Merge pull request 'Merge branch 'dev' into master' (#40) from dev into master

Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly
Use vim as default git editor for the same reason, and because its better than vi
Bump EvoBSD version : OpenBSD 7.0 is out

.gitignore

@@ -0,0 +1,2 @@
+/vars/evolinux-secrets.yml
+/vars/evolix-main.yml

CHANGELOG

@@ -7,6 +7,79 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+### Changed
+
+### Fixed
+
+### Removed
+
+## [21.12] - 2021-12-17
+
+### Changed
+
+- Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly
+- Use vim as default git editor
+- Change version pattern and fix release scheme
+
+### Added
+
+- Add a bioctl NRPE check for RAID devices
+
+## [6.9.2] - 2021-10-15
+
+### Added
+
+- Add a more complete ipsecctl check script
+- Add doas configuration for check_openvpn_certificates.sh
+
+### Fixed
+
+- Fix check_dhcpd for dhcpd server themselves : use back check_procs -c1: -C dhcpd
+- Fix check_mailq : check from monitoring-plugins current version is not compatible with opensmtpd
+
+## [6.9.1] - 2021-07-19
+
+### Added
+
+- Configure the ntpd.conf file
+
+## [6.9.0] - 2021-05-06
+
+### Changed
+
+- Remove the variable VERBOSESTATUS in daily.local configuration file since it is no longer valid.
+
+## [6.8.3] - 2021-02-15
+
+### Added
+
+- Add a customization of the logsentry configuration
+- Add a check_openvpn_certificates in NRPE and OpenVPN role to check expiration date of server CA and certificates files
+
+### Fixed
+
+- Fix the check_mem command in the NRPE role, precising the percentage sign for it not to check the memory in MB.
+- Fix the check_mem script in the NRPE role, adding cached RAM as free RAM
+- Fix motd-carp-state.sh by updating the OpenBSD release in our customized motd after an upgrade
+
+### Changed
+
+- The PF role now use a variable for trusted IPs
+
+## [6.8.2] - 2020-10-30
+
+### Added
+
+- Add a Logsentry role
+
+## [6.8.1] - 2020-10-26
+
+### Fixed
+
+- Fix a task using a register where simple quotes prevented the register to be properly filled, breaking the following task
+
 ## [6.8.0] - 2020-10-23
 
 ### Added

README.md

@@ -1,13 +1,10 @@
-# EvoBSD 6.8.0
+# EvoBSD
 
-EvoBSD is an ansible project used for customising OpenBSD hosts
-used by Evolix.
+EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix.
 
 ## How to install an OpenBSD machine
 
 **Note :** The system must be installed with a root account only.
-Put your public key in the remote root's autorized_keys
-(/root/.ssh/authorized_keys)
 
 1.  Install ansible's prerequisites
 
@@ -17,6 +14,8 @@ ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
 
 2.  Run it
 
+The variables files evolix-main.yml and evolinux-secrets.yml are customized variables for Evolix that overwrite main.yml variables. They are not needed if you are not from Evolix.
+
 First use (become_method: su) :
 
 ```
@@ -29,52 +28,8 @@ Subsequent use (become_method: sudo) :
 ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts --skip-tags pf -l HOSTNAME
 ```
 
-### Testing
-
-Changes can be tested by using [Packer](https://www.packer.io/) and
-[vmm(4)](https://man.openbsd.org/vmm.4) :
-
-*   This process depends on the [Go](https://golang.org/) programming language.
-
-**Packages**
-
-Needing a Golang eco system and some basics
-
-````
-pkg_add go-- packer-- git--
-````
-
-*   We use the [packer-builder-openbsd-vmm](https://github.com/double-p/packer-builder-openbsd-vmm) project to bridge Packer and vmm(4)
-
-````
-git clone https://github.com/double-p/packer-builder-openbsd-vmm.git
-````
-
-**builds**
-
-Set ````GOPATH```` (default: ~/go), if the 1.4GB dependencies wont fit.
-
-````
-make
-make install
-````
-
-*   You need your unprivileged user to be able to run vmctl(8) through doas(1)
-
-```
-echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf
-```
-
-See packer-builder-openbsd-vmm/examples/README.examples for further instructions
-
-*   Enable NAT on your host machine
-
-```
-pass out on em0 inet from tap0:network to any nat-to (em0)
-```
-*assuming em0 is your egress interface*
-
 ## Contributions
+
 See the [contribution guidelines](CONTRIBUTING.md)
 
 ## License

evolixisation.yml

@@ -16,8 +16,8 @@
 
   vars_files:
     - vars/main.yml
-    - vars/secrets.yml
-    - vars/openbsd-secret.yml
+    - vars/evolix-main.yml
+    - vars/evolinux-secrets.yml
 
   roles:
     - etc-git
@@ -40,6 +40,3 @@
     - include_role:
         name: evocheck
         tasks_from: exec.yml
-
-#  environment:
-# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"

hosts

@@ -1,5 +1,5 @@
 [openbsd]
-foo.example.com
+foo.example.com ansible_host=192.0.2.1
 
 [openbsd:vars]
-ansible_python_interpreter=/usr/local/bin/python3
+ansible_python_interpreter=/usr/local/bin/python3.9

roles/base/defaults/main.yml

@@ -1,6 +1,5 @@
 ---
-ntpd_servers:
-  - "ntp.evolix.net"
+ntpd_servers: "ntp.evolix.net"
 
 general_alert_email: "root@localhost"
 general_technical_realm: "example.com"

roles/base/files/zzz_evobackup

@@ -30,19 +30,20 @@ SERVERS="node0.backup.example.com:2XXX node1.backup.example.com:2XXX"
 SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
 
