Merge branch 'unstable' into stable

.gitignore

@@ -2,3 +2,4 @@
 .kateproject.d
 .vagrant/
 *.swp
+.vscode

.markdownlint.json

@@ -0,0 +1,4 @@
+{
+    "MD013": false,
+    "MD024": false
+}

.vscode/settings.json

@@ -3,5 +3,6 @@
         "*.yml": "ansible",
         "*.yaml": "ansible"
     },
-    "yaml.format.enable": false
+    "yaml.format.enable": false,
+    "ansible.python.interpreterPath": "/bin/python"
 }

CHANGELOG.md

@@ -1,4 +1,5 @@
 # Changelog
+
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
@@ -8,7 +9,6 @@ The **major** part of the version is the year
 The **minor** part changes is the month
 The **patch** part changes is incremented if multiple releases happen the same month
 
-
 ## [Unreleased]
 
 ### Added
@@ -21,6 +21,88 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Security
 
+## [23.10] 2023-10-14
+
+### Added
+
+* apt: disable `NonFreeFirmware` warning for VM on Debian 12+
+* apt: explicit `signed-by` directives for official sources
+* bind: add reload-zone helper
+* certbot: deploy-hook for proftpd
+* docker-host: added var for user namespace setting
+* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
+* dovecot: fix old_stats plugin for Dovecot 2.3
+* evocheck: add support for Debian >= 12 split SSH configuration
+* evolinux-base: add split SSH configuration for Debian >= 12
+* evolinux-base: configure `.bashrc` for all users
+* evolinux-base: New variable `evolinux_system_include_ntpd` to chose wether or not to include `ntpd` role
+* evolinux-base: reboot the server if the Cloud kernel has been installed
+* evolinux-users: add split SSH configuration for Debian >= 12
+* evolinux: install HPE Agentless Management Service (amsd)
+* fail2ban: add default variable fail2ban_dbpurgeage_default
+* fail2ban: add `fail2ban_sshd_port` variable to configure sshd port
+* kvm-host: release 23.10 for migrate-vm.sh
+* metricbeat/logstash: fix Ansible syntax
+* mysql: new munin graph to follow binlog_days over time
+* nagios-nrpe: add a NRPE check-local command with completion.
+* nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients)
+* php: add new variable to disable overriding settings of php-fpm default pool (www)
+* policy_pam: New role to manage password policy with `pam_pwquality` & `pam_pwhistory`
+* userlogrotate: add a `userlogpurge` script disabled by default
+* userlogrotate: new version, with separate conf file
+* userlogrotate: rotate also php.log
+* java: allow version 17
+* timesyncd: new role, used instead of ntpd by default starting with Debian 12
+
+### Changed
+
+* all: change syntax "become: [yes,no]" → "become: [true,false]"
+* all: change syntax "force: [yes,no]" → "force: [true,false]"
+* elasticsearch: improve networking configuration
+* evolinux-base: include files under `sshd_config.d`
+* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
+* evomaintenance: upstream release 23.10.1
+* lxc-php: change LXC container in bookworm for php82
+* minifirewall: update nrpe script to check active configuration
+* minifirewall: upstream release 23.07
+* mysql: improve shell syntax for mysql_skip script
+* nagios-nrpe: set default check_load --per-cpu for BSD
+* pgbouncer: minor fixes
+* postfix (packmail or when postfix_slow_transport_include is True): change `miniprofmal_backoff_time` from 2h to 15m (see HowtoPostfix)
+* postfix (packmail) : optimize Amavis integration
+* postfix: disable sending mails via IPv6
+* postfix: new spam.sh update script that avoids reloading if files did not change.
+* postgresql: fix file `postgresql.pref.j2` for exclude package
+* postgresql: fix task `update apt cache` for PGDG repo
+* redis: standardize plugins path from `/usr/local/share/munin/` to `/usr/local/lib/munin/plugins/`
+* varnish: allow the systemd template to be overridden with a template outside of the role
+* lxc: purge openssh-server from container on install
+
+### Fixed
+
+* elasticsearch: comment the `Xlog:gc` line instead of changing it completely
+* evocheck: fix IS_SSHALLOWUSERS condition
+* evolinux-base, evolinux-users: Fix files mode under `/etc/ssh/sshd_config.d`
+* evolinux-base: fix file extension
+* fail2ban: fix cron `fail2ban_dbpurge` (should be bash instead of sh)
+* lxc-php: fix APT keyring path inside containers
+* nagios-nrpe: `check_ssl_local` now has an output that nrpe can understand when it isn't OK
+* nagios-nrpe: remount `/usr` **after** installing the packages
+* nagios-nrpe: sync Redis check from redis roles
+* nginx: set default server directive in default vhost
+* opendkim: update apt cache before install
+* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
+* postfix: add missing `localhost.$mydomain` to `mydestination`
+* redis: replace erroneous `ini_file` module for Munin config, fix dedicated Munin config filename (z-XXX).
+* evolinux-base: use lineinfile instead of replace under root task
+* evolinux-base: Corriger autorisation pour evolinux_user
+* docker-host: Retirer directive state en trop
+* rbenv: Installer libyaml-dev
+
+### Removed
+
+* dovecot: remove Munin plugin dovecot (not working)
+
 ## [23.04] 2023-04-23
 
