From 1d9ab0f1f310969acacd41edf99599478da2b6ab Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Thu, 4 Jun 2020 16:19:48 +0200 Subject: [PATCH 01/48] Allows using localhost to connect to MySQL in lxc Add 'php_conf_mysql_default_socket' variable to lxc-php role that configure both the lxc containers and PHP so that a local MySQL database may be used through localhost. The PHP containers will automount /var/run/mysqld/mysqld.sock (the default path to the mysql socket) to the path defined by the variable 'php_conf_mysql_default_socket' which will be the path used by php to contact MySQL both with mysqli and PDO_MYSQL. --- lxc-php/defaults/main.yml | 3 +++ lxc-php/tasks/misc.yml | 9 ++++++++- lxc-php/templates/z-evolinux-defaults.ini.j2 | 8 ++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 8cb62665..bacd7635 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -7,6 +7,9 @@ php_conf_html_errors: "Off" php_conf_allow_url_fopen: "Off" php_conf_disable_functions: "exec,shell-exec,system,passthru,popen" +# Allows accessing a local mysql database using localhost +php_conf_mysql_default_socket: Null + lxc_php_version: Null lxc_php_container_releases: diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index af848213..30565c9c 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml 
@@ -18,8 +18,15 @@ dest: "/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/mailname" notify: "Restart opensmtpd" - - name: "{{ lxc_php_version }} - Install misc packages" lxc_container: name: "{{ lxc_php_version }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y cron logrotate git zip unzip" + +- name: "{{ lxc_php_version }} - Add MySQL socket to container default mounts" + lxc_container: + name: "{{ lxc_php_version }}" + container_config: + - "lxc.mount.entry = /var/run/mysqld/mysqld {{ php_conf_mysql_default_socket | replace('/', '', 1) }} none bind,create=file 0 0" + state: restarted + when: php_conf_mysql_default_socket is string diff --git a/lxc-php/templates/z-evolinux-defaults.ini.j2 b/lxc-php/templates/z-evolinux-defaults.ini.j2 index 7e3e116b..b407e520 100644 --- a/lxc-php/templates/z-evolinux-defaults.ini.j2 +++ b/lxc-php/templates/z-evolinux-defaults.ini.j2 @@ -6,3 +6,11 @@ log_errors = {{ php_conf_log_errors }} html_errors = {{ php_conf_html_errors }} allow_url_fopen = {{ php_conf_allow_url_fopen }} disable_functions = {{ php_conf_disable_functions }} + +{% if php_conf_mysql_default_socket %} +[Pdo_mysql] +pdo_mysql.default_socket = {{ php_conf_mysql_default_socket }} + +[MySQLi] +mysqli.default_socket = {{ php_conf_mysql_default_socket }} +{% endif %} From 49b20f9b126a2a9344446656c1b732b817f980bc Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Fri, 5 Jun 2020 09:37:43 +0200 Subject: [PATCH 02/48] lxc-php: Have mysqld.sock inside of a directory Bind mount don't seems to work on a file so the default socket is now always named mysqld.sock and the configurable variable is php_conf_mysql_socket_dir that define the directory the socket will be in. --- lxc-php/defaults/main.yml | 3 ++- lxc-php/tasks/misc.yml | 5 ++--- lxc-php/templates/z-evolinux-defaults.ini.j2 | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index bacd7635..a76e1a5b 100644 
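Review bot: The `replace('/', '', 1)` filter used to make the mount target relative removes the first `/` wherever it occurs, so a value without a leading slash (a constructed example: `run/mysqld/mysqld.sock`) loses an inner slash and yields a different path; anchoring the filter, `{{ php_conf_mysql_default_socket | regex_replace('^/', '') }}`, only strips a leading one. The same filter is kept on the rewritten mount entry in the PATCH 02/48 `lxc-php/tasks/misc.yml` hunk. Since the bind mount hands the container a direct client path to the host's MySQL socket, the only access control left between PHP code in the container and the host database is MySQL's own grants; the defaults comment `# Allows accessing a local mysql database using localhost` would be a good place to say so.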
--- a/lxc-php/defaults/main.yml
+++ b/lxc-php/defaults/main.yml
@@ -8,7 +8,8 @@ php_conf_allow_url_fopen: "Off"
 php_conf_disable_functions: "exec,shell-exec,system,passthru,popen"
 
 # Allows accessing a local mysql database using localhost
-php_conf_mysql_default_socket: Null
+php_conf_mysql_socket_dir: Null
+php_conf_mysql_default_socket: "{{ php_conf_mysql_socket_dir }}/mysqld.sock"
 
 lxc_php_version: Null
 
diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml
index 30565c9c..b643bb4a 100644
--- a/lxc-php/tasks/misc.yml
+++ b/lxc-php/tasks/misc.yml
@@ -27,6 +27,5 @@
   lxc_container:
     name: "{{ lxc_php_version }}"
     container_config:
-      - "lxc.mount.entry = /var/run/mysqld/mysqld {{ php_conf_mysql_default_socket | replace('/', '', 1) }} none bind,create=file 0 0"
-    state: restarted
-  when: php_conf_mysql_default_socket is string
+      - "lxc.mount.entry = /var/run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0"
+  when: php_conf_mysql_socket_dir is string
diff --git a/lxc-php/templates/z-evolinux-defaults.ini.j2 b/lxc-php/templates/z-evolinux-defaults.ini.j2
index b407e520..3bc6e4ee 100644
--- a/lxc-php/templates/z-evolinux-defaults.ini.j2
+++ b/lxc-php/templates/z-evolinux-defaults.ini.j2
@@ -7,7 +7,7 @@ html_errors = {{ php_conf_html_errors }}
 allow_url_fopen = {{ php_conf_allow_url_fopen }}
 disable_functions = {{ php_conf_disable_functions }}
 
-{% if php_conf_mysql_default_socket %}
+{% if php_conf_mysql_socket_dir %}
 [Pdo_mysql]
 pdo_mysql.default_socket = {{ php_conf_mysql_default_socket }}
 
From 5e13f8da4ef28d6886948546ff4fb8994b1f2a47 Mon Sep 17 00:00:00 2001
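Review bot: The task guard `when: php_conf_mysql_socket_dir is string` and the template guard `{% if php_conf_mysql_socket_dir %}` disagree on the empty string: `""` is a string, so the container would receive `lxc.mount.entry = /var/run/mysqld  none bind,create=dir 0 0` with an empty target while the PHP ini gets no socket settings at all. Aligning the task on `when: php_conf_mysql_socket_dir is string and php_conf_mysql_socket_dir | length > 0` makes both sides agree. The new default `php_conf_mysql_default_socket: "{{ php_conf_mysql_socket_dir }}/mysqld.sock"` renders as `None/mysqld.sock` while the dir is left at `Null`, which is harmless only because the template now tests the dir rather than the socket variable; a comment on the default recording that dependency would keep a later edit from breaking it.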
From: Mathieu Trossevin Date: Fri, 5 Jun 2020 12:09:19 +0200 Subject: [PATCH 03/48] lxc-php: Make mysql socket binding work on fresh install /var/run/mysqld only exist after mysql is installed, as such the role lxc-php need to run after the role mysql. Also only cause a restart of the containers when their configuration has been changed. For now socket binding might only work for mysql and not mysql-oracle (it's default socket seems to be /tmp/mysql.sock). --- lxc-php/tasks/misc.yml | 7 +++++++ packweb-apache/meta/main.yml | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index b643bb4a..582c4170 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml @@ -29,3 +29,10 @@ container_config: - "lxc.mount.entry = /var/run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0" when: php_conf_mysql_socket_dir is string + register: added_mysql_socket + +- name: "{{ lxc_php_version }} - Restart container as configuration changed" + lxc_container: + name: "{{ lxc_php_version }}" + state: restarted + when: added_mysql_socket.changed diff --git a/packweb-apache/meta/main.yml b/packweb-apache/meta/main.yml index c8981b6e..f98442a6 100644 --- a/packweb-apache/meta/main.yml +++ b/packweb-apache/meta/main.yml 
@@ -21,11 +21,11 @@ dependencies: - { role: evolix/apache } - { role: evolix/php, php_apache_enable: True, when: packweb_apache_modphp } - { role: evolix/php, php_fpm_enable: True, when: packweb_apache_fpm } - - { role: evolix/lxc-php, lxc_php_version: php56, when: "'php56' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php70, when: "'php70' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php73, when: "'php73' in packweb_multiphp_versions" } - { role: evolix/squid, squid_localproxy_enable: True } - { role: evolix/mysql, when: packweb_mysql_variant == "debian" } - { role: evolix/mysql-oracle, when: packweb_mysql_variant == "oracle" } + - { role: evolix/lxc-php, lxc_php_version: php56, when: "'php56' in packweb_multiphp_versions" } + - { role: evolix/lxc-php, lxc_php_version: php70, when: "'php70' in packweb_multiphp_versions" } + - { role: evolix/lxc-php, lxc_php_version: php73, when: "'php73' in packweb_multiphp_versions" } - { role: evolix/webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}", evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" } - { role: evolix/evoacme } From 4f7c0d6e698e507d1a3aee1d62d45c117f19674b Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 22 Sep 2020 10:03:29 +0200 Subject: [PATCH 04/48] Add TransfertLog to sftp and ftps configuration --- proftpd/templates/ftps.conf.j2 | 1 + proftpd/templates/sftp.conf.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/proftpd/templates/ftps.conf.j2 b/proftpd/templates/ftps.conf.j2 index ceec0631..33a2cff3 100644 --- a/proftpd/templates/ftps.conf.j2 +++ b/proftpd/templates/ftps.conf.j2 @@ -25,6 +25,7 @@ DefaultRoot ~ PassivePorts 60000 61000 + TransferLog /var/log/proftpd/xferlog AllowGroup ftpusers diff --git a/proftpd/templates/sftp.conf.j2 b/proftpd/templates/sftp.conf.j2 index 5f12ca9c..9a96e5ef 100644 --- a/proftpd/templates/sftp.conf.j2 +++ b/proftpd/templates/sftp.conf.j2 
@@ -12,6 +12,7 @@ DefaultRoot ~ SFTPLog /var/log/proftpd/sftp.log + TransferLog /var/log/proftpd/xferlog SFTPAuthMethods password SFTPHostKey /etc/ssh/ssh_host_ecdsa_key From 929f258bf83236157fdb8f8934e64a42124c42ca Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 2 Oct 2020 16:51:05 +0200 Subject: [PATCH 05/48] nextcloud: New role --- CHANGELOG.md | 2 + webapps/nextcloud/defaults/main.yml | 19 +++ webapps/nextcloud/handlers/main.yml | 10 ++ webapps/nextcloud/meta/main.yml | 4 + webapps/nextcloud/tasks/archive.yml | 37 ++++++ webapps/nextcloud/tasks/config.yml | 81 ++++++++++++ webapps/nextcloud/tasks/main.yml | 31 +++++ webapps/nextcloud/tasks/mysql.yml | 62 +++++++++ webapps/nextcloud/tasks/user.yml | 38 ++++++ webapps/nextcloud/tasks/vhost.yml | 34 +++++ webapps/nextcloud/templates/nginx.conf.j2 | 134 ++++++++++++++++++++ webapps/nextcloud/templates/php-fpm.conf.j2 | 17 +++ 12 files changed, 469 insertions(+) create mode 100644 webapps/nextcloud/defaults/main.yml create mode 100644 webapps/nextcloud/handlers/main.yml create mode 100644 webapps/nextcloud/meta/main.yml create mode 100644 webapps/nextcloud/tasks/archive.yml create mode 100644 webapps/nextcloud/tasks/config.yml create mode 100644 webapps/nextcloud/tasks/main.yml create mode 100644 webapps/nextcloud/tasks/mysql.yml create mode 100644 webapps/nextcloud/tasks/user.yml create mode 100644 webapps/nextcloud/tasks/vhost.yml create mode 100644 webapps/nextcloud/templates/nginx.conf.j2 create mode 100644 webapps/nextcloud/templates/php-fpm.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 33998f64..b83ea994 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes incrementally at each release. ### Added +* nextcloud: New role to setup a nextcloud instance + ### Changed ### Fixed diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml new file mode 100644 index 00000000..0048ca69 --- /dev/null 
+++ b/webapps/nextcloud/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+nextcloud_webserver: 'nginx'
+nextcloud_version: "19.0.0"
+nextcloud_archive_name: "nextcloud-{{ nextcloud_version }}.tar.bz2"
+nextcloud_releases_baseurl: "https://download.nextcloud.com/server/releases/"
+
+nextcloud_instance_name: "nextcloud"
+nextcloud_user: "{{ nextcloud_instance_name }}"
+nextcloud_domains: []
+
+nextcloud_home: "/home/{{ nextcloud_user }}"
+nextcloud_webroot: "{{ nextcloud_home }}/nextcloud"
+nextcloud_data: "{{ nextcloud_webroot }}/data"
+
+nextcloud_db_user: "{{ nextcloud_user }}"
+nextcloud_db_name: "{{ nextcloud_instance_name }}"
+
+nextcloud_admin_login: "admin"
+nextcloud_admin_password: ""
diff --git a/webapps/nextcloud/handlers/main.yml b/webapps/nextcloud/handlers/main.yml
new file mode 100644
index 00000000..2db4770d
--- /dev/null
+++ b/webapps/nextcloud/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: reload php-fpm
+  service:
+    name: php7.3-fpm
+    state: reloaded
+
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
diff --git a/webapps/nextcloud/meta/main.yml b/webapps/nextcloud/meta/main.yml
new file mode 100644
index 00000000..d5852e32
--- /dev/null
+++ b/webapps/nextcloud/meta/main.yml
@@ -0,0 +1,4 @@
+---
+# dependencies:
+  # - { role: nginx, when: nextcloud_webserver == 'nginx' }
+  # - { role: php, php_fpm_enable: True }
diff --git a/webapps/nextcloud/tasks/archive.yml b/webapps/nextcloud/tasks/archive.yml
new file mode 100644
index 00000000..d59bd582
--- /dev/null
+++ b/webapps/nextcloud/tasks/archive.yml
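Review bot: `nextcloud_data: "{{ nextcloud_webroot }}/data"` puts the data directory under the document root, while `tasks/user.yml` in the same commit creates `{{ nextcloud_home }}/data`, which is then never used. Setting `nextcloud_data: "{{ nextcloud_home }}/data"` makes the two agree and keeps user files outside the web root, so they no longer depend solely on the `deny all` rule for `/data/` in `nginx.conf.j2`. In `handlers/main.yml` the service name `php7.3-fpm` is hard-coded, as is `/etc/php/7.3/fpm/pool.d` in `tasks/vhost.yml`; a single default such as `nextcloud_php_version: "7.3"` used by both would keep them from drifting apart.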
@@ -0,0 +1,37 @@ +--- + +- name: Retrieve Nextcloud archive + get_url: + url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}" + dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}" + force: no + tags: + - nextcloud + +- name: Retrieve Nextcloud sha256 checksum + get_url: + url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256" + dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}.sha256" + force: no + tags: + - nextcloud + +- name: Verify Nextcloud sha256 checksum + command: "sha256sum -c {{ nextcloud_archive_name }}.sha256" + changed_when: "False" + args: + chdir: "{{ nextcloud_home }}" + tags: + - nextcloud + +- name: Extract Nextcloud archive + unarchive: + src: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}" + dest: "{{ nextcloud_home }}" + creates: "{{ nextcloud_home }}/nextcloud" + remote_src: True + mode: "0750" + owner: "{{ nextcloud_user }}" + group: "{{ nextcloud_user }}" + tags: + - nextcloud diff --git a/webapps/nextcloud/tasks/config.yml b/webapps/nextcloud/tasks/config.yml new file mode 100644 index 00000000..a4e3a3e7 --- /dev/null +++ b/webapps/nextcloud/tasks/config.yml 
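Review bot: The `.sha256` file is fetched from the same `nextcloud_releases_baseurl` as the archive, so `sha256sum -c` only catches a corrupt download; whoever can substitute the tarball can substitute the checksum with it. Pinning the expected digest in the role, e.g. `checksum: "sha256:{{ nextcloud_archive_sha256 }}"` on the first `get_url` with the value recorded out-of-band for each `nextcloud_version`, or verifying the detached GPG signature Nextcloud publishes next to the archive, gives an integrity check that does not depend on the download origin. `changed_when: "False"` is a quoted string where the sibling tasks in this commit write the bare boolean `changed_when: False`.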
@@ -0,0 +1,81 @@ +--- + +- block: + - name: Generate admin password + command: 'apg -n 1 -m 16 -M lcN' + register: nextcloud_admin_password_apg + check_mode: no + changed_when: False + + - debug: + var: nextcloud_admin_password_apg + + - set_fact: + nextcloud_admin_password: "{{ nextcloud_admin_password_apg.stdout }}" + + tags: + - nextcloud + when: nextcloud_admin_password == "" + +- name: Get Nextcloud Status + shell: "php ./occ status --output json | grep -v 'Nextcloud is not installed'" + args: + chdir: "{{ nextcloud_webroot }}" + become_user: "{{ nextcloud_user }}" + register: nc_status + check_mode: no + tags: + - nextcloud + +- name: Install Nextcloud + command: "php ./occ maintenance:install --database mysql --database-name {{ nextcloud_db_name | mandatory }} --database-user {{ nextcloud_db_user | mandatory }} --database-pass {{ nextcloud_db_pass | mandatory }} --admin-user {{ nextcloud_admin_login | mandatory }} --admin-pass {{ nextcloud_admin_password | mandatory }} --data-dir {{ nextcloud_data | mandatory }}" + args: + chdir: "{{ nextcloud_webroot }}" + creates: "{{ nextcloud_home }}/config/config.php" + become_user: "{{ nextcloud_user }}" + when: (nc_status.stdout | from_json).installed == false + tags: + - nextcloud + +- name: Configure Nextcloud Mysql password + replace: + dest: "{{ nextcloud_home }}/nextcloud/config/config.php" + regexp: "'dbpassword' => '([^']*)'," + replace: "'dbpassword' => '{{ nextcloud_db_pass }}'," + tags: + - nextcloud + +- name: Configure Nextcloud cron + cron: + name: 'Nextcloud' + minute: "*/5" + job: "php -f {{ nextcloud_webroot }}/cron.php" + user: "{{ nextcloud_user }}" + tags: + - nextcloud + +- name: Erase previously trusted domains config + command: "php ./occ config:system:set trusted_domains" + args: + chdir: "{{ nextcloud_webroot }}" + become_user: "{{ nextcloud_user }}" + tags: + - nextcloud + +- name: Configure trusted domains + command: "php ./occ config:system:set trusted_domains {{ item.0 }} --value {{ item.1 
}}" + args: + chdir: "{{ nextcloud_webroot }}" + with_indexed_items: + - "{{ nextcloud_domains }}" + become_user: "{{ nextcloud_user }}" + tags: + - nextcloud + +#- name: Configure memcache local to APCu +# command: "php ./occ config:system:set memcache.local --value '\\OC\\Memcache\\APCu'" +# args: +# chdir: "{{ nextcloud_webroot }}" +# become_user: "{{ nextcloud_user }}" +# tags: +# - nextcloud diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml new file mode 100644 index 00000000..2c525114 --- /dev/null +++ b/webapps/nextcloud/tasks/main.yml @@ -0,0 +1,31 @@ +--- +- name: Install dependencies + apt: + state: present + name: + - bzip2 + - php-gd + - php-json + - php-xml + - php-mbstring + - php-zip + - php-curl + - php-bz2 + - php-intl + - php-gmp + - php-apcu + - php-redis + - php-bcmath + - python-mysqldb + tags: + - nextcloud + +- include: user.yml + +- include: archive.yml + +- include: vhost.yml + +- include: mysql.yml + +- include: config.yml diff --git a/webapps/nextcloud/tasks/mysql.yml b/webapps/nextcloud/tasks/mysql.yml new file mode 100644 index 00000000..f2fcee32 --- /dev/null +++ b/webapps/nextcloud/tasks/mysql.yml 
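Review bot: The generated admin password is printed in clear by `- debug: var: nextcloud_admin_password_apg` (it has no `verbosity`, unlike the matching debug in `tasks/mysql.yml`), and the install `command` passes `--database-pass` and `--admin-pass` as arguments, so both secrets land in the play output, in any Ansible log and in the process list for the duration of the command; add `no_log: True` to the install task and to the `replace` task that writes `dbpassword`, and drop the debug or give it `verbosity: 1`. The guard `creates: "{{ nextcloud_home }}/config/config.php"` names a path nothing in this role creates — the `replace` task below edits `{{ nextcloud_home }}/nextcloud/config/config.php` — so only the `when:` on `nc_status` prevents a second `maintenance:install`; `creates: "{{ nextcloud_webroot }}/config/config.php"` matches the real location. `Erase previously trusted domains config` has no `changed_when`, so it reports a change on every run.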
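Review bot: `include:` for task files has been deprecated in favour of `import_tasks:`/`include_tasks:`; nothing here is conditional or looped, so `- import_tasks: user.yml` and the same for the other four files is a drop-in replacement. The `apt` task carries `tags: [nextcloud]` while the includes carry none, which is fine for static imports since the tags inside the imported files still apply.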
@@ -0,0 +1,62 @@ +--- +- name: Get actual Mysql password + shell: "grep password {{ nextcloud_home }}/.my.cnf | awk '{ print $3 }'" + register: nextcloud_db_pass_grep + check_mode: no + changed_when: False + failed_when: False + tags: + - nextcloud + +- name: Generate Mysql password + command: 'apg -n 1 -m 16 -M lcN' + register: nextcloud_db_pass_apg + check_mode: no + changed_when: False + tags: + - nextcloud + +- name: Set Mysql password + set_fact: + nextcloud_db_pass: "{{ nextcloud_db_pass_grep.stdout | default(nextcloud_db_pass_apg.stdout, True) }}" + tags: + - nextcloud + +- debug: + var: nextcloud_db_pass + verbosity: 1 + +- name: Create Mysql database + mysql_db: + name: "{{ nextcloud_db_name }}" + config_file: "/root/.my.cnf" + state: present + tags: + - nextcloud + +- name: Create Mysql user + mysql_user: + name: "{{ nextcloud_db_user }}" + password: '{{ nextcloud_db_pass }}' + priv: "{{ nextcloud_db_name }}.*:ALL" + config_file: "/root/.my.cnf" + update_password: always + state: present + tags: + - nextcloud + +- name: Store credentials in my.cnf + ini_file: + dest: "{{ nextcloud_home }}/.my.cnf" + owner: "{{ nextcloud_user }}" + group: "{{ nextcloud_user }}" + mode: "0600" + section: client + option: "{{ item.option }}" + value: "{{ item.value }}" + with_items: + - { option: "user", value: "{{ nextcloud_db_user }}" } + - { option: "database", value: "{{ nextcloud_db_name }}" } + - { option: "password", value: "{{ nextcloud_db_pass }}" } + tags: + - nextcloud diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml new file mode 100644 index 00000000..07d5a31a --- /dev/null +++ b/webapps/nextcloud/tasks/user.yml 
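Review bot: Every task that handles `nextcloud_db_pass` logs its arguments by default — `set_fact`, `mysql_user` with `password: '{{ nextcloud_db_pass }}'`, and the `ini_file` loop whose `with_items` prints each `item` including `{ option: "password", … }`; add `no_log: True` to those three tasks. The `debug` task restricts itself to `verbosity: 1`, but `-v` is a common default in CI and still reveals the secret, so it is better dropped. The first task's `shell: "grep password … | awk '{ print $3 }'"` relies on the `key = value` layout that `ini_file` writes; a comment saying so (`# .my.cnf is written by the ini_file task below`) would make the coupling visible.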
@@ -0,0 +1,38 @@
+---
+- name: Create Nextcloud group
+  group:
+    name: "{{ nextcloud_instance_name | mandatory }}"
+    state: present
+  tags:
+    - nextcloud
+
+- name: Create Nextcloud user
+  user:
+    name: "{{ nextcloud_user | mandatory }}"
+    group: "{{ nextcloud_user }}"
+    home: "{{ nextcloud_home | mandatory }}"
+    shell: '/bin/bash'
+    createhome: True
+    state: present
+  tags:
+    - nextcloud
+
+- name: Add the user 'www-data' to Nextcloud group
+  user:
+    name: www-data
+    groups: "{{ nextcloud_user | mandatory }}"
+    append: yes
+
+- name: Create top-level directories
+  file:
+    dest: "{{ item }}"
+    state: directory
+    mode: "0770"
+    owner: "{{ nextcloud_user }}"
+    group: "{{ nextcloud_user }}"
+  with_items:
+    - "{{ nextcloud_home }}/log"
+    - "{{ nextcloud_home }}/tmp"
+    - "{{ nextcloud_home }}/data"
+  tags:
+    - nextcloud
diff --git a/webapps/nextcloud/tasks/vhost.yml b/webapps/nextcloud/tasks/vhost.yml
new file mode 100644
index 00000000..1f1592cc
--- /dev/null
+++ b/webapps/nextcloud/tasks/vhost.yml
@@ -0,0 +1,34 @@
+---
+- block:
+    - name: Copy Nginx vhost
+      template:
+        src: nginx.conf.j2
+        dest: "/etc/nginx/sites-available/{{ nextcloud_instance_name }}.conf"
+        mode: "0640"
+      notify: reload nginx
+      tags:
+        - nextcloud
+
+    - name: Enable Nginx vhost
+      file:
+        src: "/etc/nginx/sites-available/{{ nextcloud_instance_name }}.conf"
+        dest: "/etc/nginx/sites-enabled/{{ nextcloud_instance_name }}.conf"
+        state: link
+      notify: reload nginx
+      tags:
+        - nextcloud
+
+    - name: Generate ssl config
+      shell:
+        cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}"
+        creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf"
+
+    - name: Copy PHP-FPM pool
+      template:
+        src: php-fpm.conf.j2
+        dest: "/etc/php/7.3/fpm/pool.d/{{ nextcloud_instance_name }}.conf"
+        mode: "0640"
+      notify: reload php-fpm
+      tags:
+        - nextcloud
+  when: nextcloud_webserver == 'nginx'
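Review bot: `Add the user 'www-data' to Nextcloud group` is the only task in this file without `tags: [nextcloud]`, so a run limited with `--tags nextcloud` skips it, and whatever depends on `www-data` being in the group — the `0770` directories created by the next task and the FPM socket owned by `{{ nextcloud_user }}` in `php-fpm.conf.j2` — does not work on that run; `Generate ssl config` in `tasks/vhost.yml` (same commit) has the same gap. `append: yes` would read more consistently as `append: true` next to the `True`/`False` booleans used elsewhere in the role. The `{{ nextcloud_home }}/data` directory created here is not what `nextcloud_data` points at in the defaults (`{{ nextcloud_webroot }}/data`), so one of the two should change.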
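Review bot: The pipeline in `shell: cmd: "/usr/local/sbin/vhost-domains … | /usr/local/sbin/make-csr …"` reports only the exit status of `make-csr`, so a failing `vhost-domains` leaves `make-csr` running on empty input and the task still succeeds; add `executable: /bin/bash` and prefix the command with `set -o pipefail;` so the pipeline fails as a whole. The `creates:` guard keeps the task idempotent either way. Note that `reload nginx` is notified by the vhost tasks before the ssl config exists; since handlers run at the end of the play this works, but it is worth a comment on the `Generate ssl config` task.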
diff --git a/webapps/nextcloud/templates/nginx.conf.j2 b/webapps/nextcloud/templates/nginx.conf.j2 new file mode 100644 index 00000000..ffb72f01 --- /dev/null +++ b/webapps/nextcloud/templates/nginx.conf.j2 
@@ -0,0 +1,134 @@ +upstream php-handler-{{ nextcloud_instance_name }} { + server unix:/var/run/php/php-fpm-{{ nextcloud_instance_name }}.sock; +} + +server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ nextcloud_domains | join(' ') }}; + + access_log {{ nextcloud_home }}/log/access.log; + error_log {{ nextcloud_home }}/log/error.log; + + include /etc/nginx/snippets/letsencrypt.conf; + include /etc/nginx/ssl/{{ nextcloud_instance_name }}.conf; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + root {{ nextcloud_webroot }}; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. 
+ rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /.well-known/carddav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php-handler-{{ nextcloud_instance_name }}; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ 
^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } +} diff --git a/webapps/nextcloud/templates/php-fpm.conf.j2 b/webapps/nextcloud/templates/php-fpm.conf.j2 new file mode 100644 index 00000000..1b4c7861 --- /dev/null +++ b/webapps/nextcloud/templates/php-fpm.conf.j2 
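Review bot: The single `server` block listens on both `80` and `443 ssl http2` yet sets `fastcgi_param HTTPS on;` unconditionally and never redirects, so a plain-HTTP request is passed to PHP as if it were TLS (Nextcloud will presumably treat the session as secure) while clear-text access to the instance stays open. Splitting the port-80 listener into its own server that keeps the ACME include and answers with a 301 to HTTPS is the conventional fix; the rewritten head of the template is below, the TLS server body is unchanged. The comments `Uncomment it if you're planning to use this app` above the `.well-known/host-meta` and `webfinger` rewrites no longer match, since those rules are active here. With HTTP redirected, the commented `Strict-Transport-Security` header (without `preload`, as its own warning says) becomes worth enabling.

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name {{ nextcloud_domains | join(' ') }};

    include /etc/nginx/snippets/letsencrypt.conf;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name {{ nextcloud_domains | join(' ') }};
    # … unchanged: logs, ssl include, headers, root and all location blocks …
}
```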
@@ -0,0 +1,17 @@
+[{{ nextcloud_instance_name }}]
+user = {{ nextcloud_user }}
+group = {{ nextcloud_user }}
+listen = /run/php/php-fpm-{{ nextcloud_instance_name }}.sock
+listen.owner = {{ nextcloud_user }}
+listen.group = {{ nextcloud_user }}
+
+pm = ondemand
+pm.max_children = 50
+pm.process_idle_timeout = 120s
+pm.status_path = /fpm_status
+
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = {{ nextcloud_home }}/tmp
+env[TMPDIR] = {{ nextcloud_home }}/tmp
+env[TEMP] = {{ nextcloud_home }}/tmp
From 9bb7379e329f00c58e5c18a5b656e66bb8b19d85 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 15 Oct 2020 11:20:22 +0200
Subject: [PATCH 06/48] filebeat: add logstash output variables

---
 filebeat/defaults/main.yml                 |  6 +++++
 filebeat/templates/filebeat.default.yml.j2 | 27 ++++++++++++++--------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/filebeat/defaults/main.yml b/filebeat/defaults/main.yml
index cd92eb3c..322aba46 100644
--- a/filebeat/defaults/main.yml
+++ b/filebeat/defaults/main.yml
@@ -12,6 +12,12 @@ filebeat_elasticsearch_auth_api_key: ""
 filebeat_elasticsearch_auth_username: ""
 filebeat_elasticsearch_auth_password: ""
 
+filebeat_logstash_hosts: []
+filebeat_logstash_protocol: "http"
+filebeat_logstash_auth_api_key: ""
+filebeat_logstash_auth_username: ""
+filebeat_logstash_auth_password: ""
+
 filebeat_use_config_template: False
 filebeat_update_config: True
 filebeat_force_config: True
diff --git a/filebeat/templates/filebeat.default.yml.j2 b/filebeat/templates/filebeat.default.yml.j2
index 65a15fd1..a0a0c0d4 100644
--- a/filebeat/templates/filebeat.default.yml.j2
+++ b/filebeat/templates/filebeat.default.yml.j2
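Review bot: The new `filebeat_logstash_protocol`, `filebeat_logstash_auth_api_key`, `filebeat_logstash_auth_username` and `filebeat_logstash_auth_password` defaults are mirrored from the Elasticsearch output, but as far as I know Filebeat's `output.logstash` has no `protocol`, `api_key`, `username` or `password` settings — it speaks the Beats protocol to Logstash and secures it through `ssl.*` options — so the template hunk in `filebeat.default.yml.j2` later in this commit renders settings that output will reject or silently ignore. Keeping `filebeat_logstash_hosts: []` here and, if needed, variables for the `ssl` section would match the output's real options. A short comment above the block (`# output.logstash has no protocol/auth keys; see ssl settings`) would stop the next reader from mirroring the Elasticsearch block again.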
@@ -143,15 +143,11 @@ setup.kibana: # Configure what output to use when sending the data collected by the beat. +{% if filebeat_elasticsearch_hosts %} # ---------------------------- Elasticsearch Output ---------------------------- output.elasticsearch: - # Array of hosts to connect to. hosts: ["{{ filebeat_elasticsearch_hosts | join('", "') }}"] - - # Protocol - either `http` (default) or `https`. protocol: "{{ filebeat_elasticsearch_protocol | default('http') }}" - - # Authentication credentials - either API key or username/password. {% if filebeat_elasticsearch_auth_api_key %} api_key: "{{ filebeat_elasticsearch_auth_api_key }}" {% endif %} @@ -161,11 +157,22 @@ output.elasticsearch: {% if filebeat_elasticsearch_auth_password %} password: "{{ filebeat_elasticsearch_auth_password }}" {% endif %} - -# ------------------------------ Logstash Output ------------------------------- -#output.logstash: - # The Logstash hosts - #hosts: ["localhost:5044"] +{% endif %} +{% if filebeat_logstash_hosts %} +# ---------------------------- Logstash Output --------------------------------- +output.logstash: + hosts: ["{{ filebeat_logstash_hosts | join('", "') }}"] + protocol: "{{ filebeat_logstash_protocol | default('http') }}" +{% if filebeat_logstash_auth_api_key %} + api_key: "{{ filebeat_logstash_auth_api_key }}" +{% endif %} +{% if filebeat_logstash_auth_username %} + username: "{{ filebeat_logstash_auth_username }}" +{% endif %} +{% if filebeat_logstash_auth_password %} + password: "{{ filebeat_logstash_auth_password }}" +{% endif %} +{% endif %} # Optional SSL. By default is off. # List of root certificates for HTTPS server verifications From 45835d334915f78bb5e15c289006c69d2d6c027d Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 16 Oct 2020 15:25:49 +0200 Subject: [PATCH 07/48] nextcloud: Install version 20 instead of 19 --- webapps/nextcloud/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
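Review bot: The two `{% if %}` blocks are independent, so when both `filebeat_elasticsearch_hosts` and `filebeat_logstash_hosts` are non-empty the rendered file contains `output.elasticsearch` and `output.logstash` side by side, and Filebeat, as far as I recall, refuses to start with more than one output configured. Turning the second block into `{% elif filebeat_logstash_hosts %}` with a single closing `{% endif %}` gives Elasticsearch precedence and rules that out. The opposite case — both lists empty — now renders no output at all, which the previous template avoided by always emitting `output.elasticsearch`; an assertion in the role's tasks or a note in the defaults would make that explicit.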
diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml
index 0048ca69..cb8b70a0 100644
--- a/webapps/nextcloud/defaults/main.yml
+++ b/webapps/nextcloud/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 nextcloud_webserver: 'nginx'
-nextcloud_version: "19.0.0"
+nextcloud_version: "20.0.0"
 nextcloud_archive_name: "nextcloud-{{ nextcloud_version }}.tar.bz2"
 nextcloud_releases_baseurl: "https://download.nextcloud.com/server/releases/"
 
From 995cb6d9a2308675ebeef8c534284d08294b6df6 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Fri, 16 Oct 2020 15:33:52 +0200
Subject: [PATCH 08/48] dovecot: Update munin plugin & configure it

---
 dovecot/files/munin_config |  2 ++
 dovecot/files/munin_plugin | 22 ++++++++++++----------
 dovecot/tasks/munin.yml    |  8 +++++---
 3 files changed, 19 insertions(+), 13 deletions(-)
 create mode 100644 dovecot/files/munin_config

diff --git a/dovecot/files/munin_config b/dovecot/files/munin_config
new file mode 100644
index 00000000..1a0553d8
--- /dev/null
+++ b/dovecot/files/munin_config
@@ -0,0 +1,2 @@
+[dovecot]
+group adm
diff --git a/dovecot/files/munin_plugin b/dovecot/files/munin_plugin
index e5a6d1d1..f12c2b04 100755
--- a/dovecot/files/munin_plugin
+++ b/dovecot/files/munin_plugin
@@ -2,21 +2,22 @@
 #
 # Munin Plugin
 # to count logins to your dovecot mailserver
-# 
+#
 # Created by Dominik Schulz
 # http://developer.gauner.org/munin/
 # Contributions by:
 # - Stephane Enten
 # - Steve Schnepp
-# 
+# - pcy (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
+#
 # Parameters understood:
 #
 # config (required)
 # autoconf (optional - used by munin-config)
-# 
+#
 # Config variables:
 #
-# logfile - Where to find the syslog file 
+# logfile - Where to find the syslog file
 #
 # Add the following line to a file in /etc/munin/plugin-conf.d:
 # env.logfile /var/log/your/logfile.log
@@ -34,13 +35,13 @@ LOGFILE=${logfile:-/var/log/mail.log} ###################### if [ "$1" = "autoconf" ]; then - echo yes + [ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)" exit 0 fi if [ "$1" = "config" ]; then echo 'graph_title Dovecot Logins' - echo 'graph_category Mail' + echo 'graph_category mail' echo 'graph_args --base 1000 -l 0' echo 'graph_vlabel Login Counters' @@ -53,6 +54,7 @@ if [ "$1" = "config" ]; then done echo 'connected.label Connected Users' + echo "connected.type DERIVE" exit 0 fi @@ -86,7 +88,7 @@ echo -n echo -en "login_tls.value " VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE) if [ ! -z "$VALUE" ]; then - echo "$VALUE" + echo "$VALUE" else echo "0" fi @@ -97,7 +99,7 @@ echo -n echo -en "login_ssl.value " VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE) if [ ! -z "$VALUE" ]; then - echo "$VALUE" + echo "$VALUE" else echo "0" fi @@ -108,7 +110,7 @@ echo -n echo -en "login_imap.value " VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE) if [ ! -z "$VALUE" ]; then - echo "$VALUE" + echo "$VALUE" else echo "0" fi @@ -119,7 +121,7 @@ echo -n echo -en "login_pop3.value " VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE) if [ ! -z "$VALUE" ]; then - echo "$VALUE" + echo "$VALUE" else echo "0" fi diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml index 21d17519..c6b58d28 100644 --- a/dovecot/tasks/munin.yml +++ b/dovecot/tasks/munin.yml @@ -14,8 +14,10 @@ dest: /etc/munin/plugins/dovecot mode: "0755" -# TODO : add in /etc/munin/plugin-conf.d/munin-node -# [dovecot] -# group adm + - name: Install munin config + copy: + src: munin_config + dest: /etc/munin/plugin-conf.d/dovecot + mode: "0644" when: munin_node_plugins_config.stat.exists From d33b4baef159df18ecf8bfca7add484a29d7a454 Mon Sep 17 00:00:00 2001 
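Review bot: The new "Install munin config" task has no `notify`, so the `[dovecot] group adm` setting written to `/etc/munin/plugin-conf.d/dovecot` only takes effect once munin-node is restarted by other means; until then the plugin still runs without the `adm` group and, on a default Debian install where `/var/log/mail.log` is `root:adm 0640`, its `egrep` calls cannot read the log and every counter reports 0. Add a `notify` to whichever munin-node restart handler this repository already defines (the handler name is not visible here). The trailing `when: munin_node_plugins_config.stat.exists` appears to belong to an enclosing block that starts before the hunk; worth confirming the new task is inside that block and not parsed as a sibling key.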
From: Mathieu Trossevin Date: Mon, 19 Oct 2020 14:16:53 +0200 Subject: [PATCH 09/48] Make container restart an handler --- lxc-php/handlers/main.yml | 6 ++++++ lxc-php/tasks/misc.yml | 7 +------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index 06953b4f..b8322e94 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml @@ -18,3 +18,9 @@ lxc_container: name: "{{ lxc_php_version }}" container_command: "systemctl restart opensmtpd" + +- name: Restart container + lxc_container: + name: "{{ lxc_php_version }}" + state: restarted + diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index 582c4170..4bd5728e 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml @@ -29,10 +29,5 @@ container_config: - "lxc.mount.entry = /var/run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0" when: php_conf_mysql_socket_dir is string - register: added_mysql_socket + notify: Restart container -- name: "{{ lxc_php_version }} - Restart container as configuration changed" - lxc_container: - name: "{{ lxc_php_version }}" - state: restarted - when: added_mysql_socket.changed From d80461e39a128a3598a460662192db632b0289e0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 19 Oct 2020 16:03:58 +0200 Subject: [PATCH 10/48] redis: variable to force use of port 6379 in instances mode --- CHANGELOG.md | 1 + redis/defaults/main.yml | 2 ++ redis/tasks/instance-server.yml | 1 + 3 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b83ea994..ef8a7c7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * nextcloud: New role to setup a nextcloud instance +* redis: variable to force use of port 6379 in instances mode ### Changed diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index 6fc0b4c3..5cd311ce 100644 --- a/redis/defaults/main.yml 
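Review bot: `php_conf_mysql_socket_dir | replace('/', '', 1)` removes the first `/` wherever it occurs, not only a leading one, so a value such as `var/run/mysqld` would become `varrun/mysqld`; `regex_replace('^/', '')` says what is meant: `- "lxc.mount.entry = /var/run/mysqld {{ php_conf_mysql_socket_dir | regex_replace('^/', '') }} none bind,create=dir 0 0"`. Moving the restart into a handler also means the new mount becomes visible inside the container only when handlers run (end of play or an explicit `meta: flush_handlers`), so any later task in this role that expects the socket to be reachable needs a flush first. When the variable is later unset the entry already written to the container config is not removed by this task, which may be worth a comment. The task starts before the hunk.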
+++ b/redis/defaults/main.yml @@ -3,6 +3,8 @@ redis_systemd_name: redis-server redis_conf_dir_prefix: /etc/redis +redis_force_instance_port: False + redis_port: 6379 redis_bind_interface: 127.0.0.1 diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml index 6437567c..5f4b2601 100644 --- a/redis/tasks/instance-server.yml +++ b/redis/tasks/instance-server.yml @@ -5,6 +5,7 @@ that: - redis_port != 6379 msg: "If you want to use port 6379, use the default instance, not a named instance." + when: not redis_force_instance_port - name: "Instance '{{ redis_instance_name }}' group is present" group: From d7aed91043062a3a9ffe3f4e4b7a258f988f0d8d Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Mon, 19 Oct 2020 17:33:58 +0200 Subject: [PATCH 11/48] packweb-multiphp: Change default configuration for compatibility /var/run is now /run (and it is what is used in the .service file) Have a default directory configured as bind target so things works by default --- lxc-php/defaults/main.yml | 2 +- lxc-php/tasks/misc.yml | 4 ++-- mysql-oracle/files/evolinux-defaults.cnf | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index a76e1a5b..69ef9380 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -8,7 +8,7 @@ php_conf_allow_url_fopen: "Off" php_conf_disable_functions: "exec,shell-exec,system,passthru,popen" # Allows accessing a local mysql database using localhost -php_conf_mysql_socket_dir: Null +php_conf_mysql_socket_dir: /mysqld php_conf_mysql_default_socket: "{{ php_conf_mysql_socket_dir }}/mysqld.sock" lxc_php_version: Null diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index 4bd5728e..3b6164d0 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml 
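Review bot: `when: not redis_force_instance_port` disables the only guard against a named instance binding the same port as the default instance, and nothing else in the hunk checks that the default instance is absent or bound elsewhere. A comment above `redis_force_instance_port: False` in `redis/defaults/main.yml` (same commit), e.g. `# Skip the port != 6379 assertion for named instances; the operator must ensure the default instance does not use that port`, would make the trade-off explicit. `False` is the YAML 1.1 capitalised spelling; `false` is the canonical form. The assert task starts before the hunk.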
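Review bot: Changing the default from `Null` to `/mysqld` turns the MySQL socket bind-mount from opt-in into always-on: the `when: php_conf_mysql_socket_dir is string` guard in `lxc-php/tasks/misc.yml` is now true by default, so every existing PHP container gets the host's `/run/mysqld` mounted and is restarted on the next run. That behaviour change deserves a sentence in the comment above the variable, e.g. `# Directory inside the container where the host's MySQL socket dir is bind-mounted; set to null to disable (the container is restarted when the mount is added)`. `Null` here and on the `lxc_php_version` line is the YAML 1.1 spelling; `null` is canonical.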
@@ -27,7 +27,7 @@ lxc_container: name: "{{ lxc_php_version }}" container_config: - - "lxc.mount.entry = /var/run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0" + - "lxc.mount.entry = /run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0" when: php_conf_mysql_socket_dir is string - notify: Restart container + notify: "Restart container" diff --git a/mysql-oracle/files/evolinux-defaults.cnf b/mysql-oracle/files/evolinux-defaults.cnf index 395ccac4..0b4b017b 100644 --- a/mysql-oracle/files/evolinux-defaults.cnf +++ b/mysql-oracle/files/evolinux-defaults.cnf @@ -1,6 +1,8 @@ [mysqld] ###### Connexions +# Path to socket +socket = /run/mysqld/mysqld.sock # Maximum de connexions concurrentes (defaut = 100)... provoque un "Too many connections" max_connections = 250 # Maximum de connexions en attente en cas de max_connections atteint (defaut = 50) From 9e5d041210a8138809618a376e1ca5cd5f33e0ec Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 16 Oct 2020 15:35:13 +0200 Subject: [PATCH 12/48] dovecot: Update munin plugin & configure it --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ef8a7c7d..1bff9a4d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added +* dovecot: Update munin plugin & configure it * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode From c8d4da532f619da1a6b2aa76f27d7c0ad6d4254b Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 20 Oct 2020 10:58:51 +0200 Subject: [PATCH 13/48] evoacme: Don't ignore hooks with . in the name (ignore when it's ".disable") --- CHANGELOG.md | 2 ++ evoacme/files/evoacme.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1bff9a4d..07f1e37f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
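Review bot: The bind mount now sources `/run/mysqld`, which must exist on the host when the container starts; as far as I recall LXC refuses to start a container whose `lxc.mount.entry` source is missing, and with the default directory now set in `defaults/main.yml` this task is no longer opt-in, so a PHP host without MySQL (or with a different socket directory) could end up with a container that does not start. Consider guarding the task with a `stat` of `/run/mysqld` and a `when: ... and mysqld_run_dir.stat.exists`, or document that the mysql role must have run first. The task starts before the hunk.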
@@ -18,6 +18,8 @@ The **patch** part changes incrementally at each release. ### Changed +* evoacme: Don't ignore hooks with . in the name (ignore when it's ".disable") + ### Fixed ### Removed diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index e8330748..6db0cab7 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -287,7 +287,7 @@ main() { # search for files in hooks directory for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do # keep only executables files, not containing a "." - if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF "."); then + if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then debug "Executing ${hook}" ${hook} fi From 2ea4745f93b3ad705d2e66172d34c621689f6ae9 Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Tue, 20 Oct 2020 17:27:34 +0200 Subject: [PATCH 14/48] lxc-php: Update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b83ea994..5a872e86 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * nextcloud: New role to setup a nextcloud instance +* lxc-php: Allow php containers to contact local MySQL with localhost ### Changed From 6b89fa18cb5b61a50855575d51e9ce8bf964ff19 Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Fri, 23 Oct 2020 13:03:23 +0200 Subject: [PATCH 15/48] mysql-oracle: Update clients' conf to match server's The socket path was changed in the server configuration, update the client configuration to match so as not to break anything. --- mysql-oracle/files/evolinux-defaults.cnf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mysql-oracle/files/evolinux-defaults.cnf b/mysql-oracle/files/evolinux-defaults.cnf index 0b4b017b..c42ed727 100644 --- a/mysql-oracle/files/evolinux-defaults.cnf +++ b/mysql-oracle/files/evolinux-defaults.cnf 
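Review bot: The comment on the line above the changed condition still says `not containing a "."`, which no longer describes the code now that only `.disable` is excluded; change it to `# keep only executable files whose name does not contain ".disable"`. Note that `grep -vqF ".disable"` also skips names such as `foo.disabled` or `my.disable.sh`; if the intent is a suffix, `grep -vqE '\.disable$'` is tighter. `main()` starts before the hunk.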
@@ -62,3 +62,6 @@ character-set-server=utf8 collation-server=utf8_general_ci # Patch MySQL 5.5.53 secure-file-priv = "" + +[client] +socket = /run/mysqld/mysqld.sock From 4de33e41b5f85ec391be2706c8f8479df8d311bf Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 29 Oct 2020 10:41:21 +0100 Subject: [PATCH 16/48] mysql: fix typo in restart handler --- mysql/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 87a7613a..0ac28412 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml @@ -22,4 +22,4 @@ - name: 'restart xinetd' service: name: 'xinetd' - state: 'restart' + state: 'restarted From 7a37167e2009b28ad6b2413fbfd5220db2c736eb Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 29 Oct 2020 10:42:57 +0100 Subject: [PATCH 17/48] mysql: fix typo in restart handler --- mysql/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 0ac28412..80afafe5 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml @@ -22,4 +22,4 @@ - name: 'restart xinetd' service: name: 'xinetd' - state: 'restarted + state: 'restarted' From 15154169cfa32be5198f1b2c6e6fff6fe9b99f42 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 30 Oct 2020 11:56:24 +0100 Subject: [PATCH 18/48] kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) --- CHANGELOG.md | 1 + kvm-host/defaults/main.yml | 1 + kvm-host/meta/main.yml | 8 ++++---- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c309ba50..1130398e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * dovecot: Update munin plugin & configure it +* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode * lxc-php: Allow php containers to contact local MySQL with localhost diff --git a/kvm-host/defaults/main.yml b/kvm-host/defaults/main.yml index 4c77a2ff..bb97c0f9 100644 --- a/kvm-host/defaults/main.yml +++ b/kvm-host/defaults/main.yml @@ -1,2 +1,3 @@ --- kvm_custom_libvirt_images_path: '' +kvm_install_drbd: True diff --git a/kvm-host/meta/main.yml b/kvm-host/meta/main.yml index 1d6d1c36..0976cf88 100644 --- a/kvm-host/meta/main.yml +++ b/kvm-host/meta/main.yml @@ -12,8 +12,8 @@ galaxy_info: - name: Debian versions: - jessie + - stretch + - buster -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. +dependencies: + - { role: evolix/drbd, when: kvm_install_drbd } From 6c202dcf4fc2691362bd1748f4361df225dfb37f Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 6 Nov 2020 16:26:31 +0100 Subject: [PATCH 19/48] Check that ansible_distribution_major_version is defined in sudo task This variable does not exist when run on OpenBSD servers, making the ansible playbook to exit in a fatal state. --- evolinux-users/tasks/sudo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 2f2ee07c..6f127da8 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -4,6 +4,6 @@ when: ansible_distribution_release == "jessie" - include: sudo_stretch.yml - when: ansible_distribution_major_version is version('9', '>=') + when: ansible_distribution_major_version is defined and ansible_distribution_major_version is version('9', '>=') - meta: flush_handlers 
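Review bot: `kvm_install_drbd: True` in `kvm-host/defaults/main.yml` (same commit) uses the YAML 1.1 capitalised boolean; `true` is the canonical spelling and what yamllint's `truthy` rule expects. In `meta/main.yml`, the `when:` on a role dependency is evaluated when the role is loaded, so the variable must come from inventory, group/host vars or defaults rather than from a `set_fact` in a task; a short comment next to the dependency saying so would save a debugging round. The flow-style `{ role: evolix/drbd, when: kvm_install_drbd }` could be written in block style to match the rest of the file.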
From b43d0f3629d4ea1030b3437743309435edafef13 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 19 Nov 2020 21:21:07 +0100 Subject: [PATCH 20/48] evoacme: upstream release 20.11 --- CHANGELOG.md | 2 +- evoacme/files/evoacme.sh | 8 +++++++- evoacme/files/make-csr.sh | 2 +- evoacme/files/vhost-domains.sh | 2 +- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1130398e..9e0c9370 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,7 +20,7 @@ The **patch** part changes incrementally at each release. ### Changed -* evoacme: Don't ignore hooks with . in the name (ignore when it's ".disable") +* evoacme: upstream release 20.11 ### Fixed diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 6db0cab7..431b8162 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -284,13 +284,19 @@ main() { export EVOACME_CHAIN="${LIVE_CHAIN}" export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}" + # emulate certbot hooks environment variables + export RENEWED_LINEAGE="${LIVE_CHAIN}" + export RENEWED_DOMAINS="${VHOST}" + # search for files in hooks directory for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do + set +e # keep only executables files, not containing a "." if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then debug "Executing ${hook}" ${hook} fi + set -e done } @@ -303,7 +309,7 @@ readonly QUIET=${QUIET:-"0"} readonly TEST=${TEST:-"0"} readonly DRY_RUN=${DRY_RUN:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.11" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 372c58fc..78512e3a 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
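Review bot: With `set +e` around `${hook}`, a hook that exits non-zero is now silently ignored: nothing logs the failure and the run still ends successfully even if, for example, a service reload hook failed. Capture the status and at least log it, e.g. `${hook} || debug "Hook ${hook} exited with status $?"` (or a warning-level helper if the script has one), so that a broken hook is visible to operators. `RENEWED_LINEAGE` is documented by certbot as the lineage directory rather than a chain file, so `${LIVE_CHAIN}` looks wrong here — confirm (a later commit in this series changes it to `${LIVE_DIR}`). `main()` starts before the hunk.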
@@ -265,7 +265,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.11" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh index 41b065b6..f20e5dba 100755 --- a/evoacme/files/vhost-domains.sh +++ b/evoacme/files/vhost-domains.sh @@ -170,7 +170,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.11" readonly SRV_IP=${SRV_IP:-""} From 592030ee9a6c75882adece8127828af987f09caa Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 21 Nov 2020 09:59:10 +0100 Subject: [PATCH 21/48] evoacme: variable to disable Debian version check (default: False) --- CHANGELOG.md | 1 + evoacme/defaults/main.yml | 2 ++ evoacme/tasks/main.yml | 1 + 3 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e0c9370..fcb3cec5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * dovecot: Update munin plugin & configure it +* evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode diff --git a/evoacme/defaults/main.yml b/evoacme/defaults/main.yml index e54ef2fc..ef16ee78 100644 --- a/evoacme/defaults/main.yml +++ b/evoacme/defaults/main.yml @@ -14,3 +14,5 @@ evoacme_ssl_loc: 'Marseille' evoacme_ssl_org: 'Evolix' evoacme_ssl_ou: 'Security' evoacme_ssl_email: 'security@evolix.net' + +evoacme_disable_debian_check: False diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index bd8cc055..4c71d90e 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml 
@@ -6,6 +6,7 @@ - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '>=') msg: only compatible with Debian >= 9 + when: not evoacme_disable_debian_check - include: certbot.yml From 1d8b7c3bea565b78f1c831e9812140e543854a6e Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 24 Nov 2020 11:19:18 +0100 Subject: [PATCH 22/48] apt: disable APT Periodic This interfere with our usual workflow (listupgrade) Note : Using 0 instead of false is intentional, The value is used by the apt-daily script that except a "0" to disable itself. --- CHANGELOG.md | 1 + apt/tasks/config.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fcb3cec5..c0427b2f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes incrementally at each release. ### Changed +* apt: disable APT Periodic * evoacme: upstream release 20.11 ### Fixed diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 988aac7a..48892b9e 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -11,6 +11,7 @@ with_items: - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } + - { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' } when: apt_evolinux_config tags: - apt From 86d59cbb5fda0cbc36f20e1b04a07b1c8c464e32 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Nov 2020 13:58:59 +0100 Subject: [PATCH 23/48] mysql: install save_mysql_processlist script --- CHANGELOG.md | 1 + mysql/files/save_mysql_processlist.sh | 25 +++++++++++++++++++++++++ mysql/tasks/utils.yml | 9 +++++++++ 3 files changed, 35 insertions(+) create mode 100644 mysql/files/save_mysql_processlist.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index c0427b2f..fb0b5a7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
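Review bot: `when: not evoacme_disable_debian_check` skips the assertion, but nothing documents what an operator takes on by disabling it: this commit changes only the assert, so the rest of the role (`certbot.yml` and following) is not made distribution-agnostic. A comment above `evoacme_disable_debian_check: False` in `evoacme/defaults/main.yml` (same commit) such as `# Skip the "Debian >= 9" assertion; the remaining tasks are still written for Debian` would make that clear, and `false` is the canonical spelling of the boolean. The assert task starts before the hunk.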
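Review bot: The commit message explains why the value is the string `"0"` rather than a boolean, but that reasoning is not in the file, where the next maintainer will read it; add it as a comment on the new item, e.g. `# "0" (not "false"): /usr/lib/apt/apt.systemd.daily checks for the literal 0 to disable itself`. Since apt reads `apt.conf.d` fragments in lexical order and later definitions of the same key win, it is worth confirming that the file this task writes to (its `dest` is outside the hunk) is not followed by a fragment setting `APT::Periodic::Enable` back to `"1"`. The task starts before the hunk.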
@@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * dovecot: Update munin plugin & configure it * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) +* mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode * lxc-php: Allow php containers to contact local MySQL with localhost diff --git a/mysql/files/save_mysql_processlist.sh b/mysql/files/save_mysql_processlist.sh new file mode 100644 index 00000000..95abc57d --- /dev/null +++ b/mysql/files/save_mysql_processlist.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +set -e + +processlist() { + mysqladmin --verbose --vertical processlist +} + +DIR="/var/log/mysql-processlist" +TS=`date +%Y%m%d%H%M%S` +FILE="${DIR}/${TS}" + +if [ ! -d "${DIR}" ]; then + mkdir -p "${DIR}" + chown root:adm "${DIR}" + chmod 750 "${DIR}" +fi + +processlist > "${FILE}" +chmod 640 "${FILE}" +chown root:adm "${FILE}" + +find "${DIR}" -type f -mtime +1 -delete + +exit 0 diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 7609a81e..164507aa 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -178,3 +178,12 @@ tags: - mysql - packages + +- name: "Install save_mysql_processlist.sh" + copy: + src: save_mysql_processlist.sh + dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/save_mysql_processlist.sh" + mode: "0755" + force: no + tags: + - mysql From aa62555e9ebd6750ad2e08d474b8119f51407a95 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 27 Nov 2020 11:07:18 +0100 Subject: [PATCH 24/48] Fix name file preference for PGDG repository --- postgresql/tasks/pgdg-repo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index dcc63d6f..978b2b9f 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml 
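Review bot: `processlist > "${FILE}"` creates the file with the process umask (typically 022, i.e. 0644) and the `chmod 640`/`chown root:adm` only run afterwards; the processlist output contains full query text, so there is a window where it is world-readable, and if `mysqladmin` fails `set -e` aborts before the chmod and leaves the partial file at 0644. Putting `umask 027` right after `set -e` closes both gaps for the file and the directory. `TS=$(date +%Y%m%d%H%M%S)` is the modern form of the backtick substitution. `mysqladmin` is called without credentials, so the script relies on the invoking user's `~/.my.cnf` or socket authentication; a header comment saying it is meant to run as root from cron would make that explicit (no cron entry is part of this commit).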
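Review bot: `force: no` means the script is copied only when absent, so later changes to `save_mysql_processlist.sh` in this role will never reach hosts that already have it; if that is intended (locally edited scripts), say so in a comment, otherwise drop `force: no` so the file stays in sync. `no` is also the YAML 1.1 boolean spelling; `false` is clearer. In `{{ mysql_scripts_dir or general_scripts_dir | mandatory }}` the filter binds tighter than `or`, so `mandatory` applies only to `general_scripts_dir`, which is presumably what is wanted but worth a glance.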
@@ -21,5 +21,5 @@ - name: Add APT preference file template: src: postgresql.pref.j2 - dest: /etc/apt/preferences.d/ + dest: /etc/apt/preferences.d/postgresql.pref mode: "0644" From ae07d508cf140c4ccc7860222706c96a90a59b2a Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 30 Nov 2020 10:51:34 +0100 Subject: [PATCH 25/48] Fix key and update just after add pgdg repo key --- postgresql/tasks/pgdg-repo.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 978b2b9f..8d937b82 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -18,6 +18,11 @@ #url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc data: "{{ lookup('file', 'ACCC4CF8.asc') }}" +- name: Update and upgrade apt packages for PGDG repository + apt: + upgrade: yes + update_cache: yes + - name: Add APT preference file template: src: postgresql.pref.j2 From 18ac1e72798fd44cc7b9056d9dc1c322b45cbf9f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 1 Dec 2020 19:02:35 +0100 Subject: [PATCH 26/48] redis: check maxmemory in NRPE check If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction" then we enforce the "maxmemory" limit --- CHANGELOG.md | 1 + redis/files/check_redis_instances.sh | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb0b5a7c..4c06e5f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. * mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode +* redis: check maxmemory in NRPE check * lxc-php: Allow php containers to contact local MySQL with localhost ### Changed diff --git a/redis/files/check_redis_instances.sh b/redis/files/check_redis_instances.sh index 7821aeb0..a7dead82 100644 --- a/redis/files/check_redis_instances.sh 
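Review bot: `upgrade: yes` performs a full `apt upgrade` of every package on the host as a side effect of adding a repository key, and it runs before the `Add APT preference file` task below pins PGDG, so on a first run packages could be upgraded from the not-yet-pinned PGDG repository. If the goal is only to refresh the index after adding the key, `update_cache: yes` alone is enough; if an upgrade is really wanted it belongs after the preference file task and behind a dedicated variable. The commit title says "update", which suggests `upgrade: yes` is unintended — please confirm.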
+++ b/redis/files/check_redis_instances.sh @@ -30,11 +30,21 @@ check_server() { host=$(config_var "bind" "${conf_file}") port=$(config_var "port" "${conf_file}") pass=$(config_var "requirepass" "${conf_file}") + maxmemory=$(config_var "maxmemory" "${conf_file}") + maxmemory_policy=$(config_var "maxmemory-policy" "${conf_file}") cmd="${check_bin} -H ${host} -p ${port}" + # If "requirepass" is set we add the password to the check if [ -n "${pass}" ]; then cmd="${cmd} -x ${pass}" fi + # If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction" + # then we enforce the "maxmemory" limit + if [ -n "${maxmemory}" ]; then + if [ -z "${maxmemory_policy}" ] || [ "${maxmemory_policy}" = "noeviction" ]; then + cmd="${cmd} --total_memory ${maxmemory} --memory_utilization 80,90" + fi + fi result=$($cmd) ret="${?}" if [ "${ret}" -ge 2 ]; then From b6817cb62c0517eadaed4ffc570a45153b1dda52 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 1 Dec 2020 22:27:05 +0100 Subject: [PATCH 27/48] evoacme: upstream release 20.12 --- CHANGELOG.md | 2 +- evoacme/files/evoacme.sh | 6 +++--- evoacme/files/make-csr.sh | 4 ++-- evoacme/files/vhost-domains.sh | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c06e5f0..32bfdeda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,7 +24,7 @@ The **patch** part changes incrementally at each release. ### Changed * apt: disable APT Periodic -* evoacme: upstream release 20.11 +* evoacme: upstream release 20.12 ### Fixed diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 431b8162..2ea2d273 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -14,7 +14,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série 
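Review bot: `--total_memory ${maxmemory}` passes the raw `maxmemory` value from redis.conf, which is commonly written with a unit suffix (`2gb`, `512mb`); unless `${check_bin}` understands those suffixes the new option yields a parse error or a wrong limit, so either normalise the value to bytes (for example from `CONFIG GET maxmemory`, which returns bytes) or document that only bare byte values are supported. The `80,90` thresholds are hard-coded in the middle of the function; a pair of variables next to `check_bin` would make them tunable. Since `${pass}` is already placed on the command line with `-x` (context line), the password is visible in the process list to every local user — pre-existing, but noted because this hunk keeps extending `cmd`. `check_server()` starts before the hunk.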
@@ -285,7 +285,7 @@ main() { export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}" # emulate certbot hooks environment variables - export RENEWED_LINEAGE="${LIVE_CHAIN}" + export RENEWED_LINEAGE="${LIVE_DIR}" export RENEWED_DOMAINS="${VHOST}" # search for files in hooks directory @@ -309,7 +309,7 @@ readonly QUIET=${QUIET:-"0"} readonly TEST=${TEST:-"0"} readonly DRY_RUN=${DRY_RUN:-"0"} -readonly VERSION="20.11" +readonly VERSION="20.12" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 78512e3a..f82ad65b 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série @@ -265,7 +265,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.11" +readonly VERSION="20.12" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh index f20e5dba..5a60c23c 100755 --- a/evoacme/files/vhost-domains.sh +++ b/evoacme/files/vhost-domains.sh @@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série @@ -170,7 +170,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.11" +readonly VERSION="20.12" readonly SRV_IP=${SRV_IP:-""} From 9aa24f4cde128eab02707548676f260a649dd23c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 1 Dec 2020 22:47:38 +0100 Subject: [PATCH 28/48] minifirewall: Docker support --- CHANGELOG.md | 1 + minifirewall/defaults/main.yml | 1 + minifirewall/files/minifirewall.conf | 6 ++ minifirewall/tasks/config.yml | 6 ++ minifirewall/templates/minifirewall.j2 | 118 +++++++++++++++++++++++-- 5 files changed, 127 insertions(+), 5 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 32bfdeda..67448efd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * dovecot: Update munin plugin & configure it * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) +* minifirewall: Docker support * mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 5489b06a..e12da941 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -10,6 +10,7 @@ minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_ipv6: "on" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" +minifirewall_docker: "off" minifirewall_default_trusted_ips: [] minifirewall_additional_trusted_ips: [] diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 7285822a..2ddefe62 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf @@ -8,6 +8,12 @@ INT='eth0' # IPv6 IPV6=on +# Docker Mode +# Changes the behaviour of minifirewall to not break the containers' network +# For instance, turning it on will disable nat table purge +# Also, we'll add the DOCKER-USER chain, in iptable +DOCKER='off' + # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='192.168.0.2/32' diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 82be385c..347e58a9 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml 
@@ -58,6 +58,12 @@ # IPv6 IPV6='{{ minifirewall_ipv6 }}' + # Docker Mode + # Changes the behaviour of minifirewall to not break the containers' network + # For instance, turning it on will disable nat table purge + # Also, we'll add the DOCKER-USER chain, in iptable + DOCKER='{{ minifirewall_docker }}' + # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='{{ minifirewall_intlan }}' diff --git a/minifirewall/templates/minifirewall.j2 b/minifirewall/templates/minifirewall.j2 index 8045ce60..de9e3b96 100755 --- a/minifirewall/templates/minifirewall.j2 +++ b/minifirewall/templates/minifirewall.j2 @@ -51,6 +51,20 @@ BROAD='255.255.255.255' PORTSROOT='0:1023' PORTSUSER='1024:65535' +chain_exists() +{ + local chain_name="$1" ; shift + [ $# -eq 1 ] && local intable="--table $1" + iptables $intable -nL "$chain_name" >/dev/null 2>&1 +} + +# Configuration +oldconfigfile="/etc/firewall.rc" +configfile="{{ minifirewall_main_file }}" + +IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') +DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') +INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') case "$1" in start) @@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT $IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' $IPT -A LOG_ACCEPT -j ACCEPT -# Configuration -oldconfigfile="/etc/firewall.rc" -configfile="{{ minifirewall_main_file }}" - if test -f $oldconfigfile; then echo "$oldconfigfile is deprecated, rename to $configfile" >&2 exit 1 
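Review bot: `grep "IPV6="`, `grep "DOCKER="` and `grep "INT="` are not anchored, so they also match a commented-out line such as `# DOCKER='on'` left by an operator while testing, or any other key containing the text; with two matches the variable becomes a multi-line value and the `"$DOCKER" = "on"` tests silently fail. Anchor them and drop the first `-F` (the second `-F "'"` overrides it): `DOCKER=$(grep "^DOCKER=" {{ minifirewall_main_file }} | awk -F "'" '{print $2}')`, likewise for `IPV6` and `INT`. In `chain_exists`, `$intable` is deliberately unquoted for word splitting, but when no table is given it is never assigned, which breaks under `set -u`; `local intable=""` before the test avoids that.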
@@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP +if [ "$DOCKER" = "on" ]; then + + $IPT -N MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-TRUSTED -j DROP + + $IPT -N MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN + + $IPT -N MINIFW-DOCKER-PUB + $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PUB -j RETURN + + # Flush DOCKER-USER if exist, create it if absent + if chain_exists 'DOCKER-USER'; then + $IPT -F DOCKER-USER + else + $IPT -N DOCKER-USER + fi; + + # Pipe new connection through MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -j RETURN + +fi + + # Local services restrictions ############################# 
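Review bot: The `DOCKER-USER` rule only matches traffic entering on `$INT` (`-i $INT`), so on a host with a second external interface, published container ports reached through that interface bypass the `MINIFW-DOCKER-*` restrictions entirely; either loop over all external interfaces or state in a comment that only `$INT` is protected. The chain is also IPv4-only: nothing equivalent is added to `ip6tables`, so if Docker's IPv6 forwarding is enabled it is unfiltered — a comment noting that Docker mode covers IPv4 only would avoid surprises. Minor: `fi;` has a stray semicolon.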
@@ -218,6 +255,64 @@ for x in $SERVICESUDP3 done +if [ "$DOCKER" = "on" ]; then + + # Public services defined in SERVICESTCP1 & SERVICESUDP1 + for dstport in $SERVICESTCP1 + do + $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN + done + + for dstport in $SERVICESUDP1 + do + $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN + done + + # Privileged services (accessible from privileged & trusted IPs) + for dstport in $SERVICESTCP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + # Trusted services (accessible from trusted IPs) + for dstport in $SERVICESTCP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done +fi + # External services ################### 
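Review bot: Only `SERVICESTCP1/2/3` and `SERVICESUDP1/2/3` are mirrored into the `MINIFW-DOCKER-*` chains; the protected-ports lists (`SERVICESTCP1p`, visible in the Ansible template later in this series) get no equivalent, so a published container port listed there is reachable from anywhere through `DOCKER-USER`, whatever restriction the non-Docker path applies to it. Either add a loop for the `1p` lists with the same source restriction, or document that protected ports are not applied to containers. The six nested loops could be folded into a small helper such as `docker_allow_from chain proto port ips...`, which would halve the hunk and make the three tiers easier to compare.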
@@ -323,11 +418,24 @@ trap - INT TERM EXIT $IPT -F ONLYTRUSTED $IPT -F ONLYPRIVILEGIED $IPT -F NEEDRESTRICT - $IPT -t nat -F + [ "$DOCKER" = "off" ] && $IPT -t nat -F $IPT -t mangle -F [ "$IPV6" != "off" ] && $IPT6 -F INPUT [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT + if [ "$DOCKER" = "on" ]; then + $IPT -F DOCKER-USER + $IPT -A DOCKER-USER -j RETURN + + $IPT -F MINIFW-DOCKER-PUB + $IPT -X MINIFW-DOCKER-PUB + $IPT -F MINIFW-DOCKER-PRIVILEGED + $IPT -X MINIFW-DOCKER-PRIVILEGED + $IPT -F MINIFW-DOCKER-TRUSTED + $IPT -X MINIFW-DOCKER-TRUSTED + + fi + # Accept all $IPT -P INPUT ACCEPT $IPT -P OUTPUT ACCEPT From fc71bb59452a4b7f56cb743eb005c9f7e702a090 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 1 Dec 2020 22:57:13 +0100 Subject: [PATCH 29/48] minifirewall: upstream release 20.12 --- CHANGELOG.md | 2 +- minifirewall/files/minifirewall.conf | 3 +-- minifirewall/templates/minifirewall.j2 | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67448efd..e409b444 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ The **patch** part changes incrementally at each release. * dovecot: Update munin plugin & configure it * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) -* minifirewall: Docker support +* minifirewall: upstream release 20.12 * mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 2ddefe62..1c637483 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf 
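Review bot: `[ "$DOCKER" = "off" ] && $IPT -t nat -F` silently changes the stop path for existing configurations that do not define DOCKER at all: with the variable unset the test is false and the nat table is no longer flushed, whereas before this commit it always was. Unless the script initialises `DOCKER` to a default before this point (not visible in the hunk), the guard should follow the IPv6 guards just below it and only skip the flush on an explicit opt-in, `[ "$DOCKER" != "on" ] && $IPT -t nat -F`. The teardown order is correct (DOCKER-USER is flushed first, and each MINIFW-DOCKER-* chain is flushed before the chain it jumps to is deleted), but that dependency is easy to break; a comment such as `# flush each chain before deleting the chain it references` would keep it that way.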
@@ -1,6 +1,5 @@ # Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall -# For fun, we keep last change from first CVS repository: -# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $ +# Version 20.12 — 2020-12-01 22:55:35 # Main interface INT='eth0' diff --git a/minifirewall/templates/minifirewall.j2 b/minifirewall/templates/minifirewall.j2 index de9e3b96..13b5130d 100755 --- a/minifirewall/templates/minifirewall.j2 +++ b/minifirewall/templates/minifirewall.j2 @@ -4,7 +4,7 @@ # we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel # See https://gitea.evolix.org/evolix/minifirewall -# Copyright (c) 2007-2015 Evolix +# Copyright (c) 2007-2020 Evolix # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 3 From 84bd3372d5d1303aa20de28c8c590ddece8b571e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Dec 2020 15:22:35 +0100 Subject: [PATCH 30/48] blockinfile: change from "content" to "block" It solves the diff bug : https://github.com/ansible/ansible/issues/62315 --- minifirewall/tasks/config.yml | 4 ++-- redis/tasks/default-log2mail.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 347e58a9..4c852d6b 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -51,7 +51,7 @@ blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" - content: | + block: | # Main interface INT='{{ minifirewall_int }}' @@ -95,7 +95,7 @@ blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" - content: | + block: | # Protected services # (add also in Public services if needed) SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}' 
diff --git a/redis/tasks/default-log2mail.yml b/redis/tasks/default-log2mail.yml index 8614a11d..21628b0c 100644 --- a/redis/tasks/default-log2mail.yml +++ b/redis/tasks/default-log2mail.yml @@ -8,7 +8,7 @@ mode: "0640" create: yes marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE" - content: | + block: | file = {{ redis_log_dir }}/redis-server.log pattern = "Cannot allocate memory" mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} From 98f798b9fb949537820e22256a6abc2d2a138e5e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 3 Dec 2020 17:26:16 +0100 Subject: [PATCH 31/48] cerbot: parse HAProxy config file only if HAProxy is found --- CHANGELOG.md | 2 ++ certbot/files/hooks/haproxy.sh | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e409b444..08b8b5b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,8 @@ The **patch** part changes incrementally at each release. ### Fixed +* cerbot: parse HAProxy config file only if HAProxy is found + ### Removed ### Security diff --git a/certbot/files/hooks/haproxy.sh b/certbot/files/hooks/haproxy.sh index 1a7f5d4e..932a3e90 100644 --- a/certbot/files/hooks/haproxy.sh +++ b/certbot/files/hooks/haproxy.sh @@ -56,6 +56,9 @@ main() { fi if daemon_found_and_running; then + readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" + readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) + if found_renewed_lineage; then haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" @@ -86,7 +89,5 @@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} readonly haproxy_bin=$(command -v haproxy) -readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" -readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) main From 5522f822f74c0879a74ba6a1068cb91c877e90ee Mon Sep 17 00:00:00 2001 
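Review bot: `readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)` discards the helper's exit status (the line's status is that of `readonly`), and if detection yields an empty string the following `haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"` quietly points at the filesystem root. Unless detect_haproxy_cert_dir aborts on failure itself (it is not in the hunk), split the assignment and check the result: `haproxy_cert_dir=$(detect_haproxy_cert_dir)` / `[ -n "${haproxy_cert_dir}" ] || { printf 'haproxy cert dir not detected\n' >&2; exit 1; }` / `readonly haproxy_cert_dir`. `main()` starts before the hunk.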
From: Eric Morino Date: Mon, 7 Dec 2020 16:18:56 +0100 Subject: [PATCH 32/48] add set facts for buster --- postgresql/tasks/packages_buster.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 3f45e84c..3b6b3e49 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -1,5 +1,9 @@ --- +- name: "Set variables (Debian 10)" + set_fact: + postgresql_version: '11' + - include: pgdg-repo.yml when: postgresql_version != '11' From 2a94a3bdf1e6184ed12d2515ddc3941c0b97db8f Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 7 Dec 2020 16:21:57 +0100 Subject: [PATCH 33/48] fix packages_buster --- postgresql/tasks/packages_buster.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 3b6b3e49..4b2e9efc 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -3,6 +3,7 @@ - name: "Set variables (Debian 10)" set_fact: postgresql_version: '11' + when: postgresql_version = '' - include: pgdg-repo.yml when: postgresql_version != '11' From 0f7dcb57b11ee98a18d4e103ce6797820b3ce1f0 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 7 Dec 2020 16:24:11 +0100 Subject: [PATCH 34/48] add postgresql_version to empty --- postgresql/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index c81ff575..7b2b3734 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -9,7 +9,7 @@ postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" # PostgreSQL version -postgresql_version: '9.6' +postgresql_version: '' # Set locales locales_default: fr_FR.UTF-8 From 1160a5e809d163120d373fda5365762453b50ba5 Mon Sep 17 00:00:00 2001 
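Review bot: `postgresql_version: ''` now has a meaning (an empty value lets the per-release `set_fact` pick the version shipped by Debian) that the surrounding `# PostgreSQL version` comment does not convey; make it `# PostgreSQL version (empty: use the version packaged by the Debian release)`. The `set_fact` only fires on an exactly empty string and the PGDG decision compares against the string `'11'`, so a version supplied as a bare number in inventory (`postgresql_version: 11`) would skip the default and still be treated as "not 11"; documenting that the value must be a quoted string, or comparing with `| string`, closes that gap.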
From: Ludovic Poujol Date: Mon, 7 Dec 2020 16:43:59 +0100 Subject: [PATCH 35/48] postgresql: correct confitinal on set_fact --- postgresql/tasks/packages_buster.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 4b2e9efc..3a1a440e 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -3,7 +3,7 @@ - name: "Set variables (Debian 10)" set_fact: postgresql_version: '11' - when: postgresql_version = '' + when: postgresql_version == "" - include: pgdg-repo.yml when: postgresql_version != '11' From c324866cd2b888505ff92b37cb931d7da0ec3d44 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 7 Dec 2020 16:45:32 +0100 Subject: [PATCH 36/48] Add set variables for debian stretch and jessie --- postgresql/tasks/packages_jessie.yml | 5 +++++ postgresql/tasks/packages_stretch.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index abf0ad08..3e21bc0e 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml @@ -1,5 +1,10 @@ --- +- name: "Set variables (Debian 8)" + set_fact: + postgresql_version: '9.4' + when: postgresql_version == "" + - include: pgdg-repo.yml when: postgresql_version != '9.4' diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index d6a3aa5e..eff513f9 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -1,5 +1,10 @@ --- +- name: "Set variables (Debian 9)" + set_fact: + postgresql_version: '9.6' + when: postgresql_version == "" + - include: pgdg-repo.yml when: postgresql_version != '9.6' From 4d6f88f0f4fdf4197b56a0d962ad656bf23ffb0a Mon Sep 17 00:00:00 2001 
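Review bot: The same three-line `set_fact` stanza guarded by `when: postgresql_version == ""` now exists in packages_jessie.yml, packages_stretch.yml and packages_buster.yml with only the version literal differing, which will drift as releases are added. A single mapping keyed by `ansible_distribution_major_version` with one `set_fact` in the shared task path would keep the per-release defaults in one place. The stanza also mixes `'9.4'` and `""` quoting styles on adjacent lines; one style per file is easier to scan.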
From: Jeremy Lecour Date: Mon, 7 Dec 2020 17:23:21 +0100 Subject: [PATCH 37/48] minifirewall: add variables to force upgrade the script and the config (default: False) --- CHANGELOG.md | 1 + minifirewall/defaults/main.yml | 3 +++ minifirewall/tasks/install.yml | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 08b8b5b4..f2ce2a6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) * minifirewall: upstream release 20.12 +* minifirewall: add variables to force upgrade the script and the config (default: False) * mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index e12da941..fd4e726b 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -5,6 +5,9 @@ minifirewall_tail_file: /etc/default/minifirewall.tail minifirewall_tail_included: False minifirewall_tail_force: True +minifirewall_force_upgrade_script: False +minifirewall_force_upgrade_config: False + minifirewall_git_url: "https://forge.evolix.org/minifirewall.git" minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index a4bcf734..5d6438ed 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -9,7 +9,7 @@ template: src: minifirewall.j2 dest: /etc/init.d/minifirewall - force: no + force: "{{ minifirewall_force_upgrade_script | default('no') }}" mode: "0700" owner: root group: root 
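Review bot: `minifirewall_force_upgrade_config: False` needs a comment saying what enabling it does, because forcing the copy replaces the whole `minifirewall_main_file` with the packaged minifirewall.conf and, presumably, only the Ansible-managed IPS/PORTS blocks are re-applied afterwards, so any hand edits outside those blocks are discarded; e.g. `# True re-copies the packaged config file; local edits outside the managed blocks are lost`. The `| default('no')` on `force:` in the template task (and on the copy task in the next hunk) is redundant with these defaults and mixes a string fallback with boolean defaults; `force: "{{ minifirewall_force_upgrade_script }}"` is sufficient.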
@@ -18,7 +18,7 @@ copy: src: minifirewall.conf dest: "{{ minifirewall_main_file }}" - force: no + force: "{{ minifirewall_force_upgrade_config | default('no') }}" mode: "0600" owner: root group: root From 772bce8c0b0150e7a8c4bf32314d5653148f7142 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 7 Dec 2020 17:26:45 +0100 Subject: [PATCH 38/48] dovecot: vmail uid/gid are configurable --- CHANGELOG.md | 1 + dovecot/defaults/main.yml | 4 +++- dovecot/tasks/main.yml | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2ce2a6e..f2d562e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * dovecot: Update munin plugin & configure it +* dovecot: vmail uid/gid are configurable * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) * minifirewall: upstream release 20.12 diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index 884bc1ca..52e06bda 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml @@ -1,2 +1,4 @@ --- -dovecot_foo: bar + +dovecot_vmail_uid: 5000 +dovecot_vmail_gid: 5000 diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 8492e00a..8508a902 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -40,7 +40,7 @@ - name: create vmail group group: name: vmail - gid: 5000 + gid: "{{ dovecot_vmail_gid }}" tags: - dovecot @@ -48,7 +48,7 @@ user: name: vmail group: vmail - uid: 5000 + uid: "{{ dovecot_vmail_uid }}" shell: /bin/false tags: - dovecot From 3c4986275c781b7ad6651ad6271fb9aa66348890 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 8 Dec 2020 11:07:42 +0100 Subject: [PATCH 39/48] evocheck: upstream release 20.12 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 37 ++++++++++++++++++++++++------------- 2 files changed, 25 insertions(+), 13 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index f2d562e7..4eefc696 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ The **patch** part changes incrementally at each release. * apt: disable APT Periodic * evoacme: upstream release 20.12 +* evocheck: upstream release 20.12 ### Fixed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 5c3f1365..287982e2 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -readonly VERSION="20.04.3" +readonly VERSION="20.12" # base functions @@ -205,10 +205,13 @@ check_customsudoers() { grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file" } check_vartmpfs() { - df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" -} -check_vartmpfs() { - df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + ${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + else + df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + fi + } check_serveurbase() { is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" @@ -559,7 +562,7 @@ check_evobackup_exclude_mount() { # shellcheck disable=SC2064 trap "rm -f ${excludes_file}" 0 # shellcheck disable=SC2044 - for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do + for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") for mount in ${not_excluded}; do 
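Review bot: `grep -v -E ".disabled$"` in check_evobackup_exclude_mount uses an unescaped dot, so any cron file whose name ends in one character followed by `disabled` is skipped, not only `*.disabled`; write `grep -v -E '\.disabled$'`. In check_vartmpfs the new `fi` is followed by an empty line before the closing brace, and a short comment on why findmnt is preferred, `# findmnt checks the mount at /var/tmp itself; df only reports the containing filesystem`, would explain the fallback.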
@@ -878,15 +881,25 @@ check_sql_backup() { if (is_installed "mysql-server" || is_installed "mariadb-server"); then # You could change the default path in /etc/evocheck.cf SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} - test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})" + for backup_path in ${SQL_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done fi } check_postgres_backup() { - if is_installed "postgresql-9*"; then + if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then # If you use something like barman, you should disable this check # You could change the default path in /etc/evocheck.cf - POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"} - test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})" + POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"} + for backup_path in ${POSTGRES_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done fi } check_mongo_backup() { @@ -1013,7 +1026,7 @@ check_duplicate_fs_label() { BLKID_BIN=$(command -v blkid) if [ -x "$BLKID_BIN" ]; then tmpFile=$(mktemp -p /tmp) - parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) for part in $parts; do echo "$part" >> "$tmpFile" done @@ -1517,8 +1530,6 @@ main() { # shellcheck disable=SC2034 readonly PROGNAME=$(basename "$0") -# shellcheck disable=SC2034 -readonly PROGDIR=$(realpath -m "$(dirname "$0")") # shellcheck disable=2124 readonly ARGS=$@ From 5b2d3b09d093863e93ff331c75d4122a1b068b62 Mon Sep 17 00:00:00 2001 
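Review bot: `for backup_path in ${SQL_BACKUP_PATH}; do` and the PostgreSQL counterpart now rely on the unquoted expansion being word-split and glob-expanded (the new default `"/home/backup/pg.dump.bak*"` only works because of that), which a reader will otherwise flag as a quoting mistake; add `# unquoted on purpose: the variable may hold several space-separated paths and shell globs` above each loop, and note in /etc/evocheck.cf documentation that paths containing whitespace are not supported. An unmatched glob stays literal and is then reported as missing, which is the right outcome but worth a word in the same comment. The two functions are identical apart from the check name, wording and default path and could share one helper.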
From: Jeremy Lecour Date: Thu, 17 Dec 2020 08:05:16 +0100 Subject: [PATCH 40/48] Create system users for vmail (dovecot) and evoadmin --- CHANGELOG.md | 1 + dovecot/tasks/main.yml | 2 ++ webapps/evoadmin-web/tasks/user.yml | 2 ++ 3 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4eefc696..30bd12d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,7 @@ The **patch** part changes incrementally at each release. ### Changed +* Create system users for vmail (dovecot) and evoadmin * apt: disable APT Periodic * evoacme: upstream release 20.12 * evocheck: upstream release 20.12 diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 8508a902..1a7e4280 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -41,6 +41,7 @@ group: name: vmail gid: "{{ dovecot_vmail_gid }}" + system: True tags: - dovecot @@ -50,6 +51,7 @@ group: vmail uid: "{{ dovecot_vmail_uid }}" shell: /bin/false + system: True tags: - dovecot diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 5aa6c29c..7b58270c 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -6,6 +6,7 @@ comment: "Evoadmin Web Account" home: "{{ evoadmin_home_dir }}" password: "!" + system: yes - name: Create www-evoadmin group group: @@ -22,6 +23,7 @@ - name: "Create www-evoadmin (Debian 9 or later)" user: name: www-evoadmin + system: yes when: ansible_distribution_major_version is version('9', '>=') - name: Is /etc/aliases present? From 0b528f15da85a9d07c24cfff74078bc254949351 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 17 Dec 2020 08:06:44 +0100 Subject: [PATCH 41/48] tomcat-instance: fail if uid already exists --- CHANGELOG.md | 1 + tomcat-instance/tasks/user.yml | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 30bd12d0..076ef587 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
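Review bot: `system: True` / `system: yes` only affects account creation; Ansible's user and group modules do not convert an already existing vmail or www-evoadmin account into a system one, so hosts provisioned before this change keep non-system accounts while the changelog suggests otherwise. A comment on the first user task, `# system flag is applied at creation only; existing accounts are left unchanged`, would set expectations. The new lines also alternate between `True` (dovecot) and `yes` (evoadmin-web); `true` in both files matches the yamllint convention and avoids YAML 1.1 boolean ambiguity.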
@@ -30,6 +30,7 @@ The **patch** part changes incrementally at each release. * apt: disable APT Periodic * evoacme: upstream release 20.12 * evocheck: upstream release 20.12 +* tomcat-instance: fail if uid already exists ### Fixed diff --git a/tomcat-instance/tasks/user.yml b/tomcat-instance/tasks/user.yml index a4a7bcb2..64244799 100644 --- a/tomcat-instance/tasks/user.yml +++ b/tomcat-instance/tasks/user.yml @@ -1,4 +1,24 @@ --- + +- fail: + msg: "You must provide a value for the 'tomcat_instance_port' variable." + when: tomcat_instance_port is not defined or tomcat_instance_port == '' + + +- name: "Test if uid '{{ tomcat_instance_port }}' exists" + command: 'id -un -- "{{ tomcat_instance_port }}"' + register: get_login_from_id + failed_when: False + changed_when: False + check_mode: no + +- name: "Fail if uid already exists for another user" + fail: + msg: "Uid '{{ tomcat_instance_port }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ tomcat_instance_name }}'" + when: + - get_login_from_id.rc == 0 + - get_login_from_id.stdout != tomcat_instance_name + - name: Create group instance group: name: "{{ tomcat_instance_name }}" From 81fbd98a5f37a02afdc9ca0e0f91a543a9605360 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 17 Dec 2020 15:25:48 +0100 Subject: [PATCH 42/48] evolinux-users: improve uid/login checks --- CHANGELOG.md | 1 + evolinux-users/tasks/user.yml | 44 ++++++++++++++++++++++++++--------- 2 files changed, 34 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 076ef587..ec95a820 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes incrementally at each release. * apt: disable APT Periodic * evoacme: upstream release 20.12 * evocheck: upstream release 20.12 +* evolinux-users: improve uid/login checks * tomcat-instance: fail if uid already exists ### Fixed 
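Review bot: `id -un -- "{{ tomcat_instance_port }}"` resolves a non-numeric argument as a login name, so a mistyped `tomcat_instance_port` that happens to equal an existing user name passes the rc check and produces the misleading "Uid ... is already used" failure instead of a validation error; tighten the first guard to `when: tomcat_instance_port is not defined or (tomcat_instance_port | string) is not match('^[0-9]+$')`. The two `fail` tasks have no `name:`, unlike every other task in the file, and the double blank lines between tasks break the file's single-blank-line spacing.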
diff --git a/evolinux-users/tasks/user.yml b/evolinux-users/tasks/user.yml index 2f5e4e43..b8dda1d2 100644 --- a/evolinux-users/tasks/user.yml +++ b/evolinux-users/tasks/user.yml @@ -2,20 +2,41 @@ # Unix account +- fail: + msg: "You must provide a value for the 'user.name ' variable." + when: user.name is not defined or user.name == '' + +- fail: + msg: "You must provide a value for the 'user.uid ' variable." + when: user.uid is not defined or user.uid == '' + - name: "Test if '{{ user.name }}' exists" - command: 'getent passwd {{ user.name }}' - register: loginisbusy + command: 'id -u "{{ user.name }}"' + register: get_id_from_login failed_when: False changed_when: False check_mode: no -- name: "Test if uid exists for '{{ user.name }}'" - command: 'getent passwd {{ user.uid }}' - register: uidisbusy +- name: "Test if uid '{{ user.uid }}' exists" + command: 'id -un -- "{{ user.uid }}"' + register: get_login_from_id failed_when: False changed_when: False check_mode: no +# Error if +# the uid already exists +# and the user associated with this uid is not the desired user +- name: "Fail if uid already exists for another user" + fail: + msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'" + when: + - get_login_from_id.rc == 0 + - get_login_from_id.stdout != user.name + +# Create/Update the user account with defined uid if +# the user doesn't already exist and the uid isn't already used +# or the user exists with the defined uid - name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')" user: state: present 
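Review bot: Both new failure messages carry a stray space inside the quoted variable name, `'user.name '` and `'user.uid '`; they should read `msg: "You must provide a value for the 'user.name' variable."` and likewise for `user.uid`. The login lookup `command: 'id -u "{{ user.name }}"'` omits the `--` that the uid lookup two tasks below uses, so a name starting with `-` would be parsed as an option; use `command: 'id -u -- "{{ user.name }}"'`. As in tomcat-instance, a non-numeric `user.uid` is looked up as a login name by `id -un`, which the `== ''` guard does not catch.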
@@ -24,11 +45,13 @@ comment: '{{ user.fullname }}' shell: /bin/bash password: '{{ user.password_hash }}' - update_password: on_create + update_password: "on_create" when: - - loginisbusy.rc != 0 - - uidisbusy.rc != 0 + - (get_id_from_login.rc != 0 and get_login_from_id.rc != 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout == user.name) +# Create/Update the user account without defined uid if +# the user doesn't already exist but the defined uid is already used +# or another user already exists with a the same uid - name: "Unix account for '{{ user.name }}' is present (with random uid)" user: state: present @@ -36,10 +59,9 @@ comment: '{{ user.fullname }}' shell: /bin/bash password: '{{ user.password_hash }}' - update_password: on_create + update_password: "on_create" when: - - loginisbusy.rc != 0 - - uidisbusy.rc == 0 + - (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name) - name: Is /etc/aliases present? stat: From 8861169a04206c29729d50f9c85b9bd8e81b0b6c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 22:55:39 +0100 Subject: [PATCH 43/48] varnish: config file name is configurable --- CHANGELOG.md | 1 + varnish/files/reload-vcl.sh | 5 ----- varnish/tasks/main.yml | 6 +++--- varnish/templates/reload-vcl.sh.j2 | 5 +++++ 4 files changed, 9 insertions(+), 8 deletions(-) delete mode 100644 varnish/files/reload-vcl.sh create mode 100644 varnish/templates/reload-vcl.sh.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index ec95a820..79fa9859 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. * redis: variable to force use of port 6379 in instances mode * redis: check maxmemory in NRPE check * lxc-php: Allow php containers to contact local MySQL with localhost +* varnish: config file name is configurable ### Changed 
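Review bot: The second condition, `(get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name)`, is also true when the login exists with some other uid and the desired uid is free: the account is then updated without `uid`, silently keeping its current uid while the inventory declares a different one. That outcome may well be wanted (re-numbering an account is risky), but the new comment above the task does not mention it and contains a typo (`with a the same uid`); rewrite it as `# or the user already exists with another uid (its current uid is kept),` / `# or another user already exists with the same uid`. The `when:` lines are long enough that splitting the two alternatives into list items would make the four cases easier to verify.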
diff --git a/varnish/files/reload-vcl.sh b/varnish/files/reload-vcl.sh deleted file mode 100644 index 537dcddf..00000000 --- a/varnish/files/reload-vcl.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -UUID=`cat /proc/sys/kernel/random/uuid` -/usr/sbin/varnishd -C -f /etc/varnish/default.vcl >/dev/null \ - &&/usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.load vcl_$UUID /etc/varnish/default.vcl" \ - && /usr/bin/varnishadm -T localhost:6082 -S /etc/varnish/secret "vcl.use vcl_$UUID" diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index c55218ef..1bf61fde 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -19,8 +19,8 @@ - varnish - name: Copy Custom Varnish ExecReload script (Debian <=9) - copy: - src: "reload-vcl.sh" + template: + src: "reload-vcl.sh.j2" dest: "/etc/varnish/reload-vcl.sh" mode: "0700" owner: root @@ -62,7 +62,7 @@ - name: Copy Varnish configuration template: src: "{{ item }}" - dest: /etc/varnish/default.vcl + dest: "{{ varnish_config_file }}" mode: "0644" force: yes with_first_found: diff --git a/varnish/templates/reload-vcl.sh.j2 b/varnish/templates/reload-vcl.sh.j2 new file mode 100644 index 00000000..e60d8257 --- /dev/null +++ b/varnish/templates/reload-vcl.sh.j2 @@ -0,0 +1,5 @@ +#!/bin/sh +UUID=`cat /proc/sys/kernel/random/uuid` +/usr/sbin/varnishd -C -f {{ varnish_config_file }} >/dev/null \ + && /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.load vcl_$UUID {{ varnish_config_file }}" \ + && /usr/bin/varnishadm -T {{ varnish_management_address }} -S {{ varnish_secret_file }} "vcl.use vcl_$UUID" From 3e72d6961c630a4e99c8e3d4225a33bf0c8e9ce7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 22:56:15 +0100 Subject: [PATCH 44/48] varnish: no threadpool delay by default --- CHANGELOG.md | 2 ++ varnish/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79fa9859..e4ecf202 100644 
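Review bot: Now that the reload script is rendered from variables, the interpolated values are passed unquoted to commands that run as root from ExecReload: `-f {{ varnish_config_file }}`, `-T {{ varnish_management_address }}` and `-S {{ varnish_secret_file }}` break on any path containing whitespace, and inside the `vcl.load` string a quoted path is what varnishadm expects. Quote them, e.g. `/usr/sbin/varnishd -C -f "{{ varnish_config_file }}" >/dev/null \`, and replace the backtick capture with `UUID=$(cat /proc/sys/kernel/random/uuid)`. Each reload loads a fresh `vcl_$UUID` and never discards the previous one, as in the deleted file; a comment noting that old VCLs accumulate until varnish is restarted would help operators.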
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,8 @@ The **patch** part changes incrementally at each release. * evocheck: upstream release 20.12 * evolinux-users: improve uid/login checks * tomcat-instance: fail if uid already exists +* varnish: change template name for better readability +* varnish: no threadpool delay by default ### Fixed diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index 544d0cf7..7a7d8c2f 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml @@ -10,7 +10,7 @@ varnish_malloc_size: "2G" varnish_storage: malloc,{{ varnish_malloc_size }} varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}" -varnish_thread_pool_add_delay: 2 +varnish_thread_pool_add_delay: 0 varnish_thread_pool_min: 500 varnish_thread_pool_max: 5000 From d430dea043d61c8939774d81f19fa732519a19d0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 23:00:50 +0100 Subject: [PATCH 45/48] whitespaces --- varnish/tasks/main.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 1bf61fde..9624d832 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -4,19 +4,19 @@ name: varnish state: present tags: - - varnish + - varnish - name: Remove default varnish configuration files file: path: "{{ item }}" state: absent with_items: - - /etc/default/varnish - - /etc/default/varnishncsa - - /etc/default/varnishlog + - /etc/default/varnish + - /etc/default/varnishncsa + - /etc/default/varnishlog notify: reload varnish tags: - - varnish + - varnish - name: Copy Custom Varnish ExecReload script (Debian <=9) template: 
@@ -28,14 +28,14 @@ when: ansible_distribution_major_version is version('9', '<=') notify: reload varnish tags: - - varnish + - varnish - name: Create a system config directory for systemd overrides file: path: /etc/systemd/system/varnish.service.d state: directory tags: - - varnish + - varnish - name: Override Varnish systemd unit template: @@ -46,7 +46,7 @@ - reload systemd - restart varnish tags: - - varnish + - varnish - name: Patch logrotate conf replace: @@ -57,7 +57,7 @@ - varnishlog - varnishncsa tags: - - varnish + - varnish - name: Copy Varnish configuration template: @@ -72,7 +72,7 @@ - "default.vcl.j2" notify: reload varnish tags: - - varnish + - varnish - name: Create Varnish config dir file: @@ -80,7 +80,7 @@ state: directory mode: "0755" tags: - - varnish + - varnish - name: Copy included Varnish config template: @@ -92,6 +92,6 @@ - "templates/varnish/conf.d/*.vcl" notify: reload varnish tags: - - varnish + - varnish - include: munin.yml From 0f5ce44186420bae38b88f3859e929e765affb46 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 23:01:46 +0100 Subject: [PATCH 46/48] varnish: change template name for better readability --- varnish/tasks/main.yml | 12 ++++++++---- varnish/templates/{default.vcl.j2 => varnish.vcl.j2} | 0 2 files changed, 8 insertions(+), 4 deletions(-) rename varnish/templates/{default.vcl.j2 => varnish.vcl.j2} (100%) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 9624d832..38066298 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml 
@@ -66,10 +66,14 @@ mode: "0644" force: yes with_first_found: - - "templates/varnish/default.{{ inventory_hostname }}.vcl.j2" - - "templates/varnish/default.{{ host_group }}.vcl.j2" - - "templates/varnish/default.default.vcl.j2" - - "default.vcl.j2" + - "templates/varnish/varnish.{{ inventory_hostname }}.vcl.j2" + - "templates/varnish/default.{{ inventory_hostname }}.vcl.j2" + - "templates/varnish/varnish.{{ host_group }}.vcl.j2" + - "templates/varnish/default.{{ host_group }}.vcl.j2" + - "templates/varnish/varnish.default.vcl.j2" + - "templates/varnish/default.default.vcl.j2" + - "varnish.vcl.j2" + - "default.vcl.j2" notify: reload varnish tags: - varnish diff --git a/varnish/templates/default.vcl.j2 b/varnish/templates/varnish.vcl.j2 similarity index 100% rename from varnish/templates/default.vcl.j2 rename to varnish/templates/varnish.vcl.j2 From 67ce8de85e0215b557ffbb051ede1b9df5168896 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 20 Dec 2020 23:25:34 +0100 Subject: [PATCH 47/48] varnish: custom reload script is now useless --- CHANGELOG.md | 1 + varnish/tasks/main.yml | 21 +++++++++++++++++---- varnish/templates/varnish.conf.buster.j2 | 5 +++++ varnish/templates/varnish.conf.j2 | 7 ------- varnish/templates/varnish.conf.jessie.j2 | 7 +++++++ 5 files changed, 30 insertions(+), 11 deletions(-) create mode 100644 varnish/templates/varnish.conf.buster.j2 delete mode 100644 varnish/templates/varnish.conf.j2 create mode 100644 varnish/templates/varnish.conf.jessie.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index e4ecf202..463d3a83 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ The **patch** part changes incrementally at each release. * tomcat-instance: fail if uid already exists * varnish: change template name for better readability * varnish: no threadpool delay by default +* varnish: no custom reload script for Debian 10 and later ### Fixed diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 38066298..7274cba8 100644 
--- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -18,14 +18,14 @@ tags: - varnish -- name: Copy Custom Varnish ExecReload script (Debian <=9) +- name: Copy Custom Varnish ExecReload script (Debian <10) template: src: "reload-vcl.sh.j2" dest: "/etc/varnish/reload-vcl.sh" mode: "0700" owner: root group: root - when: ansible_distribution_major_version is version('9', '<=') + when: ansible_distribution_major_version is version('10', '<') notify: reload varnish tags: - varnish @@ -37,11 +37,24 @@ tags: - varnish -- name: Override Varnish systemd unit +- name: Override Varnish systemd unit (Stretch and before) template: - src: varnish.conf.j2 + src: varnish.conf.jessie.j2 dest: /etc/systemd/system/varnish.service.d/evolinux.conf force: yes + when: ansible_distribution_major_version is version('10', '<') + notify: + - reload systemd + - restart varnish + tags: + - varnish + +- name: Override Varnish systemd unit (Buster and later) + template: + src: varnish.conf.buster.j2 + dest: /etc/systemd/system/varnish.service.d/evolinux.conf + force: yes + when: ansible_distribution_major_version is version('10', '>=') notify: - reload systemd - restart varnish diff --git a/varnish/templates/varnish.conf.buster.j2 b/varnish/templates/varnish.conf.buster.j2 new file mode 100644 index 00000000..09dcf7c4 --- /dev/null +++ b/varnish/templates/varnish.conf.buster.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +[Service] +ExecStart= +ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} 
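Review bot: varnish.conf.buster.j2 and varnish.conf.jessie.j2 (next hunk) are identical except for the two ExecReload lines, so the ExecStart line, with its many parameters, now has to be kept in sync in two files; one template with `{% if ansible_distribution_major_version is version('10', '<') %}` around the ExecReload override would avoid that, and the two "Override Varnish systemd unit" tasks could collapse back into one. The new `-j unix,user=vcache` jail is a worthwhile hardening, but it makes varnishd fail to start if the `vcache` account does not exist; since the role does not create it, a comment on the ExecStart line, `# -j unix,user=vcache relies on the vcache account shipped by the Debian package`, records that assumption.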
diff --git a/varnish/templates/varnish.conf.j2 b/varnish/templates/varnish.conf.j2 deleted file mode 100644 index 3020d556..00000000 --- a/varnish/templates/varnish.conf.j2 +++ /dev/null @@ -1,7 +0,0 @@ -# {{ ansible_managed }} - -[Service] -ExecStart= -ExecStart=/usr/sbin/varnishd -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} -ExecReload= -ExecReload=/etc/varnish/reload-vcl.sh diff --git a/varnish/templates/varnish.conf.jessie.j2 b/varnish/templates/varnish.conf.jessie.j2 new file mode 100644 index 00000000..59651b36 --- /dev/null +++ b/varnish/templates/varnish.conf.jessie.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +[Service] +ExecStart= +ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} +ExecReload= +ExecReload=/etc/varnish/reload-vcl.sh From 1922b51fbe793ad894c3af0e629a006eea06f5b9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 21 Dec 2020 16:03:49 +0100 Subject: [PATCH 48/48] Release 10.3.0 --- CHANGELOG.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 463d3a83..c391df9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,6 +12,18 @@ The **patch** part changes incrementally at each release. ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [10.3.0] 2020-12-21 + +### Added + * dovecot: Update munin plugin & configure it * dovecot: vmail uid/gid are configurable * evoacme: variable to disable Debian version check (default: False) @@ -41,10 +53,6 @@ The **patch** part changes incrementally at each release. * cerbot: parse HAProxy config file only if HAProxy is found -### Removed - -### Security - ## [10.2.0] 2020-09-17 ### Added