Browse Source

Merge pull request 'Release 10.3.0' (#120) from unstable into stable

Reviewed-on: https://gitea.evolix.org/evolix/ansible-roles/pulls/120
stable 10.3.0
Jérémy Lecour 2 months ago
parent
commit
03b91177b1
66 changed files with 955 additions and 120 deletions
  1. +33
    -0
      CHANGELOG.md
  2. +1
    -0
      apt/tasks/config.yml
  3. +3
    -2
      certbot/files/hooks/haproxy.sh
  4. +3
    -1
      dovecot/defaults/main.yml
  5. +2
    -0
      dovecot/files/munin_config
  6. +12
    -10
      dovecot/files/munin_plugin
  7. +4
    -2
      dovecot/tasks/main.yml
  8. +5
    -3
      dovecot/tasks/munin.yml
  9. +2
    -0
      evoacme/defaults/main.yml
  10. +9
    -3
      evoacme/files/evoacme.sh
  11. +2
    -2
      evoacme/files/make-csr.sh
  12. +2
    -2
      evoacme/files/vhost-domains.sh
  13. +1
    -0
      evoacme/tasks/main.yml
  14. +24
    -13
      evocheck/files/evocheck.sh
  15. +1
    -1
      evolinux-users/tasks/sudo.yml
  16. +33
    -11
      evolinux-users/tasks/user.yml
  17. +6
    -0
      filebeat/defaults/main.yml
  18. +17
    -10
      filebeat/templates/filebeat.default.yml.j2
  19. +1
    -0
      kvm-host/defaults/main.yml
  20. +4
    -4
      kvm-host/meta/main.yml
  21. +4
    -0
      lxc-php/defaults/main.yml
  22. +6
    -0
      lxc-php/handlers/main.yml
  23. +9
    -1
      lxc-php/tasks/misc.yml
  24. +8
    -0
      lxc-php/templates/z-evolinux-defaults.ini.j2
  25. +4
    -0
      minifirewall/defaults/main.yml
  26. +7
    -2
      minifirewall/files/minifirewall.conf
  27. +8
    -2
      minifirewall/tasks/config.yml
  28. +2
    -2
      minifirewall/tasks/install.yml
  29. +114
    -6
      minifirewall/templates/minifirewall.j2
  30. +5
    -0
      mysql-oracle/files/evolinux-defaults.cnf
  31. +25
    -0
      mysql/files/save_mysql_processlist.sh
  32. +1
    -1
      mysql/handlers/main.yml
  33. +9
    -0
      mysql/tasks/utils.yml
  34. +3
    -3
      packweb-apache/meta/main.yml
  35. +1
    -1
      postgresql/defaults/main.yml
  36. +5
    -0
      postgresql/tasks/packages_buster.yml
  37. +5
    -0
      postgresql/tasks/packages_jessie.yml
  38. +5
    -0
      postgresql/tasks/packages_stretch.yml
  39. +6
    -1
      postgresql/tasks/pgdg-repo.yml
  40. +1
    -0
      proftpd/templates/ftps.conf.j2
  41. +1
    -0
      proftpd/templates/sftp.conf.j2
  42. +2
    -0
      redis/defaults/main.yml
  43. +10
    -0
      redis/files/check_redis_instances.sh
  44. +1
    -1
      redis/tasks/default-log2mail.yml
  45. +1
    -0
      redis/tasks/instance-server.yml
  46. +20
    -0
      tomcat-instance/tasks/user.yml
  47. +1
    -1
      varnish/defaults/main.yml
  48. +0
    -5
      varnish/files/reload-vcl.sh
  49. +40
    -23
      varnish/tasks/main.yml
  50. +5
    -0
      varnish/templates/reload-vcl.sh.j2
  51. +5
    -0
      varnish/templates/varnish.conf.buster.j2
  52. +0
    -7
      varnish/templates/varnish.conf.j2
  53. +7
    -0
      varnish/templates/varnish.conf.jessie.j2
  54. +0
    -0
      varnish/templates/varnish.vcl.j2
  55. +2
    -0
      webapps/evoadmin-web/tasks/user.yml
  56. +19
    -0
      webapps/nextcloud/defaults/main.yml
  57. +10
    -0
      webapps/nextcloud/handlers/main.yml
  58. +4
    -0
      webapps/nextcloud/meta/main.yml
  59. +37
    -0
      webapps/nextcloud/tasks/archive.yml
  60. +81
    -0
      webapps/nextcloud/tasks/config.yml
  61. +31
    -0
      webapps/nextcloud/tasks/main.yml
  62. +62
    -0
      webapps/nextcloud/tasks/mysql.yml
  63. +38
    -0
      webapps/nextcloud/tasks/user.yml
  64. +34
    -0
      webapps/nextcloud/tasks/vhost.yml
  65. +134
    -0
      webapps/nextcloud/templates/nginx.conf.j2
  66. +17
    -0
      webapps/nextcloud/templates/php-fpm.conf.j2

+ 33
- 0
CHANGELOG.md View File

@ -20,6 +20,39 @@ The **patch** part changes incrementally at each release.
### Security
## [10.3.0] 2020-12-21
### Added
* dovecot: Update munin plugin & configure it
* dovecot: vmail uid/gid are configurable
* evoacme: variable to disable Debian version check (default: False)
* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
* minifirewall: upstream release 20.12
* minifirewall: add variables to force upgrade the script and the config (default: False)
* mysql: install save_mysql_processlist script
* nextcloud: New role to setup a nextcloud instance
* redis: variable to force use of port 6379 in instances mode
* redis: check maxmemory in NRPE check
* lxc-php: Allow php containers to contact local MySQL with localhost
* varnish: config file name is configurable
### Changed
* Create system users for vmail (dovecot) and evoadmin
* apt: disable APT Periodic
* evoacme: upstream release 20.12
* evocheck: upstream release 20.12
* evolinux-users: improve uid/login checks
* tomcat-instance: fail if uid already exists
* varnish: change template name for better readability
* varnish: no threadpool delay by default
* varnish: no custom reload script for Debian 10 and later
### Fixed
* cerbot: parse HAProxy config file only if HAProxy is found
## [10.2.0] 2020-09-17
### Added