 ### Added
@@ -107,7 +189,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * evolinux-base: subversion is not installed anymore
 
-
 ## [22.12] 2022-12-14
 
 ### Added
@@ -162,7 +243,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
 
-
 ## [22.09] 2022-09-19
 
 ### Added
@@ -176,7 +256,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * proftpd: Add options to override configs (and add a warning if file was overriden)
 * proftpd: Allow user auth with ssh keys
 
-
 ### Changed
 
 * evocheck: upstream release 22.09
@@ -184,7 +263,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * generate-ldif: Support any MariaDB version
 * minifirewall: use handlers to restart minifirewall
 * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
-* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3) 
+* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
 * openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
 * nagios-nrpe: Upgrade check_mongo
 
@@ -302,7 +381,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Added
 
-* docker : Introduce new default settings + allow to change the docker data directory 
+* docker : Introduce new default settings + allow to change the docker data directory
 * docker : Introduce new variables to tweak daemon settings
 
 ### Changed
@@ -335,7 +414,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * minifirewall: restore "force-restart" and fix "restart-if-needed"
 * minifirewall: tail template follows symlinks
 * minifirewall: upstream release 22.05
-* opendkim : add generate opendkim-genkey in sha256 and key 4096 
+* opendkim : add generate opendkim-genkey in sha256 and key 4096
 * openvpn: use a local copy of files instead of cloning an external git repository
 * openvpn: use a subnet topology instead of the net30 default topology
 * tomcat: Tomcat 9 by default with Debian 11
@@ -698,6 +777,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [10.0.0] - 2020-05-13
 
 ### Added
+
 * apache: the default VHost doesn't redirect to https for ".well-known" paths
 * apt: added buster backports prerferences
 * apt: check if cron is installed before adding a cron job
@@ -734,6 +814,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * bind: enable bind9 munin plugin for recursive resolvers
 
 ### Changed
+
 * replace version_compare() with version()s
 * removed some deprecations for Ansible 2.7
 * apache: improve permissions in save_apache_status script
@@ -779,6 +860,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * varnish: remove custom ExecReload= script for Debian 10+
 
 ### Fixed
+
 * etc-git: fix warnings ansible-lint
 * evoadmin-web: Put the php config at the right place for Buster
 * lxc: Don't stop the container if it already exists
@@ -801,16 +883,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available
 
 ### Removed
+
 * clamav : do not install the zoo package anymore
 
 ## [9.10.1] - 2019-06-21
 
 ### Changed
+
 * evocheck : update (version 19.06) from upstream
 
 ## [9.10.0] - 2019-06-21
 
 ### Added
+
 * apache: add server status suffix in VHost (and default site) if missing
 * apache: add a variable to customize the server-status host
 * apt: add a script to manage packages with "hold" mark
@@ -821,6 +906,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * redmine: enable gzip compression in nginx vhost
 
 ### Changed
+
 * evocheck : update (unreleased) from upstream
 * evomaintenance : use the web API instead of PG Insert
 * fluentd: store gpg key locally
@@ -833,23 +919,26 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * apt: Add Debian Buster repositories
 
 ### Fixed
+
 * rbenv: add check_mode for check rbenv and ruby versions
 * nagios-nrpe: fix redis_instances check when Redis port equal 0
 * redmine: fix 500 error on logging
 * evolinux-base: Validate sshd config with "-t" instead of "-T"
 * evolinux-base: Ensure rename is present
 * evolinux-users: Validate sshd config with "-t" instead of "-T"
-* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
+* nagios-nrpe: Replace the dummy packages nagios-plugins-*with monitoring-plugins-*
 
 ## [9.9.0] - 2019-04-16
 
 ### Added
+
 * etc-git: ignore evobackup/.keep-* files
 * lxc: /home is mounted in the container by default
 * nginx : add "x-frame-options: sameorigin" for Munin
 
 ### Changed
-* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
+
+* changed remote repository to <https://gitea.evolix.org/evolix/ansible-roles>
 * apt: Ensure jessie-backport from archives.debian.org is accepted
 * apt: Remove jessie-update suite as it's no longer exists
 * apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
@@ -862,8 +951,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * tomcat: better tomcat version management
 * webapps/evoadmin-web: add dbadmin.sh to sudoers file
 
-
 ### Fixed
+
 * spamassasin: fix sa-update.sh and ensure service is started and enabled
 * tomcat-instance: deploy correct version of config files
 * tomcat-instance: deploy correct version of server.xml
@@ -871,20 +960,24 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.8.0] - 2019-01-31
 