 # timeout (in seconds) for SSH connections
-SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-30}
+SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90}
 
-## We use /home/backup : feel free to use your own dir
+# We use /home/backup : feel free to use your own dir
 LOCAL_BACKUP_DIR="/home/backup"
 
 # You can set "linux" or "bsd" manually or let it choose automatically
 SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
 
-# Change these 2 variables if you have more than one backup cron
-PIDFILE="/var/run/evobackup.pid"
-LOGFILE="/var/log/evobackup.log"
+# Store pid and logs in a file named after this program's name
+PROGNAME=$(basename $0)
+PIDFILE="/var/run/${PROGNAME}.pid"
+LOGFILE="/var/log/${PROGNAME}.log"
 
-## Enable/Disable tasks
+# Enable/Disable tasks
 LOCAL_TASKS=${LOCAL_TASKS:-1}
 SYNC_TASKS=${SYNC_TASKS:-1}
 
@@ -83,7 +84,7 @@ test_server() {
     else
         # SSH connection failed
         new_error=$(printf "Failed to connect to \`%s' within %s seconds" "${item}" "${SSH_CONNECT_TIMEOUT}")
-        SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
+        SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
 
         return 1
     fi
@@ -96,16 +97,16 @@ pick_server() {
     if [ "${increment}" -ge "${list_length}" ]; then
         # We've reached the end of the list
         new_error="No more server available"
-        SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
+        SERVERS_SSH_ERRORS=$(printf "%s\\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d')
 
         # Log errors to stderr
-        printf "%s\n" "${SERVERS_SSH_ERRORS}" >&2
+        printf "%s\\n" "${SERVERS_SSH_ERRORS}" >&2
         # Log errors to logfile
-        printf "%s\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE
+        printf "%s\\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE
         return 1
     fi
 
-    # Extract the day of month, without leading 0 (which would give an octal based number) 
+    # Extract the day of month, without leading 0 (which would give an octal based number)
     today=$(date +%e)
     # A salt is useful to randomize the starting point in the list
     # but stay identical each time it's called for a server (based on hostname).
@@ -123,14 +124,14 @@ pick_server() {
 if [ -e "${PIDFILE}" ]; then
     pid=$(cat "${PIDFILE}")
     # Does process still exist ?
-    if kill -0 ${pid} 2> /dev/null; then
+    if kill -0 "${pid}" 2> /dev/null; then
         # Killing the childs of evobackup.
         for ppid in $(pgrep -P "${pid}"); do
             kill -9 "${ppid}";
         done
         # Then kill the main PID.
         kill -9 "${pid}"
-        printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\n" >&2
+        printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\\n" >&2
     else
         rm -f ${PIDFILE}
     fi
@@ -145,6 +146,8 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
     # You can comment or uncomment sections below to customize the backup
 
     ## OpenLDAP : example with slapcat
+    # slapcat -n 0 -l ${LOCAL_BACKUP_DIR}/config.ldap.bak
+    # slapcat -n 1 -l ${LOCAL_BACKUP_DIR}/data.ldap.bak
     # slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak
 
     ## MySQL
@@ -160,29 +163,33 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
     # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 -Q --opt --events --hex-blob --skip-comments \
     #  --fields-enclosed-by='\"' --fields-terminated-by=',' -T /home/mysqldump/$i $i; done
 
+    ## Dump all grants (requires 'percona-toolkit' package)
+    # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
+    # pt-show-grants --flush --no-header > ${LOCAL_BACKUP_DIR}/mysql/all_grants.sql
+
     ## example with SQL dump (schema only, no data) for each databases
-    # mkdir -p -m 700 /home/mysqldump/
+    # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
     # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
     # | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
-    #     mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > /home/mysqldump/${i}.schema.sql
+    #     mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > ${LOCAL_BACKUP_DIR}/mysql/${i}.schema.sql
     # done
 
     ## example with compressed SQL dump (with data) for each databases
-    # mkdir -p -m 700 /home/mysqldump/
+    # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/
     # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \
     # | egrep -v "^(Database|information_schema|performance_schema|sys)"); do
-    #     mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz
+    #     mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > ${LOCAL_BACKUP_DIR}/mysql/${i}.sql.gz
     # done
 
     ## example with *one* uncompressed SQL dump for *one* database (MYBASE)
-    # mkdir -p -m 700 /home/mysqldump/MYBASE
-    # chown -RL mysql /home/mysqldump/
+    # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/MYBASE
+    # chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/
     # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \
-    # --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE
+    # --opt --events --hex-blob --skip-comments -T ${LOCAL_BACKUP_DIR}/mysql/MYBASE MYBASE
 
     ## example with mysqlhotcopy
-    # mkdir -p -m 700 /home/mysqlhotcopy/
-    # mysqlhotcopy BASE /home/mysqlhotcopy/
+    # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/
+    # mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/
 
     ## example for multiples MySQL instances
     # mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3)
@@ -225,7 +232,14 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
     ## Redis
 
     ## example with copy .rdb file
+    ## for the default instance :
     # cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/
+    ## for multiple instances :
+    # for instance in $(ls -d /var/lib/redis-*); do
+    #     name=$(basename $instance)
+    #     mkdir -p ${LOCAL_BACKUP_DIR}/${name}
+    #     cp -a ${instance}/dump.rdb ${LOCAL_BACKUP_DIR}/${name}
+    # done
 
