and traceroute (warning: could be long with aggressive firewalls) + for addr in 8.8.8.8 www.evolix.fr travaux.evolix.net; do + mtr -r ${addr} > ${LOCAL_BACKUP_DIR}/mtr-${addr} + traceroute -n ${addr} > ${LOCAL_BACKUP_DIR}/traceroute-${addr} 2>&1 done - # Then kill the main PID. - kill -9 $(cat $PIDFILE) - echo "$0 tourne encore (PID `cat $PIDFILE`). 
Processus killé" >&2 + + ## Dump process with ps + ps auwwx >${LOCAL_BACKUP_DIR}/ps.out + + if [ "${SYSTEM}" = "linux" ]; then + ## Dump network connections with ss + ss -taupen > ${LOCAL_BACKUP_DIR}/netstat.out + + ## List Debian packages + dpkg -l > ${LOCAL_BACKUP_DIR}/packages + dpkg --get-selections > ${LOCAL_BACKUP_DIR}/packages.getselections + apt-cache dumpavail > ${LOCAL_BACKUP_DIR}/packages.available + + ## Dump MBR / table partitions + disks=$(lsblk -l | grep disk | grep -v -E '(drbd|fd[0-9]+)' | awk '{print $1}') + for disk in ${disks}; do + dd if="/dev/${disk}" of="${LOCAL_BACKUP_DIR}/MBR-${disk}" bs=512 count=1 2>&1 | grep -Ev "(records in|records out|512 bytes)" + fdisk -l "/dev/${disk}" > "${LOCAL_BACKUP_DIR}/partitions-${disk}" 2>&1 + done + cat ${LOCAL_BACKUP_DIR}/partitions-* > ${LOCAL_BACKUP_DIR}/partitions + + ## Dump iptables + if [ -x /sbin/iptables ]; then + { /sbin/iptables -L -n -v; /sbin/iptables -t filter -L -n -v; } > ${LOCAL_BACKUP_DIR}/iptables.txt + fi + + ## Dump findmnt(8) output + FINDMNT_BIN=$(command -v findmnt) + if [ -x ${FINDMNT_BIN} ]; then + ${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt + fi + else + ## Dump network connections with netstat + netstat -finet -atn > ${LOCAL_BACKUP_DIR}/netstat.out + + ## List OpenBSD packages + pkg_info -m > ${LOCAL_BACKUP_DIR}/packages + + ## Dump MBR / table partitions + disklabel sd0 > ${LOCAL_BACKUP_DIR}/partitions + + ## Dump pf infos + pfctl -sa > ${LOCAL_BACKUP_DIR}/pfctl-sa.txt + + fi + + ## Dump rights + #getfacl -R /var > ${LOCAL_BACKUP_DIR}/rights-var.txt + #getfacl -R /etc > ${LOCAL_BACKUP_DIR}/rights-etc.txt + #getfacl -R /usr > ${LOCAL_BACKUP_DIR}/rights-usr.txt + #getfacl -R /home > ${LOCAL_BACKUP_DIR}/rights-home.txt + fi -echo "$$" > $PIDFILE -trap "rm -f $PIDFILE" EXIT -# Variable to choose different backup server with date -NODE=$(expr `date +%d` % 2 + 2) +##### REMOTE BACKUP ################################################### -# port SSH -SSH_PORT=2XXX +n=0 +server="" 
+if [ "${SERVERS_FALLBACK}" = "1" ]; then + # We try to find a suitable server + while :; do + server=$(pick_server "${n}") + test $? = 0 || exit 2 -# email adress for notifications -MAIL={{ general_alert_email }} - -# backup server used -SRV=node$NODE.backup2.evolix.net - -# choose "linux" or "bsd" -SYSTEME=$(uname | tr '[:upper:]' '[:lower:]') - -## We use /home/backup : feel free to use your own dir -mkdir -p -m 700 /home/backup - -## OpenLDAP : example with slapcat -# slapcat -l /home/backup/ldap.bak - -### MySQL - -## example with global and compressed mysqldump -# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \ -# --opt --all-databases --force --events --hex-blob | gzip --best > /home/backup/mysql.bak.gz - -## example with two dumps for each table (.sql/.txt) for all databases -# for i in $(echo SHOW DATABASES | mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 \ -# | egrep -v "^(Database|information_schema|performance_schema)" ); \ -# do mkdir -p /home/mysqldump/$i ; chown -RL mysql /home/mysqldump ; \ -# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments -T \ -# /home/mysqldump/$i $i; done - -## example with compressed SQL dump for each databases -# mkdir -p /home/mysqldump/ -# for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ -# | egrep -v "^(Database|information_schema|performance_schema)"); do -# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz -# done - -## example with *one* uncompressed SQL dump for *one* database (MYBASE) -# mkdir -p -m 700 /home/mysqldump/MYBASE -# chown -RL mysql /home/mysqldump/ -# mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \ -# --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE - -## example with mysqlhotcopy -# mkdir -p /home/mysqlhotcopy/ -# 
mysqlhotcopy BASE /home/mysqlhotcopy/ - -## example for multiples MySQL instances -# mysqladminpasswd=`cat /root/.my.cnf |grep -m1 'password = .*' |cut -d" " -f3` -# grep -E "^port\s*=\s*\d*" /etc/mysql/my.cnf |while read instance; do -# instance=$(echo $instance |tr -d '\t') -# instance=${instance// /} -# instance=${instance//port=/} -# if [ "$instance" != "3306" ] -# then -# mysqldump -P $instance --opt --all-databases --hex-blob -u mysqladmin -p$mysqladminpasswd > /home/backup/mysql.$instance.bak -# fi -# done - -### PostgreSQL - -## example with pg_dumpall (warning: you need space in ~postgres) -# su - postgres -c "pg_dumpall > ~/pg.dump.bak" -# mv ~postgres/pg.dump.bak /home/backup/ - -## example with all tables from MYBASE excepts TABLE1 and TABLE2 -# pg_dump -p 5432 -h 127.0.0.1 -U USER --clean -F t --inserts -f /home/backup/pg-backup.tar -t 'TABLE1' -t 'TABLE2' MYBASE - -## example with only TABLE1 and TABLE2 from MYBASE -# pg_dump -p 5432 -h 127.0.0.1 -U USER --clean -F t --inserts -f /home/backup/pg-backup.tar -T 'TABLE1' -T 'TABLE2' MYBASE - -## MongoDB : example with mongodump -## don't forget to create use with read-only access -## > use admin -## > db.addUser("mongobackup", "PASS", true); -# mongodump -u mongobackup -pPASS -o /home/backup/mongodump/ >/dev/null 2>&1 |grep -v "^connected to:" - -## Redis : example with copy .rdb file -# cp /var/lib/redis/dump.rdb /home/backup/ - -## ElasticSearch : example with rsync (warning: don't forget to use NFS if you have a cluster) -## Disable ES translog flush -# curl -s -XPUT 'localhost:9200/_settings' -d '{"index.translog.disable_flush": true}' >/dev/null -## Flushes translog -# curl -s 'localhost:9200/_flush' | grep -qe '"ok":true' -## If it succeed, do an rsync of the datadir -# if [ $? -eq 0 ]; then -# rsync -a /var/lib/elasticsearch /home/backup/ -# else -# echo "Error when flushing ES translog indexes." 
-# fi -## In any case re-enable translog flush -# curl -s -XPUT 'localhost:9200/_settings' -d '{"index.translog.disable_flush": false}' > /dev/null - -## Dump MBR / table partitions with dd and sfdisk -## Linux -# dd if=/dev/sda of=/home/backup/MBR bs=512 count=1 2>&1 | egrep -v "(records in|records out|512 bytes)" -# sfdisk -d /dev/sda > /home/backup/partitions 2>&1 | egrep -v "(Warning: extended partition does not start at a cylinder boundary|DOS and Linux will interpret the contents differently)" -## OpenBSD -# disklabel sd0 > /home/backup/partitions - -# backup MegaCli config -#megacli -CfgSave -f /home/backup/megacli_conf.dump -a0 >/dev/null - -## Dump network routes with mtr and traceroute (warning: could be long with aggressive firewalls) -for addr in 8.8.8.8 backup.evolix.net www.evolix.fr www.evolix.net; do - mtr -r $addr > /home/backup/mtr-${addr} 2>/dev/null - traceroute -n $addr > /home/backup/traceroute-${addr} 2>/dev/null -done - -## Dump process with ps -ps aux >/home/backup/ps.out - -if [ $SYSTEME = "linux" ]; then - ## Dump network connections with netstat - netstat -taupen >/home/backup/netstat.out - - ## List Debian packages - dpkg -l >/home/backup/packages + if test_server "${server}"; then + break + else + server="" + n=$(( n + 1 )) + fi + done else - ## Dump network connections with netstat - netstat -finet -atn >/home/backup/netstat.out - - ## List OpenBSD packages - pkg_info -m >/home/backup/packages + # we force the server + server=$(pick_server "${n}") fi +SSH_SERVER=$(echo "${server}" | cut -d':' -f1) +SSH_PORT=$(echo "${server}" | cut -d':' -f2) + HOSTNAME=$(hostname) -DATE=$(/bin/date +"%d-%m-%Y") - -DEBUT=$(/bin/date +"%d-%m-%Y ; %H:%M") - -if [ $SYSTEME = "linux" ]; then +if [ "${SYSTEM}" = "linux" ]; then rep="/bin /boot /lib /opt /sbin /usr" else rep="/bsd /bin /sbin /usr" fi -/usr/local/bin/rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \ - --exclude "lost+found" \ - --exclude ".nfs.*" \ - 
--exclude "/var/log" \ - --exclude "/var/log/evobackup*" \ - --exclude "/var/lib/mysql" \ - --exclude "/var/lib/postgres" \ - --exclude "/var/lib/postgresql" \ - --exclude "/var/lib/sympa" \ - --exclude "/var/lib/metche" \ - --exclude "/var/run" \ - --exclude "/var/lock" \ - --exclude "/var/state" \ - --exclude "/var/apt" \ - --exclude "/var/cache" \ - --exclude "/usr/src" \ - --exclude "/usr/doc" \ - --exclude "/usr/share/doc" \ - --exclude "/usr/obj" \ - --exclude "dev" \ - --exclude "/var/spool/postfix" \ - --exclude "/var/lib/amavis/amavisd.sock" \ - --exclude "/var/lib/munin/*tmp*" \ - --exclude "/var/lib/php5" \ - --exclude "/var/spool/squid" \ - --exclude "/var/lib/elasticsearch" \ - --exclude "/var/lib/amavis/tmp" \ - --exclude "/var/lib/clamav/*.tmp" \ - --exclude "/home/mysqltmp" \ - $rep \ - /etc \ - /root \ - /var \ - /home \ - -e "ssh -p $SSH_PORT" \ - root@${SRV}:/var/backup/ \ - | tail -30 >> /var/log/evobackup.log -FIN=$(/bin/date +"%d-%m-%Y ; %H:%M") +if [ "${SYNC_TASKS}" = "1" ]; then + # /!\ DO NOT USE COMMENTS in the rsync command /!\ + # It breaks the command and destroys data, simply remove (or add) lines. 
-echo "EvoBackup - $HOSTNAME - START $DEBUT" \ - >> /var/log/evobackup.log + # Remote shell command + RSH_COMMAND="ssh -p ${SSH_PORT} -o 'ConnectTimeout ${SSH_CONNECT_TIMEOUT}'" -echo "EvoBackup - $HOSTNAME - STOP $FIN" \ - >> /var/log/evobackup.log + rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \ + --exclude "lost+found" \ + --exclude ".nfs.*" \ + --exclude "/var/log" \ + --exclude "/var/log/evobackup*" \ + --exclude "/var/lib/mysql" \ + --exclude "/var/lib/postgres" \ + --exclude "/var/lib/postgresql" \ + --exclude "/var/lib/sympa" \ + --exclude "/var/lib/metche" \ + --exclude "/var/run" \ + --exclude "/var/lock" \ + --exclude "/var/state" \ + --exclude "/var/apt" \ + --exclude "/var/cache" \ + --exclude "/usr/src" \ + --exclude "/usr/doc" \ + --exclude "/usr/share/doc" \ + --exclude "/usr/obj" \ + --exclude "dev" \ + --exclude "/var/spool/postfix" \ + --exclude "/var/lib/amavis/amavisd.sock" \ + --exclude "/var/lib/munin/*tmp*" \ + --exclude "/var/lib/php5" \ + --exclude "/var/spool/squid" \ + --exclude "/var/lib/elasticsearch" \ + --exclude "/var/lib/amavis/tmp" \ + --exclude "/var/lib/clamav/*.tmp" \ + --exclude "/home/mysqltmp" \ + --exclude "/var/lib/php/sessions" \ + ${rep} \ + /etc \ + /root \ + /var \ + /home \ + -e "${RSH_COMMAND}" \ + "root@${SSH_SERVER}:/var/backup/" \ + | tail -30 >> $LOGFILE +fi -tail -10 /var/log/evobackup.log | \ - mail -s "[info] EvoBackup - Client $HOSTNAME" \ - $MAIL +##### REPORTING ####################################################### + +END=$(/bin/date +"%d-%m-%Y ; %H:%M") + +printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ + "${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ + >> $LOGFILE + +printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ + "${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ + >> $LOGFILE + +tail -10 $LOGFILE | \ + mail -s "[info] EvoBackup - Client ${HOSTNAME}" \ + 
${MAIL} From 1ba892ef01aa5940cc593958dc30b0e3897c5328 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 14:14:49 +0200 Subject: [PATCH 033/150] Improve NRPE OpenVPN check --- .../files/plugins_bsd/check_openvpn | 13 +- .../files/plugins_bsd/check_openvpn.pl | 215 ++++++++++++++++++ roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 3 +- 3 files changed, 225 insertions(+), 6 deletions(-) create mode 100644 roles/nagios-nrpe/files/plugins_bsd/check_openvpn.pl diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_openvpn b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn index 4ae14ac..d06769c 100755 --- a/roles/nagios-nrpe/files/plugins_bsd/check_openvpn +++ b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn @@ -1,9 +1,12 @@ #!/bin/sh +# +# Wrapper of check_openvpn.pl, to use when the serveur is CARP backup and OpenVPN should not run -if netstat -an|grep '.1194' >/dev/null; then - echo "VPN OK" - return 0 +carp=$(/sbin/ifconfig carp0 | /usr/bin/grep 'status' |cut -d' ' -f2) + +if [ $carp = 'backup' ]; then + echo "No check, I'm a backup" + return 0 else - echo "PROCESS NOT LISTENING" - return 2 + /usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD fi diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_openvpn.pl b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn.pl new file mode 100644 index 0000000..78e0cdb --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn.pl 
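Review bot: `$carp` is expanded unquoted in `if [ $carp = 'backup' ]; then`, so when carp0 is absent or ifconfig prints no `status` line the test degenerates to `[ = 'backup' ]`, the shell reports a syntax error and check_openvpn.pl is never reached; quote it: `if [ "$carp" = 'backup' ]; then`. The management password is passed on the command line (`-P PASSWORD`) both here and in the evolix_bsd.cfg.j2 hunk of the same commit, which makes it readable by every local user through ps for the lifetime of the check; the plugin accepts only `-P`, so keeping it off argv would need a file-based option added to check_openvpn.pl. `return 0` at script top level relies on OpenBSD sh/ksh treating it as exit; `exit 0` says the same thing portably.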
@@ -0,0 +1,215 @@ +#!/usr/bin/perl -w + +####################################################################### +# +# Copyright (c) 2007 Jaime Gascon Romero +# +# License Information: +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# $Id: check_openvpn.pl,v 1.1 2014/09/29 08:39:24 rdessort Exp $ +# $Revision: 1.1 $ +# Home Site: http://emergeworld.blogspot.com/ +# ##################################################################### + +use diagnostics; +use strict; +use Net::Telnet (); +use Getopt::Long qw(:config no_ignore_case); +use vars qw($PROGNAME $VERSION); +use lib "/usr/local/libexec/nagios/"; +use utils qw(%ERRORS); + +$PROGNAME = "check_openvpn"; +$VERSION = '$Revision: 1.1 $'; + +$ENV{'PATH'}=''; +$ENV{'BASH_ENV'}=''; +$ENV{'ENV'}=''; + +my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r); + +sub print_help (); +sub print_usage (); + +GetOptions + ("h" => \$opt_h, "help" => \$opt_h, + "H=s" => \$opt_H, "host=s" => \$opt_H, + "p=i" => \$opt_p, "port=i" => \$opt_p, + "P=s" => \$opt_P, "password=s" => \$opt_P, + "t=i" => \$opt_t, "timeout=i" => \$opt_t, + "i" => \$opt_i, "ip" => \$opt_i, + "n" => \$opt_n, "numeric" => \$opt_n, + "c" => \$opt_c, "critical" => \$opt_c, + "w" => \$opt_w, "warning" => \$opt_w, + "C=s" => \$opt_C, "common_name=s" => \$opt_C, + "r=s" => \$opt_r, "remote_ip=s" => \$opt_r, + ) or exit $ERRORS{'UNKNOWN'}; + +# default values +unless 
( defined $opt_t ) { + $opt_t = 10; +} + +if ($opt_h) {print_help(); exit $ERRORS{'OK'};} + +if ( ! defined($opt_H) || ! defined($opt_p) ) { + print_usage(); + exit $ERRORS{'UNKNOWN'} +} + +my @lines; +my @clients; +my @clients_ip; +my $t; + +eval { +$t = new Net::Telnet (Timeout => $opt_t, + Port => $opt_p, + Prompt => '/END$/' + ); +$t->open($opt_H); +if ( defined $opt_P ) { + $t->waitfor('/ENTER PASSWORD:$/'); + $t->print($opt_P); +} +$t->waitfor('/^$/'); +@lines = $t->cmd("status 2"); +$t->close; +}; + +if ($@) { + print "OpenVPN Critical: Can't connect to server\n"; + exit $ERRORS{'CRITICAL'}; +} + + +if (defined $opt_i || defined $opt_r) { + foreach (@lines) { + if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) { + push @clients_ip, $1; + } +} + if (defined $opt_i) { + print "OpenVPN OK: "."@clients_ip "; + exit $ERRORS{'OK'}; + } elsif (defined $opt_r) { + if ( ! grep /\b$opt_r\b/, @clients_ip) { + if (defined $opt_c) { + print "OpenVPN CRITICAL: $opt_r don't found"; + exit $ERRORS{'CRITICAL'}; + } else { + print "OpenVPN WARNING: $opt_r don't found"; + exit $ERRORS{'WARNING'}; + } + } + print "OpenVPN OK: "."@clients_ip "; + exit $ERRORS{'OK'}; + } +} + +foreach (@lines) { + if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) { + push @clients, $1; + } +} + +if (defined $opt_C) { + if ( ! grep /\b$opt_C\b/, @clients) { + if (defined $opt_c) { + print "OpenVPN CRITICAL: $opt_C don't found"; + exit $ERRORS{'CRITICAL'}; + } else { + print "OpenVPN WARNING: $opt_C don't found"; + exit $ERRORS{'WARNING'}; + } + } +} + + +if (defined $opt_n) { +print "OpenVPN OK: ".@clients." 
connected clients."; +exit $ERRORS{'OK'}; +} + +print "OpenVPN OK: "."@clients "; +exit $ERRORS{'OK'}; + +####################################################################### +###### Subroutines #################################################### + +sub print_usage() { + print "Usage: $PROGNAME -H | --host -p | --port [-P | --password] [-t | --timeout] + [-i | --ip] [-n | --numeric] [-C | --common_name] [-r | --remote_ip] [-c | --critical] [-w | --warning]\n\n"; + print " $PROGNAME [-h | --help]\n"; +} + +sub print_help() { + print "$PROGNAME $VERSION\n\n"; + print "Copyright (c) 2007 Jaime Gascon Romero + +Nagios plugin to check the clients connected to a openvpn server. + +"; + print_usage(); + print " +-H | --host + IP address or hostname of the openvpn server. + +-p | --port + Management port interface of the openvpn server. + +-P | --password + Password for the management interface of the openvpn server. + +-t | --timeout + Timeout for the connection attempt. Optional, default 10 seconds. + + + Optional parameters + =================== + +-i | --ip + Prints the IP address of the remote client instead of the common name. + +-n | --numeric + Prints the number of clients connected to the openvpn server. + + + Matching Parameters + =================== + +-C | --common_name + The common name, as it is specified in the client certificate, who is wanted to check. + +-r | --remote_ip + The client remote ip address who is wanted to check. + +-c | --critical + Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected. + +-w | --warning + Exits with WARNING status if the client specified by the common name or the remote ip address is not connected. + + + Other Parameters + ================ + +-h | --help + Show this help. +"; + +} + +# vim:sts=2:sw=2:ts=2:et diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 732a1fa..fcda18a 100644 
--- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
+++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
@@ -26,7 +26,8 @@ command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost
 command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT
 #command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100%
 command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME"
-command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn
+command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD
+#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the serveur is CARP backup and OpenVPN should not run
 command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states
 command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master
 command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10
From 05d2b707e1958c547e9a0ab0f3cffb13601b5a49 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Tue, 21 Apr 2020 14:25:42 +0200
Subject: [PATCH 034/150] Add OpenBGPD nrpe check with doas configuration
---
 roles/base/templates/doas.conf.j2 | 2 +-
 .../files/plugins_bsd/check_openbgpd | 387 ++++++++++++++++++
 roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 1 +
 3 files changed, 389 insertions(+), 1 deletion(-)
 create mode 100755 roles/nagios-nrpe/files/plugins_bsd/check_openbgpd
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
index 67241cc..66558bf 100644
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
@@ -4,13 +4,13 @@ permit nopass root
 permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
 permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_openbgpd
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_openbgpd b/roles/nagios-nrpe/files/plugins_bsd/check_openbgpd
new file mode 100755
index 0000000..c62ec43
--- /dev/null
+++ b/roles/nagios-nrpe/files/plugins_bsd/check_openbgpd
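Review bot: The corrected `permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd` rule carries no `args` clause, unlike the `bioctl args sd2` rule three lines above it, so `_nrpe` may run the plugin as root with any options, including `-s`, which the plugin forwards to bgpctl as the socket path. The only invocation in this commit is `check_openbgpd -u` in evolix_bsd.cfg.j2, so the rule can be pinned to it: `permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd args -u`. If the cfg invocation later gains options, the `args` clause has to be updated in step, which is worth a one-line comment next to the rule.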
@@ -0,0 +1,387 @@ +#!/usr/bin/perl -T +# $AFresh1: check_openbgpd,v 1.10 2015/03/26 03:44:15 andrew Exp $ +######################################################################## +# check_openbgpd *** A nagios check for OpenBSD bgpd +# +# 2009.11.12 #*#*# andrew fresh +######################################################################## +use strict; +use warnings; + +use 5.010; +use if $] >= 5.016, experimental => 'switch'; + +local %ENV = (); + +my $NAGIOS_OUTPUT = 1; + +my $LICENSE = <<'EOL'; +Copyright (c) 2009-2015 Andrew Fresh +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +EOL + +my $PROGNAME = 'check_openbgpd'; +my $BGPCTL = '/usr/sbin/bgpctl'; + +use POSIX; +use Config; +my $PREFIX; + +BEGIN { + ## no critic 'warnings' + no warnings 'uninitialized'; + $PREFIX = "/usr/local" || '/usr/local'; # Magic for OpenBSD ports tree +} +use lib $PREFIX . 
'/libexec/nagios'; +use utils qw($TIMEOUT %ERRORS &support); + +$SIG{'ALRM'} = sub { + print("ERROR: $PROGNAME timeout\n"); + exit $ERRORS{'UNKNOWN'}; +}; +alarm($TIMEOUT); + +my %CHECKS = getopt(@ARGV); +if ( !%CHECKS ) { + print_help(); + exit $ERRORS{'OK'}; +} + +my @STATUS = read_status( $CHECKS{_SOCKET} ); +my %STATES = check_status( \@STATUS, \%CHECKS ); + +my $have_results = 0; +my $state = 'OK'; +foreach + my $error ( reverse sort { $ERRORS{$a} <=> $ERRORS{$b} } keys %ERRORS ) +{ + if ( exists $STATES{$error} ) { + $have_results++; + $state = $error if $ERRORS{$state} < $ERRORS{$error}; + + if ($NAGIOS_OUTPUT) { + print $error . ' (' . scalar( @{ $STATES{$error} } ) . ')'; + if ( $error ne 'OK' ) { + print '
'; + print map {" - $_
"} @{ $STATES{$error} }; + } + } + else { + print $error . ' (' . scalar( @{ $STATES{$error} } ) . "):\n"; + foreach ( @{ $STATES{$error} } ) { + print " $_\n"; + } + } + } +} +if ( $have_results == 0 ) { + print "No results found\n"; +} +exit $ERRORS{$state}; + +sub read_status { + my ($socket) = @_; + my @S; + + my @cmd = ($BGPCTL); + if ($socket) { + push @cmd, '-s', $socket; + } + push @cmd, 'show', 'summary'; + + #open my $fh, '<', 'output' # XXX + open my $fh, '-|', @cmd or die "Couldn't open bgpctl: $!\n"; + while (<$fh>) { + chomp; + push @S, parse_line($_); + } + ## no critic 'die' + close $fh + or die $! + ? "Error closing sysctl pipe: $!\n" + : "Exit status $? from sysctl\n"; + + return grep { exists $_->{neighbor} && $_->{as} ne 'AS' } @S; +} + +sub parse_line { + my ($c) = @_; + my ( $neighbor, $as, $rcvd, $sent, $outq, $updown, $state, ) + = $c + =~ /^(.*?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$/xms; + return { + neighbor => $neighbor, + as => $as, + rcvd => $rcvd, + sent => $sent, + outq => $outq, + updown => $updown, + state => $state, + line => $c, + }; +} + +sub parse_check { + my $check = shift; + + return { match => [] } unless $check; + my @values = split /,\s*/xms, $check; + + my %c = ( match => [] ); + foreach my $v (@values) { + if ( $v =~ /:/xms ) { + ( $c{low}, $c{high} ) = split /:/xms, $v; + } + else { + push @{ $c{match} }, $v; + } + } + + foreach my $d ( 'low', 'high' ) { + if ( defined $c{$d} ) { + $c{$d} =~ s/[^-\d\.\%]//gxms; + if ( !length $c{$d} ) { + delete $c{$d}; + } + } + } + + return \%c; +} + +sub check_status { + my ( $S, $C ) = @_; + + my %states; + my %neighbors = map { $_ => $C->{$_} } qw( _SOCKET _UNKNOWN ); +STATE: foreach my $s ( @{$S} ) { + my $n = $s->{neighbor}; + $neighbors{$n} = $s; + + my $result; + + if ( my $c = $C->{$n} || $C->{_UNKNOWN} ) { + CODE: foreach my $code ( 'CRITICAL', 'WARNING' ) { + next CODE if ( ref $c->{$code} ne 'HASH' ); + my $data = $s->{state}; + + my $result = check_item( 
$data, $c->{$code} ); + + if ($result) { + push @{ $states{$code} }, "[$n] $result"; + next STATE; + } + } + } + else { + push @{ $states{CRITICAL} }, '[' . $n . '] Unknown Neighbor'; + next STATE; + } + + push @{ $states{OK} }, $n; + } + + foreach my $n ( keys %{$C} ) { + if ( !exists $neighbors{$n} ) { + push @{ $states{CRITICAL} }, '[' . $n . '] Missing Neighbor'; + } + } + + return %states; +} + +sub check_item { + my ( $d, $c ) = @_; + + my $result; + + if ( $c->{match} && @{ $c->{match} } ) { + foreach my $m ( @{ $c->{match} } ) { + return if $m eq $d; + } + $result = 'State (' . $d . ') is outside of acceptable values'; + } + + if ( $c->{low} || $c->{high} ) { + $result = undef; + my ( $num, $max ) = split m{/}xms, $d; + $num =~ s/[^-\d\.]//gxms; + + if ( !length $num ) { + return 'State (' . $d . ') is not numeric'; + } + + DIRECTION: foreach my $dir (qw( low high )) { + if ( !$c->{$dir} ) { next DIRECTION; } + + my $check = $c->{$dir}; + my $cnum = $num; + + if ( $check =~ s/\%$//xms ) { + if ( !defined $max ) { + return 'max-prefix not specified and % check requested'; + } + + # convert to percent + $cnum = 100 * $cnum / $max; + } + + my @nums = ( $cnum, $check ); + my $abovebelow = 'below'; + my $symbol = '<'; + if ( $dir eq 'high' ) { + @nums = ( $check, $cnum ); + $abovebelow = 'above'; + $symbol = '>'; + } + + if ( $nums[0] < $nums[1] ) { + return join q{ }, 'is', $abovebelow, + 'threshold (' . $d, + $symbol, $c->{$dir} . 
')'; + } + } + } + + return $result; +} + +sub getopt { + my (@argv) = @_; + + my %checks; + while (@argv) { + state( $w, $c ); + + my $opt = shift @argv; + for ($opt) { + when ( '-V' || '--version' ) { + print_revision( $PROGNAME, '$Revision: 1.10 $ ' ); + exit $ERRORS{'OK'} + } + when (/^-?-h(?:elp)?/xms) { print_help(); exit $ERRORS{'OK'} } + when (/^-?-s(?:ocket)?/xms) { $checks{_SOCKET} = shift @argv } + when (/^-?-w(?:arning)?/xms) { $w = parse_check( shift @argv ) } + when (/^-?-c(?:ritical)?/xms) { $c = parse_check( shift @argv ) } + when (/^-?-u(?:nknown)?/xms) { + $checks{_UNKNOWN} = { + WARNING => $w, + CRITICAL => $c, + }; + } + when (/^-?-n(?:eighbor)?/xms) { + while ( @argv && $argv[0] !~ /^-/xms ) { + $checks{ shift @argv } = { + WARNING => $w, + CRITICAL => $c, + }; + } + } + default { print_help(); exit $ERRORS{'UNKNOWN'} } + } + } + return %checks; +} + +sub print_help { + print <<"EOL"; +$PROGNAME - checks status of OpenBGPd peers + $PROGNAME [ -s SOCKET ][ -w ENTRY ][ -c ENTRY ]( -u | -n NEIGHBOR ) + +Usage: + -s, --socket SOCKET + Path to bgpd socket to use. See -r in bgpd(8). + -w, --warning RANGE or single ENTRY + Exit with WARNING status if outside of RANGE or if != ENTRY + May be entered multiple times. + -c, --critical RANGE or single ENTRY + Exit with CRITICAL status if outside of RANGE or if != ENTRY + May be entered multiple times. + -n, --neighbor NEIGHBOR + The name of the Neighbor, can be a space separated list of neighbors. + May be entered multiple times. + -u, --unknown + As if you specified -n for all unknown neighbors + +ENTRY is a comma separated list of items to match against. Each item can be +a RANGE or it will just be matched against the status. + +RANGE is specified as two optional numbers separated with a colon (:). The +check is that the value is between the two numbers. If either number is left +off, that check is ignored. 
+ +If either number in a RANGE is specified as a percent, check is that +max-prefix is specified and that the number is within the specified percent. + +NEIGHBOR is the name that shows when running "bgpctl show summary" + +Examples: +(where many of the numbers would probably have to be multiplied by 1000) + +Any time a NEIGHBOR is specified on the command line but does NOT show up in +the output causes a CRITICAL result. + +Any time a NEIGHBOR that is NOT specified on the command line shows up in the +output causes a CRITICAL result. If -u is specified, it treats NEIGHBOR as if +it were specified at that position. + + +$PROGNAME -c Idle -n P1 -c 1:1 -n P2 -w 200:300 -c Active,10: -n P3 + +CRITICAL + If P1 is any value but Idle. + If P2 is any value but 1. + If P3 is below 10 or any non-numeric value other than "Active". + +WARNING + If P3 is above 10 and below 200 or above 300. + + +$PROGNAME -u -w 50%:70% -c 10%:90% -n P2 P3 + +No checks of unknown neighbors. + +CRITICAL + If P2 or P3 do not have max-prefix set or if they do but learned prefixes + are below 10% or above 90% of max-prefix or any non-numeric value. + +WARNING + If P2 or P3 have learned prefixes below 50% or above 70% of max-prefix. + + +$PROGNAME -w 50%:70% -c 10%:90% -u + +CRITICAL + If any neighbor does not have max-prefix set or if they do but learned + prefixes are below 10% or above 90% of max-prefix or any non-numeric value. + +WARNING + If any neighbor have learned prefixes below 50% or above 70% of max-prefix. + +EOL + + print_revision( $PROGNAME, '$Revision: 1.10 $' ); + + print $LICENSE; + + return; +} + +sub print_revision { + my ( $prog, $rev ) = @_; + $rev =~ s/^\D+([\d\.]+)\D+$/v$1/xms; + + say $prog, q{ }, $rev; + + return; +} diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index fcda18a..7ab8d14 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
@@ -36,5 +36,6 @@ command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 #command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd #command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d command[check_ospfd_simple]=doas /usr/local/libexec/nagios/plugins/check_ospfd_simple +command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf command[check_connections_state]=doas /usr/local/libexec/nagios/check_connections_state.sh From 267163ba93e014421b27500330d9ec3922125066 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 16:15:29 +0200 Subject: [PATCH 035/150] Correcting a typo --- roles/nagios-nrpe/files/plugins_bsd/check_openvpn | 2 +- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_openvpn b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn index d06769c..04490d4 100755 --- a/roles/nagios-nrpe/files/plugins_bsd/check_openvpn +++ b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn @@ -1,6 +1,6 @@ #!/bin/sh # -# Wrapper of check_openvpn.pl, to use when the serveur is CARP backup and OpenVPN should not run +# Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run carp=$(/sbin/ifconfig carp0 | /usr/bin/grep 'status' |cut -d' ' -f2) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 7ab8d14..1351b28 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
@@ -27,7 +27,7 @@ command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT #command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100% command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD -#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the serveur is CARP backup and OpenVPN should not run +#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10 From 27006f8db703e2128e41c7c521e60c20187764d3 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 16:18:07 +0200 Subject: [PATCH 036/150] Doas permissions rearrangement --- roles/base/templates/doas.conf.j2 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 66558bf..796da79 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 
@@ -2,15 +2,14 @@
 permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }}
 permit nopass root
 permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
-permit nopass _nrpe cmd /usr/local/libexec/nagios/check_ipsecctl.sh
-permit nopass _nrpe as root cmd /sbin/bioctl args sd2
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
+permit nopass _nrpe as root cmd /sbin/bioctl args sd2
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
From 58851556bf0ace4de8c71f53ec1cbf6f3f3cc7ac Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Tue, 21 Apr 2020 19:24:02 +0200
Subject: [PATCH 037/150] Add file to .gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 1296400..89aaa88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 vars/secrets.yml
+vars/openbsd-secret.yml
From 634cfee7744510949cd403a1e03b9adca64e3740 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois Date: Wed, 22 Apr 2020 11:59:41 +0200 Subject: [PATCH 038/150] Writing of ospf and bgp roles --- evolixisation.yml | 3 + roles/bgp/README.md | 14 ++ roles/bgp/defaults/main.yml | 3 + roles/bgp/tasks/main.yml | 35 +++++ roles/bgp/templates/bgpd-check-peers.sh.j2 | 117 ++++++++++++++++ roles/ospf/README.md | 14 ++ roles/ospf/defaults/main.yml | 3 + roles/ospf/tasks/main.yml | 22 +++ roles/ospf/templates/ospf6d-check-peers.sh.j2 | 126 +++++++++++++++++ roles/ospf/templates/ospfd-check-peers.sh.j2 | 127 ++++++++++++++++++ 10 files changed, 464 insertions(+) create mode 100644 roles/bgp/README.md create mode 100644 roles/bgp/defaults/main.yml create mode 100644 roles/bgp/tasks/main.yml create mode 100755 roles/bgp/templates/bgpd-check-peers.sh.j2 create mode 100644 roles/ospf/README.md create mode 100644 roles/ospf/defaults/main.yml create mode 100644 roles/ospf/tasks/main.yml create mode 100755 roles/ospf/templates/ospf6d-check-peers.sh.j2 create mode 100755 roles/ospf/templates/ospfd-check-peers.sh.j2 diff --git a/evolixisation.yml b/evolixisation.yml index df88a4c..0f0f242 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -16,6 +16,7 @@ vars_files: - vars/main.yml # - vars/secrets.yml +# - vars/openbsd-secret.yml roles: - etc-git @@ -26,6 +27,8 @@ - nagios-nrpe - post-install #- openvpn + #- ospf + #- bgp post_tasks: - include: "tasks/commit_etc_git.yml" diff --git a/roles/bgp/README.md b/roles/bgp/README.md new file mode 100644 index 0000000..51aad44 --- /dev/null +++ b/roles/bgp/README.md 
@@ -0,0 +1,14 @@ +# BGP + +Deployment of BGP check script with its cron, and a best route log cron. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +The full list of variables (with default values) can be found in `defaults/main.yml`. + +* `bgp_mailto` : email address the output of the script will be sent to when a change is detected +* `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked diff --git a/roles/bgp/defaults/main.yml b/roles/bgp/defaults/main.yml new file mode 100644 index 0000000..8279e96 --- /dev/null +++ b/roles/bgp/defaults/main.yml @@ -0,0 +1,3 @@ +--- +bgp_mailto: "foobar@example.com" +bgp_exclude_grep_command: "" diff --git a/roles/bgp/tasks/main.yml b/roles/bgp/tasks/main.yml new file mode 100644 index 0000000..2196dc6 --- /dev/null +++ b/roles/bgp/tasks/main.yml @@ -0,0 +1,35 @@ +--- +- name: Deploy bgp check script + template: + src: bgpd-check-peers.sh.j2 + dest: /usr/share/scripts/bgpd-check-peers.sh + when: group_names | select('search','bgp') | list | count > 0 + tags: + - bgp + +- name: Cron job for bgp check script is installed + cron: + name: bgp check + job: "/bin/sh /usr/share/scripts/bgpd-check-peers.sh" + when: group_names | select('search','bgp') | list | count > 0 + tags: + - bgp + +- name: Create bgp log directory + file: + path: /var/log/bgp + state: directory + when: group_names | select('search','bgp') | list | count > 0 + tags: + - bgp + +- name: weekly best routes cron job is installed + cron: + name: bgp best routes + minute: 0 + hour: 4 + weekday: 0 + job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +%F)" + when: group_names | select('search','bgp') | list | count > 0 + tags: + - bgp diff --git a/roles/bgp/templates/bgpd-check-peers.sh.j2 b/roles/bgp/templates/bgpd-check-peers.sh.j2 new file mode 100755 index 0000000..250ed54 --- /dev/null +++ b/roles/bgp/templates/bgpd-check-peers.sh.j2 
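Review bot: The `%` inside `$(date +%F)` on the `bgp best routes` job is a crontab(5) metacharacter: an unescaped `%` is converted to a newline and the remainder is fed to the command on stdin, so the installed job would be cut to `... rib-selected-$(date +`; as far as I can tell the cron module does not escape it for you, so write `job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +\\%F)"` (the doubled backslash is for the YAML double-quoted string). The `Deploy bgp check script` task sets neither `owner` nor `mode` for a script that root's cron executes, so the resulting permissions depend on the controller's umask; `owner: root` and `mode: "0750"` make them explicit. The `bgp check` job has no schedule fields and therefore runs every minute, which the pidfile guard in the script suggests is intended, but it deserves a comment on the task saying so.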
@@ -0,0 +1,117 @@ +#!/bin/ksh + +# Script writen by Daniel Jakots + +# First we go through the list of neighbor and we write all the peer and +# their status in "${_TMPDIR}"/bgp-status. + +# Then we monitor if this file has changed between now and the previous run. + +# If it did, we send a mail with the states of the different sessions. + +set -u + +PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:. + +_MAILTO="{{ bgp_mailto }}" +_TMPDIR=/tmp/check-bgp +_PIDFILE="${_TMPDIR}"/bgpd-check-peers.pid + + +if [ -e /etc/realname ]; then + _REALNAME=$(cat /etc/realname) + _HOSTNAME=$(hostname -s) +else + _HOSTNAME=$(hostname) +fi + +mkdir -p "${_TMPDIR}" + +# Don't try to run if it's already running +if [ -e "${_PIDFILE}" ]; then + echo "$(date)" >> "${_TMPDIR}"/log + exit 1 +else + echo $$ >> "${_PIDFILE}" +fi + +# Create an history +if [[ -f "${_TMPDIR}"/bgp-status ]] ; then + mv "${_TMPDIR}"/bgp-status "${_TMPDIR}"/bgp-status.old +else + touch "${_TMPDIR}"/bgp-status + touch "${_TMPDIR}"/bgp-status.old +fi + +# List peers and loops on them to list them and their BGP state +bgpctl show neighbor | grep Description {{ bgp_exclude_grep_command }} | sed s,\ Description:\ ,,g > "${_TMPDIR}"/peers-list + +while read _PEER +do + _STATUS=$(/usr/sbin/bgpctl show neighbor "${_PEER}" | grep state | awk '{print $4}' |tr -d ',') + echo -n "${_PEER}" >> "${_TMPDIR}"/bgp-status + echo -n " " >> "${_TMPDIR}"/bgp-status + # we note only if it's established or not + if ! [[ "${_STATUS}" = "Established" ]] ; then + _STATUS="NotEstablished" + fi + echo "${_STATUS}" >> "${_TMPDIR}"/bgp-status + +done <"${_TMPDIR}"/peers-list + +# Check for difference with previous run +different=$(diff -q "${_TMPDIR}"/bgp-status.old "${_TMPDIR}"/bgp-status) + +if ! 
[[ -n "${different}" ]] ; then + rm -f "${_PIDFILE}" + exit 0 +fi + +# It changed so we're going to send a mail + +_TMPMAILDIR="${_TMPDIR}"/mail +mkdir -p "${_TMPMAILDIR}" + +# go through sessions and list them depending on their BGP state +echo "*** Session(s) OK ***\n" >> "${_TMPMAILDIR}"/bodyok +while read _LINE +do + # _LINE is session + status + _STATUS=$(echo "${_LINE##* }") + _SESSION=$(echo "${_LINE}" | awk '{$NF=""}1') + if [[ "${_STATUS}" = "Established" ]] ; then + bgpctl show | grep "${_SESSION}" >> "${_TMPMAILDIR}"/bodyok + else + bgpctl show | grep "${_SESSION}" >> "${_TMPMAILDIR}"/bodynok + fi +done <"${_TMPDIR}"/bgp-status + +# create the mail body + +echo "Dear NOC,\n\nThe state of one or more BGP session(s) has changed:\n" > "${_TMPMAILDIR}"/header +cat "${_TMPMAILDIR}"/header "${_TMPMAILDIR}"/bodyok > "${_TMPMAILDIR}"/body + +_STATE="OK" +if [[ -f "${_TMPMAILDIR}"/bodynok ]] ; then + _STATE="NOT OK" + echo "\n*** Session(s) on error ***\n" >> "${_TMPMAILDIR}"/body + cat "${_TMPMAILDIR}"/bodynok >> "${_TMPMAILDIR}"/body +fi + +# show a diff +echo "" >> "${_TMPMAILDIR}"/body +echo "Diff is " >> "${_TMPMAILDIR}"/body +diff -U0 "${_TMPDIR}"/bgp-status.old "${_TMPDIR}"/bgp-status >> "${_TMPMAILDIR}"/body + +# Send the mail whether we have a realname or not +if [ -n "${_REALNAME}" ]; then + cat "${_TMPMAILDIR}"/body | mail -s "[BGP] ${_REALNAME} (${_HOSTNAME}) - State change - ${_STATE}" "${_MAILTO}" +else + cat "${_TMPMAILDIR}"/body | mail -s "[BGP] ${_HOSTNAME} - State change" "${_MAILTO}" +fi + +# cleaning +if [[ -d "${_TMPMAILDIR}" ]] ; then + rm -rf "${_TMPMAILDIR}" +fi +rm -f "${_PIDFILE}" diff --git a/roles/ospf/README.md b/roles/ospf/README.md new file mode 100644 index 0000000..f0e929c --- /dev/null +++ b/roles/ospf/README.md 
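Review bot: `_REALNAME` is only assigned when `/etc/realname` exists, but the script runs under `set -u` and later evaluates `[ -n "${_REALNAME}" ]`, so on a host without that file ksh aborts with an unset-parameter error before the mail is sent and before `rm -f "${_PIDFILE}"` runs, after which every later run exits at the pidfile check; initialise it with `_REALNAME=""` before the `if [ -e /etc/realname ]` block. The same pattern is in `ospf6d-check-peers.sh.j2` and `ospfd-check-peers.sh.j2`. `_TMPDIR=/tmp/check-bgp` is a fixed path in a world-writable directory into which a root cron job then writes status, pid and mail-body files after a `mkdir -p` that succeeds even if another user pre-created the directory; a root-owned directory outside `/tmp` (or `mktemp -d` for the per-run files) avoids that. The subject line in the `else` branch of the mail block omits `- ${_STATE}`, unlike the ospf scripts.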
@@ -0,0 +1,14 @@ +# OSPF + +Deployment of OSPF check scripts with their cron. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +The full list of variables (with default values) can be found in `defaults/main.yml`. + +* `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected +* `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs diff --git a/roles/ospf/defaults/main.yml b/roles/ospf/defaults/main.yml new file mode 100644 index 0000000..098bef5 --- /dev/null +++ b/roles/ospf/defaults/main.yml @@ -0,0 +1,3 @@ +--- +ospf_mailto: "foobar@example.com" +ospf_sed_command: "" diff --git a/roles/ospf/tasks/main.yml b/roles/ospf/tasks/main.yml new file mode 100644 index 0000000..aa04759 --- /dev/null +++ b/roles/ospf/tasks/main.yml @@ -0,0 +1,22 @@ +--- +- name: Deploy ospf check scripts + template: + src: "{{ item }}.j2" + dest: /usr/share/scripts/{{ item }} + with_items: + - "ospfd-check-peers.sh" + - "ospf6d-check-peers.sh" + when: group_names | select('search','ospf') | list | count > 0 + tags: + - ospf + +- name: Cron job for ospf check scripts is installed + cron: + name: "{{ item }} check" + job: "/bin/sh /usr/share/scripts/{{ item }}-check-peers.sh" + with_items: + - ospfd + - ospf6d + when: group_names | select('search','ospf') | list | count > 0 + tags: + - ospf diff --git a/roles/ospf/templates/ospf6d-check-peers.sh.j2 b/roles/ospf/templates/ospf6d-check-peers.sh.j2 new file mode 100755 index 0000000..2c1d294 --- /dev/null +++ b/roles/ospf/templates/ospf6d-check-peers.sh.j2 
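Review bot: The cron job runs the scripts with `/bin/sh`, while the templates carry a `#!/bin/ksh` shebang and use ksh constructs such as `[[ ]]`; on OpenBSD `/bin/sh` is ksh so this works today, but invoking them as `/bin/ksh /usr/share/scripts/{{ item }}-check-peers.sh` (or by path, relying on the shebang) makes the dependency explicit. As with the bgp role, no minute/hour fields are given, so both check scripts run every minute. The two tasks spell the same scripts differently in `with_items` (`ospfd-check-peers.sh` vs `ospfd`); one list of daemon names with the suffix added in the template task would keep them in step.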
@@ -0,0 +1,126 @@ +#!/bin/ksh + +# Script writen by Daniel Jakots for BGP, adapted by Jeremy Dubois for OSPF + +# First we go through the list of neighbor and we write all the peer and +# their status in "${_TMPDIR}"/ospf6-status. + +# Then we monitor if this file has changed between now and the previous run. + +# If it did, we send a mail with the states of the different sessions. + +set -u + +PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:. + +_MAILTO="{{ ospf_mailto }}" +_TMPDIR=/tmp/check-ospf6 +_PIDFILE="${_TMPDIR}"/ospf6d-check-peers.pid + + +if [ -e /etc/realname ]; then + _REALNAME=$(cat /etc/realname) + _HOSTNAME=$(hostname -s) +else + _HOSTNAME=$(hostname) +fi + +mkdir -p "${_TMPDIR}" + +# Don't try to run if it's already running +if [ -e "${_PIDFILE}" ]; then + echo "$(date)" >> "${_TMPDIR}"/log + exit 1 +else + echo $$ >> "${_PIDFILE}" +fi + +# Create an history +if [[ -f "${_TMPDIR}"/ospf6-status ]] ; then + mv "${_TMPDIR}"/ospf6-status "${_TMPDIR}"/ospf6-status.old +else + touch "${_TMPDIR}"/ospf6-status + touch "${_TMPDIR}"/ospf6-status.old +fi + +# List peers and loops on them to list them and their OSPF6 state +ospf6ctl show neighbor | grep -v "^$" | grep -v "Uptime" | awk {'print $1'} > "${_TMPDIR}"/peers-list + +while read _PEER +do + _STATUS=$(/usr/sbin/ospf6ctl show neighbor | grep "${_PEER} " | awk {'print $3'}) + echo -n "${_PEER}" >> "${_TMPDIR}"/ospf6-status + echo -n " " >> "${_TMPDIR}"/ospf6-status + if ([[ "${_STATUS}" = "FULL/BCKUP" ]] || [[ "${_STATUS}" = "FULL/DR" ]] || [[ "${_STATUS}" = "2-WAY/OTHER" ]] || [[ "${_STATUS}" = "FULL/OTHER" ]]) ; then + _STATUS="UP" + else + _STATUS="DOWN" + fi + echo "${_STATUS}" >> "${_TMPDIR}"/ospf6-status + +done <"${_TMPDIR}"/peers-list + +# Check for difference with previous run +different=$(diff -q "${_TMPDIR}"/ospf6-status.old "${_TMPDIR}"/ospf6-status) + +if ! 
[[ -n "${different}" ]] ; then + rm -f "${_PIDFILE}" + exit 0 +fi + +# It changed so we're going to send a mail + +_TMPMAILDIR="${_TMPDIR}"/mail +mkdir -p "${_TMPMAILDIR}" + +# go through sessions and list them depending on their OSPF6 state +echo "*** Session(s) OK ***\n" >> "${_TMPMAILDIR}"/bodyok +while read _LINE +do + # _LINE is session + status + _STATUS=$(echo "${_LINE}" | awk {'print $2'}) + _SESSION=$(echo "${_LINE}" | awk {'print $1'}) + if [[ "${_STATUS}" = "UP" ]] ; then + ospf6ctl show neighbor | grep "${_SESSION} " {{ ospf_sed_command }} >> "${_TMPMAILDIR}"/bodyok + else + ospf6ctl show neighbor | grep "${_SESSION} " {{ ospf_sed_command }} >> "${_TMPMAILDIR}"/bodynok + fi +done <"${_TMPDIR}"/ospf6-status + +# create the mail body + +echo "Dear NOC,\n\nThe state of one or more OSPF6 session(s) has changed:\n" > "${_TMPMAILDIR}"/header +cat "${_TMPMAILDIR}"/header "${_TMPMAILDIR}"/bodyok > "${_TMPMAILDIR}"/body + +_STATE="OK" +if [[ -f "${_TMPMAILDIR}"/bodynok ]] ; then + _STATE="NOT OK" + echo "\n*** Session(s) on error ***\n" >> "${_TMPMAILDIR}"/body + cat "${_TMPMAILDIR}"/bodynok >> "${_TMPMAILDIR}"/body +fi + +# Add some infos +echo "\n\n*** Known OSPF routes ***\n" >> "${_TMPMAILDIR}"/body +ospf6ctl show fib ospf >> "${_TMPMAILDIR}"/body + +echo "\n\n*** Network used memory ***\n" >> "${_TMPMAILDIR}"/body +netstat -m >> "${_TMPMAILDIR}"/body + +echo "\n\n*** Server load ***\n" >> "${_TMPMAILDIR}"/body +w >> "${_TMPMAILDIR}"/body + +echo "\n\n*** Processes ***\n" >> "${_TMPMAILDIR}"/body +top >> "${_TMPMAILDIR}"/body + +# Send the mail whether we have a realname or not +if [ -n "${_REALNAME}" ]; then + cat "${_TMPMAILDIR}"/body | mail -s "[OSPF6] ${_REALNAME} (${_HOSTNAME}) - State change - ${_STATE}" "${_MAILTO}" +else + cat "${_TMPMAILDIR}"/body | mail -s "[OSPF6] ${_HOSTNAME} - State change - ${_STATE}" "${_MAILTO}" +fi + +# cleaning +if [[ -d "${_TMPMAILDIR}" ]] ; then + rm -rf "${_TMPMAILDIR}" +fi +rm -f "${_PIDFILE}" 
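Review bot: `top` at the end of the `# Add some infos` block is run from cron with stdout redirected to a file and no explicit batch/one-shot option; it likely falls back to batch mode when stdout is not a terminal, but passing the flag explicitly avoids depending on that. The `if ([[ ... ]] || [[ ... ]] || ...)` test forks a subshell only to group four comparisons; a single `[[ "${_STATUS}" = "FULL/BCKUP" || "${_STATUS}" = "FULL/DR" || "${_STATUS}" = "2-WAY/OTHER" || "${_STATUS}" = "FULL/OTHER" ]]` (or a `case`) is clearer. `grep "${_PEER} "` uses the router ID as an unanchored regex, so each dot in the ID matches any character; `grep -F -- "${_PEER} "` matches it literally. `ospfd-check-peers.sh.j2` has the same three points.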
diff --git a/roles/ospf/templates/ospfd-check-peers.sh.j2 b/roles/ospf/templates/ospfd-check-peers.sh.j2
new file mode 100755
index 0000000..ede2eec
--- /dev/null
+++ b/roles/ospf/templates/ospfd-check-peers.sh.j2
@@ -0,0 +1,127 @@ +#!/bin/ksh + +# Script writen by Daniel Jakots for BGP, adapted by Jeremy Dubois for OSPF + +# First we go through the list of neighbor and we write all the peer and +# their status in "${_TMPDIR}"/ospf-status. + +# Then we monitor if this file has changed between now and the previous run. + +# If it did, we send a mail with the states of the different sessions. + +set -u + +PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:. + +_MAILTO="{{ ospf_mailto }}" +_TMPDIR=/tmp/check-ospf +_PIDFILE="${_TMPDIR}"/ospfd-check-peers.pid + + +if [ -e /etc/realname ]; then + _REALNAME=$(cat /etc/realname) + _HOSTNAME=$(hostname -s) +else + _HOSTNAME=$(hostname) +fi + +mkdir -p "${_TMPDIR}" + +# Don't try to run if it's already running +if [ -e "${_PIDFILE}" ]; then + echo "$(date)" >> "${_TMPDIR}"/log + exit 1 +else + echo $$ >> "${_PIDFILE}" +fi + +# Create an history +if [[ -f "${_TMPDIR}"/ospf-status ]] ; then + mv "${_TMPDIR}"/ospf-status "${_TMPDIR}"/ospf-status.old +else + touch "${_TMPDIR}"/ospf-status + touch "${_TMPDIR}"/ospf-status.old +fi + +# List peers and loops on them to list them and their OSPF state +ospfctl show neighbor | grep -v "^$" | grep -v "Uptime" | awk {'print $1'} > "${_TMPDIR}"/peers-list + +while read _PEER +do + _STATUS=$(/usr/sbin/ospfctl show neighbor | grep "${_PEER} " | awk {'print $3'}) + echo -n "${_PEER}" >> "${_TMPDIR}"/ospf-status + echo -n " " >> "${_TMPDIR}"/ospf-status + if ([[ "${_STATUS}" = "FULL/BCKUP" ]] || [[ "${_STATUS}" = "FULL/DR" ]] || [[ "${_STATUS}" = "2-WAY/OTHER" ]] || [[ "${_STATUS}" = "FULL/OTHER" ]]) ; then + _STATUS="UP" + else + _STATUS="DOWN" + fi + echo "${_STATUS}" >> "${_TMPDIR}"/ospf-status + +done <"${_TMPDIR}"/peers-list + +# Check for difference with previous run +different=$(diff -q "${_TMPDIR}"/ospf-status.old "${_TMPDIR}"/ospf-status) + +if ! 
[[ -n "${different}" ]] ; then + rm -f "${_PIDFILE}" + exit 0 +fi + +# It changed so we're going to send a mail + +_TMPMAILDIR="${_TMPDIR}"/mail +mkdir -p "${_TMPMAILDIR}" + +# go through sessions and list them depending on their OSPF state +echo "*** Session(s) OK ***\n" >> "${_TMPMAILDIR}"/bodyok +while read _LINE +do + # _LINE is session + status + _STATUS=$(echo "${_LINE}" | awk {'print $2'}) + _SESSION=$(echo "${_LINE}" | awk {'print $1'}) + if [[ "${_STATUS}" = "UP" ]] ; then + ospfctl show neighbor | grep "${_SESSION} " {{ ospf_sed_command }} >> "${_TMPMAILDIR}"/bodyok + else + ospfctl show neighbor | grep "${_SESSION} " {{ ospf_sed_command }} >> "${_TMPMAILDIR}"/bodynok + fi +done <"${_TMPDIR}"/ospf-status + +# create the mail body + +echo "Dear NOC,\n\nThe state of one or more OSPF session(s) has changed:\n" > "${_TMPMAILDIR}"/header +cat "${_TMPMAILDIR}"/header "${_TMPMAILDIR}"/bodyok > "${_TMPMAILDIR}"/body + +_STATE="OK" +if [[ -f "${_TMPMAILDIR}"/bodynok ]] ; then + _STATE="NOT OK" + echo "\n*** Session(s) on error ***\n" >> "${_TMPMAILDIR}"/body + cat "${_TMPMAILDIR}"/bodynok >> "${_TMPMAILDIR}"/body +fi + +# Add some infos +echo "\n\n*** Known OSPF routes ***\n" >> "${_TMPMAILDIR}"/body +ospfctl show fib ospf >> "${_TMPMAILDIR}"/body + +echo "\n\n*** Network used memory ***\n" >> "${_TMPMAILDIR}"/body +netstat -m >> "${_TMPMAILDIR}"/body + +echo "\n\n*** Server load ***\n" >> "${_TMPMAILDIR}"/body +w >> "${_TMPMAILDIR}"/body + +echo "\n\n*** Processes ***\n" >> "${_TMPMAILDIR}"/body +top >> "${_TMPMAILDIR}"/body + + +# Send the mail whether we have a realname or not +if [ -n "${_REALNAME}" ]; then + cat "${_TMPMAILDIR}"/body | mail -s "[OSPF] ${_REALNAME} (${_HOSTNAME}) - State change - ${_STATE}" "${_MAILTO}" +else + cat "${_TMPMAILDIR}"/body | mail -s "[OSPF] ${_HOSTNAME} - State change - ${_STATE}" "${_MAILTO}" +fi + +# cleaning +if [[ -d "${_TMPMAILDIR}" ]] ; then + rm -rf "${_TMPMAILDIR}" +fi +rm -f "${_PIDFILE}" 
From 71e0acb7e7b4da9448fc3043008a9cce0dadf1b1 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 22 Apr 2020 12:08:55 +0200 Subject: [PATCH 039/150] Functional and better ospfd check --- .../files/plugins_bsd/check_ospfd_simple | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple b/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple index 718114c..2ec3692 100755 --- a/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple +++ b/roles/nagios-nrpe/files/plugins_bsd/check_ospfd_simple @@ -3,10 +3,16 @@ . /usr/local/libexec/nagios/utils.sh # check if ospfd is running -if ospfctl show 2>&1 | grep -q "ospfctl: connect: /var/run/ospfd.sock: No such file or directory"; then - echo "CRITICAL - OSPFD not running" +if ! ls /var/run/ospfd* > /dev/null 2>&1; then + echo "CRITICAL - OSPFD not running, no socket found" exit "$STATE_CRITICAL" else - echo "OK - OSPFD is running" - exit "$STATE_OK" + if ospfctl show 2>&1 | grep -q "Uptime"; then + uptime=$(ospfctl show | grep Uptime | awk '{print $2}') + echo "OK - OSPFD has been running for $uptime" + exit "$STATE_OK" + else + echo "CRITICAL - OSPFD not running" + exit "$STATE_CRITICAL" + fi fi From 6cf81802bef8bd41c79f94f6ea1ab15b885aedb3 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 22 Apr 2020 14:30:26 +0200 Subject: [PATCH 040/150] Reordering of the list of NRPE checks With deletion of unused check_onduleur and correction of check_connections_state location --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 37 ++++++++++++------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 1351b28..2b33b5c 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
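Review bot: `ospfctl show` is run twice in the new `else` branch, once to test for `Uptime` and once to extract it, so the two calls can observe different states and a daemon that stops between them yields an `OK` line with an empty uptime; capture it once, e.g. `status=$(ospfctl show 2>&1)`, then `uptime=$(printf '%s\n' "$status" | awk '/Uptime/ {print $2}')` and test `[ -n "$uptime" ]`. The `else` followed by a nested `if` can be flattened with `elif`. `ls /var/run/ospfd* > /dev/null 2>&1` only proves that some file with that prefix exists, which a stale socket left after a crash also satisfies, so the `Uptime` test is what really decides; if the socket path is always `/var/run/ospfd.sock` as the removed line suggests, `[ -S /var/run/ospfd.sock ]` says what is meant without a glob.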
@@ -8,34 +8,43 @@ # Allowed IPs allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} +# System checks command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10 command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20 command[check_disk1]=/usr/local/libexec/nagios/check_disk -x /lib/init/rw -x /dev -x /dev/shm -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home command[check_zombie_procs]=/usr/local/libexec/nagios/check_procs -w 5 -c 10 -s Z command[check_total_procs]=/usr/local/libexec/nagios/check_procs -w 150 -c 200 -command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost +command[check_swap]=/usr/local/libexec/nagios/check_swap --no-swap=ok -a -w 30% -c 20% + +# Generic services checks command[check_smtp]=/usr/local/libexec/nagios/check_smtp -H localhost -f {{ general_alert_email }} command[check_dns]=/usr/local/libexec/nagios/check_dns -H evolix.net -command[check_swap]=/usr/local/libexec/nagios/check_swap --no-swap=ok -a -w 30% -c 20% command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp.evolix.net -command[check_http]=/usr/local/libexec/nagios/check_http -H localhost -p 80 -command[check_onduleur]=/usr/local/libexec/nagios/check_ups -H localhost -u onduleur -command[check_mailq]=doas /usr/local/libexec/nagios/check_mailq -w 10 -c 20 -command[check_bind]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost +command[check_mailq]=doas /usr/local/libexec/nagios/check_mailq -w 10 -c 20 + +# Specific services checks +command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost +command[check_http]=/usr/local/libexec/nagios/check_http -H localhost -p 80 +command[check_bind]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT +command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 
+command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf #command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100% -command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" +command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u + +# Local checks (not packaged) command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run -command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10 -command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u -command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 -#command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd -#command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d +command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" +command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states +command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd +command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d command[check_ospfd_simple]=doas /usr/local/libexec/nagios/plugins/check_ospfd_simple command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u -command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf -command[check_connections_state]=doas /usr/local/libexec/nagios/check_connections_state.sh 
+command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_connections_state.sh + +# This is an Ansible managed file ! +# For local modifications use the /etc/nrpe.d/zzz-evolix.cfg file instead From 9b1f5c0f6c512d06712116ccacc60e5ec72bdc8e Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 22 Apr 2020 15:06:53 +0200 Subject: [PATCH 041/150] Customize newsyslog.conf --- roles/base/files/newsyslog.conf | 15 +++++++++++++++ roles/base/tasks/main.yml | 1 + roles/base/tasks/newsyslog.yml | 7 +++++++ 3 files changed, 23 insertions(+) create mode 100644 roles/base/files/newsyslog.conf create mode 100644 roles/base/tasks/newsyslog.yml diff --git a/roles/base/files/newsyslog.conf b/roles/base/files/newsyslog.conf new file mode 100644 index 0000000..a488913 --- /dev/null +++ b/roles/base/files/newsyslog.conf @@ -0,0 +1,15 @@ +# EvoBSD configuration file for newsyslog +# +# logfile_name owner:group mode count size when flags +/var/cron/log root:wheel 600 52 * $W1 Z +/var/log/authlog root:wheel 640 52 * $W1 Z +/var/log/daemon 640 365 * $D0 Z +/var/log/lpd-errs 640 7 * $D0 Z +/var/log/maillog 640 52 * $W1 Z +/var/log/messages 644 365 * $D0 Z +/var/log/secure 600 52 * $W1 Z +/var/log/wtmp 644 7 * $D0 B +/var/log/xferlog 640 7 * $D0 Z +/var/log/pflog 600 30 * $D0 ZB "pkill -HUP -u root -U root -t - -x pflogd" +/var/www/logs/access.log 644 52 * $W1 Z "pkill -USR1 -u root -U root -x httpd" +/var/www/logs/error.log 644 52 * $W1 Z "pkill -USR1 -u root -U root -x httpd" diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 7df8981..b42d8d3 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -7,3 +7,4 @@ - include: mail.yml - include: sudo.yml - include: evobackup.yml +- include: newsyslog.yml diff --git a/roles/base/tasks/newsyslog.yml b/roles/base/tasks/newsyslog.yml new file mode 100644 index 0000000..936a6d5 --- /dev/null +++ b/roles/base/tasks/newsyslog.yml 
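Review bot: `check_connections_state` now points at `/usr/local/libexec/nagios/plugins/check_connections_state.sh` and `check_ospfd`/`check_ospf6d` are uncommented, all run through `doas`; if the host's doas rules for the NRPE user pin exact command paths, they need the same update or these checks will fail with a permission error (not verifiable from this hunk). `check_ospfd` and `check_ospf6d` become active on every host using this template, including ones without ospfd, where the plugin will presumably report CRITICAL if the Nagios side ever polls them. The `# This is an Ansible managed file !` banner is appended at the end of the file, where someone editing it by hand will not see it first; placing it at the top, with the `allowed_hosts` line, is the usual convention.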
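Review bot: The header comment reads `# EvoBSD configuration file for newsyslog`, but the evocheck script added later in this series (`check_customsyslog`) greps `/etc/newsyslog.conf` for the string `Evolix` and reports `IS_CUSTOMSYSLOG` failed when it is absent, so hosts deployed with this file will fail that check; either mention Evolix in the header or make the check grep for `EvoBSD`. The `/var/log/daemon`, `lpd-errs`, `maillog`, `messages`, `secure`, `wtmp` and `xferlog` rows omit the `owner:group` column that the header line documents; newsyslog accepts that, but the column header then does not describe the rows.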
@@ -0,0 +1,7 @@ +--- +- name: Customize newsyslog + copy: + src: newsyslog.conf + dest: /etc/newsyslog.conf + tags: + - newsyslog From cb2be6ecd2a98bf045b705d9a304fc9148ca44f7 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 22 Apr 2020 15:17:46 +0200 Subject: [PATCH 042/150] Change wtmp rotation period --- roles/base/files/newsyslog.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/files/newsyslog.conf b/roles/base/files/newsyslog.conf index a488913..4e84cb3 100644 --- a/roles/base/files/newsyslog.conf +++ b/roles/base/files/newsyslog.conf @@ -8,7 +8,7 @@ /var/log/maillog 640 52 * $W1 Z /var/log/messages 644 365 * $D0 Z /var/log/secure 600 52 * $W1 Z -/var/log/wtmp 644 7 * $D0 B +/var/log/wtmp 644 52 * $W1 B /var/log/xferlog 640 7 * $D0 Z /var/log/pflog 600 30 * $D0 ZB "pkill -HUP -u root -U root -t - -x pflogd" /var/www/logs/access.log 644 52 * $W1 Z "pkill -USR1 -u root -U root -x httpd" From c45c68c1b0976929bdfdd57ad8d7904a17730e65 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 22 Apr 2020 15:43:56 +0200 Subject: [PATCH 043/150] Add execute permission to OpenVPN check --- roles/nagios-nrpe/files/plugins_bsd/check_openvpn.pl | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 roles/nagios-nrpe/files/plugins_bsd/check_openvpn.pl diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_openvpn.pl b/roles/nagios-nrpe/files/plugins_bsd/check_openvpn.pl old mode 100644 new mode 100755 From 12f7e347da56c3a1ccdc861575fa277eac8e157e Mon Sep 17 00:00:00 2001 
From: Tristan PILAT Date: Tue, 12 May 2020 15:01:46 +0200 Subject: [PATCH 044/150] Add initial version of an evocheck role --- roles/evocheck/README.md | 13 ++ roles/evocheck/defaults/main.yml | 2 + roles/evocheck/files/evocheck.cf | 5 + roles/evocheck/files/evocheck.sh | 382 +++++++++++++++++++++++++++++++ roles/evocheck/tasks/exec.yml | 15 ++ roles/evocheck/tasks/install.yml | 38 +++ roles/evocheck/tasks/main.yml | 2 + 7 files changed, 457 insertions(+) create mode 100644 roles/evocheck/README.md create mode 100644 roles/evocheck/defaults/main.yml create mode 100644 roles/evocheck/files/evocheck.cf create mode 100644 roles/evocheck/files/evocheck.sh create mode 100644 roles/evocheck/tasks/exec.yml create mode 100644 roles/evocheck/tasks/install.yml create mode 100644 roles/evocheck/tasks/main.yml diff --git a/roles/evocheck/README.md b/roles/evocheck/README.md new file mode 100644 index 0000000..a486e2c --- /dev/null +++ b/roles/evocheck/README.md @@ -0,0 +1,13 @@ +# evocheck + +Install and run evocheck ; a script for checking various settings automatically. + +## Tasks + +A separate `exec.yml` file can be imported manually in playbooks or roles to execute the script. Example : + +``` +- include_role: + name: evolix/evocheck + tasks_from: exec.yml +``` diff --git a/roles/evocheck/defaults/main.yml b/roles/evocheck/defaults/main.yml new file mode 100644 index 0000000..8160768 --- /dev/null +++ b/roles/evocheck/defaults/main.yml @@ -0,0 +1,2 @@ +--- +evocheck_bin_dir: /usr/share/scripts diff --git a/roles/evocheck/files/evocheck.cf b/roles/evocheck/files/evocheck.cf new file mode 100644 index 0000000..9eca204 --- /dev/null +++ b/roles/evocheck/files/evocheck.cf @@ -0,0 +1,5 @@ +# Managed by Ansible +# +# Configuration for evocheck +# Use this file to change configuration values defined in evocheck.sh +# Ex : IS_TMP_1777=0 diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh new file mode 100644 index 0000000..0c90051 --- /dev/null 
+++ b/roles/evocheck/files/evocheck.sh 
@@ -0,0 +1,382 @@ +#!/bin/sh + +# EvoCheck +# Script to verify compliance of an OpenBSD server powered by Evolix + +readonly VERSION="6.6.2" + +# Disable LANG* + +export LANG=C +export LANGUAGE=C + + +# Default return code : 0 = no error +RC=0 + +# Verbose function +verbose() { + msg="${1:-$(cat /dev/stdin)}" + [ "${VERBOSE}" -eq 1 ] && [ -n "${msg}" ] && echo "${msg}" +} + +# Source configuration file +test -f /etc/evocheck.cf && . /etc/evocheck.cf + +# Functions + +show_help() { + cat < + Gregory Colpart + Jeremy Dubois + Jeremy Lecour + Ludovic Poujol + Romain Dessort + Tristan Pilat + Victor Laborie + +USAGE: evocheck + or evocheck --cron + or evocheck --quiet + or evocheck --verbose + +OPTIONS: + --cron disable a few checks + -v, --verbose increase verbosity of checks + -q, --quiet nothing is printed on stdout nor stderr + -h, --help, --version print this message and exit + +COPYRIGHT: + evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, + and you are welcome to redistribute it under certain conditions. + See the GNU General Public License v3.0 for details. 2009-2020 +END +} + +is_installed(){ + for pkg in "$@"; do + pkg_info | grep -q $pkg || return 1 + done +} + +# logging +failed() { + check_name=$1 + shift + check_comments=$* + + RC=1 + if [ "${QUIET}" != 1 ]; then + if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then + printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1 + else + printf "%s FAILED!\n" "${check_name}" 2>&1 + fi + fi +} + + +# If --cron is passed, ignore some checks. 
+if [ "$1" = "--cron" ]; then + IS_KERNELUPTODATE=0 + IS_UPTIME=0 +fi + +check_umasksudoers(){ + grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077" +} + +check_tmpnoexec(){ + mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option" +} + +check_tmoutprofile(){ + grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files" +} + +check_raidok(){ + egrep 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1 + RESULT=$? + if [ $RESULT -eq 0 ]; then + raid_device=$(egrep 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }') + raid_status=$(bioctl $raid_device | grep softraid | awk '{ print $3 }') + if [ $raid_status != "Online" ]; then + failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations" + fi + fi +} + +check_evobackup(){ + if [ -f /etc/daily.local ]; then + grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local" + else + failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local" + fi +} + +check_uptodate(){ + if [ -f $(command -v syspatch) ]; then + if syspatch -c | egrep "." 1> /dev/null 2>&1; then + failed "IS_UPTODATE" "Security update available! Update with syspatch(8)!" + fi + fi +} + +check_uptime(){ + if [ $(uptime | cut -d" " -f 4) -gt 365 ]; then + failed "IS_UPTIME" "The server is running for more than a year!" 
+ fi +} + +check_backuptodate(){ +} + +check_gitperms(){ + test -d /etc/.git && [ "$(stat -f %p /etc/.git/)" = "40700" ] || failed "IS_GITPERMS" "The directiry /etc/.git sould be in 700" +} + +check_advbase(){ + if ls /etc/hostname.carp* 1> /dev/null 2>&1; then + for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do + if [[ "$advbase" -gt 1 ]]; then + failed "IS_ADVBASE" "At least one CARP interface has advbase greater than 5 seconds!" + fi + done + fi +} + +check_preempt(){ + if ls /etc/hostname.carp* 1> /dev/null 2>&1; then + preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2) + if [[ "$preempt" -ne 1 ]]; then + failed "IS_PREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in" + fi + if [ -f /etc/sysctl.conf ]; then + grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_PREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf" + else + failed "IS_PREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'" + fi + fi +} + +check_rebootmail(){ + if [ -f /etc/rc.local ]; then + grep -qE '^date \| mail -s "boot/reboot of' /etc/rc.local || failed "IS_REBOOTMAIL" "Make sure the line 'date | mail -s \"boot/reboot of \$hostname' is present in the /etc/rc.local file!" + else + failed "IS_REBOOTMAIL" "Make sure /etc/rc.local exist and 'date | mail -s \"boot/reboot of \$hostname' is present!" + fi +} + +check_pfenabled(){ + if pfctl -si | grep Disabled 1> /dev/null 2>&1; then + failed "IS_PFENABLED" "PF is disabled! 
Make sure pf=NO is absent from /etc/rc.conf.local and carefully run pfctl -e" + fi +} + +check_pfcustom(){ +} + +check_softdep(){ + grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP" "" +} + +check_wheel(){ + if [ -f /etc/sudoers ]; then + grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL" "" + fi +} + +check_pkgmirror(){ + grep -qE "^https://cdn\.openbsd\.org/pub/OpenBSD" /etc/installurl || failed "IS_PKGMIRROR" "Check whether the right repo is present in the /etc/installurl file" +} + +check_history(){ + file=/root/.profile + grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=10000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=10000' are present in /root/.profile" +} + +check_vim(){ + if ! is_installed vim; then + failed "IS_VIM" "vim is not installed! Please add with pkg_add vim" + fi +} + +check_ttyc0secure(){ + grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE" "First tty should be secured" +} + +check_customsyslog(){ + grep -q Evolix /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" "" +} + +check_sudomaint(){ + file=/etc/sudoers + grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \ + && grep -q "ADMIN ALL=NOPASSWD: MAINT" $file \ + || failed "IS_SUDOMAINT" "" +} + +check_postgresql(){ + if ! is_installed postgresql-client; then + failed "IS_POSTGRESQL" "postgresql-client is not installed! Please add with pkg_add postgresql-client" + fi +} + +check_nrpe(){ + if ! is_installed monitoring-plugins || ! is_installed nrpe; then + failed "IS_NRPE" "nrpe and/or monitoring-plugins are not installed! Please add with pkg_add nrpe monitoring-plugins" + fi +} + +check_rsync(){ + if ! is_installed rsync; then + failed "IS_RSYNC" "rsync is not installed! 
Please add with pkg_add rsync" + fi +} + +check_cronpath(){ + grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/share/scripts" /var/cron/tabs/root || failed "IS_CRONPATH" "" +} + +check_tmp1777(){ + ls -ld /tmp | grep -q drwxrwxrwt || failed "IS_TMP_1777" "" +} + +check_root0700(){ + ls -ld /root | grep -q drwx------ || failed "IS_ROOT_0700" "" +} + +check_usrsharescripts(){ + ls -ld /usr/share/scripts | grep -q drwx------ || failed "IS_USRSHARESCRIPTS" "" +} + +check_sshpermitrootno() { + grep -qE ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" "" ) +} + +check_evomaintenanceusers(){ + # Can be changed in evocheck.cf + homeDir=${homeDir:-/home} + sudoers="/etc/sudoers" + for i in $( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep ^sudo /etc/group |cut -d: -f 4) | tr "," "\n" |sort -u); do + grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile + if [ $? != 0 ]; then + failed "IS_EVOMAINTENANCEUSERS" "$i doesn't have evomaintenance trap!" + fi + done +} + +check_evomaintenanceconf(){ + file=/etc/evomaintenance.cf + ( test -e $file \ + && test $(stat -f %p $file) = "100600" \ + && grep "^export PGPASSWORD" $file |grep -qv "your-passwd" \ + && grep "^PGDB" $file |grep -qv "your-db" \ + && grep "^PGTABLE" $file |grep -qv "your-table" \ + && grep "^PGHOST" $file |grep -qv "your-pg-host" \ + && grep "^FROM" $file |grep -qv "jdoe@example.com" \ + && grep "^FULLFROM" $file |grep -qv "John Doe " \ + && grep "^URGENCYFROM" $file |grep -qv "mama.doe@example.com" \ + && grep "^URGENCYTEL" $file |grep -qv "06.00.00.00.00" \ + && grep "^REALM" $file |grep -qv "example.com" ) || failed "IS_EVOMAINTENANCECONF" "" +} + +check_sync(){ + if ifconfig carp | grep carp 1> /dev/null 2>&1; then + sync_script=/usr/share/scripts/sync.sh + if [ ! -f $sync_script ]; then + failed "IS_SYNC" "The sync.sh script is absent! 
As a carp member, a sync.sh script should be present in /usr/share/scripts" + fi + fi +} + + +main() { + # Default return code : 0 = no error + RC=0 + + test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers + test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec + test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile + test "${IS_RAIDOK:=1}" = 1 && check_raidok + test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup + test "${IS_UPTODATE:=1}" = 1 && check_uptodate + test "${IS_UPTIME:=1}" = 1 && check_uptime + test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backuptodate + test "${IS_GITPERMS:=1}" = 1 && check_gitperms + test "${IS_ADVBASE:=1}" = 1 && check_advbase + test "${IS_PREEMPT:=1}" = 1 && check_preempt + test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail + test "${IS_PFENABLED:=1}" = 1 && check_pfenabled + test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom + test "${IS_SOFTDEP:=1}" = 1 && check_softdep + test "${IS_WHEEL:=1}" = 1 && check_wheel + test "${IS_PKGMIRROR:=1}" = 1 && check_pkgmirror + test "${IS_HISTORY:=1}" = 1 && check_history + test "${IS_VIM:=1}" = 1 && check_vim + test "${IS_TTYC0SECURE:=1}" = 1 && check_ttyc0secure + test "${IS_CUSTOMSYSLOG:=1}" = 1 && check_customsyslog + test "${IS_SUDOMAINT:=1}" = 1 && check_sudomaint + test "${IS_POSTGRESQL:=1}" = 1 && check_postgresql + test "${IS_NRPE:=1}" = 1 && check_nrpe + test "${IS_RSYNC:=1}" = 1 && check_rsync + test "${IS_CRONPATH:=1}" = 1 && check_cronpath + test "${IS_TMP_1777:=1}" = 1 && check_tmp1777 + test "${IS_ROOT_0700:=1}" = 1 && check_root0700 + test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts + test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno + test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers + test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf + test "${IS_SYNC:=1}" = 1 && check_sync + + exit ${RC} +} +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help|--version) + 
show_help + exit 0 + ;; + --cron) + IS_KERNELUPTODATE=0 + IS_UPTIME=0 + ;; + -v|--verbose) + VERBOSE=1 + ;; + -q|--quiet) + QUIET=1 + VERBOSE=0 + ;; + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +main ${ARGS} diff --git a/roles/evocheck/tasks/exec.yml b/roles/evocheck/tasks/exec.yml new file mode 100644 index 0000000..244d034 --- /dev/null +++ b/roles/evocheck/tasks/exec.yml @@ -0,0 +1,15 @@ +--- +- name: run evocheck + command: "{{ evocheck_bin_dir }}/evocheck.sh" + register: evocheck_run + changed_when: False + failed_when: False + check_mode: no + tags: + - evocheck-exec + +- debug: + var: evocheck_run.stdout_lines + when: evocheck_run.stdout != "" + tags: + - evocheck-exec diff --git a/roles/evocheck/tasks/install.yml b/roles/evocheck/tasks/install.yml new file mode 100644 index 0000000..77baca6 --- /dev/null +++ b/roles/evocheck/tasks/install.yml @@ -0,0 +1,38 @@ +--- +- name: Scripts dir is present + file: + path: "{{ evocheck_bin_dir }}" + state: directory + owner: root + group: root + mode: "0700" + tags: + - evocheck + +- name: Copy evocheck.sh + copy: + src: evocheck.sh + dest: "{{ evocheck_bin_dir }}/evocheck.sh" + mode: "0700" + owner: root + force: yes + tags: + - evocheck + +- name: Copy evocheck.cf + copy: + src: evocheck.cf + dest: /etc/evocheck.cf + force: no + tags: + - evocheck + +- name: Add evocheck cron + lineinfile: + path: /etc/daily.local + line: 'sh /usr/share/scripts/evocheck.sh --verbose --cron' + owner: root + mode: "0644" + create: yes + tags: + - evocheck diff --git a/roles/evocheck/tasks/main.yml b/roles/evocheck/tasks/main.yml new file mode 100644 index 0000000..db69018 --- /dev/null +++ b/roles/evocheck/tasks/main.yml @@ -0,0 +1,2 @@ +--- +- include: install.yml 
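Review bot: With `failed_when: False` on the `run evocheck` task and the debug gated on `evocheck_run.stdout != ""`, a run in which evocheck.sh exits non-zero or only writes to stderr (a syntax error in the script, for instance) produces no output in the play at all and is indistinguishable from a clean pass. Registering the result is the right move, but the display should also cover that case, e.g. `when: evocheck_run.stdout != "" or evocheck_run.rc != 0` together with `var: evocheck_run`, or a second debug on `evocheck_run.stderr_lines`.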
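Review bot: The `Copy evocheck.cf` task sets no `owner`, `group` or `mode`, unlike the two tasks above it, so /etc/evocheck.cf is created with whatever the copy module's defaults yield; since the script presumably reads this file as root (the `homeDir` comment in check_evomaintenanceusers says values can be changed in evocheck.cf), it should be root-owned and neither group- nor world-writable, e.g. `owner: root`, `group: wheel`, `mode: "0600"`. The cron entry hard-codes `/usr/share/scripts/evocheck.sh` while both copy tasks use `{{ evocheck_bin_dir }}`, so an override of that variable leaves the cron job pointing at a missing file; use `line: 'sh {{ evocheck_bin_dir }}/evocheck.sh --verbose --cron'`. Separately, the `--cron` flag that line passes sets `IS_KERNELUPTODATE=0` in the script's option parser while `main` gates the check on `IS_UPTODATE`, so in its current form the flag only disables the uptime check.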
From 1829b0b7179bc8c8fd0932d01dec403f18b54bcd Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 12 May 2020 15:04:05 +0200 Subject: [PATCH 045/150] Add evocheck to the roles called during the Evolixisation process --- evolixisation.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolixisation.yml b/evolixisation.yml index 0f0f242..a0ee92d 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -25,6 +25,7 @@ - pf - accounts - nagios-nrpe + - evocheck - post-install #- openvpn #- ospf From 064055b5c84731eb0847dc2dcf449483f750212c Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 12 May 2020 15:05:07 +0200 Subject: [PATCH 046/150] Execute Evocheck at the end of the Evolixisation process --- evolixisation.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/evolixisation.yml b/evolixisation.yml index a0ee92d..003d941 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -35,6 +35,9 @@ - include: "tasks/commit_etc_git.yml" vars: commit_message: "Ansible - Evolixisation" + - include_role: + name: evocheck + tasks_from: exec.yml # environment: # PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" From 6ae49f147df1efd39391db135e43deb64e7c238f Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Tue, 12 May 2020 18:21:20 +0200 Subject: [PATCH 047/150] Fix group name in evocheck install task --- roles/evocheck/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/evocheck/tasks/install.yml b/roles/evocheck/tasks/install.yml index 77baca6..915bc98 100644 --- a/roles/evocheck/tasks/install.yml +++ b/roles/evocheck/tasks/install.yml @@ -4,7 +4,7 @@ path: "{{ evocheck_bin_dir }}" state: directory owner: root - group: root + group: wheel mode: "0700" tags: - evocheck From 1014dab37babd123a0b5ad1b7f0f81c42b4fea02 Mon Sep 17 00:00:00 2001 
From: Jeremy Dubois Date: Fri, 15 May 2020 16:25:09 +0200 Subject: [PATCH 048/150] Escaping percent sign in crontab for bgp role --- roles/bgp/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bgp/tasks/main.yml b/roles/bgp/tasks/main.yml index 2196dc6..b67ab8f 100644 --- a/roles/bgp/tasks/main.yml +++ b/roles/bgp/tasks/main.yml @@ -29,7 +29,7 @@ minute: 0 hour: 4 weekday: 0 - job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +%F)" + job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +\\%F)" when: group_names | select('search','bgp') | list | count > 0 tags: - bgp From 2177d43637a6e4a8554d9266d096f05a0ecebeb7 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 18 May 2020 17:30:54 +0200 Subject: [PATCH 049/150] Import Evomaintenance 0.6.3 --- roles/base/files/evomaintenance.sh | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/roles/base/files/evomaintenance.sh b/roles/base/files/evomaintenance.sh index 6725e16..1cd4ce7 100644 --- a/roles/base/files/evomaintenance.sh +++ b/roles/base/files/evomaintenance.sh @@ -7,7 +7,7 @@ # Copyright 2007-2019 Evolix , Gregory Colpart , # Jérémy Lecour and others. -VERSION="0.6.1" +VERSION="0.6.3" show_version() { cat </dev/null + syslog "Re-mount ${mountpoint} as read-only after commit to repository $1" fi } @@ -512,6 +520,9 @@ if [ "${HOOK_API}" = "1" ] && [ -z "${CURL_BIN}" ]; then echo "No \`curl' command has been found, can't call the API." 2>&1 fi +LOGGER_BIN=$(command -v logger) +readonly LOGGER_BIN + if [ "${HOOK_API}" = "1" ] && [ -z "${API_ENDPOINT}" ]; then echo "No API endpoint specified, can't call the API." 2>&1 fi From 38e5c1bf70b4bcbbd8ad0bfa184ddcde36870ba6 Mon Sep 17 00:00:00 2001 
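Review bot: `LOGGER_BIN=$(command -v logger)` is recorded but, unlike `CURL_BIN` in the surrounding lines, never checked, so when `logger` is absent the variable is silently empty and whatever the `syslog` call added earlier in this patch does with it (its body is garbled in this excerpt) will fail or do nothing precisely when a maintenance should be logged. Mirror the existing pattern with a guard right after the `readonly`: `if [ -z "${LOGGER_BIN}" ]; then echo "No \`logger' command has been found, can't log to syslog." >&2; fi`. Note that the neighbouring messages end in `2>&1`, which sends stderr to stdout rather than the reverse; the new guard should use `>&2`.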
From: Jeremy Dubois Date: Fri, 22 May 2020 11:34:47 +0200 Subject: [PATCH 050/150] Add OpenBSD version in computerOS field of ldap.sh --- roles/post-install/files/ldap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/post-install/files/ldap.sh b/roles/post-install/files/ldap.sh index 8933e90..f09cf9b 100755 --- a/roles/post-install/files/ldap.sh +++ b/roles/post-install/files/ldap.sh @@ -5,8 +5,8 @@ dnsPTRrecord=$(hostname) HardwareMark=$(sysctl hw.vendor| sed 's#hw.vendor=##') HardwareModel=$(sysctl hw.product| sed 's#hw.product=##') computerIP=$(ifconfig egress | grep inet | awk -v OFS="\n" '{ print $2, $NF }'| head -1) -computerOS=OpenBSD computerKernel=$(sysctl kern.osrelease | sed 's#kern.osrelease=##') +computerOS=OpenBSD $computerKernel HardwareSerial=$(sysctl hw.serialno| sed 's#hw.serialno=##') clientNumber="XXX" cpuMark=$(sysctl hw.model| sed 's#hw.model=##') From af7b3b36fe9b60987e62759fee392a324f05fe6a Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Fri, 22 May 2020 11:49:18 -0400 Subject: [PATCH 051/150] Ansible-lint and yamllint Does not fix all warnings, but gets rid of the purely cosmetic ones. (roles/accounts/tasks/main.yml) --- evolixisation.yml | 16 +++++++--------- prerequisite.yml | 12 ++++++------ roles/accounts/tasks/main.yml | 7 ++++--- tasks/commit_etc_git.yml | 4 ++-- vars/main.yml | 34 +++++++++++++++++----------------- 5 files changed, 36 insertions(+), 37 deletions(-) diff --git a/evolixisation.yml b/evolixisation.yml index 003d941..49ebd97 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -10,13 +10,13 @@ become: true become_user: root become_method: sudo -# become_method: su + # become_method: su vars_files: - vars/main.yml -# - vars/secrets.yml -# - vars/openbsd-secret.yml + # - vars/secrets.yml + # - vars/openbsd-secret.yml roles: - etc-git 
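Review bot: `computerOS=OpenBSD $computerKernel` does not assign the combined string: the shell parses it as running the command named by `$computerKernel` (e.g. `6.7`) with `computerOS=OpenBSD` set only in that command's environment, so `computerOS` stays unset for the rest of the script and a "not found" error is printed instead. Quote the value: `computerOS="OpenBSD $computerKernel"`. Moving the assignment below `computerKernel=` was correct; the quoting is the missing piece.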
@@ -27,9 +27,9 @@ - nagios-nrpe - evocheck - post-install - #- openvpn - #- ospf - #- bgp + # - openvpn + # - ospf + # - bgp post_tasks: - include: "tasks/commit_etc_git.yml" @@ -40,6 +40,4 @@ tasks_from: exec.yml # environment: -# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" - -# vim:ft=ansible +# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" diff --git a/prerequisite.yml b/prerequisite.yml index 4695566..64b4549 100644 --- a/prerequisite.yml +++ b/prerequisite.yml @@ -2,13 +2,13 @@ # ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME --- - - hosts: all - become: yes - become_method: su - user: root - gather_facts: no +- hosts: all + become: yes + become_method: su + user: root + gather_facts: no - tasks: + tasks: - name: Install ansible's prerequisite raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2 diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml index 704d908..c205a97 100644 --- a/roles/accounts/tasks/main.yml +++ b/roles/accounts/tasks/main.yml @@ -30,12 +30,13 @@ check_mode: false register: grep_allowusers_ssh -- assert: +- name: "Check that AllowUsers and AllowGroup do not override each other" + assert: that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)" msg: "We can't deal with AllowUsers and AllowGroups at the same time" -- set_fact: - # If "AllowGroups is present" +- name: "If AllowGroups is present then use it" + set_fact: ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}" - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" diff --git a/tasks/commit_etc_git.yml b/tasks/commit_etc_git.yml index 032e898..8420431 100644 --- a/tasks/commit_etc_git.yml +++ b/tasks/commit_etc_git.yml 
@@ -8,7 +8,7 @@ when: not ansible_check_mode ignore_errors: yes tags: - - commit-etc + - commit-etc - name: /etc modifications are committed shell: "git add -A . && git commit -m \"{{ commit_message | default('Ansible run') }}\" --author=\"{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>\"" @@ -18,4 +18,4 @@ when: not ansible_check_mode and git_status.stdout != "" ignore_errors: yes tags: - - commit-etc + - commit-etc diff --git a/vars/main.yml b/vars/main.yml index 098a8d2..7e70b75 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -3,29 +3,29 @@ ## Edit and uncomment to overwrite the default values ## ######################################################## -#ntpd_servers: -#- "ntp.evolix.net" +# ntpd_servers: +# - "ntp.evolix.net" # -#general_alert_email: "root@localhost" -#general_technical_realm: "example.com" +# general_alert_email: "root@localhost" +# general_technical_realm: "example.com" evolinux_ssh_group: "evolinux-ssh" evolinux_sudo_group: "evolinux-sudo" evolinux_root_disable_ssh: true # -#evomaintenance_realm: "example.com" -#evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" -#evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" -#evomaintenance_pg_host: Null -#evomaintenance_pg_passwd: Null -#evomaintenance_pg_db: Null -#evomaintenance_pg_table: Null -#evomaintenance_from_domain: "{{ evomaintenance_realm }}" -#evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" -#evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" -#evomaintenance_urgency_from: mama.doe@example.com -#evomaintenance_urgency_tel: "06.00.00.00.00" +# evomaintenance_realm: "example.com" +# evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" +# evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" +# evomaintenance_pg_host: Null +# evomaintenance_pg_passwd: Null +# evomaintenance_pg_db: Null +# evomaintenance_pg_table: Null +# evomaintenance_from_domain: "{{ evomaintenance_realm }}" +# evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" +# evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" +# evomaintenance_urgency_from: mama.doe@example.com +# evomaintenance_urgency_tel: "06.00.00.00.00" # -#evolix_users: +# evolix_users: # foo: # name: foo # uid: 1042 From e29e0e9e6296a08c97ac39e360a7d80726ce4022 Mon Sep 17 00:00:00 2001 
From: Jeremy Dubois Date: Mon, 1 Jun 2020 11:37:15 +0200 Subject: [PATCH 052/150] Ansible-lint and yamllint again Lot of truthy variables, indentation and trailing spaces --- prerequisite.yml | 4 +- roles/base/defaults/main.yml | 26 ++++++------ roles/base/tasks/doas.yml | 6 +-- roles/base/tasks/dotfiles.yml | 6 +-- roles/base/tasks/evobackup.yml | 4 +- roles/base/tasks/evomaintenance.yml | 6 +-- roles/base/tasks/mail.yml | 4 +- roles/base/tasks/packages.yml | 16 ++++---- roles/base/tasks/sudo.yml | 12 +++--- roles/bgp/tasks/main.yml | 6 +-- roles/etc-git/defaults/main.yml | 2 +- roles/etc-git/tasks/commit.yml | 34 ++++++++-------- roles/etc-git/tasks/main.yml | 16 ++++---- roles/evocheck/tasks/exec.yml | 8 ++-- roles/evocheck/tasks/install.yml | 6 +-- roles/forwarding/tasks/main.yml | 4 +- roles/nagios-nrpe/tasks/main.yml | 2 +- roles/openvpn/tasks/main.yml | 63 ++++++++++++++--------------- roles/ospf/tasks/main.yml | 2 +- roles/pf/tasks/main.yml | 2 +- tasks/commit_etc_git.yml | 6 +-- 21 files changed, 115 insertions(+), 120 deletions(-) diff --git a/prerequisite.yml b/prerequisite.yml index 64b4549..c2fcfbe 100644 --- a/prerequisite.yml +++ b/prerequisite.yml @@ -3,10 +3,10 @@ --- - hosts: all - become: yes + become: true become_method: su user: root - gather_facts: no + gather_facts: false tasks: diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml index 0748c9f..b2173a8 100644 --- a/roles/base/defaults/main.yml +++ b/roles/base/defaults/main.yml @@ -1,6 +1,6 @@ --- ntpd_servers: -- "ntp.evolix.net" + - "ntp.evolix.net" general_alert_email: "root@localhost" general_technical_realm: "example.com" 
@@ -8,23 +8,23 @@ general_technical_realm: "example.com" evomaintenance_realm: "example.com" evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" -evomaintenance_pg_host: Null -evomaintenance_pg_passwd: Null -evomaintenance_pg_db: Null -evomaintenance_pg_table: Null +evomaintenance_pg_host: null +evomaintenance_pg_passwd: null +evomaintenance_pg_db: null +evomaintenance_pg_table: null evomaintenance_from_domain: "{{ evomaintenance_realm }}" evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" evomaintenance_urgency_from: mama.doe@example.com evomaintenance_urgency_tel: "06.00.00.00.00" -evomaintenance_install_vendor: False -evomaintenance_force_config: True -evomaintenance_api_endpoint: Null -evomaintenance_api_key: Null -evomaintenance_hook_api: True -evomaintenance_hook_db: False -evomaintenance_hook_commit: True -evomaintenance_hook_mail: True +evomaintenance_install_vendor: false +evomaintenance_force_config: true +evomaintenance_api_endpoint: null +evomaintenance_api_key: null +evomaintenance_hook_api: true +evomaintenance_hook_db: false +evomaintenance_hook_commit: true +evomaintenance_hook_mail: true evomaintenance_default_hosts: [] evomaintenance_additional_hosts: [] evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}" diff --git a/roles/base/tasks/doas.yml b/roles/base/tasks/doas.yml index 9c866a5..538b1af 100644 --- a/roles/base/tasks/doas.yml +++ b/roles/base/tasks/doas.yml @@ -6,8 +6,6 @@ owner: root group: wheel mode: "0640" - backup: no + backup: false tags: - - doas - - + - doas diff --git a/roles/base/tasks/dotfiles.yml b/roles/base/tasks/dotfiles.yml index a132e03..f8598df 100644 --- a/roles/base/tasks/dotfiles.yml +++ b/roles/base/tasks/dotfiles.yml 
@@ -39,10 +39,10 @@ dest: /etc/skel/.profile insertafter: EOF line: 'trap "doas /usr/share/scripts/evomaintenance.sh" 0' - create: yes + create: true tags: - - admin - - dotfiles + - admin + - dotfiles - name: Add vim configuration to dotfiles for new users copy: diff --git a/roles/base/tasks/evobackup.yml b/roles/base/tasks/evobackup.yml index ba5a24a..6ec8db5 100644 --- a/roles/base/tasks/evobackup.yml +++ b/roles/base/tasks/evobackup.yml @@ -6,7 +6,7 @@ owner: root group: wheel mode: "0755" - force: no + force: false tags: - evobackup @@ -16,6 +16,6 @@ line: '#sh /usr/share/scripts/zzz_evobackup' owner: root mode: "0644" - create: yes + create: true tags: - evobackup diff --git a/roles/base/tasks/evomaintenance.yml b/roles/base/tasks/evomaintenance.yml index f1d1c18..e963256 100644 --- a/roles/base/tasks/evomaintenance.yml +++ b/roles/base/tasks/evomaintenance.yml @@ -12,8 +12,8 @@ - name: Copy evomaintenance script and template copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755" with_items: - - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/' } - - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/' } + - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'} + - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'} tags: - evomaintenance - script-evomaintenance @@ -25,6 +25,6 @@ owner: root group: wheel mode: "0600" - backup: no + backup: false tags: - evomaintenance diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml index 321d837..dae151c 100644 --- a/roles/base/tasks/mail.yml +++ b/roles/base/tasks/mail.yml @@ -3,7 +3,7 @@ lineinfile: path: /etc/rc.local line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}' - create: yes + create: true tags: - misc @@ -12,7 +12,7 @@ dest: /etc/mail/aliases regexp: "# root:" replace: "root: {{ general_alert_email }}" - backup: no + backup: false notify: - newaliases tags: 
diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index 695ffe1..4decaee 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -10,20 +10,20 @@ - name: Install packages (vim rsync mtr etc) openbsd_pkg: name: - - wget - - vim--no_x11 - - rsync-- - - mtr-- - - iftop - - sudo-- - - postgresql-client + - wget + - vim--no_x11 + - rsync-- + - mtr-- + - iftop + - sudo-- + - postgresql-client tags: - pkg - name: Disable sndiod service: name: sndiod - enabled: no + enabled: false state: stopped tags: - pkg diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index 8ba489e..0d0467d 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -4,11 +4,11 @@ lineinfile: dest: /etc/sudoers insertafter: '# and set environment variables.' - line: '%wheel ALL=(ALL) SETENV: ALL' + line: '%wheel ALL=(ALL) SETENV: ALL' validate: 'visudo -cf %s' - backup: no + backup: false tags: - - sudo + - sudo - name: Configure sudoers for evomaintenance and monitoring blockinfile: @@ -19,8 +19,6 @@ Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh %wheel ALL=NOPASSWD: MAINT validate: 'visudo -cf %s' - backup: no + backup: false tags: - - sudo - - + - sudo diff --git a/roles/bgp/tasks/main.yml b/roles/bgp/tasks/main.yml index b67ab8f..c08f47a 100644 --- a/roles/bgp/tasks/main.yml +++ b/roles/bgp/tasks/main.yml @@ -5,7 +5,7 @@ dest: /usr/share/scripts/bgpd-check-peers.sh when: group_names | select('search','bgp') | list | count > 0 tags: - - bgp + - bgp - name: Cron job for bgp check script is installed cron: @@ -15,13 +15,13 @@ tags: - bgp -- name: Create bgp log directory +- name: Create bgp log directory file: path: /var/log/bgp state: directory when: group_names | select('search','bgp') | list | count > 0 tags: - - bgp + - bgp - name: weekly best routes cron job is installed cron: diff --git a/roles/etc-git/defaults/main.yml b/roles/etc-git/defaults/main.yml index 8a822ab..f160858 100644 
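Review bot: In `roles/base/tasks/sudo.yml` the value of `line:` itself appears to have changed (the removed and added `%wheel ALL=(ALL) SETENV: ALL` lines differ only in whitespace), and for `lineinfile` that is not cosmetic: without a `regexp`, the module searches for the exact new string, so hosts already carrying the old variant get a second `%wheel` rule appended instead of the existing one being matched. If the difference is only the YAML indentation before `line:`, this is a non-issue; if it is inside the quoted value, add `regexp: '^%wheel\s+ALL=\(ALL\)\s+SETENV:\s+ALL'` so both spellings are matched and `validate` still runs on the result. The same question applies to the `commit_email` value in `roles/etc-git/tasks/commit.yml`, although a whitespace change inside a Jinja expression is harmless there.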
--- a/roles/etc-git/defaults/main.yml +++ b/roles/etc-git/defaults/main.yml @@ -1,4 +1,4 @@ --- commit_message: Ansible run -etc_git_monitor_status: True +etc_git_monitor_status: true diff --git a/roles/etc-git/tasks/commit.yml b/roles/etc-git/tasks/commit.yml index e4166e7..a816d81 100644 --- a/roles/etc-git/tasks/commit.yml +++ b/roles/etc-git/tasks/commit.yml @@ -3,20 +3,20 @@ command: git status --porcelain args: chdir: /etc - changed_when: False + changed_when: false register: git_status when: not ansible_check_mode - ignore_errors: yes + ignore_errors: true tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - debug: var: git_status verbosity: 3 tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - name: fetch current Git user.email git_config: @@ -24,18 +24,18 @@ repo: /etc scope: local register: git_config_user_email - ignore_errors: yes + ignore_errors: true tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - name: set commit author set_fact: commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}' - commit_email: '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' + commit_email: '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - name: /etc modifications are committed shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\"" 
@@ -43,14 +43,14 @@ chdir: /etc register: etc_commit_end_run when: not ansible_check_mode and git_status.stdout != "" - ignore_errors: yes + ignore_errors: true tags: - - etc-git - - commit-etc + - etc-git + - commit-etc - debug: var: etc_commit_end_run verbosity: 4 tags: - - etc-git - - commit-etc + - etc-git + - commit-etc diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index e81c2f5..e4c01e2 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -12,7 +12,7 @@ args: chdir: /etc creates: /etc/.git/ - warn: no + warn: false register: git_init tags: - etc-git @@ -48,11 +48,11 @@ command: "git log" args: chdir: /etc - warn: no - changed_when: False - failed_when: False + warn: false + changed_when: false + failed_when: false register: git_log - check_mode: no + check_mode: false tags: - etc-git @@ -60,7 +60,7 @@ shell: "git add -A . && git commit -m \"Initial commit via Ansible\"" args: chdir: /etc - warn: no + warn: false register: git_commit when: git_log.rc != 0 or (git_init is defined and git_init.changed) tags: @@ -72,7 +72,7 @@ line: '/usr/local/bin/git --git-dir /etc/.git gc --quiet' owner: root mode: "0644" - create: yes + create: true tags: - etc-git @@ -82,7 +82,7 @@ line: "{{ item }}" owner: root mode: "0644" - create: yes + create: true when: etc_git_monitor_status tags: - etc-git diff --git a/roles/evocheck/tasks/exec.yml b/roles/evocheck/tasks/exec.yml index 244d034..d7f9ac6 100644 --- a/roles/evocheck/tasks/exec.yml +++ b/roles/evocheck/tasks/exec.yml @@ -2,9 +2,9 @@ - name: run evocheck command: "{{ evocheck_bin_dir }}/evocheck.sh" register: evocheck_run - changed_when: False - failed_when: False - check_mode: no + changed_when: false + failed_when: false + check_mode: false tags: - evocheck-exec @@ -12,4 +12,4 @@ var: evocheck_run.stdout_lines when: evocheck_run.stdout != "" tags: - - evocheck-exec + - evocheck-exec 
diff --git a/roles/evocheck/tasks/install.yml b/roles/evocheck/tasks/install.yml index 915bc98..6b88c17 100644 --- a/roles/evocheck/tasks/install.yml +++ b/roles/evocheck/tasks/install.yml @@ -15,7 +15,7 @@ dest: "{{ evocheck_bin_dir }}/evocheck.sh" mode: "0700" owner: root - force: yes + force: true tags: - evocheck @@ -23,7 +23,7 @@ copy: src: evocheck.cf dest: /etc/evocheck.cf - force: no + force: false tags: - evocheck @@ -33,6 +33,6 @@ line: 'sh /usr/share/scripts/evocheck.sh --verbose --cron' owner: root mode: "0644" - create: yes + create: true tags: - evocheck diff --git a/roles/forwarding/tasks/main.yml b/roles/forwarding/tasks/main.yml index d424c35..f97c4af 100644 --- a/roles/forwarding/tasks/main.yml +++ b/roles/forwarding/tasks/main.yml @@ -4,7 +4,7 @@ name: net.inet.ip.forwarding value: 1 state: present - reload: yes + reload: true tags: - net @@ -13,6 +13,6 @@ name: net.inet6.ip6.forwarding value: 1 state: present - reload: yes + reload: true tags: - net diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index 270de2f..2b4abd0 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -54,5 +54,5 @@ - name: Starting and enabling nrpe service: name: nrpe - enabled: yes + enabled: true state: started diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 79299c4..05e7b83 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -3,7 +3,7 @@ openbsd_pkg: name: "openvpn--" tags: - - openvpn + - openvpn - name: Create /etc/openvpn directory file: 
@@ -13,59 +13,58 @@ group: "wheel" mode: "0755" tags: - - openvpn + - openvpn - name: Deploy OpenVPN configuration - template: - src: "server.conf.j2" + template: + src: "server.conf.j2" dest: "/etc/openvpn/server.conf" - mode: "0600" + mode: "0600" notify: restart openvpn tags: - - openvpn + - openvpn - name: Enabling OpenVPN service: name: openvpn - enabled: yes + enabled: true tags: - - openvpn + - openvpn - name: Set OpenVPN flag shell: 'rcctl set openvpn flags "--config /etc/openvpn/server.conf"' tags: - - openvpn + - openvpn - name: Create shellpki user user: name: "_shellpki" - system: yes - state: present - system: yes + system: true + state: present home: "/etc/shellpki/" shell: "/sbin/nologin" tags: - - openvpn + - openvpn - name: Copy some shellpki files - copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root group: wheel mode: "{{ item.mode }}" - force: yes + force: true with_items: - - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' } - - { src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755' } + - {src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640'} + - {src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755'} tags: - openvpn - name: Deploy DH PARAMETERS - template: - src: "dh2048.pem.j2" + template: + src: "dh2048.pem.j2" dest: "/etc/shellpki/dh2048.pem" - mode: "0600" + mode: "0600" tags: - openvpn @@ -77,7 +76,7 @@ group: "wheel" mode: "0755" tags: - - openvpn + - openvpn - name: Include /etc/sudoers.d in sudoers configuration file lineinfile: 
@@ -91,20 +90,20 @@ src: "sudo_shellpki" dest: "/etc/sudoers.d/shellpki" force: true - mode: "0440" + mode: "0440" validate: '/usr/local/sbin/visudo -cf %s' tags: - - openvpn + - openvpn - name: Copy check_openvpn - copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root group: wheel mode: "{{ item.mode }}" - force: yes + force: true with_items: - - { src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755' } + - {src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755'} tags: - openvpn diff --git a/roles/ospf/tasks/main.yml b/roles/ospf/tasks/main.yml index aa04759..d1b28be 100644 --- a/roles/ospf/tasks/main.yml +++ b/roles/ospf/tasks/main.yml @@ -8,7 +8,7 @@ - "ospf6d-check-peers.sh" when: group_names | select('search','ospf') | list | count > 0 tags: - - ospf + - ospf - name: Cron job for ospf check scripts is installed cron: diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 30aef63..8df8414 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml @@ -4,4 +4,4 @@ src: pf.conf.j2 dest: /etc/pf.conf mode: "0600" - backup: yes + backup: true diff --git a/tasks/commit_etc_git.yml b/tasks/commit_etc_git.yml index 8420431..bb8d5dd 100644 --- a/tasks/commit_etc_git.yml +++ b/tasks/commit_etc_git.yml @@ -3,10 +3,10 @@ command: git status --porcelain args: chdir: /etc - changed_when: False + changed_when: false register: git_status when: not ansible_check_mode - ignore_errors: yes + ignore_errors: true tags: - commit-etc @@ -16,6 +16,6 @@ chdir: /etc register: etc_commit_end_evolinux when: not ansible_check_mode and git_status.stdout != "" - ignore_errors: yes + ignore_errors: true tags: - commit-etc From a6213719ae7830d03d9941ac3b82f388293e3e88 Mon Sep 17 00:00:00 2001 
From: Patrick Marchand Date: Wed, 3 Jun 2020 16:45:42 -0400 Subject: [PATCH 053/150] Add linting step to the ci We will need to go through code and ignore any warnings we dont want to fix. --- .drone.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .drone.yml diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..d88076c --- /dev/null +++ b/.drone.yml @@ -0,0 +1,11 @@ +--- +kind: pipeline +type: docker +name: default + +steps: +- name: lint ansible scripts + image: pipelinecomponents/ansible-lint:latest + commands: + - "find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' | xargs ansible-playbook --syntax-check --list-tasks" + - "find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' | xargs ansible-lint" From 4e8fca725ca3707ed10b29199d496d6a6203b95d Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 11:21:21 -0400 Subject: [PATCH 054/150] mention linting in CONTRIBUTING.md more of a test for the drone ci hook honestly --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c50afd9..9495015 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -10,7 +10,7 @@ created. you're updating the CHANGELOG file. 3. Use feature branches for anything else, once they've passed all -CI tests and have been reviewed by other contributors through a +CI test, lints and have been reviewed by other contributors through a pull request, they may be merged into the dev branch. From f8d6a0be86073041dab99c5c953ffaedebbce701 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 11:41:49 -0400 Subject: [PATCH 055/150] add a yaml linting step to the ci catches problems in the drone ci file as well --- .drone.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.drone.yml b/.drone.yml index d88076c..70bc054 100644 --- a/.drone.yml +++ b/.drone.yml 
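Review bot: `grep -v '.drone.yml'` is an unanchored pattern in which the dot matches any character, so it also drops any playbook whose name merely contains a similar substring, and it is only needed because `find -maxdepth 1 -name '*.yml'` does match the dotfile; the exclusion belongs in find itself: `find . -maxdepth 1 -name '*.yml' ! -name '.drone.yml' | sort | xargs ansible-playbook --syntax-check --list-tasks`, and likewise for the ansible-lint command. The `pipelinecomponents/ansible-lint:latest` image is unpinned, so lint results can change between runs with no change in this repository; pin a version tag or digest. The same applies to the yamllint and remark-lint steps added in the two following patches (055 and 056).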
@@ -4,6 +4,11 @@ type: docker name: default steps: +- name: lint yaml files + image: pipelinecomponents/yamllint:latest + commands: + - "yamllint ." + - name: lint ansible scripts image: pipelinecomponents/ansible-lint:latest commands: From 896548c14ccf2a9192854276fae8b11c632eccc7 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 11:42:46 -0400 Subject: [PATCH 056/150] lint markdown files Makes sure the documentation will render correctly --- .drone.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.drone.yml b/.drone.yml index 70bc054..b5a3161 100644 --- a/.drone.yml +++ b/.drone.yml @@ -4,6 +4,11 @@ type: docker name: default steps: +- name: lint markdown files + image: pipelinecomponents/remark-lint:latest + commands: + - "remark --no-stdout --color --use preset-lint-recommended ." + - name: lint yaml files image: pipelinecomponents/yamllint:latest commands: From e877b721f9d511018b5f9a423a2fdd119b54f6b4 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 11:47:08 -0400 Subject: [PATCH 057/150] Fix readme markdown --- CONTRIBUTING.md | 8 ++++---- README.md | 14 +++++++------- roles/bgp/README.md | 6 +++--- roles/nagios-nrpe/README.md | 2 +- roles/ospf/README.md | 6 +++--- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9495015..6a76452 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -2,17 +2,17 @@ Contributions are welcome, as long as they respect our current workflow: -1. The master branch is only for releases. Once properly tested, + 1. The master branch is only for releases. Once properly tested, the dev branch can be merged, the release tagged and a tar archive created. -2. The dev branch should never be commited to directly, unless + 2. The dev branch should never be commited to directly, unless you're updating the CHANGELOG file. -3. Use feature branches for anything else, once they've passed all + 3. Use feature branches for anything else, once they've passed all CI test, lints and have been reviewed by other contributors through a pull request, they may be merged into the dev branch. Open issues liberally, but please review closed and opened issues -for duplicates before hand. \ No newline at end of file +for duplicates before hand. diff --git a/README.md b/README.md index 2d65ac2..ea3b1e0 100644 --- a/README.md +++ b/README.md @@ -26,19 +26,19 @@ ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME Changes can be tested by using [Packer](https://www.packer.io/) and [vmm(4)](https://man.openbsd.org/vmm.4) : -* This process depends on the [Go](https://golang.org/) programming language. + * This process depends on the [Go](https://golang.org/) programming language. ``` # pkg_add go packer ``` -* We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) + * We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) ``` $ go get -u github.com/prep/packer-builder-vmm/cmd/packer-builder-vmm ``` -* Here is an example build file + * Here is an example build file ``` $ vim openbsd.json 
@@ -101,25 +101,25 @@ $ vim openbsd.json } -* You need your unprivileged user to be able to run vmctl(8) through doas(1) + * You need your unprivileged user to be able to run vmctl(8) through doas(1) ``` # echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf ``` -* Build the virtual machine + * Build the virtual machine ``` $ packer build openbsd.json ``` -* Start it + * Start it ``` doas vmctl start evobsd -cL -d output-vmm/evobsd.qcow2 ``` -* Enable NAT on your host machine + * Enable NAT on your host machine ``` pass out on em0 inet from tap0:network to any nat-to (em0) diff --git a/roles/bgp/README.md b/roles/bgp/README.md index 51aad44..827529a 100644 --- a/roles/bgp/README.md +++ b/roles/bgp/README.md @@ -1,5 +1,5 @@ # BGP - + Deployment of BGP check script with its cron, and a best route log cron. ## Tasks @@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file. The full list of variables (with default values) can be found in `defaults/main.yml`. -* `bgp_mailto` : email address the output of the script will be sent to when a change is detected -* `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked + * `bgp_mailto` : email address the output of the script will be sent to when a change is detected + * `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked diff --git a/roles/nagios-nrpe/README.md b/roles/nagios-nrpe/README.md index 3f3f9a9..0870336 100644 --- a/roles/nagios-nrpe/README.md +++ b/roles/nagios-nrpe/README.md @@ -8,6 +8,6 @@ Everything is in the `tasks/main.yml` file. ## Available variables -* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). + * `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/roles/ospf/README.md b/roles/ospf/README.md index f0e929c..2cec045 100644 
--- a/roles/ospf/README.md +++ b/roles/ospf/README.md @@ -1,5 +1,5 @@ # OSPF - + Deployment of OSPF check scripts with their cron. ## Tasks @@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file. The full list of variables (with default values) can be found in `defaults/main.yml`. -* `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected -* `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs + * `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected + * `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs From 98089a3274c889fd6aab48ee1188ed1bad533918 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 12:51:53 -0400 Subject: [PATCH 058/150] Fix yaml lint lines too long In some cases I used block scalars: https://yaml-multiline.info/ In other cases I added newlines In rare cases I just ignored the rule: https://yamllint.readthedocs.io/en/stable/disable_with_comments.html --- .drone.yml | 34 ++++++++++++++++++----------- evolixisation.yml | 1 + prerequisite.yml | 1 + roles/accounts/tasks/main.yml | 3 ++- roles/base/defaults/main.yml | 11 +++++++--- roles/base/tasks/evomaintenance.yml | 7 +++++- roles/base/tasks/mail.yml | 3 ++- roles/bgp/tasks/main.yml | 4 +++- roles/etc-git/tasks/commit.yml | 2 ++ roles/etc-git/tasks/main.yml | 19 +++++++++++++--- roles/nagios-nrpe/defaults/main.yml | 3 ++- roles/openvpn/tasks/main.yml | 12 +++++++--- tasks/commit_etc_git.yml | 10 +++++++-- vars/main.yml | 6 +++-- 14 files changed, 85 insertions(+), 31 deletions(-) diff --git a/.drone.yml b/.drone.yml index b5a3161..13451c1 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -4,18 +4,26 @@ type: docker name: default steps: -- name: lint markdown files - image: pipelinecomponents/remark-lint:latest - commands: - - "remark --no-stdout --color --use preset-lint-recommended ." + - name: lint markdown files + image: pipelinecomponents/remark-lint:latest + commands: + - "remark --no-stdout --color --use preset-lint-recommended ." -- name: lint yaml files - image: pipelinecomponents/yamllint:latest - commands: - - "yamllint ." + - name: lint yaml files + image: pipelinecomponents/yamllint:latest + commands: + - "yamllint ." -- name: lint ansible scripts - image: pipelinecomponents/ansible-lint:latest - commands: - - "find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' | xargs ansible-playbook --syntax-check --list-tasks" - - "find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' | xargs ansible-lint" + - name: lint ansible scripts + image: pipelinecomponents/ansible-lint:latest + commands: + - > + find . -maxdepth 1 -name '*.yml' + | sort + | grep -v '.drone.yml' + | xargs ansible-playbook --syntax-check --list-tasks + - > + find . -maxdepth 1 -name '*.yml' + | sort + | grep -v '.drone.yml' + | xargs ansible-lint" diff --git a/evolixisation.yml b/evolixisation.yml index 49ebd97..da873e6 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -40,4 +40,5 @@ tasks_from: exec.yml # environment: +# yamllint disable-line rule:line-length # PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" diff --git a/prerequisite.yml b/prerequisite.yml index c2fcfbe..aaf5bbb 100644 --- a/prerequisite.yml +++ b/prerequisite.yml @@ -11,6 +11,7 @@ tasks: - name: Install ansible's prerequisite + # yamllint disable-line rule:line-length raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2 # vim:ft=ansible diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml index c205a97..02d8749 100644 
--- a/roles/accounts/tasks/main.yml +++ b/roles/accounts/tasks/main.yml @@ -37,7 +37,8 @@ - name: "If AllowGroups is present then use it" set_fact: - ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}" + ssh_allowgroups: + "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}" - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" lineinfile: diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml index b2173a8..9be1d76 100644 --- a/roles/base/defaults/main.yml +++ b/roles/base/defaults/main.yml @@ -6,8 +6,10 @@ general_alert_email: "root@localhost" general_technical_realm: "example.com" evomaintenance_realm: "example.com" -evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" -evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" +evomaintenance_alert_email: + "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" +evomaintenance_hostname: + "{{ inventory_hostname }}.{{ general_technical_realm }}" evomaintenance_pg_host: null evomaintenance_pg_passwd: null evomaintenance_pg_db: null @@ -27,4 +29,7 @@ evomaintenance_hook_commit: true evomaintenance_hook_mail: true evomaintenance_default_hosts: [] evomaintenance_additional_hosts: [] -evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}" +evomaintenance_hosts: > + {{ evomaintenance_default_hosts + | union(evomaintenance_additional_hosts) + | unique }} diff --git a/roles/base/tasks/evomaintenance.yml b/roles/base/tasks/evomaintenance.yml index e963256..9d51c7a 100644 --- a/roles/base/tasks/evomaintenance.yml +++ b/roles/base/tasks/evomaintenance.yml 
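Review bot: `evomaintenance_hosts: >` in roles/base/defaults/main.yml is a folded scalar, and if its continuation lines (`| union(...)`, `| unique }}`) are indented deeper than the first line — the collapsed rendering here hides the exact indentation — YAML keeps their line breaks and extra indentation, and the clip chomping adds a trailing newline in any case; the later "Corrects yaml line break" commit in this series fixes that pattern for the shell commands but does not touch this value. Jinja tolerates newlines inside `{{ }}`, but the trailing newline may stop Ansible from converting the rendered result back into a list, so this is worth confirming with a `debug` task. The safer form is the one this same hunk uses for `evomaintenance_alert_email` and roles/nagios-nrpe/defaults/main.yml uses for `nagios_nrpe_allowed_hosts`: the key on one line and a double-quoted scalar on the next, `evomaintenance_hosts:` / `"{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}"`, which folds cleanly and keeps the line short.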
@@ -10,7 +10,12 @@ - evomaintenance - name: Copy evomaintenance script and template - copy: src={{ item.src }} dest={{ item.dest }} owner=root group=wheel mode="0755" + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: 'root' + group: 'wheel' + mode: '0755' with_items: - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'} - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'} diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml index dae151c..dacd60d 100644 --- a/roles/base/tasks/mail.yml +++ b/roles/base/tasks/mail.yml @@ -2,7 +2,8 @@ - name: Configure rc.local lineinfile: path: /etc/rc.local - line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}' + line: + 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}' create: true tags: - misc diff --git a/roles/bgp/tasks/main.yml b/roles/bgp/tasks/main.yml index c08f47a..a0304a7 100644 --- a/roles/bgp/tasks/main.yml +++ b/roles/bgp/tasks/main.yml @@ -29,7 +29,9 @@ minute: 0 hour: 4 weekday: 0 - job: "/usr/sbin/bgpctl show rib selected > /var/log/bgp/rib-selected-$(date +\\%F)" + job: > + /usr/sbin/bgpctl show rib selected + > /var/log/bgp/rib-selected-$(date +\\%F) when: group_names | select('search','bgp') | list | count > 0 tags: - bgp diff --git a/roles/etc-git/tasks/commit.yml b/roles/etc-git/tasks/commit.yml index a816d81..94cd02f 100644 --- a/roles/etc-git/tasks/commit.yml +++ b/roles/etc-git/tasks/commit.yml @@ -29,6 +29,7 @@ - etc-git - commit-etc +# yamllint disable rule:line-length - name: set commit author set_fact: commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}' @@ -47,6 +48,7 @@ tags: - etc-git - commit-etc +# yamllint enable rule:line-length - debug: var: etc_commit_end_run diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index e4c01e2..6b20325 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml 
@@ -93,7 +93,8 @@ - name: cron job for /etc/.git status is removed lineinfile: path: /etc/daily.local - line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + line: + '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' owner: root mode: "0644" state: absent @@ -105,7 +106,13 @@ cron: name: git status minute: 42 - job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short" + job: > + who + > /dev/null + || /usr/local/bin/git + --git-dir=/etc/.git + --work-tree=/etc + status --short when: etc_git_monitor_status tags: - etc-git @@ -114,7 +121,13 @@ cron: name: git status minute: 42 - job: "who > /dev/null || /usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short" + job: > + who + > /dev/null + || /usr/local/bin/git + --git-dir=/etc/.git + --work-tree=/etc + status --short state: absent when: not etc_git_monitor_status tags: diff --git a/roles/nagios-nrpe/defaults/main.yml b/roles/nagios-nrpe/defaults/main.yml index 96c3ddd..c27efa8 100644 --- a/roles/nagios-nrpe/defaults/main.yml +++ b/roles/nagios-nrpe/defaults/main.yml @@ -2,7 +2,8 @@ evolix_trusted_ips: [] additional_trusted_ips: [] # Let's merge evolix_trusted_ips with additional_trusted_ips -nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +nagios_nrpe_allowed_hosts: + "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT" nagios_nrpe_ldap_passwd: LDAP_PASSWD nagios_nrpe_pgsql_passwd: PGSQL_PASSWD diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index 05e7b83..c3b0d80 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml 
@@ -55,8 +55,12 @@ mode: "{{ item.mode }}" force: true with_items: - - {src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640'} - - {src: 'files/shellpki/shellpki', dest: '/usr/local/sbin/shellpki', mode: '0755'} + - src: 'files/shellpki/openssl.cnf' + dest: '/etc/shellpki/openssl.cnf' + mode: '0640' + - src: 'files/shellpki/shellpki' + dest: '/usr/local/sbin/shellpki' + mode: '0755' tags: - openvpn @@ -104,6 +108,8 @@ mode: "{{ item.mode }}" force: true with_items: - - {src: 'files/check_openvpn.pl', dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl', mode: '0755'} + - src: 'files/check_openvpn.pl' + dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl' + mode: '0755' tags: - openvpn diff --git a/tasks/commit_etc_git.yml b/tasks/commit_etc_git.yml index bb8d5dd..2925120 100644 --- a/tasks/commit_etc_git.yml +++ b/tasks/commit_etc_git.yml @@ -9,9 +9,14 @@ ignore_errors: true tags: - commit-etc - +# yamllint disable rule:line-length - name: /etc modifications are committed - shell: "git add -A . && git commit -m \"{{ commit_message | default('Ansible run') }}\" --author=\"{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>\"" + shell: > + git add -A . + && git commit + -m "{{ commit_message | default('Ansible run') }}" + --author="{{ ansible_env.SUDO_USER | default('Root') }}" + < "{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>" args: chdir: /etc register: etc_commit_end_evolinux @@ -19,3 +24,4 @@ ignore_errors: true tags: - commit-etc +# yamllint enable rule:line-length diff --git a/vars/main.yml b/vars/main.yml index 7e70b75..347a44e 100644 --- a/vars/main.yml +++ b/vars/main.yml 
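Review bot: The re-wrapped `shell: >` in tasks/commit_etc_git.yml changes the command's meaning: the `<` that used to be inside the quoted `--author="… <…>"` value is now a bare token between `--author="{{ … }}"` and a separately quoted word, so the shell treats `< "user@realm>"` as an input redirection from a file of that name, the redirection fails and `git commit` never runs. Because the task carries `ignore_errors: true`, that failure only shows up as an ignored error and changes under /etc silently go uncommitted. Keep the whole identity in one quoted argument, `--author="{{ ansible_env.SUDO_USER | default('Root') }} <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>"`, and consider replacing the blanket `ignore_errors` with a registered result plus `failed_when` so a broken commit step is visible in the play output. The follow-up "Corrects yaml line break" commit later in this series moves the `<` back inside quotes but still passes the address as a second word, so the fix is not yet complete there either.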
@@ -13,8 +13,10 @@ evolinux_sudo_group: "evolinux-sudo" evolinux_root_disable_ssh: true # # evomaintenance_realm: "example.com" -# evomaintenance_alert_email: "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" -# evomaintenance_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}" +# evomaintenance_alert_email: +# "evomaintenance-{{ inventory_hostname }}@{{ evomaintenance_realm }}" +# evomaintenance_hostname: +# "{{ inventory_hostname }}.{{ general_technical_realm }}" # evomaintenance_pg_host: Null # evomaintenance_pg_passwd: Null # evomaintenance_pg_db: Null From c6410ca1f5c0362c4526e9167f27cf8d263448b4 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 13:02:47 -0400 Subject: [PATCH 059/150] fix forgotten quote in .drone.yml --- .drone.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.drone.yml b/.drone.yml index 13451c1..69f9b3f 100644 --- a/.drone.yml +++ b/.drone.yml @@ -22,8 +22,9 @@ steps: | sort | grep -v '.drone.yml' | xargs ansible-playbook --syntax-check --list-tasks + - > find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' - | xargs ansible-lint" + | xargs ansible-lint From db488ba8ef6524ae3b9c20f200724f3a3141d080 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 13:10:08 -0400 Subject: [PATCH 060/150] Split long lines in git role --- roles/etc-git/tasks/commit.yml | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/roles/etc-git/tasks/commit.yml b/roles/etc-git/tasks/commit.yml index 94cd02f..d41de38 100644 --- a/roles/etc-git/tasks/commit.yml +++ b/roles/etc-git/tasks/commit.yml 
@@ -29,17 +29,32 @@ - etc-git - commit-etc -# yamllint disable rule:line-length - name: set commit author set_fact: - commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}' - commit_email: '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' + commit_author: > + {% if ansible_env.SUDO_USER is not defined %} + root + {% else %} + {{ ansible_env.SUDO_USER }} + {% endif %} + commit_email: > + {% if git_config_user_email.config_value is not defined + or git_config_user_email.config_value == "" %} + root@localhost + {% else %} + {{ git_config_user_email.config_value }} + {% endif %} tags: - etc-git - commit-etc - name: /etc modifications are committed - shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\"" + shell: > + git add -A . + && git commit + -m "{{ commit_message | mandatory }}" + --author + "{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>" args: chdir: /etc register: etc_commit_end_run @@ -48,7 +63,6 @@ tags: - etc-git - commit-etc -# yamllint enable rule:line-length - debug: var: etc_commit_end_run From aaf22d450e5697ba3d89ef997bdd76d8f7b428f4 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 13:12:38 -0400 Subject: [PATCH 061/150] Try to fix markdown indentation --- CONTRIBUTING.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6a76452..19602d7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
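Review bot: The folded `commit_author: >` and `commit_email: >` blocks keep the spaces and trailing newline that YAML folding leaves between `{% if %}`, `root` and `{% else %}`, so the facts render as values like ` root ` followed by a newline rather than `root`; git's ident handling most likely strips the surrounding blanks, so it probably still works, but it is fragile and hard to read. A one-line conditional expression avoids the problem: `commit_author: "{{ 'root' if ansible_env.SUDO_USER is not defined else ansible_env.SUDO_USER }}"` and `commit_email: "{{ 'root@localhost' if (git_config_user_email.config_value is not defined or git_config_user_email.config_value == '') else git_config_user_email.config_value }}"`. Separately, the `shell: >` task still splices `commit_message`, `commit_author` and `commit_email` straight into a shell string, so a value containing a double quote breaks the command and whatever follows is executed as shell; pass each value through the `quote` filter, e.g. `-m {{ commit_message | mandatory | quote }}`, or move to the `command` module with `argv` so no shell parsing happens at all. The `shell:` task in tasks/commit_etc_git.yml (previous commit) has the same exposure.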
@@ -3,15 +3,15 @@ Contributions are welcome, as long as they respect our current workflow: 1. The master branch is only for releases. Once properly tested, -the dev branch can be merged, the release tagged and a tar archive -created. + the dev branch can be merged, the release tagged and a tar archive + created. 2. The dev branch should never be commited to directly, unless -you're updating the CHANGELOG file. + you're updating the CHANGELOG file. 3. Use feature branches for anything else, once they've passed all -CI test, lints and have been reviewed by other contributors through a -pull request, they may be merged into the dev branch. + CI test, lints and have been reviewed by other contributors through a + pull request, they may be merged into the dev branch. Open issues liberally, but please review closed and opened issues From 245c80d73fad06be69fee22f963735486aa3b307 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 13:14:23 -0400 Subject: [PATCH 062/150] Try to fix markdown indentation, again --- CONTRIBUTING.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 19602d7..855cc70 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -2,16 +2,16 @@ Contributions are welcome, as long as they respect our current workflow: - 1. The master branch is only for releases. Once properly tested, - the dev branch can be merged, the release tagged and a tar archive - created. +1. The master branch is only for releases. Once properly tested, + the dev branch can be merged, the release tagged and a tar archive + created. - 2. The dev branch should never be commited to directly, unless - you're updating the CHANGELOG file. +2. The dev branch should never be commited to directly, unless + you're updating the CHANGELOG file. - 3. Use feature branches for anything else, once they've passed all - CI test, lints and have been reviewed by other contributors through a - pull request, they may be merged into the dev branch. +3. Use feature branches for anything else, once they've passed all + CI test, lints and have been reviewed by other contributors through a + pull request, they may be merged into the dev branch. Open issues liberally, but please review closed and opened issues From ce09c3f81ffd59447388463e7fe46c5effff71a2 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 13:16:08 -0400 Subject: [PATCH 063/150] Try to fix markdown indentation, again and again --- CONTRIBUTING.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 855cc70..4518abc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -2,14 +2,14 @@ Contributions are welcome, as long as they respect our current workflow: -1. The master branch is only for releases. Once properly tested, + 1. The master branch is only for releases. Once properly tested, the dev branch can be merged, the release tagged and a tar archive created. -2. The dev branch should never be commited to directly, unless + 2. The dev branch should never be commited to directly, unless you're updating the CHANGELOG file. -3. Use feature branches for anything else, once they've passed all + 3. Use feature branches for anything else, once they've passed all CI test, lints and have been reviewed by other contributors through a pull request, they may be merged into the dev branch. From 87ff4e635f395d034607fecbc02ca75c0a72d9b0 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Thu, 4 Jun 2020 13:18:28 -0400 Subject: [PATCH 064/150] Try to fix markdown indentation after reading issues See https://github.com/remarkjs/remark-lint/issues/178 --- CONTRIBUTING.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4518abc..557c3c0 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -2,14 +2,14 @@ Contributions are welcome, as long as they respect our current workflow: - 1. The master branch is only for releases. Once properly tested, +1. The master branch is only for releases. Once properly tested, the dev branch can be merged, the release tagged and a tar archive created. - 2. The dev branch should never be commited to directly, unless +2. The dev branch should never be commited to directly, unless you're updating the CHANGELOG file. - 3. Use feature branches for anything else, once they've passed all +3. Use feature branches for anything else, once they've passed all CI test, lints and have been reviewed by other contributors through a pull request, they may be merged into the dev branch. From b711154722ad6956323463b5992c6a68968a18ab Mon Sep 17 00:00:00 2001 
From: Patrick Marchand Date: Thu, 4 Jun 2020 13:23:06 -0400 Subject: [PATCH 065/150] Apply fix in last commit to other markdown files So a markdown list should be no indentation followed by two spaces. ' ' * one * two --- CONTRIBUTING.md | 2 +- README.md | 18 +++++++++--------- roles/bgp/README.md | 4 ++-- roles/nagios-nrpe/README.md | 2 +- roles/ospf/README.md | 4 ++-- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 557c3c0..d8caf95 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -9,7 +9,7 @@ Contributions are welcome, as long as they respect our current workflow: 2. The dev branch should never be commited to directly, unless you're updating the CHANGELOG file. -3. Use feature branches for anything else, once they've passed all +3. Use feature branches for anything else, once they've passed all CI test, lints and have been reviewed by other contributors through a pull request, they may be merged into the dev branch. diff --git a/README.md b/README.md index ea3b1e0..0182ec5 100644 --- a/README.md +++ b/README.md @@ -9,13 +9,13 @@ used by Evolix. Put your public key in the remote root's autorized_keys (/root/.ssh/authorized_keys) -1 - Install ansible's prerequisites +1. Install ansible's prerequisites ``` ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME ``` -2 - Run it +2. Run it ``` ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME 
@@ -26,19 +26,19 @@ ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME Changes can be tested by using [Packer](https://www.packer.io/) and [vmm(4)](https://man.openbsd.org/vmm.4) : - * This process depends on the [Go](https://golang.org/) programming language. +* This process depends on the [Go](https://golang.org/) programming language. ``` # pkg_add go packer ``` - * We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) +* We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) ``` $ go get -u github.com/prep/packer-builder-vmm/cmd/packer-builder-vmm ``` - * Here is an example build file +* Here is an example build file ``` $ vim openbsd.json @@ -101,25 +101,25 @@ $ vim openbsd.json } - * You need your unprivileged user to be able to run vmctl(8) through doas(1) +* You need your unprivileged user to be able to run vmctl(8) through doas(1) ``` # echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf ``` - * Build the virtual machine +* Build the virtual machine ``` $ packer build openbsd.json ``` - * Start it +* Start it ``` doas vmctl start evobsd -cL -d output-vmm/evobsd.qcow2 ``` - * Enable NAT on your host machine +* Enable NAT on your host machine ``` pass out on em0 inet from tap0:network to any nat-to (em0) diff --git a/roles/bgp/README.md b/roles/bgp/README.md index 827529a..3312e75 100644 --- a/roles/bgp/README.md +++ b/roles/bgp/README.md 
@@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file. The full list of variables (with default values) can be found in `defaults/main.yml`. - * `bgp_mailto` : email address the output of the script will be sent to when a change is detected - * `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked +* `bgp_mailto` : email address the output of the script will be sent to when a change is detected +* `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked diff --git a/roles/nagios-nrpe/README.md b/roles/nagios-nrpe/README.md index 0870336..840698d 100644 --- a/roles/nagios-nrpe/README.md +++ b/roles/nagios-nrpe/README.md @@ -8,6 +8,6 @@ Everything is in the `tasks/main.yml` file. ## Available variables - * `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). +* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/roles/ospf/README.md b/roles/ospf/README.md index 2cec045..3ebe574 100644 --- a/roles/ospf/README.md +++ b/roles/ospf/README.md @@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file. The full list of variables (with default values) can be found in `defaults/main.yml`. - * `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected - * `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs +* `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected +* `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs From 9f378fc1f9b2158ad9d1b382b00ebf937ed2b54e Mon Sep 17 00:00:00 2001 
From: Patrick Marchand Date: Thu, 4 Jun 2020 13:27:03 -0400 Subject: [PATCH 066/150] Misunderstood syntax for unordered lists in markdown So an unordered list needs three spaces and an ordered list needs a dot and two spaces. --- README.md | 14 +++++++------- roles/bgp/README.md | 4 ++-- roles/nagios-nrpe/README.md | 2 +- roles/ospf/README.md | 4 ++-- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 0182ec5..6f3d3dc 100644 --- a/README.md +++ b/README.md @@ -26,19 +26,19 @@ ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME Changes can be tested by using [Packer](https://www.packer.io/) and [vmm(4)](https://man.openbsd.org/vmm.4) : -* This process depends on the [Go](https://golang.org/) programming language. +* This process depends on the [Go](https://golang.org/) programming language. ``` # pkg_add go packer ``` -* We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) +* We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) ``` $ go get -u github.com/prep/packer-builder-vmm/cmd/packer-builder-vmm ``` -* Here is an example build file +* Here is an example build file ``` $ vim openbsd.json @@ -101,25 +101,25 @@ $ vim openbsd.json } -* You need your unprivileged user to be able to run vmctl(8) through doas(1) +* You need your unprivileged user to be able to run vmctl(8) through doas(1) ``` # echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf ``` -* Build the virtual machine +* Build the virtual machine ``` $ packer build openbsd.json ``` -* Start it +* Start it ``` doas vmctl start evobsd -cL -d output-vmm/evobsd.qcow2 ``` -* Enable NAT on your host machine +* Enable NAT on your host machine ``` pass out on em0 inet from tap0:network to any nat-to (em0) diff --git a/roles/bgp/README.md b/roles/bgp/README.md index 3312e75..cd6545d 100644 
--- a/roles/bgp/README.md +++ b/roles/bgp/README.md @@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file. The full list of variables (with default values) can be found in `defaults/main.yml`. -* `bgp_mailto` : email address the output of the script will be sent to when a change is detected -* `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked +* `bgp_mailto` : email address the output of the script will be sent to when a change is detected +* `bgp_exclude_grep_command` : facultative grep -v command for some peers not to be checked diff --git a/roles/nagios-nrpe/README.md b/roles/nagios-nrpe/README.md index 840698d..42dde0e 100644 --- a/roles/nagios-nrpe/README.md +++ b/roles/nagios-nrpe/README.md @@ -8,6 +8,6 @@ Everything is in the `tasks/main.yml` file. ## Available variables -* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). +* `nagios_nrpe_allowed_hosts` : list of IP/hosts authorized (default: none). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/roles/ospf/README.md b/roles/ospf/README.md index 3ebe574..7be1224 100644 --- a/roles/ospf/README.md +++ b/roles/ospf/README.md @@ -10,5 +10,5 @@ Everything is in the `tasks/main.yml` file. The full list of variables (with default values) can be found in `defaults/main.yml`. -* `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected -* `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs +* `ospf_mailto` : email address the output of the scripts will be sent to when a change is detected +* `ospf_sed_command` : facultative sed command to modify the ospfctl output and add a name to IPs From 87d0c8aca43967b0d3260fb2796a8a422e841b96 Mon Sep 17 00:00:00 2001 
From: Jeremy Dubois Date: Tue, 16 Jun 2020 17:16:55 +0200 Subject: [PATCH 067/150] We do not use pfstatd anymore --- roles/pf/templates/pf.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2 index 1952e18..65ee69b 100644 --- a/roles/pf/templates/pf.conf.j2 +++ b/roles/pf/templates/pf.conf.j2 @@ -54,8 +54,8 @@ block log all #pass quick on $pfsync_if proto pfsync pass out -# 9999 = pfstat, 5666 = nrpe -pass in on $ext_if proto tcp from to (self) port { 9999, ssh, 5666 } +# 5666 = nrpe +pass in on $ext_if proto tcp from to (self) port { ssh, 5666 } # Block Attack # China 144.0.0.0/16 --> SSH From 593df07f093b7cf342ac19694188110fc25bf5ff Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 16 Jun 2020 17:17:20 +0200 Subject: [PATCH 068/150] We do not net postgresql-client anymore We now use an API for evomaintenance instead of a direct call to postgresql --- roles/base/tasks/packages.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/base/tasks/packages.yml b/roles/base/tasks/packages.yml index 4decaee..5bbe520 100644 --- a/roles/base/tasks/packages.yml +++ b/roles/base/tasks/packages.yml @@ -16,7 +16,6 @@ - mtr-- - iftop - sudo-- - - postgresql-client tags: - pkg From dedbdf98229e13d15e9e28be4d86d42ba035a3a2 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 23 Jun 2020 15:38:21 +0200 Subject: [PATCH 069/150] Added a package needed for the OpenVPN check and changed the default location of the checks --- roles/openvpn/files/check_openvpn.pl | 2 +- roles/openvpn/tasks/main.yml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/openvpn/files/check_openvpn.pl b/roles/openvpn/files/check_openvpn.pl index 270fd1e..78e0cdb 100755 --- a/roles/openvpn/files/check_openvpn.pl +++ b/roles/openvpn/files/check_openvpn.pl 
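Review bot: As rendered here the new rule reads `pass in on $ext_if proto tcp from to (self) port { ssh, 5666 }` with nothing between `from` and `to`; pf would not load that, so an angle-bracketed table reference was most likely stripped when this patch was rendered rather than missing from the template — worth confirming, because that source restriction is what keeps ssh and nrpe from being reachable from arbitrary addresses. A comment next to `# 5666 = nrpe` naming what the source table is meant to contain (constructed example: `# sources: trusted admin/monitoring hosts only`) would make the intended exposure explicit the next time the rule is edited.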
@@ -28,7 +28,7 @@ use strict; use Net::Telnet (); use Getopt::Long qw(:config no_ignore_case); use vars qw($PROGNAME $VERSION); -use lib "/usr/lib/nagios/plugins/"; +use lib "/usr/local/libexec/nagios/"; use utils qw(%ERRORS); $PROGNAME = "check_openvpn"; diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml index c3b0d80..0fcd91d 100644 --- a/roles/openvpn/tasks/main.yml +++ b/roles/openvpn/tasks/main.yml @@ -113,3 +113,9 @@ mode: '0755' tags: - openvpn + +- name: Install needed package for check_openvpn + openbsd_pkg: + name: "p5-Net-Telnet" + tags: + - openvpn From 7e977633bd44eeaaabb14a2f3643c9c28e5d4c31 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 2 Jul 2020 16:37:25 +0200 Subject: [PATCH 070/150] Add arguments and details for first evolixisation --- evolixisation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolixisation.yml b/evolixisation.yml index da873e6..7547867 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -1,6 +1,6 @@ # Playbook command -# First use (become_method: su) : -# ansible-playbook evolixisation.yml --ask-vault-pass -CDi hosts -l HOSTNAME +# First use (become_method: su, and var_files uncommented) : +# ansible-playbook evolixisation.yml --ask-vault-pass -CDki hosts -l HOSTNAME -u root # Subsequent use (become_method: sudo) : # ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME From 3dd9e461c4078acbe6ff001b47616f891617c140 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 2 Jul 2020 16:40:17 +0200 Subject: [PATCH 071/150] Corrects yaml line break. Indentation is not allowed and breaks the tasks. --- roles/etc-git/tasks/commit.yml | 6 +++--- roles/etc-git/tasks/main.yml | 16 ++++++++-------- tasks/commit_etc_git.yml | 6 +++--- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/etc-git/tasks/commit.yml b/roles/etc-git/tasks/commit.yml index d41de38..95ab89a 100644 --- a/roles/etc-git/tasks/commit.yml 
+++ b/roles/etc-git/tasks/commit.yml @@ -52,9 +52,9 @@ shell: > git add -A . && git commit - -m "{{ commit_message | mandatory }}" - --author - "{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>" + -m "{{ commit_message | mandatory }}" + --author + "{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>" args: chdir: /etc register: etc_commit_end_run diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index 6b20325..cb01472 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -109,10 +109,10 @@ job: > who > /dev/null - || /usr/local/bin/git - --git-dir=/etc/.git - --work-tree=/etc - status --short + || /usr/local/bin/git + --git-dir=/etc/.git + --work-tree=/etc + status --short when: etc_git_monitor_status tags: - etc-git @@ -124,10 +124,10 @@ job: > who > /dev/null - || /usr/local/bin/git - --git-dir=/etc/.git - --work-tree=/etc - status --short + || /usr/local/bin/git + --git-dir=/etc/.git + --work-tree=/etc + status --short state: absent when: not etc_git_monitor_status tags: diff --git a/tasks/commit_etc_git.yml b/tasks/commit_etc_git.yml index 2925120..3330dad 100644 --- a/tasks/commit_etc_git.yml +++ b/tasks/commit_etc_git.yml @@ -14,9 +14,9 @@ shell: > git add -A . && git commit - -m "{{ commit_message | default('Ansible run') }}" - --author="{{ ansible_env.SUDO_USER | default('Root') }}" - < "{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>" + -m "{{ commit_message | default('Ansible run') }}" + --author="{{ ansible_env.SUDO_USER | default('Root') }}" + "<{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>" args: chdir: /etc register: etc_commit_end_evolinux From 30c1b70e2bd3ad31e33d5d8e8e980f1f418a8f80 Mon Sep 17 00:00:00 2001 
From: Jeremy Dubois Date: Wed, 8 Jul 2020 17:28:12 +0200 Subject: [PATCH 072/150] Modified openbgpd check to be in NRPE critical state when BGPD is not running --- .../files/plugins_bsd/check_openbgpd | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_openbgpd b/roles/nagios-nrpe/files/plugins_bsd/check_openbgpd index c62ec43..4e63480 100755 --- a/roles/nagios-nrpe/files/plugins_bsd/check_openbgpd +++ b/roles/nagios-nrpe/files/plugins_bsd/check_openbgpd @@ -5,6 +5,18 @@ # # 2009.11.12 #*#*# andrew fresh ######################################################################## +# +# MODIFIED VERSION FOR THE NEEDS OF EVOLIX +# By Jérémy Dubois +# +# Line 51 : +# added « open STDERR, '>&STDOUT'; » +# +# Lines 123 to 126 : +# added « or exit 2; » +# commented « or die $! » and the 2 lines below +# +######################################################################## use strict; use warnings; @@ -36,6 +48,7 @@ my $BGPCTL = '/usr/sbin/bgpctl'; use POSIX; use Config; my $PREFIX; +open STDERR, '>&STDOUT'; BEGIN { ## no critic 'warnings' @@ -107,9 +120,10 @@ sub read_status { } ## no critic 'die' close $fh - or die $! - ? "Error closing sysctl pipe: $!\n" - : "Exit status $? from sysctl\n"; + or exit 2; +# or die $! +# ? "Error closing sysctl pipe: $!\n" +# : "Exit status $? from sysctl\n"; return grep { exists $_->{neighbor} && $_->{as} ne 'AS' } @S; } From 5c11472e9aefe49a604e3aee31353214f00065f8 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 9 Jul 2020 15:44:25 +0200 Subject: [PATCH 073/150] Force replacement of some NRPE checks We cannot simply put "force: true" because some checks are customizable, some are not. We do not force to replace customizable ones for the customizations not to be lost. --- roles/nagios-nrpe/tasks/main.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) 
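Review bot: `close $fh or exit 2;` in the last hunk exits without printing a status line, so when the sysctl/bgpctl pipe fails NRPE only sees whatever the child happened to write to the now-merged STDERR, which can be nothing; printing a reason before exiting keeps the CRITICAL meaningful, e.g. `close $fh or do { print "CRITICAL: bgpctl pipe failed (status $?)\n"; exit 2 };`. The `open STDERR, '>&STDOUT';` added in the earlier hunk is likewise unchecked; `open STDERR, '>&', \*STDOUT or warn "cannot redirect STDERR: $!";` makes a failure visible. The modification header refers to "Line 51" and "Lines 123 to 126", which already disagree with the hunk offsets shown here and will drift further with every edit; describing the change by sub name (read_status) is more durable. The enclosing sub read_status starts outside the hunk.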
diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index 2b4abd0..eb19793 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -32,23 +32,33 @@ - name: Nagios plugins are installed copy: - src: plugins_bsd/ - dest: /usr/local/libexec/nagios/plugins/ + src: plugins_bsd/{{ item.name }} + dest: /usr/local/libexec/nagios/plugins/{{ item.name }} owner: root group: wheel mode: "0755" + force: "{{ item.force }}" + with_items: + - { name: 'check_carp_if', force: true } + - { name: 'check_connections_state.sh', force: false } + - { name: 'check_ipsecctl.sh', force: false } + - { name: 'check_openbgpd', force: true } + - { name: 'check_openvpn', force: false } + - { name: 'check_openvpn.pl', force: true } + - { name: 'check_ospfd_simple', force: true } notify: restart nrpe - name: Nagios plugins are installed - template template: - src: plugins_bsd/{{ item }}.j2 - dest: /usr/local/libexec/nagios/plugins/{{ item }} + src: plugins_bsd/{{ item.name }}.j2 + dest: /usr/local/libexec/nagios/plugins/{{ item.name }} owner: root group: wheel mode: "0755" + force: "{{ item.force }}" with_items: - - 'check_pf_states' - - 'check_free_mem.sh' + - { name: 'check_pf_states', force: false } + - { name: 'check_free_mem.sh', force: true } notify: restart nrpe - name: Starting and enabling nrpe From c6e55ea4c05dabe5acea0782db7286099717a820 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 9 Jul 2020 16:09:19 +0200 Subject: [PATCH 074/150] Correct yamllint : spaces inside braces --- roles/nagios-nrpe/tasks/main.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index eb19793..355dc9f 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml 
@@ -39,13 +39,13 @@ mode: "0755" force: "{{ item.force }}" with_items: - - { name: 'check_carp_if', force: true } - - { name: 'check_connections_state.sh', force: false } - - { name: 'check_ipsecctl.sh', force: false } - - { name: 'check_openbgpd', force: true } - - { name: 'check_openvpn', force: false } - - { name: 'check_openvpn.pl', force: true } - - { name: 'check_ospfd_simple', force: true } + - {name: 'check_carp_if', force: true} + - {name: 'check_connections_state.sh', force: false} + - {name: 'check_ipsecctl.sh', force: false} + - {name: 'check_openbgpd', force: true} + - {name: 'check_openvpn', force: false} + - {name: 'check_openvpn.pl', force: true} + - {name: 'check_ospfd_simple', force: true} notify: restart nrpe - name: Nagios plugins are installed - template @@ -57,8 +57,8 @@ mode: "0755" force: "{{ item.force }}" with_items: - - { name: 'check_pf_states', force: false } - - { name: 'check_free_mem.sh', force: true } + - {name: 'check_pf_states', force: false} + - {name: 'check_free_mem.sh', force: true} notify: restart nrpe - name: Starting and enabling nrpe From 05898cc1885c6780db7b4d0e5a0623325872f1c7 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Jul 2020 14:12:45 +0200 Subject: [PATCH 075/150] Change NTP check host --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 2b33b5c..0ee85b0 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
@@ -19,7 +19,7 @@ command[check_swap]=/usr/local/libexec/nagios/check_swap --no-swap=ok -a -w 30% # Generic services checks command[check_smtp]=/usr/local/libexec/nagios/check_smtp -H localhost -f {{ general_alert_email }} command[check_dns]=/usr/local/libexec/nagios/check_dns -H evolix.net -command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp.evolix.net +command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp-check.evolix.net command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost command[check_mailq]=doas /usr/local/libexec/nagios/check_mailq -w 10 -c 20 From cdc811b3deef401082b390e7c9cb02990ab5358d Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 28 Jul 2020 17:43:24 +0200 Subject: [PATCH 076/150] New NRPE check : check_packetfilter --- roles/nagios-nrpe/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index 355dc9f..72215d3 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -46,6 +46,7 @@ - {name: 'check_openvpn', force: false} - {name: 'check_openvpn.pl', force: true} - {name: 'check_ospfd_simple', force: true} + - {name: 'check_packetfilter', force: true} notify: restart nrpe - name: Nagios plugins are installed - template From 62515ca5b512b695aab37db2865da754f4674a7d Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 28 Jul 2020 17:45:14 +0200 Subject: [PATCH 077/150] Add a new NRPE check : check_packetfilter --- .../files/plugins_bsd/check_packetfilter.sh | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 roles/nagios-nrpe/files/plugins_bsd/check_packetfilter.sh diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_packetfilter.sh b/roles/nagios-nrpe/files/plugins_bsd/check_packetfilter.sh new file mode 100644 index 0000000..4f064c1 --- /dev/null +++ b/roles/nagios-nrpe/files/plugins_bsd/check_packetfilter.sh 
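Review bot: The new item `{name: 'check_packetfilter', force: true}` names a source file `plugins_bsd/check_packetfilter`, but the file added in the following commit and the paths used in doas.conf.j2 and evolix_bsd.cfg.j2 on this page are all `check_packetfilter.sh`; as written the copy task should fail with a missing source, or silently deploy nothing if the name is later changed only on one side. From what is visible here the fix is `- {name: 'check_packetfilter.sh', force: true}`, or renaming the script without the extension everywhere else. The with_items list continues outside the hunk.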
@@ -0,0 +1,40 @@ +#!/bin/sh + +. /usr/local/libexec/nagios/utils.sh + +is_pf_disabled() { + if [ -f /etc/rc.conf.local ]; then + grep -q "pf=NO" /etc/rc.conf.local + else + # If /etc/rc.conf.local does not exist, pf cannot be disabled + # If 0 then pf is disabled, so if /etc/rc.conf.local does not exist we have to return 1 => pf is not disabled + return 1 + fi +} + +is_pf_started() { + pfctl -si | grep -q "Status: Enabled for" +} + +main() { + if ! is_pf_disabled; then + if is_pf_started; then + echo "OK: PacketFilter is enabled and started." + exit "${STATE_OK}" + else + echo "CRITICAL: PacketFilter is enabled but not started." + exit "${STATE_CRITICAL}" + fi + else + if is_pf_started; then + echo "WARNING: PacketFilter is started but not enabled." + exit "${STATE_WARNING}" + else + echo "CRITICAL: PacketFilter is disabled and not started." + exit "${STATE_CRITICAL}" + fi + fi + +} + +main From 51669770257ed6364749ece81c71f3aa3b57a74f Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 28 Jul 2020 17:47:01 +0200 Subject: [PATCH 078/150] Change mode : make check_packetfilter.sh executable --- roles/nagios-nrpe/files/plugins_bsd/check_packetfilter.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 roles/nagios-nrpe/files/plugins_bsd/check_packetfilter.sh diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_packetfilter.sh b/roles/nagios-nrpe/files/plugins_bsd/check_packetfilter.sh old mode 100644 new mode 100755 From 3a6cd20ab39dbacd8adc6e080d84048cc5435068 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 28 Jul 2020 17:57:30 +0200 Subject: [PATCH 079/150] Configure the check_packetfilter in NRPE with doas --- roles/base/templates/doas.conf.j2 | 1 + roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 796da79..55c246a 100644 --- a/roles/base/templates/doas.conf.j2 
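Review bot: `grep -q "pf=NO" /etc/rc.conf.local` in is_pf_disabled is unanchored, so a commented-out `#pf=NO` or any variable whose value merely contains that substring makes the check report pf as disabled while it is enabled, turning a healthy host into a WARNING ("started but not enabled"); anchoring to the line start, `grep -q "^pf=NO" /etc/rc.conf.local`, matches how rc.conf.local is written. is_pf_started relies on `pfctl -si` being run with enough privilege to read the status; this is handled by the doas entry added later on this page, but a short comment here (`# requires root, run through doas`) would document the dependency for anyone invoking the plugin by hand. The stray blank line before the closing brace of main is a minor style nit.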
+++ b/roles/base/templates/doas.conf.j2 @@ -13,3 +13,4 @@ permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh +permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 0ee85b0..3d0c69e 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -45,6 +45,7 @@ command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d command[check_ospfd_simple]=doas /usr/local/libexec/nagios/plugins/check_ospfd_simple command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_connections_state.sh +command[check_packetfilter]=doas /usr/local/libexec/nagios/plugins/check_packetfilter.sh # This is an Ansible managed file ! # For local modifications use the /etc/nrpe.d/zzz-evolix.cfg file instead From 708ffcc538b7c2031c975fd47065b38850cc50f4 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 29 Jul 2020 14:52:46 +0200 Subject: [PATCH 080/150] Add packetfilter service and update other services version in LDIF creation for LDAP --- roles/post-install/files/ldap.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/roles/post-install/files/ldap.sh b/roles/post-install/files/ldap.sh index f09cf9b..ad81b06 100755 --- a/roles/post-install/files/ldap.sh +++ b/roles/post-install/files/ldap.sh 
@@ -119,7 +119,7 @@ objectClass: EvoService ipServicePort: 22 ServiceName: openssh ServiceType: ssh -ServiceVersion: OpenSSH 6.7 +ServiceVersion: OpenSSH 8.3 dn: ServiceName=opensmtpd,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net ipServiceProtocol: tcp @@ -128,13 +128,20 @@ objectClass: EvoService ServiceName: opensmtpd ipServicePort: 25 ServiceType: smtp -ServiceVersion: OpenSMTPD 5.4.3 +ServiceVersion: OpenSMTPD 6.7.1p1 dn: ServiceName=ntp,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net NagiosEnabled: TRUE objectClass: EvoService ServiceName: ntp ServiceType: ntp -ServiceVersion: OpenNTPd 4.6 +ServiceVersion: OpenNTPd 6.2p3 + +dn: ServiceName=packetfilter,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +NagiosEnabled: TRUE +objectClass: EvoService +ServiceName: packetfilter +ServiceType: firewall +ServiceVersion: packetfilter EOT From d956d5c6ba27d24d815d502df93ee90027f70bd8 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 31 Jul 2020 14:32:44 +0200 Subject: [PATCH 081/150] Import evocheck 6.7.3 --- roles/evocheck/files/evocheck.sh | 45 +++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 12 deletions(-) diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index 0c90051..7af41af 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -3,7 +3,7 @@ # EvoCheck # Script to verify compliance of an OpenBSD server powered by Evolix -readonly VERSION="6.6.2" +readonly VERSION="6.7.3" # Disable LANG* 
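Review bot: The `ServiceVersion:` values added and updated in this hunk (`OpenSSH 8.3`, `OpenSMTPD 6.7.1p1`, `OpenNTPd 6.2p3`) are hard-coded in the here-document, which is exactly why they were stale before this commit and will be stale again after the next release. Since the here-document already expands `${EvoComputerName}`, the OpenSSH value at least can be read from the system, e.g. `ServiceVersion: $(ssh -V 2>&1 | cut -d, -f1)` (ssh -V writes to stderr). If the other daemons offer no equivalent, a comment next to them saying the value must be bumped on each OpenBSD upgrade would help. The here-document and its delimiter are only partly inside the hunk.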
@@ -148,11 +148,15 @@ check_gitperms(){ check_advbase(){ if ls /etc/hostname.carp* 1> /dev/null 2>&1; then + bad_advbase=0 for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do - if [[ "$advbase" -gt 1 ]]; then - failed "IS_ADVBASE" "At least one CARP interface has advbase greater than 5 seconds!" + if [[ "$advbase" -gt 5 ]]; then + bad_advbase=1 fi done + if [[ "$bad_advbase" -eq 1 ]]; then + failed "IS_ADVBASE" "At least one CARP interface has advbase greater than 5 seconds!" + fi fi } @@ -217,22 +221,16 @@ check_ttyc0secure(){ } check_customsyslog(){ - grep -q Evolix /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" "" + grep -q EvoBSD /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" "" } check_sudomaint(){ file=/etc/sudoers grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \ - && grep -q "ADMIN ALL=NOPASSWD: MAINT" $file \ + && grep -q "%wheel ALL=NOPASSWD: MAINT" $file \ || failed "IS_SUDOMAINT" "" } -check_postgresql(){ - if ! is_installed postgresql-client; then - failed "IS_POSTGRESQL" "postgresql-client is not installed! Please add with pkg_add postgresql-client" - fi -} - check_nrpe(){ if ! is_installed monitoring-plugins || ! is_installed nrpe; then failed "IS_NRPE" "nrpe and/or monitoring-plugins are not installed! Please add with pkg_add nrpe monitoring-plugins" 
@@ -301,6 +299,28 @@ check_sync(){ fi } +check_defaultroute(){ + if [ -f /etc/mygate ]; then + file_route=$(cat /etc/mygate) + used_route=$(route -n show -priority 8 | grep default | awk '{print $2}') + if [ "$file_route" != "$used_route" ]; then + failed "IS_DEFAULTROUTE" "The default route in /etc/mygate is different from the one currently used" + fi + else + failed "IS_DEFAULTROUTE" "The file /etc/mygate does not exist. Make sure you have the same default route in this file as the one currently in use." + fi +} + +check_ntp(){ + if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then + if [ $(wc -l /etc/ntpd.conf | awk '{print $1}') -ne 1 ]; then + failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"." + fi + else + failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"server ntp.evolix.net\"." + fi +} + main() { # Default return code : 0 = no error @@ -328,7 +348,6 @@ main() { test "${IS_TTYC0SECURE:=1}" = 1 && check_ttyc0secure test "${IS_CUSTOMSYSLOG:=1}" = 1 && check_customsyslog test "${IS_SUDOMAINT:=1}" = 1 && check_sudomaint - test "${IS_POSTGRESQL:=1}" = 1 && check_postgresql test "${IS_NRPE:=1}" = 1 && check_nrpe test "${IS_RSYNC:=1}" = 1 && check_rsync test "${IS_CRONPATH:=1}" = 1 && check_cronpath @@ -339,6 +358,8 @@ main() { test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf test "${IS_SYNC:=1}" = 1 && check_sync + test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute + test "${IS_NTP:=1}" = 1 && check_ntp exit ${RC} } From 829df7456770a600e9007c185cd362eaf1dc66a2 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 21 Aug 2020 14:29:46 +0200 Subject: [PATCH 082/150] ldap.sh : Fix computerOS and add case for HardwareSerial if computer is a VM --- roles/post-install/files/ldap.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
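Review bot: In check_ntp, `grep -q "server ntp.evolix.net" /etc/ntpd.conf` is neither anchored nor fixed-string, so a commented-out `#server ntp.evolix.net` line or a host such as `ntp.evolix.net.example` satisfies it, and because the second test only counts lines a single commented-out line passes IS_NTP entirely; `grep -qxF "server ntp.evolix.net" /etc/ntpd.conf` requires an exact line. The line count can also be taken without awk and with the substitution quoted: `if [ "$(wc -l < /etc/ntpd.conf)" -ne 1 ]; then`. In check_defaultroute, `file_route=$(cat /etc/mygate)` presumably captures every line of the file (mygate may carry a comment or an IPv6 gateway as well), in which case the comparison with the single IPv4 route fails spuriously; reading only the first non-comment line would make the check robust. main() continues outside the hunk.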
diff --git a/roles/post-install/files/ldap.sh b/roles/post-install/files/ldap.sh index ad81b06..1ffc73b 100755 --- a/roles/post-install/files/ldap.sh +++ b/roles/post-install/files/ldap.sh @@ -6,8 +6,9 @@ HardwareMark=$(sysctl hw.vendor| sed 's#hw.vendor=##') HardwareModel=$(sysctl hw.product| sed 's#hw.product=##') computerIP=$(ifconfig egress | grep inet | awk -v OFS="\n" '{ print $2, $NF }'| head -1) computerKernel=$(sysctl kern.osrelease | sed 's#kern.osrelease=##') -computerOS=OpenBSD $computerKernel -HardwareSerial=$(sysctl hw.serialno| sed 's#hw.serialno=##') +computerOS="OpenBSD $computerKernel" +HardwareSerial=$(sysctl hw.serialno 2>/dev/null | sed 's#hw.serialno=##') +if [ -z $HardwareSerial ]; then sysctl hw | grep -qi qemu && HardwareSerial="Not Specified"; fi clientNumber="XXX" cpuMark=$(sysctl hw.model| sed 's#hw.model=##') cpuModel=$(sysctl hw.model| sed 's#hw.model=##') From deafd82337348bc8351e650a239a37596dfc2fa6 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 21 Aug 2020 15:26:32 +0200 Subject: [PATCH 083/150] For local modifications of nrpe conf, use zzz_evolix.cfg instead of zzz-evolix.cfg which is buggy --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 3d0c69e..961a932 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -3,7 +3,7 @@ # Part of the EvoBSD distribution. # # This is an Ansible managed file ! -# For local modifications use the /etc/nrpe.d/zzz-evolix.cfg file instead +# For local modifications use the /etc/nrpe.d/zzz_evolix.cfg file instead # Allowed IPs allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} 
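Review bot: `if [ -z $HardwareSerial ]; then` leaves the expansion unquoted, so a serial containing whitespace (common in vendor strings) gives test too many operands and the line errors out instead of being skipped; quoting fixes it: `if [ -z "$HardwareSerial" ]; then sysctl hw | grep -qi qemu && HardwareSerial="Not Specified"; fi`. The new fallback only covers QEMU, so on other hypervisors where hw.serialno is absent the LDIF presumably emits an empty `HardwareSerial:` attribute; a default value for every empty case, with the qemu test only refining it, would avoid that. The `2>/dev/null` on the sysctl call is a good change since the OID is missing on VMs.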
@@ -48,4 +48,4 @@ command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_co command[check_packetfilter]=doas /usr/local/libexec/nagios/plugins/check_packetfilter.sh # This is an Ansible managed file ! -# For local modifications use the /etc/nrpe.d/zzz-evolix.cfg file instead +# For local modifications use the /etc/nrpe.d/zzz_evolix.cfg file instead From b586b1fafe50a541fc0e4e6caee7a0dbffa688ac Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 25 Aug 2020 17:57:22 +0200 Subject: [PATCH 084/150] Write and deploy motd-carp-state.sh A script that checks the carp state and writes in the /etc/motd file if the server is in backup or master state. Script is copied in /usr/share/scripts/ directory and a cron job is installed but disabled by default. --- roles/post-install/files/motd-carp-state.sh | 47 +++++++++++++++++++++ roles/post-install/tasks/main.yml | 1 + roles/post-install/tasks/motd.yml | 14 ++++++ 3 files changed, 62 insertions(+) create mode 100755 roles/post-install/files/motd-carp-state.sh create mode 100644 roles/post-install/tasks/motd.yml diff --git a/roles/post-install/files/motd-carp-state.sh b/roles/post-install/files/motd-carp-state.sh new file mode 100755 index 0000000..cc29db3 --- /dev/null +++ b/roles/post-install/files/motd-carp-state.sh 
@@ -0,0 +1,47 @@ +#!/bin/sh + +if [ ! -f /etc/motd-original ]; then + cp /etc/motd /etc/motd-original +fi + +if [ ! -f /tmp/carp.state ]; then + echo "unknown" > /tmp/carp.state +fi + +ifconfig carp0 | grep -q master +master=$? +ifconfig carp0 | grep -q backup +backup=$? + +if [ "$master" -eq 0 ]; then + if [ $(cat /tmp/carp.state) = "master" ]; then + # We already were master, no change + exit 0 + fi +cat /etc/motd-original - << EOF > /etc/motd + __ ______ _____________________ + / |/ / | / ___/_ __/ ____/ __ \ + / /|_/ / /| | \__ \ / / / __/ / /_/ / + / / / / ___ |___/ // / / /___/ _, _/ +/_/ /_/_/ |_/____//_/ /_____/_/ |_| + +EOF +echo "master" > /tmp/carp.state +elif [ "$backup" -eq 0 ]; then + if [ $(cat /tmp/carp.state) = "backup" ]; then + # We already were backup, no change + exit 0 + fi +cat /etc/motd-original - << EOF > /etc/motd + ____ ___ ________ ____ ______ + / __ )/ | / ____/ //_/ / / / __ \ + / __ / /| |/ / / ,< / / / / /_/ / + / /_/ / ___ / /___/ /| / /_/ / ____/ +/_____/_/ |_\____/_/ |_\____/_/ + +EOF +echo "backup" > /tmp/carp.state +else + # No CARP + exit 0 +fi diff --git a/roles/post-install/tasks/main.yml b/roles/post-install/tasks/main.yml index 1876037..40f494c 100644 --- a/roles/post-install/tasks/main.yml +++ b/roles/post-install/tasks/main.yml @@ -2,3 +2,4 @@ # tasks files - include: ldif.yml - include: update.yml +- include: motd.yml diff --git a/roles/post-install/tasks/motd.yml b/roles/post-install/tasks/motd.yml new file mode 100644 index 0000000..cbecbfd --- /dev/null +++ b/roles/post-install/tasks/motd.yml @@ -0,0 +1,14 @@ +--- +- name: Deploy dynamic motd script for CARP master or backup + copy: + src: motd-carp-state.sh + dest: /usr/share/scripts/motd-carp-state.sh + owner: root + group: wheel + mode: '0755' + +- name: Cron job for dynamic motd script is installed + cron: + name: dynamic motd for CARP + job: "/bin/sh /usr/share/scripts/motd-carp-state.sh" + disabled: true 
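Review bot: The script keeps its state in `/tmp/carp.state`, which it writes and reads while running as root from cron (the cron task in the second hunk sets no user), but /tmp is world-writable so any local account can create that file beforehand and control what the root job reads and where it writes; the state file belongs in a root-owned directory such as /var/db or /var/run, with the path held in one variable. `if [ $(cat /tmp/carp.state) = "master" ]; then` (and the backup counterpart) leaves the substitution unquoted, so an empty state file breaks the test; `if [ "$(cat "$state_file")" = "master" ]; then` is safe. The interface name carp0 is hard-coded in both ifconfig calls, which presumably does not fit hosts whose CARP interface is numbered differently; a short header comment stating the assumption would help.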
From 5bc2d870007520397b1c1a9d9690b2d7e46c6f2c Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 26 Aug 2020 09:50:05 +0200 Subject: [PATCH 085/150] Fix commit_etc_git.yml task author Author in two parts was considered as "author" + "" instead of "author " --- tasks/commit_etc_git.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/commit_etc_git.yml b/tasks/commit_etc_git.yml index 3330dad..e73dc85 100644 --- a/tasks/commit_etc_git.yml +++ b/tasks/commit_etc_git.yml @@ -15,8 +15,8 @@ git add -A . && git commit -m "{{ commit_message | default('Ansible run') }}" - --author="{{ ansible_env.SUDO_USER | default('Root') }}" - "<{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>" + --author="{{ ansible_env.SUDO_USER | default('Root') }} + <{{ ansible_env.SUDO_USER | default('Root') }}@{{ general_technical_realm }}>" args: chdir: /etc register: etc_commit_end_evolinux From 04ffb90b0c948aede2f7fef881ee5750aafa3afb Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 31 Aug 2020 17:29:57 +0200 Subject: [PATCH 086/150] Add NRPE check unbound since OpenBSD use it more than bind --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 961a932..950661d 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
@@ -27,6 +27,7 @@ command[check_mailq]=doas /usr/local/libexec/nagios/check_mailq -w 10 -c 20 command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost command[check_http]=/usr/local/libexec/nagios/check_http -H localhost -p 80 command[check_bind]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost +command[check_unbound]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf From 655099101c20453cd9fe24d23550ef441d872ed0 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 2 Sep 2020 15:10:16 +0200 Subject: [PATCH 087/150] LDAP script replace "ram0" name with "mem" --- roles/post-install/files/ldap.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/post-install/files/ldap.sh b/roles/post-install/files/ldap.sh index 1ffc73b..0fa304d 100755 --- a/roles/post-install/files/ldap.sh +++ b/roles/post-install/files/ldap.sh @@ -63,8 +63,8 @@ HardwareSize: $cpuFreq HardwareType: CPU HardwareModel: $cpuModel -dn: HardwareName=ram0,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net -HardwareName: ram0 +dn: HardwareName=mem,EvoComputerName=${EvoComputerName},ou=computer,dc=evolix,dc=net +HardwareName: mem objectClass: EvoHardware HardwareSize: $mem HardwareType: mem From 3f0b3cff1c6e785fc4bd122315dcfeacfad5cb27 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 10 Sep 2020 11:54:01 +0200 Subject: [PATCH 088/150] Update copyright to 2020 --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 8c08e49..f8ce407 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,6 +1,6 @@ MIT License -Copyright (c) 2019 Evolix +Copyright (c) 2020 Evolix Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From a2aec3f4a66a65820ca104e12ed2b49398a5e47f Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 10 Sep 2020 11:54:21 +0200 Subject: [PATCH 089/150] Rewrite README.md file --- README.md | 102 +++++++++++++----------------------------------------- 1 file changed, 25 insertions(+), 77 deletions(-) diff --git a/README.md b/README.md index 6f3d3dc..15b4e7a 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,14 @@ ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME 2. Run it +First use (become_method: su, and var_files uncommented) : + +``` +ansible-playbook evolixisation.yml --ask-vault-pass -CDki hosts -l HOSTNAME -u root +``` + +Subsequent use (become_method: sudo) : + ``` ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME ``` 
@@ -28,96 +36,36 @@ Changes can be tested by using [Packer](https://www.packer.io/) and * This process depends on the [Go](https://golang.org/) programming language. -``` -# pkg_add go packer -``` +## Packages -* We use the [packer-builder-vmm](https://github.com/prep/packer-builder-vmm) project to bridge Packer and vmm(4) +Needing a Golang eco system and some basics -``` -$ go get -u github.com/prep/packer-builder-vmm/cmd/packer-builder-vmm -``` +```` +pkg_add go-- packer-- git-- +```` -* Here is an example build file +* We use the [packer-builder-openbsd-vmm](https://github.com/double-p/packer-builder-openbsd-vmm) project to bridge Packer and vmm(4) -``` -$ vim openbsd.json -``` +```` +git clone https://github.com/double-p/packer-builder-openbsd-vmm.git +```` - { - "description": "OpenBSD installation on vmm(4)", +## builds - "variables": { - "hostname": "evobsd", - "domain": "example.com", - - "password": "evolix" - }, - - "builders": [ - { - "type": "vmm", - "vm_name": "evobsd", - "disk_size": "2G", - "format": "qcow2", - "mem_size": "1024M", - - "iso_urls": ["downloads/install64.fs", "https://ftp.nluug.nl/pub/OpenBSD/6.4/amd64/install64.fs"], - "iso_checksum": "7aa4344cb39efbf67300f97ac7eec005b607e8c19d4e31a0a593a8ee2b7136e4", - "iso_checksum_type": "sha256", - - "boot_wait": "10s", - "boot_command": [ - "S", - - "cat <disklabel.template", - "/ 1G-* 100%", - "EOF", - - "cat <install.conf", - "System hostname = {{user `hostname`}}", - "DNS domain name = {{user `domain`}}", - "Password for root account = {{user `password`}}", - "Do you expect to run the X Window System = no", - "Setup a user = no", - "Which disk is the root disk = sd1", - "Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout = c", - "URL to autopartitioning template for disklabel = file://disklabel.template", - "Location of sets = disk", - "Is the disk partition already mounted = no", - "Set name(s) = -bsd.rd", - "Set name(s) = done", - "Directory does not contain SHA256.sig. 
Continue without verification = yes", - "What timezone are you in = Europe/Paris", - "EOF", - - "install -af install.conf", - "", - - "/sbin/halt -p" - ] - } - ] - } +Set ````GOPATH```` (default: ~/go), if the 1.4GB dependencies wont fit. +```` +make +make install +```` * You need your unprivileged user to be able to run vmctl(8) through doas(1) ``` -# echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf +echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf ``` -* Build the virtual machine - -``` -$ packer build openbsd.json -``` - -* Start it - -``` -doas vmctl start evobsd -cL -d output-vmm/evobsd.qcow2 -``` +See packer-builder-openbsd-vmm/examples/README.examples for further instructions * Enable NAT on your host machine From 8ecaf8131489fc4564c804b644448533a3470860 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 10 Sep 2020 11:54:46 +0200 Subject: [PATCH 090/150] Update evocheck to 6.7.4 --- roles/evocheck/files/evocheck.sh | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index 7af41af..dfbad68 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -3,7 +3,7 @@ # EvoCheck # Script to verify compliance of an OpenBSD server powered by Evolix -readonly VERSION="6.7.3" +readonly VERSION="6.7.4" # Disable LANG* 
@@ -139,7 +139,25 @@ check_uptime(){ fi } -check_backuptodate(){ +check_backupuptodate(){ + backup_dir="/home/backup" + if [ -d "${backup_dir}" ]; then + if [ -n "$(ls -A ${backup_dir})" ]; then + for file in ${backup_dir}/*; do + let "limit = $(date +"%s") - 172800" + updated_at=$(stat -f "%m" "$file") + + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + failed "IS_BACKUPUPTODATE" "$file has not been backed up" + test "${VERBOSE}" = 1 || break; + fi + done + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is empty" + fi + else + failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing" + fi } check_gitperms(){ @@ -333,7 +351,7 @@ main() { test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup test "${IS_UPTODATE:=1}" = 1 && check_uptodate test "${IS_UPTIME:=1}" = 1 && check_uptime - test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backuptodate + test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate test "${IS_GITPERMS:=1}" = 1 && check_gitperms test "${IS_ADVBASE:=1}" = 1 && check_advbase test "${IS_PREEMPT:=1}" = 1 && check_preempt From 070046b5ee58a4ec5758c7109795031967584ee2 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 10 Sep 2020 11:55:27 +0200 Subject: [PATCH 091/150] Add a CHANGELOG file --- CHANGELOG | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 CHANGELOG diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..91d37df --- /dev/null +++ b/CHANGELOG 
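Review bot: In the new check_backupuptodate(), `limit` is recomputed with `let` on every loop iteration although it does not depend on the file being inspected; compute it once before the `for`, as `limit=$(( $(date +%s) - 172800 ))`, and quote the directory in the emptiness test, `[ -n "$(ls -A "${backup_dir}")" ]`. Only regular files are judged (`-f`), so a sub-directory under /home/backup is silently ignored — if per-host backups live in sub-directories that is presumably intended, but a one-line comment saying so would save the next reader the question. The `break` after the first stale file means a non-verbose run reports only one failure, which matches the other checks' convention.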
@@ -0,0 +1,33 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +## [6.7.1] - 2020-09-10 + +### Added + +- Add completions functions in root's profile dotfile +- Add check_connections_state.sh NRPE plugin +- Add an evocheck role +- Add stricter ssh and doas access +- Add an openvpn role +- Add an OpenBGPd NRPE plugin +- Add ospf and bgp roles +- Add an unbound NRPE check since it is part of the base system +- Add a motd-carp-state.sh script that checks the carp state and generates the /etc/motd file + +### Changed + +- Disable sndiod since it is not required on serveurs +- Replace sudo with doas for script executions +- Update evomaintenance version to 0.6.3 +- Disable mouse function in vim configuration +- Drop openup since syspatch can apply stable patches now +- Update evobackup script +- Rewrite newsyslog configuration +- Drop postgresql-client package since evomaintenance use an API now From f4d9ec7359e7fad766686ffa5e495a4dc33edb7c Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Thu, 10 Sep 2020 11:58:25 +0200 Subject: [PATCH 092/150] New naming conventing based OpenBSD's one --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 15b4e7a..7df3897 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# EvoBSD 1.0 +# EvoBSD 6.7.1 EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix. From b0f1f9c2cae57c444660b874d4e9f800cb44db58 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 24 Sep 2020 16:11:49 +0200 Subject: [PATCH 093/150] Fix OSPF role : add deletion of old log files --- roles/bgp/tasks/main.yml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) 
diff --git a/roles/bgp/tasks/main.yml b/roles/bgp/tasks/main.yml index a0304a7..9b4c404 100644 --- a/roles/bgp/tasks/main.yml +++ b/roles/bgp/tasks/main.yml @@ -23,15 +23,30 @@ tags: - bgp -- name: weekly best routes cron job is installed +- name: daily best routes cron job is installed cron: name: bgp best routes minute: 0 hour: 4 - weekday: 0 job: > /usr/sbin/bgpctl show rib selected - > /var/log/bgp/rib-selected-$(date +\\%F) + > /var/log/bgp/rib-selected-$(date +\%F) + when: group_names | select('search','bgp') | list | count > 0 + tags: + - bgp + +- name: weekly best routes clean up cron job is installed + cron: + name: bgp best routes clean up + minute: 0 + hour: 4 + weekday: 0 + job: > + /usr/bin/find /var/log/bgp/ + -type f + -name "rib-selected-*" + -mtime +30 + -exec rm {} \+ when: group_names | select('search','bgp') | list | count > 0 tags: - bgp From f97317b76788f886764a564a9377fae88d7d5cc4 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 8 Oct 2020 15:19:52 +0200 Subject: [PATCH 094/150] Better rc.local configuration Add line before the "echo '.'" line instead of the end Delete old entry not precising the hostname if still there --- roles/base/tasks/mail.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml index dacd60d..44e1fd8 100644 --- a/roles/base/tasks/mail.yml +++ b/roles/base/tasks/mail.yml @@ -4,10 +4,20 @@ path: /etc/rc.local line: 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}' + insertbefore: 'echo' create: true tags: - misc +- name: Delete rc.local entry of boot/reboot not precising hostname + lineinfile: + path: /etc/rc.local + regexp: + "^.* mail -s (?!.*of.*).+$" + state: absent + tags: + - misc + - name: Set root mail alias replace: dest: /etc/mail/aliases From 12b2f3d280c816406885f93700f6e730c4bab465 Mon Sep 17 00:00:00 2001 
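Review bot: `insertbefore: 'echo'` on the boot/reboot mail task is a regular expression that matches any rc.local line containing "echo", including the stock `echo -n 'starting local daemons:'` line, so where the alert line lands depends on lineinfile's last-match rule and on whatever else has been added to the file; anchor it to the intended line, `insertbefore: "^echo '\\.'"`. The deletion task's `"^.* mail -s (?!.*of.*).+$"` likewise removes every `mail -s` line that lacks the word "of", which may be broader than the old boot entry it targets — requiring `boot/reboot` in that regexp as well would be safer. Both tasks are in the same hunk.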
From: Jeremy Dubois Date: Thu, 8 Oct 2020 15:39:50 +0200 Subject: [PATCH 095/150] Delete evobackup root crontab replaced by daily.local cron --- roles/base/tasks/evobackup.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/base/tasks/evobackup.yml b/roles/base/tasks/evobackup.yml index 6ec8db5..1b1b3a7 100644 --- a/roles/base/tasks/evobackup.yml +++ b/roles/base/tasks/evobackup.yml @@ -19,3 +19,13 @@ create: true tags: - evobackup + +- name: Delete evobackup root crontab replaced by daily.local cron + lineinfile: + path: /var/cron/tabs/root + regexp: '/usr/share/scripts/zzz_evobackup' + validate: /usr/bin/crontab %s + state: absent + tags: + - evobackup + From fa497b280ef0638beddee5940a3bf850c8898106 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 8 Oct 2020 15:42:52 +0200 Subject: [PATCH 096/150] Configure sudoers umask This configuration is checked by evocheck, so it should be present by default --- roles/base/tasks/sudo.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index 0d0467d..26913bc 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -1,4 +1,13 @@ --- +- name: Configure sudoers umask + lineinfile: + dest: /etc/sudoers + insertafter: '# Defaults specification' + line: 'Defaults umask=0077' + validate: 'visudo -cf %s' + tags: + - sudo + # dont't break the tab! - name: Allow wheel group to run command as root in sudo lineinfile: From 07d83d499475309901cc8a81d81c5534dfa52ca3 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 10:45:23 +0200 Subject: [PATCH 097/150] Delete empty line - yamllint --- roles/base/tasks/evobackup.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/base/tasks/evobackup.yml b/roles/base/tasks/evobackup.yml index 1b1b3a7..6d4e3d2 100644 --- a/roles/base/tasks/evobackup.yml +++ b/roles/base/tasks/evobackup.yml @@ -28,4 +28,3 @@ state: absent tags: - evobackup - 
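Review bot: `validate: /usr/bin/crontab %s` on the root-crontab deletion is not a syntax check: crontab(1) given a file argument installs that file as the caller's crontab, so the temporary candidate is installed as root's crontab before lineinfile rewrites /var/cron/tabs/root itself. The end state is the same either way, but if that install side effect is what is wanted (it is also how cron learns of the change), say so with a comment such as `# crontab %s installs the candidate, which also notifies cron`; otherwise drop the `validate` line.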
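Review bot: The umask task adds `Defaults umask=0077` by exact-line match only, so a sudoers that already carries a different `Defaults umask=` value ends up with two umask Defaults lines instead of the corrected one; add `regexp: '^Defaults\s+umask='` so the existing setting is replaced in place. If the `# Defaults specification` anchor is absent, lineinfile appends at end of file, which visudo still accepts, so that fallback is fine.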
From fe0c7f6add60b3f6838ba163cddc9064183bc6fa Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 14:15:14 +0200 Subject: [PATCH 098/150] Import evocheck v.6.7.5 --- roles/evocheck/files/evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index dfbad68..3bde7ac 100644 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -3,7 +3,7 @@ # EvoCheck # Script to verify compliance of an OpenBSD server powered by Evolix -readonly VERSION="6.7.4" +readonly VERSION="6.7.5" # Disable LANG* @@ -262,7 +262,7 @@ check_rsync(){ } check_cronpath(){ - grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/share/scripts" /var/cron/tabs/root || failed "IS_CRONPATH" "" + grep -q "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/share/scripts" /var/cron/tabs/root || failed "IS_CRONPATH" "" } check_tmp1777(){ From c9d1bff1c68d16f35f76b480a9eb4eda727dd370 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 14:15:46 +0200 Subject: [PATCH 099/150] Customize root crontab and daily.local Add custome PATH to root crontab Add environment variable to daily.local Add a "next_part" before the evocheck line in daily.local --- roles/base/defaults/main.yml | 2 ++ roles/base/tasks/cron.yml | 19 +++++++++++++++++++ roles/base/tasks/main.yml | 1 + roles/evocheck/tasks/install.yml | 8 ++++++++ 4 files changed, 30 insertions(+) create mode 100644 roles/base/tasks/cron.yml diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml index 9be1d76..84654b2 100644 --- a/roles/base/defaults/main.yml +++ b/roles/base/defaults/main.yml @@ -33,3 +33,5 @@ evomaintenance_hosts: > {{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }} + +cron_root_path: "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" 
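Review bot: The relaxed check_cronpath() pattern still requires `/usr/share/scripts` at the end of the PATH, while the `cron_root_path` default added to roles/base/defaults/main.yml in the following patch (same physical line here) is `/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin` without it, so a host configured by this role fails IS_CRONPATH. Either append it, `cron_root_path: "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/share/scripts"`, or drop that component from the check. Dropping the `PATH=` prefix also lets a commented-out or unrelated crontab line satisfy the check; anchoring on `^PATH=` keeps the looser component match while still requiring a real assignment.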
diff --git a/roles/base/tasks/cron.yml b/roles/base/tasks/cron.yml new file mode 100644 index 0000000..87cce5f --- /dev/null +++ b/roles/base/tasks/cron.yml @@ -0,0 +1,19 @@ +--- +- name: Customize PATH variable of root crontab + cron: + name: PATH + env: true + value: "{{ cron_root_path }}" + tags: + - cron + +- name: Customize daily.local environment + lineinfile: + path: /etc/daily.local + line: 'VERBOSESTATUS=0' + insertbefore: BOF + owner: root + mode: "0644" + create: true + tags: + - cron diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index b42d8d3..3b1ca7a 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -8,3 +8,4 @@ - include: sudo.yml - include: evobackup.yml - include: newsyslog.yml +- include: cron.yml diff --git a/roles/evocheck/tasks/install.yml b/roles/evocheck/tasks/install.yml index 6b88c17..43338ef 100644 --- a/roles/evocheck/tasks/install.yml +++ b/roles/evocheck/tasks/install.yml @@ -36,3 +36,11 @@ create: true tags: - evocheck + +- name: Add evocheck cron + lineinfile: + path: /etc/daily.local + line: 'next_part "Evocheck output:"' + insertbefore: 'sh /usr/share/scripts/evocheck.sh --verbose --cron' + tags: + - evocheck From 88df90428214dc0c777a57546b3e3d46ee939be4 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 10:30:12 +0200 Subject: [PATCH 100/150] Customize fstab with noexec and softdep Add softdep to each partitions Add noexec to /tmp and remount it if necessary --- roles/base/handlers/main.yml | 5 +++ roles/base/tasks/fstab.yml | 76 ++++++++++++++++++++++++++++++++++++ roles/base/tasks/main.yml | 1 + 3 files changed, 82 insertions(+) create mode 100644 roles/base/tasks/fstab.yml diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml index ba888e0..a424527 100644 --- a/roles/base/handlers/main.yml +++ b/roles/base/handlers/main.yml 
@@ -1,3 +1,8 @@ --- - name: newaliases shell: smtpctl update table aliases + +- name: remount /tmp + command: mount -u -o noexec /tmp + args: + warn: no diff --git a/roles/base/tasks/fstab.yml b/roles/base/tasks/fstab.yml new file mode 100644 index 0000000..eee8152 --- /dev/null +++ b/roles/base/tasks/fstab.yml 
@@ -0,0 +1,76 @@ +--- +- name: Fetch fstab content + command: "grep -v '^#' /etc/fstab" + check_mode: no + register: fstab_content + failed_when: false + changed_when: false + tags: + - fstab + +- name: / partition is customized - softdep + replace: + dest: /etc/fstab + regexp: '(\s+/\s+\S+\s+rw)(.*)' + replace: '\1,softdep\2' + when: + - fstab_content.stdout | regex_search('\s/\s') + - not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep')) + tags: + - fstab + +- name: /var partition is customized - softdep + replace: + dest: /etc/fstab + regexp: '(\s+/var\s+\S+\s+rw)(.*)' + replace: '\1,softdep\2' + when: + - fstab_content.stdout | regex_search('\s/var\s') + - not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep')) + tags: + - fstab + +- name: /usr partition is customized - softdep + replace: + dest: /etc/fstab + regexp: '(\s+/usr\s+\S+\s+rw)(.*)' + replace: '\1,softdep\2' + when: + - fstab_content.stdout | regex_search('\s/usr\s') + - not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep')) + tags: + - fstab + +- name: /tmp partition is customized - noexec + replace: + dest: /etc/fstab + regexp: '(\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)' + replace: '\1,noexec\3' + when: + - fstab_content.stdout | regex_search('\s/tmp\s') + - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec')) + tags: + - fstab + +- name: /tmp partition is customized - softdep + replace: + dest: /etc/fstab + regexp: '(\s+/tmp\s+\S+\s+rw)(.*)' + replace: '\1,softdep\2' + notify: remount /tmp + when: + - fstab_content.stdout | regex_search('\s/tmp\s') + - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,softdep')) + tags: + - fstab + +- name: /home partition is customized - softdep + replace: + dest: /etc/fstab + regexp: '(\s+/home\s+\S+\s+rw)(.*)' + replace: '\1,softdep\2' + when: + - fstab_content.stdout | regex_search('\s/home\s') + - not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep')) + tags: + 
- fstab diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 3b1ca7a..bd467b3 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -9,3 +9,4 @@ - include: evobackup.yml - include: newsyslog.yml - include: cron.yml +- include: fstab.yml From e019b797230fc775a6640817e10a14ebddadbfca Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 10:55:12 +0200 Subject: [PATCH 101/150] yamllint + correction /tmp softdep softdep is not added anymore if noexec is already defined after rw --- roles/base/handlers/main.yml | 2 +- roles/base/tasks/fstab.yml | 28 +++++++++++++++------------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml index a424527..7d18f17 100644 --- a/roles/base/handlers/main.yml +++ b/roles/base/handlers/main.yml @@ -5,4 +5,4 @@ - name: remount /tmp command: mount -u -o noexec /tmp args: - warn: no + warn: false diff --git a/roles/base/tasks/fstab.yml b/roles/base/tasks/fstab.yml index eee8152..7112137 100644 --- a/roles/base/tasks/fstab.yml +++ b/roles/base/tasks/fstab.yml @@ -1,7 +1,7 @@ --- - name: Fetch fstab content command: "grep -v '^#' /etc/fstab" - check_mode: no + check_mode: false register: fstab_content failed_when: false changed_when: false @@ -14,8 +14,8 @@ regexp: '(\s+/\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' when: - - fstab_content.stdout | regex_search('\s/\s') - - not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep')) + - fstab_content.stdout | regex_search('\s/\s') + - not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep')) tags: - fstab @@ -25,8 +25,8 @@ regexp: '(\s+/var\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' when: - - fstab_content.stdout | regex_search('\s/var\s') - - not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep')) + - fstab_content.stdout | regex_search('\s/var\s') + - not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep')) tags: - fstab 
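Review bot: `notify: remount /tmp` is attached to the "/tmp partition is customized - softdep" task, but the handler runs `mount -u -o noexec /tmp`, i.e. it re-applies noexec, and the "/tmp partition is customized - noexec" task above it carries no notify; on a host whose /tmp already has softdep but not noexec, fstab is edited and /tmp stays executable until the next reboot. Move (or copy) the `notify: remount /tmp` line to the noexec task. Separately, the noexec guard `rw,(softdep,)*noexec` does not recognise other options between `rw` and `noexec` (for example `rw,nodev,noexec`), in which case the replace would insert a second noexec; checking presence with `regex_search('\s/tmp\s+\S+\s+rw\S*noexec')` avoids that. The yamllint hunks that follow reflow these same tasks and leave the notify placement unchanged.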
@@ -36,8 +36,8 @@ regexp: '(\s+/usr\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' when: - - fstab_content.stdout | regex_search('\s/usr\s') - - not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep')) + - fstab_content.stdout | regex_search('\s/usr\s') + - not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep')) tags: - fstab @@ -47,8 +47,9 @@ regexp: '(\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)' replace: '\1,noexec\3' when: - - fstab_content.stdout | regex_search('\s/tmp\s') - - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec')) + - fstab_content.stdout | regex_search('\s/tmp\s') + - not (fstab_content.stdout + | regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec')) tags: - fstab @@ -59,8 +60,9 @@ replace: '\1,softdep\2' notify: remount /tmp when: - - fstab_content.stdout | regex_search('\s/tmp\s') - - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,softdep')) + - fstab_content.stdout | regex_search('\s/tmp\s') + - not (fstab_content.stdout + | regex_search('\s+/tmp\s+\S+\s+rw,(noexec,)*softdep')) tags: - fstab @@ -70,7 +72,7 @@ regexp: '(\s+/home\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' when: - - fstab_content.stdout | regex_search('\s/home\s') - - not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep')) + - fstab_content.stdout | regex_search('\s/home\s') + - not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep')) tags: - fstab From 4f201d3a7352f7318bfc1767df82c12abfedf348 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 14:15:46 +0200 Subject: [PATCH 102/150] Customize root crontab and daily.local Add custome PATH to root crontab Add environment variable to daily.local Add a "next_part" before the evocheck line in daily.local --- roles/base/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index bd467b3..5db225a 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml 
@@ -10,3 +10,4 @@ - include: newsyslog.yml - include: cron.yml - include: fstab.yml +- include: cron.yml From 0a4e970ab81d9421f5a01c5d7fab1276367130cf Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 10:30:12 +0200 Subject: [PATCH 103/150] Customize fstab with noexec and softdep Add softdep to each partitions Add noexec to /tmp and remount it if necessary --- roles/base/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 5db225a..6c7fd81 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -11,3 +11,4 @@ - include: cron.yml - include: fstab.yml - include: cron.yml +- include: fstab.yml From bd4748b4037ce27d3602fa0f99f09c6df03358be Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 14:15:46 +0200 Subject: [PATCH 104/150] Customize root crontab and daily.local Add custome PATH to root crontab Add environment variable to daily.local Add a "next_part" before the evocheck line in daily.local --- roles/base/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 6c7fd81..5db225a 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -11,4 +11,3 @@ - include: cron.yml - include: fstab.yml - include: cron.yml -- include: fstab.yml From 5fa8e0c9bbeffb0915afca14530b90f798ea380e Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 10:30:12 +0200 Subject: [PATCH 105/150] Customize fstab with noexec and softdep Add softdep to each partitions Add noexec to /tmp and remount it if necessary --- roles/base/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 5db225a..6c7fd81 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -11,3 +11,4 @@ - include: cron.yml - include: fstab.yml - include: cron.yml +- include: fstab.yml 
From 92837424fb67358c0f6c15e127028cfda29418ca Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 15:35:23 +0200 Subject: [PATCH 106/150] Fix weird commits --- roles/base/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 6c7fd81..bd467b3 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -10,5 +10,3 @@ - include: newsyslog.yml - include: cron.yml - include: fstab.yml -- include: cron.yml -- include: fstab.yml From c1f66a92e2bc7da59d543c64b245339ef2d2e651 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 9 Oct 2020 16:14:52 +0200 Subject: [PATCH 107/150] Fix add of multiple evobackup cron Do not add evobackup cron again if the same line is already there but uncommented --- roles/base/tasks/evobackup.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/base/tasks/evobackup.yml b/roles/base/tasks/evobackup.yml index 6d4e3d2..cbc68e6 100644 --- a/roles/base/tasks/evobackup.yml +++ b/roles/base/tasks/evobackup.yml @@ -10,6 +10,15 @@ tags: - evobackup +- name: Fetch daily.local content + command: 'grep "sh /usr/share/scripts/zzz_evobackup" /etc/daily.local' + check_mode: false + register: daily_local_content + failed_when: false + changed_when: false + tags: + - evobackup + - name: Add evobackup cron (disabled) lineinfile: path: /etc/daily.local @@ -17,6 +26,8 @@ owner: root mode: "0644" create: true + when: + - not (daily_local_content.stdout | regex_search('sh /usr/share/scripts/zzz_evobackup')) tags: - evobackup From 0615d3b5553635aae9632ae537e72e5f082bd23b Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 12 Oct 2020 12:00:28 +0200 Subject: [PATCH 108/150] Specify order of cron command in daily.local and fix full deletion of the cron --- roles/etc-git/tasks/main.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) 
diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index cb01472..94792e5 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -79,25 +79,33 @@ - name: cron job for /etc/.git status is installed lineinfile: path: /etc/daily.local - line: "{{ item }}" + line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' owner: root mode: "0644" create: true when: etc_git_monitor_status tags: - etc-git - with_items: - - 'next_part "Checking /etc git status:"' - - '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + +- name: cron job for /etc/.git status is installed - next_part + lineinfile: + path: /etc/daily.local + line: 'next_part "Checking /etc git status:"' + insertbefore: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + when: etc_git_monitor_status + tags: + - etc-git - name: cron job for /etc/.git status is removed lineinfile: path: /etc/daily.local - line: - '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + line: "{{ item }}" owner: root mode: "0644" state: absent + with_items: + - 'next_part "Checking /etc git status:"' + - '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' when: not etc_git_monitor_status tags: - etc-git From bd22b0545b9804e6d347da6c14eacb2fdc14c613 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 12 Oct 2020 14:16:00 +0200 Subject: [PATCH 109/150] sudoers configuration : the tab was broken --- roles/base/tasks/sudo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index 26913bc..b3fce09 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -13,7 +13,7 @@ lineinfile: dest: /etc/sudoers insertafter: '# and set environment variables.' - line: '%wheel ALL=(ALL) SETENV: ALL' + line: '%wheel ALL=(ALL) SETENV: ALL' validate: 'visudo -cf %s' backup: false tags: 
From 6b7c7b80c451e77985b239d99cfb18716923e6cb Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 12 Oct 2020 14:20:59 +0200 Subject: [PATCH 110/150] yamllint --- roles/base/tasks/evobackup.yml | 3 ++- roles/etc-git/tasks/main.yml | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/base/tasks/evobackup.yml b/roles/base/tasks/evobackup.yml index cbc68e6..c72a56b 100644 --- a/roles/base/tasks/evobackup.yml +++ b/roles/base/tasks/evobackup.yml @@ -27,7 +27,8 @@ mode: "0644" create: true when: - - not (daily_local_content.stdout | regex_search('sh /usr/share/scripts/zzz_evobackup')) + - not (daily_local_content.stdout + | regex_search('sh /usr/share/scripts/zzz_evobackup')) tags: - evobackup diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml index 94792e5..72b2ff3 100644 --- a/roles/etc-git/tasks/main.yml +++ b/roles/etc-git/tasks/main.yml @@ -79,7 +79,8 @@ - name: cron job for /etc/.git status is installed lineinfile: path: /etc/daily.local - line: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + line: + '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' owner: root mode: "0644" create: true @@ -91,7 +92,8 @@ lineinfile: path: /etc/daily.local line: 'next_part "Checking /etc git status:"' - insertbefore: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' + insertbefore: + '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short' when: etc_git_monitor_status tags: - etc-git From 3255566edf8a920cfe58e35056c13fab2b492874 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 12 Oct 2020 14:29:37 +0200 Subject: [PATCH 111/150] yamllint : disable rule:line-length for complete file evolixisation.yml --- evolixisation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolixisation.yml b/evolixisation.yml index 7547867..03af200 100644 --- a/evolixisation.yml +++ b/evolixisation.yml 
@@ -1,3 +1,4 @@ +# yamllint disable rule:line-length # Playbook command # First use (become_method: su, and var_files uncommented) : # ansible-playbook evolixisation.yml --ask-vault-pass -CDki hosts -l HOSTNAME -u root @@ -40,5 +41,4 @@ tasks_from: exec.yml # environment: -# yamllint disable-line rule:line-length # PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/" From 337e80b670fc762ac0d321541fc51a313a4dc178 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 21 Apr 2020 19:30:06 +0200 Subject: [PATCH 112/150] Writing of collectd role --- evolixisation.yml | 1 + roles/collectd/README.md | 13 +++ roles/collectd/defaults/main.yml | 32 ++++++ roles/collectd/files/dns_stats.sh | 3 + roles/collectd/files/ifq_drops.sh | 3 + roles/collectd/handlers/main.yml | 10 ++ roles/collectd/tasks/main.yml | 105 +++++++++++++++++++ roles/collectd/templates/collectd.conf.j2 | 122 ++++++++++++++++++++++ 8 files changed, 289 insertions(+) create mode 100644 roles/collectd/README.md create mode 100644 roles/collectd/defaults/main.yml create mode 100755 roles/collectd/files/dns_stats.sh create mode 100755 roles/collectd/files/ifq_drops.sh create mode 100644 roles/collectd/handlers/main.yml create mode 100644 roles/collectd/tasks/main.yml create mode 100644 roles/collectd/templates/collectd.conf.j2 diff --git a/evolixisation.yml b/evolixisation.yml index 03af200..950b46e 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -31,6 +31,7 @@ # - openvpn # - ospf # - bgp + # - { role: collectd, collectd_server: "127.0.0.1" } post_tasks: - include: "tasks/commit_etc_git.yml" diff --git a/roles/collectd/README.md b/roles/collectd/README.md new file mode 100644 index 0000000..e63b47b --- /dev/null +++ b/roles/collectd/README.md 
@@ -0,0 +1,13 @@ +# Collectd + +Installation and custom configuration of Collectd daemon. + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +The full list of variables (with default values) can be found in `defaults/main.yml`. + +* `collectd_server` : server to which the data will be sent (default: 127.0.0.1). diff --git a/roles/collectd/defaults/main.yml b/roles/collectd/defaults/main.yml new file mode 100644 index 0000000..214234d --- /dev/null +++ b/roles/collectd/defaults/main.yml @@ -0,0 +1,32 @@ +--- + +# destination server + +collectd_server: "127.0.0.1" + +# execution interval + +collectd_interval: "300" + +# exec plugin + +collectd_plugin_exec: False # Set to true only if one of the exec plugins below is also set to true +collectd_plugin_exec_interval: "{{ collectd_interval }}" +collectd_plugin_exec_ifq_drops: False +collectd_plugin_exec_dns_stats: False # Based on unbound +collectd_plugin_exec_dns_stats_interval: "{{ collectd_interval }}" + +# others plugins + +collectd_plugin_cpu: True +collectd_plugin_df: True +collectd_plugin_disk: True +collectd_plugin_interface: True +collectd_plugin_load: True +collectd_plugin_memory: True +collectd_plugin_pf: True +collectd_plugin_processes: True +collectd_plugin_swap: True +collectd_plugin_tcpconns: True +collectd_plugin_uptime: True +collectd_plugin_users: True diff --git a/roles/collectd/files/dns_stats.sh b/roles/collectd/files/dns_stats.sh new file mode 100755 index 0000000..8a11d3d --- /dev/null +++ b/roles/collectd/files/dns_stats.sh @@ -0,0 +1,3 @@ +#!/bin/ksh + +echo "PUTVAL $(hostname)/dns_stats/count N:$(doas /bin/cat /var/log/daemon | grep "server stats" | grep -v "requestlist max" | awk '{print $13}' | tail -1)" diff --git a/roles/collectd/files/ifq_drops.sh b/roles/collectd/files/ifq_drops.sh new file mode 100755 index 0000000..25748f4 --- /dev/null +++ b/roles/collectd/files/ifq_drops.sh 
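Review bot: dns_stats.sh reads the whole of /var/log/daemon as root on every collection interval and takes field 13 of the last "server stats" line, so the value depends on unbound's exact log wording and becomes empty right after newsyslog rotates the file, producing `N:` with no number. Capture it first and guard the empty case, `count=$(...)` then `echo "PUTVAL $(hostname)/dns_stats/count N:${count:-U}"`, where `U` is collectd's undefined-value marker. The doas rule that makes the root cat possible is in roles/collectd/tasks/main.yml further down.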
@@ -0,0 +1,3 @@ +#!/bin/ksh + +echo "PUTVAL $(hostname)/ifq_drops/count N:$(sysctl net.inet.ip.arpq.drops | awk -F= '{print $NF}')" diff --git a/roles/collectd/handlers/main.yml b/roles/collectd/handlers/main.yml new file mode 100644 index 0000000..00523b7 --- /dev/null +++ b/roles/collectd/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart collectd + service: + name: collectd + state: restarted + +- name: reload unbound + service: + name: unbound + state: reloaded diff --git a/roles/collectd/tasks/main.yml b/roles/collectd/tasks/main.yml new file mode 100644 index 0000000..a678829 --- /dev/null +++ b/roles/collectd/tasks/main.yml 
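Review bot: `sysctl net.inet.ip.arpq.drops | awk -F= '{print $NF}'` can be `sysctl -n net.inet.ip.arpq.drops`, which prints only the value and removes the awk pass. That is the only change I would suggest for this one-line script.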
@@ -0,0 +1,105 @@ +--- +- name: Install Collectd package + openbsd_pkg: + name: "collectd" + tags: + - collectd + +- name: Deploy Collectd configuration + template: + src: "collectd.conf.j2" + dest: "/etc/collectd.conf" + notify: restart collectd + tags: + - collectd + +- name: Enabling Collectd + service: + name: collectd + enabled: yes + tags: + - collectd + +- name: Create scripts directory for exec plugins + file: + path: /usr/local/share/collectd/scripts + state: directory + when: collectd_plugin_exec + tags: + - collectd + +- name: Copy ifq_drops.sh + copy: + src: ifq_drops.sh + dest: /usr/local/share/collectd/scripts/ifq_drops.sh + mode: 0755 + force: yes + when: collectd_plugin_exec_ifq_drops + tags: + - collectd + +- name: Remove ifq_drops.sh + file: + path: /usr/local/share/collectd/scripts/ifq_drops.sh + state: absent + when: not collectd_plugin_exec_ifq_drops + tags: + - collectd + +- name: Copy dns_stats.sh + copy: + src: dns_stats.sh + dest: /usr/local/share/collectd/scripts/dns_stats.sh + mode: 0755 + force: yes + when: collectd_plugin_exec_dns_stats + tags: + - collectd + +- name: Add stats DNS on unbound + lineinfile: + path: /var/unbound/etc/unbound.conf + regexp: 'statistics-interval' + line: ' statistics-interval: {{ collectd_plugin_exec_dns_stats_interval }}' + insertafter: 'hide-version:' + backup: yes + notify: reload unbound + when: collectd_plugin_exec_dns_stats + tags: + - collectd + +- name: Remove dns_stats.sh + file: + path: /usr/local/share/collectd/scripts/dns_stats.sh + state: absent + when: not collectd_plugin_exec_dns_stats + tags: + - collectd + +- name: Remove stats DNS on unbound + lineinfile: + path: /var/unbound/etc/unbound.conf + regexp: 'statistics-interval' + backup: yes + state: absent + notify: reload unbound + when: not collectd_plugin_exec_dns_stats + tags: + - collectd + +- name: Add doas configuration for dns_stats.sh execution + lineinfile: + path: /etc/doas.conf + line: 'permit nopass _collectd as root cmd /bin/cat' 
+ when: collectd_plugin_exec_dns_stats + tags: + - collectd + +- name: Delete doas configuration for dns_stats.sh execution + lineinfile: + path: /etc/doas.conf + line: 'permit nopass _collectd as root cmd /bin/cat' + state: absent + when: not collectd_plugin_exec_dns_stats + tags: + - collectd diff --git a/roles/collectd/templates/collectd.conf.j2 b/roles/collectd/templates/collectd.conf.j2 new file mode 100644 index 0000000..6ce9e7d --- /dev/null +++ b/roles/collectd/templates/collectd.conf.j2 
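Review bot: The doas line `permit nopass _collectd as root cmd /bin/cat` lets the _collectd user read any file on the system as root, while dns_stats.sh only needs /var/log/daemon; doas.conf can restrict the arguments, so the rule should read `permit nopass _collectd as root cmd /bin/cat args /var/log/daemon`, in both the add and the delete task so the removal still matches. Granting the log's group read access to `_collectd` would avoid root entirely, but that is a policy choice for the role to document. The unbound cleanup uses `regexp: 'statistics-interval'` with `state: absent` and no anchor, which would also delete a commented example line of that name if one is present — `^\s*statistics-interval:` is tighter.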
@@ -0,0 +1,122 @@ +Interval {{ collectd_interval }} +Timeout 2 + +LoadPlugin syslog + + LogLevel warning + + +{% if collectd_plugin_exec is sameas true %} + + Interval {{ collectd_plugin_exec_interval }} + + + +{% if collectd_plugin_exec_ifq_drops is sameas true %} + Exec "_collectd" "/usr/local/share/collectd/scripts/ifq_drops.sh" +{% endif %} +{% if collectd_plugin_exec_dns_stats is sameas true %} + Exec "_collectd" "/usr/local/share/collectd/scripts/dns_stats.sh" +{% endif %} + + +{% endif %} +{% if collectd_plugin_load is sameas true %} +LoadPlugin load +{% endif %} +{% if collectd_plugin_processes is sameas true %} +LoadPlugin processes +{% endif %} +{% if collectd_plugin_uptime is sameas true %} +LoadPlugin uptime +{% endif %} +{% if collectd_plugin_users is sameas true %} +LoadPlugin users +{% endif %} +{% if collectd_plugin_pf is sameas true %} +LoadPlugin pf +{% endif %} + +{% if collectd_plugin_df is sameas true %} +LoadPlugin df + + # expose host's mounts into container using -v /:/host:ro (location inside container does not matter much) + # ignore rootfs; else, the root file-system would appear twice, causing + # one of the updates to fail and spam the log + ## Seems to be fixed with collectd 5.5+ + ## FSType rootfs + # ignore the usual virtual / temporary file-systems + FSType sysfs + FSType proc + FSType devtmpfs + FSType devpts + FSType tmpfs + FSType fusectl + FSType cgroup + FSType overlay + FSType debugfs + FSType pstore + FSType securityfs + FSType hugetlbfs + FSType squashfs + FSType mqueue + IgnoreSelected true + + ReportByDevice false + ReportInodes true # Default false + ValuesAbsolute true + ValuesPercentage true + + +{% endif %} +{% if collectd_plugin_disk is sameas true %} +LoadPlugin disk + + #Disk "/^[hsv]d[a-z]/" + IgnoreSelected false + + +{% endif %} +{% if collectd_plugin_cpu is sameas true %} +LoadPlugin cpu + + ValuesPercentage true + + +{% endif %} +{% if collectd_plugin_memory is sameas true %} +LoadPlugin memory + + 
ValuesPercentage true + + +{% endif %} +{% if collectd_plugin_swap is sameas true %} +LoadPlugin swap + + ValuesPercentage true + + +{% endif %} +{% if collectd_plugin_interface is sameas true %} +LoadPlugin interface + + Interface "/^lo[0-9]*/" + Interface "/^veth.*/" + Interface "/^docker.*/" + IgnoreSelected true + ReportInactive false + + +{% endif %} +{% if collectd_plugin_tcpconns is sameas true %} +LoadPlugin tcpconns + + AllPortsSummary true + + +{% endif %} +LoadPlugin network + + Server "{{ collectd_server }}" "25826" + From 7cc374ea9e2245698880467e1f11f6c80cc18758 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Mon, 12 Oct 2020 15:26:45 +0200 Subject: [PATCH 113/150] yamllint : indentation, trailing-spaces and truthy value --- roles/collectd/defaults/main.yml | 30 ++++++++++++------------ roles/collectd/tasks/main.yml | 39 ++++++++++++++++---------------- 2 files changed, 35 insertions(+), 34 deletions(-) diff --git a/roles/collectd/defaults/main.yml b/roles/collectd/defaults/main.yml index 214234d..8460a72 100644 --- a/roles/collectd/defaults/main.yml +++ b/roles/collectd/defaults/main.yml 
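Review bot: The network plugin at the end of the template, `Server "{{ collectd_server }}" "25826"`, sends every metric over UDP in cleartext with no authentication, so anything on the path can read or inject values for this host; collectd's network plugin supports `SecurityLevel Encrypt` with a `Username`/`Password` inside a `<Server>` block (the receiving side needs a matching `AuthFile`). The angle-bracket block tags appear to have been stripped from this rendering of the hunk, so I cannot tell whether a `<Server>` block was already intended. Separately, the df `FSType` list (sysfs, cgroup, overlay, …) and the `Interface "/^veth.*/"` / `"/^docker.*/"` ignores are Linux leftovers that match nothing on OpenBSD and could be dropped.
```jinja
{# … unchanged: plugin blocks above … #}
LoadPlugin network
<Plugin network>
  <Server "{{ collectd_server }}" "25826">
    SecurityLevel Encrypt
    Username "{{ collectd_network_username }}"   # constructed variable name, not on the page
    Password "{{ collectd_network_password }}"   # constructed variable name, not on the page
  </Server>
</Plugin>
```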
@@ -10,23 +10,23 @@ collectd_interval: "300" # exec plugin -collectd_plugin_exec: False # Set to true only if one of the exec plugins below is also set to true +collectd_plugin_exec: false # Set to true only if one of the exec plugins below is also set to true collectd_plugin_exec_interval: "{{ collectd_interval }}" -collectd_plugin_exec_ifq_drops: False -collectd_plugin_exec_dns_stats: False # Based on unbound +collectd_plugin_exec_ifq_drops: false +collectd_plugin_exec_dns_stats: false # Based on unbound collectd_plugin_exec_dns_stats_interval: "{{ collectd_interval }}" # others plugins -collectd_plugin_cpu: True -collectd_plugin_df: True -collectd_plugin_disk: True -collectd_plugin_interface: True -collectd_plugin_load: True -collectd_plugin_memory: True -collectd_plugin_pf: True -collectd_plugin_processes: True -collectd_plugin_swap: True -collectd_plugin_tcpconns: True -collectd_plugin_uptime: True -collectd_plugin_users: True +collectd_plugin_cpu: true +collectd_plugin_df: true +collectd_plugin_disk: true +collectd_plugin_interface: true +collectd_plugin_load: true +collectd_plugin_memory: true +collectd_plugin_pf: true +collectd_plugin_processes: true +collectd_plugin_swap: true +collectd_plugin_tcpconns: true +collectd_plugin_uptime: true +collectd_plugin_users: true diff --git a/roles/collectd/tasks/main.yml b/roles/collectd/tasks/main.yml index a678829..77a5988 100644 --- a/roles/collectd/tasks/main.yml +++ b/roles/collectd/tasks/main.yml @@ -3,7 +3,7 @@ openbsd_pkg: name: "collectd" tags: - - collectd + - collectd - name: Deploy Collectd configuration template: @@ -11,14 +11,14 @@ dest: "/etc/collectd.conf" notify: restart collectd tags: - - collectd + - collectd - name: Enabling Collectd service: name: collectd - enabled: yes + enabled: true tags: - - collectd + - collectd - name: Create scripts directory for exec plugins file: 
@@ -26,17 +26,17 @@ state: directory when: collectd_plugin_exec tags: - - collectd + - collectd - name: Copy ifq_drops.sh copy: src: ifq_drops.sh dest: /usr/local/share/collectd/scripts/ifq_drops.sh mode: 0755 - force: yes + force: true when: collectd_plugin_exec_ifq_drops tags: - - collectd + - collectd - name: Remove ifq_drops.sh file: @@ -44,29 +44,30 @@ state: absent when: not collectd_plugin_exec_ifq_drops tags: - - collectd + - collectd - name: Copy dns_stats.sh - copy: + copy: src: dns_stats.sh dest: /usr/local/share/collectd/scripts/dns_stats.sh mode: 0755 - force: yes + force: true when: collectd_plugin_exec_dns_stats tags: - - collectd + - collectd - name: Add stats DNS on unbound lineinfile: path: /var/unbound/etc/unbound.conf regexp: 'statistics-interval' - line: ' statistics-interval: {{ collectd_plugin_exec_dns_stats_interval }}' + line: + ' statistics-interval: {{ collectd_plugin_exec_dns_stats_interval }}' insertafter: 'hide-version:' - backup: yes + backup: true notify: reload unbound when: collectd_plugin_exec_dns_stats tags: - - collectd + - collectd - name: Remove dns_stats.sh file: @@ -74,18 +75,18 @@ state: absent when: not collectd_plugin_exec_dns_stats tags: - - collectd + - collectd - name: Remove stats DNS on unbound lineinfile: path: /var/unbound/etc/unbound.conf regexp: 'statistics-interval' - backup: yes + backup: true state: absent notify: reload unbound when: not collectd_plugin_exec_dns_stats tags: - - collectd + - collectd - name: Add doas configuration for dns_stats.sh execution lineinfile: @@ -93,7 +94,7 @@ line: 'permit nopass _collectd as root cmd /bin/cat' when: collectd_plugin_exec_dns_stats tags: - - collectd + - collectd - name: Delete doas configuration for dns_stats.sh execution lineinfile: @@ -102,4 +103,4 @@ state: absent when: not collectd_plugin_exec_dns_stats tags: - - collectd + - collectd From 11d3331958023766568cc3614b5a1ae0dcfb952b Mon Sep 17 00:00:00 2001 
From: Jeremy Dubois Date: Mon, 12 Oct 2020 15:45:13 +0200 Subject: [PATCH 114/150] Collectd role : deletion of collectd_plugin_exec variable This variable had to be activated only if collectd_plugin_exec_ifq_drops or collectd_plugin_exec_dns_stats was also activated, for some configuration to be taken into account. I changed the role so that the configuration is automatically taken into account if one of these two variables is activated. --- roles/collectd/defaults/main.yml | 1 - roles/collectd/tasks/main.yml | 2 +- roles/collectd/templates/collectd.conf.j2 | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/collectd/defaults/main.yml b/roles/collectd/defaults/main.yml index 8460a72..7974087 100644 --- a/roles/collectd/defaults/main.yml +++ b/roles/collectd/defaults/main.yml @@ -10,7 +10,6 @@ collectd_interval: "300" # exec plugin -collectd_plugin_exec: false # Set to true only if one of the exec plugins below is also set to true collectd_plugin_exec_interval: "{{ collectd_interval }}" collectd_plugin_exec_ifq_drops: false collectd_plugin_exec_dns_stats: false # Based on unbound diff --git a/roles/collectd/tasks/main.yml b/roles/collectd/tasks/main.yml index 77a5988..4ff066b 100644 --- a/roles/collectd/tasks/main.yml +++ b/roles/collectd/tasks/main.yml @@ -24,7 +24,7 @@ file: path: /usr/local/share/collectd/scripts state: directory - when: collectd_plugin_exec + when: collectd_plugin_exec_ifq_drops or collectd_plugin_exec_dns_stats tags: - collectd diff --git a/roles/collectd/templates/collectd.conf.j2 b/roles/collectd/templates/collectd.conf.j2 index 6ce9e7d..2cae0ac 100644 --- a/roles/collectd/templates/collectd.conf.j2 +++ b/roles/collectd/templates/collectd.conf.j2 @@ -6,7 +6,7 @@ LoadPlugin syslog LogLevel warning -{% if collectd_plugin_exec is sameas true %} +{% if (collectd_plugin_exec_ifq_drops is sameas true) or (collectd_plugin_exec_dns_stats is sameas true) %} Interval {{ collectd_plugin_exec_interval }} 
From 57acbd60915781251e4c706562d3dd5259fe4d0d Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 13 Oct 2020 11:43:59 +0200 Subject: [PATCH 115/150] Add jinja2 variable for PATH variable environment --- roles/base/defaults/main.yml | 2 ++ roles/base/tasks/dotfiles.yml | 8 ++++---- roles/base/{files/profile => templates/profile.j2} | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) rename roles/base/{files/profile => templates/profile.j2} (94%) diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml index 84654b2..fa6f093 100644 --- a/roles/base/defaults/main.yml +++ b/roles/base/defaults/main.yml @@ -34,4 +34,6 @@ evomaintenance_hosts: > | union(evomaintenance_additional_hosts) | unique }} +evobsd_path: >- + "$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" cron_root_path: "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" diff --git a/roles/base/tasks/dotfiles.yml b/roles/base/tasks/dotfiles.yml index f8598df..eb8c144 100644 --- a/roles/base/tasks/dotfiles.yml +++ b/roles/base/tasks/dotfiles.yml @@ -1,7 +1,7 @@ --- - name: Customize root's .profile - copy: - src: profile + template: + src: profile.j2 dest: /root/.profile tags: - admin @@ -26,8 +26,8 @@ - dotfiles - name: Change default .profile skeleton - copy: - src: profile + template: + src: profile.j2 dest: /etc/skel/.profile tags: - admin diff --git a/roles/base/files/profile b/roles/base/templates/profile.j2 similarity index 94% rename from roles/base/files/profile rename to roles/base/templates/profile.j2 index 995c549..1b031ed 100644 --- a/roles/base/files/profile +++ b/roles/base/templates/profile.j2 @@ -2,7 +2,7 @@ # # sh/ksh initialization -PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games +PATH="{{ evobsd_path }}" export PATH HOME TERM export PS1="\u@\h:\w\\$ " HISTFILE=$HOME/.histfile From a9ae1b57d418ce2d2c364e2f3ee087730f21bdc9 Mon Sep 17 00:00:00 2001 
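Review bot: The new default `evobsd_path: >- "$HOME/bin:…"` is a folded block scalar, so the double quotes are part of the value, and the template line `PATH="{{ evobsd_path }}"` renders as `PATH=""$HOME/bin:/bin:…""`; the shell happens to concatenate the empty strings away, so it works by accident, but any other consumer of the variable gets the quotes. Keep the quoting in the template and drop it from the default: `evobsd_path: "$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"`. The new value also silently drops /usr/X11R6/bin and /usr/games that the previous hard-coded PATH had; if that is intended it deserves a changelog line.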
From: Jeremy Dubois Date: Tue, 13 Oct 2020 12:01:18 +0200 Subject: [PATCH 116/150] Do not use litteral tab in configuration Use "\t" instead of a litteral tab which can easily be broken. Also add a deletion of line with spaces. --- roles/base/tasks/sudo.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml index b3fce09..1d71391 100644 --- a/roles/base/tasks/sudo.yml +++ b/roles/base/tasks/sudo.yml @@ -8,17 +8,26 @@ tags: - sudo -# dont't break the tab! - name: Allow wheel group to run command as root in sudo lineinfile: dest: /etc/sudoers insertafter: '# and set environment variables.' - line: '%wheel ALL=(ALL) SETENV: ALL' + line: "%wheel\tALL=(ALL) SETENV: ALL" validate: 'visudo -cf %s' backup: false tags: - sudo +- name: Delete line with space instead of tab + lineinfile: + dest: /etc/sudoers + line: "%wheel ALL=(ALL) SETENV: ALL" + validate: 'visudo -cf %s' + backup: false + state: absent + tags: + - sudo + - name: Configure sudoers for evomaintenance and monitoring blockinfile: state: present From 7ddc1ab72fbdb3ef43d8bda1bb3e732e29e092e2 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 13 Oct 2020 12:02:48 +0200 Subject: [PATCH 117/150] Fix NRPE check file name --- roles/nagios-nrpe/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index 72215d3..1b1a5a3 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -46,7 +46,7 @@ - {name: 'check_openvpn', force: false} - {name: 'check_openvpn.pl', force: true} - {name: 'check_ospfd_simple', force: true} - - {name: 'check_packetfilter', force: true} + - {name: 'check_packetfilter.sh', force: true} notify: restart nrpe - name: Nagios plugins are installed - template From b925a9f84d316f0c83d6ff4089b2d091b71c8167 Mon Sep 17 00:00:00 2001 
From: Tristan PILAT Date: Tue, 13 Oct 2020 14:45:14 +0200 Subject: [PATCH 118/150] Update CHANGELOG and bump to version 6.7.2 --- CHANGELOG | 19 +++++++++++++++++++ README.md | 2 +- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 91d37df..e0004f4 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [6.7.2] - 2020-10-13 + +### Added + +- Now handling deletion of evobackup crontab (replaced by daily.local cron) +- Customize fstab with noexec and softdep +- Collectd role + +### Changed + +- Improve rc.local file configuration +- Update evocheck to version 6.7.5 +- Hide default daily output mail content (VERBOSESTATUS=0) +- Add deletion of old log files in the OSPF role + +### Fixed + +- Fix duplicate evobackup cron if the entry is uncommented in daily.local + ## [6.7.1] - 2020-09-10 ### Added diff --git a/README.md b/README.md index 7df3897..2d614ce 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# EvoBSD 6.7.1 +# EvoBSD 6.7.2 EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix. From a606230d93f081af497f242606494aaaf1a2f265 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 13 Oct 2020 16:01:16 +0200 Subject: [PATCH 119/150] We always need these Evolix vars_files which overwrite defaults values --- evolixisation.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evolixisation.yml b/evolixisation.yml index 950b46e..63bc66d 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -1,6 +1,6 @@ # yamllint disable rule:line-length # Playbook command -# First use (become_method: su, and var_files uncommented) : +# First use (become_method: su) : # ansible-playbook evolixisation.yml --ask-vault-pass -CDki hosts -l HOSTNAME -u root # Subsequent use (become_method: sudo) : # ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME 
@@ -16,8 +16,8 @@ vars_files: - vars/main.yml - # - vars/secrets.yml - # - vars/openbsd-secret.yml + - vars/secrets.yml + - vars/openbsd-secret.yml roles: - etc-git From 2bf8a7e872671fa06bd8ff526ecabdbf10083fe1 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 13 Oct 2020 16:03:54 +0200 Subject: [PATCH 120/150] Stricter ssh and doas access - better version Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner. --- roles/accounts/tasks/main.yml | 42 +++++++++++++++---------------- roles/accounts/tasks/user.yml | 27 ++++++++++++-------- roles/base/templates/doas.conf.j2 | 4 +-- vars/main.yml | 5 ++-- 4 files changed, 41 insertions(+), 37 deletions(-) diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml index 02d8749..f238bbf 100644 --- a/roles/accounts/tasks/main.yml +++ b/roles/accounts/tasks/main.yml @@ -1,20 +1,15 @@ --- -- name: "Create {{ evolinux_sudo_group }}" +- name: "Create {{ evobsd_group }} group" group: - name: "{{ evolinux_sudo_group }}" - system: true - -- name: "Create {{ evolinux_ssh_group }}" - group: - name: "{{ evolinux_ssh_group }}" + name: "{{ evobsd_group }}" system: true - name: Create user accounts include: user.yml vars: user: "{{ item.value }}" - with_dict: "{{ evolinux_users }}" - when: evolinux_users != {} + with_dict: "{{ evolix_users }}" + when: evolix_users != {} - name: verify AllowGroups directive command: "grep -E '^AllowGroups' /etc/ssh/sshd_config" 
@@ -40,10 +35,10 @@ ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}" -- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" +- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'" lineinfile: dest: /etc/ssh/sshd_config - line: "\nAllowGroups {{ evolinux_ssh_group }}" + line: "\nAllowGroups {{ evobsd_group }}" insertafter: 'Subsystem' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd @@ -51,30 +46,33 @@ - ssh_allowgroups - grep_allowgroups_ssh.rc == 1 -- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" +- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive" replace: dest: /etc/ssh/sshd_config - regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$' - replace: '\1 {{ evolinux_ssh_group }}' + regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$' + replace: '\1 {{ evobsd_group }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd when: - ssh_allowgroups - grep_allowgroups_ssh.rc == 0 -- name: "Append '{{ item.name }}' to AllowUsers sshd directive" - replace: +- name: "Security directives for EvoBSD" + blockinfile: dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$' - replace: '\1 {{ item.name }}' + marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS" + block: | + Match Address {{ evolix_trusted_ips | join(',') }} + PasswordAuthentication yes + Match Group {{ evobsd_group }} + PasswordAuthentication no + insertafter: EOF validate: '/usr/sbin/sshd -t -f %s' - with_dict: "{{ evolinux_users }}" notify: reload sshd when: - - not ssh_allowgroups - - grep_allowusers_ssh == 1 + - evolix_trusted_ips != [] -- name: disable root login +- name: "Disable root login" replace: dest: /etc/ssh/sshd_config regexp: '^PermitRootLogin (yes|without-password|prohibit-password)' diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml index 568753b..fbee95c 100644 --- a/roles/accounts/tasks/user.yml 
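Review bot: The sshd block in "Security directives for EvoBSD" is gated by `when: - evolix_trusted_ips != []`, so on a host with no trusted IPs the `Match Group {{ evobsd_group }}` / `PasswordAuthentication no` part is never written and password logins for the group stay at sshd's default; the trusted-address exception and the group restriction should be separate tasks (or the `Match Group` part unconditional). `Match Address … PasswordAuthentication yes` also applies to every account, not just the group, so it widens password auth for any other user coming from those addresses. Separately, the removed `AllowUsers` task is not replaced: on a host that already has `AllowUsers` but no `AllowGroups`, `ssh_allowgroups` (hunk above) evaluates false, so neither directive is updated and the new users cannot log in. sshd uses the first value obtained per keyword, so the Match ordering is right as written, provided no earlier Match block already sets PasswordAuthentication.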
+++ b/roles/accounts/tasks/user.yml @@ -1,16 +1,31 @@ --- +- name: "Group '{{ user.name }}' is present" + group: + state: present + name: "{{ user.name }}" + gid: "{{ user.uid }}" + - name: "User '{{ user.name }}' is present" user: state: present name: '{{ user.name }}' uid: '{{ user.uid }}' password: '{{ user.password_hash_openbsd }}' + group: "{{ user.name }}" groups: wheel shell: /bin/ksh append: true tags: - admin +- name: "Home directory for '{{ user.name }}' is only accesible by owner" + file: + name: '/home/{{ user.name }}' + mode: "0700" + owner: "{{ user.name }}" + group: "{{ user.name }}" + state: directory + - name: "SSH public keys for '{{ user.name }}' are present" authorized_key: user: "{{ user.name }}" @@ -23,18 +38,10 @@ tags: - admin -- name: "Add {{ user.name }} to {{ evolinux_sudo_group }} group" +- name: "Add {{ user.name }} to {{ evobsd_group }} group" user: name: "{{ user.name }}" - groups: "{{ evolinux_sudo_group }}" - append: true - tags: - - admin - -- name: "Add {{ user.name }} to {{ evolinux_ssh_group }} group" - user: - name: "{{ user.name }}" - groups: "{{ evolinux_ssh_group }}" + groups: "{{ evobsd_group }}" append: true tags: - admin diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2 index 55c246a..e3945ec 100644 --- a/roles/base/templates/doas.conf.j2 +++ b/roles/base/templates/doas.conf.j2 
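Review bot: Every account is still added to `wheel` (`groups: wheel`, context line of the first hunk), and roles/base/tasks/sudo.yml (patch 116 on this page) grants `%wheel ALL=(ALL) SETENV: ALL` in sudoers, so the "only evobsd_group can use doas" restriction from the commit message is bypassed by `sudo` for every user regardless of group; either drop the default wheel membership or tie the sudoers rule to `{{ evobsd_group }}`. The new per-user group uses `gid: "{{ user.uid }}"`, which fails if that gid already belongs to an unrelated group; leave gid to the system unless uid/gid parity is a hard requirement. The home-directory task hard-codes `/home/{{ user.name }}` and, unlike its siblings, carries no `tags: - admin`, so a `--tags admin` run skips it.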
@@ -1,7 +1,7 @@ # {{ ansible_managed }} -permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evolinux_sudo_group }} +permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }} permit nopass root -permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evolinux_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh +permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh permit nopass _collectd as root cmd /usr/sbin/bgpctl permit nopass _nrpe as root cmd /sbin/bioctl args sd2 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq diff --git a/vars/main.yml b/vars/main.yml index 347a44e..bccc5d4 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -8,9 +8,6 @@ # # general_alert_email: "root@localhost" # general_technical_realm: "example.com" -evolinux_ssh_group: "evolinux-ssh" -evolinux_sudo_group: "evolinux-sudo" -evolinux_root_disable_ssh: true # # evomaintenance_realm: "example.com" # evomaintenance_alert_email: @@ -27,6 +24,8 @@ evolinux_root_disable_ssh: true # evomaintenance_urgency_from: mama.doe@example.com # evomaintenance_urgency_tel: "06.00.00.00.00" # +evobsd_group: "evolix" +# # evolix_users: # foo: # name: foo From dc2707c0049010b1de62ad98acf77d0278a38bed Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 13 Oct 2020 16:16:52 +0200 Subject: [PATCH 121/150] Fix typo --- roles/accounts/tasks/user.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml index fbee95c..fb4da6b 100644 --- a/roles/accounts/tasks/user.yml +++ b/roles/accounts/tasks/user.yml @@ -22,8 +22,8 @@ file: name: '/home/{{ user.name }}' mode: "0700" - owner: "{{ user.name }}" - group: "{{ user.name }}" + owner: "{{ user.name }}" + group: "{{ user.name }}" state: directory - name: "SSH public keys for '{{ user.name }}' are present" 
From 5adeaa31e145fcbcccc37e30722bb141c1aed18e Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 14 Oct 2020 09:40:59 +0200 Subject: [PATCH 122/150] Add a pf tag that we skip for subsequent use PacketFilter need to be customized only once, at the first use. After that, pf.conf will be modified on the server for the needs of the network. It must not be overwriten. --- evolixisation.yml | 4 ++-- roles/pf/tasks/main.yml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/evolixisation.yml b/evolixisation.yml index 63bc66d..8d17372 100644 --- a/evolixisation.yml +++ b/evolixisation.yml @@ -1,9 +1,9 @@ # yamllint disable rule:line-length # Playbook command # First use (become_method: su) : -# ansible-playbook evolixisation.yml --ask-vault-pass -CDki hosts -l HOSTNAME -u root +# ansible-playbook evolixisation.yml --ask-vault-pass -CDki hosts -u root -l HOSTNAME # Subsequent use (become_method: sudo) : -# ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME +# ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts --skip-tags pf -l HOSTNAME --- - name: Evolixisation of an OpenBSD system diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 8df8414..4e52827 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml @@ -5,3 +5,5 @@ dest: /etc/pf.conf mode: "0600" backup: true + tags: + - pf From 37ec518850d6f44073fdbb8073e9fe0e59272465 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 14 Oct 2020 12:13:52 +0200 Subject: [PATCH 123/150] The pf_states NRPE check does not contain any variable, it can be in files folder --- .../check_pf_states.j2 => files/plugins_bsd/check_pf_states} | 0 roles/nagios-nrpe/tasks/main.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename roles/nagios-nrpe/{templates/plugins_bsd/check_pf_states.j2 => files/plugins_bsd/check_pf_states} (100%) 
diff --git a/roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 b/roles/nagios-nrpe/files/plugins_bsd/check_pf_states similarity index 100% rename from roles/nagios-nrpe/templates/plugins_bsd/check_pf_states.j2 rename to roles/nagios-nrpe/files/plugins_bsd/check_pf_states diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml index 1b1a5a3..ed7512c 100644 --- a/roles/nagios-nrpe/tasks/main.yml +++ b/roles/nagios-nrpe/tasks/main.yml @@ -47,6 +47,7 @@ - {name: 'check_openvpn.pl', force: true} - {name: 'check_ospfd_simple', force: true} - {name: 'check_packetfilter.sh', force: true} + - {name: 'check_pf_states', force: false} notify: restart nrpe - name: Nagios plugins are installed - template @@ -58,7 +59,6 @@ mode: "0755" force: "{{ item.force }}" with_items: - - {name: 'check_pf_states', force: false} - {name: 'check_free_mem.sh', force: true} notify: restart nrpe From 68586d6450c418ae84ed676bc478b2dbf15ec86a Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 14 Oct 2020 12:14:58 +0200 Subject: [PATCH 124/150] Fstab role : do not change lines beggining with "#" --- roles/base/tasks/fstab.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/base/tasks/fstab.yml b/roles/base/tasks/fstab.yml index 7112137..e761282 100644 --- a/roles/base/tasks/fstab.yml +++ b/roles/base/tasks/fstab.yml @@ -11,7 +11,7 @@ - name: / partition is customized - softdep replace: dest: /etc/fstab - regexp: '(\s+/\s+\S+\s+rw)(.*)' + regexp: '([^#]\s+/\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' when: - fstab_content.stdout | regex_search('\s/\s') @@ -22,7 +22,7 @@ - name: /var partition is customized - softdep replace: dest: /etc/fstab - regexp: '(\s+/var\s+\S+\s+rw)(.*)' + regexp: '([^#]\s+/var\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' when: - fstab_content.stdout | regex_search('\s/var\s') 
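Review bot: The `[^#]` placed in front of `\s+/\s+` does not exclude commented lines: it only requires that the single character before the whitespace is not `#`, and on `#/dev/sd0a / ffs rw 1 1` that character is `a`, so the line still matches and gets `,softdep` appended. The replace module runs in MULTILINE mode, so anchor the device field at line start instead, e.g. `regexp: '^([^#\s]\S*\s+/\s+\S+\s+rw)(.*)'` for the `/` task, and the same `^([^#\s]\S*` prefix for the /var, /usr, /tmp (both the noexec and softdep tasks) and /home hunks, including those in the next chunk of this diff. The device text is still captured and re-emitted by `\1`, so the `replace:` strings are unchanged.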
@@ -33,7 +33,7 @@ - name: /usr partition is customized - softdep replace: dest: /etc/fstab - regexp: '(\s+/usr\s+\S+\s+rw)(.*)' + regexp: '([^#]\s+/usr\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' when: - fstab_content.stdout | regex_search('\s/usr\s') @@ -44,7 +44,7 @@ - name: /tmp partition is customized - noexec replace: dest: /etc/fstab - regexp: '(\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)' + regexp: '([^#]\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)' replace: '\1,noexec\3' when: - fstab_content.stdout | regex_search('\s/tmp\s') @@ -56,7 +56,7 @@ - name: /tmp partition is customized - softdep replace: dest: /etc/fstab - regexp: '(\s+/tmp\s+\S+\s+rw)(.*)' + regexp: '([^#]\s+/tmp\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' notify: remount /tmp when: @@ -69,7 +69,7 @@ - name: /home partition is customized - softdep replace: dest: /etc/fstab - regexp: '(\s+/home\s+\S+\s+rw)(.*)' + regexp: '([^#]\s+/home\s+\S+\s+rw)(.*)' replace: '\1,softdep\2' when: - fstab_content.stdout | regex_search('\s/home\s') From 592a2f8337ed3c7c07437befd7ea8ac9ea22158e Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 14 Oct 2020 12:25:55 +0200 Subject: [PATCH 125/150] Comment on checks that cannot be used as is --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 950661d..aec2baa 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
@@ -35,11 +35,11 @@ command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/ command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u # Local checks (not packaged) -command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD +#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10 -command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" +#command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME" command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d From 213e4a7bcdc9c827a7c6767bf6f671683634b431 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 14 Oct 2020 14:55:10 +0200 Subject: [PATCH 126/150] Comment on checks that cannot be used as is - v2 --- roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 index aec2baa..16fe8dc 100644 --- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 
@@ -28,11 +28,11 @@ command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost command[check_http]=/usr/local/libexec/nagios/check_http -H localhost -p 80 command[check_bind]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost command[check_unbound]=/usr/local/libexec/nagios/check_dig -l evolix.net -H localhost -command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT -command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 +#command[check_proxy]=/usr/local/libexec/nagios/check_tcp -p PORT +#command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445 command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf #command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100% -command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u +#command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u # Local checks (not packaged) #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD From 7ecf7be4a4360dbf08e29639d108e343c6b3e77c Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 14 Oct 2020 16:32:32 +0200 Subject: [PATCH 127/150] Do not remove line that would have a customized subject --- roles/base/tasks/mail.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml index 44e1fd8..2385473 100644 --- a/roles/base/tasks/mail.yml +++ b/roles/base/tasks/mail.yml @@ -1,4 +1,13 @@ --- +- name: Fetch rc.local content + command: "grep -v '^#' /etc/rc.local" + check_mode: false + register: rclocal_content + failed_when: false + changed_when: false + tags: + - misc + - name: Configure rc.local lineinfile: path: /etc/rc.local 
@@ -6,6 +15,8 @@
 'date | mail -s "boot/reboot of $(hostname -s)" {{ general_alert_email }}'
 insertbefore: 'echo'
 create: true
+ when:
+ - not (rclocal_content.stdout | regex_search('date \| mail -s (\"|\')boot/reboot of \$\(hostname -s\)'))
 tags:
 - misc
From 556d98c170e652b4dcdd029e29d4c5a7376ce101 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 14 Oct 2020 16:33:39 +0200
Subject: [PATCH 128/150] Variable ansible_fqdn is often not the name of the server
---
 roles/etc-git/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml
index 72b2ff3..f3ef13e 100644
--- a/roles/etc-git/tasks/main.yml
+++ b/roles/etc-git/tasks/main.yml
@@ -22,7 +22,7 @@
 name: user.email
 repo: /etc
 scope: local
- value: "root@{{ ansible_fqdn | default('localhost') }}"
+ value: "root@{{ inventory_hostname }}.{{ general_technical_realm }}"
 tags:
 - etc-git
From 6dd4b6b8aa706608b6ca1df172d895918d1c5e48 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 14 Oct 2020 16:34:49 +0200
Subject: [PATCH 129/150] Syspatch is not available before OpenBSD 6.1
---
 roles/post-install/tasks/update.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/post-install/tasks/update.yml b/roles/post-install/tasks/update.yml
index f437189..8ec4587 100644
--- a/roles/post-install/tasks/update.yml
+++ b/roles/post-install/tasks/update.yml
@@ -1,3 +1,4 @@
 ---
 - name: Check and install updates (erratas) if available
 shell: /usr/sbin/syspatch
+ when: ansible_distribution_version is version_compare("6.1",'>=')
From cc80aefac7bac2ad27396afd1b689b8049b4e935 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 14 Oct 2020 16:35:17 +0200
Subject: [PATCH 130/150] NRPE plugins dir was not created
---
 roles/nagios-nrpe/tasks/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml
index ed7512c..2445ebc 100644
--- a/roles/nagios-nrpe/tasks/main.yml
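Review bot: The new `user.email` value in roles/etc-git/tasks/main.yml drops the `default('localhost')` fallback the replaced expression had, so on a host where `general_technical_realm` is not defined the task now fails on an undefined variable instead of configuring git. Keep a fallback on the new variable, e.g. `value: "root@{{ inventory_hostname }}.{{ general_technical_realm | default('localhost') }}"`, or declare the variable in the role's defaults so it can never be missing. The `git_config` task that owns these keys starts above the hunk; only `name`, `repo` and `scope` are visible.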
+++ b/roles/nagios-nrpe/tasks/main.yml
@@ -30,6 +30,14 @@
 dest: /etc/nrpe.d/evolix.cfg
 notify: restart nrpe
+- name: Create nrpe plugins dir
+ file:
+ path: /usr/local/libexec/nagios/plugins/
+ state: directory
+ owner: root
+ group: wheel
+ mode: "0755"
+
 - name: Nagios plugins are installed
 copy:
 src: plugins_bsd/{{ item.name }}
From ff1f728102ab0f2f68cf02c33217fcb509363ddc Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 14 Oct 2020 16:37:22 +0200
Subject: [PATCH 131/150] Doas authorization for collectd We put the doas authorization for collectd in the global file and we let it if collectd is not there, because otherwise the authorization would be removed if the base role was run without the collectd role, even if collectd was still running. Collectd would have been broken.
---
 roles/base/templates/doas.conf.j2 | 1 +
 roles/collectd/tasks/main.yml | 9 ---------
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
index e3945ec..2b83565 100644
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
@@ -2,6 +2,7 @@
 permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
 permit nopass root
 permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+permit nopass _collectd as root cmd /bin/cat
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
diff --git a/roles/collectd/tasks/main.yml b/roles/collectd/tasks/main.yml
index 4ff066b..28a2c46 100644
--- a/roles/collectd/tasks/main.yml
+++ b/roles/collectd/tasks/main.yml
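Review bot: `permit nopass _collectd as root cmd /bin/cat` carries no `args` restriction, so the _collectd account can read any file on the host as root; the same template already shows the narrower form in `permit nopass _nrpe as root cmd /sbin/bioctl args sd2`. The commit message ties this rule to the dns_stats plugin, so restrict it to the file(s) that plugin actually reads, e.g. `permit nopass _collectd as root cmd /bin/cat args <PATH-READ-BY-dns_stats.sh>` (placeholder path), one rule per file. Since the rule now lives unconditionally in the base role it is also rendered on hosts without collectd, which is the stated intent, but that makes the `args` limit the only thing bounding what the account can read there.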
@@ -95,12 +95,3 @@
 when: collectd_plugin_exec_dns_stats
 tags:
 - collectd
-
-- name: Delete doas configuration for dns_stats.sh execution
- lineinfile:
- path: /etc/doas.conf
- line: 'permit nopass _collectd as root cmd /bin/cat'
- state: absent
- when: not collectd_plugin_exec_dns_stats
- tags:
- - collectd
From 4610661299f840b62cbe9843524fc373bee2243f Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 14 Oct 2020 17:19:27 +0200
Subject: [PATCH 132/150] Fix add of multiple motd cron Do not add motd cron again if the same line is already there but uncommented
---
 roles/post-install/tasks/motd.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/roles/post-install/tasks/motd.yml b/roles/post-install/tasks/motd.yml
index cbecbfd..80fb511 100644
--- a/roles/post-install/tasks/motd.yml
+++ b/roles/post-install/tasks/motd.yml
@@ -7,8 +7,18 @@
 group: wheel
 mode: '0755'
+- name: Fetch root crontab content
+ command: 'grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root'
+ check_mode: false
+ register: root_crontab_content
+ failed_when: false
+ changed_when: false
+
 - name: Cron job for dynamic motd script is installed
 cron:
 name: dynamic motd for CARP
 job: "/bin/sh /usr/share/scripts/motd-carp-state.sh"
 disabled: true
+ when:
+ - not (root_crontab_content.stdout | regex_search('/bin/sh /usr/share/scripts/motd-carp-state.sh'))
+
From 4c902eda5a33b05a6032a12f6dad3c526ca01f56 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 14 Oct 2020 18:05:29 +0200
Subject: [PATCH 133/150] Fstab : change only ffs file system
---
 roles/base/tasks/fstab.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/roles/base/tasks/fstab.yml b/roles/base/tasks/fstab.yml
index e761282..64bf644 100644
--- a/roles/base/tasks/fstab.yml
+++ b/roles/base/tasks/fstab.yml
@@ -11,68 +11,68 @@
 - name: / partition is customized - softdep
 replace:
 dest: /etc/fstab
- regexp: '([^#]\s+/\s+\S+\s+rw)(.*)'
+ regexp: '([^#]\s+/\s+ffs\s+rw)(.*)'
 replace: '\1,softdep\2'
 when:
 - fstab_content.stdout | regex_search('\s/\s')
- - not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep'))
+ - not (fstab_content.stdout | regex_search('\s+/\s+ffs\s+rw,softdep'))
 tags:
 - fstab
 - name: /var partition is customized - softdep
 replace:
 dest: /etc/fstab
- regexp: '([^#]\s+/var\s+\S+\s+rw)(.*)'
+ regexp: '([^#]\s+/var\s+ffs\s+rw)(.*)'
 replace: '\1,softdep\2'
 when:
 - fstab_content.stdout | regex_search('\s/var\s')
- - not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep'))
+ - not (fstab_content.stdout | regex_search('\s+/var\s+ffs\s+rw,softdep'))
 tags:
 - fstab
 - name: /usr partition is customized - softdep
 replace:
 dest: /etc/fstab
- regexp: '([^#]\s+/usr\s+\S+\s+rw)(.*)'
+ regexp: '([^#]\s+/usr\s+ffs\s+rw)(.*)'
 replace: '\1,softdep\2'
 when:
 - fstab_content.stdout | regex_search('\s/usr\s')
- - not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep'))
+ - not (fstab_content.stdout | regex_search('\s+/usr\s+ffs\s+rw,softdep'))
 tags:
 - fstab
 - name: /tmp partition is customized - noexec
 replace:
 dest: /etc/fstab
- regexp: '([^#]\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)'
+ regexp: '([^#]\s+/tmp\s+ffs\s+rw(,softdep)*)(.*)'
 replace: '\1,noexec\3'
 when:
 - fstab_content.stdout | regex_search('\s/tmp\s')
 - not (fstab_content.stdout
- | regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec'))
+ | regex_search('\s+/tmp\s+ffs\s+rw,(softdep,)*noexec'))
 tags:
 - fstab
 - name: /tmp partition is customized - softdep
 replace:
 dest: /etc/fstab
- regexp: '([^#]\s+/tmp\s+\S+\s+rw)(.*)'
+ regexp: '([^#]\s+/tmp\s+ffs\s+rw)(.*)'
 replace: '\1,softdep\2'
 notify: remount /tmp
 when:
 - fstab_content.stdout | regex_search('\s/tmp\s')
 - not (fstab_content.stdout
- | regex_search('\s+/tmp\s+\S+\s+rw,(noexec,)*softdep'))
+ | 
regex_search('\s+/tmp\s+ffs\s+rw,(noexec,)*softdep'))
 tags:
 - fstab
 - name: /home partition is customized - softdep
 replace:
 dest: /etc/fstab
- regexp: '([^#]\s+/home\s+\S+\s+rw)(.*)'
+ regexp: '([^#]\s+/home\s+ffs\s+rw)(.*)'
 replace: '\1,softdep\2'
 when:
 - fstab_content.stdout | regex_search('\s/home\s')
- - not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep'))
+ - not (fstab_content.stdout | regex_search('\s+/home\s+ffs\s+rw,softdep'))
 tags:
 - fstab
From a7b96d9f676285c7d325e34f0266f0de2808ad34 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 15 Oct 2020 09:57:02 +0200
Subject: [PATCH 134/150] Fstab : we now also add noatime to each partitions
---
 roles/base/handlers/main.yml | 27 +++++++++++++++-
 roles/base/tasks/fstab.yml | 62 +++++++++++++++++++++++++++++++++++-
 2 files changed, 87 insertions(+), 2 deletions(-)
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
index 7d18f17..13c34bc 100644
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -2,7 +2,32 @@
 - name: newaliases
 shell: smtpctl update table aliases
-- name: remount /tmp
+- name: remount / noatime
+ command: mount -u -o noatime /
+ args:
+ warn: false
+
+- name: remount /var noatime
+ command: mount -u -o noatime /var
+ args:
+ warn: false
+
+- name: remount /usr noatime
+ command: mount -u -o noatime /usr
+ args:
+ warn: false
+
+- name: remount /tmp noexec
 command: mount -u -o noexec /tmp
 args:
 warn: false
+
+- name: remount /tmp noatime
+ command: mount -u -o noatime /tmp
+ args:
+ warn: false
+
+- name: remount /home noatime
+ command: mount -u -o noatime /home
+ args:
+ warn: false
diff --git a/roles/base/tasks/fstab.yml b/roles/base/tasks/fstab.yml
index 64bf644..23a9af9 100644
--- a/roles/base/tasks/fstab.yml
+++ b/roles/base/tasks/fstab.yml
@@ -19,6 +19,18 @@
 tags:
 - fstab
+- name: / partition is customized - noatime
+ replace:
+ dest: /etc/fstab
+ regexp: '([^#]\s+/\s+ffs\s+rw)(\S*)(\s+.*)'
+ replace: '\1\2,noatime\3'
+ notify: remount / noatime
+ when:
+ - fstab_content.stdout | regex_search('\s/\s')
+ - not (fstab_content.stdout | regex_search('\s+/\s+ffs\s+rw\S*noatime'))
+ tags:
+ - fstab
+
 - name: /var partition is customized - softdep
 replace:
 dest: /etc/fstab
@@ -30,6 +42,18 @@
 tags:
 - fstab
+- name: /var partition is customized - noatime
+ replace:
+ dest: /etc/fstab
+ regexp: '([^#]\s+/var\s+ffs\s+rw)(\S*)(\s+.*)'
+ replace: '\1\2,noatime\3'
+ notify: remount /var noatime
+ when:
+ - fstab_content.stdout | regex_search('\s/var\s')
+ - not (fstab_content.stdout | regex_search('\s+/var\s+ffs\s+rw\S*noatime'))
+ tags:
+ - fstab
+
 - name: /usr partition is customized - softdep
 replace:
 dest: /etc/fstab
@@ -41,11 +65,24 @@
 tags:
 - fstab
+- name: /usr partition is customized - noatime
+ replace:
+ dest: /etc/fstab
+ regexp: '([^#]\s+/usr\s+ffs\s+rw)(\S*)(\s+.*)'
+ replace: '\1\2,noatime\3'
+ notify: remount /usr noatime
+ when:
+ - fstab_content.stdout | regex_search('\s/usr\s')
+ - not (fstab_content.stdout | regex_search('\s+/usr\s+ffs\s+rw\S*noatime'))
+ tags:
+ - fstab
+
 - name: /tmp partition is customized - noexec
 replace:
 dest: /etc/fstab
 regexp: '([^#]\s+/tmp\s+ffs\s+rw(,softdep)*)(.*)'
 replace: '\1,noexec\3'
+ notify: remount /tmp noexec
 when:
 - fstab_content.stdout | regex_search('\s/tmp\s')
 - not (fstab_content.stdout
@@ -58,7 +95,6 @@
 dest: /etc/fstab
 regexp: '([^#]\s+/tmp\s+ffs\s+rw)(.*)'
 replace: '\1,softdep\2'
- notify: remount /tmp
 when:
 - fstab_content.stdout | regex_search('\s/tmp\s')
 - not (fstab_content.stdout
@@ -66,6 +102,18 @@
 tags:
 - fstab
+- name: /tmp partition is customized - noatime
+ replace:
+ dest: /etc/fstab
+ regexp: '([^#]\s+/tmp\s+ffs\s+rw)(\S*)(\s+.*)'
+ replace: '\1\2,noatime\3'
+ notify: remount /tmp noatime
+ when:
+ - fstab_content.stdout | regex_search('\s/tmp\s')
+ - not (fstab_content.stdout | regex_search('\s+/tmp\s+ffs\s+rw\S*noatime'))
+ tags:
+ - fstab
+
 - name: /home partition is customized - softdep
 replace:
 dest: /etc/fstab
@@ -76,3 +124,15 @@
 - not (fstab_content.stdout | regex_search('\s+/home\s+ffs\s+rw,softdep'))
 tags:
 - fstab
+
+- name: /home partition is customized - noatime
+ replace:
+ dest: /etc/fstab
+ regexp: '([^#]\s+/home\s+ffs\s+rw)(\S*)(\s+.*)'
+ replace: '\1\2,noatime\3'
+ notify: remount /home noatime
+ when:
+ - fstab_content.stdout | regex_search('\s/home\s')
+ - not (fstab_content.stdout | regex_search('\s+/home\s+ffs\s+rw\S*noatime'))
+ tags:
+ - fstab
From 4a0e552691ddd6b8cfce192532a86f40015947a8 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 15 Oct 2020 10:21:02 +0200
Subject: [PATCH 135/150] Import evocheck v.6.7.6
---
 roles/evocheck/files/evocheck.sh | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh
index 3bde7ac..857c5e0 100644
--- a/roles/evocheck/files/evocheck.sh
+++ b/roles/evocheck/files/evocheck.sh
@@ -3,7 +3,7 @@
 # EvoCheck
 # Script to verify compliance of an OpenBSD server powered by Evolix
-readonly VERSION="6.7.5"
+readonly VERSION="6.7.6"
 # Disable LANG*
@@ -101,6 +101,18 @@ check_tmpnoexec(){
 mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option"
 }
+check_softdep(){
+ if [ $(grep -c softdep /etc/fstab) -ne $(grep -c ffs /etc/fstab) ]; then
+ failed "IS_SOFTDEP" "All partitions should have the softdep option"
+ fi
+}
+
+check_noatime(){
+ if [ $(mount | grep -c noatime) -ne $(grep -c ffs /etc/fstab) ]; then
+ failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
+ fi
+}
+
 check_tmoutprofile(){
 grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
 }
@@ -209,10 +221,6 @@ check_pfenabled(){
 check_pfcustom(){
 }
-check_softdep(){
- grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP" ""
-}
-
 check_wheel(){
 if [ -f /etc/sudoers ]; then
 grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL" ""
@@ -346,6 +354,8 @@ main() {
 test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
 test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec
+ test "${IS_SOFTDEP:=1}" = 1 && check_softdep
+ test "${IS_NOATIME:=1}" = 1 && check_noatime
 test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
 test "${IS_RAIDOK:=1}" = 1 && check_raidok
 test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
@@ -358,7 +368,6 @@ main() {
 test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
 test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
 test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom
- test "${IS_SOFTDEP:=1}" = 1 && check_softdep
 test "${IS_WHEEL:=1}" = 1 && check_wheel
 test "${IS_PKGMIRROR:=1}" = 1 && check_pkgmirror
 test "${IS_HISTORY:=1}" = 1 && check_history
From 78686b8730d2794bf5fa85bf696b3f1951bb49b4 Mon Sep 17 00:00:00 2001
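Review bot: `check_softdep` and `check_noatime` compare raw `grep -c` totals without anchoring, so a commented-out fstab entry, the string `ffs` in a comment, or a non-ffs mount that carries `noatime` in `mount` output all shift the counts and can yield both false failures and false passes; the unquoted `$(...)` substitutions also leave `[` with a malformed expression if a grep produces no output. Count only uncommented ffs entries, e.g. `if [ "$(grep -Ec '^[^#].*[[:space:]]ffs[[:space:]]' /etc/fstab)" -ne "$(grep -Ec '^[^#].*[[:space:]]ffs[[:space:]].*softdep' /etc/fstab)" ]; then`, and for the mounted side restrict to ffs lines before counting, `mount | grep 'type ffs' | grep -c noatime`. Note also that the fstab tasks in this series only add softdep/noatime to /, /var, /usr, /tmp and /home, so a host with further ffs mount points will be reported non-compliant by these two checks although the role never touches those entries; either document that or scope the checks to the same mount points.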
From: Jeremy Dubois
Date: Thu, 15 Oct 2020 11:01:52 +0200
Subject: [PATCH 136/150] Stricter ssh and doas access - two separate groups actually needed Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in.
---
 roles/accounts/tasks/main.yml | 21 +++++++++++++--------
 roles/accounts/tasks/user.yml | 12 ++++++++++--
 roles/base/templates/doas.conf.j2 | 4 ++--
 vars/main.yml | 3 ++-
 4 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml
index f238bbf..1b097c3 100644
--- a/roles/accounts/tasks/main.yml
+++ b/roles/accounts/tasks/main.yml
@@ -1,7 +1,12 @@
 ---
-- name: "Create {{ evobsd_group }} group"
+- name: "Create {{ evobsd_ssh_group }} group"
 group:
- name: "{{ evobsd_group }}"
+ name: "{{ evobsd_ssh_group }}"
+ system: true
+
+- name: "Create {{ evobsd_sudo_group }} group"
+ group:
+ name: "{{ evobsd_sudo_group }}"
 system: true
 - name: Create user accounts
@@ -35,10 +40,10 @@
 ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
-- name: "Add AllowGroups sshd directive with '{{ evobsd_group }}'"
+- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
 lineinfile:
 dest: /etc/ssh/sshd_config
- line: "\nAllowGroups {{ evobsd_group }}"
+ line: "\nAllowGroups {{ evobsd_ssh_group }}"
 insertafter: 'Subsystem'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
@@ -46,11 +51,11 @@
 - ssh_allowgroups
 - grep_allowgroups_ssh.rc == 1
-- name: "Append '{{ evobsd_group }}' to AllowGroups sshd directive"
+- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
 replace:
 dest: /etc/ssh/sshd_config
- regexp: '^(AllowGroups ((?!\b{{ evobsd_group }}\b).)*)$'
- replace: '\1 {{ evobsd_group }}'
+ regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
+ replace: '\1 {{ evobsd_ssh_group }}'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when:
@@ -64,7 +69,7 @@
 block: |
 Match Address {{ evolix_trusted_ips | join(',') }}
 PasswordAuthentication yes
- Match Group {{ evobsd_group }}
+ Match Group {{ evobsd_ssh_group }}
 PasswordAuthentication no
 insertafter: EOF
 validate: '/usr/sbin/sshd -t -f %s'
diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml
index fb4da6b..b0965f9 100644
--- a/roles/accounts/tasks/user.yml
+++ b/roles/accounts/tasks/user.yml
@@ -38,10 +38,18 @@
 tags:
 - admin
-- name: "Add {{ user.name }} to {{ evobsd_group }} group"
+- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
 user:
 name: "{{ user.name }}"
- groups: "{{ evobsd_group }}"
+ groups: "{{ evobsd_ssh_group }}"
+ append: true
+ tags:
+ - admin
+
+- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
+ user:
+ name: "{{ user.name }}"
+ groups: "{{ evobsd_sudo_group }}"
 append: true
 tags:
 - admin
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
index 2b83565..166436f 100644
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
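Review bot: The new task in roles/accounts/tasks/user.yml adds every account that passes through this file to `{{ evobsd_sudo_group }}` unconditionally, immediately after adding it to `{{ evobsd_ssh_group }}`, so the two groups this commit introduces end up with identical membership and the ssh-only access the commit message describes ("A client user will be added to the ssh group") cannot actually be expressed. Gate the sudo-group task on a per-account attribute, e.g. `when: user.sudo | default(false)` (attribute name is a placeholder to be chosen), so that doas/sudo access is an explicit decision per user rather than the default. The loop that binds `user` starts outside the hunk.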
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
-permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
+permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
 permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
 permit nopass _collectd as root cmd /bin/cat
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
diff --git a/vars/main.yml b/vars/main.yml
index bccc5d4..38f109c 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -24,7 +24,8 @@
 # evomaintenance_urgency_from: mama.doe@example.com
 # evomaintenance_urgency_tel: "06.00.00.00.00"
 #
-evobsd_group: "evolix"
+# evobsd_ssh_group: "foo-ssh"
+# evobsd_sudo_group: "foo-sudo"
 #
 # evolix_users:
 # foo:
From 9eeba0c0ab40eb135bd72476f5384f5cc20fc715 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Tue, 20 Oct 2020 15:06:03 +0200
Subject: [PATCH 137/150] Add a doas authorization for NRPE
---
 roles/base/templates/doas.conf.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
index 166436f..f99f8c1 100644
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
@@ -15,3 +15,4 @@ permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
From 5ef4a403d2391c2a7c0f6bf0bbcb8687d7b59c90 Mon Sep 17 00:00:00 2001
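Review bot: The vars/main.yml hunk replaces the active `evobsd_group: "evolix"` with two commented-out examples, so `evobsd_ssh_group` and `evobsd_sudo_group` have no value in this file while roles/accounts/tasks/main.yml, user.yml and doas.conf.j2 reference them unconditionally; unless they are defined somewhere not visible in this series, group creation, the AllowGroups edits and the doas template all abort on an undefined variable. Either keep real defaults here (`evobsd_ssh_group: "evolix-ssh"` / `evobsd_sudo_group: "evolix-sudo"`, sample values) or add an early `assert` task that checks both are defined, so a run fails before it starts editing sshd_config and doas.conf.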
From: Jeremy Dubois
Date: Tue, 20 Oct 2020 15:57:35 +0200
Subject: [PATCH 138/150] We should be able to execute evomaintence.sh as soon as we can SSH to the server
---
 roles/base/templates/doas.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/base/templates/doas.conf.j2 b/roles/base/templates/doas.conf.j2
index f99f8c1..7653918 100644
--- a/roles/base/templates/doas.conf.j2
+++ b/roles/base/templates/doas.conf.j2
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_sudo_group }}
 permit nopass root
-permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_sudo_group }} as root cmd /usr/share/scripts/evomaintenance.sh
+permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as root cmd /usr/share/scripts/evomaintenance.sh
 permit nopass _collectd as root cmd /bin/cat
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
From 44d145e33b8cfde53f8cf90230d956d40bf09d08 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 21 Oct 2020 10:52:39 +0200
Subject: [PATCH 139/150] Add "create; true" to task, needed when running in check mode
---
 roles/etc-git/tasks/main.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/roles/etc-git/tasks/main.yml b/roles/etc-git/tasks/main.yml
index f3ef13e..f36f9d6 100644
--- a/roles/etc-git/tasks/main.yml
+++ b/roles/etc-git/tasks/main.yml
@@ -94,6 +94,9 @@
 line: 'next_part "Checking /etc git status:"'
 insertbefore: '/usr/local/bin/git --git-dir=/etc/.git --work-tree=/etc status --short'
+ owner: root
+ mode: "0644"
+ create: true
 when: etc_git_monitor_status
 tags:
 - etc-git
From 42f5d2c10e9e374f321ae87d3573bae3c4835746 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 21 Oct 2020 15:47:23 +0200
Subject: [PATCH 140/150] Add "create; true" to other task, needed when running in check mode
---
 roles/evocheck/tasks/install.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/evocheck/tasks/install.yml b/roles/evocheck/tasks/install.yml
index 43338ef..d67e430 100644
--- a/roles/evocheck/tasks/install.yml
+++ b/roles/evocheck/tasks/install.yml
@@ -37,10 +37,13 @@
 tags:
 - evocheck
-- name: Add evocheck cron
+- name: Add evocheck cron next_part
 lineinfile:
 path: /etc/daily.local
 line: 'next_part "Evocheck output:"'
 insertbefore: 'sh /usr/share/scripts/evocheck.sh --verbose --cron'
+ owner: root
+ mode: "0644"
+ create: true
 tags:
 - evocheck
From d7701d32daa76666403516051872d7b8f7be4995 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 22 Oct 2020 10:34:13 +0200
Subject: [PATCH 141/150] Comment on checks that cannot be used as is - v3
---
 roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
index 16fe8dc..6273506 100644
--- a/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
+++ b/roles/nagios-nrpe/templates/evolix_bsd.cfg.j2
@@ -37,7 +37,7 @@ command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/
 # Local checks (not packaged)
 #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD
 #command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run
-command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master
+#command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master
 command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20 -c 10
 #command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME"
 command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states
From 4db9d006a23f5b964835c3100455443e0463a697 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 22 Oct 2020 11:28:06 +0200
Subject: [PATCH 142/150] Allow evolinux-sudo group to sudo evolinux-sudo group can already use doas, it should also be allowed to use sudo
---
 roles/base/tasks/sudo.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/base/tasks/sudo.yml b/roles/base/tasks/sudo.yml
index 1d71391..980d064 100644
--- a/roles/base/tasks/sudo.yml
+++ b/roles/base/tasks/sudo.yml
@@ -36,6 +36,7 @@
 block: |
 Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh
 %wheel ALL=NOPASSWD: MAINT
+ %evolinux-sudo ALL=(ALL) SETENV: ALL
 validate: 'visudo -cf %s'
 backup: false
 tags:
From 4012a014ce21b8b4dbf7c2f044ab21e5175680db Mon Sep 17 00:00:00 2001
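Review bot: `%evolinux-sudo ALL=(ALL) SETENV: ALL` hard-codes the group name whereas the doas template in this same series keys the equivalent rule on `{{ evobsd_sudo_group }}`; if that variable is set to any other name, sudo ends up granting root to a group that may not exist on the host while the intended group gets nothing. Use the same variable, `%{{ evobsd_sudo_group }} ALL=(ALL) SETENV: ALL`, so both privilege paths stay in sync. Also reconsider `SETENV:` — it lets members override sudo's `env_reset` for every command, while the doas rule above achieves the same need with an explicit `setenv {…}` list; an `env_keep` entry for the few variables actually needed is the narrower equivalent. The `blockinfile` task starts outside the hunk.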
From: Jeremy Dubois
Date: Thu, 22 Oct 2020 11:52:54 +0200
Subject: [PATCH 143/150] =?UTF-8?q?Add=20user=20with=20legacy=20hash=20($2?=
 =?UTF-8?q?a=E2=80=A6)=20instead=20of=20current=20hash=20($2b=E2=80=A6)=20?=
 =?UTF-8?q?for=20OpenBSD=20versions=20older=20than=205.7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/accounts/tasks/user.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml
index b0965f9..8964b0f 100644
--- a/roles/accounts/tasks/user.yml
+++ b/roles/accounts/tasks/user.yml
@@ -5,6 +5,20 @@
 name: "{{ user.name }}"
 gid: "{{ user.uid }}"
+- name: "User '{{ user.name }}' is present with legacy hash"
+ user:
+ state: present
+ name: '{{ user.name }}'
+ uid: '{{ user.uid }}'
+ password: "{{ user.password_hash_openbsd_legacy }}"
+ group: "{{ user.name }}"
+ groups: wheel
+ shell: /bin/ksh
+ append: true
+ when: ansible_distribution_version is version_compare("5.7",'<')
+ tags:
+ - admin
+
 - name: "User '{{ user.name }}' is present"
 user:
 state: present
@@ -15,6 +29,7 @@
 groups: wheel
 shell: /bin/ksh
 append: true
+ when: ansible_distribution_version is version_compare("5.7",'>=')
 tags:
 - admin
From f648f332ddc18f3019e521e3e139b321c34f3365 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 22 Oct 2020 18:18:28 +0200
Subject: [PATCH 144/150] Import 6.7.7 evocheck version
---
 roles/evocheck/files/evocheck.sh | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh
index 857c5e0..73a7ef7 100644
--- a/roles/evocheck/files/evocheck.sh
+++ b/roles/evocheck/files/evocheck.sh
@@ -3,7 +3,7 @@
 # EvoCheck
 # Script to verify compliance of an OpenBSD server powered by Evolix
-readonly VERSION="6.7.6"
+readonly VERSION="6.7.7"
 # Disable LANG*
@@ -121,7 +121,7 @@ check_raidok(){
 egrep 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1
 RESULT=$?
 if [ $RESULT -eq 0 ]; then
- raid_device=$(egrep 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }')
+ raid_device=$(egrep 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }' | tail -1)
 raid_status=$(bioctl $raid_device | grep softraid | awk '{ print $3 }')
 if [ $raid_status != "Online" ]; then
 failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations"
@@ -138,7 +138,7 @@ check_evobackup(){
 }
 check_uptodate(){
- if [ -f $(command -v syspatch) ]; then
+ if [ $(command -v syspatch) ]; then
 if syspatch -c | egrep "." 1> /dev/null 2>&1; then
 failed "IS_UPTODATE" "Security update available! Update with syspatch(8)!"
 fi
@@ -347,6 +347,12 @@ check_ntp(){
 fi
 }
+check_openvpncronlog(){
+ if /etc/rc.d/openvpn check > /dev/null 2>&1; then
+ grep -q 'cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo "$(date +\\%F. .\\%R) - logfile turned over via cron" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name "openvpn.log.\*" -mtime .365 -exec rm {} \\+' /var/cron/tabs/root || failed "IS_OPENVPNCRONLOG" "OpenVPN is enabled but there is no log rotation in the root crontab, or the cron is not up to date (OpenVPN log rotation in newsyslog is not used because a restart is needed)."
+ fi
+}
+
 main() {
 # Default return code : 0 = no error
@@ -387,6 +393,7 @@ main() {
 test "${IS_SYNC:=1}" = 1 && check_sync
 test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute
 test "${IS_NTP:=1}" = 1 && check_ntp
+ test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
 exit ${RC}
 }
From 5540aea87d8e1ffe8b831b9a1516e709064edcbd Mon Sep 17 00:00:00 2001
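Review bot: Piping the dmesg match through `tail -1` makes check_raidok inspect only the last RAID volume named in /var/run/dmesg.boot, so on a host with several softraid volumes a degraded earlier volume is no longer reported. Iterate over every distinct device instead, as below; `sort -u` also covers the duplicate-match case that `tail -1` was presumably added for. The rewrite quotes `$raid_device` and `$raid_status` so an empty bioctl result yields a failure report rather than a `[` syntax error. The opening of check_raidok and the remainder of the `if` lie outside the hunk.
```shell
  if [ $RESULT -eq 0 ]; then
    for raid_device in $(egrep 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }' | sort -u); do
      raid_status=$(bioctl "$raid_device" | grep softraid | awk '{ print $3 }')
      if [ "$raid_status" != "Online" ]; then
        failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations"
      fi
    done
    # … unchanged: rest of the RESULT branch …
```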
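Review bot: `if [ $(command -v syspatch) ]; then` in check_uptodate relies on the unquoted substitution collapsing to an empty `[ ]` when syspatch is absent; it works, but the intent is not visible and ShellCheck flags the unquoted expansion. The conventional form `if [ -n "$(command -v syspatch)" ]; then` states the test explicitly and behaves the same. check_uptodate continues past the hunk.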
From: Jeremy Dubois
Date: Fri, 23 Oct 2020 10:02:26 +0200
Subject: [PATCH 145/150] Add empty vars_files for them not to generate errors
---
 .gitignore | 2 --
 vars/openbsd-secret.yml | 0
 vars/secrets.yml | 0
 3 files changed, 2 deletions(-)
 delete mode 100644 .gitignore
 create mode 100644 vars/openbsd-secret.yml
 create mode 100644 vars/secrets.yml
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 89aaa88..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-vars/secrets.yml
-vars/openbsd-secret.yml
diff --git a/vars/openbsd-secret.yml b/vars/openbsd-secret.yml
new file mode 100644
index 0000000..e69de29
diff --git a/vars/secrets.yml b/vars/secrets.yml
new file mode 100644
index 0000000..e69de29
From a26d6e13cb44949055461501beee265ab069a817 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 23 Oct 2020 10:15:57 +0200
Subject: [PATCH 146/150] yamllint line-lenght and empty-line
---
 roles/base/tasks/mail.yml | 3 ++-
 roles/post-install/tasks/motd.yml | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/roles/base/tasks/mail.yml b/roles/base/tasks/mail.yml
index 2385473..c15d4d9 100644
--- a/roles/base/tasks/mail.yml
+++ b/roles/base/tasks/mail.yml
@@ -16,7 +16,8 @@
 insertbefore: 'echo'
 create: true
 when:
- - not (rclocal_content.stdout | regex_search('date \| mail -s (\"|\')boot/reboot of \$\(hostname -s\)'))
+ - not (rclocal_content.stdout
+ | regex_search('date \| mail -s (\"|\')boot/reboot of \$\(hostname -s\)'))
 tags:
 - misc
diff --git a/roles/post-install/tasks/motd.yml b/roles/post-install/tasks/motd.yml
index 80fb511..58a0bde 100644
--- a/roles/post-install/tasks/motd.yml
+++ b/roles/post-install/tasks/motd.yml
@@ -8,7 +8,8 @@
 mode: '0755'
 - name: Fetch root crontab content
- command: 'grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root'
+ command: >
+ 'grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root'
 check_mode: false
 register: root_crontab_content
 failed_when: false
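Review bot: In the roles/post-install/tasks/motd.yml hunk, `command: >` followed by a line wrapped in single quotes makes those quotes part of the folded scalar, so the module receives the literal string `'grep "…" /var/cron/tabs/root'`; the `command` module then treats the whole quoted text as a single argv word and cannot find such an executable. Because the task sets `failed_when: false`, the error is silent, `root_crontab_content.stdout` is always empty, and the cron task that checks it (next hunk) runs on every play, which is exactly what the earlier commit tried to prevent. Drop the surrounding quotes: `command: >` on one line and `grep "/bin/sh /usr/share/scripts/motd-carp-state.sh" /var/cron/tabs/root` on the next. The task's `failed_when` line is the last one visible in this hunk.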
@@ -20,5 +21,5 @@
 job: "/bin/sh /usr/share/scripts/motd-carp-state.sh"
 disabled: true
 when:
- - not (root_crontab_content.stdout | regex_search('/bin/sh /usr/share/scripts/motd-carp-state.sh'))
-
+ - not (root_crontab_content.stdout
+ | regex_search('/bin/sh /usr/share/scripts/motd-carp-state.sh'))
From 6613c70446456e78fd5baa6f94f9ff6a5507c988 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 23 Oct 2020 10:17:12 +0200
Subject: [PATCH 147/150] =?UTF-8?q?Revert=20"Add=20user=20with=20legacy=20?=
 =?UTF-8?q?hash=20($2a=E2=80=A6)=20instead=20of=20current=20hash=20($2b?=
 =?UTF-8?q?=E2=80=A6)=20for=20OpenBSD=20versions=20older=20than=205.7"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit 4012a014ce21b8b4dbf7c2f044ab21e5175680db. Versions older than 5.7 are … old. We do not handle versions that old.
---
 roles/accounts/tasks/user.yml | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml
index 8964b0f..b0965f9 100644
--- a/roles/accounts/tasks/user.yml
+++ b/roles/accounts/tasks/user.yml
@@ -5,20 +5,6 @@
 name: "{{ user.name }}"
 gid: "{{ user.uid }}"
-- name: "User '{{ user.name }}' is present with legacy hash"
- user:
- state: present
- name: '{{ user.name }}'
- uid: '{{ user.uid }}'
- password: "{{ user.password_hash_openbsd_legacy }}"
- group: "{{ user.name }}"
- groups: wheel
- shell: /bin/ksh
- append: true
- when: ansible_distribution_version is version_compare("5.7",'<')
- tags:
- - admin
-
 - name: "User '{{ user.name }}' is present"
 user:
 state: present
@@ -29,7 +15,6 @@
 groups: wheel
 shell: /bin/ksh
 append: true
- when: ansible_distribution_version is version_compare("5.7",'>=')
 tags:
 - admin
From fd4bdf9dcc5218755c6982a3a1f24a1ae0e4d957 Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Fri, 23 Oct 2020 11:29:31 +0200
Subject: [PATCH 148/150] Update CHANGELOG and bump to version 6.8.0
---
 CHANGELOG | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index e0004f4..825c09b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -7,6 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [6.8.0] - 2020-10-23
+
+### Added
+
+- Add a PF tag to be able to skip that part when rerunning EvoBSD
+- Add a doas authorization for NRPE check_ipsecctl_critiques
+
+### Changed
+
+- The task mail.yml replace the former boot/reboot message only if it is untouched
+- Replace the variable used to set the email address in etc-git role - now using inventory_hostname
+- Not checking syspatch when OpenBSD <= 6.1
+- Amend fstab file adding noatime option to each entrie
+- Import evocheck v.6.7.7
+- Comment NRPE checks that cannot be used as is
+
+### Fixed
+
+- Add the creation of the NRPE plugins directory in nagios-nrpe role
+- Add collectd doas rights in the base role to avoid broking anything if EvoBSD is rerun without the collectd role included
+- Do not add the motd cron if the same line is already there but uncommented
+- Amend fstab entries only when the filesystem is ffs
+
 ## [6.7.2] - 2020-10-13
 ### Added
From 864f85a49adfbe5d9c3e7d731c617f9665506467 Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Fri, 23 Oct 2020 11:38:56 +0200
Subject: [PATCH 149/150] Change default Python version to 3.x
---
 hosts | 2 +-
 prerequisite.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosts b/hosts
index 680aa87..8abb464 100644
--- a/hosts
+++ b/hosts
@@ -2,4 +2,4 @@
 foo.example.com
 [openbsd:vars]
-ansible_python_interpreter=/usr/local/bin/python2.7
+ansible_python_interpreter=/usr/local/bin/python3
diff --git a/prerequisite.yml b/prerequisite.yml
index aaf5bbb..f5a76f2 100644
--- a/prerequisite.yml
+++ b/prerequisite.yml
@@ -12,6 +12,6 @@
 - name: Install ansible's prerequisite
 # yamllint disable-line rule:line-length
- raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-2
+ raw: export PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -p)/; pkg_add -z python-3
 # vim:ft=ansible
From c54d0decb8590de1d71a079103f33da9d5b0f917 Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Fri, 23 Oct 2020 11:40:22 +0200
Subject: [PATCH 150/150] Update README file - amend version number and command examples
---
 README.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 2d614ce..c3f3b2c 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# EvoBSD 6.7.2
+# EvoBSD 6.8.0
 EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix.
@@ -17,16 +17,16 @@ ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
 2. Run it
-First use (become_method: su, and var_files uncommented) :
+First use (become_method: su) :
 ```
-ansible-playbook evolixisation.yml --ask-vault-pass -CDki hosts -l HOSTNAME -u root
+ansible-playbook evolixisation.yml --ask-vault-pass -CDki hosts -u root -l HOSTNAME
 ```
 Subsequent use (become_method: sudo) :
 ```
-ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts -l HOSTNAME
+ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts --skip-tags pf -l HOSTNAME
 ```
 ### Testing
@@ -36,7 +36,7 @@ Changes can be tested by using [Packer](https://www.packer.io/) and
 * This process depends on the [Go](https://golang.org/) programming language.
-## Packages
+**Packages**
 Needing a Golang eco system and some basics
@@ -50,7 +50,7 @@ pkg_add go-- packer-- git--
 git clone https://github.com/double-p/packer-builder-openbsd-vmm.git
 ````
-## builds
+**builds**
 Set ````GOPATH```` (default: ~/go), if the 1.4GB dependencies wont fit.