Merge branch 'unstable' into change_timezone

2020-12-09 09:16:34 +01:00 · 2020-12-09 09:16:34 +01:00 · 18ce6a7a57
parent 0defe8b6f1 3c4986275c
commit 18ce6a7a57
29 changed files with 268 additions and 46 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,16 +13,26 @@ The **patch** part changes incrementally at each release.
 ### Added

 * dovecot: Update munin plugin & configure it
+* dovecot: vmail uid/gid are configurable
+* evoacme: variable to disable Debian version check (default: False)
+* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
+* minifirewall: upstream release 20.12
+* minifirewall: add variables to force upgrade the script and the config (default: False)
+* mysql: install save_mysql_processlist script
 * nextcloud: New role to setup a nextcloud instance
 * redis: variable to force use of port 6379 in instances mode
+* redis: check maxmemory in NRPE check
 * lxc-php: Allow php containers to contact local MySQL with localhost

 ### Changed

-* evoacme: Don't ignore hooks with . in the name (ignore when it's ".disable")
+* apt: disable APT Periodic
+* evoacme: upstream release 20.12
+* evocheck: upstream release 20.12

 ### Fixed

+* cerbot: parse HAProxy config file only if HAProxy is found
 * lxc: Force lxc containers to be in the correct timezone

 ### Removed
--- a/apt/tasks/config.yml
+++ b/apt/tasks/config.yml
@ -11,6 +11,7 @@
  with_items:
    - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
    - { line: "APT::Install-Suggests \"false\";",   regexp: 'APT::Install-Suggests' }
+    - { line: "APT::Periodic::Enable \"0\";",   regexp: 'APT::Periodic::Enable' }
  when: apt_evolinux_config
  tags:
    - apt
--- a/certbot/files/hooks/haproxy.sh
+++ b/certbot/files/hooks/haproxy.sh
@ -56,6 +56,9 @@ main() {
    fi

    if daemon_found_and_running; then
+        readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
+        readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)
+
        if found_renewed_lineage; then
            haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
            failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
@ -86,7 +89,5 @@ readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}

 readonly haproxy_bin=$(command -v haproxy)
-readonly haproxy_config_file="/etc/haproxy/haproxy.cfg"
-readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)

 main
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@ -1,2 +1,4 @@
 ---
-dovecot_foo: bar
+
+dovecot_vmail_uid: 5000
+dovecot_vmail_gid: 5000
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@ -40,7 +40,7 @@
 - name: create vmail group
  group:
    name: vmail
-    gid: 5000
+    gid: "{{ dovecot_vmail_gid }}"
  tags:
  - dovecot

@ -48,7 +48,7 @@
  user:
    name: vmail
    group: vmail
-    uid: 5000
+    uid: "{{ dovecot_vmail_uid }}"
    shell: /bin/false
  tags:
  - dovecot
--- a/evoacme/defaults/main.yml
+++ b/evoacme/defaults/main.yml
@ -14,3 +14,5 @@ evoacme_ssl_loc: 'Marseille'
 evoacme_ssl_org: 'Evolix'
 evoacme_ssl_ou: 'Security'
 evoacme_ssl_email: 'security@evolix.net'
+
+evoacme_disable_debian_check: False
--- a/evoacme/files/evoacme.sh
+++ b/evoacme/files/evoacme.sh
@ -14,7 +14,7 @@ show_version() {
    cat <<END
 evoacme version ${VERSION}

-Copyright 2009-2019 Evolix <info@evolix.fr>,
+Copyright 2009-2020 Evolix <info@evolix.fr>,
                    Victor Laborie <vlaborie@evolix.fr>,
                    Jérémy Lecour <jlecour@evolix.fr>,
                    Benoit Série <bserie@evolix.fr>
@ -284,13 +284,19 @@ main() {
    export EVOACME_CHAIN="${LIVE_CHAIN}"
    export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}"

+    # emulate certbot hooks environment variables
+    export RENEWED_LINEAGE="${LIVE_DIR}"
+    export RENEWED_DOMAINS="${VHOST}"
+
    # search for files in hooks directory
    for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do
+        set +e
        # keep only executables files, not containing a "."
        if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then
            debug "Executing ${hook}"
            ${hook}
        fi
+        set -e
    done
 }

@ -303,7 +309,7 @@ readonly QUIET=${QUIET:-"0"}
 readonly TEST=${TEST:-"0"}
 readonly DRY_RUN=${DRY_RUN:-"0"}

