diff --git a/CHANGELOG.md b/CHANGELOG.md index e2b758ef..f0d8879a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,11 +12,15 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* all: Use proper keyrings directory for APT version +* all: Add signed-by option for additional APT sources +* all: preliminary work to support Debian 12 * evolinux-base: replace regular kernel by cloud kernel on virtual servers -* nagios-nrpe: check_haproxy_stats supports DRAIN status * lxc-php: set php-fpm umask to 007 -* varnish: create special tmp directory for syntax validation * nagios-nrpe: check_ceph_* +* nagios-nrpe: check_haproxy_stats supports DRAIN status +* packweb-apache: enable log_forensic module +* varnish: create special tmp directory for syntax validation ### Changed @@ -29,6 +33,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-solr: download URL according to Solr Version * lxc-solr: set homedir and port at install * minifirewall: whitelist deb.freexian.com +* packweb-apache: manual dependencies resolution * redis: some values should be quoted * redis: variable to disable transparent hugepage (default: do nothing) * squid: whitelist deb.freexian.com diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index e5093c6e..681f1d14 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -25,3 +25,5 @@ apt_check_hold_cron_hour: "*/4" apt_check_hold_cron_weekday: "*" apt_check_hold_cron_day: "*" apt_check_hold_cron_month: "*" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 8352e666..21062a32 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml 
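Review bot: On every release before Debian 12 the new `apt_keyring_dir` resolves to `/etc/apt/trusted.gpg.d`, so the `signed-by=` options added across this commit give little isolation there: a key in `trusted.gpg.d` is still accepted by every other source, including the Debian mirrors, even though the option restricts its own source to that key. apt has honoured `signed-by` since 1.1 (Debian 9), so the scoping benefit is only obtained by using a non-trusted directory on all releases and creating it when absent, e.g. `apt_keyring_dir: /etc/apt/keyrings`. If the split is deliberate for compatibility, the default deserves a comment, `# on Debian < 12 keys still land in trusted.gpg.d, i.e. they remain trusted for all sources`. The same expression is pasted into fifteen role defaults files; a single shared definition would keep the key path and the sources entries from drifting apart.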
@@ -19,7 +19,7 @@ - name: Add Evolix GPG key copy: src: reg.asc - dest: /etc/apt/trusted.gpg.d/reg.asc + dest: "{{ apt_keyring_dir }}/reg.asc" force: yes mode: "0644" owner: root diff --git a/apt/templates/bookworm_basics.list.j2 b/apt/templates/bookworm_basics.list.j2 new file mode 100644 index 00000000..1c6bc15b --- /dev/null +++ b/apt/templates/bookworm_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bookworm {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ bookworm-updates {{ apt_basics_components | mandatory }} +deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }} diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 06de99c0..e0bc0de7 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,7 @@ # {{ ansible_managed }} -deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ +{% if ansible_distribution_release == "bookworm" %} +deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/ +{% else %} +deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/ +{% endif %} \ No newline at end of file diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 3f713930..44496203 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -28,3 +28,5 @@ docker_tls_ca_key: ca/ca-key.pem docker_tls_cert: server/cert.pem docker_tls_key: server/key.pem docker_tls_csr: server/server.csr + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index b430de6f..c60763d8 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml 
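Review bot: Debian 12 moved firmware out of `non-free` into the new `non-free-firmware` component, and the new bookworm list renders `apt_basics_components` unchanged on all three lines, so a value that was right for bullseye silently loses firmware packages on bookworm. Either document the requirement in the template (`{# on bookworm, apt_basics_components must include non-free-firmware for firmware packages #}`) or append the component for bookworm inside the template itself. The `bookworm-updates` and `bookworm-security` suites are the right ones.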
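Review bot: On bookworm the template points pub.evolix.net at the `bullseye/` suite, so Debian 12 hosts will install packages built for the previous release and the usual "suite name matches the host release" expectation no longer holds for this source. If this is a stopgap until a bookworm suite is published, say so in the template so nobody "fixes" it blindly later: `{# no bookworm suite on pub.evolix.net yet: bookworm hosts use the bullseye packages, revisit once published #}`. The file also loses its trailing newline, which apt tolerates but which will churn the next diff.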
@@ -19,7 +19,7 @@ - name: Add Docker's official GPG key copy: src: docker-debian.asc - dest: /etc/apt/trusted.gpg.d/docker-debian.asc + dest: "{{ apt_keyring_dir }}/docker-debian.asc" force: yes mode: "0644" owner: root @@ -27,7 +27,7 @@ - name: Add Docker repository apt_repository: - repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' + repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present filename: docker.list diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index 2b891953..98b1a646 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -29,3 +29,5 @@ elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www" elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp" elasticsearch_additional_scripts_dir: /usr/share/scripts + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 826fee1e..bb5b99da 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes 
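Review bot: The rewritten repository line drops the `arch=amd64` option the old line carried; on a host with foreign architectures enabled apt will now also request the Docker index for those architectures. Both options belong in the same bracket: `repo: 'deb [arch=amd64 signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'`.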
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index d75a23bf..497a3d2b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -21,6 +21,8 @@ evolinux_apt_public_sources: True evolinux_apt_upgrade: True evolinux_apt_remove_aptitude: True +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" + # etc-evolinux evolinux_etcevolinux_include: True diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index fefb8177..146cf455 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -81,7 +81,7 @@ - name: HPE GPG key is installed copy: src: hpePublicKey2048_key1.asc - dest: /etc/apt/trusted.gpg.d/hpePublicKey2048_key1.asc + dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" force: yes mode: "0644" owner: root @@ -91,7 +91,7 @@ - name: Add HPE repository apt_repository: - repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' + repo: 'deb [signed-by={{ apt_keyring_dir }}/hpePublicKey2048_key1.asc] https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' state: present tags: - packages @@ -208,7 +208,7 @@ - name: HWRaid GPG key is installed copy: src: hwraid.le-vert.net.asc - dest: /etc/apt/trusted.gpg.d/hwraid.le-vert.net.asc + dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" force: yes mode: "0644" owner: root @@ -219,7 +219,7 @@ - name: Add HW tool repository apt_repository: - repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' + repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' state: present tags: - packages diff --git a/filebeat/defaults/main.yml b/filebeat/defaults/main.yml index deed1508..6538aab5 100644 --- a/filebeat/defaults/main.yml 
+++ b/filebeat/defaults/main.yml @@ -22,3 +22,5 @@ filebeat_use_config_template: False filebeat_update_config: True filebeat_force_config: True filebeat_upgrade_package: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index dd326cc8..cde924b1 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/fluentd/defaults/main.yml b/fluentd/defaults/main.yml index 86475f51..18d9b0c7 100644 --- a/fluentd/defaults/main.yml +++ b/fluentd/defaults/main.yml @@ -10,3 +10,5 @@ fluentd_host_port: fluentd_flush_interval: fluentd_heartbeat_type: + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 282accf2..9248db97 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -21,7 +21,7 @@ - name: Add Fluentd GPG key copy: src: fluentd.asc - dest: /etc/apt/trusted.gpg.d/fluentd.asc + dest: "{{ apt_keyring_dir }}/fluentd.asc" force: yes mode: "0644" owner: root 
@@ -32,7 +32,7 @@ - name: Fluentd sources list is available apt_repository: - repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" + repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib" filename: treasuredata update_cache: yes state: present diff --git a/jenkins/defaults/main.yml b/jenkins/defaults/main.yml new file mode 100644 index 00000000..bf1296d7 --- /dev/null +++ b/jenkins/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 8ed3d38c..4346ef1e 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -20,7 +20,7 @@ - name: Add Jenkins GPG key copy: src: jenkins.asc - dest: /etc/apt/trusted.gpg.d/jenkins.asc + dest: "{{ apt_keyring_dir }}/jenkins.asc" force: yes mode: "0644" owner: root @@ -28,7 +28,7 @@ - name: Add jenkins APT repository apt_repository: - repo: deb http://pkg.jenkins-ci.org/debian-stable binary/ + repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/ filename: jenkins update_cache: yes diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index 7107398c..900e579c 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -9,3 +9,5 @@ kibana_proxy_nginx: False kibana_proxy_domain: "kibana.{{ ansible_fqdn }}" kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt" kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file 
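Review bot: The Jenkins repository value is the only one in this commit left unquoted, `repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://...`; it parses because the plain scalar starts with `deb`, but the `[` and `{{` inside it are exactly the characters YAML and ansible-lint trip over if the value is ever reordered. Quote it like the other roles do: `repo: 'deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/'`.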
diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index d0694094..5e9b0016 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root @@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/logstash/defaults/main.yml b/logstash/defaults/main.yml index 7cc40e49..b42fc347 100644 --- a/logstash/defaults/main.yml +++ b/logstash/defaults/main.yml @@ -7,4 +7,6 @@ logstash_log_rotate_days: 365 logstash_custom_tmpdir: Null logstash_default_tmpdir: /var/lib/logstash/tmp logstash_log_syslog_enabled: True -logstash_config_force: True \ No newline at end of file +logstash_config_force: True + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 856ceba1..6b46ce69 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root 
@@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 5567c4d0..9b501b6c 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -30,4 +30,4 @@ lxc_php_services: php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' - +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 47039fe7..b0ff90fe 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -19,13 +19,13 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ bullseye main" - - "deb http://pub.evolix.net/ bullseye-php80/" + - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php80/" - name: copy pub.evolix.net GPG key copy: src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc mode: "0644" owner: root group: root @@ -33,7 +33,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg mode: "0644" owner: root group: root diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index 8883cbcc..91dc38e1 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml 
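Review bot: The key destinations inside the container are built from `apt_keyring_dir`, which is computed from the host's `ansible_distribution_major_version`, while the container itself is pinned to `bullseye` on the sources lines just above; a bookworm host therefore writes the container's keys under `/etc/apt/keyrings`, a bullseye host under `trusted.gpg.d`. It works because the `signed-by=` option is rendered from the same variable, but that coupling is not obvious and deserves a comment on the copy task: `# apt_keyring_dir follows the HOST's Debian release; the container's signed-by= option above is rendered from the same variable, so both stay consistent`. If the container's own release is what should decide the path, derive it from a container-specific variable instead of the host fact. The same applies to php81.yml.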
@@ -19,13 +19,13 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ bullseye main" - - "deb http://pub.evolix.net/ bullseye-php81/" + - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" + - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php81/" - name: copy pub.evolix.net GPG key copy: src: reg.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc mode: "0644" owner: root group: root @@ -33,7 +33,7 @@ - name: copy packages.sury.org GPG Key copy: src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg + dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg mode: "0644" owner: root group: root diff --git a/metricbeat/defaults/main.yml b/metricbeat/defaults/main.yml index 780a4ffd..f6eb2a3e 100644 --- a/metricbeat/defaults/main.yml +++ b/metricbeat/defaults/main.yml @@ -28,3 +28,5 @@ metricbeat_tags: Null # metricbeat_fields: # - "env: staging" metricbeat_fields: Null + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 8a009f7f..021b4ae2 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -29,7 +29,7 @@ - name: Elastic GPG key is installed copy: src: elastic.asc - dest: /etc/apt/trusted.gpg.d/elastic.asc + dest: "{{ apt_keyring_dir }}/elastic.asc" force: yes mode: "0644" owner: root 
@@ -40,7 +40,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/mongodb/defaults/main.yml b/mongodb/defaults/main.yml index c118f588..667d68d5 100644 --- a/mongodb/defaults/main.yml +++ b/mongodb/defaults/main.yml @@ -7,4 +7,6 @@ mongodb_bind: 127.0.0.1 # otherwise it can disable important settings, like authorization :/ mongodb_force_config: False -mongodb_version: 4.4 \ No newline at end of file +mongodb_version: 4.4 + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index f97016ec..4c654ae6 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -21,7 +21,7 @@ - name: Add MongoDB GPG key copy: src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc" force: yes mode: "0644" owner: root @@ -29,7 +29,7 @@ - name: enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index cf5ce2ae..d2d96a3f 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml 
@@ -15,7 +15,7 @@ - name: Add MongoDB GPG key copy: src: "server-{{mongodb_version}}.asc" - dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc" + dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc" force: yes mode: "0644" owner: root @@ -23,7 +23,7 @@ - name: enable APT sources list apt_repository: - repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{mongodb_version}} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main" state: present filename: "mongodb-org-{{mongodb_version}}" update_cache: yes diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index a7c38808..70a972f3 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml 
@@ -4,44 +4,44 @@ set_fact: mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}" -- include: packages_stretch.yml +- include_tasks: packages_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include: packages_jessie.yml +- include_tasks: packages_jessie.yml when: ansible_distribution_release == "jessie" -## There is nothing to do with users on Debian 11 - yet we need a /root/.my.cnf for compatibility -- include: users_bullseye.yml - when: ansible_distribution_release == "bullseye" +## There is nothing to do with users on Debian 11+ - yet we need a /root/.my.cnf for compatibility +- include_tasks: users_bullseye.yml + when: ansible_distribution_major_version is version('11', '>=') -- include: users_buster.yml +- include_tasks: users_buster.yml when: ansible_distribution_release == "buster" -- include: users_stretch.yml +- include_tasks: users_stretch.yml when: ansible_distribution_release == "stretch" -- include: users_jessie.yml +- include_tasks: users_jessie.yml when: ansible_distribution_release == "jessie" -- include: config_stretch.yml +- include_tasks: config_stretch.yml when: ansible_distribution_major_version is version('9', '>=') -- include: config_jessie.yml +- include_tasks: config_jessie.yml when: ansible_distribution_release == "jessie" -- include: replication.yml +- include_tasks: replication.yml when: mysql_replication | bool -- include: datadir.yml +- include_tasks: datadir.yml -- include: logdir.yml +- include_tasks: logdir.yml -- include: tmpdir.yml +- include_tasks: tmpdir.yml -- include: nrpe.yml +- include_tasks: nrpe.yml -- include: munin.yml +- include_tasks: munin.yml -- include: log2mail.yml +- include_tasks: log2mail.yml -- include: utils.yml +- include_tasks: utils.yml diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index e55b6361..1ac8f2df 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml 
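Review bot: Switching from `include` to `include_tasks` makes every include dynamic, which changes tag handling: tags set on tasks inside the included files are no longer visible when the play is run with `--tags`, because the include task itself carries none and is skipped before the file is read. If any of these files rely on tags (the `nrpe.yml`, `munin.yml` and `log2mail.yml` includes plausibly do, but they are outside this diff), either use `import_tasks`, which keeps the old static behaviour, or add `tags: always` to each include so its inner tasks are filtered by their own tags. The `when:` conditions behave the same either way here, so the only behavioural difference to check is tags.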
@@ -17,7 +17,7 @@ # mytop -- name: "Install mytop (Debian 9)" +- name: "Install mytop (Debian 8)" apt: name: mytop state: present @@ -43,14 +43,23 @@ - libterm-readkey-perl when: ansible_distribution_release == "buster" -- name: "Install dependencies for mytop (Debian 11 or later)" +- name: "Install dependencies for mytop (Debian 11)" apt: name: - mariadb-client-10.5 - libconfig-inifiles-perl - libterm-readkey-perl - libdbd-mariadb-perl - when: ansible_distribution_major_version is version('11', '>=') + when: ansible_distribution_release == "bullseye" + +- name: "Install dependencies for mytop (Debian 12 or later)" + apt: + name: + - mariadb-client-10.6 + - libconfig-inifiles-perl + - libterm-readkey-perl + - libdbd-mariadb-perl + when: ansible_distribution_major_version is version('12', '=') - name: Read debian-sys-maint password (Debian < 11) shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' diff --git a/newrelic/defaults/main.yml b/newrelic/defaults/main.yml index cddbcb0b..3205e53b 100644 --- a/newrelic/defaults/main.yml +++ b/newrelic/defaults/main.yml @@ -5,3 +5,5 @@ newrelic_php: False newrelic_license: "" newrelic_appname: "" + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index c27de24d..ad3545ae 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -15,7 +15,7 @@ - name: Add NewRelic GPG key copy: src: newrelic.asc - dest: /etc/apt/trusted.gpg.d/newrelic.asc + dest: "{{ apt_keyring_dir }}/newrelic.asc" force: yes mode: "0644" owner: root 
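Review bot: The new task is named "Debian 12 or later" but its condition `is version('12', '=')` matches Debian 12 only, while the bullseye task just got the opposite treatment (name narrowed to "(Debian 11)" with `== "bullseye"`); make name and condition agree, e.g. `when: ansible_distribution_major_version is version('12', '>=')`. The package name `mariadb-client-10.6` also looks wrong for bookworm, which ships MariaDB 10.11 and, as far as I recall, only the unversioned `mariadb-client`; verify with `apt-cache policy` on a bookworm host before relying on it.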
@@ -23,7 +23,7 @@ - name: Install NewRelic repository apt_repository: - repo: "deb http://apt.newrelic.com/debian/ newrelic non-free" + repo: "deb [signed-by={{ apt_keyring_dir }}/newrelic.asc] http://apt.newrelic.com/debian/ newrelic non-free" state: present filename: newrelic update_cache: yes diff --git a/nodejs/defaults/main.yml b/nodejs/defaults/main.yml index 8f36de49..a8adbb47 100644 --- a/nodejs/defaults/main.yml +++ b/nodejs/defaults/main.yml @@ -4,3 +4,5 @@ nodejs_apt_version: 'node_16.x' nodejs_install_yarn: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index 5ab49e70..cdd733f2 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -32,7 +32,7 @@ - name: NodeJS GPG key is installed copy: src: nodesource.asc - dest: /etc/apt/trusted.gpg.d/nodesource.asc + dest: "{{ apt_keyring_dir }}/nodesource.asc" mode: "0644" owner: root group: root @@ -43,7 +43,7 @@ - name: NodeJS sources list ({{ nodejs_apt_version }}) is available apt_repository: - repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" filename: nodesource update_cache: yes state: present diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index e3dfe1da..f4f2dc37 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -25,7 +25,7 @@ - name: Yarn GPG key is installed copy: src: yarn.asc - dest: /etc/apt/trusted.gpg.d/yarn.asc + dest: "{{ apt_keyring_dir }}/yarn.asc" mode: "0644" owner: root group: root 
@@ -37,7 +37,7 @@ - name: Yarn sources list is available apt_repository: - repo: "deb https://dl.yarnpkg.com/debian/ stable main" + repo: "deb [signed-by={{ apt_keyring_dir }}/yarn.asc] https://dl.yarnpkg.com/debian/ stable main" filename: yarn update_cache: yes state: present diff --git a/packweb-apache/meta/main.yml b/packweb-apache/meta/main.yml index bbf086ce..47d29159 100644 --- a/packweb-apache/meta/main.yml +++ b/packweb-apache/meta/main.yml @@ -26,18 +26,5 @@ galaxy_info: allow_duplicates: true -dependencies: - - { role: evolix/apache } - - { role: evolix/php, php_apache_enable: True, when: packweb_apache_modphp } - - { role: evolix/php, php_fpm_enable: True, when: packweb_apache_fpm } - - { role: evolix/squid, squid_localproxy_enable: True } - - { role: evolix/mysql, when: packweb_mysql_variant == "debian" } - - { role: evolix/mysql-oracle, when: packweb_mysql_variant == "oracle" } - - { role: evolix/lxc-php, lxc_php_version: php56, lxc_php_create_mysql_link: True, when: "'php56' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php70, lxc_php_create_mysql_link: True, when: "'php70' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php73, lxc_php_create_mysql_link: True, when: "'php73' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php74, lxc_php_create_mysql_link: True, when: "'php74' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php80, lxc_php_create_mysql_link: True, when: "'php80' in packweb_multiphp_versions" } - - { role: evolix/lxc-php, lxc_php_version: php81, lxc_php_create_mysql_link: True, when: "'php81' in packweb_multiphp_versions" } - - { role: evolix/webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}", evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" } - - { role: evolix/evoacme } +dependencies: [] + 
diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 57b360ce..96c11e3a 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -33,6 +33,7 @@ - include - negotiation - alias + - log_forensic - name: Copy Apache settings for modules copy: diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml new file mode 100644 index 00000000..0182654c --- /dev/null +++ b/packweb-apache/tasks/dependencies.yml 
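Review bot: Enabling `log_forensic` only loads the module; nothing is logged until a `ForensicLog` directive is configured (not visible in this diff), and once it is, the forensic log records every request header verbatim, including `Cookie`, `Authorization` and any session tokens. Whoever adds the directive needs to keep that file root-only and rotated, and the list entry should say why the module is there: `- log_forensic  # logs full request headers incl. cookies/auth; keep the ForensicLog file 0640 root:adm and rotate it`.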
@@ -0,0 +1,80 @@
+---
+
+- import_role:
+ name: evolix/apache
+
+- import_role:
+ name: evolix/php
+ vars:
+ php_apache_enable: True
+ when: packweb_apache_modphp
+
+- import_role:
+ name: evolix/php
+ vars:
+ php_fpm_enable: True
+ when: packweb_apache_fpm
+
+- import_role:
+ name: evolix/squid
+ vars:
+ squid_localproxy_enable: True
+
+- import_role:
+ name: evolix/mysql
+ when: packweb_mysql_variant == "debian"
+
+- import_role:
+ name: evolix/mysql-oracle
+ when: packweb_mysql_variant == "oracle"
+
+- import_role:
+ name: evolix/lxc-php
+ vars:
+ lxc_php_version: php56
+ lxc_php_create_mysql_link: True
+ when: "'php56' in packweb_multiphp_versions"
+
+- import_role:
+ name: evolix/lxc-php
+ vars:
+ lxc_php_version: php70
+ lxc_php_create_mysql_link: True
+ when: "'php70' in packweb_multiphp_versions"
+
+- import_role:
+ name: evolix/lxc-php
+ vars:
+ lxc_php_version: php73
+ lxc_php_create_mysql_link: True
+ when: "'php73' in packweb_multiphp_versions"
+
+- import_role:
+ name: evolix/lxc-php
+ vars:
+ lxc_php_version: php74
+ lxc_php_create_mysql_link: True
+ when: "'php74' in packweb_multiphp_versions"
+
+- import_role:
+ name: evolix/lxc-php
+ vars:
+ lxc_php_version: php80
+ lxc_php_create_mysql_link: True
+ when: "'php80' in packweb_multiphp_versions"
+
+- import_role:
+ name: evolix/lxc-php
+ vars:
+ lxc_php_version: php81
+ lxc_php_create_mysql_link: True
+ when: "'php81' in packweb_multiphp_versions"
+
+- import_role:
+ name: evolix/webapps/evoadmin-web
+ vars:
+ evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"
+ evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}"
+
+- import_role:
+ name: evolix/evoacme
\ No newline at end of file
diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml
index 5e2f9e92..ff3cd9a7 100644
--- a/packweb-apache/tasks/main.yml
+++ b/packweb-apache/tasks/main.yml
@@ -1,5 +1,8 @@ --- +- name: Dependencies are satisfied + include_tasks: dependencies.yml + - fail: msg: only compatible with Debian >= 8 when: diff --git a/percona/defaults/main.yml b/percona/defaults/main.yml index 46a86904..316eccc9 100644 --- a/percona/defaults/main.yml +++ b/percona/defaults/main.yml @@ -2,3 +2,5 @@ percona__install_xtrabackup: True percona__xtrabackup_package_name: percona-xtrabackup-24 + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index 27544252..6dc319ff 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -18,7 +18,7 @@ - name: Add Percona GPG key copy: src: percona.asc - dest: /etc/apt/trusted.gpg.d/percona.asc + dest: "{{ apt_keyring_dir }}/percona.asc" force: yes mode: "0644" owner: root diff --git a/php/defaults/main.yml b/php/defaults/main.yml index 19040baf..2e633d0f 100644 --- a/php/defaults/main.yml +++ b/php/defaults/main.yml @@ -8,3 +8,5 @@ php_symfony_requirements: False php_modules_mysqlnd: False php_fpm_remove_default_pool: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 973c0069..079a14d5 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -19,3 +19,8 @@ service: name: php7.4-fpm state: restarted + +- name: restart php8.1-fpm + service: + name: php8.1-fpm + state: restarted diff --git a/php/tasks/main.yml b/php/tasks/main.yml index 86bde74f..180712b2 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml 
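Review bot: The dependencies are now pulled in as the very first task, ahead of the `fail` guard that rejects Debian < 8 (its `when` continues outside the hunk), so on an unsupported release every dependent role still runs before the compatibility check fires. That was also true with meta dependencies, but now that the order is under this file's control the guard should come first: move `include_tasks: dependencies.yml` below the `fail` task. A one-line comment on the include, `# must stay after the Debian version guard`, would keep it there.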
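Review bot: Unlike every other role in this commit, the Percona key is moved into `apt_keyring_dir` without a matching `signed-by=` on the repository entry: this hunk only touches the key copy and there is no second hunk for the sources line. On Debian 12 that leaves the key in `/etc/apt/keyrings`, which apt does not consult unless a source names it, so `apt update` should fail signature verification for the Percona repository with NO_PUBKEY; on earlier releases the key still lands in `trusted.gpg.d` and the problem is masked. Add the option to the repository line (outside this hunk), e.g. `deb [signed-by={{ apt_keyring_dir }}/percona.asc] ...`, or keep the key in `trusted.gpg.d` until that is done.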
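Review bot: The new `restart php8.1-fpm` handler reads as the bookworm counterpart of the `php7.4-fpm` one, but Debian 12 ships PHP 8.2 (`php8.2-fpm`); a handler for 8.1 only matches an interpreter installed from deb.sury.org. If it is meant for the stock bookworm path, rename the handler and service to `php8.2-fpm`; if it is meant for Sury, say so above it, `# php8.1-fpm only exists on bookworm when deb.sury.org is enabled`.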
@@ -4,17 +4,20 @@ that: - ansible_distribution == "Debian" - ansible_distribution_major_version is version('8', '>=') - - ansible_distribution_major_version is version('11', '<=') - msg: This is only compatible with Debian 8 → 11 + - ansible_distribution_major_version is version('12', '<=') + msg: This is only compatible with Debian 8 → 12 -- include: main_jessie.yml +- include_tasks: main_jessie.yml when: ansible_distribution_release == "jessie" -- include: main_stretch.yml +- include_tasks: main_stretch.yml when: ansible_distribution_release == "stretch" -- include: main_buster.yml +- include_tasks: main_buster.yml when: ansible_distribution_release == "buster" -- include: main_bullseye.yml +- include_tasks: main_bullseye.yml when: ansible_distribution_release == "bullseye" + +- include_tasks: main_bookworm.yml + when: ansible_distribution_release == "bookworm" diff --git a/php/tasks/main_bookworm.yml b/php/tasks/main_bookworm.yml new file mode 100644 index 00000000..4dcde767 --- /dev/null +++ b/php/tasks/main_bookworm.yml 
@@ -0,0 +1,108 @@ +--- + +- name: "Set php version to 8.1 (Debian 12)" + set_fact: + php_version: "8.1" + +- name: "Set php config directories (Debian 12)" + set_fact: + php_cli_conf_dir: "/etc/php/{{ php_version }}/cli/conf.d" + php_apache_conf_dir: "/etc/php/{{ php_version }}/apache2/conf.d" + php_fpm_conf_dir: "/etc/php/{{ php_version }}/fpm/conf.d" + php_fpm_pool_dir: "/etc/php/{{ php_version }}/fpm/pool.d" + +- name: "Set php config files (Debian 12)" + set_fact: + php_cli_defaults_ini_file: "{{ php_cli_conf_dir }}/z-evolinux-defaults.ini" + php_cli_custom_ini_file: "{{ php_cli_conf_dir }}/zzz-evolinux-custom.ini" + php_apache_defaults_ini_file: "{{ php_apache_conf_dir }}/z-evolinux-defaults.ini" + php_apache_custom_ini_file: "{{ php_apache_conf_dir }}/zzz-evolinux-custom.ini" + php_fpm_defaults_ini_file: "{{ php_fpm_conf_dir }}/z-evolinux-defaults.ini" + php_fpm_custom_ini_file: "{{ php_fpm_conf_dir }}/zzz-evolinux-custom.ini" + php_fpm_debian_default_pool_file: "{{ php_fpm_pool_dir}}/www.conf" + php_fpm_default_pool_file: "{{ php_fpm_pool_dir}}/www-evolinux-defaults.conf" + php_fpm_default_pool_custom_file: "{{ php_fpm_pool_dir}}/www-evolinux-zcustom.conf" + php_fpm_default_pool_socket: "/var/run/php/php{{ php_version }}-fpm.sock" + php_fpm_service_name: "php{{ php_version }}-fpm" + +# Packages + +- name: "Set package list (Debian 12)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-sqlite3 + - php-curl + - php-ssh2 + - php-xml + - php-zip + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 12)" + apt: + name: '{{ php_stretch_packages }}' + state: present + +- name: "Install mod_php packages (Debian 12)" + apt: + name: + - libapache2-mod-php + - php + state: present + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 12)" + apt: + 
name: + - php-fpm + - php + state: present + when: php_fpm_enable + +# Configuration + +- name: "Enforce permissions on PHP directory (Debian 12)" + file: + dest: "{{ item }}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/{{ php_version }} + +- include: config_cli.yml +- name: "Enforce permissions on PHP cli directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/cli + mode: "0755" + +- include: config_fpm.yml + when: php_fpm_enable + +- name: "Enforce permissions on PHP fpm directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable + +- name: "Enforce permissions on PHP apache2 directory (Debian 12)" + file: + dest: /etc/php/{{ php_version }}/apache2 + mode: "0755" + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 13dcc4ec..eca1d4d6 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -3,7 +3,7 @@ - name: Setup deb.sury.org repository - Add GPG key copy: src: sury.gpg - dest: /etc/apt/trusted.gpg.d/sury.gpg + dest: "{{ apt_keyring_dir }}/sury.gpg" mode: "0644" owner: root group: root @@ -20,7 +20,7 @@ - name: Setup deb.sury.org repository - Add source list apt_repository: - repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" + repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main" filename: sury state: present diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index dcdffb05..ffc3007c 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml 
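Review bot: The package list fact is named `php_stretch_packages` in a Debian 12 file and carries over the comment `# php-mcrypt is no longer packaged for PHP 7.2`, both copied from the stretch variant and misleading for PHP 8.x; a release-neutral name such as `php_packages` (in the `set_fact` and in `name: '{{ php_stretch_packages }}'` of the install task) and a comment that reflects the current PHP line would fix this. Minor: `{{ php_fpm_pool_dir}}` is missing the space before `}}` in the three pool-file facts, unlike the other facts in the same block.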
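Review bot: The `copy` of sury.gpg now targets `{{ apt_keyring_dir }}`, and `copy` fails when the destination directory is missing; I believe /etc/apt/keyrings is shipped by the apt package on Debian 12, but if this role must also run on hosts where that is not guaranteed, a preceding `file: path: "{{ apt_keyring_dir }}" state: directory mode: "0755"` task would make the step robust. The same consideration applies to the percona and PGDG key copies elsewhere in this diff. The copy task's remaining keys continue outside the hunk.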
@@ -20,3 +20,5 @@ locales_default: fr_FR.UTF-8 # PostGIS postgresql_install_postgis: False + +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/postgresql/tasks/packages_bookworm.yml b/postgresql/tasks/packages_bookworm.yml new file mode 100644 index 00000000..2a78b967 --- /dev/null +++ b/postgresql/tasks/packages_bookworm.yml @@ -0,0 +1,16 @@ +--- + +- name: "Set variables (Debian 12)" + set_fact: + postgresql_version: '15' + when: postgresql_version is none or postgresql_version | length == 0 + +- include: pgdg-repo.yml + when: postgresql_version != '15' + +- name: Install postgresql package + apt: + name: + - "postgresql-{{postgresql_version}}" + - pgtop + - libdbd-pg-perl diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 38f21079..69374502 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -23,7 +23,7 @@ - name: Add PGDG GPG key copy: src: postgresql.asc - dest: /etc/apt/trusted.gpg.d/postgresql.asc + dest: "{{ apt_keyring_dir }}/postgresql.asc" force: yes mode: "0644" owner: root @@ -31,7 +31,7 @@ - name: Add PGDG repository apt_repository: - repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" + repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes - name: Add APT preference file diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index ba6b8d47..b2f2a3a8 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -34,7 +34,7 @@ group: root mode: "0755" force: yes - when: ansible_distribution_major_version is version('11', '==') + when: ansible_distribution_major_version is version('11', '>=') - name: check_rabbitmq is available for NRPE lineinfile: 
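Review bot: `when: postgresql_version != '15'` is a string comparison, so an inventory variable that sets `postgresql_version: 15` as an integer would add the PGDG repository even though 15 is the stock bookworm version; `when: postgresql_version | string != '15'` (or `is version('15', '!=')`) avoids that. The preceding `set_fact` uses `is none`, which raises if `postgresql_version` is entirely undefined — fine if the role default always defines it, otherwise `is not defined or` should be added to the condition. The `Install postgresql package` task has no `state:`; relying on the default works, but the other install tasks in this diff spell out `state: present`.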
diff --git a/webapps/evoadmin-web/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml index e78f6c7b..1d0af87a 100644 --- a/webapps/evoadmin-web/tasks/packages.yml +++ b/webapps/evoadmin-web/tasks/packages.yml @@ -17,6 +17,14 @@ - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb' when: ansible_distribution_major_version is version('10', '=') +- name: Install PHP packages from sid (Debian 12) + apt: + deb: '{{ item }}' + state: present + loop: + - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.13.2-1_all.deb' + when: ansible_distribution_major_version is version('12', '=') + - name: Install PHP packages apt: name: diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 9778da4e..ea4019a3 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -16,7 +16,7 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('9', '=') + when: ansible_distribution_release == "stretch" - name: "Set custom values for PHP config (Debian 10)" ini_file: @@ -25,7 +25,7 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('10', '=') + when: ansible_distribution_release == "buster" - name: "Set custom values for PHP config (Debian 11)" ini_file: 
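Review bot: The new task installs `php-log_1.13.2-1_all.deb` fetched from a plain `http://` URL through `apt: deb:`, which performs no repository-signature check, so a tampered download or mirror would be installed as root without any verification. Fetching the file first with `get_url` and a pinned `checksum:` into a root-owned path, then passing that path to `apt: deb:`, adds an integrity check; using `https://` for the mirror would also help if it is available. The Debian 10 task above does the same thing, but only this hunk's new lines are under review.

```yaml
- name: Download PHP packages from sid (Debian 12)
  get_url:
    url: 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.13.2-1_all.deb'
    dest: /root/php-log_1.13.2-1_all.deb
    checksum: "sha256:<SHA256_OF_PHP_LOG_DEB>"  # placeholder: fill in the verified digest
    mode: "0644"
  when: ansible_distribution_major_version is version('12', '=')

- name: Install PHP packages from sid (Debian 12)
  apt:
    deb: /root/php-log_1.13.2-1_all.deb
    state: present
  when: ansible_distribution_major_version is version('12', '=')
```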
@@ -34,7 +34,16 @@ option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" notify: reload apache2 - when: ansible_distribution_major_version is version('11', '=') + when: ansible_distribution_release == "bullseye" + +- name: "Set custom values for PHP config (Debian 11)" + ini_file: + dest: /etc/php/8.1/apache2/conf.d/zzz-evolinux-custom.ini + section: PHP + option: "disable_functions" + value: "shell-exec,system,passthru,putenv,popen" + notify: reload apache2 + when: ansible_distribution_release == "bookworm" - name: Install evoadmin VHost template:
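Review bot: The added task is named `Set custom values for PHP config (Debian 11)` but its `when:` is `bookworm`, so the name should read `(Debian 12)`. The `disable_functions` value it repeats, `shell-exec,system,passthru,putenv,popen`, spells the first entry with a hyphen while PHP's function is `shell_exec`; as written that entry matches nothing and `shell_exec` stays callable, so the hardening does not do what the task intends — the same typo is visible in the context lines of the older tasks and is worth fixing in all of them (`value: "shell_exec,system,passthru,putenv,popen"`). The `Install evoadmin VHost` task that closes the hunk continues outside it.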