+ 1
- 0
apt/tasks/config.yml View File

@ -11,6 +11,7 @@
with_items:
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
- { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' }
when: apt_evolinux_config
tags:
- apt


+ 3
- 2
certbot/files/hooks/haproxy.sh View File

@ -56,6 +56,9 @@ main() {
fi
if daemon_found_and_running; then
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
if found_renewed_lineage; then
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
@ -86,7 +89,5 @@ readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly haproxy_bin=$(command -v haproxy)
readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
main

+ 3
- 1
dovecot/defaults/main.yml View File

@ -1,2 +1,4 @@
---
dovecot_foo: bar
dovecot_vmail_uid: 5000
dovecot_vmail_gid: 5000

+ 2
- 0
dovecot/files/munin_config View File

@ -0,0 +1,2 @@
[dovecot]
group adm

+ 12
- 10
dovecot/files/munin_plugin View File

@ -2,21 +2,22 @@
#
# Munin Plugin
# to count logins to your dovecot mailserver
#
#
# Created by Dominik Schulz <lkml@ds.gauner.org>
# http://developer.gauner.org/munin/
# Contributions by:
# - Stephane Enten <tuf@delyth.net>
# - Steve Schnepp <steve.schnepp@pwkf.org>
#
# - pcy <pcy@ulyssis.org> (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
#
# Parameters understood:
#
# config (required)
# autoconf (optional - used by munin-config)
#
#
# Config variables:
#
# logfile - Where to find the syslog file
# logfile - Where to find the syslog file
#
# Add the following line to a file in /etc/munin/plugin-conf.d:
# env.logfile /var/log/your/logfile.log
@ -34,13 +35,13 @@ LOGFILE=${logfile:-/var/log/mail.log}
######################
if [ "$1" = "autoconf" ]; then
echo yes
[ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)"
exit 0
fi
if [ "$1" = "config" ]; then
echo 'graph_title Dovecot Logins'
echo 'graph_category Mail'
echo 'graph_category mail'
echo 'graph_args --base 1000 -l 0'
echo 'graph_vlabel Login Counters'
@ -53,6 +54,7 @@ if [ "$1" = "config" ]; then
done
echo 'connected.label Connected Users'
echo "connected.type DERIVE"
exit 0
fi
@ -86,7 +88,7 @@ echo -n
echo -en "login_tls.value "
VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
echo "$VALUE"
else
echo "0"
fi
@ -97,7 +99,7 @@ echo -n
echo -en "login_ssl.value "
VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
echo "$VALUE"
else
echo "0"
fi
@ -108,7 +110,7 @@ echo -n
echo -en "login_imap.value "
VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
echo "$VALUE"
else
echo "0"
fi
@ -119,7 +121,7 @@ echo -n
echo -en "login_pop3.value "
VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
echo "$VALUE"
else
echo "0"
fi


+ 4
- 2
dovecot/tasks/main.yml View File

@ -40,7 +40,8 @@
- name: create vmail group
group:
name: vmail
gid: 5000
gid: "{{ dovecot_vmail_gid }}"
system: True
tags:
- dovecot
@ -48,8 +49,9 @@
user:
name: vmail
group: vmail
uid: 5000
uid: "{{ dovecot_vmail_uid }}"
shell: /bin/false
system: True
tags:
- dovecot


+ 5
- 3
dovecot/tasks/munin.yml View File

@ -14,8 +14,10 @@
dest: /etc/munin/plugins/dovecot
mode: "0755"
# TODO : add in /etc/munin/plugin-conf.d/munin-node
# [dovecot]
# group adm
- name: Install munin config
copy:
src: munin_config
dest: /etc/munin/plugin-conf.d/dovecot
mode: "0644"
when: munin_node_plugins_config.stat.exists

+ 2
- 0
evoacme/defaults/main.yml View File

@ -14,3 +14,5 @@ evoacme_ssl_loc: 'Marseille'
evoacme_ssl_org: 'Evolix'
evoacme_ssl_ou: 'Security'
evoacme_ssl_email: 'security@evolix.net'
evoacme_disable_debian_check: False

+ 9
- 3
evoacme/files/evoacme.sh View File

@ -14,7 +14,7 @@ show_version() {
cat <<END
evoacme version ${VERSION}
Copyright 2009-2019 Evolix <info@evolix.fr>,
Copyright 2009-2020 Evolix <info@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Benoit Série <bserie@evolix.fr>
@ -284,13 +284,19 @@ main() {
export EVOACME_CHAIN="${LIVE_CHAIN}"
export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}"
# emulate certbot hooks environment variables
export RENEWED_LINEAGE="${LIVE_DIR}"
export RENEWED_DOMAINS="${VHOST}"
# search for files in hooks directory
for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do
set +e
# keep only executables files, not containing a "."
if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF "."); then
if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then
debug "Executing ${hook}"
${hook}
fi
set -e
done
}
@ -303,7 +309,7 @@ readonly QUIET=${QUIET:-"0"}
readonly TEST=${TEST:-"0"}
readonly DRY_RUN=${DRY_RUN:-"0"}
readonly VERSION="20.08"
readonly VERSION="20.12"
# Read configuration file, if it exists
[ -r /etc/default/evoacme ] && . /etc/default/evoacme