     ## ElasticSearch
 
@@ -295,12 +309,13 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
 
         ## Dump findmnt(8) output
         FINDMNT_BIN=$(command -v findmnt)
-        if [ -x ${FINDMNT_BIN} ]; then
+        if [ -x "${FINDMNT_BIN}" ]; then
             ${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt
         fi
     else
-        ## Dump network connections with netstat
-        netstat -finet -atn > ${LOCAL_BACKUP_DIR}/netstat.out
+        ## Dump network connections with fstat
+        fstat | head -1 > ${LOCAL_BACKUP_DIR}/netstat.out
+        fstat | grep internet >> ${LOCAL_BACKUP_DIR}/netstat.out
 
         ## List OpenBSD packages
         pkg_info -m > ${LOCAL_BACKUP_DIR}/packages
@@ -362,36 +377,52 @@ if [ "${SYNC_TASKS}" = "1" ]; then
     # Remote shell command
     RSH_COMMAND="ssh -p ${SSH_PORT} -o 'ConnectTimeout ${SSH_CONNECT_TIMEOUT}'"
 
-    rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \
+    # ignore check because we want it to split the different arguments to $rep
+    # shellcheck disable=SC2086
+    rsync -avzh --relative --stats --delete --delete-excluded --force --ignore-errors --partial \
+        --exclude "dev"                                    \
         --exclude "lost+found"                             \
         --exclude ".nfs.*"                                 \
-        --exclude "/var/log"                               \
-        --exclude "/var/log/evobackup*"                    \
+        --exclude "/usr/doc"                               \
+        --exclude "/usr/obj"                               \
+        --exclude "/usr/share/doc"                         \
+        --exclude "/usr/src"                               \
+        --exclude "/var/apt"                               \
+        --exclude "/var/cache"                             \
+        --exclude "/var/lib/amavis/amavisd.sock"           \
+        --exclude "/var/lib/amavis/tmp"                    \
+        --exclude "/var/lib/clamav/*.tmp"                  \
+        --exclude "/var/lib/elasticsearch"                 \
+        --exclude "/var/lib/metche"                        \
+        --exclude "/var/lib/munin/*tmp*"                   \
+        --exclude "/var/db/munin/*.tmp"                    \
         --exclude "/var/lib/mysql"                         \
+        --exclude "/var/lib/php5"                          \
+        --exclude "/var/lib/php/sessions"                  \
         --exclude "/var/lib/postgres"                      \
         --exclude "/var/lib/postgresql"                    \
         --exclude "/var/lib/sympa"                         \
-        --exclude "/var/lib/metche"                        \
-        --exclude "/var/run"                               \
         --exclude "/var/lock"                              \
-        --exclude "/var/state"                             \
-        --exclude "/var/apt"                               \
-        --exclude "/var/cache"                             \
-        --exclude "/usr/src"                               \
-        --exclude "/usr/doc"                               \
-        --exclude "/usr/share/doc"                         \
-        --exclude "/usr/obj"                               \
-        --exclude "dev"                                    \
+        --exclude "/var/log"                               \
+        --exclude "/var/log/evobackup*"                    \
+        --exclude "/var/run"                               \
         --exclude "/var/spool/postfix"                     \
-        --exclude "/var/lib/amavis/amavisd.sock"           \
-        --exclude "/var/lib/munin/*tmp*"                   \
-        --exclude "/var/lib/php5"                          \
+        --exclude "/var/spool/smtpd"                       \
         --exclude "/var/spool/squid"                       \
-        --exclude "/var/lib/elasticsearch"                 \
-        --exclude "/var/lib/amavis/tmp"                    \
-        --exclude "/var/lib/clamav/*.tmp"                  \
+        --exclude "/var/state"                             \
+        --exclude "lxc/*/rootfs/usr/doc"                   \
+        --exclude "lxc/*/rootfs/usr/obj"                   \
+        --exclude "lxc/*/rootfs/usr/share/doc"             \
+        --exclude "lxc/*/rootfs/usr/src"                   \
+        --exclude "lxc/*/rootfs/var/apt"                   \
+        --exclude "lxc/*/rootfs/var/cache"                 \
+        --exclude "lxc/*/rootfs/var/lib/php5"              \
+        --exclude "lxc/*/rootfs/var/lib/php/sessions"      \
+        --exclude "lxc/*/rootfs/var/lock"                  \
+        --exclude "lxc/*/rootfs/var/log"                   \
+        --exclude "lxc/*/rootfs/var/run"                   \
+        --exclude "lxc/*/rootfs/var/state"                 \
         --exclude "/home/mysqltmp"                         \
-        --exclude "/var/lib/php/sessions"                  \
             ${rep}                                         \
             /etc                                           \
             /root                                          \
@@ -406,11 +437,11 @@ fi
 
 END=$(/bin/date +"%d-%m-%Y ; %H:%M")
 
-printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \
+printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \
        "${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
        >> $LOGFILE
 
-printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \
+printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\\n" \
        "${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \
        >> $LOGFILE
 

roles/base/handlers/main.yml

@@ -31,3 +31,8 @@
   command: mount -u -o noatime /home
   args:
     warn: false
+
+- name: reload ntp
+  service:
+    name: ntpd
+    state: restarted

roles/base/tasks/cron.yml

@@ -5,15 +5,4 @@
     env: true
     value: "{{ cron_root_path }}"
   tags:
-    - cron
-
-- name: Customize daily.local environment
-  lineinfile:
-    path: /etc/daily.local
-    line: 'VERBOSESTATUS=0'
-    insertbefore: BOF
-    owner: root
-    mode: "0644"
-    create: true
-  tags:
-    - cron
+    - cron

roles/base/tasks/evomaintenance.yml

@@ -15,10 +15,10 @@
     dest: "{{ item.dest }}"
     owner: 'root'
     group: 'wheel'
-    mode: '0755'
+    mode: '{{ item.mode }}'
   with_items:
-    - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'}
-    - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'}
+    - {src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700'}
+    - {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600'}
   tags:
     - evomaintenance
     - script-evomaintenance

roles/base/tasks/main.yml

@@ -10,3 +10,4 @@
 - include: newsyslog.yml
 - include: cron.yml
 - include: fstab.yml
+- include: ntp.yml

roles/base/tasks/ntp.yml

@@ -0,0 +1,30 @@
+---
+- name: Retrieve ntpd.conf content
+  command: cat ntpd.conf
+  args:
+    chdir: /etc/
+  check_mode: no
+  register: ntpd_conf
+  tags:
+    - ntp
+
+- name: Empty ntpd.conf before customizing it
+  file:
+    path: /etc/ntpd.conf
+    state: absent
+  when: ntpd_conf.stdout is not regex("^server ntp.evolix.net$")
+  tags:
+    - ntp
+
+- name: Customize ntpd conf
+  lineinfile:
+    path: /etc/ntpd.conf
+    line: "server {{ ntpd_servers }}"
+    create: yes
+    owner: root
+    group: wheel
+    mode: '0644'
+  notify:
+    - reload ntp
+  tags:
+    - ntp

roles/base/templates/doas.conf.j2

@@ -5,8 +5,7 @@ permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as
 permit nopass _collectd as root cmd /bin/cat
 permit nopass _collectd as root cmd /usr/sbin/bgpctl
 permit nopass _nrpe as root cmd /sbin/bioctl args sd2
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
-permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
@@ -16,3 +15,4 @@ permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_state
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
 permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
+permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh

roles/base/templates/profile.j2

@@ -4,6 +4,8 @@
 
 PATH="{{ evobsd_path }}"
 export PATH HOME TERM
+export LANG="en_US.UTF-8"
+export LC_ALL="en_US.UTF-8"
 export PS1="\u@\h:\w\\$ "
 HISTFILE=$HOME/.histfile
 export HISTSIZE=10000

roles/etc-git/files/gitignore

@@ -1,3 +1,4 @@
 aliases.db
 *.swp
 random.seed
+openvpn/ipp.txt

roles/etc-git/tasks/main.yml

@@ -44,6 +44,12 @@
   tags:
     - etc-git
 
+- name: Set vim as default editor
+  git_config:
+    name: core.editor
+    scope: global
+    value: vim
+
 - name: does /etc/ have any commit?
   command: "git log"
   args:
@@ -118,7 +124,7 @@
 - name: hourly cron job for /etc/.git status is installed
   cron:
     name: git status
-    minute: 42
+    minute: "42"
     job: >
       who
       > /dev/null

roles/evocheck/files/evocheck.sh

@@ -3,7 +3,7 @@
 # EvoCheck
 # Script to verify compliance of an OpenBSD server powered by Evolix
 
-readonly VERSION="6.7.7"
+readonly VERSION="21.09"
 
 # Disable LANG*
 
@@ -108,13 +108,17 @@ check_softdep(){
 }
 
 check_noatime(){
-    if [ $(mount | grep -c noatime) -ne $(grep -c ffs /etc/fstab) ]; then
+    if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then
         failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
     fi
 }
 
 check_tmoutprofile(){
-    grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
+    if [ -f /etc/skel/.profile ]; then
+        grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
+    else
+        failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'"
+    fi
 }
 
 check_raidok(){
@@ -176,7 +180,7 @@ check_gitperms(){
     test -d /etc/.git && [ "$(stat -f %p /etc/.git/)" = "40700" ] || failed "IS_GITPERMS" "The directiry /etc/.git sould be in 700"
 }
 
-check_advbase(){
+check_carpadvbase(){
     if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
         bad_advbase=0
         for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
@@ -185,21 +189,21 @@ check_advbase(){
         fi
         done
         if [[ "$bad_advbase" -eq 1 ]]; then
-            failed "IS_ADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
+            failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
         fi
     fi
 }
 
-check_preempt(){
+check_carppreempt(){
     if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
         preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
         if [[ "$preempt" -ne 1 ]]; then
-            failed "IS_PREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
+            failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
         fi
         if [ -f /etc/sysctl.conf ]; then
-            grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_PREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
+            grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
         else
-        failed "IS_PREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
+        failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
         fi
     fi
 }
@@ -353,6 +357,29 @@ check_openvpncronlog(){
     fi
 }
 