 ### Added
+
 * filebeat: disable cloud_metadata processor by default
 * metricbeat: disable cloud_metadata processor by default
 * percona : new role to install Percona repositories and tools
 * redis: add variable for configure unixsocketperm
 
 ### Changed
+
 * redmine: refactoring of redmine role with use of rbenv
 
 ### Fixed
+
 * ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
 
 ## [9.7.0] - 2019-01-17
 
 ### Added
+
 * apache: add Munin configuration for Apache server-status URL
 * evomaintenance: database variables must be set or the task fails
 * fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
@@ -897,6 +990,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * proftpd: add FTPS and SFTP support
 
 ### Changed
+
 * redis: distinction between main and master password
 * evocheck: update evocheck.sh for source install
 * php: added php-zip in the installed package list for debian 9 (and later)
@@ -904,6 +998,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * java: update Oracle java package to 8u192
 
 ### Fixed
+
 * fail2ban: fix "ignoreip" update
 * metricbeat: fix username/password replacement
 * nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
@@ -912,16 +1007,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
 * redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
 
-
 ## [9.6.0] - 2018-12-04
 
 ### Added
+
 * evolinux-base: deploy custom motd if template are present
 * minifirewall: all variables are configurable (untouched by default)
 * minifirewall: main file is configurable
 * squid: minifirewall main file is configurable
 
 ### Changed
+
 * minifirewall: compare config before/after (for restart condition)
 * squid: better replacement in minifirewall config
 * evoadmin-mail: complete refactoring, use Debian Package
@@ -929,6 +1025,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.5.0] - 2018-11-14
 
 ### Added
+
 * apache: separate task to update IP whitelist
 * evolinux-base: install man package
 * evolinux-users: add newaliases handler
@@ -942,11 +1039,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * mysql: logdir can be customized
 
 ### Changed
+
 * evocheck: update script from upstream
 * evomaintenance: update script from upstream
 * mysql: restart service if systemd unit has been patched
 
 ### Fixed
+
 * packweb-apache: mod-security config is already included elsewhere
 * redis: for permissions on log and lib directories
 * redis: fix shell for instance users
@@ -955,13 +1054,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.4.2] - 2018-10-12
 
 ### Added
+
 * evomaintenance: install dependencies manually when installing vendored version
 * nagios-nrpe: add an option to ignore servers in NOLB status
 
 ### Changed
+
 * haproxy: move check_haproxy_stats to nagios-nrpe role
 
 ### Fixed
+
 * evoacme: better error when apache2ctl fails
 * evomaintenance: fix role compatibility with OpenBSD
 * spamassassin: add missing right for amavis
@@ -970,16 +1072,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.4.1] - 2018-09-28
 
 ### Added
+
 * redis: set masterauth when redis_password is defined
 * evomaintenance: variable to install a vendored version
 * evomaintenance: tasks/variables to handle minifirewall restarts
 
 ### Changed
+
 * mysql-oracle: better handle packages and users
 
 ## [9.4.0] - 2018-09-20
 
 ### Added
+
 * etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
 * evolinux-base: better shell history
 * evolinux-users: add user to /etc/aliases
@@ -994,9 +1099,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * nagios-nrpe: add check_redis_instances
 
 ### Changed
+
 * dovecot: stronger TLS configuration
 
 ### Fixed
+
 * apache: cleaner way to overwrite the server status suffix
 * packweb-apache: don't regenerate phpMyAdmin suffix each time
 * nginx: cleaner way to overwrite the server status suffix
@@ -1005,11 +1112,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.3.2] - 2018-09-06
 
 ### Added
+
 * minifirewall: add a variable to disable the restart handler
 * minifirewall: add a variable to force a restart of the firewall (even with no change)
 * minifirewall: improve variables values and documentation
 
 ### Changed
+
 * dovecot: enable SSL/TLS by default with snakeoil certificate
 
 ### Fixed
@@ -1019,11 +1128,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.3.1] - 2018-08-30
 
 ### Added
+
 * metricbeat: new variables to configure elasticsearch hosts and auth
 
 ## [9.3.0] - 2018-08-24
 
 ### Added
+
 * elasticsearch: tmpdir configuration compatible with 5.x also
 * elasticsearch: add http.publish_host variable
 * evoacme: disable old certbot cron also in cron.daily
@@ -1044,6 +1155,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * nagios-nrpe: add check_postgrey
 
 ### Changed
+
 * etc-git: some entries of .gitignore are mandatory
 * evocheck: update upstream script
 * evolinux-base: improve hostname configuration (real vs. internal)
@@ -1062,6 +1174,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * kvm-host: install kvm-tools package instead of copying add-vm.sh
 
 ### Fixed
+
 * apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
 * bind: chroot-bind.sh must not be executed in check mode
 * evoacme: fix module detection in apache config
@@ -1073,12 +1186,14 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.2.0] - 2018-05-16
 
