249 lines
11 KiB

# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
### Added
* base: set the title of the terminal when connecting to a server
* base: import dump-server-state.sh script
* post-install: add a version number to motd-carp-state.sh
* nagios-nrpe: add a check dhcp_pool
* collectd: add dhcp_pool.pl script
* base: add a "next_part" before executing evobackup in daily.local file
* base: add update-evobackup-canary script
* base: session timeout is configurable
* add a update-utils.yml playbook to update scripts
* base: use a variable to define ntpd server
* base: add entry in doas.conf for sd0 in case we have a hard raid
* base: add munin files in newsyslog.conf by default
* nagios-nrpe: add some information in check_connections_state.sh check
* ospf: precise in the readme file that no daemon is configured/activated
* logsentry: delete unused default file that we put in /usr/share/scripts
* base: set the lookup option so that resolv.conf searches /etc/hosts before querying a domain name server; the default is the opposite
* post-install: add the pf_states check by default in generateldif.sh script
* nagios-nrpe: allow older cipher suites for older Icinga version
* evobackup: execute canary script before executing backup script
* accounts: create only users who have a certain value for the `create` key (default: `always`)
* nagios-nrpe: add the ipmi_sensor check
* base: doas configuration for ipmi_sensor NRPE check
* base: deactivate insults in sudo
* base: added handlers for entries in fstab
* forwarding: added tags to distinguish IPv4 from IPv6
* accounts: add a "users" tag so that new users are not created and customized password are not reset based on vars files when executing evolixisation.yml again
* base: Generate default (self-signed) certificate
* evomaintenance: upstream release 24.05
* evomaintenance: move files into upstream folder
### Changed
* accounts: use "evobsd_internal_group" for SSH authentication
* base: zzz_evobackup upstream release 22.03
* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
* etc-git: use "ansible-commit" to efficiently commit all available repositories from Ansible
* etc-git: add versioning for /usr/share/scripts
* nagios-nrpe: add a wraper to check_dhcpd to define the number of dhcpd processes that must be running depending on the CARP state
* evocheck: renamed install.yml to main.yml and add evocheck cron at the beginning of the daily.local file
* pf: reorder some rules, more details on some comments
* update of tags for each tasks and ease the update of scripts
* evocheck: execute evocheck without --cron the first of the month
* etc-git: chmod 600 for local periodic files (daily, weekly, monthly)
* base: loop over fstab entries instead of copying the same task for each entries
* etc-git: do not erase custom entries of servers in .gitignore files
* nagios-nrpe: check_disk1 returns only alerts
* base: do not erase custom configuration of servers in doas.conf
* base: vmd and pass are not used in our infrastructure, deletion of autocompletion
* nagios-nrpe: do not erase custom configuration of servers in nrpe.d/evolix.cfg, and do not use zzz_evolix.cfg anymore
* base: export evomaintenance and evobackup tasks into their own roles
* nagios-nrpe: multiples IP can now be checked with check_ipsecctl_critiques.sh
* base: use a variable for /etc/installurl content
* base: use "servers" option instead of "server" option for ntpd.conf
* base: fstab options can be activated or not
* base: configure "/usr/X11R6" and "/usr/local" for servers that have a mount on it
* base: we can chose to deploy or not utils files
* base: reordering default variable file and deleting unused one
* base: use a template for ntp configuration to ease the management of the different cases
* logsentry: update config files, add "[logsentry]" in subject, and simplify task
* nagios-nrpe: deleted unused variables and added a ntp check server variable
* post-install: use basename of path in generateldif.sh to define file from elsewhere
* bgp, collectd, logsentry, ospf: update scripts
* collectd: improve dns_stats.sh script for more metrics
* ospf: do not repeat use of command, use variable instead with output of command
* nagios-nrpe: changed check_load to make it more relevant
* nagios-nrpe: check_ipsecctl.sh is never used standalone for check_vpn, always called by check_ipsecctl_critiques.sh
* evobackup: zzz_evobackup upstream release 22.12, and call zzz_evobackup with bash
* base: install bash, now needed for zzz_evobackup script
* post-install: execute motd-carp-state.sh every 10 minuts
* collectd: modified collectd scripts directory and scripts files right so that only _collectd group can execute them
* base: install ncdu and htop often used as diagnostic tools
* base: dump-server-state.sh upstream release 24.01
* evocheck: upstream release 23.06
* base: add evobsd_alias_fwupdate variable and make kshrc file a template so we can set or not a fw_update alias to servers that need it
* etc-git: add versioning for /var/unbound/etc
* base: ignore errors on packages installation because it fails for some packages when run in check mode
* evomaintenance: upstream release 23.10.1
* accounts, etc-git, evocheck, nagios-nrpe: multiple changes to not fail when run in check mode
* base: configure "/var/log" for servers that have a mount on it