+check_carpadvskew(){
+    if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
+        for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
+            ifconfig $carp | grep -q master
+            master=$?
+            ifconfig $carp | grep -q backup
+            backup=$?
+            advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
+            if [ "$master" -eq 0 ]; then
+                if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then
+                    failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
+                fi
+            elif [ "$backup" -eq 0 ]; then
+                if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then
+                    failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
+                fi
+            else
+                failed "IS_CARPADVSKEW" "Interface $carp is neither master nor backup. Check interface state."
+            fi
+        done
+    fi
+}
+
 
 main() {
     # Default return code : 0 = no error
@@ -369,8 +396,8 @@ main() {
     test "${IS_UPTIME:=1}" = 1 && check_uptime
     test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
     test "${IS_GITPERMS:=1}" = 1 && check_gitperms
-    test "${IS_ADVBASE:=1}" = 1 && check_advbase
-    test "${IS_PREEMPT:=1}" = 1 && check_preempt
+    test "${IS_CARPADVBASE:=1}" = 1 && check_carpadvbase
+    test "${IS_CARPPREEMPT:=1}" = 1 && check_carppreempt
     test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
     test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
     test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom
@@ -394,6 +421,7 @@ main() {
     test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute
     test "${IS_NTP:=1}" = 1 && check_ntp
     test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
+    test "${IS_CARPADVSKEW:=1}" = 1 && check_carpadvskew
 
     exit ${RC}
 }

roles/forwarding/tasks/main.yml

@@ -2,7 +2,7 @@
 - name: Enable IPv4 forwarding
   sysctl:
     name: net.inet.ip.forwarding
-    value: 1
+    value: "1"
     state: present
     reload: true
   tags:
@@ -11,7 +11,7 @@
 - name: Enable IPv6 forwarding
   sysctl:
     name: net.inet6.ip6.forwarding
-    value: 1
+    value: "1"
     state: present
     reload: true
   tags:

roles/logsentry/README.md

@@ -0,0 +1,7 @@
+# logsentry
+
+Installation and custom configuration of logsentry (formely logcheck)
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.

roles/logsentry/files/logsentry.ignore

@@ -0,0 +1,100 @@
+authsrv.*AUTHENTICATE
+cron.*CMD
+cron.*RELOAD
+cron.*STARTUP
+ftp-gw.*: exit host
+ftp-gw.*: permit host
+ftpd.*ANONYMOUS FTP LOGIN
+ftpd.*FTP LOGIN FROM
+ftpd.*retrieved
+ftpd.*stored
+http-gw.*: exit host
+http-gw.*: permit host
+mail.local
+named.*Lame delegation
+named.*Response from
+named.*answer queries
+named.*points to a CNAME
+named.*reloading
+named.*starting
+netacl.*: exit host
+netacl.*: permit host
+popper.*Unable
+popper: -ERR POP server at
+popper: -ERR Unknown command: "uidl".
+qmail.*new msg
+qmail.*info msg
+qmail.*starting delivery
+qmail.*delivery
+qmail.*end msg
+rlogin-gw.*: exit host
+rlogin-gw.*: permit host
+sendmail.*User Unknown
+sendmail.*alias database.*rebuilt
+sendmail.*aliases.*longest
+sendmail.*from=
+sendmail.*lost input channel
+sendmail.*message-id=
+sendmail.*putoutmsg
+sendmail.*return to sender
+sendmail.*stat=
+sendmail.*timeout waiting
+smap.*host=
+smapd.*daemon running
+smapd.*delivered
+telnetd.*ttloop:  peer died
+tn-gw.*: exit host
+tn-gw.*: permit host
+x-gw.*: exit host
+x-gw.*: permit host
+xntpd.*Previous time adjustment didn't complete
+xntpd.*time reset
+ansible-command: Invoked
+ansible-copy: Invoked
+ansible-cron: Invoked
+ansible-file: Invoked
+ansible-openbsd_pkg: Invoked
+ansible-setup: Invoked
+ansible-slurp: Invoked
+ansible-stat: Invoked
+ansible-synchronize: Invoked
+bgpd.*: neighbor .*: sending IPv4 unicast EOR marker
+bgpd.*: neighbor .*: sending IPv6 unicast EOR marker
+bgpd.*: RDE reconfigured
+bgpd.*: RDE soft reconfiguration done
+bgpd.*: rereading config
+bgpd.*: running softreconfig in
+bgpd.*: SE reconfigured
+bgpd.*: softreconfig in done
+doas: _collectd ran command /bin/cat /var/log/daemon as root from /var/collectd
+doas: _collectd ran command /usr/sbin/bgpctl sh as root from /var/collectd
+doas: _collectd ran command /usr/sbin/bgpctl show neighbor as root from /var/collectd
+doas: _nrpe ran command /sbin/bioctl sd2 as root from /
+doas: _nrpe ran command /usr/local/libexec/nagios
+doas:.*ran command /usr/share/scripts/evomaintenance.sh as root from
+last message repeated .* times
+mownitoring.py: Alert sent through email
+mownitoring.py: Already known state but still a problem for
+newsyslog.*logfile turned over
+nrpe.*: Could not read request from client, bailing out...
+nrpe.*: Error: Could not complete SSL handshake.
+nrpe.*: INFO: SSL Socket Shutdown.
+ntpd.*: adjusting clock frequency by
+pkg_add: Added
+smtpd.*mta connected
+smtpd.*mta connecting address=smtp://
+smtpd.*mta delivery evpid=
+smtpd.*mta disconnected reason=quit messages=
+smtpd.*mta server-cert-check result=
+smtpd.*mta tls ciphers=
+smtpd.*smtp connected address=127.0.0.1 host=localhost
+smtpd.*smtp connected address=local
+smtpd.*smtp disconnected reason=quit
+smtpd.*smtp envelope evpid=
+smtpd.*smtp message msgid=
+sshd.*Connection closed by 127.0.0.1 port
+sshd.*Connection reset by 127.0.0.1 port
+sudo:.*: a password is required ; TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
+sudo:.*: TTY=.* ; PWD=/home/.* ; USER=root ; COMMAND=
+syslogd.*restart
+unbound:.*info:

