# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Added

* base: set the title of the terminal when connecting to a server
* base: import dump-server-state.sh script
* post-install: add a version number to motd-carp-state.sh
* nagios-nrpe: add a dhcp_pool check
* collectd: add dhcp_pool.pl script
* base: add a "next_part" before executing evobackup in daily.local file
* base: add update-evobackup-canary script
* base: session timeout is configurable
* add an update-utils.yml playbook to update scripts
* base: use a variable to define ntpd server
* base: add entry in doas.conf for sd0 in case we have a hard raid
* base: add munin files in newsyslog.conf by default
* nagios-nrpe: add some information in check_connections_state.sh check
* ospf: specify in the readme file that no daemon is configured/activated
* logsentry: delete unused default file that we put in /usr/share/scripts
* base: set the lookup option so that resolv.conf searches /etc/hosts before querying a domain name server; the default is the opposite
* post-install: add the pf_states check by default in generateldif.sh script
* nagios-nrpe: allow older cipher suites for older Icinga version
* evobackup: execute canary script before executing backup script
* accounts: create only users who have a certain value for the `create` key (default: `always`)
* nagios-nrpe: add the ipmi_sensor check
* base: doas configuration for ipmi_sensor NRPE check
* base: deactivate insults in sudo
* base: added handlers for entries in fstab
* forwarding: added tags to distinguish IPv4 from IPv6
* accounts: add a "users" tag so that new users are not created and customized passwords are not reset based on vars files when executing evolixisation.yml again
* base: Generate default (self-signed) certificate

### Changed

* accounts: use "evobsd_internal_group" for SSH authentication
* base: zzz_evobackup upstream release 22.03
* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
* etc-git: use "ansible-commit" to efficiently commit all available repositories from Ansible
* etc-git: add versioning for /usr/share/scripts
* nagios-nrpe: add a wrapper to check_dhcpd to define the number of dhcpd processes that must be running depending on the CARP state
* evocheck: renamed install.yml to main.yml and add evocheck cron at the beginning of the daily.local file
* pf: reorder some rules, more details on some comments
* update of tags for each task and ease the update of scripts
* evocheck: execute evocheck without --cron the first of the month
* etc-git: chmod 600 for local periodic files (daily, weekly, monthly)
* base: loop over fstab entries instead of copying the same task for each entry
* etc-git: do not erase custom entries of servers in .gitignore files
* nagios-nrpe: check_disk1 returns only alerts
* base: do not erase custom configuration of servers in doas.conf
* base: vmd and pass are not used in our infrastructure, deletion of autocompletion
* nagios-nrpe: do not erase custom configuration of servers in nrpe.d/evolix.cfg, and do not use zzz_evolix.cfg anymore
* base: export evomaintenance and evobackup tasks into their own roles
* nagios-nrpe: multiple IPs can now be checked with check_ipsecctl_critiques.sh
* base: use a variable for /etc/installurl content
* base: use "servers" option instead of "server" option for ntpd.conf
* base: fstab options can be activated or not
* base: configure "/usr/X11R6" and "/usr/local" for servers that have a mount on it
* base: we can choose to deploy or not utils files
* base: reordering default variable file and deleting unused one
* base: use a template for ntp configuration to ease the management of the different cases
* logsentry: update config files, add "[logsentry]" in subject, and simplify task
* nagios-nrpe: deleted unused variables and added a ntp check server variable
* post-install: use basename of path in generateldif.sh to define file from elsewhere
* bgp, collectd, logsentry, ospf: update scripts
* collectd: improve dns_stats.sh script for more metrics
* ospf: do not repeat use of command, use variable instead with output of command
* nagios-nrpe: changed check_load to make it more relevant
* nagios-nrpe: check_ipsecctl.sh is never used standalone for check_vpn, always called by check_ipsecctl_critiques.sh
* evobackup: zzz_evobackup upstream release 22.12, and call zzz_evobackup with bash
* base: install bash, now needed for zzz_evobackup script
* post-install: execute motd-carp-state.sh every 10 minutes
* collectd: modified collectd scripts directory and script file rights so that only the _collectd group can execute them
* base: install ncdu and htop, often used as diagnostic tools
* base: dump-server-state.sh upstream release 24.01
* evocheck: upstream release 23.06
* base: add evobsd_alias_fwupdate variable and make kshrc file a template so we can set or not a fw_update alias to servers that need it
* etc-git: add versioning for /var/unbound/etc
* base: ignore errors on packages installation because it fails for some packages when run in check mode
* evomaintenance: upstream release 23.10.1
* accounts, etc-git, evocheck, nagios-nrpe: multiple changes to not fail when run in check mode
* base: configure "/var/log" for servers that have a mount on it
* nagios-nrpe: configure allowed_hosts in template and make use of the 'nagios_nrpe_additional_allowed_hosts' var in inventory for additional IP
* nagios-nrpe: configure server certificate for nrpe daemon