 ### Changed
+
 * filebeat: install version 6.x by default
 * filebeat: cleanup unused code
 * squid: add some domaine and fix broken restrictions
 * elasticsearch: defaults to version 6.x
 
 ### Fixed
+
 * evolinux-users: secondary groups are comma-separated
 * ntpd: fix configuration (server and ACL)
 * varnish: don't fork the process on startup with systemd
@@ -1088,6 +1203,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
 
 ### Changed
+
 * apache: customize logrotate (52 weeks)
 * evolinux: groups for SSH configuration are used with Debian 10 and later
 * evolinux-base: fail2ban is not enabled by default
@@ -1099,9 +1215,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.1.8] - 2018-04-16
 
 ### Changed
+
 * packweb-apache: use dependencies instead of include_role for apache and php roles
 
 ### Fixed
+
 * mysql: use check_mode for apg command (Fix --check)
 * mysql/mysql-oracle: properly reload systemd
 * packweb-apache: use check_mode for apg command (Fix --check)
@@ -1109,6 +1227,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.1.7] - 2018-04-06
 
 ### Added
+
 * added a few become attributes where missing
 * etc-git: add tags for Ansible
 * evolinux-base: install ncurses-term package
@@ -1126,6 +1245,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * redmine: added missing tags
 
 ### Changed
+
 * elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
 * elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
 * evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
@@ -1141,6 +1261,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
 
 ### Fixed
+
 * dovecot: fix support of plus sign
 * mysql/mysql-oracle: mysqltuner cron task is executable
 * nginx: fix basic auth for default vhost
@@ -1149,21 +1270,25 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.1.6] - 2018-02-02
 
 ### Added
+
 * mongodb: install python-pymongo for monitoring
 * nagios-nrpe: allowed_hosts can be updated
 
 ### Changed
+
 * Changelog: explain the versioning scheme
 * Changelog: add a release date for 9.1.5
 * evoacme: exclude typical certbot directories
 
 ### Fixed
+
 * fail2ban: fix horrible typo, Python is not Ruby
 * nginx: fix servers status dirname
 
 ## [9.1.5] - 2018-01-18
 
 ### Added
+
 * There is a changelog!
 * redis: configuration variable for protected mode (v3.2+)
 * evolinux-users: users are in "adm" group for Debian 9 or later
@@ -1175,41 +1300,49 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * redmine: ability to install themes and plugins
 
 ### Changed
+
 * rbenv: Ruby 2.5 becomes the default version
 * evocheck: update upstream version embedded in role (c993244)
 * bind: keep 52 weeks of logs
 
 ### Fixed
+
 * squid: different logrotate file for Jessie or Stretch+
 * evoacme: don't invoke evoacme if no vhost is found
 * evomaintenance: explicit quotes in config file
 * redmine: force xpath gem < 3.0.0
 
 ### Security
+
 * evomaintenance: fix permissions for config file
 
 ## [9.1.4] - 2017-12-20
 
 ### Added
+
 * php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
 * mysql: add a check_mysql_slave in nrpe configuration
 * ldap: slapd tcp port is configurable
 * elasticsearch: broader patterns for log rotation
 
 ### Changed
+
 * split IP lists in 2 – default and additional – for easier customization.
 
 ### Fixed
+
 * minifirewall: allow outgoing SSH connections over IPv6
 * nodejs: rename source.list file
 
 ### Security
+
 * evoadmin-web: change config.local.php file permissions
 * evolinux-base: change default_www file permissions
 
 ## [9.1.3] 2017-12-08
 
 ### Added
+
 * evolinux-base: install traceroute package
 * evolinux-base/ntpd: purge openntpd
 * tomcat: add Tomcat 8 cmpatibility
@@ -1221,6 +1354,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * elastic: option for stack main version
 
 ### Changed
+
 * nginx: rename Let's Encrypt snippet
 * nginx: simpler apt preferences for backports
 * generate-ldif: add clamd service instead of clamav_db
@@ -1232,10 +1366,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * mongodb: comatible with Stretch
 
 ### Removed
+
 * mongodb: logfile/pidfile are not configurable on Jessie
 * minifirewall: remove zidane.evolix.net from HTTPSITES
 
 ### Fixed
+
 * nginx: fix munin CGI graphs
 * ntpd: fix default configuration (localhost only)
 * logstash: fix permissions on pipeline configuration
@@ -1246,14 +1382,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ## [9.1.2] 2017-12-05
 
 ### Fixed
+
 * listupgrade: remount /usr as rw
 
 ## [9.1.1] 2017-11-21
 
 ### Added
+
 * amazon-ec2: add egress rules
 
 ### Fixed
+
 * evoacme: fix multiple bugs
 
 ## [9.1.0] 2017-11-19
@@ -1261,6 +1400,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 _Warning: huge release, many entries are missing below._
 