roles/logsentry/files/logsentry.sh

@@ -0,0 +1,281 @@
+#!/bin/sh
+#
+#	logcheck.sh: Log file checker
+#	Written by Craig Rowland <crowland@psionic.com>
+#
+#	This file needs the program logtail.c to run
+#
+#	This script checks logs for unusual activity and blatant
+#	attempts at hacking. All items are mailed to administrators
+# 	for review. This script and the logtail.c program are based upon 
+#       the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
+#	(c)Trusted Information Systems Inc. The original authors are 
+#	Marcus J. Ranum and Fred Avolio.
+#
+#	Default search files are tuned towards the TIS Firewall toolkit
+# 	the TCP Wrapper program. Custom daemons and reporting facilites
+#	can be accounted for as well...read the rest of the script for
+#	details.
+#
+#	Version Information
+#
+#	1.0 	9/29/96  -- Initial Release
+#	1.01	11/01/96 -- Added working /tmp directory for symlink protection
+#			    (Thanks Richard Bullington (rbulling@obscure.org)
+#	1.1	1/03/97	 -- Made this script more portable for Sun's.
+#		1/03/97	 -- Made this script work on HPUX
+#               5/14/97  -- Added Digital OSF/1 logging support. Big thanks
+#                           to Jay Vassos-Libove <libove@compgen.com> for
+#                           his changes.
+ 
+
+# CONFIGURATION SECTION
+
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
+
+# Logcheck is pre-configured to work on most BSD like systems, however it
+# is a rather dumb program and may need some help to work on other
+# systems. Please check the following command paths to ensure they are 
+# correct.
+
+# Person to send log activity to.
+SYSADMIN=root
+
+# Full path to logtail program.
+# This program is required to run this script and comes with the package.
+
+LOGTAIL=/usr/local/bin/logtail
+
+# Full path to SECURED (non public writable) /tmp directory.
+# Prevents Race condition and potential symlink problems. I highly
+# recommend you do NOT make this a publically writable/readable directory.
+# You would also be well advised to make sure all your system/cron scripts
+# use this directory for their "scratch" area. 
+
+TMPDIR=/var/cache/logsentry
+
+# The 'grep' command. This command MUST support the
+# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
+# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
+# does not support these switches, but the 'egrep' command does (Thanks
+# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU 
+# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
+# hard links to each other we'll just specify egrep here. Change this if 
+# you get errors.
+
+# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
+GREP=egrep
+
+# The 'mail' command. Most systems this should be OK to leave as is.
+# If your default mail command does not support the '-s' (subject) command
+# line switch you will need to change this command one one that does.
+# The only system I've seen this to be a problem on are HPUX boxes. 
+# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
+# feel they need to do everything differently to remind the rest that
+# they are the best ;).
+
+# Linux, FreeBSD, BSDI, Sun, etc.
+MAIL=mail
+# HPUX 10.x and others(?)
+#MAIL=mailx
+# Digital OSF/1, Irix
+#MAIL=Mail
+
+# File of known active hacking attack messages to look for.
+# Only put messages in here if you are sure they won't cause
+# false alarms. This is a rather generic way of checking for 
+# malicious activity and can be inaccurate unless you know
+# what past hacking activity looks like. The default is to
+# look for generic ISS probes (who the hell else looks for 
+# "WIZ" besides ISS?), and obvious sendmail attacks/probes.
+
+HACKING_FILE=/etc/logsentry/logsentry.hacking
+
+# File of security violation patterns to specifically look for.
+# This file should contain keywords of information administrators should
+# probably be aware of. May or may not cause false alarms sometimes.
+# Generally, anything that is "negative" is put in this file. It may miss
+# some items, but these will be caught by the next check. Move suspicious
+# items into this file to have them reported regularly.
+
+VIOLATIONS_FILE=/etc/logsentry/logsentry.violations
+
+# File that contains more complete sentences that have keywords from
+# the violations file. These keywords are normal and are not cause for 
+# concern but could cause a false alarm. An example of this is the word 
+# "refused" which is often reported by sendmail if a message cannot be 
+# delivered or can be a more serious security violation of a system 
+# attaching to illegal ports. Obviously you would put the sendmail 
+# warning as part of this file. Use your judgement before putting words 
+# in here or you can miss really important events. The default is to leave
+# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some 
+# grep's will assume that an EMPTY file means a wildcard and will ignore 
+# everything! The basic configuration allows for the more frequent sendmail
+# error.
+#
+# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
+
+VIOLATIONS_IGNORE_FILE=/etc/logsentry/logsentry.violations.ignore
+
+# This is the name of a file that contains patterns that we should
+# ignore if found in a log file. If you have repeated false alarms
+# or want specific errors ignored, you should put them in here.
+# Once again, be as specific as possible, and go easy on the wildcards
+
+IGNORE_FILE=/etc/logsentry/logsentry.ignore
+
+# The files are reported in the order of hacking, security 
+# violations, and unusual system events. Notice that this
+# script uses the principle of "That which is not explicitely
+# ignored is reported" in that the script will report all items
+# that you do not tell it to ignore specificially. Be careful
+# how you use wildcards in the logcheck.ignore file or you 
+# may miss important entries.
+
+# Make sure we really did clean up from the last run.
+# Also this ensures that people aren't trying to trick us into
+# overwriting files that we aren't supposed to. This is still a race
+# condition, but if you are in a temp directory that does not have
+# generic luser access it is not a problem. Do not allow this program
+# to write to a generic /tmp directory where others can watch and/or
+# create files!!
+
+# Shouldn't need to touch these...
+HOSTNAME=`hostname`
+DATE=`date +%m/%d/%y:%H.%M`
+
+umask 077
+rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
+	echo "Log files exist in $TMPDIR directory that cannot be removed. This 
+may be an attempt to spoof the log checker." \
+	| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
+	exit 1
+fi
+
+# LOG FILE CONFIGURATION SECTION
+# You might have to customize these entries depending on how 
+# you have syslogd configured. Be sure you check all relevant logs.
+# The logtail utility is required to read and mark log files.
+# See INSTALL for more information. Again, using one log file
+# is preferred and is easier to manage. Be sure you know what the
+# > and >> operators do before you change them. LOG FILES SHOULD
+# ALWAYS BE chmod 600 OWNER root!!
+
+# Generic and Linux Slackware 3.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+
+# OpenBSD 2.x, 3.x
+$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
+$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+$LOGTAIL /var/log/daemon >> $TMPDIR/check.$$
+$LOGTAIL /var/log/xferlog >> $TMPDIR/check.$$
+
+# Linux Red Hat Version 3.x, 4.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+
+# FreeBSD 2.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+
+# BSDI 2.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
+# Un-comment out the line below if you are using BSDI 2.1
+#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$
+
+# SunOS, Sun Solaris 2.5
+#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
+#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$
+
+# HPUX 10.x and others(?)
+#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$
+
+# Digital OSF/1
+# OSF/1 - uses rotating log directory with date & time in name
+#        LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
+#        LOGDIR=`ls -dtr1 $LOGDIRS | tail -1` 
+#        if [ ! -d "$LOGDIR" ]
+#        then
+#          echo "Can't identify current log directory." >> $TMPDIR/checkrepo$
+#        else
+#                $LOGTAIL  $LOGDIR/auth.log >> $TMPDIR/check.$$
+#                $LOGTAIL  $LOGDIR/daemon.log >> $TMPDIR/check.$$
+#                $LOGTAIL  $LOGDIR/kern.log >> $TMPDIR/check.$$
+#                $LOGTAIL  $LOGDIR/lpr.log >> $TMPDIR/check.$$
+#                $LOGTAIL  $LOGDIR/mail.log >> $TMPDIR/check.$$
+#                $LOGTAIL  $LOGDIR/syslog.log >> $TMPDIR/check.$$
+#                $LOGTAIL  $LOGDIR/user.log >> $TMPDIR/check.$$
+#        fi
+#
+
+
+
+# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
+# BELOW THIS LINE.
+
+# Set the flag variables
+FOUND=0
+ATTACK=0
+
+# See if the tmp file exists and actually has data to check, 
+# if it doesn't we should erase it and exit as our job is done.
+ 
+if [ ! -s $TMPDIR/check.$$ ]; then
+	rm -f $TMPDIR/check.$$	
+	exit 0
+fi
+
+# Perform Searches
+
+# Check for blatant hacking attempts
+if [ -f "$HACKING_FILE" ]; then
+	if $GREP -i -f $HACKING_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
+		echo >> $TMPDIR/checkreport.$$
+		echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
+		echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
+		cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+		FOUND=1
+		ATTACK=1
+	fi
+fi
+
+# Check for security violations
+if [ -f "$VIOLATIONS_FILE" ]; then
+	if $GREP -i -f $VIOLATIONS_FILE $TMPDIR/check.$$ |
+	   $GREP -v -f $VIOLATIONS_IGNORE_FILE > $TMPDIR/checkoutput.$$; then
+		echo >> $TMPDIR/checkreport.$$
+		echo "Security Violations" >> $TMPDIR/checkreport.$$
+		echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
+		cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+		FOUND=1
+	fi
+fi
+
+# Do reverse grep on patterns we want to ignore
+if [ -f "$IGNORE_FILE" ]; then
+	if $GREP -v -f $IGNORE_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
+		echo >> $TMPDIR/checkreport.$$
+		echo "Unusual System Events" >> $TMPDIR/checkreport.$$
+		echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
+		cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+		FOUND=1
+	fi
+fi
+
+# If there are results, mail them to sysadmin
+
+if [ "$ATTACK" -eq 1 ]; then
+	cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
+elif [ "$FOUND" -eq 1 ]; then
+	cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN 
+fi
+
+# Clean Up
+rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$

