From 4de33e41b5f85ec391be2706c8f8479df8d311bf Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 29 Oct 2020 10:41:21 +0100 Subject: [PATCH 01/24] mysql: fix typo in restart handler --- mysql/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 87a7613a..0ac28412 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml @@ -22,4 +22,4 @@ - name: 'restart xinetd' service: name: 'xinetd' - state: 'restart' + state: 'restarted From 7a37167e2009b28ad6b2413fbfd5220db2c736eb Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Thu, 29 Oct 2020 10:42:57 +0100 Subject: [PATCH 02/24] mysql: fix typo in restart handler --- mysql/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 0ac28412..80afafe5 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml @@ -22,4 +22,4 @@ - name: 'restart xinetd' service: name: 'xinetd' - state: 'restarted + state: 'restarted' From 15154169cfa32be5198f1b2c6e6fff6fe9b99f42 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 30 Oct 2020 11:56:24 +0100 Subject: [PATCH 03/24] kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) --- CHANGELOG.md | 1 + kvm-host/defaults/main.yml | 1 + kvm-host/meta/main.yml | 8 ++++---- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c309ba50..1130398e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * dovecot: Update munin plugin & configure it +* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode * lxc-php: Allow php containers to contact local MySQL with localhost 
diff --git a/kvm-host/defaults/main.yml b/kvm-host/defaults/main.yml index 4c77a2ff..bb97c0f9 100644 --- a/kvm-host/defaults/main.yml +++ b/kvm-host/defaults/main.yml @@ -1,2 +1,3 @@ --- kvm_custom_libvirt_images_path: '' +kvm_install_drbd: True diff --git a/kvm-host/meta/main.yml b/kvm-host/meta/main.yml index 1d6d1c36..0976cf88 100644 --- a/kvm-host/meta/main.yml +++ b/kvm-host/meta/main.yml @@ -12,8 +12,8 @@ galaxy_info: - name: Debian versions: - jessie + - stretch + - buster -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. +dependencies: + - { role: evolix/drbd, when: kvm_install_drbd } From 6c202dcf4fc2691362bd1748f4361df225dfb37f Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Fri, 6 Nov 2020 16:26:31 +0100 Subject: [PATCH 04/24] Check that ansible_distribution_major_version is defined in sudo task This variable does not exist when run on OpenBSD servers, making the ansible playbook to exit in a fatal state. --- evolinux-users/tasks/sudo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 2f2ee07c..6f127da8 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -4,6 +4,6 @@ when: ansible_distribution_release == "jessie" - include: sudo_stretch.yml - when: ansible_distribution_major_version is version('9', '>=') + when: ansible_distribution_major_version is defined and ansible_distribution_major_version is version('9', '>=') - meta: flush_handlers From b43d0f3629d4ea1030b3437743309435edafef13 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 19 Nov 2020 21:21:07 +0100 Subject: [PATCH 05/24] evoacme: upstream release 20.11 --- CHANGELOG.md | 2 +- evoacme/files/evoacme.sh | 8 +++++++- evoacme/files/make-csr.sh | 2 +- evoacme/files/vhost-domains.sh | 2 +- 4 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 1130398e..9e0c9370 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,7 +20,7 @@ The **patch** part changes incrementally at each release. ### Changed -* evoacme: Don't ignore hooks with . in the name (ignore when it's ".disable") +* evoacme: upstream release 20.11 ### Fixed diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 6db0cab7..431b8162 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -284,13 +284,19 @@ main() { export EVOACME_CHAIN="${LIVE_CHAIN}" export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}" + # emulate certbot hooks environment variables + export RENEWED_LINEAGE="${LIVE_CHAIN}" + export RENEWED_DOMAINS="${VHOST}" + # search for files in hooks directory for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do + set +e # keep only executables files, not containing a "." if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then debug "Executing ${hook}" ${hook} fi + set -e done } @@ -303,7 +309,7 @@ readonly QUIET=${QUIET:-"0"} readonly TEST=${TEST:-"0"} readonly DRY_RUN=${DRY_RUN:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.11" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 372c58fc..78512e3a 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -265,7 +265,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.11" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh index 41b065b6..f20e5dba 100755 --- a/evoacme/files/vhost-domains.sh +++ b/evoacme/files/vhost-domains.sh 
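Review bot: The `set +e` placed around `${hook}` in the hooks loop makes a failing hook invisible: its exit status is never inspected, so a hook that fails to reload a service leaves the renewed certificate unused with nothing in the output. Under `set +e` the status can be checked inline, e.g. `${hook} || echo "Hook ${hook} failed (exit ${?})" >&2`, so the operator still sees it even when `debug` output is off. As a point of style, the `set +e` / `set -e` pair would be clearer wrapping the whole `for` loop rather than sitting inside each iteration. main() starts outside the hunk.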
@@ -170,7 +170,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.11" readonly SRV_IP=${SRV_IP:-""} From 592030ee9a6c75882adece8127828af987f09caa Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 21 Nov 2020 09:59:10 +0100 Subject: [PATCH 06/24] evoacme: variable to disable Debian version check (default: False) --- CHANGELOG.md | 1 + evoacme/defaults/main.yml | 2 ++ evoacme/tasks/main.yml | 1 + 3 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e0c9370..fcb3cec5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * dovecot: Update munin plugin & configure it +* evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode diff --git a/evoacme/defaults/main.yml b/evoacme/defaults/main.yml index e54ef2fc..ef16ee78 100644 --- a/evoacme/defaults/main.yml +++ b/evoacme/defaults/main.yml @@ -14,3 +14,5 @@ evoacme_ssl_loc: 'Marseille' evoacme_ssl_org: 'Evolix' evoacme_ssl_ou: 'Security' evoacme_ssl_email: 'security@evolix.net' + +evoacme_disable_debian_check: False diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index bd8cc055..4c71d90e 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml @@ -6,6 +6,7 @@ - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '>=') msg: only compatible with Debian >= 9 + when: not evoacme_disable_debian_check - include: certbot.yml From 1d8b7c3bea565b78f1c831e9812140e543854a6e Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Tue, 24 Nov 2020 11:19:18 +0100 Subject: [PATCH 07/24] apt: disable APT Periodic This interfere with our usual workflow (listupgrade) Note : Using 0 instead of false is intentional, The value is used by the apt-daily script that except a "0" to disable itself. --- CHANGELOG.md | 1 + apt/tasks/config.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fcb3cec5..c0427b2f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes incrementally at each release. ### Changed +* apt: disable APT Periodic * evoacme: upstream release 20.11 ### Fixed diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 988aac7a..48892b9e 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -11,6 +11,7 @@ with_items: - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } + - { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' } when: apt_evolinux_config tags: - apt From 86d59cbb5fda0cbc36f20e1b04a07b1c8c464e32 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Nov 2020 13:58:59 +0100 Subject: [PATCH 08/24] mysql: install save_mysql_processlist script --- CHANGELOG.md | 1 + mysql/files/save_mysql_processlist.sh | 25 +++++++++++++++++++++++++ mysql/tasks/utils.yml | 9 +++++++++ 3 files changed, 35 insertions(+) create mode 100644 mysql/files/save_mysql_processlist.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index c0427b2f..fb0b5a7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
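Review bot: The `APT::Periodic::Enable "0"` line does more than stop the periodic cache refresh: it makes the apt-daily and apt-daily-upgrade scripts exit early, so any host that relies on unattended-upgrades for automatic security updates silently loses them. The commit message explains the listupgrade workflow, but nothing in the task or the CHANGELOG entry records that side effect for the next reader. A comment on the item would do, e.g. `# Also stops apt-daily/apt-daily-upgrade (hence unattended-upgrades runs); listupgrade is used instead`. If some inventories do depend on unattended-upgrades, a separate toggle rather than the shared `apt_evolinux_config` gate may be wanted — that cannot be judged from the hunk.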
@@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * dovecot: Update munin plugin & configure it * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) +* mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode * lxc-php: Allow php containers to contact local MySQL with localhost diff --git a/mysql/files/save_mysql_processlist.sh b/mysql/files/save_mysql_processlist.sh new file mode 100644 index 00000000..95abc57d --- /dev/null +++ b/mysql/files/save_mysql_processlist.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +set -e + +processlist() { + mysqladmin --verbose --vertical processlist +} + +DIR="/var/log/mysql-processlist" +TS=`date +%Y%m%d%H%M%S` +FILE="${DIR}/${TS}" + +if [ ! -d "${DIR}" ]; then + mkdir -p "${DIR}" + chown root:adm "${DIR}" + chmod 750 "${DIR}" +fi + +processlist > "${FILE}" +chmod 640 "${FILE}" +chown root:adm "${FILE}" + +find "${DIR}" -type f -mtime +1 -delete + +exit 0 diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 7609a81e..164507aa 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -178,3 +178,12 @@ tags: - mysql - packages + +- name: "Install save_mysql_processlist.sh" + copy: + src: save_mysql_processlist.sh + dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/save_mysql_processlist.sh" + mode: "0755" + force: no + tags: + - mysql From aa62555e9ebd6750ad2e08d474b8119f51407a95 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 27 Nov 2020 11:07:18 +0100 Subject: [PATCH 09/24] Fix name file preference for PGDG repository --- postgresql/tasks/pgdg-repo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index dcc63d6f..978b2b9f 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml 
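Review bot: `processlist > "${FILE}"` creates the dump with the caller's umask before the following `chmod 640` runs, so for a moment the file can be world-readable; the same applies to `mkdir -p "${DIR}"` before its `chmod 750`. A process list can contain full query text (credentials, personal data), which is presumably why root:adm 640 was chosen, so setting `umask 027` right after `set -e` makes the intended mode hold from creation. Minor style points: `TS=$(date +%Y%m%d%H%M%S)` instead of backticks, and the trailing `exit 0` is redundant under `set -e`.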
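Review bot: `force: no` on the copy of save_mysql_processlist.sh means that once the script exists on a host, later fixes to it are never deployed by the role. If that is deliberate (to preserve local edits), a comment on the task saying so would help; otherwise dropping `force: no` is enough, since `copy` only rewrites the file when its content differs.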
@@ -21,5 +21,5 @@ - name: Add APT preference file template: src: postgresql.pref.j2 - dest: /etc/apt/preferences.d/ + dest: /etc/apt/preferences.d/postgresql.pref mode: "0644" From ae07d508cf140c4ccc7860222706c96a90a59b2a Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 30 Nov 2020 10:51:34 +0100 Subject: [PATCH 10/24] Fix key and update just after add pgdg repo key --- postgresql/tasks/pgdg-repo.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 978b2b9f..8d937b82 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -18,6 +18,11 @@ #url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc data: "{{ lookup('file', 'ACCC4CF8.asc') }}" +- name: Update and upgrade apt packages for PGDG repository + apt: + upgrade: yes + update_cache: yes + - name: Add APT preference file template: src: postgresql.pref.j2 From 18ac1e72798fd44cc7b9056d9dc1c322b45cbf9f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 1 Dec 2020 19:02:35 +0100 Subject: [PATCH 11/24] redis: check maxmemory in NRPE check If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction" then we enforce the "maxmemory" limit --- CHANGELOG.md | 1 + redis/files/check_redis_instances.sh | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb0b5a7c..4c06e5f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. * mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode +* redis: check maxmemory in NRPE check * lxc-php: Allow php containers to contact local MySQL with localhost ### Changed diff --git a/redis/files/check_redis_instances.sh b/redis/files/check_redis_instances.sh index 7821aeb0..a7dead82 100644 --- a/redis/files/check_redis_instances.sh 
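Review bot: `upgrade: yes` in the new task performs a full `apt-get upgrade` of every package on the host as a side effect of adding a repository key, which is well beyond what the commit title ("update just after add pgdg repo key") describes. The task also runs before the "Add APT preference file" task, so if the PGDG sources entry is already configured at that point (not visible in the hunk), packages would be upgraded before the pin exists and could be pulled from PGDG instead of Debian. Refreshing the cache alone, `- name: Update APT cache for PGDG repository` / `apt:` / `update_cache: yes`, and placing it after the preference task, avoids both problems.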
+++ b/redis/files/check_redis_instances.sh @@ -30,11 +30,21 @@ check_server() { host=$(config_var "bind" "${conf_file}") port=$(config_var "port" "${conf_file}") pass=$(config_var "requirepass" "${conf_file}") + maxmemory=$(config_var "maxmemory" "${conf_file}") + maxmemory_policy=$(config_var "maxmemory-policy" "${conf_file}") cmd="${check_bin} -H ${host} -p ${port}" + # If "requirepass" is set we add the password to the check if [ -n "${pass}" ]; then cmd="${cmd} -x ${pass}" fi + # If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction" + # then we enforce the "maxmemory" limit + if [ -n "${maxmemory}" ]; then + if [ -z "${maxmemory_policy}" ] || [ "${maxmemory_policy}" = "noeviction" ]; then + cmd="${cmd} --total_memory ${maxmemory} --memory_utilization 80,90" + fi + fi result=$($cmd) ret="${?}" if [ "${ret}" -ge 2 ]; then From b6817cb62c0517eadaed4ffc570a45153b1dda52 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 1 Dec 2020 22:27:05 +0100 Subject: [PATCH 12/24] evoacme: upstream release 20.12 --- CHANGELOG.md | 2 +- evoacme/files/evoacme.sh | 6 +++--- evoacme/files/make-csr.sh | 4 ++-- evoacme/files/vhost-domains.sh | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c06e5f0..32bfdeda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,7 +24,7 @@ The **patch** part changes incrementally at each release. ### Changed * apt: disable APT Periodic -* evoacme: upstream release 20.11 +* evoacme: upstream release 20.12 ### Fixed diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 431b8162..2ea2d273 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -14,7 +14,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série 
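Review bot: `maxmemory` is passed straight into `--total_memory ${maxmemory}`, but redis.conf accepts that setting with a unit suffix (`256mb`, `1gb`) as well as a plain byte count; whether the check plugin parses the suffixed form is not visible here, so either confirm it or normalise the value to bytes before building the command. The `80,90` thresholds are hard-coded where everything else in check_server() comes from the instance configuration; a pair of variables with those defaults would let them be tuned without editing the script. check_server() starts and ends outside the hunk.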
@@ -285,7 +285,7 @@ main() { export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}" # emulate certbot hooks environment variables - export RENEWED_LINEAGE="${LIVE_CHAIN}" + export RENEWED_LINEAGE="${LIVE_DIR}" export RENEWED_DOMAINS="${VHOST}" # search for files in hooks directory @@ -309,7 +309,7 @@ readonly QUIET=${QUIET:-"0"} readonly TEST=${TEST:-"0"} readonly DRY_RUN=${DRY_RUN:-"0"} -readonly VERSION="20.11" +readonly VERSION="20.12" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 78512e3a..f82ad65b 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série @@ -265,7 +265,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.11" +readonly VERSION="20.12" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh index f20e5dba..5a60c23c 100755 --- a/evoacme/files/vhost-domains.sh +++ b/evoacme/files/vhost-domains.sh @@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série @@ -170,7 +170,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.11" +readonly VERSION="20.12" readonly SRV_IP=${SRV_IP:-""} From 9aa24f4cde128eab02707548676f260a649dd23c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 1 Dec 2020 22:47:38 +0100 Subject: [PATCH 13/24] minifirewall: Docker support --- CHANGELOG.md | 1 + minifirewall/defaults/main.yml | 1 + minifirewall/files/minifirewall.conf | 6 ++ minifirewall/tasks/config.yml | 6 ++ minifirewall/templates/minifirewall.j2 | 118 +++++++++++++++++++++++-- 5 files changed, 127 insertions(+), 5 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 32bfdeda..67448efd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * dovecot: Update munin plugin & configure it * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) +* minifirewall: Docker support * mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 5489b06a..e12da941 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -10,6 +10,7 @@ minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_ipv6: "on" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" +minifirewall_docker: "off" minifirewall_default_trusted_ips: [] minifirewall_additional_trusted_ips: [] diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 7285822a..2ddefe62 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf @@ -8,6 +8,12 @@ INT='eth0' # IPv6 IPV6=on +# Docker Mode +# Changes the behaviour of minifirewall to not break the containers' network +# For instance, turning it on will disable nat table purge +# Also, we'll add the DOCKER-USER chain, in iptable +DOCKER='off' + # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='192.168.0.2/32' diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 82be385c..347e58a9 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml 
@@ -58,6 +58,12 @@ # IPv6 IPV6='{{ minifirewall_ipv6 }}' + # Docker Mode + # Changes the behaviour of minifirewall to not break the containers' network + # For instance, turning it on will disable nat table purge + # Also, we'll add the DOCKER-USER chain, in iptable + DOCKER='{{ minifirewall_docker }}' + # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='{{ minifirewall_intlan }}' diff --git a/minifirewall/templates/minifirewall.j2 b/minifirewall/templates/minifirewall.j2 index 8045ce60..de9e3b96 100755 --- a/minifirewall/templates/minifirewall.j2 +++ b/minifirewall/templates/minifirewall.j2 @@ -51,6 +51,20 @@ BROAD='255.255.255.255' PORTSROOT='0:1023' PORTSUSER='1024:65535' +chain_exists() +{ + local chain_name="$1" ; shift + [ $# -eq 1 ] && local intable="--table $1" + iptables $intable -nL "$chain_name" >/dev/null 2>&1 +} + +# Configuration +oldconfigfile="/etc/firewall.rc" +configfile="{{ minifirewall_main_file }}" + +IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') +DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') +INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') case "$1" in start) @@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT $IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' $IPT -A LOG_ACCEPT -j ACCEPT -# Configuration -oldconfigfile="/etc/firewall.rc" -configfile="{{ minifirewall_main_file }}" - if test -f $oldconfigfile; then echo "$oldconfigfile is deprecated, rename to $configfile" >&2 exit 1 
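Review bot: The three `grep "…="` lookups are unanchored, so `grep "INT="` matches any line whose text contains `INT=` (a commented-out `#INT='…'`, or another variable ending in INT) and would then yield several values; anchoring them, `INT=$(grep "^INT=" {{ minifirewall_main_file }} | awk -F "'" '{print $2}')` and likewise for IPV6 and DOCKER, restricts the match to the real assignment (only the last `-F` takes effect in awk, so the `-F '='` is dead). In chain_exists() the test calls `iptables` directly while every other rule goes through `$IPT`; if `$IPT` is already set when the function is called, using it keeps the existence check on the same binary as the rules it guards. Note the parsed values also only work for single-quoted assignments, which the shipped minifirewall.conf uses.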
@@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP +if [ "$DOCKER" = "on" ]; then + + $IPT -N MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-TRUSTED -j DROP + + $IPT -N MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN + + $IPT -N MINIFW-DOCKER-PUB + $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PUB -j RETURN + + # Flush DOCKER-USER if exist, create it if absent + if chain_exists 'DOCKER-USER'; then + $IPT -F DOCKER-USER + else + $IPT -N DOCKER-USER + fi; + + # Pipe new connection through MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -j RETURN + +fi + + # Local services restrictions ############################# 
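Review bot: The DOCKER-USER rule only diverts new connections arriving on `$INT` into MINIFW-DOCKER-PUB; published container ports reached through any other interface (a second NIC, a VPN or bridge interface) return to Docker's own FORWARD rules unfiltered. Whether that mirrors how INPUT is restricted elsewhere in the script cannot be seen from the hunk, so it is worth a comment on the rule stating that only `$INT` is covered, or dropping the `-i $INT` match if the service lists are meant to apply on every interface. Also note that `$IPT -F DOCKER-USER` discards any rules another tool or an operator placed in that chain.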
@@ -218,6 +255,64 @@ for x in $SERVICESUDP3 done +if [ "$DOCKER" = "on" ]; then + + # Public services defined in SERVICESTCP1 & SERVICESUDP1 + for dstport in $SERVICESTCP1 + do + $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN + done + + for dstport in $SERVICESUDP1 + do + $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN + done + + # Privileged services (accessible from privileged & trusted IPs) + for dstport in $SERVICESTCP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + # Trusted services (accessible from trusted IPs) + for dstport in $SERVICESTCP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done +fi + # External services ################### 
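Review bot: The `--dport "$dstport"` matches in the MINIFW-DOCKER-* chains are evaluated in the FORWARD path, after Docker's nat PREROUTING rules have already rewritten the destination, so they see the container-side port rather than the host port the service was published on. For a port published as host 8080 → container 80, an entry `8080` in SERVICESTCP1 never matches, while an entry `80` would open it although 8080 was meant to be restricted. Matching on the original destination, `$IPT -I MINIFW-DOCKER-PUB -p tcp -m conntrack --ctorigdstport "$dstport" --ctdir ORIGINAL -j RETURN`, and the same substitution in the PRIVILEGED and TRUSTED loops, keeps the semantics of the service lists identical to the host rules; if the two ports are always equal in this deployment, a comment saying so would avoid the surprise.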
@@ -323,11 +418,24 @@ trap - INT TERM EXIT $IPT -F ONLYTRUSTED $IPT -F ONLYPRIVILEGIED $IPT -F NEEDRESTRICT - $IPT -t nat -F + [ "$DOCKER" = "off" ] && $IPT -t nat -F $IPT -t mangle -F [ "$IPV6" != "off" ] && $IPT6 -F INPUT [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT + if [ "$DOCKER" = "on" ]; then + $IPT -F DOCKER-USER + $IPT -A DOCKER-USER -j RETURN + + $IPT -F MINIFW-DOCKER-PUB + $IPT -X MINIFW-DOCKER-PUB + $IPT -F MINIFW-DOCKER-PRIVILEGED + $IPT -X MINIFW-DOCKER-PRIVILEGED + $IPT -F MINIFW-DOCKER-TRUSTED + $IPT -X MINIFW-DOCKER-TRUSTED + + fi + # Accept all $IPT -P INPUT ACCEPT $IPT -P OUTPUT ACCEPT From fc71bb59452a4b7f56cb743eb005c9f7e702a090 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 1 Dec 2020 22:57:13 +0100 Subject: [PATCH 14/24] minifirewall: upstream release 20.12 --- CHANGELOG.md | 2 +- minifirewall/files/minifirewall.conf | 3 +-- minifirewall/templates/minifirewall.j2 | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67448efd..e409b444 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ The **patch** part changes incrementally at each release. * dovecot: Update munin plugin & configure it * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) -* minifirewall: Docker support +* minifirewall: upstream release 20.12 * mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 2ddefe62..1c637483 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf 
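Review bot: `[ "$DOCKER" = "off" ] && $IPT -t nat -F` skips the nat flush whenever DOCKER is anything other than the literal `off`, including empty; since DOCKER is read from the config file with grep and existing hosts may have a config without a `DOCKER=` line (the config is installed with `force: no`), `stop` on those hosts would no longer flush the nat table, a change from previous behaviour. Testing the enabled state instead, `[ "$DOCKER" != "on" ] && $IPT -t nat -F`, matches the `"$IPV6" != "off"` style used on the next lines and keeps the old behaviour when the variable is absent.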
@@ -1,6 +1,5 @@ # Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall -# For fun, we keep last change from first CVS repository: -# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $ +# Version 20.12 — 2020-12-01 22:55:35 # Main interface INT='eth0' diff --git a/minifirewall/templates/minifirewall.j2 b/minifirewall/templates/minifirewall.j2 index de9e3b96..13b5130d 100755 --- a/minifirewall/templates/minifirewall.j2 +++ b/minifirewall/templates/minifirewall.j2 @@ -4,7 +4,7 @@ # we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel # See https://gitea.evolix.org/evolix/minifirewall -# Copyright (c) 2007-2015 Evolix +# Copyright (c) 2007-2020 Evolix # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 3 From 84bd3372d5d1303aa20de28c8c590ddece8b571e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 2 Dec 2020 15:22:35 +0100 Subject: [PATCH 15/24] blockinfile: change from "content" to "block" It solves the diff bug : https://github.com/ansible/ansible/issues/62315 --- minifirewall/tasks/config.yml | 4 ++-- redis/tasks/default-log2mail.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 347e58a9..4c852d6b 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -51,7 +51,7 @@ blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" - content: | + block: | # Main interface INT='{{ minifirewall_int }}' @@ -95,7 +95,7 @@ blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" - content: | + block: | # Protected services # (add also in Public services if needed) SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}' 
diff --git a/redis/tasks/default-log2mail.yml b/redis/tasks/default-log2mail.yml index 8614a11d..21628b0c 100644 --- a/redis/tasks/default-log2mail.yml +++ b/redis/tasks/default-log2mail.yml @@ -8,7 +8,7 @@ mode: "0640" create: yes marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE" - content: | + block: | file = {{ redis_log_dir }}/redis-server.log pattern = "Cannot allocate memory" mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} From 98f798b9fb949537820e22256a6abc2d2a138e5e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 3 Dec 2020 17:26:16 +0100 Subject: [PATCH 16/24] cerbot: parse HAProxy config file only if HAProxy is found --- CHANGELOG.md | 2 ++ certbot/files/hooks/haproxy.sh | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e409b444..08b8b5b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,8 @@ The **patch** part changes incrementally at each release. ### Fixed +* cerbot: parse HAProxy config file only if HAProxy is found + ### Removed ### Security diff --git a/certbot/files/hooks/haproxy.sh b/certbot/files/hooks/haproxy.sh index 1a7f5d4e..932a3e90 100644 --- a/certbot/files/hooks/haproxy.sh +++ b/certbot/files/hooks/haproxy.sh @@ -56,6 +56,9 @@ main() { fi if daemon_found_and_running; then + readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" + readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) + if found_renewed_lineage; then haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" @@ -86,7 +89,5 @@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} readonly haproxy_bin=$(command -v haproxy) -readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" -readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) main From 5522f822f74c0879a74ba6a1068cb91c877e90ee Mon Sep 17 00:00:00 2001 
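Review bot: `readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)` takes the status of `readonly`, not of the detection, and the result is used unchecked on the next visible line, so an empty detection would make `haproxy_cert_file` resolve to `/<lineage>.pem` at the filesystem root. A guard after the assignment, such as `[ -n "${haproxy_cert_dir}" ] || { echo "Unable to detect HAProxy certificate directory" >&2; exit 1; }`, fails closed instead; whether detect_haproxy_cert_dir can return empty is not visible here. main() starts and ends outside the hunk.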
From: Eric Morino Date: Mon, 7 Dec 2020 16:18:56 +0100 Subject: [PATCH 17/24] add set facts for buster --- postgresql/tasks/packages_buster.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 3f45e84c..3b6b3e49 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -1,5 +1,9 @@ --- +- name: "Set variables (Debian 10)" + set_fact: + postgresql_version: '11' + - include: pgdg-repo.yml when: postgresql_version != '11' From 2a94a3bdf1e6184ed12d2515ddc3941c0b97db8f Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 7 Dec 2020 16:21:57 +0100 Subject: [PATCH 18/24] fix packages_buster --- postgresql/tasks/packages_buster.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 3b6b3e49..4b2e9efc 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -3,6 +3,7 @@ - name: "Set variables (Debian 10)" set_fact: postgresql_version: '11' + when: postgresql_version = '' - include: pgdg-repo.yml when: postgresql_version != '11' From 0f7dcb57b11ee98a18d4e103ce6797820b3ce1f0 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 7 Dec 2020 16:24:11 +0100 Subject: [PATCH 19/24] add postgresql_version to empty --- postgresql/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index c81ff575..7b2b3734 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -9,7 +9,7 @@ postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" # PostgreSQL version -postgresql_version: '9.6' +postgresql_version: '' # Set locales locales_default: fr_FR.UTF-8 From 1160a5e809d163120d373fda5365762453b50ba5 Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Mon, 7 Dec 2020 16:43:59 +0100 Subject: [PATCH 20/24] postgresql: correct confitinal on set_fact --- postgresql/tasks/packages_buster.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 4b2e9efc..3a1a440e 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -3,7 +3,7 @@ - name: "Set variables (Debian 10)" set_fact: postgresql_version: '11' - when: postgresql_version = '' + when: postgresql_version == "" - include: pgdg-repo.yml when: postgresql_version != '11' From c324866cd2b888505ff92b37cb931d7da0ec3d44 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Mon, 7 Dec 2020 16:45:32 +0100 Subject: [PATCH 21/24] Add set variables for debian stretch and jessie --- postgresql/tasks/packages_jessie.yml | 5 +++++ postgresql/tasks/packages_stretch.yml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index abf0ad08..3e21bc0e 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml @@ -1,5 +1,10 @@ --- +- name: "Set variables (Debian 8)" + set_fact: + postgresql_version: '9.4' + when: postgresql_version == "" + - include: pgdg-repo.yml when: postgresql_version != '9.4' diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index d6a3aa5e..eff513f9 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -1,5 +1,10 @@ --- +- name: "Set variables (Debian 9)" + set_fact: + postgresql_version: '9.6' + when: postgresql_version == "" + - include: pgdg-repo.yml when: postgresql_version != '9.6' From 4d6f88f0f4fdf4197b56a0d962ad656bf23ffb0a Mon Sep 17 00:00:00 2001 
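Review bot: The same guarded `set_fact` is now duplicated in packages_jessie.yml, packages_stretch.yml and packages_buster.yml with only the version literal changing, which invites drift the next time a release is added; a single task in the role's main task file selecting the default from a mapping keyed on `ansible_distribution_major_version` would replace all three, though main.yml is not visible here. Separately, both the guard and the include condition compare as strings, so a `postgresql_version: 11` given as a number in inventory would not equal `'11'` and pgdg-repo.yml would be included for the distribution's own version; `postgresql_version | string != '11'` (and likewise for the other files) tolerates that.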
From: Jeremy Lecour Date: Mon, 7 Dec 2020 17:23:21 +0100 Subject: [PATCH 22/24] minifirewall: add variables to force upgrade the script and the config (default: False) --- CHANGELOG.md | 1 + minifirewall/defaults/main.yml | 3 +++ minifirewall/tasks/install.yml | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 08b8b5b4..f2ce2a6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. * evoacme: variable to disable Debian version check (default: False) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) * minifirewall: upstream release 20.12 +* minifirewall: add variables to force upgrade the script and the config (default: False) * mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index e12da941..fd4e726b 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -5,6 +5,9 @@ minifirewall_tail_file: /etc/default/minifirewall.tail minifirewall_tail_included: False minifirewall_tail_force: True +minifirewall_force_upgrade_script: False +minifirewall_force_upgrade_config: False + minifirewall_git_url: "https://forge.evolix.org/minifirewall.git" minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index a4bcf734..5d6438ed 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -9,7 +9,7 @@ template: src: minifirewall.j2 dest: /etc/init.d/minifirewall - force: no + force: "{{ minifirewall_force_upgrade_script | default('no') }}" mode: "0700" owner: root group: root 
@@ -18,7 +18,7 @@
   copy:
     src: minifirewall.conf
     dest: "{{ minifirewall_main_file }}"
-    force: no
+    force: "{{ minifirewall_force_upgrade_config | default('no') }}"
     mode: "0600"
     owner: root
     group: root

From 772bce8c0b0150e7a8c4bf32314d5653148f7142 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Mon, 7 Dec 2020 17:26:45 +0100
Subject: [PATCH 23/24] dovecot: vmail uid/gid are configurable

---
 CHANGELOG.md              | 1 +
 dovecot/defaults/main.yml | 4 +++-
 dovecot/tasks/main.yml    | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f2ce2a6e..f2d562e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release.
 ### Added
 
 * dovecot: Update munin plugin & configure it
+* dovecot: vmail uid/gid are configurable
 * evoacme: variable to disable Debian version check (default: False)
 * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
 * minifirewall: upstream release 20.12
diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index 884bc1ca..52e06bda 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -1,2 +1,4 @@
 ---
-dovecot_foo: bar
+
+dovecot_vmail_uid: 5000
+dovecot_vmail_gid: 5000
diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index 8492e00a..8508a902 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -40,7 +40,7 @@
 - name: create vmail group
   group:
     name: vmail
-    gid: 5000
+    gid: "{{ dovecot_vmail_gid }}"
   tags:
     - dovecot
 
@@ -48,7 +48,7 @@
   user:
     name: vmail
     group: vmail
-    uid: 5000
+    uid: "{{ dovecot_vmail_uid }}"
     shell: /bin/false
   tags:
     - dovecot

From 3c4986275c781b7ad6651ad6271fb9aa66348890 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 8 Dec 2020 11:07:42 +0100
Subject: [PATCH 24/24] evocheck: upstream release 20.12

---
 CHANGELOG.md               |  1 +
 evocheck/files/evocheck.sh | 37 ++++++++++++++++++++++++-------------
 2 files changed, 25 insertions(+), 13 deletions(-)

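Review bot: With `minifirewall_force_upgrade_config` enabled, this `copy` task replaces the live firewall configuration at `{{ minifirewall_main_file }}` with the role's stock minifirewall.conf, discarding every locally tuned trusted address, port and allow-list with no copy kept. Add `backup: yes` to the task so the previous configuration survives next to the file, and document the consequence where the flag is declared, e.g. `# Overwrites the live config: local rule customizations are lost (a .bak copy is kept)`. As in the script task, `| default('no')` is redundant because the variable is declared in the role defaults in this commit; the task's `name:` line is above the hunk.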
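Review bot: The two new defaults carry no comment, so a reader cannot tell that they must agree with whatever the Dovecot configuration expects for the mail-store owner (mail_uid/mail_gid or the first_valid_uid range, if the role templates those — I cannot see dovecot.conf from here). Suggest a comment above them such as `# Numeric uid/gid of the vmail account that owns the mail store; change only on a fresh install and keep in sync with the Dovecot mail_uid/mail_gid settings`. If any template in the role still hardcodes 5000, it should reference these variables as well, otherwise changing the default desynchronizes the account from the daemon's configuration.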
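Review bot: Changing `dovecot_vmail_uid` on an already provisioned host makes the `user` module run `usermod -u`, which renumbers the account but only re-owns files under its home directory; mail stored anywhere else keeps the old numeric owner and Dovecot loses access to it. Either state in a comment that the uid/gid are only safe to change before the first run, or add a task that re-owns the mail location when the configured value differs from the existing account (the task's `name:` and any `home:` are above the hunk, so I cannot tell where the mail store lives). The same consideration applies to `dovecot_vmail_gid` in the group task above.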
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f2d562e7..4eefc696 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,7 @@ The **patch** part changes incrementally at each release.
 
 * apt: disable APT Periodic
 * evoacme: upstream release 20.12
+* evocheck: upstream release 20.12
 
 ### Fixed
 
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 5c3f1365..287982e2 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-readonly VERSION="20.04.3"
+readonly VERSION="20.12"
 
 # base functions
 
@@ -205,10 +205,13 @@ check_customsudoers() {
     grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file"
 }
 check_vartmpfs() {
-    df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
-}
-check_vartmpfs() {
-    df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
+    FINDMNT_BIN=$(command -v findmnt)
+    if [ -x "${FINDMNT_BIN}" ]; then
+        ${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
+    else
+        df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
+    fi
+
 }
 check_serveurbase() {
     is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
@@ -559,7 +562,7 @@ check_evobackup_exclude_mount() {
     # shellcheck disable=SC2064
     trap "rm -f ${excludes_file}" 0
     # shellcheck disable=SC2044
-    for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do
+    for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
         grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
         not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
         for mount in ${not_excluded}; do
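Review bot: The two branches of the rewritten check_vartmpfs do not test the same thing: `findmnt /var/tmp` without `--target` matches only when /var/tmp is itself a mount point, while the `df /var/tmp | grep -q tmpfs` fallback matches the filesystem that contains the path, so a host with a tmpfs mounted on a parent and /var/tmp as a plain directory passes on one branch and fails on the other. If the requirement is "exactly /var/tmp must be a tmpfs", say so in a comment and keep the exact-mountpoint form; otherwise use `${FINDMNT_BIN} --target /var/tmp --type tmpfs --noheadings > /dev/null`. The added blank line before the closing `}` is a leftover worth dropping.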
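Review bot: The exclusion added to the `for` line, `grep -v -E ".disabled$"`, uses an unescaped dot and an extra pipe where find can do the filtering itself; `find /etc/cron* -name '*evobackup*' ! -name '*.disabled'` expresses the intent directly and avoids another word-split stage in a loop that already needs `SC2044` disabled. A short comment such as `# skip cron jobs that were disabled by renaming them *.disabled` would document the convention the filter encodes. The body of check_evobackup_exclude_mount continues outside the hunk.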
@@ -878,15 +881,25 @@ check_sql_backup() {
     if (is_installed "mysql-server" || is_installed "mariadb-server"); then
         # You could change the default path in /etc/evocheck.cf
         SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
-        test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
+        for backup_path in ${SQL_BACKUP_PATH}; do
+            if [ ! -f "${backup_path}" ]; then
+                failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})"
+                test "${VERBOSE}" = 1 || break
+            fi
+        done
     fi
 }
 check_postgres_backup() {
-    if is_installed "postgresql-9*"; then
+    if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then
         # If you use something like barman, you should disable this check
         # You could change the default path in /etc/evocheck.cf
-        POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
-        test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
+        POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"}
+        for backup_path in ${POSTGRES_BACKUP_PATH}; do
+            if [ ! -f "${backup_path}" ]; then
+                failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})"
+                test "${VERBOSE}" = 1 || break
+            fi
+        done
     fi
 }
 check_mongo_backup() {
@@ -1013,7 +1026,7 @@ check_duplicate_fs_label() {
     BLKID_BIN=$(command -v blkid)
     if [ -x "$BLKID_BIN" ]; then
         tmpFile=$(mktemp -p /tmp)
-        parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
+        parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
         for part in $parts; do
             echo "$part" >> "$tmpFile"
         done
@@ -1517,8 +1530,6 @@ main() {
 # shellcheck disable=SC2034
 readonly PROGNAME=$(basename "$0")
-# shellcheck disable=SC2034
-readonly PROGDIR=$(realpath -m "$(dirname "$0")")
 # shellcheck disable=2124
 readonly ARGS=$@
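Review bot: `[ ! -f "${backup_path}" ]` in both new loops only proves a dump file exists, so a zero-byte file left behind by a failed mysqldump or pg_dump still satisfies the compliance check and a non-restorable backup goes unreported; `[ ! -s "${backup_path}" ]` catches at least the empty-file case at no cost. Because the paths are now iterated unquoted so that globs such as the new default `pg.dump.bak*` expand, an unmatched glob is iterated as the literal pattern and the failure message prints `pg.dump.bak*` rather than a path — acceptable, but worth a comment above `SQL_BACKUP_PATH`, e.g. `# space-separated list, globs allowed; an unmatched glob is reported literally`. `is_installed "postgresql-1*"` assumes is_installed accepts a wildcard, which I cannot confirm from this hunk; check_sql_backup's header is above the hunk.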
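Review bot: `$BLKID_BIN -c /dev/null` bypasses the blkid cache and probes the block devices directly, which needs read access to them; if evocheck is ever run unprivileged, blkid prints nothing, `parts` ends up empty, and the duplicate-label check silently passes instead of reporting that it could not run. Unless main() already refuses to run as non-root (not visible here), guard the probe, e.g. `[ "$(id -u)" = 0 ] || failed "IS_DUPLICATE_FS_LABEL" "blkid needs root to probe devices"` before the `parts=` line, or at least comment why the cache is bypassed: `# -c /dev/null: read labels from the devices, not a possibly stale cache`. The function continues outside the hunk.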