+ 2
- 2
evoacme/files/make-csr.sh View File

@ -13,7 +13,7 @@ show_version() {
cat <<END
make-csr version ${VERSION}
Copyright 2009-2019 Evolix <info@evolix.fr>,
Copyright 2009-2020 Evolix <info@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Benoit Série <bserie@evolix.fr>
@ -265,7 +265,7 @@ readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly VERSION="20.08"
readonly VERSION="20.12"
# Read configuration file, if it exists
[ -r /etc/default/evoacme ] && . /etc/default/evoacme


+ 2
- 2
evoacme/files/vhost-domains.sh View File

@ -13,7 +13,7 @@ show_version() {
cat <<END
vhost-domains version ${VERSION}
Copyright 2009-2019 Evolix <info@evolix.fr>,
Copyright 2009-2020 Evolix <info@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Benoit Série <bserie@evolix.fr>
@ -170,7 +170,7 @@ readonly ARGS=$@
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly VERSION="20.08"
readonly VERSION="20.12"
readonly SRV_IP=${SRV_IP:-""}


+ 1
- 0
evoacme/tasks/main.yml View File

@ -6,6 +6,7 @@
- ansible_distribution == "Debian"
- ansible_distribution_major_version is version('9', '>=')
msg: only compatible with Debian >= 9
when: not evoacme_disable_debian_check
- include: certbot.yml


+ 24
- 13
evocheck/files/evocheck.sh View File

@ -4,7 +4,7 @@
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
readonly VERSION="20.04.3"
readonly VERSION="20.12"
# base functions
@ -205,10 +205,13 @@ check_customsudoers() {
grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file"
}
check_vartmpfs() {
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
}
check_vartmpfs() {
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
FINDMNT_BIN=$(command -v findmnt)
if [ -x "${FINDMNT_BIN}" ]; then
${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
else
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
fi
}
check_serveurbase() {
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
@ -559,7 +562,7 @@ check_evobackup_exclude_mount() {
# shellcheck disable=SC2064
trap "rm -f ${excludes_file}" 0
# shellcheck disable=SC2044
for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
for mount in ${not_excluded}; do
@ -878,15 +881,25 @@ check_sql_backup() {
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
# You could change the default path in /etc/evocheck.cf
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
for backup_path in ${SQL_BACKUP_PATH}; do
if [ ! -f "${backup_path}" ]; then
failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})"
test "${VERBOSE}" = 1 || break
fi
done
fi
}
check_postgres_backup() {
if is_installed "postgresql-9*"; then
if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then
# If you use something like barman, you should disable this check
# You could change the default path in /etc/evocheck.cf
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"}
for backup_path in ${POSTGRES_BACKUP_PATH}; do
if [ ! -f "${backup_path}" ]; then
failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})"
test "${VERBOSE}" = 1 || break
fi
done
fi
}
check_mongo_backup() {
@ -1013,7 +1026,7 @@ check_duplicate_fs_label() {
BLKID_BIN=$(command -v blkid)
if [ -x "$BLKID_BIN" ]; then
tmpFile=$(mktemp -p /tmp)
parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do
echo "$part" >> "$tmpFile"
done
@ -1517,8 +1530,6 @@ main() {
# shellcheck disable=SC2034
readonly PROGNAME=$(basename "$0")
# shellcheck disable=SC2034
readonly PROGDIR=$(realpath -m "$(dirname "$0")")
# shellcheck disable=2124
readonly ARGS=$@


+ 1
- 1
evolinux-users/tasks/sudo.yml View File

@ -4,6 +4,6 @@
when: ansible_distribution_release == "jessie"
- include: sudo_stretch.yml
when: ansible_distribution_major_version is version('9', '>=')
when: ansible_distribution_major_version is defined and ansible_distribution_major_version is version('9', '>=')
- meta: flush_handlers

+ 33
- 11
evolinux-users/tasks/user.yml View File

@ -2,20 +2,41 @@
# Unix account
- fail:
msg: "You must provide a value for the 'user.name ' variable."
when: user.name is not defined or user.name == ''
- fail:
msg: "You must provide a value for the 'user.uid ' variable."
when: user.uid is not defined or user.uid == ''
- name: "Test if '{{ user.name }}' exists"
command: 'getent passwd {{ user.name }}'
register: loginisbusy
command: 'id -u "{{ user.name }}"'
register: get_id_from_login
failed_when: False
changed_when: False
check_mode: no
- name: "Test if uid exists for '{{ user.name }}'"
command: 'getent passwd {{ user.uid }}'
register: uidisbusy
- name: "Test if uid '{{ user.uid }}' exists"
command: 'id -un -- "{{ user.uid }}"'
register: get_login_from_id
failed_when: False
changed_when: False
check_mode: no
# Error if
# the uid already exists
# and the user associated with this uid is not the desired user
- name: "Fail if uid already exists for another user"
fail:
msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'"
when:
- get_login_from_id.rc == 0
- get_login_from_id.stdout != user.name
# Create/Update the user account with defined uid if
# the user doesn't already exist and the uid isn't already used
# or the user exists with the defined uid
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
user:
state: present
@ -24,11 +45,13 @@
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
update_password: "on_create"
when:
- loginisbusy.rc != 0
- uidisbusy.rc != 0
- (get_id_from_login.rc != 0 and get_login_from_id.rc != 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout == user.name)
# Create/Update the user account without defined uid if
# the user doesn't already exist but the defined uid is already used
# or another user already exists with a the same uid
- name: "Unix account for '{{ user.name }}' is present (with random uid)"
user:
state: present
@ -36,10 +59,9 @@
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
update_password: "on_create"
when:
- loginisbusy.rc != 0
- uidisbusy.rc == 0
- (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name)
- name: Is /etc/aliases present?
stat:


+ 6
- 0
filebeat/defaults/main.yml View File

@ -12,6 +12,12 @@ filebeat_elasticsearch_auth_api_key: ""
filebeat_elasticsearch_auth_username: ""
filebeat_elasticsearch_auth_password: ""
filebeat_logstash_hosts: []
filebeat_logstash_protocol: "http"
filebeat_logstash_auth_api_key: ""
filebeat_logstash_auth_username: ""
filebeat_logstash_auth_password: ""
filebeat_use_config_template: False
filebeat_update_config: True
filebeat_force_config: True