* nagios-nrpe: configure allowed_hosts in template and make use of the 'nagios_nrpe_additional_allowed_hosts' var in inventory for additional IP
* nagios-nrpe: configure server certificate for nrpe daemon
* pf: pass quick for ICMP and Evolix rules which won't need to be overwritten, no state for ICMP because it's not needed and can sometimes be unfavourable
### Fixed
* base: fix shell configuration, increase $HISTSIZE, and change history alias so it displays full history
* nagios-nrpe: handle the case where cached_mem is in GB to convert it in MB in check_free_mem.sh
* post-install: improve management of ldif file for ldap
* post-install: ignore errors from syspatch
* nagios-nrpe: grep in check_ipsecctl_critiques.sh was too large
* post-install: fix missing space in generateldif.sh script
* logsentry: fix variables for configuration files
* nagios-nrpe: fix allowed_hosts configuration: keep potential added IP, but we cannot use backrefs if the line does not exist yet
* accounts: configure user home, ssh keys and groups only if it already exists, so that there is no error when run in check mode and user doesn't exist yet
* collectd: fix rights for collectd directory
* etc-git: Remove deprecated/unsupported "warn" parameter
* ospf, bgp: fix checks scripts
* base, collectd, etc-git, logsentry, nagios-nrpe: install packages manually because openbsd_pkg module is broken since OpenBSD 7.4 with the version of Ansible we currently use
* nagios-nrpe: fix variable use in check_ipsecctl_critiques.sh
### Removed
* openvpn: deleted this deprecated role ; use the one provided in the ansible-roles repo
* base: doas is used for evomaintenance, not sudo ; wheel group mustn't be sudo because we use the evolinux-sudo group
* base: doas configuration for _collectd user is managed in collectd role, not needed to have it by default
## [21.12] - 2021-12-17
### Changed
* Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly
* Use vim as default git editor
* Change version pattern and fix release scheme
### Added
* Add a bioctl NRPE check for RAID devices
## [6.9.2] - 2021-10-15
### Added
* Add a more complete ipsecctl check script
* Add doas configuration for check_openvpn_certificates.sh
### Fixed
* Fix check_dhcpd for dhcpd server themselves: use back check_procs -c1: -C dhcpd
* Fix check_mailq: check from monitoring-plugins current version is not compatible with opensmtpd
## [6.9.1] - 2021-07-19
### Added
* Configure the ntpd.conf file
## [6.9.0] - 2021-05-06
### Changed
* Remove the variable VERBOSESTATUS in daily.local configuration file since it is no longer valid.
## [6.8.3] - 2021-02-15
### Added
* Add a customization of the logsentry configuration
* Add a check_openvpn_certificates in NRPE and OpenVPN role to check expiration date of server CA and certificates files
### Fixed
* Fix the check_mem command in the NRPE role, precising the percentage sign for it not to check the memory in MB.
* Fix the check_mem script in the NRPE role, adding cached RAM as free RAM
* Fix motd-carp-state.sh by updating the OpenBSD release in our customized motd after an upgrade
### Changed
* The PF role now use a variable for trusted IPs
## [6.8.2] - 2020-10-30
### Added
* Add a Logsentry role
## [6.8.1] - 2020-10-26
### Fixed
* Fix a task using a register where simple quotes prevented the register to be properly filled, breaking the following task
## [6.8.0] - 2020-10-23
### Added
* Add a PF tag to be able to skip that part when rerunning EvoBSD
* Add a doas authorization for NRPE check_ipsecctl_critiques
### Changed
* The task mail.yml replace the former boot/reboot message only if it is untouched
* Replace the variable used to set the email address in etc-git role - now using inventory_hostname
* Not checking syspatch when OpenBSD <= 6.1
* Amend fstab file adding noatime option to each entrie
* Import evocheck v.6.7.7
* Comment NRPE checks that cannot be used as is
### Fixed
* Add the creation of the NRPE plugins directory in nagios-nrpe role
* Add collectd doas rights in the base role to avoid broking anything if EvoBSD is rerun without the collectd role included
* Do not add the motd cron if the same line is already there but uncommented
* Amend fstab entries only when the filesystem is ffs
## [6.7.2] - 2020-10-13
### Added
* Now handling deletion of evobackup crontab (replaced by daily.local cron)
* Customize fstab with noexec and softdep
* Collectd role
### Changed
* Improve rc.local file configuration
* Update evocheck to version 6.7.5
* Hide default daily output mail content (VERBOSESTATUS=0)
* Add deletion of old log files in the OSPF role
### Fixed
* Fix duplicate evobackup cron if the entry is uncommented in daily.local
## [6.7.1] - 2020-09-10
### Added
* Add completions functions in root's profile dotfile
* Add check_connections_state.sh NRPE plugin
* Add an evocheck role
* Add stricter ssh and doas access
* Add an openvpn role
* Add an OpenBGPd NRPE plugin
* Add ospf and bgp roles
* Add an unbound NRPE check since it is part of the base system
* Add a motd-carp-state.sh script that checks the carp state and generates the /etc/motd file
### Changed
* Disable sndiod since it is not required on serveurs
* Replace sudo with doas for script executions
* Update evomaintenance version to 0.6.3
* Disable mouse function in vim configuration
* Drop openup since syspatch can apply stable patches now
* Update evobackup script
* Rewrite newsyslog configuration
* Drop postgresql-client package since evomaintenance use an API now