### Fixed

* base: fix shell configuration, increase $HISTSIZE, and change history alias so it displays full history
* nagios-nrpe: handle the case where cached_mem is in GB to convert it in MB in check_free_mem.sh
* post-install: improve management of ldif file for ldap
* post-install: ignore errors from syspatch
* nagios-nrpe: grep in check_ipsecctl_critiques.sh was too large
* post-install: fix missing space in generateldif.sh script
* logsentry: fix variables for configuration files
* nagios-nrpe: fix allowed_hosts configuration: keep potential added IP, but we cannot use backrefs if the line does not exist yet
* accounts: configure user home, ssh keys and groups only if it already exists, so that there is no error when run in check mode and user doesn't exist yet
* collectd: fix rights for collectd directory
* etc-git: Remove deprecated/unsupported "warn" parameter
* ospf, bgp: fix checks scripts
* base, collectd, etc-git, logsentry, nagios-nrpe: install packages manually because openbsd_pkg module is broken since OpenBSD 7.4 with the version of Ansible we currently use

### Removed

* openvpn: deleted this deprecated role; use the one provided in the ansible-roles repo
* base: doas is used for evomaintenance, not sudo; wheel group mustn't be sudo because we use the evolinux-sudo group
* base: doas configuration for _collectd user is managed in collectd role, not needed to have it by default

## [21.12] - 2021-12-17

### Changed

* Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly
* Use vim as default git editor
* Change version pattern and fix release scheme

### Added

* Add a bioctl NRPE check for RAID devices

## [6.9.2] - 2021-10-15

### Added

* Add a more complete ipsecctl check script
* Add doas configuration for check_openvpn_certificates.sh

### Fixed

* Fix check_dhcpd for dhcpd servers themselves: go back to using check_procs -c1: -C dhcpd
* Fix check_mailq: check from monitoring-plugins current version is not compatible with opensmtpd

## [6.9.1] - 2021-07-19

### Added

* Configure the ntpd.conf file

## [6.9.0] - 2021-05-06

### Changed

* Remove the variable VERBOSESTATUS in daily.local configuration file since it is no longer valid.

## [6.8.3] - 2021-02-15

### Added

* Add a customization of the logsentry configuration
* Add a check_openvpn_certificates in NRPE and OpenVPN role to check expiration date of server CA and certificates files

### Fixed

* Fix the check_mem command in the NRPE role, specifying the percentage sign so that it does not check the memory in MB.
* Fix the check_mem script in the NRPE role, adding cached RAM as free RAM
* Fix motd-carp-state.sh by updating the OpenBSD release in our customized motd after an upgrade

### Changed

* The PF role now uses a variable for trusted IPs

## [6.8.2] - 2020-10-30

### Added

* Add a Logsentry role

## [6.8.1] - 2020-10-26

### Fixed

* Fix a task using a register where single quotes prevented the register from being properly filled, breaking the following task

## [6.8.0] - 2020-10-23

### Added

* Add a PF tag to be able to skip that part when rerunning EvoBSD
* Add a doas authorization for NRPE check_ipsecctl_critiques

### Changed

* The task mail.yml replaces the former boot/reboot message only if it is untouched
* Replace the variable used to set the email address in etc-git role - now using inventory_hostname
* Not checking syspatch when OpenBSD <= 6.1
* Amend fstab file adding noatime option to each entry
* Import evocheck v.6.7.7
* Comment NRPE checks that cannot be used as is

### Fixed

* Add the creation of the NRPE plugins directory in nagios-nrpe role
* Add collectd doas rights in the base role to avoid breaking anything if EvoBSD is rerun without the collectd role included
* Do not add the motd cron if the same line is already there but uncommented
* Amend fstab entries only when the filesystem is ffs

## [6.7.2] - 2020-10-13

### Added

* Now handling deletion of evobackup crontab (replaced by daily.local cron)
* Customize fstab with noexec and softdep
* Collectd role

### Changed

* Improve rc.local file configuration
* Update evocheck to version 6.7.5
* Hide default daily output mail content (VERBOSESTATUS=0)
* Add deletion of old log files in the OSPF role

### Fixed

* Fix duplicate evobackup cron if the entry is uncommented in daily.local

## [6.7.1] - 2020-09-10

### Added

* Add completion functions in root's profile dotfile
* Add check_connections_state.sh NRPE plugin
* Add an evocheck role
* Add stricter ssh and doas access
* Add an openvpn role
* Add an OpenBGPd NRPE plugin
* Add ospf and bgp roles
* Add an unbound NRPE check since it is part of the base system
* Add a motd-carp-state.sh script that checks the carp state and generates the /etc/motd file

### Changed

* Disable sndiod since it is not required on servers
* Replace sudo with doas for script executions
* Update evomaintenance version to 0.6.3
* Disable mouse function in vim configuration
* Drop openup since syspatch can apply stable patches now
* Update evobackup script
* Rewrite newsyslog configuration
* Drop postgresql-client package since evomaintenance uses an API now