+ 17
- 10
filebeat/templates/filebeat.default.yml.j2 View File

@ -143,15 +143,11 @@ setup.kibana:
# Configure what output to use when sending the data collected by the beat.
{% if filebeat_elasticsearch_hosts %}
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["{{ filebeat_elasticsearch_hosts | join('", "') }}"]
# Protocol - either `http` (default) or `https`.
protocol: "{{ filebeat_elasticsearch_protocol | default('http') }}"
# Authentication credentials - either API key or username/password.
{% if filebeat_elasticsearch_auth_api_key %}
api_key: "{{ filebeat_elasticsearch_auth_api_key }}"
{% endif %}
@ -161,11 +157,22 @@ output.elasticsearch:
{% if filebeat_elasticsearch_auth_password %}
password: "{{ filebeat_elasticsearch_auth_password }}"
{% endif %}
# ------------------------------ Logstash Output -------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
{% endif %}
{% if filebeat_logstash_hosts %}
# ---------------------------- Logstash Output ---------------------------------
output.logstash:
hosts: ["{{ filebeat_logstash_hosts | join('", "') }}"]
protocol: "{{ filebeat_logstash_protocol | default('http') }}"
{% if filebeat_logstash_auth_api_key %}
api_key: "{{ filebeat_logstash_auth_api_key }}"
{% endif %}
{% if filebeat_logstash_auth_username %}
username: "{{ filebeat_logstash_auth_username }}"
{% endif %}
{% if filebeat_logstash_auth_password %}
password: "{{ filebeat_logstash_auth_password }}"
{% endif %}
{% endif %}
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications


+ 1
- 0
kvm-host/defaults/main.yml View File

@ -1,2 +1,3 @@
---
kvm_custom_libvirt_images_path: ''
kvm_install_drbd: True

+ 4
- 4
kvm-host/meta/main.yml View File

@ -12,8 +12,8 @@ galaxy_info:
- name: Debian
versions:
- jessie
- stretch
- buster
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
dependencies:
- { role: evolix/drbd, when: kvm_install_drbd }

+ 4
- 0
lxc-php/defaults/main.yml View File

@ -7,6 +7,10 @@ php_conf_html_errors: "Off"
php_conf_allow_url_fopen: "Off"
php_conf_disable_functions: "exec,shell-exec,system,passthru,popen"
# Allows accessing a local mysql database using localhost
php_conf_mysql_socket_dir: /mysqld
php_conf_mysql_default_socket: "{{ php_conf_mysql_socket_dir }}/mysqld.sock"
lxc_php_version: Null
lxc_php_container_releases:


+ 6
- 0
lxc-php/handlers/main.yml View File

@ -18,3 +18,9 @@
lxc_container:
name: "{{ lxc_php_version }}"
container_command: "systemctl restart opensmtpd"
- name: Restart container
lxc_container:
name: "{{ lxc_php_version }}"
state: restarted

+ 9
- 1
lxc-php/tasks/misc.yml View File

@ -18,8 +18,16 @@
dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/mailname"
notify: "Restart opensmtpd"
- name: "{{ lxc_php_version }} - Install misc packages"
lxc_container:
name: "{{ lxc_php_version }}"
container_command: "DEBIAN_FRONTEND=noninteractive apt install -y cron logrotate git zip unzip"
- name: "{{ lxc_php_version }} - Add MySQL socket to container default mounts"
lxc_container:
name: "{{ lxc_php_version }}"
container_config:
- "lxc.mount.entry = /run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0"
when: php_conf_mysql_socket_dir is string
notify: "Restart container"

+ 8
- 0
lxc-php/templates/z-evolinux-defaults.ini.j2 View File

@ -6,3 +6,11 @@ log_errors = {{ php_conf_log_errors }}
html_errors = {{ php_conf_html_errors }}
allow_url_fopen = {{ php_conf_allow_url_fopen }}
disable_functions = {{ php_conf_disable_functions }}
{% if php_conf_mysql_socket_dir %}
[Pdo_mysql]
pdo_mysql.default_socket = {{ php_conf_mysql_default_socket }}
[MySQLi]
mysqli.default_socket = {{ php_conf_mysql_default_socket }}
{% endif %}

+ 4
- 0
minifirewall/defaults/main.yml View File

@ -5,11 +5,15 @@ minifirewall_tail_file: /etc/default/minifirewall.tail
minifirewall_tail_included: False
minifirewall_tail_force: True
minifirewall_force_upgrade_script: False
minifirewall_force_upgrade_config: False
minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
minifirewall_checkout_path: "/tmp/minifirewall"
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
minifirewall_ipv6: "on"
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
minifirewall_docker: "off"
minifirewall_default_trusted_ips: []
minifirewall_additional_trusted_ips: []


+ 7
- 2
minifirewall/files/minifirewall.conf View File

@ -1,6 +1,5 @@
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
# For fun, we keep last change from first CVS repository:
# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
# Version 20.12 — 2020-12-01 22:55:35
# Main interface
INT='eth0'
@ -8,6 +7,12 @@ INT='eth0'
# IPv6
IPV6=on
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='off'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32'


+ 8
- 2
minifirewall/tasks/config.yml View File

@ -51,13 +51,19 @@
blockinfile:
dest: "{{ minifirewall_main_file }}"
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
content: |
block: |
# Main interface
INT='{{ minifirewall_int }}'
# IPv6
IPV6='{{ minifirewall_ipv6 }}'
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='{{ minifirewall_docker }}'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='{{ minifirewall_intlan }}'
@ -89,7 +95,7 @@
blockinfile:
dest: "{{ minifirewall_main_file }}"
marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
content: |
block: |
# Protected services
# (add also in Public services if needed)
SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'