-readonly VERSION="20.08"
+readonly VERSION="20.12"

 # Read configuration file, if it exists
 [ -r /etc/default/evoacme ] && . /etc/default/evoacme
--- a/evoacme/files/make-csr.sh
+++ b/evoacme/files/make-csr.sh
@ -13,7 +13,7 @@ show_version() {
    cat <<END
 make-csr version ${VERSION}

-Copyright 2009-2019 Evolix <info@evolix.fr>,
+Copyright 2009-2020 Evolix <info@evolix.fr>,
                    Victor Laborie <vlaborie@evolix.fr>,
                    Jérémy Lecour <jlecour@evolix.fr>,
                    Benoit Série <bserie@evolix.fr>
@ -265,7 +265,7 @@ readonly ARGS=$@
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}

-readonly VERSION="20.08"
+readonly VERSION="20.12"

 # Read configuration file, if it exists
 [ -r /etc/default/evoacme ] && . /etc/default/evoacme
--- a/evoacme/files/vhost-domains.sh
+++ b/evoacme/files/vhost-domains.sh
@ -13,7 +13,7 @@ show_version() {
    cat <<END
 vhost-domains version ${VERSION}

-Copyright 2009-2019 Evolix <info@evolix.fr>,
+Copyright 2009-2020 Evolix <info@evolix.fr>,
                    Victor Laborie <vlaborie@evolix.fr>,
                    Jérémy Lecour <jlecour@evolix.fr>,
                    Benoit Série <bserie@evolix.fr>
@ -170,7 +170,7 @@ readonly ARGS=$@
 readonly VERBOSE=${VERBOSE:-"0"}
 readonly QUIET=${QUIET:-"0"}

-readonly VERSION="20.08"
+readonly VERSION="20.12"

 readonly SRV_IP=${SRV_IP:-""}

--- a/evoacme/tasks/main.yml
+++ b/evoacme/tasks/main.yml
@ -6,6 +6,7 @@
      - ansible_distribution == "Debian"
      - ansible_distribution_major_version is version('9', '>=')
    msg: only compatible with Debian >= 9
+  when: not evoacme_disable_debian_check

 - include: certbot.yml

--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix

-readonly VERSION="20.04.3"
+readonly VERSION="20.12"

 # base functions

@ -205,10 +205,13 @@ check_customsudoers() {
    grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file"
 }
 check_vartmpfs() {
-    df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
-}
-check_vartmpfs() {
-    df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
+    FINDMNT_BIN=$(command -v findmnt)
+    if [ -x "${FINDMNT_BIN}" ]; then
+        ${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
+    else
+        df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
+    fi
+    
 }
 check_serveurbase() {
    is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
@ -559,7 +562,7 @@ check_evobackup_exclude_mount() {
    # shellcheck disable=SC2064
    trap "rm -f ${excludes_file}" 0
    # shellcheck disable=SC2044
-    for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do
+    for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
        grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
        not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
        for mount in ${not_excluded}; do
@ -878,15 +881,25 @@ check_sql_backup() {
    if (is_installed "mysql-server" || is_installed "mariadb-server"); then
        # You could change the default path in /etc/evocheck.cf
        SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
-        test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
+        for backup_path in ${SQL_BACKUP_PATH}; do
+            if [ ! -f "${backup_path}" ]; then
+                failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})"
+                test "${VERBOSE}" = 1 || break
+            fi
+        done
    fi
 }
 check_postgres_backup() {
-    if is_installed "postgresql-9*"; then
+    if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then
        # If you use something like barman, you should disable this check
        # You could change the default path in /etc/evocheck.cf
-        POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
-        test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
+        POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"}
+        for backup_path in ${POSTGRES_BACKUP_PATH}; do
+            if [ ! -f "${backup_path}" ]; then
+                failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})"
+                test "${VERBOSE}" = 1 || break
+            fi
+        done
    fi
 }
 check_mongo_backup() {
@ -1013,7 +1026,7 @@ check_duplicate_fs_label() {
    BLKID_BIN=$(command -v blkid)
    if [ -x "$BLKID_BIN" ]; then
        tmpFile=$(mktemp -p /tmp)
-        parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
+        parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
        for part in $parts; do
            echo "$part" >> "$tmpFile"
        done
@ -1517,8 +1530,6 @@ main() {

 # shellcheck disable=SC2034
 readonly PROGNAME=$(basename "$0")
-# shellcheck disable=SC2034
-readonly PROGDIR=$(realpath -m "$(dirname "$0")")
 # shellcheck disable=2124
 readonly ARGS=$@