roles/logsentry/files/logsentry.violations.ignore

@@ -0,0 +1,9 @@
+stat=Deferred
+unbound:.*info: server stats for
+smtpd.*smtp connected address=127.0.0.1 host=localhost
+smtpd.*smtp connected address=local
+smtpd.*smtp disconnected reason=quit
+smtpd.*smtp envelope evpid=
+smtpd.*smtp message msgid=
+nrpe.*: INFO: SSL Socket Shutdown.
+collectd.*: exec plugin: Failed to execute

roles/logsentry/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+- name: Install logsentry
+  openbsd_pkg:
+    name:
+      - logsentry--
+    state: present
+  tags:
+    - logsentry
+
+- name: Copy logsentry script to /usr/share/scripts
+  copy:
+    src: logsentry.sh
+    dest: /usr/share/scripts/logsentry.sh
+    owner: root
+    group: wheel
+    mode: "0644"
+  tags:
+    - logsentry
+
+- name: Copy logsentry.ignore configuration
+  copy:
+    src: "{{ item }}"
+    dest: /etc/logsentry/logsentry.ignore
+  with_first_found:
+    - "files/logsentry/logsentry.ignore"
+    - "logsentry.ignore"
+  tags:
+    - logsentry
+    - config
+
+- name: Copy logsentry.violations.ignore configuration
+  copy:
+    src: "{{ item }}"
+    dest: /etc/logsentry/logsentry.violations.ignore
+  with_first_found:
+    - "files/logsentry/logsentry.violations.ignore"
+    - "logsentry.violations.ignore"
+  tags:
+    - logsentry
+    - config
+
+- name: hourly cron job for logsentry.sh is installed
+  cron:
+    name: logsentry
+    minute: "11"
+    job: >
+      /bin/sh /usr/share/scripts/logsentry.sh
+  tags:
+    - logsentry