+ 2
- 2
minifirewall/tasks/install.yml View File

@ -9,7 +9,7 @@
template:
src: minifirewall.j2
dest: /etc/init.d/minifirewall
force: no
force: "{{ minifirewall_force_upgrade_script | default('no') }}"
mode: "0700"
owner: root
group: root
@ -18,7 +18,7 @@
copy:
src: minifirewall.conf
dest: "{{ minifirewall_main_file }}"
force: no
force: "{{ minifirewall_force_upgrade_config | default('no') }}"
mode: "0600"
owner: root
group: root

+ 114
- 6
minifirewall/templates/minifirewall.j2 View File

@ -4,7 +4,7 @@
# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
# See https://gitea.evolix.org/evolix/minifirewall
# Copyright (c) 2007-2015 Evolix
# Copyright (c) 2007-2020 Evolix
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
@ -51,6 +51,20 @@ BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
chain_exists()
{
local chain_name="$1" ; shift
[ $# -eq 1 ] && local intable="--table $1"
iptables $intable -nL "$chain_name" >/dev/null 2>&1
}
# Configuration
oldconfigfile="/etc/firewall.rc"
configfile="{{ minifirewall_main_file }}"
IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
case "$1" in
start)
@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT -A LOG_ACCEPT -j ACCEPT
# Configuration
oldconfigfile="/etc/firewall.rc"
configfile="{{ minifirewall_main_file }}"
if test -f $oldconfigfile; then
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
exit 1
@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
if [ "$DOCKER" = "on" ]; then
$IPT -N MINIFW-DOCKER-TRUSTED
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP
$IPT -N MINIFW-DOCKER-PRIVILEGED
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
$IPT -N MINIFW-DOCKER-PUB
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
$IPT -A MINIFW-DOCKER-PUB -j RETURN
# Flush DOCKER-USER if exist, create it if absent
if chain_exists 'DOCKER-USER'; then
$IPT -F DOCKER-USER
else
$IPT -N DOCKER-USER
fi;
# Pipe new connection through MINIFW-DOCKER-PUB
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
$IPT -A DOCKER-USER -j RETURN
fi
# Local services restrictions
#############################
@ -218,6 +255,64 @@ for x in $SERVICESUDP3
done
if [ "$DOCKER" = "on" ]; then
# Public services defined in SERVICESTCP1 & SERVICESUDP1
for dstport in $SERVICESTCP1
do
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
done
for dstport in $SERVICESUDP1
do
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
done
# Privileged services (accessible from privileged & trusted IPs)
for dstport in $SERVICESTCP2
do
for srcip in $PRIVILEGIEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
done
for dstport in $SERVICESUDP2
do
for srcip in $PRIVILEGIEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
done
# Trusted services (accessible from trusted IPs)
for dstport in $SERVICESTCP3
do
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
done
for dstport in $SERVICESUDP3
do
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
done
fi
# External services
###################
@ -323,11 +418,24 @@ trap - INT TERM EXIT
$IPT -F ONLYTRUSTED
$IPT -F ONLYPRIVILEGIED
$IPT -F NEEDRESTRICT
$IPT -t nat -F
[ "$DOCKER" = "off" ] && $IPT -t nat -F
$IPT -t mangle -F
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
if [ "$DOCKER" = "on" ]; then
$IPT -F DOCKER-USER
$IPT -A DOCKER-USER -j RETURN
$IPT -F MINIFW-DOCKER-PUB
$IPT -X MINIFW-DOCKER-PUB
$IPT -F MINIFW-DOCKER-PRIVILEGED
$IPT -X MINIFW-DOCKER-PRIVILEGED
$IPT -F MINIFW-DOCKER-TRUSTED
$IPT -X MINIFW-DOCKER-TRUSTED
fi
# Accept all
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT


+ 5
- 0
mysql-oracle/files/evolinux-defaults.cnf View File

@ -1,6 +1,8 @@
[mysqld]
###### Connexions
# Path to socket
socket = /run/mysqld/mysqld.sock
# Maximum de connexions concurrentes (defaut = 100)... provoque un "Too many connections"
max_connections = 250
# Maximum de connexions en attente en cas de max_connections atteint (defaut = 50)
@ -60,3 +62,6 @@ character-set-server=utf8
collation-server=utf8_general_ci
# Patch MySQL 5.5.53
secure-file-priv = ""
[client]
socket = /run/mysqld/mysqld.sock

+ 25
- 0
mysql/files/save_mysql_processlist.sh View File

@ -0,0 +1,25 @@
#!/bin/sh
set -e
processlist() {
mysqladmin --verbose --vertical processlist
}
DIR="/var/log/mysql-processlist"
TS=`date +%Y%m%d%H%M%S`
FILE="${DIR}/${TS}"
if [ ! -d "${DIR}" ]; then
mkdir -p "${DIR}"
chown root:adm "${DIR}"
chmod 750 "${DIR}"
fi
processlist > "${FILE}"
chmod 640 "${FILE}"
chown root:adm "${FILE}"
find "${DIR}" -type f -mtime +1 -delete
exit 0

+ 1
- 1
mysql/handlers/main.yml View File

@ -22,4 +22,4 @@
- name: 'restart xinetd'
service:
name: 'xinetd'
state: 'restart'
state: 'restarted'

+ 9
- 0
mysql/tasks/utils.yml View File

@ -178,3 +178,12 @@
tags:
- mysql
- packages
- name: "Install save_mysql_processlist.sh"
copy:
src: save_mysql_processlist.sh
dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/save_mysql_processlist.sh"
mode: "0755"
force: no
tags:
- mysql