--- a/evolinux-users/tasks/sudo.yml
+++ b/evolinux-users/tasks/sudo.yml
@ -4,6 +4,6 @@
  when: ansible_distribution_release == "jessie"

 - include: sudo_stretch.yml
-  when: ansible_distribution_major_version is version('9', '>=')
+  when: ansible_distribution_major_version is defined and ansible_distribution_major_version is version('9', '>=')

 - meta: flush_handlers
--- a/kvm-host/defaults/main.yml
+++ b/kvm-host/defaults/main.yml
@ -1,2 +1,3 @@
 ---
 kvm_custom_libvirt_images_path: ''
+kvm_install_drbd: True
--- a/kvm-host/meta/main.yml
+++ b/kvm-host/meta/main.yml
@ -12,8 +12,8 @@ galaxy_info:
  - name: Debian
    versions:
    - jessie
+    - stretch
+    - buster

-dependencies: []
-  # List your role dependencies here, one per line.
-  # Be sure to remove the '[]' above if you add dependencies
-  # to this list.
+dependencies:
+  - { role: evolix/drbd, when: kvm_install_drbd }
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@ -5,11 +5,15 @@ minifirewall_tail_file: /etc/default/minifirewall.tail
 minifirewall_tail_included: False
 minifirewall_tail_force: True

+minifirewall_force_upgrade_script: False
+minifirewall_force_upgrade_config: False
+
 minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
 minifirewall_checkout_path: "/tmp/minifirewall"
 minifirewall_int: "{{ ansible_default_ipv4.interface }}"
 minifirewall_ipv6: "on"
 minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
+minifirewall_docker: "off"

 minifirewall_default_trusted_ips: []
 minifirewall_additional_trusted_ips: []
--- a/minifirewall/files/minifirewall.conf
+++ b/minifirewall/files/minifirewall.conf
@ -1,6 +1,5 @@
 # Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
-# For fun, we keep last change from first CVS repository:
-# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
+# Version 20.12 — 2020-12-01 22:55:35

 # Main interface
 INT='eth0'
@ -8,6 +7,12 @@ INT='eth0'
 # IPv6
 IPV6=on

+# Docker Mode
+# Changes the behaviour of minifirewall to not break the containers' network
+# For instance, turning it on will disable nat table purge
+# Also, we'll add the DOCKER-USER chain, in iptable
+DOCKER='off'
+
 # Trusted IPv4 local network
 # ...will be often IP/32 if you don't trust anything
 INTLAN='192.168.0.2/32'
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@ -51,13 +51,19 @@
  blockinfile:
    dest: "{{ minifirewall_main_file }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
-    content: |
+    block: |
      # Main interface
      INT='{{ minifirewall_int }}'

      # IPv6
      IPV6='{{ minifirewall_ipv6 }}'

+      # Docker Mode
+      # Changes the behaviour of minifirewall to not break the containers' network
+      # For instance, turning it on will disable nat table purge
+      # Also, we'll add the DOCKER-USER chain, in iptable
+      DOCKER='{{ minifirewall_docker }}'
+
      # Trusted IPv4 local network
      # ...will be often IP/32 if you don't trust anything
      INTLAN='{{ minifirewall_intlan }}'
@ -89,7 +95,7 @@
  blockinfile:
    dest: "{{ minifirewall_main_file }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
-    content: |
+    block: |
      # Protected services
      # (add also in Public services if needed)
      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
--- a/minifirewall/tasks/install.yml
+++ b/minifirewall/tasks/install.yml
@ -9,7 +9,7 @@
  template:
    src: minifirewall.j2
    dest: /etc/init.d/minifirewall
-    force: no
+    force: "{{ minifirewall_force_upgrade_script | default('no') }}"
    mode: "0700"
    owner: root
    group: root
@ -18,7 +18,7 @@
  copy:
    src: minifirewall.conf
    dest: "{{ minifirewall_main_file }}"
-    force: no
+    force: "{{ minifirewall_force_upgrade_config | default('no') }}"
    mode: "0600"
    owner: root
    group: root
--- a/minifirewall/templates/minifirewall.j2
+++ b/minifirewall/templates/minifirewall.j2
@ -4,7 +4,7 @@
 # we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
 # See https://gitea.evolix.org/evolix/minifirewall

-# Copyright (c) 2007-2015 Evolix
+# Copyright (c) 2007-2020 Evolix
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 3
@ -51,6 +51,20 @@ BROAD='255.255.255.255'
 PORTSROOT='0:1023'
 PORTSUSER='1024:65535'