 ### Added
+
 * amazon-ec2: new role, for EC2 instances creation
 * Move /usr rw remount into remount-usr role
 * kibana: host and basepath configuration
@@ -1271,6 +1411,7 @@ _Warning: huge release, many entries are missing below._
 * nagios-nrpe: add opendkim check
 
 ### Changed
+
 * Combine evolix and additional trusted IP addresses
 * amazon-ec2: split tasks
 * apt: don't upgrade by default
@@ -1281,6 +1422,7 @@ _Warning: huge release, many entries are missing below._
 * ldap: better variables
 
 ### Fixed
+
 * fail2ban: create config hierarchy beforehand
 * elasticsearch: fix datadir/tmpdir conditions
 * elastic: remove double ".list" suffix
@@ -1291,10 +1433,10 @@ _Warning: huge release, many entries are missing below._
 
 ### Security
 
-
 ## [9.0.1] 2017-10-02
 
 ### Added
+
 * haproxy: add a Nagios check
 * php: add "sury" mode for PHP 7.1 on Stretch
 * minifirewall: explicit dependency on iptables
@@ -1302,9 +1444,11 @@ _Warning: huge release, many entries are missing below._
 * docker-host: new variable for docker home
 
 ### Changed
+
 * php: install php5/php package after fpm/libapache2-mod-php
 
 ### Fixed
+
 * mysql: add "REPLICATION CLIENT" privilege for nrpe
 * evoadmin-web: revert from variables to keywords in the templates
 * evoacme: many fixes

amavis/files/amavis_purge_virusmails

@@ -0,0 +1,2 @@
+#!/bin/bash
+find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete

amavis/tasks/main.yml

@@ -16,3 +16,12 @@
   notify: restart amavis
   tags:
   - amavis
+
+- name: Install purge custom cron
+  ansible.builtin.copy:
+    src: amavis_purge_virusmails
+    dest: /etc/cron.daily/amavis_purge_virusmails
+    mode: "0755"
+  tags:
+  - amavis
+  - amavis_purge_cron

amazon-ec2/amazon-ec2-evolinux.yml

@@ -18,7 +18,7 @@
 
 - name: Install Evolinux
   hosts: launched-instances
-  become: yes
+  become: true
 
   vars_files:
   - 'vars/secrets.yml'

apache/tasks/auth.yml

@@ -7,7 +7,7 @@
     owner: root
     group: root
     mode: "0640"
-    force: no
+    force: false
   tags:
     - apache
 
@@ -30,7 +30,7 @@
     owner: root
     group: root
     mode: "0640"
-    force: no
+    force: false
   notify: reload apache
   tags:
     - apache

apache/tasks/log2mail.yml

@@ -14,6 +14,6 @@
     owner: log2mail
     group: adm
     mode: "0644"
-    force: no
+    force: false
   tags:
     - apache

apache/tasks/main.yml

@@ -73,7 +73,7 @@
     owner: root
     group: root
     mode: "0640"
-    force: yes
+    force: true
   notify: reload apache
   tags:
   - apache
@@ -85,7 +85,7 @@
     owner: root
     group: root
     mode: "0640"
-    force: no
+    force: false
   notify: reload apache
   tags:
   - apache
@@ -119,7 +119,7 @@
     src: evolinux-default.conf.j2
     dest: /etc/apache2/sites-available/000-evolinux-default.conf
     mode: "0640"
-    force: no
+    force: false
   notify: reload apache
   tags:
     - apache
@@ -129,7 +129,7 @@
     src: /etc/apache2/sites-available/000-evolinux-default.conf
     dest: /etc/apache2/sites-enabled/000-default.conf
     state: link
-    force: yes
+    force: true
   notify: reload apache
   when: apache_evolinux_default_enabled | bool
   tags:
@@ -181,7 +181,7 @@
     src: save_apache_status.sh
     dest: /usr/share/scripts/save_apache_status.sh
     mode: "0755"
-    force: no
+    force: false
   tags:
     - apache
 

apache/tasks/server_status.yml

@@ -13,7 +13,7 @@
     dest: "{{ apache_serverstatus_suffix_file }}"
     # The last character "\u000A" is a line feed (LF), it's better to keep it
     content: "{{ apache_serverstatus_suffix }}\u000A"
-    force: yes
+    force: true
   when: apache_serverstatus_suffix | length > 0
 
 - name: generate random string for server-status suffix

apt/files/deb822-migration.py

@@ -1,4 +1,4 @@
-#!/bin/env python3
+#!/usr/bin/env python3
 
 import re
 import sys
@@ -13,7 +13,7 @@ destinations = {
     ".*-backports": "backports.sources",
     ".debian.org": "system.sources",
     "mirror.evolix.org": "system.sources",
-    "pub.evolix.net": "evolix_public_old.sources",
+    "pub.evolix.net": "evolix_public_old.sources.bak",
     "pub.evolix.org": "evolix_public.sources",
     "artifacts.elastic.co": "elastic.sources",
     "download.docker.com": "docker.sources",
@@ -149,4 +149,4 @@ def main():
 if __name__ == "__main__":
     main()
 