+ 3
- 3
packweb-apache/meta/main.yml View File

@ -21,11 +21,11 @@ dependencies:
- { role: evolix/apache }
- { role: evolix/php, php_apache_enable: True, when: packweb_apache_modphp }
- { role: evolix/php, php_fpm_enable: True, when: packweb_apache_fpm }
- { role: evolix/lxc-php, lxc_php_version: php56, when: "'php56' in packweb_multiphp_versions" }
- { role: evolix/lxc-php, lxc_php_version: php70, when: "'php70' in packweb_multiphp_versions" }
- { role: evolix/lxc-php, lxc_php_version: php73, when: "'php73' in packweb_multiphp_versions" }
- { role: evolix/squid, squid_localproxy_enable: True }
- { role: evolix/mysql, when: packweb_mysql_variant == "debian" }
- { role: evolix/mysql-oracle, when: packweb_mysql_variant == "oracle" }
- { role: evolix/lxc-php, lxc_php_version: php56, when: "'php56' in packweb_multiphp_versions" }
- { role: evolix/lxc-php, lxc_php_version: php70, when: "'php70' in packweb_multiphp_versions" }
- { role: evolix/lxc-php, lxc_php_version: php73, when: "'php73' in packweb_multiphp_versions" }
- { role: evolix/webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}", evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" }
- { role: evolix/evoacme }

+ 1
- 1
postgresql/defaults/main.yml View File

@ -9,7 +9,7 @@ postgresql_random_page_cost: 1.5
postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"
# PostgreSQL version
postgresql_version: '9.6'
postgresql_version: ''
# Set locales
locales_default: fr_FR.UTF-8


+ 5
- 0
postgresql/tasks/packages_buster.yml View File

@ -1,5 +1,10 @@
---
- name: "Set variables (Debian 10)"
set_fact:
postgresql_version: '11'
when: postgresql_version == ""
- include: pgdg-repo.yml
when: postgresql_version != '11'


+ 5
- 0
postgresql/tasks/packages_jessie.yml View File

@ -1,5 +1,10 @@
---
- name: "Set variables (Debian 8)"
set_fact:
postgresql_version: '9.4'
when: postgresql_version == ""
- include: pgdg-repo.yml
when: postgresql_version != '9.4'


+ 5
- 0
postgresql/tasks/packages_stretch.yml View File

@ -1,5 +1,10 @@
---
- name: "Set variables (Debian 9)"
set_fact:
postgresql_version: '9.6'
when: postgresql_version == ""
- include: pgdg-repo.yml
when: postgresql_version != '9.6'


+ 6
- 1
postgresql/tasks/pgdg-repo.yml View File

@ -18,8 +18,13 @@
#url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc
data: "{{ lookup('file', 'ACCC4CF8.asc') }}"
- name: Update and upgrade apt packages for PGDG repository
apt:
upgrade: yes
update_cache: yes
- name: Add APT preference file
template:
src: postgresql.pref.j2
dest: /etc/apt/preferences.d/
dest: /etc/apt/preferences.d/postgresql.pref
mode: "0644"

+ 1
- 0
proftpd/templates/ftps.conf.j2 View File

@ -25,6 +25,7 @@
DefaultRoot ~
PassivePorts 60000 61000
TransferLog /var/log/proftpd/xferlog
<Limit LOGIN>
AllowGroup ftpusers


+ 1
- 0
proftpd/templates/sftp.conf.j2 View File

@ -12,6 +12,7 @@
DefaultRoot ~
SFTPLog /var/log/proftpd/sftp.log
TransferLog /var/log/proftpd/xferlog
SFTPAuthMethods password
SFTPHostKey /etc/ssh/ssh_host_ecdsa_key


+ 2
- 0
redis/defaults/main.yml View File

@ -3,6 +3,8 @@ redis_systemd_name: redis-server
redis_conf_dir_prefix: /etc/redis
redis_force_instance_port: False
redis_port: 6379
redis_bind_interface: 127.0.0.1


+ 10
- 0
redis/files/check_redis_instances.sh View File

@ -30,11 +30,21 @@ check_server() {
host=$(config_var "bind" "${conf_file}")
port=$(config_var "port" "${conf_file}")
pass=$(config_var "requirepass" "${conf_file}")
maxmemory=$(config_var "maxmemory" "${conf_file}")
maxmemory_policy=$(config_var "maxmemory-policy" "${conf_file}")
cmd="${check_bin} -H ${host} -p ${port}"
# If "requirepass" is set we add the password to the check
if [ -n "${pass}" ]; then
cmd="${cmd} -x ${pass}"
fi
# If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction"
# then we enforce the "maxmemory" limit
if [ -n "${maxmemory}" ]; then
if [ -z "${maxmemory_policy}" ] || [ "${maxmemory_policy}" = "noeviction" ]; then
cmd="${cmd} --total_memory ${maxmemory} --memory_utilization 80,90"
fi
fi
result=$($cmd)
ret="${?}"
if [ "${ret}" -ge 2 ]; then


+ 1
- 1
redis/tasks/default-log2mail.yml View File

@ -8,7 +8,7 @@
mode: "0640"
create: yes
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
content: |
block: |
file = {{ redis_log_dir }}/redis-server.log
pattern = "Cannot allocate memory"
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}


+ 1
- 0
redis/tasks/instance-server.yml View File

@ -5,6 +5,7 @@
that:
- redis_port != 6379
msg: "If you want to use port 6379, use the default instance, not a named instance."
when: not redis_force_instance_port
- name: "Instance '{{ redis_instance_name }}' group is present"
group:


+ 20
- 0
tomcat-instance/tasks/user.yml View File

@ -1,4 +1,24 @@
---
- fail:
msg: "You must provide a value for the 'tomcat_instance_port' variable."
when: tomcat_instance_port is not defined or tomcat_instance_port == ''
- name: "Test if uid '{{ tomcat_instance_port }}' exists"
command: 'id -un -- "{{ tomcat_instance_port }}"'
register: get_login_from_id
failed_when: False
changed_when: False
check_mode: no
- name: "Fail if uid already exists for another user"
fail:
msg: "Uid '{{ tomcat_instance_port }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ tomcat_instance_name }}'"
when:
- get_login_from_id.rc == 0
- get_login_from_id.stdout != tomcat_instance_name
- name: Create group instance
group:
name: "{{ tomcat_instance_name }}"