+chain_exists()
+{
+    local chain_name="$1" ; shift
+    [ $# -eq 1 ] && local intable="--table $1"
+    iptables $intable -nL "$chain_name" >/dev/null 2>&1
+}
+
+# Configuration
+oldconfigfile="/etc/firewall.rc"
+configfile="{{ minifirewall_main_file }}"
+
+IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
+DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '='  -F "'" '{print $2}')
+INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '='  -F "'" '{print $2}')

 case "$1" in
 start)
@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT
 $IPT -A LOG_ACCEPT -j LOG  --log-prefix '[IPTABLES ACCEPT] : '
 $IPT -A LOG_ACCEPT -j ACCEPT

-# Configuration
-oldconfigfile="/etc/firewall.rc"
-configfile="{{ minifirewall_main_file }}"
-
 if test -f $oldconfigfile; then
    echo "$oldconfigfile is deprecated, rename to $configfile" >&2
    exit 1
@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
 $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP


+if [ "$DOCKER" = "on" ]; then
+
+    $IPT -N MINIFW-DOCKER-TRUSTED
+    $IPT -A MINIFW-DOCKER-TRUSTED -j DROP
+
+    $IPT -N MINIFW-DOCKER-PRIVILEGED
+    $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
+    $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
+
+    $IPT -N MINIFW-DOCKER-PUB
+    $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
+    $IPT -A MINIFW-DOCKER-PUB -j RETURN
+
+    # Flush DOCKER-USER if exist, create it if absent
+    if chain_exists 'DOCKER-USER'; then
+        $IPT -F DOCKER-USER
+    else
+        $IPT -N DOCKER-USER
+    fi;
+
+    # Pipe new connection through MINIFW-DOCKER-PUB
+    $IPT -A DOCKER-USER -i $INT -m state  --state NEW -j MINIFW-DOCKER-PUB
+    $IPT -A DOCKER-USER -j RETURN
+
+fi
+
+
 # Local services restrictions
 #############################

@ -218,6 +255,64 @@ for x in $SERVICESUDP3
    done


+if [ "$DOCKER" = "on" ]; then
+
+    # Public services defined in SERVICESTCP1 & SERVICESUDP1
+    for dstport in $SERVICESTCP1
+        do
+            $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
+        done
+
+    for dstport in $SERVICESUDP1
+        do
+            $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
+        done
+
+    # Privileged services (accessible from privileged & trusted IPs)
+    for dstport in $SERVICESTCP2
+        do
+            for srcip in $PRIVILEGIEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    for dstport in $SERVICESUDP2
+        do
+            for srcip in $PRIVILEGIEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    # Trusted services (accessible from trusted IPs)
+    for dstport in $SERVICESTCP3
+        do
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    for dstport in $SERVICESUDP3
+        do
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+fi
+
 # External services
 ###################

@ -323,11 +418,24 @@ trap - INT TERM EXIT
    $IPT -F ONLYTRUSTED
    $IPT -F ONLYPRIVILEGIED
    $IPT -F NEEDRESTRICT
-    $IPT -t nat -F
+    [ "$DOCKER" = "off" ] && $IPT -t nat -F
    $IPT -t mangle -F
    [ "$IPV6" != "off" ] && $IPT6 -F INPUT
    [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT

+    if [ "$DOCKER" = "on" ]; then
+        $IPT -F DOCKER-USER
+        $IPT -A DOCKER-USER -j RETURN
+
+        $IPT -F MINIFW-DOCKER-PUB
+        $IPT -X MINIFW-DOCKER-PUB
+        $IPT -F MINIFW-DOCKER-PRIVILEGED
+        $IPT -X MINIFW-DOCKER-PRIVILEGED
+        $IPT -F MINIFW-DOCKER-TRUSTED
+        $IPT -X MINIFW-DOCKER-TRUSTED
+
+    fi
+
    # Accept all
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
--- a/mysql/files/save_mysql_processlist.sh
+++ b/mysql/files/save_mysql_processlist.sh
@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+processlist() {
+    mysqladmin --verbose --vertical processlist
+}
+
+DIR="/var/log/mysql-processlist"
+TS=`date +%Y%m%d%H%M%S`
+FILE="${DIR}/${TS}"
+
+if [ ! -d "${DIR}" ]; then
+    mkdir -p "${DIR}"
+    chown root:adm "${DIR}"
+    chmod 750 "${DIR}"
+fi
+
+processlist > "${FILE}"
+chmod 640 "${FILE}"
+chown root:adm "${FILE}"
+
+find "${DIR}" -type f -mtime +1 -delete
+
+exit 0
--- a/mysql/handlers/main.yml
+++ b/mysql/handlers/main.yml
@ -22,4 +22,4 @@
 - name: 'restart xinetd'
  service:
    name: 'xinetd'
-    state: 'restart'
+    state: 'restarted'
--- a/mysql/tasks/utils.yml
+++ b/mysql/tasks/utils.yml
@ -178,3 +178,12 @@
  tags:
    - mysql
    - packages
+
+- name: "Install save_mysql_processlist.sh"
+  copy:
+    src: save_mysql_processlist.sh
+    dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/save_mysql_processlist.sh"
+    mode: "0755"
+    force: no
+  tags:
+    - mysql
--- a/postgresql/defaults/main.yml
+++ b/postgresql/defaults/main.yml
@ -9,7 +9,7 @@ postgresql_random_page_cost: 1.5
 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB"