-sys.exit(0)
+sys.exit(0)

apt/tasks/backports.deb822.yml

@@ -4,7 +4,7 @@
   ansible.builtin.template:
     src: '{{ ansible_distribution_release }}_backports.sources.j2'
     dest: /etc/apt/sources.list.d/backports.sources
-    force: yes
+    force: true
     mode: "0640"
   register: apt_backports_sources
   tags:
@@ -14,7 +14,7 @@
   ansible.builtin.copy:
     src: '{{ ansible_distribution_release }}_backports_preferences'
     dest: /etc/apt/preferences.d/0-backports-defaults
-    force: yes
+    force: true
     mode: "0640"
   register: apt_backports_config
   tags:

apt/tasks/backports.oneline.yml

@@ -11,7 +11,7 @@
   ansible.builtin.template:
     src: '{{ ansible_distribution_release }}_backports.list.j2'
     dest: /etc/apt/sources.list.d/backports.list
-    force: yes
+    force: true
     mode: "0640"
   register: apt_backports_list
   tags:
@@ -21,7 +21,7 @@
   ansible.builtin.copy:
     src: '{{ ansible_distribution_release }}_backports_preferences'
     dest: /etc/apt/preferences.d/0-backports-defaults
-    force: yes
+    force: true
     mode: "0640"
   register: apt_backports_config
   tags:

apt/tasks/basics.deb822.yml

@@ -5,7 +5,7 @@
     src: "{{ ansible_distribution_release }}_basics.sources.j2"
     dest: /etc/apt/sources.list.d/system.sources
     mode: "0644"
-    force: yes
+    force: true
   register: apt_basic_sources
   tags:
     - apt
@@ -15,7 +15,7 @@
     src: "{{ ansible_distribution_release }}_security.sources.j2"
     dest: /etc/apt/sources.list.d/security.sources
     mode: "0644"
-    force: yes
+    force: true
   register: apt_security_sources
   tags:
     - apt

apt/tasks/basics.oneline.yml

@@ -5,7 +5,7 @@
     src: "{{ ansible_distribution_release }}_basics.list.j2"
     dest: /etc/apt/sources.list
     mode: "0644"
-    force: yes
+    force: true
   register: apt_basic_list
   tags:
     - apt

apt/tasks/evolix_public.deb822.yml

@@ -16,11 +16,19 @@
     - apt
   when: _trusted_gpg_keyring.stat.exists
 
+- name: "Ensure {{ apt_keyring_dir }} directory exists"
+  file:
+    path: "{{ apt_keyring_dir }}"
+    state: directory
+    mode: "755"
+    owner: root
+    group: root
+
 - name: Add Evolix GPG key
   ansible.builtin.copy:
     src: pub_evolix.asc
     dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
-    force: yes
+    force: true
     mode: "0644"
     owner: root
     group: root
@@ -31,7 +39,7 @@
   ansible.builtin.template:
     src: evolix_public.sources.j2
     dest: /etc/apt/sources.list.d/evolix_public.sources
-    force: yes
+    force: true
     mode: "0640"
   register: apt_evolix_public
   tags:

apt/tasks/evolix_public.oneline.yml

@@ -16,11 +16,19 @@
     - apt
   when: _trusted_gpg_keyring.stat.exists
 
+- name: "Ensure {{ apt_keyring_dir }} directory exists"
+  file:
+    path: "{{ apt_keyring_dir }}"
+    state: directory
+    mode: "755"
+    owner: root
+    group: root
+
 - name: Add Evolix GPG key
   ansible.builtin.copy:
     src: pub_evolix.asc
     dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
-    force: yes
+    force: true
     mode: "0644"
     owner: root
     group: root
@@ -31,7 +39,7 @@
   ansible.builtin.template:
     src: evolix_public.list.j2
     dest: /etc/apt/sources.list.d/evolix_public.list
-    force: yes
+    force: true
     mode: "0640"
   register: apt_evolix_public
   tags:

apt/tasks/hold_packages.yml

@@ -71,7 +71,7 @@
   ansible.builtin.copy:
     src: check_held_packages.sh
     dest: /usr/share/scripts/check_held_packages.sh
-    force: yes
+    force: true
     mode: "0755"
   tags:
     - apt

apt/tasks/main.yml

@@ -96,6 +96,18 @@
   when: apt_clean_gandi_sourceslist | bool
 
 
+- name: "Disable NonFreeFirmware warning for VM on Debian 12+"
+  ansible.builtin.lineinfile:
+    path: /etc/apt/apt.conf.d/no-bookworm-firmware.conf
+    create: yes
+    line: "APT::Get::Update::SourceListWarnings::NonFreeFirmware \"false\";"
+  tags:
+    - apt
+  when:
+    - ansible_distribution_major_version is version('12', '>=')
+    - ansible_virtualization_role == "guest"
+
+
 - name: Install check for packages marked hold
   ansible.builtin.import_tasks: hold_packages.yml
   when: apt_install_hold_packages | bool