+ 1
- 1
varnish/defaults/main.yml View File

@ -10,7 +10,7 @@ varnish_malloc_size: "2G"
varnish_storage: malloc,{{ varnish_malloc_size }}
varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}"
varnish_thread_pool_add_delay: 2
varnish_thread_pool_add_delay: 0
varnish_thread_pool_min: 500
varnish_thread_pool_max: 5000


+ 0
- 5
varnish/files/reload-vcl.sh View File

@ -1,5 +0,0 @@
#!/bin/sh
UUID=`cat /proc/sys/kernel/random/uuid`
/usr/sbin/varnishd -C -f /etc/varnish/default.vcl >/dev/null \
&&/usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.load vcl_$UUID /etc/varnish/default.vcl" \
&& /usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.use vcl_$UUID"

+ 40
- 23
varnish/tasks/main.yml View File

@ -4,49 +4,62 @@
name: varnish
state: present
tags:
- varnish
- varnish
- name: Remove default varnish configuration files
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/default/varnish
- /etc/default/varnishncsa
- /etc/default/varnishlog
- /etc/default/varnish
- /etc/default/varnishncsa
- /etc/default/varnishlog
notify: reload varnish
tags:
- varnish
- varnish
- name: Copy Custom Varnish ExecReload script (Debian <=9)
copy:
src: "reload-vcl.sh"
- name: Copy Custom Varnish ExecReload script (Debian <10)
template:
src: "reload-vcl.sh.j2"
dest: "/etc/varnish/reload-vcl.sh"
mode: "0700"
owner: root
group: root
when: ansible_distribution_major_version is version('9', '<=')
when: ansible_distribution_major_version is version('10', '<')
notify: reload varnish
tags:
- varnish
- varnish
- name: Create a system config directory for systemd overrides
file:
path: /etc/systemd/system/varnish.service.d
state: directory
tags:
- varnish
- varnish
- name: Override Varnish systemd unit (Stretch and before)
template:
src: varnish.conf.jessie.j2
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
force: yes
when: ansible_distribution_major_version is version('10', '<')
notify:
- reload systemd
- restart varnish
tags:
- varnish
- name: Override Varnish systemd unit
- name: Override Varnish systemd unit (Buster and later)
template:
src: varnish.conf.j2
src: varnish.conf.buster.j2
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
force: yes
when: ansible_distribution_major_version is version('10', '>=')
notify:
- reload systemd
- restart varnish
tags:
- varnish
- varnish
- name: Patch logrotate conf
replace:
@ -57,22 +70,26 @@
- varnishlog
- varnishncsa
tags:
- varnish
- varnish
- name: Copy Varnish configuration
template:
src: "{{ item }}"
dest: /etc/varnish/default.vcl
dest: "{{ varnish_config_file }}"
mode: "0644"
force: yes
with_first_found:
- "templates/varnish/default.{{ inventory_hostname }}.vcl.j2"
- "templates/varnish/default.{{ host_group }}.vcl.j2"
- "templates/varnish/default.default.vcl.j2"
- "default.vcl.j2"
- "templates/varnish/varnish.{{ inventory_hostname }}.vcl.j2"
- "templates/varnish/default.{{ inventory_hostname }}.vcl.j2"
- "templates/varnish/varnish.{{ host_group }}.vcl.j2"
- "templates/varnish/default.{{ host_group }}.vcl.j2"
- "templates/varnish/varnish.default.vcl.j2"
- "templates/varnish/default.default.vcl.j2"
- "varnish.vcl.j2"
- "default.vcl.j2"
notify: reload varnish
tags:
- varnish
- varnish
- name: Create Varnish config dir
file:
@ -80,7 +97,7 @@
state: directory
mode: "0755"
tags:
- varnish
- varnish
- name: Copy included Varnish config
template:
@ -92,6 +109,6 @@
- "templates/varnish/conf.d/*.vcl"
notify: reload varnish
tags:
- varnish
- varnish
- include: munin.yml

+ 5
- 0
varnish/templates/reload-vcl.sh.j2 View File

@ -0,0 +1,5 @@
#!/bin/sh
UUID=`cat /proc/sys/kernel/random/uuid`
/usr/sbin/varnishd -C -f {{ varnish_config_file }} >/dev/null \
&& /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.load vcl_$UUID {{ varnish_config_file }}" \
&& /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.use vcl_$UUID"

+ 5
- 0
varnish/templates/varnish.conf.buster.j2 View File

@ -0,0 +1,5 @@
# {{ ansible_managed }}
[Service]
ExecStart=
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}

+ 0
- 7
varnish/templates/varnish.conf.j2 View File

@ -1,7 +0,0 @@
# {{ ansible_managed }}
[Service]
ExecStart=
ExecStart=/usr/sbin/varnishd -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
ExecReload=
ExecReload=/etc/varnish/reload-vcl.sh

+ 7
- 0
varnish/templates/varnish.conf.jessie.j2 View File

@ -0,0 +1,7 @@
# {{ ansible_managed }}
[Service]
ExecStart=
ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
ExecReload=
ExecReload=/etc/varnish/reload-vcl.sh

varnish/templates/default.vcl.j2 → varnish/templates/varnish.vcl.j2 View File


+ 2
- 0
webapps/evoadmin-web/tasks/user.yml View File

@ -6,6 +6,7 @@
comment: "Evoadmin Web Account"
home: "{{ evoadmin_home_dir }}"
password: "!"
system: yes
- name: Create www-evoadmin group
group:
@ -22,6 +23,7 @@
- name: "Create www-evoadmin (Debian 9 or later)"
user:
name: www-evoadmin
system: yes
when: ansible_distribution_major_version is version('9', '>=')
- name: Is /etc/aliases present?