roles/nagios-nrpe/defaults/main.yml

@@ -1,11 +1,9 @@
 ---
-evolix_trusted_ips: []
-additional_trusted_ips: []
-# Let's merge evolix_trusted_ips with additional_trusted_ips
+nagios_nrpe_default_allowed_hosts: []
+nagios_nrpe_additional_allowed_hosts: []
 nagios_nrpe_allowed_hosts:
-  "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
-nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
-nagios_nrpe_ldap_passwd: LDAP_PASSWD
+  "{{ nagios_nrpe_default_allowed_hosts
+  | union(nagios_nrpe_additional_allowed_hosts) | unique }}"
 nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
 nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}"
 

roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh

@@ -0,0 +1,94 @@
+#!/bin/sh
+
+# Use : ./check_ipsecctl_critiques.sh
+# check_ipsecctl.sh must be installed
+# Do not forget to also set variables under "Additional check with ping" : $VPNS + Definition of destination IPs + IPs in "case $vpn in"
+# If needed, you can custom "local_ip" if the local IP used for ipsec is not the default one, or if multiples IP are use (e.g. "local_ip=192.0.2.[12]" if 192.0.2.1 and 192.0.2.2 are both used).
+
+# Variables
+
+CHECK_IPSECCTL="/usr/local/libexec/nagios/plugins/check_ipsecctl.sh"
+STATUS=0
+VPN_KO=""
+
+default_int=$(route -n show -inet | grep default | awk '{ print $8 }' | grep -v pppoe0)
+default_ip=$(ifconfig $default_int | grep inet | head -1 | awk '{ print $2 }')
+
+# No check if CARP backup
+
+carp=$(/sbin/ifconfig carp0 2>/dev/null | /usr/bin/grep 'status' | cut -d' ' -f2)
+
+if [ "$carp" = "backup" ]; then
+    echo "It's alright I'm just a backup!"
+    exit 0
+fi
+
+# First check that isakmpd is running
+
+if ! /usr/sbin/rcctl check isakmpd >/dev/null; then
+    echo "CRITICAL : The isakmpd daemon is down. Start it with : rcctl start isakmpd && ipsecctl -f /etc/ipsec.conf"
+    STATUS=2
+fi
+
+# Make sure "0.0.0.0" is not configured
+
+if /sbin/ipsecctl -sa | grep -qF 0.0.0.0; then
+    echo "CRITICAL : Configuration error on client side, \"0.0.0.0\" is configured and makes the network to bug. Check with \"ipsecctl -sa | grep -F 0.0.0.0\" which VPN is affected and shut it down, and contact the client or the VPN provider to solve the problem."
+    STATUS=2
+fi
+
+# Check with "ipsecctl -sa"
+
+for vpn in $(cat /etc/ipsec.conf | grep -v "^#" | awk '{print $2}'); do
+    vpn=$(basename $vpn .conf\")
+    local_ip=$default_ip
+    remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+    $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
+    if [ $? -ne 0 ]; then
+        STATUS=2
+        VPN_KO="$VPN_KO $vpn"
+    fi
+done
+
+# Additional check with ping because "ipsecctl -sa" is not enough, only if previous checks didn't fail
+
+if [ $STATUS -eq 0 ]; then
+
+    # Definition of VPNs to be checked
+    VPNS="A_from_vlan1 A_from_vlan2 B_from_vlan1 C_from_vlan2"
+
+    # Definition of destination IPs (client side) to ping for each VPN
+    A_from_vlan1_IP="192.168.1.1"
+    A_from_vlan2_IP="192.168.2.1"
+
+    B_from_vlan1_IP="172.16.1.1"
+
+    C_from_vlan2_IP="10.0.1.1"
+
+    for vpn in $VPNS; do
+        # dst_ip takes the value of VPNS_IP
+        eval dst_ip=\$${vpn}_IP
+    
+        # Definition of the source IP of the ping according to the source network used (our side, adjust the -I option)
+        case $vpn in
+            *vlan1*) ping -q -i 0.1 -I 192.168.5.5 -c 3 -w 1 $dst_ip >/dev/null ;;
+            *vlan2*) ping -q -i 0.1 -I 172.16.2.5  -c 3 -w 1 $dst_ip >/dev/null ;;
+        esac
+    
+        if [ $? -ne 0 ]; then
+            VPN_KO="$VPN_KO $vpn"
+        fi
+    done
+fi
+
+if [ -n "$VPN_KO" ]; then
+    echo "VPNs down:$VPN_KO"
+    exit 2
+else
+    if [ "$STATUS" -eq 0 ]; then
+        echo "ALL VPN(s) UP(s)"
+        exit 0
+    else
+        exit $STATUS
+    fi
+fi

roles/nagios-nrpe/files/plugins_bsd/check_mailq.pl

@@ -0,0 +1,778 @@
+#!/usr/bin/perl -w
+
+# check_mailq - check to see how many messages are in the smtp queue awating
+#   transmittal.  
+#
+# Initial version support sendmail's mailq command
+#  Support for multiple sendmail queues (Carlos Canau)
+#  Support for qmail (Benjamin Schmid)
+
+# License Information:
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+