apt/tasks/migrate-to-deb822.yml

@@ -14,9 +14,9 @@
 
 - name: Migration scripts are installed
   ansible.builtin.copy:
-    src: "{{ item  }}"
-    dest: "/usr/share/scripts/{{ item  }}"
-    force: yes
+    src: "{{ item }}"
+    dest: "/usr/share/scripts/{{ item }}"
+    force: true
     mode: "0755"
   loop:
     - deb822-migration.py
@@ -29,4 +29,22 @@
     cmd: /usr/share/scripts/deb822-migration.sh
   ignore_errors: yes
   tags:
-    - apt
+    - apt
+
+- name: Add signed-by when relevant for bookworm
+  ansible.builtin.lineinfile:
+    dest: /etc/apt/sources.list.d/system.sources
+    line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
+    insertafter: "Suites: bookworm bookworm-updates"
+    state: present
+  tags:
+    - apt
+
+- name: Add signed-by when relevant for bookworm-security
+  ansible.builtin.lineinfile:
+    dest: /etc/apt/sources.list.d/security.sources
+    line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
+    insertafter: "Suites: bookworm-security"
+    state: present
+  tags:
+    - apt

apt/templates/bookworm_basics.sources.j2

@@ -5,3 +5,4 @@ URIs: http://mirror.evolix.org/debian
 Suites: bookworm bookworm-updates
 Components: {{ apt_basics_components | mandatory }} 
 Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg

apt/templates/bookworm_security.sources.j2

@@ -5,3 +5,4 @@ URIs: https://security.debian.org/debian-security
 Suites: bookworm-security
 Components: {{ apt_basics_components | mandatory }} 
 Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg

apt/templates/stretch_backports.list.j2

@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
 
-deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }}
+deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }}

bind/files/reload-zone

@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# Script utilitaire pour tester et recharger facilement un domaine dans Bind
+# Usage : reload-zone <DOMAINE>
+#
+# TODO:
+# - renommer le script (par ex bind-safe-reload)
+# - vérifier le serial
+# - ajouter un -h --help
+# - prendre en charge plusieurs zones (ou aucune)
+# - ajouter le script dans le role bind
+
+named-checkzone "$1" /etc/bind/db."$1" && rndc reload "$1"
+

bind/tasks/authoritative.yml

@@ -7,5 +7,5 @@
     owner: bind
     group: bind
     mode: "0644"
-    force: yes
+    force: true
   notify: restart bind

bind/tasks/main.yml

@@ -23,7 +23,7 @@
     owner: root
     group: root
     mode: "0644"
-    force: yes
+    force: true
   notify: restart apparmor
   when: check_apparmor.rc == 0
 
@@ -47,7 +47,7 @@
     owner: root
     group: root
     mode: "0644"
-    force: yes
+    force: true
   notify:
     - reload systemd
     - restart bind
@@ -77,7 +77,7 @@
     dest: /root/chroot-bind.sh
     mode: "0700"
     owner: root
-    force: yes
+    force: true
     backup: yes
   when: bind_chroot_set | bool
 
@@ -109,7 +109,7 @@
     owner: root
     group: root
     mode: "0644"
-    force: yes
+    force: true
   notify: restart bind
 
 - ansible.builtin.include: munin.yml

bind/tasks/munin.yml

@@ -48,7 +48,7 @@
     owner: root
     group: root
     mode: "0644"
-    force: yes
+    force: true
   notify: restart munin-node
   tags:
     - bind

bind/tasks/recursive.yml

@@ -8,7 +8,7 @@
     owner: bind
     group: bind
     mode: "0644"
-    force: yes
+    force: true
   notify: restart bind
 
 - name: enable zones.rfc1918 for recursive server

certbot/files/hooks/deploy/proftpd.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+error() {
+    >&2 echo "${PROGNAME}: $1"
+    exit 1
+}
+debug() {
+    if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+        >&2 echo "${PROGNAME}: $1"
+    fi
+}
+daemon_found_and_running() {
+    test -n "$(pidof proftpd)" && test -n "${proftpd_bin}"
+}
+config_check() {
+    ${proftpd_bin} configtest > /dev/null 2>&1
+}
+letsencrypt_used() {
+    grep -q -r -E "letsencrypt" /etc/proftpd/
+}
+main() {
+    if daemon_found_and_running; then
+        if letsencrypt_used; then
+            if config_check; then
+                debug "ProFTPD detected... reloading"
+                systemctl reload proftpd
+            else
+                error "ProFTPD config is broken, you must fix it !"
+            fi
+        else
+            debug "ProFTPD doesn't use Let's Encrypt certificate. Skip."
+        fi
+    else
+        debug "ProFTPD is not running or missing. Skip."
+    fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly proftpd_bin=$(command -v proftpd)
+
+main

certbot/tasks/acme-challenge.yml

@@ -15,7 +15,7 @@
   ansible.builtin.template:
     src: acme-challenge/nginx.conf.j2
     dest: /etc/nginx/snippets/letsencrypt.conf
-    force: yes
+    force: true
   notify: reload nginx
   when: is_nginx.stat.exists
 