+ 19
- 0
webapps/nextcloud/defaults/main.yml View File

@ -0,0 +1,19 @@
---
nextcloud_webserver: 'nginx'
nextcloud_version: "20.0.0"
nextcloud_archive_name: "nextcloud-{{ nextcloud_version }}.tar.bz2"
nextcloud_releases_baseurl: "https://download.nextcloud.com/server/releases/"
nextcloud_instance_name: "nextcloud"
nextcloud_user: "{{ nextcloud_instance_name }}"
nextcloud_domains: []
nextcloud_home: "/home/{{ nextcloud_user }}"
nextcloud_webroot: "{{ nextcloud_home }}/nextcloud"
nextcloud_data: "{{ nextcloud_webroot }}/data"
nextcloud_db_user: "{{ nextcloud_user }}"
nextcloud_db_name: "{{ nextcloud_instance_name }}"
nextcloud_admin_login: "admin"
nextcloud_admin_password: ""

+ 10
- 0
webapps/nextcloud/handlers/main.yml View File

@ -0,0 +1,10 @@
---
- name: reload php-fpm
service:
name: php7.3-fpm
state: reloaded
- name: reload nginx
service:
name: nginx
state: reloaded

+ 4
- 0
webapps/nextcloud/meta/main.yml View File

@ -0,0 +1,4 @@
---
# dependencies:
# - { role: nginx, when: nextcloud_webserver == 'nginx' }
# - { role: php, php_fpm_enable: True }

+ 37
- 0
webapps/nextcloud/tasks/archive.yml View File

@ -0,0 +1,37 @@
---
- name: Retrieve Nextcloud archive
get_url:
url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}"
dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}"
force: no
tags:
- nextcloud
- name: Retrieve Nextcloud sha256 checksum
get_url:
url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256"
dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}.sha256"
force: no
tags:
- nextcloud
- name: Verify Nextcloud sha256 checksum
command: "sha256sum -c {{ nextcloud_archive_name }}.sha256"
changed_when: "False"
args:
chdir: "{{ nextcloud_home }}"
tags:
- nextcloud
- name: Extract Nextcloud archive
unarchive:
src: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}"
dest: "{{ nextcloud_home }}"
creates: "{{ nextcloud_home }}/nextcloud"
remote_src: True
mode: "0750"
owner: "{{ nextcloud_user }}"
group: "{{ nextcloud_user }}"
tags:
- nextcloud

+ 81
- 0
webapps/nextcloud/tasks/config.yml View File

@ -0,0 +1,81 @@
---
- block:
- name: Generate admin password
command: 'apg -n 1 -m 16 -M lcN'
register: nextcloud_admin_password_apg
check_mode: no
changed_when: False
- debug:
var: nextcloud_admin_password_apg
- set_fact:
nextcloud_admin_password: "{{ nextcloud_admin_password_apg.stdout }}"
tags:
- nextcloud
when: nextcloud_admin_password == ""
- name: Get Nextcloud Status
shell: "php ./occ status --output json | grep -v 'Nextcloud is not installed'"
args:
chdir: "{{ nextcloud_webroot }}"
become_user: "{{ nextcloud_user }}"
register: nc_status
check_mode: no
tags:
- nextcloud
- name: Install Nextcloud
command: "php ./occ maintenance:install --database mysql --database-name {{ nextcloud_db_name | mandatory }} --database-user {{ nextcloud_db_user | mandatory }} --database-pass {{ nextcloud_db_pass | mandatory }} --admin-user {{ nextcloud_admin_login | mandatory }} --admin-pass {{ nextcloud_admin_password | mandatory }} --data-dir {{ nextcloud_data | mandatory }}"
args:
chdir: "{{ nextcloud_webroot }}"
creates: "{{ nextcloud_home }}/config/config.php"
become_user: "{{ nextcloud_user }}"
when: (nc_status.stdout | from_json).installed == false
tags:
- nextcloud
- name: Configure Nextcloud Mysql password
replace:
dest: "{{ nextcloud_home }}/nextcloud/config/config.php"
regexp: "'dbpassword' => '([^']*)',"
replace: "'dbpassword' => '{{ nextcloud_db_pass }}',"
tags:
- nextcloud
- name: Configure Nextcloud cron
cron:
name: 'Nextcloud'
minute: "*/5"
job: "php -f {{ nextcloud_webroot }}/cron.php"
user: "{{ nextcloud_user }}"
tags:
- nextcloud
- name: Erase previously trusted domains config
command: "php ./occ config:system:set trusted_domains"
args:
chdir: "{{ nextcloud_webroot }}"
become_user: "{{ nextcloud_user }}"
tags:
- nextcloud
- name: Configure trusted domains
command: "php ./occ config:system:set trusted_domains {{ item.0 }} --value {{ item.1 }}"
args:
chdir: "{{ nextcloud_webroot }}"
with_indexed_items:
- "{{ nextcloud_domains }}"
become_user: "{{ nextcloud_user }}"
tags:
- nextcloud
#- name: Configure memcache local to APCu
# command: "php ./occ config:system:set memcache.local --value '\\OC\\Memcache\\APCu'"
# args:
# chdir: "{{ nextcloud_webroot }}"
# become_user: "{{ nextcloud_user }}"
# tags:
# - nextcloud

+ 31
- 0
webapps/nextcloud/tasks/main.yml View File

@ -0,0 +1,31 @@
---
- name: Install dependencies
apt:
state: present
name:
- bzip2
- php-gd
- php-json
- php-xml
- php-mbstring
- php-zip
- php-curl
- php-bz2
- php-intl
- php-gmp
- php-apcu
- php-redis
- php-bcmath