 # PostgreSQL version
-postgresql_version: '9.6'
+postgresql_version: ''

 # Set locales
 locales_default: fr_FR.UTF-8
--- a/postgresql/tasks/packages_buster.yml
+++ b/postgresql/tasks/packages_buster.yml
@ -1,5 +1,10 @@
 ---

+- name: "Set variables (Debian 10)"
+  set_fact:
+    postgresql_version: '11'
+  when: postgresql_version == ""
+
 - include: pgdg-repo.yml
  when: postgresql_version != '11'

--- a/postgresql/tasks/packages_jessie.yml
+++ b/postgresql/tasks/packages_jessie.yml
@ -1,5 +1,10 @@
 ---

+- name: "Set variables (Debian 8)"
+  set_fact:
+    postgresql_version: '9.4'
+  when: postgresql_version == ""
+
 - include: pgdg-repo.yml
  when: postgresql_version != '9.4'

--- a/postgresql/tasks/packages_stretch.yml
+++ b/postgresql/tasks/packages_stretch.yml
@ -1,5 +1,10 @@
 ---

+- name: "Set variables (Debian 9)"
+  set_fact:
+    postgresql_version: '9.6'
+  when: postgresql_version == ""
+
 - include: pgdg-repo.yml
  when: postgresql_version != '9.6'

--- a/postgresql/tasks/pgdg-repo.yml
+++ b/postgresql/tasks/pgdg-repo.yml
@ -18,8 +18,13 @@
    #url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc
    data: "{{ lookup('file', 'ACCC4CF8.asc') }}"

+- name: Update and upgrade apt packages for PGDG repository
+  apt:
+    upgrade: yes
+    update_cache: yes
+
 - name: Add APT preference file
  template:
    src: postgresql.pref.j2
-    dest: /etc/apt/preferences.d/
+    dest: /etc/apt/preferences.d/postgresql.pref
    mode: "0644"
--- a/redis/files/check_redis_instances.sh
+++ b/redis/files/check_redis_instances.sh
@ -30,11 +30,21 @@ check_server() {
    host=$(config_var "bind" "${conf_file}")
    port=$(config_var "port" "${conf_file}")
    pass=$(config_var "requirepass" "${conf_file}")
+    maxmemory=$(config_var "maxmemory" "${conf_file}")
+    maxmemory_policy=$(config_var "maxmemory-policy" "${conf_file}")

    cmd="${check_bin} -H ${host} -p ${port}"
+    # If "requirepass" is set we add the password to the check
    if [ -n "${pass}" ]; then
        cmd="${cmd} -x ${pass}"
    fi
+    # If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction"
+    # then we enforce the "maxmemory" limit
+    if [ -n "${maxmemory}" ]; then
+        if [ -z "${maxmemory_policy}" ] || [ "${maxmemory_policy}" = "noeviction" ]; then
+            cmd="${cmd} --total_memory ${maxmemory} --memory_utilization 80,90"
+        fi
+    fi
    result=$($cmd)
    ret="${?}"
    if [ "${ret}" -ge 2 ]; then
--- a/redis/tasks/default-log2mail.yml
+++ b/redis/tasks/default-log2mail.yml
@ -8,7 +8,7 @@
    mode: "0640"
    create: yes
    marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
-    content: |
+    block: |
      file = {{ redis_log_dir }}/redis-server.log
      pattern = "Cannot allocate memory"
      mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}