@@ -30,7 +30,7 @@
       ansible.builtin.template:
         src: acme-challenge/apache.conf.j2
         dest: /etc/apache2/conf-available/letsencrypt.conf
-        force: yes
+        force: true
       notify: reload apache
 
     - name: ACME challenge for Apache is enabled

certbot/tasks/install-legacy.yml

@@ -16,7 +16,7 @@
     mode: '0755'
     owner: root
     group: root
-    force: yes
+    force: true
   notify: install letsencrypt-auto
 
 - name: Check certbot script
@@ -49,7 +49,7 @@
   ansible.builtin.copy:
     src: cron_jessie
     dest: /etc/cron.d/certbot
-    force: yes
+    force: true
   when: certbot_custom_crontab | bool
 
 - name: disable self-upgrade

docker-host/defaults/main.yml

@@ -12,6 +12,9 @@ docker_conf_no_newprivileges: False
 # Toggle live restore (need to be disabled in swarm mode)
 docker_conf_live_restore: True
 
+# Toggle user namespace
+docker_conf_user_namespace: True
+
 # Disable all default network connectivity
 docker_conf_disable_default_networking: False
 

docker-host/tasks/main.yml

@@ -22,11 +22,19 @@
     state: present
   when: ansible_distribution_major_version is version('10', '<')
 
+- name: "Ensure {{ apt_keyring_dir }} directory exists"
+  file:
+    path: "{{ apt_keyring_dir }}"
+    state: directory
+    mode: "755"
+    owner: root
+    group: root
+
 - name: Add Docker's official GPG key
   ansible.builtin.copy:
     src: docker-debian.asc
     dest: "{{ apt_keyring_dir }}/docker-debian.asc"
-    force: yes
+    force: true
     mode: "0644"
     owner: root
     group: root
@@ -43,7 +51,6 @@
   ansible.builtin.template:
     src: docker.sources.j2
     dest: /etc/apt/sources.list.d/docker.sources
-    state: present
   register: docker_sources
   when: ansible_distribution_major_version is version('12', '>=')
 

docker-host/templates/daemon.json.j2

@@ -4,8 +4,10 @@
   ,"data-root": "{{ docker_home }}"
   {# Keep containers running while docker daemon downtime #}
   ,"live-restore": {{ docker_conf_live_restore | to_json }}
+{% if docker_conf_user_namespace %}
   {# Turn on user namespace remaping #}
   ,"userns-remap": "default"
+{% endif %}
 {% if docker_conf_use_iptables %}
   {# Use iptables instead of docker-proxy #}
   ,"userland-proxy": false

dovecot/README.md

@@ -2,6 +2,8 @@
 
 Installation and basic configuration of dovecot
 
+Do not use this role to update Dovecot 2.2 to 2.3.
+
 ## Tasks
 
 Minimal configuration is in `tasks/main.yml`
@@ -9,3 +11,14 @@ Minimal configuration is in `tasks/main.yml`
 ## Available variables
 
 The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+## Munin plugins
+
+### dovecot_stats_
+
+Note : This is an Evolix patched version.
+
+This plugin can be installed only when installin a server, because it needs Dovevcot plugin stats (Dovecot 2.2) or old_stats (Dovecot 2.3), which previously were not activated by default.
+
+To skip this plugin installation, use "--skip-tags dovecot_stats_".
+

dovecot/files/munin_config

@@ -1,2 +0,0 @@
-[dovecot]
-group adm

dovecot/files/munin_plugin

@@ -1,128 +0,0 @@
-#! /bin/bash
-#
-# Munin Plugin
-# to count logins to your dovecot mailserver
-#
-# Created by Dominik Schulz <lkml@ds.gauner.org>
-# http://developer.gauner.org/munin/
-# Contributions by:
-# - Stephane Enten <tuf@delyth.net>
-# - Steve Schnepp <steve.schnepp@pwkf.org>
-# - pcy <pcy@ulyssis.org> (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
-#
-# Parameters understood:
-#
-#	config		(required)
-#	autoconf 	(optional - used by munin-config)
-#
-# Config variables:
-#
-#       logfile        - Where to find the syslog file
-#
-# Add the following line to a file in /etc/munin/plugin-conf.d:
-# 	env.logfile /var/log/your/logfile.log
-#
-# Magic markers (optional - used by munin-config and installation scripts):
-#
-#%# family=auto
-#%# capabilities=autoconf
-
-######################
-# Configuration
-######################
-EXPR_BIN=/usr/bin/expr
-LOGFILE=${logfile:-/var/log/mail.log}