Merge branch 'unstable' into stable

Jérémy Lecour 2023-10-14 07:38:22 +02:00 committed by Jérémy Lecour
commit 198f3fab0a
Signed by: jlecour
SSH key fingerprint: SHA256:h+5LgHRKwN9lS0SsdVR5yZPeFlJE4Mt+8UtL4CcP8dY
233 changed files with 3472 additions and 1876 deletions

.gitignore vendored
View file

@ -2,3 +2,4 @@
.kateproject.d
.vagrant/
*.swp
.vscode

.markdownlint.json Normal file
View file

@ -0,0 +1,4 @@
{
"MD013": false,
"MD024": false
}
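Review bot: disabling MD024 outright also silences genuine duplicate headings, whereas the reason here is almost certainly the repeated `### Added` / `### Changed` / `### Fixed` sections in CHANGELOG.md; markdownlint supports `"MD024": { "siblings_only": true }`, which allows the same heading under different parents and keeps the check for real duplicates. MD013 (line length) being off is reasonable for a changelog with long bullet entries, but a short comment in a `.markdownlint.yaml` (JSON has none) saying why both are relaxed would help the next reader.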

View file

@ -3,5 +3,6 @@
"*.yml": "ansible",
"*.yaml": "ansible"
},
"yaml.format.enable": false
"yaml.format.enable": false,
"ansible.python.interpreterPath": "/bin/python"
}
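Review bot: `"ansible.python.interpreterPath": "/bin/python"` is a machine-specific path committed to shared workspace settings; on a Debian 11/12 workstation `python` only exists when the `python-is-python3` package is installed, so for other contributors the VS Code Ansible extension will fail to find an interpreter. Prefer `/usr/bin/python3`, or leave the interpreter path to per-user settings and keep only the file associations and `yaml.format.enable` in the repository.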

View file

@ -1,4 +1,5 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
@ -8,7 +9,6 @@ The **major** part of the version is the year
The **minor** part changes is the month
The **patch** part changes is incremented if multiple releases happen the same month
## [Unreleased]
### Added
@ -21,6 +21,88 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
## [23.10] 2023-10-14
### Added
* apt: disable `NonFreeFirmware` warning for VM on Debian 12+
* apt: explicit `signed-by` directives for official sources
* bind: add reload-zone helper
* certbot: deploy-hook for proftpd
* docker-host: added var for user namespace setting
* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
* dovecot: fix old_stats plugin for Dovecot 2.3
* evocheck: add support for Debian >= 12 split SSH configuration
* evolinux-base: add split SSH configuration for Debian >= 12
* evolinux-base: configure `.bashrc` for all users
* evolinux-base: New variable `evolinux_system_include_ntpd` to chose wether or not to include `ntpd` role
* evolinux-base: reboot the server if the Cloud kernel has been installed
* evolinux-users: add split SSH configuration for Debian >= 12
* evolinux: install HPE Agentless Management Service (amsd)
* fail2ban: add default variable fail2ban_dbpurgeage_default
* fail2ban: add `fail2ban_sshd_port` variable to configure sshd port
* kvm-host: release 23.10 for migrate-vm.sh
* metricbeat/logstash: fix Ansible syntax
* mysql: new munin graph to follow binlog_days over time
* nagios-nrpe: add a NRPE check-local command with completion.
* nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients)
* php: add new variable to disable overriding settings of php-fpm default pool (www)
* policy_pam: New role to manage password policy with `pam_pwquality` & `pam_pwhistory`
* userlogrotate: add a `userlogpurge` script disabled by default
* userlogrotate: new version, with separate conf file
* userlogrotate: rotate also php.log
* java: allow version 17
* timesyncd: new role, used instead of ntpd by default starting with Debian 12
### Changed
* all: change syntax "become: [yes,no]" → "become: [true,false]"
* all: change syntax "force: [yes,no]" → "force: [true,false]"
* elasticsearch: improve networking configuration
* evolinux-base: include files under `sshd_config.d`
* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
* evomaintenance: upstream release 23.10.1
* lxc-php: change LXC container in bookworm for php82
* minifirewall: update nrpe script to check active configuration
* minifirewall: upstream release 23.07
* mysql: improve shell syntax for mysql_skip script
* nagios-nrpe: set default check_load --per-cpu for BSD
* pgbouncer: minor fixes
* postfix (packmail or when postfix_slow_transport_include is True): change `miniprofmal_backoff_time` from 2h to 15m (see HowtoPostfix)
* postfix (packmail) : optimize Amavis integration
* postfix: disable sending mails via IPv6
* postfix: new spam.sh update script that avoids reloading if files did not change.
* postgresql: fix file `postgresql.pref.j2` for exclude package
* postgresql: fix task `update apt cache` for PGDG repo
* redis: standardize plugins path from `/usr/local/share/munin/` to `/usr/local/lib/munin/plugins/`
* varnish: allow the systemd template to be overridden with a template outside of the role
* lxc: purge openssh-server from container on install
### Fixed
* elasticsearch: comment the `Xlog:gc` line instead of changing it completely
* evocheck: fix IS_SSHALLOWUSERS condition
* evolinux-base, evolinux-users: Fix files mode under `/etc/ssh/sshd_config.d`
* evolinux-base: fix file extension
* fail2ban: fix cron `fail2ban_dbpurge` (should be bash instead of sh)
* lxc-php: fix APT keyring path inside containers
* nagios-nrpe: `check_ssl_local` now has an output that nrpe can understand when it isn't OK
* nagios-nrpe: remount `/usr` **after** installing the packages
* nagios-nrpe: sync Redis check from redis roles
* nginx: set default server directive in default vhost
* opendkim: update apt cache before install
* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
* postfix: add missing `localhost.$mydomain` to `mydestination`
* redis: replace erroneous `ini_file` module for Munin config, fix dedicated Munin config filename (z-XXX).
* evolinux-base: use lineinfile instead of replace under root task
* evolinux-base: Corriger autorisation pour evolinux_user
* docker-host: Retirer directive state en trop
* rbenv: Installer libyaml-dev
### Removed
* dovecot: remove Munin plugin dovecot (not working)
## [23.04] 2023-04-23
### Added
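Review bot: the 23.10 section mixes languages and has a few typos that will ship in the release notes: the three Fixed entries "evolinux-base: Corriger autorisation pour evolinux_user", "docker-host: Retirer directive state en trop" and "rbenv: Installer libyaml-dev" are in French while every other line is English (roughly "fix permission for evolinux_user", "remove extra state directive", "install libyaml-dev"); "chose wether" should read "choose whether"; `miniprofmal_backoff_time` does not look like a Postfix parameter (the real one is `minimal_backoff_time`); and "metricbeat/logstash: fix Ansible syntax" is a fix filed under Added. The Added list is alphabetical until the trailing `java` and `timesyncd` entries, which belong higher up. The amavis purge cron added elsewhere in this commit has no entry at all.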
@ -107,7 +189,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* evolinux-base: subversion is not installed anymore
## [22.12] 2022-12-14
### Added
@ -162,7 +243,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
## [22.09] 2022-09-19
### Added
@ -176,7 +256,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* proftpd: Add options to override configs (and add a warning if file was overriden)
* proftpd: Allow user auth with ssh keys
### Changed
* evocheck: upstream release 22.09
@ -184,7 +263,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* generate-ldif: Support any MariaDB version
* minifirewall: use handlers to restart minifirewall
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
* openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
* nagios-nrpe: Upgrade check_mongo
@ -302,7 +381,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* docker : Introduce new default settings + allow to change the docker data directory
* docker : Introduce new default settings + allow to change the docker data directory
* docker : Introduce new variables to tweak daemon settings
### Changed
@ -335,7 +414,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* minifirewall: restore "force-restart" and fix "restart-if-needed"
* minifirewall: tail template follows symlinks
* minifirewall: upstream release 22.05
* opendkim : add generate opendkim-genkey in sha256 and key 4096
* opendkim : add generate opendkim-genkey in sha256 and key 4096
* openvpn: use a local copy of files instead of cloning an external git repository
* openvpn: use a subnet topology instead of the net30 default topology
* tomcat: Tomcat 9 by default with Debian 11
@ -698,6 +777,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [10.0.0] - 2020-05-13
### Added
* apache: the default VHost doesn't redirect to https for ".well-known" paths
* apt: added buster backports prerferences
* apt: check if cron is installed before adding a cron job
@ -734,6 +814,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* bind: enable bind9 munin plugin for recursive resolvers
### Changed
* replace version_compare() with version()s
* removed some deprecations for Ansible 2.7
* apache: improve permissions in save_apache_status script
@ -779,6 +860,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* varnish: remove custom ExecReload= script for Debian 10+
### Fixed
* etc-git: fix warnings ansible-lint
* evoadmin-web: Put the php config at the right place for Buster
* lxc: Don't stop the container if it already exists
@ -801,16 +883,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
* packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available
### Removed
* clamav : do not install the zoo package anymore
## [9.10.1] - 2019-06-21
### Changed
* evocheck : update (version 19.06) from upstream
## [9.10.0] - 2019-06-21
### Added
* apache: add server status suffix in VHost (and default site) if missing
* apache: add a variable to customize the server-status host
* apt: add a script to manage packages with "hold" mark
@ -821,6 +906,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: enable gzip compression in nginx vhost
### Changed
* evocheck : update (unreleased) from upstream
* evomaintenance : use the web API instead of PG Insert
* fluentd: store gpg key locally
@ -833,23 +919,26 @@ The **patch** part changes is incremented if multiple releases happen the same m
* apt: Add Debian Buster repositories
### Fixed
* rbenv: add check_mode for check rbenv and ruby versions
* nagios-nrpe: fix redis_instances check when Redis port equal 0
* redmine: fix 500 error on logging
* evolinux-base: Validate sshd config with "-t" instead of "-T"
* evolinux-base: Ensure rename is present
* evolinux-users: Validate sshd config with "-t" instead of "-T"
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
* nagios-nrpe: Replace the dummy packages nagios-plugins-*with monitoring-plugins-*
## [9.9.0] - 2019-04-16
### Added
* etc-git: ignore evobackup/.keep-* files
* lxc: /home is mounted in the container by default
* nginx : add "x-frame-options: sameorigin" for Munin
### Changed
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
* changed remote repository to <https://gitea.evolix.org/evolix/ansible-roles>
* apt: Ensure jessie-backport from archives.debian.org is accepted
* apt: Remove jessie-update suite as it's no longer exists
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
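Review bot: the rewritten nagios-nrpe line drops the space before "with", so the text now reads `nagios-plugins-*with monitoring-plugins-*`, and Markdown will render `with monitoring-plugins-` in italics and swallow both asterisks; if the goal was to stop markdownlint (MD037) reading the two asterisks as an emphasis span, escape them (`nagios-plugins-\*` … `monitoring-plugins-\*`) the way the openvpn entry in the 22.09 section already escapes `\_openvpn`, instead of joining the words.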
@ -862,8 +951,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
* tomcat: better tomcat version management
* webapps/evoadmin-web: add dbadmin.sh to sudoers file
### Fixed
* spamassasin: fix sa-update.sh and ensure service is started and enabled
* tomcat-instance: deploy correct version of config files
* tomcat-instance: deploy correct version of server.xml
@ -871,20 +960,24 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.8.0] - 2019-01-31
### Added
* filebeat: disable cloud_metadata processor by default
* metricbeat: disable cloud_metadata processor by default
* percona : new role to install Percona repositories and tools
* redis: add variable for configure unixsocketperm
### Changed
* redmine: refactoring of redmine role with use of rbenv
### Fixed
* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
## [9.7.0] - 2019-01-17
### Added
* apache: add Munin configuration for Apache server-status URL
* evomaintenance: database variables must be set or the task fails
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
@ -897,6 +990,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* proftpd: add FTPS and SFTP support
### Changed
* redis: distinction between main and master password
* evocheck: update evocheck.sh for source install
* php: added php-zip in the installed package list for debian 9 (and later)
@ -904,6 +998,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* java: update Oracle java package to 8u192
### Fixed
* fail2ban: fix "ignoreip" update
* metricbeat: fix username/password replacement
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
@ -912,16 +1007,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
## [9.6.0] - 2018-12-04
### Added
* evolinux-base: deploy custom motd if template are present
* minifirewall: all variables are configurable (untouched by default)
* minifirewall: main file is configurable
* squid: minifirewall main file is configurable
### Changed
* minifirewall: compare config before/after (for restart condition)
* squid: better replacement in minifirewall config
* evoadmin-mail: complete refactoring, use Debian Package
@ -929,6 +1025,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.5.0] - 2018-11-14
### Added
* apache: separate task to update IP whitelist
* evolinux-base: install man package
* evolinux-users: add newaliases handler
@ -942,11 +1039,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
* mysql: logdir can be customized
### Changed
* evocheck: update script from upstream
* evomaintenance: update script from upstream
* mysql: restart service if systemd unit has been patched
### Fixed
* packweb-apache: mod-security config is already included elsewhere
* redis: for permissions on log and lib directories
* redis: fix shell for instance users
@ -955,13 +1054,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.4.2] - 2018-10-12
### Added
* evomaintenance: install dependencies manually when installing vendored version
* nagios-nrpe: add an option to ignore servers in NOLB status
### Changed
* haproxy: move check_haproxy_stats to nagios-nrpe role
### Fixed
* evoacme: better error when apache2ctl fails
* evomaintenance: fix role compatibility with OpenBSD
* spamassassin: add missing right for amavis
@ -970,16 +1072,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.4.1] - 2018-09-28
### Added
* redis: set masterauth when redis_password is defined
* evomaintenance: variable to install a vendored version
* evomaintenance: tasks/variables to handle minifirewall restarts
### Changed
* mysql-oracle: better handle packages and users
## [9.4.0] - 2018-09-20
### Added
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
* evolinux-base: better shell history
* evolinux-users: add user to /etc/aliases
@ -994,9 +1099,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
* nagios-nrpe: add check_redis_instances
### Changed
* dovecot: stronger TLS configuration
### Fixed
* apache: cleaner way to overwrite the server status suffix
* packweb-apache: don't regenerate phpMyAdmin suffix each time
* nginx: cleaner way to overwrite the server status suffix
@ -1005,11 +1112,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.3.2] - 2018-09-06
### Added
* minifirewall: add a variable to disable the restart handler
* minifirewall: add a variable to force a restart of the firewall (even with no change)
* minifirewall: improve variables values and documentation
### Changed
* dovecot: enable SSL/TLS by default with snakeoil certificate
### Fixed
@ -1019,11 +1128,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.3.1] - 2018-08-30
### Added
* metricbeat: new variables to configure elasticsearch hosts and auth
## [9.3.0] - 2018-08-24
### Added
* elasticsearch: tmpdir configuration compatible with 5.x also
* elasticsearch: add http.publish_host variable
* evoacme: disable old certbot cron also in cron.daily
@ -1044,6 +1155,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* nagios-nrpe: add check_postgrey
### Changed
* etc-git: some entries of .gitignore are mandatory
* evocheck: update upstream script
* evolinux-base: improve hostname configuration (real vs. internal)
@ -1062,6 +1174,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* kvm-host: install kvm-tools package instead of copying add-vm.sh
### Fixed
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
* bind: chroot-bind.sh must not be executed in check mode
* evoacme: fix module detection in apache config
@ -1073,12 +1186,14 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.2.0] - 2018-05-16
### Changed
* filebeat: install version 6.x by default
* filebeat: cleanup unused code
* squid: add some domaine and fix broken restrictions
* elasticsearch: defaults to version 6.x
### Fixed
* evolinux-users: secondary groups are comma-separated
* ntpd: fix configuration (server and ACL)
* varnish: don't fork the process on startup with systemd
@ -1088,6 +1203,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
### Changed
* apache: customize logrotate (52 weeks)
* evolinux: groups for SSH configuration are used with Debian 10 and later
* evolinux-base: fail2ban is not enabled by default
@ -1099,9 +1215,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.8] - 2018-04-16
### Changed
* packweb-apache: use dependencies instead of include_role for apache and php roles
### Fixed
* mysql: use check_mode for apg command (Fix --check)
* mysql/mysql-oracle: properly reload systemd
* packweb-apache: use check_mode for apg command (Fix --check)
@ -1109,6 +1227,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.7] - 2018-04-06
### Added
* added a few become attributes where missing
* etc-git: add tags for Ansible
* evolinux-base: install ncurses-term package
@ -1126,6 +1245,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: added missing tags
### Changed
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
@ -1141,6 +1261,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
### Fixed
* dovecot: fix support of plus sign
* mysql/mysql-oracle: mysqltuner cron task is executable
* nginx: fix basic auth for default vhost
@ -1149,21 +1270,25 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.6] - 2018-02-02
### Added
* mongodb: install python-pymongo for monitoring
* nagios-nrpe: allowed_hosts can be updated
### Changed
* Changelog: explain the versioning scheme
* Changelog: add a release date for 9.1.5
* evoacme: exclude typical certbot directories
### Fixed
* fail2ban: fix horrible typo, Python is not Ruby
* nginx: fix servers status dirname
## [9.1.5] - 2018-01-18
### Added
* There is a changelog!
* redis: configuration variable for protected mode (v3.2+)
* evolinux-users: users are in "adm" group for Debian 9 or later
@ -1175,41 +1300,49 @@ The **patch** part changes is incremented if multiple releases happen the same m
* redmine: ability to install themes and plugins
### Changed
* rbenv: Ruby 2.5 becomes the default version
* evocheck: update upstream version embedded in role (c993244)
* bind: keep 52 weeks of logs
### Fixed
* squid: different logrotate file for Jessie or Stretch+
* evoacme: don't invoke evoacme if no vhost is found
* evomaintenance: explicit quotes in config file
* redmine: force xpath gem < 3.0.0
### Security
* evomaintenance: fix permissions for config file
## [9.1.4] - 2017-12-20
### Added
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
* mysql: add a check_mysql_slave in nrpe configuration
* ldap: slapd tcp port is configurable
* elasticsearch: broader patterns for log rotation
### Changed
* split IP lists in 2 default and additional for easier customization.
### Fixed
* minifirewall: allow outgoing SSH connections over IPv6
* nodejs: rename source.list file
### Security
* evoadmin-web: change config.local.php file permissions
* evolinux-base: change default_www file permissions
## [9.1.3] 2017-12-08
### Added
* evolinux-base: install traceroute package
* evolinux-base/ntpd: purge openntpd
* tomcat: add Tomcat 8 cmpatibility
@ -1221,6 +1354,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* elastic: option for stack main version
### Changed
* nginx: rename Let's Encrypt snippet
* nginx: simpler apt preferences for backports
* generate-ldif: add clamd service instead of clamav_db
@ -1232,10 +1366,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
* mongodb: comatible with Stretch
### Removed
* mongodb: logfile/pidfile are not configurable on Jessie
* minifirewall: remove zidane.evolix.net from HTTPSITES
### Fixed
* nginx: fix munin CGI graphs
* ntpd: fix default configuration (localhost only)
* logstash: fix permissions on pipeline configuration
@ -1246,14 +1382,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
## [9.1.2] 2017-12-05
### Fixed
* listupgrade: remount /usr as rw
## [9.1.1] 2017-11-21
### Added
* amazon-ec2: add egress rules
### Fixed
* evoacme: fix multiple bugs
## [9.1.0] 2017-11-19
@ -1261,6 +1400,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
_Warning: huge release, many entries are missing below._
### Added
* amazon-ec2: new role, for EC2 instances creation
* Move /usr rw remount into remount-usr role
* kibana: host and basepath configuration
@ -1271,6 +1411,7 @@ _Warning: huge release, many entries are missing below._
* nagios-nrpe: add opendkim check
### Changed
* Combine evolix and additional trusted IP addresses
* amazon-ec2: split tasks
* apt: don't upgrade by default
@ -1281,6 +1422,7 @@ _Warning: huge release, many entries are missing below._
* ldap: better variables
### Fixed
* fail2ban: create config hierarchy beforehand
* elasticsearch: fix datadir/tmpdir conditions
* elastic: remove double ".list" suffix
@ -1291,10 +1433,10 @@ _Warning: huge release, many entries are missing below._
### Security
## [9.0.1] 2017-10-02
### Added
* haproxy: add a Nagios check
* php: add "sury" mode for PHP 7.1 on Stretch
* minifirewall: explicit dependency on iptables
@ -1302,9 +1444,11 @@ _Warning: huge release, many entries are missing below._
* docker-host: new variable for docker home
### Changed
* php: install php5/php package after fpm/libapache2-mod-php
### Fixed
* mysql: add "REPLICATION CLIENT" privilege for nrpe
* evoadmin-web: revert from variables to keywords in the templates
* evoacme: many fixes

View file

@ -0,0 +1,2 @@
#!/bin/bash
find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete
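Review bot: both the 30-day retention and the `/var/lib/amavis/virusmails/` path are hardcoded in the script, so an operator with a different quarantine directory or a legal retention requirement for quarantined mail has to patch the file rather than set a variable; since the file is shipped with `ansible.builtin.copy`, consider turning it into a template with the retention as a role default (the variable name is up to the role, e.g. `amavis_purge_virusmails_days`). `find ... -mtime +30 -delete` is otherwise fine: `-delete` implies `-depth` and `-type f` keeps the directory tree, and a missing directory only produces a non-zero exit that cron will mail.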

View file

@ -16,3 +16,12 @@
notify: restart amavis
tags:
- amavis
- name: Install purge custom cron
ansible.builtin.copy:
src: amavis_purge_virusmails
dest: /etc/cron.daily/amavis_purge_virusmails
mode: "0755"
tags:
- amavis
- amavis_purge_cron
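Review bot: the purge cron is installed unconditionally and there is no variable to opt out, which is a behaviour change for every host running this role; add a `when:` on a role default (disabled or enabled, but explicit) and a line under Added in the CHANGELOG hunk of this commit, which currently mentions amavis only for the postfix/packmail integration. The destination name is fine for `run-parts` (names in `/etc/cron.daily` must match `^[a-zA-Z0-9_-]+$`, so no dots), but that constraint is worth a comment in case the script is renamed later.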

View file

@ -18,7 +18,7 @@
- name: Install Evolinux
hosts: launched-instances
become: yes
become: true
vars_files:
- 'vars/secrets.yml'

View file

@ -7,7 +7,7 @@
owner: root
group: root
mode: "0640"
force: no
force: false
tags:
- apache
@ -30,7 +30,7 @@
owner: root
group: root
mode: "0640"
force: no
force: false
notify: reload apache
tags:
- apache

View file

@ -14,6 +14,6 @@
owner: log2mail
group: adm
mode: "0644"
force: no
force: false
tags:
- apache

View file

@ -73,7 +73,7 @@
owner: root
group: root
mode: "0640"
force: yes
force: true
notify: reload apache
tags:
- apache
@ -85,7 +85,7 @@
owner: root
group: root
mode: "0640"
force: no
force: false
notify: reload apache
tags:
- apache
@ -119,7 +119,7 @@
src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640"
force: no
force: false
notify: reload apache
tags:
- apache
@ -129,7 +129,7 @@
src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
force: yes
force: true
notify: reload apache
when: apache_evolinux_default_enabled | bool
tags:
@ -181,7 +181,7 @@
src: save_apache_status.sh
dest: /usr/share/scripts/save_apache_status.sh
mode: "0755"
force: no
force: false
tags:
- apache

View file

@ -13,7 +13,7 @@
dest: "{{ apache_serverstatus_suffix_file }}"
# The last character "\u000A" is a line feed (LF), it's better to keep it
content: "{{ apache_serverstatus_suffix }}\u000A"
force: yes
force: true
when: apache_serverstatus_suffix | length > 0
- name: generate random string for server-status suffix

View file

@ -1,4 +1,4 @@
#!/bin/env python3
#!/usr/bin/env python3
import re
import sys
@ -13,7 +13,7 @@ destinations = {
".*-backports": "backports.sources",
".debian.org": "system.sources",
"mirror.evolix.org": "system.sources",
"pub.evolix.net": "evolix_public_old.sources",
"pub.evolix.net": "evolix_public_old.sources.bak",
"pub.evolix.org": "evolix_public.sources",
"artifacts.elastic.co": "elastic.sources",
"download.docker.com": "docker.sources",
@ -149,4 +149,4 @@ def main():
if __name__ == "__main__":
main()
sys.exit(0)
sys.exit(0)
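Review bot: renaming the destination for `pub.evolix.net` to `evolix_public_old.sources.bak` keeps the file inside `/etc/apt/sources.list.d/`, where apt ignores it but emits a notice on every `apt update` ("Ignoring file 'evolix_public_old.sources.bak' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension"); if the point is to keep a backup, write it outside that directory (for example under `/var/backups/`) or simply drop it. The shebang fix to `#!/usr/bin/env python3` is right: `/bin/env` only resolves on merged-/usr systems. The final `sys.exit(0)` change is a trailing-newline fix only.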

View file

@ -4,7 +4,7 @@
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.sources.j2'
dest: /etc/apt/sources.list.d/backports.sources
force: yes
force: true
mode: "0640"
register: apt_backports_sources
tags:
@ -14,7 +14,7 @@
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
force: true
mode: "0640"
register: apt_backports_config
tags:

View file

@ -11,7 +11,7 @@
ansible.builtin.template:
src: '{{ ansible_distribution_release }}_backports.list.j2'
dest: /etc/apt/sources.list.d/backports.list
force: yes
force: true
mode: "0640"
register: apt_backports_list
tags:
@ -21,7 +21,7 @@
ansible.builtin.copy:
src: '{{ ansible_distribution_release }}_backports_preferences'
dest: /etc/apt/preferences.d/0-backports-defaults
force: yes
force: true
mode: "0640"
register: apt_backports_config
tags:

View file

@ -5,7 +5,7 @@
src: "{{ ansible_distribution_release }}_basics.sources.j2"
dest: /etc/apt/sources.list.d/system.sources
mode: "0644"
force: yes
force: true
register: apt_basic_sources
tags:
- apt
@ -15,7 +15,7 @@
src: "{{ ansible_distribution_release }}_security.sources.j2"
dest: /etc/apt/sources.list.d/security.sources
mode: "0644"
force: yes
force: true
register: apt_security_sources
tags:
- apt

View file

@ -5,7 +5,7 @@
src: "{{ ansible_distribution_release }}_basics.list.j2"
dest: /etc/apt/sources.list
mode: "0644"
force: yes
force: true
register: apt_basic_list
tags:
- apt

View file

@ -16,11 +16,19 @@
- apt
when: _trusted_gpg_keyring.stat.exists
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
force: true
mode: "0644"
owner: root
group: root
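Review bot: the new "Ensure {{ apt_keyring_dir }} directory exists" task has no `tags:` block while its neighbours are tagged `apt` (see the `- apt` context at the top of the hunk), so a run limited with `--tags apt` skips the directory creation and the following copy of `pub_evolix.asc` into `{{ apt_keyring_dir }}` fails on a host where the directory does not exist yet; add the same tags. Also use `ansible.builtin.file` like the other FQCN modules in this file and write the mode as `"0755"` to match the `"0644"` / `"0640"` style used everywhere else in the role.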
@ -31,7 +39,7 @@
ansible.builtin.template:
src: evolix_public.sources.j2
dest: /etc/apt/sources.list.d/evolix_public.sources
force: yes
force: true
mode: "0640"
register: apt_evolix_public
tags:

View file

@ -16,11 +16,19 @@
- apt
when: _trusted_gpg_keyring.stat.exists
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Add Evolix GPG key
ansible.builtin.copy:
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
force: true
mode: "0644"
owner: root
group: root
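Review bot: same issue as in the `.sources` variant of this file: the "Ensure {{ apt_keyring_dir }} directory exists" task carries no `tags:` although the surrounding tasks are tagged `apt`, so `--tags apt` creates the key file in a directory that may not exist; add `tags: [apt]`, switch `file:` to `ansible.builtin.file`, and use `"0755"` for the mode for consistency with the rest of the role.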
@ -31,7 +39,7 @@
ansible.builtin.template:
src: evolix_public.list.j2
dest: /etc/apt/sources.list.d/evolix_public.list
force: yes
force: true
mode: "0640"
register: apt_evolix_public
tags:

View file

@ -71,7 +71,7 @@
ansible.builtin.copy:
src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh
force: yes
force: true
mode: "0755"
tags:
- apt

View file

@ -96,6 +96,18 @@
when: apt_clean_gandi_sourceslist | bool
- name: "Disable NonFreeFirmware warning for VM on Debian 12+"
ansible.builtin.lineinfile:
path: /etc/apt/apt.conf.d/no-bookworm-firmware.conf
create: yes
line: "APT::Get::Update::SourceListWarnings::NonFreeFirmware \"false\";"
tags:
- apt
when:
- ansible_distribution_major_version is version('12', '>=')
- ansible_virtualization_role == "guest"
- name: Install check for packages marked hold
ansible.builtin.import_tasks: hold_packages.yml
when: apt_install_hold_packages | bool
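Review bot: `create: yes` in the new lineinfile task uses the YAML `yes` boolean that this very commit converts to `true` everywhere else (`force: yes` → `force: true`), so ansible-lint's `yaml[truthy]` rule will flag it on the next run; write `create: true`. The task also relies on the default mode for the file it creates; add `mode: "0644"`, `owner: root`, `group: root` as the other apt tasks do. The file name `no-bookworm-firmware.conf` will be misleading once the `version('12', '>=')` condition also matches Debian 13.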

View file

@ -14,9 +14,9 @@
- name: Migration scripts are installed
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}"
force: yes
src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}"
force: true
mode: "0755"
loop:
- deb822-migration.py
@ -29,4 +29,22 @@
cmd: /usr/share/scripts/deb822-migration.sh
ignore_errors: yes
tags:
- apt
- apt
- name: Add signed-by when relevant for bookworm
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list.d/system.sources
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
insertafter: "Suites: bookworm bookworm-updates"
state: present
tags:
- apt
- name: Add signed-by when relevant for bookworm-security
ansible.builtin.lineinfile:
dest: /etc/apt/sources.list.d/security.sources
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
insertafter: "Suites: bookworm-security"
state: present
tags:
- apt
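Review bot: the two "Add signed-by when relevant for bookworm" tasks have no `when:` even though their names promise one. `lineinfile` appends `line` at end of file when `insertafter` matches nothing, so on a non-bookworm host that was migrated to deb822 a `Signed-by:` line is appended to `system.sources` and `security.sources` regardless of suite; if the file ends with a blank line the appended field opens a new, incomplete stanza and apt rejects the file. Guard both tasks with `when: ansible_distribution_release == "bookworm"`. They are also not idempotent against an existing field: with no `regexp:`, a file already carrying `Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg` (what the templates in this commit write) gets a second, different `Signed-by` line. Use `regexp: '^Signed-[Bb]y:'` so the existing field is replaced rather than duplicated, and settle on one keyring and one spelling for both the migration and the templates. The `ignore_errors: yes` in the context above is another `yes` left unconverted.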

View file

@ -5,3 +5,4 @@ URIs: http://mirror.evolix.org/debian
Suites: bookworm bookworm-updates
Components: {{ apt_basics_components | mandatory }}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
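Review bot: `Signed-By:` here points to `debian-archive-bookworm-automatic.gpg`, while the deb822-migration task in this same commit inserts `Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg` into the same file on migrated hosts, so two hosts set up via different paths end up pinned to different keyrings and with different spellings; apt treats the field name case-insensitively, but a later `lineinfile` matching on the exact `line` will not. Pick one keyring for both (the per-release automatic keyring is the tighter choice) and confirm that the `debian-archive-keyring` package is present before `apt update` runs against this file, since a missing keyring path fails verification for the whole suite.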

View file

@ -5,3 +5,4 @@ URIs: https://security.debian.org/debian-security
Suites: bookworm-security
Components: {{ apt_basics_components | mandatory }}
Enabled: yes
Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg

View file

@ -1,3 +1,3 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }}
deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }}
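Review bot: backports suites on `archive.debian.org` ship a Release file whose `Valid-Until` has long passed, so `apt update` fails with "Release file for ... is expired" unless the source is declared with `[check-valid-until=no]`; the 9.9.0 changelog entry "apt: Ensure jessie-backport from archives.debian.org is accepted" handled exactly this for jessie. Verify on a stretch host and add the option to this template if it still applies.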

bind/files/reload-zone Executable file
View file

@ -0,0 +1,14 @@
#!/bin/bash
#
# Script utilitaire pour tester et recharger facilement un domaine dans Bind
# Usage : reload-zone <DOMAINE>
#
# TODO:
# - renommer le script (par ex bind-safe-reload)
# - vérifier le serial
# - ajouter un -h --help
# - prendre en charge plusieurs zones (ou aucune)
# - ajouter le script dans le role bind
named-checkzone "$1" /etc/bind/db."$1" && rndc reload "$1"
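Review bot: the script is added under `bind/files/` but no task in this diff deploys it, and its own TODO ("ajouter le script dans le role bind", i.e. add the script to the bind role) confirms that; either add the copy task or make the CHANGELOG entry ("bind: add reload-zone helper") say it is a helper that is not installed yet. The one-liner also assumes the zone file is `/etc/bind/db.<zone>` and runs with an empty `$1` if no argument is given; failing early (`[ -n "$1" ] || { echo "usage: $0 <zone>" >&2; exit 1; }`) and accepting the zone file path as a second argument would cover the common layouts. The header comments are in French (usage: `reload-zone <DOMAIN>`; TODO: rename the script, e.g. bind-safe-reload; check the serial; add `-h`/`--help`; handle several zones or none; add the script to the bind role) while the other scripts in this commit are in English.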

View file

@ -7,5 +7,5 @@
owner: bind
group: bind
mode: "0644"
force: yes
force: true
notify: restart bind

View file

@ -23,7 +23,7 @@
owner: root
group: root
mode: "0644"
force: yes
force: true
notify: restart apparmor
when: check_apparmor.rc == 0
@ -47,7 +47,7 @@
owner: root
group: root
mode: "0644"
force: yes
force: true
notify:
- reload systemd
- restart bind
@ -77,7 +77,7 @@
dest: /root/chroot-bind.sh
mode: "0700"
owner: root
force: yes
force: true
backup: yes
when: bind_chroot_set | bool
@ -109,7 +109,7 @@
owner: root
group: root
mode: "0644"
force: yes
force: true
notify: restart bind
- ansible.builtin.include: munin.yml

View file

@ -48,7 +48,7 @@
owner: root
group: root
mode: "0644"
force: yes
force: true
notify: restart munin-node
tags:
- bind

View file

@ -8,7 +8,7 @@
owner: bind
group: bind
mode: "0644"
force: yes
force: true
notify: restart bind
- name: enable zones.rfc1918 for recursive server

View file

@ -0,0 +1,44 @@
#!/bin/sh
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
daemon_found_and_running() {
test -n "$(pidof proftpd)" && test -n "${proftpd_bin}"
}
config_check() {
${proftpd_bin} configtest > /dev/null 2>&1
}
letsencrypt_used() {
grep -q -r -E "letsencrypt" /etc/proftpd/
}
main() {
if daemon_found_and_running; then
if letsencrypt_used; then
if config_check; then
debug "ProFTPD detected... reloading"
systemctl reload proftpd
else
error "ProFTPD config is broken, you must fix it !"
fi
else
debug "ProFTPD doesn't use Let's Encrypt certificate. Skip."
fi
else
debug "ProFTPD is not running or missing. Skip."
fi
}
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly proftpd_bin=$(command -v proftpd)
main
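Review bot: `config_check` runs `${proftpd_bin} configtest`, but proftpd's configuration test is the `-t` / `--configtest` switch; a bare `configtest` word is not an option, so whatever exit status this yields says nothing about the configuration (depending on how the binary treats the stray argument it may even try to start a second daemon), and the hook can reload a broken config or refuse a good one. Use `${proftpd_bin} -t > /dev/null 2>&1`. Two smaller points: `readonly PROGNAME=$(basename "$0")` masks the command's exit status (shellcheck SC2155), and `letsencrypt_used` only matches configurations whose certificate paths contain the string `letsencrypt`, so a copied or differently named certificate path makes the hook skip the reload, and `debug` only says so when `VERBOSE=1`.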

View file

@ -15,7 +15,7 @@
ansible.builtin.template:
src: acme-challenge/nginx.conf.j2
dest: /etc/nginx/snippets/letsencrypt.conf
force: yes
force: true
notify: reload nginx
when: is_nginx.stat.exists
@ -30,7 +30,7 @@
ansible.builtin.template:
src: acme-challenge/apache.conf.j2
dest: /etc/apache2/conf-available/letsencrypt.conf
force: yes
force: true
notify: reload apache
- name: ACME challenge for Apache is enabled

View file

@ -16,7 +16,7 @@
mode: '0755'
owner: root
group: root
force: yes
force: true
notify: install letsencrypt-auto
- name: Check certbot script
@ -49,7 +49,7 @@
ansible.builtin.copy:
src: cron_jessie
dest: /etc/cron.d/certbot
force: yes
force: true
when: certbot_custom_crontab | bool
- name: disable self-upgrade

View file

@ -12,6 +12,9 @@ docker_conf_no_newprivileges: False
# Toggle live restore (need to be disabled in swarm mode)
docker_conf_live_restore: True
# Toggle user namespace
docker_conf_user_namespace: True
# Disable all default network connectivity
docker_conf_disable_default_networking: False
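Review bot: flipping the default of `docker_conf_user_namespace` to `True` changes every host that does not set the variable. Once `userns-remap` is enabled, dockerd keeps images and containers in a new subdirectory of its data root named after the remapped uid/gid, so existing images, containers and volumes vanish from `docker images` / `docker ps -a` until the option is turned off again, and a running stack breaks at the next daemon restart. Either keep the default at `False` and let inventories opt in, or spell the migration out in the CHANGELOG entry (`docker-host: added var for user namespace setting` does not say the default is on). User namespace remapping is a sound default for new hosts.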

View file

@ -22,11 +22,19 @@
state: present
when: ansible_distribution_major_version is version('10', '<')
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Add Docker's official GPG key
ansible.builtin.copy:
src: docker-debian.asc
dest: "{{ apt_keyring_dir }}/docker-debian.asc"
force: yes
force: true
mode: "0644"
owner: root
group: root
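Review bot: the new `Ensure {{ apt_keyring_dir }} directory exists` task uses the short module name `file:` while every other task in the file uses the FQCN `ansible.builtin.file:`, and `mode: "755"` without the leading zero differs from the `"0644"` style used two tasks below; both are things ansible-lint flags. Prefer `ansible.builtin.file:` and `mode: "0755"`.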
@ -43,7 +51,6 @@
ansible.builtin.template:
src: docker.sources.j2
dest: /etc/apt/sources.list.d/docker.sources
state: present
register: docker_sources
when: ansible_distribution_major_version is version('12', '>=')

View file

@ -4,8 +4,10 @@
,"data-root": "{{ docker_home }}"
{# Keep containers running while docker daemon downtime #}
,"live-restore": {{ docker_conf_live_restore | to_json }}
{% if docker_conf_user_namespace %}
{# Turn on user namespace remaping #}
,"userns-remap": "default"
{% endif %}
{% if docker_conf_use_iptables %}
{# Use iptables instead of docker-proxy #}
,"userland-proxy": false

View file

@ -2,6 +2,8 @@
Installation and basic configuration of dovecot
Do not use this role to update Dovecot 2.2 to 2.3.
## Tasks
Minimal configuration is in `tasks/main.yml`
@ -9,3 +11,14 @@ Minimal configuration is in `tasks/main.yml`
## Available variables
The full list of variables (with default values) can be found in `defaults/main.yml`.
## Munin plugins
### dovecot_stats_
Note : This is an Evolix patched version.
This plugin can be installed only when installin a server, because it needs Dovevcot plugin stats (Dovecot 2.2) or old_stats (Dovecot 2.3), which previously were not activated by default.
To skip this plugin installation, use "--skip-tags dovecot_stats_".
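Review bot: typos in the added text: `installin` should be `installing`, `Dovevcot` should be `Dovecot`, and `Note :` has a stray space before the colon. The sentence also says the plugin needs `stats` on Dovecot 2.2 or `old_stats` on 2.3, but the `dovecot.conf.j2` change in this commit only enables `old_stats`; say plainly that the role and this plugin now target Dovecot 2.3, which is consistent with the new "Do not use this role to update Dovecot 2.2 to 2.3" line.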

View file

@ -1,2 +0,0 @@
[dovecot]
group adm

View file

@ -1,128 +0,0 @@
#! /bin/bash
#
# Munin Plugin
# to count logins to your dovecot mailserver
#
# Created by Dominik Schulz <lkml@ds.gauner.org>
# http://developer.gauner.org/munin/
# Contributions by:
# - Stephane Enten <tuf@delyth.net>
# - Steve Schnepp <steve.schnepp@pwkf.org>
# - pcy <pcy@ulyssis.org> (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
#
# Parameters understood:
#
# config (required)
# autoconf (optional - used by munin-config)
#
# Config variables:
#
# logfile - Where to find the syslog file
#
# Add the following line to a file in /etc/munin/plugin-conf.d:
# env.logfile /var/log/your/logfile.log
#
# Magic markers (optional - used by munin-config and installation scripts):
#
#%# family=auto
#%# capabilities=autoconf
######################
# Configuration
######################
EXPR_BIN=/usr/bin/expr
LOGFILE=${logfile:-/var/log/mail.log}
######################
if [ "$1" = "autoconf" ]; then
[ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)"
exit 0
fi
if [ "$1" = "config" ]; then
echo 'graph_title Dovecot Logins'
echo 'graph_category mail'
echo 'graph_args --base 1000 -l 0'
echo 'graph_vlabel Login Counters'
for t in Total TLS SSL IMAP POP3
do
field=$(echo $t | tr '[:upper:]' '[:lower:]')
echo "login_$field.label $t Logins"
echo "login_$field.type DERIVE"
echo "login_$field.min 0"
done
echo 'connected.label Connected Users'
echo "connected.type DERIVE"
exit 0
fi
######################
# Total Logins
######################
echo -en "login_total.value "
VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# Connected Users
######################
DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE)
CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS)
if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then
VALUE=0
fi
echo -en "connected.value "
echo $VALUE
echo -n
######################
# TLS Logins
######################
echo -en "login_tls.value "
VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# SSL Logins
######################
echo -en "login_ssl.value "
VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# IMAP Logins
######################
echo -en "login_imap.value "
VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n
######################
# POP3 Logins
######################
echo -en "login_pop3.value "
VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
if [ ! -z "$VALUE" ]; then
echo "$VALUE"
else
echo "0"
fi
echo -n

View file

@ -0,0 +1,242 @@
#!/usr/bin/perl
#%# family=auto
#%# capabilities=autoconf
use Munin::Plugin;
$pos = undef;
$connected = 0;
$connectedimap = 0;
$connectedpop3 = 0;
$connections = 0;
$connectionsimap = 0;
$connectionspop3 = 0;
$login = 0;
$pop3login = 0;
$imaplogin = 0;
$tls = 0;
$ssl = 0;
$aborted = 0;
($dirname = $0) =~ s/[^\/]+$//;
$dovelogfile = 0 ;
$logfile = $ENV{'LOGFILE'} || '/var/log/mail.log';
if ( $logfile =~ /dovecot/ ) {
$dovelogfile = 1 ;
}
# Use an overridden $PATH for all external programs if needed
$DOVEADM = "doveadm";
if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) {
if (! -x $DOVEADM) {
print "no (no doveadm)\n";
exit(0);
}
if (! -f $logfile) {
print "no (logfile $logfile does not exist)\n";
exit(0);
}
if (-r "$logfile") {
print "yes\n";
exit 0;
} else {
print "no (logfile not readable)\n";
}
exit 0;
}
if (-f "$logfile.0") {
$rotlogfile = $logfile . ".0";
} elsif (-f "$logfile.1") {
$rotlogfile = $logfile . ".1";
} elsif (-f "$logfile.01") {
$rotlogfile = $logfile . ".01";
} else {
$rotlogfile = $logfile . ".0";
}
if ( $ARGV[0] and $ARGV[0] eq "config" ) {
print "multigraph dovecot_connections\n";
print "graph_title Dovecot connections\n";
print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
print "graph_vlabel connections\n";
print "graph_category mail\n";
print "connections.label Connections open\n";
print "connections.type GAUGE\n";
print "connections.draw LINE1\n";
print "connections.min 0\n";
print "connectionsimap.label IMAP\n";
print "connectionsimap.type GAUGE\n";
print "connectionsimap.draw AREA\n";
print "connectionsimap.min 0\n";
print "connectionspop3.label POP3\n";
print "connectionspop3.type GAUGE\n";
print "connectionspop3.draw STACK\n";
print "connectionspop3.min 0\n";
print "multigraph dovecot_connected\n";
print "graph_title Dovecot connected users\n";
print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
print "graph_vlabel connections\n";
print "graph_category mail\n";
print "connected.label Connected users\n";
print "connected.type GAUGE\n";
print "connected.draw LINE1\n";
print "connected.min 0\n";
print "connectedimap.label IMAP\n";
print "connectedimap.type GAUGE\n";
print "connectedimap.draw AREA\n";
print "connectedimap.min 0\n";
print "connectedpop3.label POP3\n";
print "connectedpop3.type GAUGE\n";
print "connectedpop3.draw STACK\n";
print "connectedpop3.min 0\n";
print "multigraph dovecot_logins\n";
print "graph_title Dovecot logins\n";
print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
print "graph_vlabel logins/5 minute\n";
print "graph_category mail\n";
print "login.label Logins\n";
print "login.type GAUGE\n";
print "login.draw LINE1\n";
print "login.min 0\n";
print "imaplogin.label IMAP logins\n";
print "imaplogin.type GAUGE\n";
print "imaplogin.draw LINE1\n";
print "imaplogin.min 0\n";
print "pop3login.label POP3 logins\n";
print "pop3login.type GAUGE\n";
print "pop3login.draw LINE1\n";
print "pop3login.min 0\n";
print "tls.label TLS\n";
print "tls.type GAUGE\n";
print "tls.draw LINE1\n";
print "tls.min 0\n";
print "ssl.label SSL\n";
print "ssl.type GAUGE\n";
print "ssl.draw LINE1\n";
print "ssl.min 0\n";
print "aborted.label Aborted logins\n";
print "aborted.type GAUGE\n";
print "aborted.draw LINE1\n";
print "aborted.min 0\n";
exit 0;
}
if (! -f $logfile and ! -f $rotlogfile) {
print "multigraph dovecot_connections\n";
print "connections.value U";
print "connectionsimap.value U";
print "connectionspop3.value U";
print "multigraph dovecot_connected\n";
print "connected.value U\n";
print "connectedimap.value U\n";
print "connectedpop3.value U\n";
print "multigraph dovecot_logins\n";
print "login.value U\n";
print "pop3login.value U\n";
print "imaplogin.value U\n";
print "tls.value U\n";
print "ssl.value U\n";
print "aborted.value U\n";
exit 0;
}
# dit kan beter maar twee calls zijn toch nodig also we niet zelf aggegreren
# suggestie: doveadm who -1 | awk '{print $1" "$2" "$4}' | sort | uniq -c
$connectedimap = `$DOVEADM -f flow who | grep imap | wc -l`;
$connectedpop3 = `$DOVEADM -f flow who | grep pop3 | wc -l`;
$connectionsimap = `$DOVEADM -f flow who -1 | grep imap | wc -l`;
$connectionspop3 = `$DOVEADM -f flow who -1 | grep pop3 | wc -l`;
#trim
$connectedimap =~ s/\s+$//;
$connectedpop3 =~ s/\s+$//;
$connectionsimap =~ s/\s+$//;
$connectionspop3 =~ s/\s+$//;
$connected = $connectedimap + $connectedpop3;
$connections = $connectionsimap + $connectionspop3;
my ($pos) = restore_state();
$startsize = (stat $logfile)[7];
if (!defined $pos) {
# Initial run.
$pos = $startsize;
}
if ($startsize < $pos) {
# Log rotated
parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]);
$pos = 0;
}
parseDovecotfile ($logfile, $pos, $startsize);
$pos = $startsize;
save_state($pos);
print "multigraph dovecot_connections\n";
print "connections.value $connections\n";
print "connectionsimap.value $connectionsimap\n";
print "connectionspop3.value $connectionspop3\n";
print "multigraph dovecot_connected\n";
print "connected.value $connected\n";
print "connectedimap.value $connectedimap\n";
print "connectedpop3.value $connectedpop3\n";
print "multigraph dovecot_logins\n";
print "login.value $login\n";
print "pop3login.value $pop3login\n";
print "imaplogin.value $imaplogin\n";
print "tls.value $tls\n";
print "ssl.value $ssl\n";
print "aborted.value $aborted\n";
sub parseDovecotfile {
my ($fname, $start, $stop) = @_;
open (logf, $fname) or exit 3;
seek (logf, $start, 0) or exit 2;
while (tell (logf) < $stop) {
my $line =<logf>;
chomp ($line);
if ( $dovelogfile == 0 and $line !~ m/dovecot/) { next; }
else {
if ($line =~ m/Aborted/) {
$aborted++;
} elsif ($line =~ m/Login:/) {
$login++;
if ( $line =~ m/TLS/) {
$tls++;
} elsif ($line =~ m/SSL/) {
$ssl++;
}
if ( $line =~ m/pop3-login:/) {
$pop3login++;
} elsif ($line =~ m/imap-login:/) {
$imaplogin++;
}
}
}
}
close(logf);
}
# vim:syntax=perl
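Review bot: `autoconf` can never answer `yes`: `$DOVEADM` is the bare name `doveadm`, so `-x $DOVEADM` tests for a file called `doveadm` in the current working directory rather than on `$PATH`, and the plugin prints `no (no doveadm)` on a perfectly good host. Use an absolute path (the companion `dovecot_stats_` plugin tests `/usr/bin/doveadm`) or resolve it from `$PATH` first. In the missing-logfile branch, `print "connections.value U";` and the two lines after it lack `\n`, so Munin receives the three values concatenated on one line. Finally, add `use strict; use warnings;` and declare the globals with `my`; the duplicate `$pos` (set to `undef` at the top, then re-declared with `my ($pos) = restore_state();`) is the kind of thing that hides.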

View file

@ -0,0 +1,158 @@
#!/bin/bash
: <<=cut
=head1 NAME
dovecot_stats_ - Munin plugin to display statistics for the dovecot mail server
=head1 CONFIGURATION
This plugin must be run with permissions to run "doveadm". That usually means root, but to test, run the following as any user:
doveadm who
If you get a permission denied message, check the permissions on the socket mentioned in the error line.
=head1 MAGIC MARKERS
#%# family=contrib
#%# capability=autoconf suggest
=head1 AUTHOR
Paul Saunders <darac+munin@darac.org.uk>
=cut
. $MUNIN_LIBDIR/plugins/plugin.sh
is_multigraph
if [[ "$1" == "autoconf" ]]; then
if [[ -x /usr/bin/doveadm ]]; then
echo yes
else
echo no
fi
exit 0
fi
# Dovecot 2.3 changes the stas format, but we can still access the older version with "doveadm oldstats".
dovecot_version=$(/usr/sbin/dovecot --version | awk '{print $1}')
verlte() {
[ "$1" = "$2" ] && return 1 || [ "$2" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
}
verlt() {
[ "$1" = "$2" ] && return 1 || verlte $2 $1
}
# The stats command is "stats" unless the version is NOT less than 2.3, in which case it's "oldstats".
stats_command="stats"
verlt $dovecot_version 2.3 || stats_command="oldstats"
if [[ "$1" == "suggest" ]]; then
doveadm $stats_command dump domain|awk 'NR!=1 {print $1}'
exit 0
fi
domain=$(basename $0)
domain=${domain#dovecot_stats_}
if [[ -z $domain ]]; then
exit 1
fi
if [[ "$1" == "config" ]]; then
cat <<EOF
multigraph dovecot_cpu_${domain//\./_}
graph_title Dovecot CPU Usage for $domain
graph_vlabel Seconds
graph_category mail
user_cpu.label User CPU
user_cpu.type DERIVE
user_cpu.min 0
user_cpu.cdef user_cpu,1000000,/
sys_cpu.label System CPU
sys_cpu.type DERIVE
sys_cpu.min 0
sys_cpu.cdef sys_cpu,1000000,/
multigraph dovecot_system_${domain//\./_}
graph_title Dovecot System Usage for $domain
graph_category mail
min_faults.label Minor page faults
min_faults.type DERIVE
min_faults.min 0
maj_faults.label Major page faults
maj_faults.type DERIVE
maj_faults.min 0
vol_cs.label Voluntary context switches
vol_cs.type DERIVE
vol_cs.min 0
invol_cs.label Involuntary context switches
invol_cs.type DERIVE
invol_cs.min 0
read_count.label read() syscalls
read_count.type DERIVE
read_count.min 0
write_count.label write() syscalls
write_count.type DERIVE
write_count.min 0
multigraph dovecot_mail_${domain//\./_}
graph_title Dovecot Mail Access for $domain
graph_category mail
num_logins.label Logins
num_logins.type DERIVE
num_logins.min 0
num_cmds.label Commands
num_cmds.type DERIVE
num_cmds.min 0
mail_lookup_path.label Path Lookups
mail_lookup_path.type DERIVE
mail_lookup_path.min 0
mail_lookup_attr.label Attr lookups
mail_lookup_attr.type DERIVE
mail_lookup_attr.min 0
mail_read_count.label Messages read
mail_read_count.type DERIVE
mail_read_count.min 0
mail_cache_hits.label Cache hits
mail_cache_hits.type DERIVE
mail_cache_hits.min 0
EOF
exit 0
fi
# Added by Will
if [ "${domain}" = "global" ]; then
args="global"
else
args="domain domain=$domain"
fi
# Fetch data
# Gawk script cadged from http://awk.info/?JanisP
doveadm $stats_command dump $args | gawk -F\\t -v cols="user_cpu sys_cpu min_faults maj_faults vol_cs invol_cs read_count write_count num_logins num_cmds mail_lookup_path mail_lookup_attr mail_read_count mail_cache_hits " -v domain=${domain//\./_} '
BEGIN {
n=split(cols,col," ")
for (i=1; i<=n; i++) s[col[i]]=i
}
NR==1 {
for (f=1;f<=NF; f++)
if ($f in s) c[s[$f]]=f
next
}
{ for (f=1; f<=n; f++) {
if (col[f] == "user_cpu") printf ("\nmultigraph dovecot_cpu_%s\n", domain)
if (col[f] == "min_faults") printf ("\nmultigraph dovecot_system_%s\n", domain)
if (col[f] == "num_logins") printf ("\nmultigraph dovecot_mail_%s\n", domain)
if (col[f] == "user_cpu" || col[f] == "sys_cpu")
printf("%s.value %d\n",col[f],$c[f] * 1000000)
else
printf("%s.value %d\n",col[f],$c[f])
}
}
'
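Review bot: the version gate works but is hard to read: `verlte` is true only when `$1` is strictly greater than `$2`, `verlt` swaps the arguments, and the comment above `stats_command` describes the result as a double negative. On Debian the same test is one line, `dpkg --compare-versions "$dovecot_version" lt 2.3 || stats_command="oldstats"`, which also treats `2.3` and `2.3.0` the way dpkg does. Two nits: `stas` in the comment above `dovecot_version`, and `autoconf` checks `/usr/bin/doveadm` while the data path calls a bare `doveadm`; pick one so the two cannot disagree.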

View file

@ -0,0 +1,6 @@
[dovecot1]
user root
[dovecot_stats_*]
user root

View file

@ -14,3 +14,7 @@
name: log2mail
state: restarted
- name: restart munin-node
ansible.builtin.systemd:
name: munin-node
state: restarted

View file

@ -8,16 +8,63 @@
- name: Munin plugins are present and configured
block:
- name: Install munin plugin
ansible.builtin.copy:
src: munin_plugin
dest: /etc/munin/plugins/dovecot
- name: Disable dovecot plugin
ansible.builtin.file:
path: /etc/munin/plugins/dovecot
state: absent
- name: Remove dovecot plugin conf
ansible.builtin.file:
path: /etc/munin/plugin-conf.d/dovecot
state: absent
- name: "Remount /usr if needed"
ansible.builtin.include_role:
name: remount-usr
- name: Ensures /usr/local/lib/munin/plugins/ dir exists
ansible.builtin.file:
path: "/usr/local/lib/munin/plugins/"
state: directory
mode: "0755"
- name: Install munin config
- name: Install dovecot1 plugin
# Original from https://github.com/munin-monitoring/contrib/blob/master/plugins/dovecot/dovecot1
ansible.builtin.copy:
src: munin_config
dest: /etc/munin/plugin-conf.d/dovecot
mode: "0644"
src: munin_plugin_dovecot1
dest: /usr/local/lib/munin/plugins/dovecot1
mode: "0755"
- name: Install dovecot_stats_ plugin
# Modified from https://github.com/munin-monitoring/contrib/blob/master/plugins/dovecot/dovecot_stats_
ansible.builtin.copy:
src: munin_plugin_dovecot_stats_
dest: /usr/local/lib/munin/plugins/dovecot_stats_
mode: "0755"
tags: dovecot_stats_
- name: Copy Munin config
ansible.builtin.copy:
src: z-evolinux-dovecot.conf
dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot
mode: '0644'
notify: restart munin-node
- name: Enable dovecot1 plugin
ansible.builtin.file:
src: "/usr/local/lib/munin/plugins/dovecot1"
dest: "/etc/munin/plugins/dovecot1"
state: link
when: not ansible_check_mode
- name: Enable wildcard dovecot_stats_ plugin for all domains
ansible.builtin.file:
src: "/usr/local/lib/munin/plugins/dovecot_stats_"
dest: "/etc/munin/plugins/dovecot_stats_global"
state: link
when: not ansible_check_mode
tags: dovecot_stats_
when: munin_node_plugins_config.stat.exists
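Review bot: the task named `Enable wildcard dovecot_stats_ plugin for all domains` only creates the `dovecot_stats_global` symlink, i.e. the global aggregate, not one link per domain; either rename it or loop over the domains (the plugin's `suggest` mode lists them from `doveadm ... dump domain`) creating `dovecot_stats_{{ item }}` links. `Copy Munin config` is untagged, so `--skip-tags dovecot_stats_` still installs the `[dovecot_stats_*]` `user root` stanza, which is harmless but surprising; tag it or split the file. Style: `mode: '0644'` uses single quotes where the rest of the file uses double.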

View file

@ -1,5 +1,8 @@
# {{ ansible_managed }}
# Plugins list (must be before filters {} that modify it)
mail_plugins = $mail_plugins old_stats
# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS
disable_plaintext_auth = no
auth_mechanisms = plain login
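Review bot: `mail_plugins = $mail_plugins old_stats` (and the `service old-stats` block further down in this template) are added unconditionally, whereas the README says the `dovecot_stats_` Munin plugin can be left out with `--skip-tags dovecot_stats_`; a host installed that way still loads `old_stats`, tracks every command (`old_stats_track_cmds = yes`) and opens the stats listeners for nothing. Gate these template lines on a role variable and reuse it in the Munin plugin tasks, so the skip-tag and the template agree.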
@ -36,14 +39,26 @@ service login {
mail_max_userip_connections = 42
# Configuration pour stats dovecot
service stats {
unix_listener stats-reader {
protocol imap {
mail_plugins = $mail_plugins imap_old_stats
}
plugin {
old_stats_refresh = 30 secs
old_stats_track_cmds = yes
}
service old-stats {
fifo_listener old-stats-mail {
user = vmail
group = vmail
mode = 0660
}
unix_listener old-stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
unix_listener old-stats-writer {
user = vmail
group = vmail
mode = 0660

View file

@ -5,10 +5,20 @@ elasticsearch_cluster_name: Null
elasticsearch_cluster_members: Null
elasticsearch_minimum_master_nodes: Null
elasticsearch_node_name: "${HOSTNAME}"
elasticsearch_network_host:
- "_local_"
# https://www.elastic.co/guide/en/elasticsearch/reference/8.7/modules-network.html
elasticsearch_network_host: "_local_"
elasticsearch_network_publish_host: Null
elasticsearch_network_port: Null
elasticsearch_http_host: Null
elasticsearch_http_publish_host: Null
elasticsearch_http_port: Null
elasticsearch_transport_host: Null
elasticsearch_transport_publish_host: Null
elasticsearch_transport_port: Null
elasticsearch_discovery_seed_hosts: Null
elasticsearch_cluster_initial_master_nodes: Null
elasticsearch_custom_datadir: Null
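Review bot: `elasticsearch_network_host` changes type from a list (`- "_local_"`) to a scalar string. Inventories that still set a list are rendered by the `network.host: {{ elasticsearch_network_host }}` task as a Python list literal such as `['_local_']`, which happens to parse as YAML but only by accident. Mention the type change in the CHANGELOG, or keep accepting both forms by rendering the value with `to_yaml(default_flow_style=True)` the way the new `discovery.seed_hosts` task does.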

View file

@ -19,4 +19,4 @@
mode: "0755"
owner: "root"
group: "root"
force: yes
force: true

View file

@ -5,11 +5,19 @@
state: present
when: ansible_distribution_major_version is version('10', '<')
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Elastic GPG key is installed
ansible.builtin.copy:
src: elastic.asc
dest: "{{ apt_keyring_dir }}/elastic.asc"
force: yes
force: true
mode: "0644"
owner: root
group: root
@ -33,4 +41,4 @@
- name: Update APT cache
ansible.builtin.apt:
update_cache: yes
when: elastic_sources is changed
when: elastic_sources is changed

View file

@ -12,7 +12,7 @@
- name: Maximum map count check
ansible.posix.sysctl:
name: vm.max_map_count
value: 262144
value: "262144"
sysctl_file: /etc/sysctl.d/elasticsearch.conf
when: max_map_count | int < 262144
tags:

View file

@ -22,7 +22,7 @@
- name: Configure network host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "network.host: {{ elasticsearch_network_host }}"
line: "network.host: {{ elasticsearch_network_host }}"
regexp: "^network.host:"
insertafter: "^# *network.host:"
when: elasticsearch_network_host | default("", True) | length > 0
@ -32,28 +32,89 @@
- name: Configure network publish_host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
regexp: "^network.publish_host:"
insertafter: "^network.host:"
when: elasticsearch_network_publish_host | default("", True) | length > 0
tags:
- config
- name: Configure network port
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "network.port: {{ elasticsearch_network_port }}"
regexp: "^network.port:"
insertafter: "^network.host:"
when: elasticsearch_network_port | default("", True) | length > 0
tags:
- config
- name: Configure http host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "http.host: {{ elasticsearch_http_host }}"
regexp: "^http.host:"
insertafter: "^# *http.host:"
when: elasticsearch_http_host | default("", True) | length > 0
tags:
- config
- name: Configure http publish_host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
regexp: "^http.publish_host:"
insertafter: "^http.port:"
when: elasticsearch_http_publish_host | default("", True) | length > 0
tags:
- config
- name: Configure http port
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "http.port: {{ elasticsearch_http_port }}"
regexp: "^http.port:"
insertafter: "^http.host:"
when: elasticsearch_http_port | default("", True) | length > 0
tags:
- config
- name: Configure transport host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "transport.host: {{ elasticsearch_transport_host }}"
regexp: "^transport.host:"
insertafter: "^# *transport.host:"
when: elasticsearch_transport_host | default("", True) | length > 0
tags:
- config
- name: Configure transport publish_host
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "transport.publish_host: {{ elasticsearch_transport_publish_host }}"
regexp: "^transport.publish_host:"
insertafter: "^transport.host:"
when: elasticsearch_transport_publish_host | default("", True) | length > 0
tags:
- config
- name: Configure transport port
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "transport.port: {{ elasticsearch_transport_port }}"
regexp: "^transport.port:"
insertafter: "^transport.host:"
when: elasticsearch_transport_port | default("", True) | length > 0
tags:
- config
- name: Configure discovery seed hosts
ansible.builtin.lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}"
regexp: "^discovery.seed_hosts:"
insertafter: "^# *discovery.seed_hosts:"
when: elasticsearch_discovery_seed_hosts | default([], True) | length > 0
tags:
- config
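Review bot: the `when:` guards use `| default("", True) | length > 0`, but `elasticsearch_network_port`, `elasticsearch_http_port` and `elasticsearch_transport_port` are ports that users will naturally write as integers (`9200`), and Jinja's `length` filter raises `object of type 'int' has no len()` on an integer, so the play fails at the condition instead of writing the line. Use `| default("", True) | string | length > 0`, or simply `is not none`. Separately, `Configure http publish_host` has `insertafter: "^http.port:"` but runs before `Configure http port`, so on a fresh file it falls back to end-of-file while `http.port` is later inserted after `^http.host:` above it; swap the two tasks or make both insert after `^http.host:`.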
@ -118,14 +179,11 @@
tags:
- config
- name: Disable garbage collector logs (JDK >= 9)
ansible.builtin.lineinfile:
- name: Disable garbage collector logs
ansible.builtin.replace:
dest: /etc/elasticsearch/jvm.options
regexp: "Xlog:gc"
line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m"
owner: root
group: elasticsearch
mode: "0640"
regexp: '^([^#]*-Xlog:gc.+)'
replace: '#\1'
tags:
- config
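Review bot: the regexp `'^([^#]*-Xlog:gc.+)'` needs at least one character after `gc`, so an option written exactly as `-Xlog:gc` at end of line stays active; `'^([^#]*-Xlog:gc.*)'` covers both. The removed task also set `owner: root`, `group: elasticsearch` and `mode: "0640"` on `jvm.options`, and `replace` only preserves whatever permissions it finds, so confirm the package ships the file with those values.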

View file

@ -1,6 +1,7 @@
---
- name: APT sources
ansible.builtin.import_tasks: apt_sources.yml
ansible.builtin.include_tasks: apt_sources.yml
args:
apply:
tags:

View file

@ -32,7 +32,7 @@
environment:
TMPDIR: "{{ elasticsearch_plugin_head_tmp_dir }}"
become_user: "{{ elasticsearch_plugin_head_owner }}"
become: yes
become: true
- name: Elasticsearch HTTP/CORS are enabled
ansible.builtin.lineinfile:

View file

@ -10,12 +10,12 @@
- ansible_distribution == "Debian"
- name: Install and configure utilities
ansible.builtin.include: utils.yml
ansible.builtin.import_tasks: utils.yml
tags:
- etc-git
- name: Configure repositories
ansible.builtin.include: repositories.yml
ansible.builtin.import_tasks: repositories.yml
tags:
- etc-git
when: etc_git_config_repositories | bool

View file

@ -26,7 +26,7 @@
when:
- _usr_share_scripts.stat.isdir
- ansible.builtin.include: repository.yml
- ansible.builtin.import_tasks: repository.yml
vars:
repository_path: "/usr/share/scripts"
gitignore_items: []

View file

@ -38,7 +38,7 @@
dest: "{{ repository_path }}/.gitignore"
owner: root
mode: "0600"
force: no
force: false
tags:
- etc-git

View file

@ -10,7 +10,7 @@
src: evocommit
dest: /usr/local/bin/evocommit
mode: "0755"
force: yes
force: true
tags:
- etc-git
@ -19,7 +19,7 @@
src: ansible-commit
dest: /usr/local/bin/ansible-commit
mode: "0755"
force: yes
force: true
tags:
- etc-git
@ -28,7 +28,7 @@
src: etc-git-optimize
dest: /usr/share/scripts/etc-git-optimize
mode: "0755"
force: yes
force: true
tags:
- etc-git
@ -37,7 +37,7 @@
src: etc-git-status
dest: /usr/share/scripts/etc-git-status
mode: "0755"
force: yes
force: true
tags:
- etc-git

View file

@ -1,6 +1,6 @@
- hosts: default
gather_facts: yes
become: yes
become: true
roles:
# - squid

View file

@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="23.04.01"
VERSION="23.07"
readonly VERSION
# base functions

View file

@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="23.04.01"
VERSION="23.07"
readonly VERSION
# base functions
@ -55,7 +55,7 @@ detect_os() {
DEBIAN_MAIN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
if [ "${DEBIAN_MAIN_VERSION}" -lt "9" ]; then
echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2
echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2
echo "This version is built for Debian 9 and later." >&2
exit
fi
@ -231,8 +231,15 @@ check_customcrontab() {
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
}
check_sshallowusers() {
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
if is_debian_bookworm; then
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
&& failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
else
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
fi
}
check_diskperf() {
perfFile="/root/disk-perf.txt"
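Review bot: both `grep -E -qir "(AllowUsers|AllowGroups)"` calls are unanchored, so a commented-out `# AllowUsers` in a drop-in satisfies the bookworm check, and an explanatory comment in `sshd_config` that merely mentions AllowGroups makes the second test fail with `AllowUsers or AllowGroups directive present in sshd_config`. Anchor the pattern (`^\s*(AllowUsers|AllowGroups)`) or, better, ask sshd for the effective configuration the way `check_sshpermitrootno` does with `sshd -T` and look for `allowusers` / `allowgroups` in its output, which also covers `Match` blocks and include ordering.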
@ -276,7 +283,7 @@ check_alert5minifw() {
fi
}
check_minifw() {
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*(all|0)\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|| failed "IS_MINIFW" "minifirewall seems not started"
}
check_minifw_includes() {
@ -307,7 +314,7 @@ check_nrpedisks() {
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
}
check_nrpepid() {
if is_debian_bullseye; then
if { is_debian_bullseye || is_debian_bookworm ; }; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
@ -874,19 +881,27 @@ check_ldap_backup() {
check_redis_backup() {
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
# REDIS_BACKUP_PATH may contain space-separated paths, example:
# REDIS_BACKUP_PATH may contain space-separated paths, for example:
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
# Old default path: /home/backup/dump.rdb
# New default path: /home/backup/redis/dump.rdb
if [ -z "${REDIS_BACKUP_PATH}" ]; then
if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then
failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)."
fi
else
for file in ${REDIS_BACKUP_PATH}; do
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing."
done
# Warning : this script doesn't handle spaces in file paths !
REDIS_BACKUP_PATH="${REDIS_BACKUP_PATH:-$(find /home/backup/ -iname "*.rdb*")}"
# Check number of dumps
n_instances=$(pgrep 'redis-server' | wc -l)
n_dumps=$(echo $REDIS_BACKUP_PATH | wc -w)
if [ ${n_dumps} -lt ${n_instances} ]; then
failed "IS_REDIS_BACKUP" "Missing Redis dump : ${n_instances} instance(s) found versus ${n_dumps} dump(s) found."
fi
# Check last dump date
age_threshold=$(date +"%s" -d "now - 2 days")
for dump in ${REDIS_BACKUP_PATH}; do
last_update=$(stat -c "%Z" $dump)
if [ "${last_update}" -lt "${age_threshold}" ]; then
failed "IS_REDIS_BACKUP" "Redis dump ${dump} is older than 2 days."
fi
done
fi
}
check_elastic_backup() {
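Review bot: `stat -c "%Z"` is the inode change time, not the modification time; it is reset by `chmod`, `chown` or a rename, so a rotation script that renames or re-owns an old `dump.rdb` makes a stale dump look fresh to the two-day check. Use `%Y`. The default discovery `find /home/backup/ -iname "*.rdb*"` also matches compressed rotations such as `dump.rdb.gz`, which inflates `n_dumps` and can hide a missing instance dump; match `-name '*.rdb'` (or exclude rotated suffixes) and quote `$dump` in the `stat` call, since the comment already admits paths with spaces are unsupported.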
@ -1076,14 +1091,14 @@ check_usrsharescripts() {
check_sshpermitrootno() {
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
if is_debian_stretch; then
# Noop, we'll use the default $sshd_args
# Noop, we'll use the default $sshd_args
:
elif is_debian_buster; then
sshd_args="${sshd_args},rdomain="
sshd_args="${sshd_args},rdomain="
else
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
# -T doesn't require the additional -C.
sshd_args=
sshd_args=
fi
# shellcheck disable=SC2086
if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then
@ -1216,7 +1231,7 @@ check_lxc_container_resolv_conf() {
else
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}"
fi
done
done
fi
}
# Check that there are containers if lxc is installed.
@ -1302,7 +1317,7 @@ get_version() {
case "${program}" in
## Special case if `command --version => 'command` is not the standard way to get the version
# my_command)
# /path/to/my_command --get-version
# /path/to/my_command --get-version
# ;;
add-vm)

@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="23.04.01"
VERSION="23.07"
readonly VERSION
# base functions

@ -16,5 +16,5 @@
mode: "0644"
owner: root
group: root
force: yes
force: true
when: is_cron_installed.rc == 0

@ -36,7 +36,7 @@
dest: "{{ evocheck_bin_dir }}/evocheck.sh"
mode: "0700"
owner: root
force: yes
force: true
tags:
- evocheck
@ -44,6 +44,6 @@
ansible.builtin.copy:
src: evocheck.cf
dest: /etc/evocheck.cf
force: no
force: false
tags:
- evocheck

@ -51,6 +51,7 @@ evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_intern
evolinux_kernel_include: True
evolinux_kernel_cloud_auto: True
evolinux_kernel_cloud_reboot: True
evolinux_kernel_reboot_after_panic: True
evolinux_kernel_disable_tcp_timestamps: True
evolinux_kernel_customize_swappiness: True
@ -103,6 +104,8 @@ evolinux_system_locales: True
evolinux_system_set_timezone: True
evolinux_system_timezone: "Europe/Paris"
evolinux_system_include_ntpd: "{{ ansible_distribution_major_version is version('12', '<') }}"
evolinux_system_include_timesyncd: "{{ ansible_distribution_major_version is version('12', '>=') }}"
evolinux_system_vim_skip_defaults: True
evolinux_system_vim_default_editor: True
@ -173,6 +176,8 @@ evolinux_logs_default_dateext : True
evolinux_logs_disable_logrotate_rsyslog: True
evolinux_logs_rsyslog_conf: True
evolinux_logrotate_dateformat: "-%Y%m%d%H"
evolinux_logs_disable_logcheck_journald: True
evolinux_logs_journald_conf: True
# default www
@ -229,4 +234,4 @@ evolinux_cron_checkhpraid_frequency: daily
evolinux_motd_include: True
# Utils
evolinux_utils_include: True
evolinux_utils_include: True

@ -3,7 +3,7 @@
PROGNAME="dump-server-state"
REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state"
VERSION="22.04.3"
VERSION="23.08"
readonly VERSION
dump_dir=
@ -15,7 +15,7 @@ show_version() {
cat <<END
${PROGNAME} version ${VERSION}
Copyright 2018-2022 Evolix <info@evolix.fr>,
Copyright 2018-2023 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Éric Morino <emorino@evolix.fr>,
Brice Waegeneire <bwaegeneire@evolix.fr>
@ -23,7 +23,7 @@ Copyright 2018-2022 Evolix <info@evolix.fr>,
${REPOSITORY}
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
@ -442,14 +442,14 @@ task_iptables() {
printf "\n#### ip6tables --table mangle --list ###############\n"
${ip6tables_bin} --table mangle --list --numeric --verbose --line-numbers
fi
} > "${dump_dir}/iptables-v.txt")
} > "${dump_dir}/iptables-v.txt") 2> "${dump_dir}/iptables-v.err"
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* iptables -v OK"
else
debug "* iptables -v ERROR"
debug "${last_result}"
debug "$(cat ${dump_dir}/iptables-v.err)"
# Ignore errors because we don't know if this is nft related or a real error
# rc=10
fi
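Review bot: `debug "$(cat ${dump_dir}/iptables-v.err)"` leaves `${dump_dir}` unquoted inside the command substitution, while the redirections two lines above quote it; a dump directory containing spaces or glob characters breaks the cat. Use `debug "$(cat "${dump_dir}/iptables-v.err")"`. The same unquoted form is repeated in the three following hunks (iptables, iptables-save and nft ruleset).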
@ -467,14 +467,14 @@ task_iptables() {
printf "\n#### ip6tables --table mangle --list ###############\n"
${ip6tables_bin} --table mangle --list --numeric
fi
} > "${dump_dir}/iptables.txt")
} > "${dump_dir}/iptables.txt") 2> "${dump_dir}/iptables.err"
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* iptables OK"
else
debug "* iptables ERROR"
debug "${last_result}"
debug "$(cat ${dump_dir}/iptables.err)"
# Ignore errors because we don't know if this is nft related or a real error
# rc=10
fi
@ -485,14 +485,14 @@ task_iptables() {
iptables_save_bin=$(command -v iptables-save)
if [ -n "${iptables_save_bin}" ]; then
last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt")
${iptables_save_bin} > "${dump_dir}/iptables-save.txt" 2> "${dump_dir}/iptables-save.err"
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* iptables-save OK"
else
debug "* iptables-save ERROR"
debug "${last_result}"
debug "$(cat ${dump_dir}/iptables-save.err)"
# Ignore errors because we don't know if this is nft related or a real error
# rc=10
fi
@ -503,14 +503,14 @@ task_iptables() {
nft_bin=$(command -v nft)
if [ -n "${nft_bin}" ]; then
last_result=$(${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt")
${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt" 2> "${dump_dir}/nft-ruleset.err"
last_rc=$?
if [ ${last_rc} -eq 0 ]; then
debug "* nft ruleset OK"
else
debug "* nft ruleset ERROR"
debug "${last_result}"
debug "$(cat ${dump_dir}/nft-ruleset.err)"
rc=10
fi
fi
@ -762,6 +762,10 @@ task_systemctl() {
fi
}
clean_empty_error_file() {
find "${dump_dir}" -type f -name "*.err" -size 0 -delete
}
main() {
if [ -z "${dump_dir}" ]; then
echo "ERROR: You must provide the --dump-dir argument" >&2
@ -841,6 +845,7 @@ main() {
task_systemctl
fi
clean_empty_error_file
debug "=> Your dump is available at ${dump_dir}"
exit ${rc}

@ -0,0 +1,2 @@
[Journal]
MaxRetentionSec=1day
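Review bot: `MaxRetentionSec=1day` discards journal entries after one day, which shrinks the window an incident responder has for `journalctl` lookups and for anything that only reaches the journal (service stdout/stderr that rsyslog does not pick up). Since the role also manages rsyslog this may be deliberate, but the value deserves a comment in the file or a role variable so operators can lengthen it on hosts where the journal is the primary log store.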

@ -79,3 +79,7 @@
name: log2mail
state: restarted
- name: restart systemd-journald
ansible.builtin.service:
name: systemd-journald.service
state: restarted
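Review bot: a full `restarted` of systemd-journald.service on systemd releases before 246 (Debian 10 ships 241) drops the stdout/stderr stream connections of already-running services, so their output stops reaching the journal until each service is restarted. Since this handler is notified by a plain config copy, consider gating it on Debian >= 11, or accepting on older releases that the new retention setting only applies after the next boot.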

@ -0,0 +1,14 @@
---
- name: "Customize common bashrc"
ansible.builtin.lineinfile:
dest: /etc/bash.bashrc
line: "{{ item }}"
create: yes
state: present
loop:
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth,erasedups"
- "export HISTSIZE=65535"
- "export HISTTIMEFORMAT=\"%c : \""
- "shopt -s histappend"
- "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\""
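Review bot: the lineinfile loop has no `regexp`, so if any value later changes (HISTSIZE, the HISTTIMEFORMAT string) the old line stays and a second one is appended; a per-item `regexp` such as `^export HISTSIZE=` keeps it idempotent across changes. Two caveats for the traceability this is meant to add: `HISTCONTROL=...ignoreboth` drops any command typed with a leading space from the history, and /etc/bash.bashrc is overridable by a user's own ~/.bashrc, so this improves convenience and audit coverage but is not a tamper-proof record. `create: yes` should also become `true` to match the yes/true cleanup done elsewhere in this commit.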

@ -20,7 +20,7 @@
src: default_www/index.html.j2
dest: /var/www/index.html
mode: "0644"
force: no
force: false
when: evolinux_default_www_files | bool
# SSL cert

@ -12,4 +12,4 @@
src: /usr/local/sbin/dump-server-state
dest: /usr/local/sbin/backup-server-state
state: link
force: yes
force: true

@ -41,13 +41,21 @@
state: absent
when: perc_hba11_search.rc == 0
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: MegaCLI SAS package is present
block:
- name: HWRaid GPG key is installed
ansible.builtin.copy:
src: hwraid.le-vert.net.asc
dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc"
force: yes
force: true
mode: "0644"
owner: root
group: root
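Review bot: the new "Ensure {{ apt_keyring_dir }} directory exists" task uses the bare `file:` module and `mode: "755"`, whereas the rest of this commit uses FQCNs (`ansible.builtin.file`) and zero-padded modes (`"0644"` a few lines below). The quoted `"755"` is parsed as octal by the module, but `"0755"` avoids the risky-octal lint warning and the decimal-755 trap if someone later drops the quotes. The same block is copy-pasted into the HPE, Elastic and Fluentd apt_sources files further down, so fix it in all four.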

@ -1,10 +1,18 @@
---
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: HPE GPG key is installed
ansible.builtin.copy:
src: hpePublicKey2048_key1.asc
dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc"
force: yes
force: true
mode: "0644"
owner: root
group: root
@ -35,6 +43,12 @@
tags:
- packages
- name: Install HPE Agentless Management Service (amsd)
ansible.builtin.apt:
name: amsd
tags:
- packages
# NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role
# So, if nagios-nrpe role is not installed it will not work
- name: Install and configure check_hpraid cron (HP gen >=10)

@ -41,7 +41,7 @@
ansible.builtin.copy:
dest: /etc/mailname
content: "{{ evolinux_fqdn }}\n"
force: yes
force: true
when: evolinux_hostname_mailname | bool
# Override facts

@ -4,6 +4,7 @@
ansible.builtin.apt:
name: "linux-image-cloud-amd64"
state: present
register: _use_cloud_kernel
when:
- ansible_machine == "x86_64"
- ansible_virtualization_role == "guest"
@ -17,6 +18,14 @@
- ansible_machine == "x86_64"
- ansible_virtualization_role == "guest"
- evolinux_kernel_cloud_auto | bool
- name: "Reboot the server to enable the new kernel"
ansible.builtin.reboot:
reboot_timeout: 600
search_paths: ['/lib/molly-guard', '/sbin']
when:
- _use_cloud_kernel is changed
- evolinux_kernel_cloud_reboot | bool
- name: Reboot after panic
ansible.posix.sysctl:
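Review bot: the reboot is gated on `_use_cloud_kernel is changed`, which is only true on the run that installs the package. If that run installs the kernel but the reboot does not happen (`evolinux_kernel_cloud_reboot` false at the time, or the play failing before this task), later runs see no change and never reboot, so the host keeps running the old kernel indefinitely. Comparing `ansible_kernel` with the installed cloud kernel version, or writing a "reboot required" marker consumed by this task, would make the condition stateless.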

@ -2,6 +2,7 @@
# TODO: voir comment faire des backups initiaux des fichiers
# RSyslog
- name: Copy rsyslog.conf
ansible.builtin.copy:
src: logs/rsyslog.conf
@ -10,6 +11,7 @@
notify: restart rsyslog
when: evolinux_logs_rsyslog_conf | bool
# Logrotate
- name: Disable logrotate default conf
ansible.builtin.command:
cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
@ -61,4 +63,28 @@
insertafter: 'dateext'
when: evolinux_logs_default_dateext | bool
# Logcheck
- name: Disable logcheck monitoring of journald
ansible.builtin.lineinfile:
dest: /etc/logrotate.conf
line: "#journal"
regexp: "^journal"
when: evolinux_logs_disable_logcheck_journald | bool
# Journald
- name: /etc/systemd/journald.conf.d/ is present
ansible.builtin.file:
path: /etc/systemd/journald.conf.d/
state: directory
mode: "0755"
when: evolinux_logs_journald_conf | bool
- name: Copy journald.conf
ansible.builtin.copy:
src: logs/journald.conf
dest: /etc/systemd/journald.conf.d/00-evolinux-default.conf
mode: "0644"
notify: restart systemd-journald
when: evolinux_logs_journald_conf | bool
- ansible.builtin.meta: flush_handlers
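Review bot: "Disable logcheck monitoring of journald" edits `/etc/logrotate.conf`, which is logrotate's configuration and contains no `journal` line, so `regexp: "^journal"` never matches and lineinfile appends a meaningless `#journal` to logrotate.conf instead. logcheck reads the journal when a `journal` entry is listed in its logfiles configuration under /etc/logcheck/ (logcheck.logfiles or a file in logcheck.logfiles.d/), so `dest` should point there, and the task should then gain the `create`/`mode` handling the journald tasks below already have.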

@ -74,6 +74,9 @@
# name: evolix/evolinux-users
# when: evolinux_users_include
- name: Bash configuration
ansible.builtin.import_tasks: bash.yml
- name: Root user configuration
ansible.builtin.import_tasks: root.yml
when: evolinux_root_include | bool
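Review bot: "Bash configuration" is imported unconditionally, while the neighbouring root and users imports are gated by `evolinux_*_include` variables; a `when: evolinux_bash_include | bool` (with a default in defaults/main.yml) keeps the role's pattern and lets hosts that manage /etc/bash.bashrc themselves opt out.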

@ -25,7 +25,7 @@
ansible.builtin.lineinfile:
dest: /etc/postfix/main.cf
state: present
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost localhost.$mydomain"
regexp: '^mydestination'
notify: reload postfix
tags:

@ -27,7 +27,7 @@
ansible.builtin.copy:
content: ""
dest: "/root/.bash_history"
force: no
force: false
when: evolinux_root_bash_history | bool
- name: Set umask in /root/.profile
@ -47,7 +47,7 @@
ansible.builtin.copy:
src: root/gitconfig
dest: "/root/.gitconfig"
force: no
force: false
when: evolinux_root_gitconfig | bool
- name: Is .bash_history append-only
@ -90,14 +90,40 @@
- "set shiftwidth=4"
when: evolinux_root_vim_conf | bool
- name: disable SSH access for root
- name: disable SSH access for root (Debian < 12)
ansible.builtin.replace:
dest: /etc/ssh/sshd_config
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: evolinux_root_disable_ssh | bool
when:
- evolinux_root_disable_ssh | bool
- ansible_distribution_major_version is version('11', '<=')
- name: files under /etc/ssh/sshd_config.d are included (Debian >= 12)
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
line: "Include /etc/ssh/sshd_config.d/*.conf"
insertbefore: BOF
notify: reload ssh
when:
- evolinux_root_disable_ssh | bool
- ansible_distribution_major_version is version('12', '>=')
- name: disable SSH access for root (Debian >= 12)
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
line: "PermitRootLogin no"
regexp: "^#?PermitRootLogin "
create: yes
mode: "0644"
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- evolinux_root_disable_ssh | bool
- ansible_distribution_major_version is version('12', '>=')
### Disabled : it seems useless and too dangerous for now
# - name: remove root from AllowUsers directive
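Review bot: the "files under /etc/ssh/sshd_config.d are included" task notifies `reload ssh` while the two tasks around it notify `reload sshd`; unless both handlers exist the play errors on the first change, and if both exist the naming is just inconsistent. Separately, "disable SSH access for root (Debian >= 12)" writes `PermitRootLogin no` into z-evolinux-defaults.conf, the same file that ssh.yml renders from sshd/defaults.j2 (which already emits `PermitRootLogin no` under the same `evolinux_root_disable_ssh` variable); two tasks owning one file means the template silently overwrites whatever lineinfile did, so one of them should go.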

@ -1,71 +1,22 @@
---
# This is a copy of ssh.single-file.yml
# It needs to be changed when we move to a included-files configuration
- ansible.builtin.debug:
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
when: evolinux_ssh_password_auth_addresses == []
# From 'man sshd_config' :
# « If all of the criteria on the Match line are satisfied, the keywords
# on the following lines override those set in the global section of the config
# file, until either another Match line or the end of the file.
# If a keyword appears in multiple Match blocks that are satisfied,
# only the first instance of the keyword is applied. »
#
# We want to allow any user from a list of IP addresses to login with password,
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
- name: files under /etc/ssh/sshd_config.d are included
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
line: "Include /etc/ssh/sshd_config.d/*.conf"
insertbefore: BOF
notify: reload ssh
- name: "Security directives for Evolinux (Debian 10 or later)"
ansible.builtin.blockinfile:
dest: /etc/ssh/sshd_config
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
block: |
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
PasswordAuthentication yes
Match Group {{ evolinux_internal_group }}
PasswordAuthentication no
insertafter: EOF
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- evolinux_ssh_password_auth_addresses != []
- ansible_distribution_major_version is version('10', '>=')
- name: add SSH server configuration template
ansible.builtin.template:
src: sshd/defaults.j2
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
mode: "0644"
- name: Security directives for Evolinux (Jessie/Stretch)
ansible.builtin.blockinfile:
dest: /etc/ssh/sshd_config
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
block: |
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
PasswordAuthentication yes
insertafter: EOF
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- evolinux_ssh_password_auth_addresses != []
- ansible_distribution_major_version is version('10', '<')
# We disable AcceptEnv because it can be a security issue, but also because we
# do not want clients to push their environment variables like LANG.
- name: disable AcceptEnv in ssh config
ansible.builtin.replace:
dest: /etc/ssh/sshd_config
regexp: '^AcceptEnv'
replace: "#AcceptEnv"
notify: reload sshd
when: evolinux_ssh_disable_acceptenv | bool
- name: Set log level to verbose (for Debian >= 9)
ansible.builtin.replace:
dest: /etc/ssh/sshd_config
regexp: '^#?LogLevel [A-Z]+'
replace: "LogLevel VERBOSE"
notify: reload sshd
when: ansible_distribution_major_version is version('9', '>=')
- name: "Get current user"
- name: "Get current user's group"
ansible.builtin.command:
cmd: logname
changed_when: False
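Review bot: the removed "disable AcceptEnv in ssh config" task has no replacement: sshd/defaults.j2 adds `SetEnv LC_ALL=...` but nothing disables Debian's stock `AcceptEnv LANG LC_*` in sshd_config, and AcceptEnv lines accumulate rather than follow first-value-wins, so the hardening the deleted comment justified is silently dropped and `evolinux_ssh_disable_acceptenv` becomes a dead variable. The new "add SSH server configuration template" task also has neither `validate: '/usr/sbin/sshd -t -f %s'` nor `notify: reload sshd`, unlike every other sshd task in this commit, so a bad render is not caught and a changed file is not applied. Finally, `Include` needs OpenSSH >= 8.2 (Debian 11): if this file can still be reached on buster or stretch (the deleted header referred to ssh.single-file.yml for that case), the Include line makes sshd's config check fail on those hosts.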
@ -73,10 +24,9 @@
check_mode: no
when: evolinux_ssh_allow_current_user | bool
# we must double-escape caracters, because python
- name: verify AllowUsers directive
ansible.builtin.command:
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
cmd: "grep -ER '^AllowUsers' /etc/ssh"
failed_when: False
changed_when: False
register: grep_allowusers_ssh
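Review bot: `grep -ER '^AllowUsers' /etc/ssh` recurses into everything under /etc/ssh, including ssh_config, ssh_config.d/ and any sshd_config.d file that does not end in .conf and is therefore never read by sshd; a hit there gives rc 0 and makes the task below skip adding the user. Restrict the search to what sshd actually loads, e.g. `grep -E '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null`. The same applies to the `-Er` greps added in evolinux-users further down.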
@ -85,20 +35,15 @@
- name: "Add AllowUsers sshd directive for current user"
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
line: "\nAllowUsers {{ logname.stdout }}"
dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf
create: yes
line: "AllowUsers {{ logname.stdout }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
- name: "Modify AllowUsers sshd directive for current user"
ansible.builtin.replace:
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
replace: '\1 {{ logname.stdout }}'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
- ansible.builtin.meta: flush_handlers
# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
# TODO si allowgroups, ajouter groupe de lutilisateur
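Review bot: the "Modify AllowUsers sshd directive for current user" task is deleted, but the add task still runs only when `grep_allowusers_ssh.rc != 0`. On a host that already has an AllowUsers line for other users the current user is now appended nowhere, and the next sshd reload locks that user out, which is exactly what the old replace task prevented. Since AllowUsers directives accumulate across files, the simple fix is to drop the `rc != 0` condition and always ensure `AllowUsers {{ logname.stdout }}` is present in allow_evolinux_user.conf (a `regexp: '^AllowUsers '` keeps it idempotent). `insertafter: 'Subsystem'` is meaningless in a freshly created file, and `create: yes` should be `true` like the rest of the commit.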

@ -131,6 +131,13 @@
- ansible.builtin.include_role:
name: evolix/ntpd
when:
- evolinux_system_include_ntpd | bool
- ansible.builtin.include_role:
name: evolix/timesyncd
when:
- evolinux_system_include_timesyncd | bool
## alert5
@ -138,7 +145,7 @@
ansible.builtin.template:
src: system/alert5.sysvinit.j2
dest: /etc/init.d/alert5
force: no
force: false
mode: "0755"
when:
- evolinux_system_alert5_init | bool
@ -153,13 +160,14 @@
- evolinux_system_alert5_enable | bool
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
- ansible.builtin.include_role:
name: evolix/remount-usr
- name: Install alert5 init script (buster and later)
ansible.builtin.template:
src: system/alert5.sh.j2
dest: /usr/share/scripts/alert5.sh
force: no
force: false
mode: "0755"
when:
- evolinux_system_alert5_init | bool
@ -169,7 +177,7 @@
ansible.builtin.copy:
src: alert5.service
dest: /etc/systemd/system/alert5.service
force: yes
force: true
mode: "0644"
when:
- evolinux_system_alert5_init | bool

@ -13,7 +13,7 @@
mode: "0700"
owner: root
group: root
force: no
force: false
- name: update-evobackup-canary script is present
ansible.builtin.copy:

@ -0,0 +1,15 @@
Port 22
{% if evolinux_root_disable_ssh %}
PermitRootLogin no
{% endif %}
LogLevel VERBOSE
SetEnv LC_ALL=en_US.UTF-8
{% if evolinux_ssh_password_auth_addresses %}
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
PasswordAuthentication yes
{% endif %}
{% if evolinux_internal_group %}
Match Group {{ evolinux_internal_group }}
PasswordAuthentication no
{% endif %}
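Review bot: `Port 22` is hard-coded, and Port directives accumulate, so a host that sets a different port in sshd_config will now also listen on 22 (the fail2ban jail in this same commit already expects "ssh,2222,22222"); templating it from a variable defaulting to 22 keeps current behaviour without forcing the extra listener. The two Match blocks depend on the "first satisfied Match wins per keyword" rule that the deleted ssh.yml comment explained; that explanation belongs here as a Jinja comment. Because drop-ins are parsed inline in lexical order and a Match section runs until the next Match line, verify with `sshd -T -C user=<member>,addr=<other-ip>` that directives in later files (z-evolinux-users.conf's AllowGroups) and in sshd_config after the Include are still applied globally rather than under the trailing `Match Group`.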

@ -12,5 +12,5 @@
src: todo.defaults.txt
dest: /etc/evolinux/todo.txt
mode: "0640"
force: no
force: false
when: ansible_distribution == "Debian"

@ -2,7 +2,7 @@
- name: verify AllowGroups directive
ansible.builtin.command:
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
cmd: "grep -Er '^AllowGroups' /etc/ssh"
changed_when: False
failed_when: False
check_mode: no
@ -14,7 +14,7 @@
- name: verify AllowUsers directive
ansible.builtin.command:
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
cmd: "grep -Er '^AllowUsers' /etc/ssh"
changed_when: False
failed_when: False
check_mode: no
@ -62,6 +62,37 @@
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
replace: "PermitRootLogin no"
notify: reload sshd
when: evolinux_root_disable_ssh | bool
when:
- evolinux_root_disable_ssh | bool
- ansible_distribution_major_version is version('11', '<=')
- name: verify PermitRootLogin directive (Debian >= 12)
ansible.builtin.command:
cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
changed_when: False
failed_when: False
check_mode: no
register: grep_permitrootlogin_ssh
when:
- ansible_distribution_major_version is version('12', '>=')
# TODO avertir lorsque PermitRootLogin est déjà configuré?
- ansible.builtin.debug:
var: grep_permitrootlogin_ssh
verbosity: 1
- name: disable root login (Debian >= 12)
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
line: "PermitRootLogin no"
create: yes
mode: "0644"
validate: '/usr/sbin/sshd -t -f %s'
insertbefore: "BOF"
notify: reload sshd
when:
- evolinux_root_disable_ssh | bool
- ansible_distribution_major_version is version('12', '>=')
- grep_permitrootlogin_ssh.rc == 1
- ansible.builtin.meta: flush_handlers
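Review bot: "disable root login (Debian >= 12)" only runs when `grep_permitrootlogin_ssh.rc == 1`, i.e. when no `PermitRootLogin` line exists anywhere under /etc/ssh. A host with `PermitRootLogin yes` or `prohibit-password` already in sshd_config or a drop-in therefore keeps root login enabled and nothing is reported, which is the case the French TODO is about. Since sshd keeps the first value it reads and the Include sits at the top of sshd_config, a line in sshd_config itself is overridden by the drop-in, but a drop-in sorting before z-evolinux-users.conf still wins; the task should either always write the line, or gate on the effective value (`sshd -T | grep -i '^permitrootlogin no'`) and fail loudly when it is not `no`, instead of silently skipping.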

@ -4,11 +4,13 @@
# even if it's been done before
- name: verify AllowGroups directive
ansible.builtin.command:
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
cmd: "grep -Er '^AllowGroups' /etc/ssh"
changed_when: False
failed_when: False
check_mode: no
register: grep_allowgroups_ssh
when:
- ansible_distribution_major_version is version('11', '<=')
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
ansible.builtin.lineinfile:
@ -17,7 +19,9 @@
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: grep_allowgroups_ssh.rc != 0
when:
- ansible_distribution_major_version is version('11', '<=')
- grep_allowgroups_ssh.rc != 0
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
ansible.builtin.replace:
@ -26,4 +30,16 @@
replace: '\1 {{ evolinux_ssh_group }}'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: grep_allowgroups_ssh.rc == 0
when:
- ansible_distribution_major_version is version('11', '<=')
- grep_allowgroups_ssh.rc == 0
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
line: "AllowGroups {{ evolinux_ssh_group }}"
create: yes
mode: "0644"
validate: '/usr/sbin/sshd -t -f %s'
when:
- ansible_distribution_major_version is version('12', '>=')
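Review bot: the "Add AllowGroups sshd directive" task for Debian >= 12 has no `notify: reload sshd`, unlike its Debian <= 11 counterpart above, so the new z-evolinux-users.conf line only takes effect at the next unrelated reload or restart. It also appends without a `regexp`, so a changed `evolinux_ssh_group` adds a second AllowGroups line instead of replacing the first; `regexp: '^AllowGroups '` fixes that.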

@ -11,9 +11,9 @@
- block:
- ansible.builtin.include: sudo_stretch_common.yml
- ansible.builtin.include: sudo_common.yml
- ansible.builtin.include: sudo_stretch_user.yml
- ansible.builtin.include: sudo_user.yml
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"

@ -10,9 +10,9 @@
- name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)"
ansible.builtin.template:
src: sudoers_stretch.j2
src: sudoers.j2
dest: /etc/sudoers.d/evolinux
force: no
force: false
mode: "0440"
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux

@ -4,7 +4,7 @@
ansible.builtin.template:
src: sudoers_jessie.j2
dest: /etc/sudoers.d/evolinux
force: no
force: false
mode: "0440"
validate: '/usr/sbin/visudo -cf %s'
register: copy_sudoers_evolinux

@ -23,7 +23,8 @@ nagios ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
nagios ALL = NOPASSWD: /sbin/ssacli controller all show status
nagios ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_gluster.rb
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
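Review bot: `nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_gluster.rb` grants the nagios user passwordless root for a script under /usr/local/lib, so that file and its directory must be root-owned and not writable by nagios or any of its groups, otherwise it is a direct nagios-to-root path. The task that installs check_gluster.rb should set owner root and mode 0755 (or 0750), and, as the `(clamav)` clamscan line below shows, running it as a constrained target user is preferable if the plugin does not genuinely need root.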

@ -1,21 +1,16 @@
#!/bin/sh
# EvoMaintenance script
# Dependencies (all OS): git postgresql-client
# Dependencies (Debian): sudo
# Copyright 2007-2022 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
# Jérémy Lecour <jlecour@evolix.fr> and others.
VERSION="22.07"
VERSION="23.10.1"
show_version() {
cat <<END
evomaintenance version ${VERSION}
Copyright 2007-2022 Evolix <info@evolix.fr>,
Copyright 2007-2023 Evolix <info@evolix.fr>,
Gregory Colpart <reg@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
Jérémy Lecour <jlecour@evolix.fr>,
Brice Waegeneire <bwaegeneire@evolix.fr>,
Mathieu Trossevin <mtrossevin@evolix.fr>
and others.
evomaintenance comes with ABSOLUTELY NO WARRANTY. This is free software,
@ -47,11 +42,11 @@ Options
--no-evocheck disable evocheck execution
--auto use "auto" mode
--no-auto use "manual" mode (default)
--autosysadmin author change as autosysadmin
-u, --user=USER force USER value (default: logname(1))
-v, --verbose increase verbosity
-n, --dry-run actions are not executed
--help print this message and exit
--version print version and exit
-V, --version print version and exit
END
}
@ -109,7 +104,7 @@ get_begin_date() {
get_ip() {
ip=$(get_who | cut -d" " -f6 | sed -e "s/^(// ; s/)$//")
if is_autosysadmin || [ "${ip}" = ":0" ]; then
if is_autosysadmin || [ "${ip}" = ":0" ]; then
ip="localhost"
elif [ -z "${ip}" ]; then
ip="unknown (no tty)"
@ -127,8 +122,8 @@ get_now() {
}
get_user() {
if is_autosysadmin; then
echo autosysadmin
if [ -n "${FORCE_USER}" ]; then
echo "${FORCE_USER}"
else
logname
fi
@ -193,7 +188,7 @@ print_session_data() {
}
is_autosysadmin() {
test "${AUTOSYSADMIN}" -eq 1
test "${USER}" = "autosysadmin"
}
is_repository_readonly() {
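Review bot: `is_autosysadmin` now tests `${USER}`, the environment variable set by login, rather than `${FORCE_USER}`, so `--user autosysadmin` changes what `get_user` prints but not what `get_ip` does (it still reads the tty's remote host instead of "localhost") unless USER is reassigned from get_user later in the script. Testing `"$(get_user)" = "autosysadmin"` keeps the two paths consistent and avoids depending on the caller's environment.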
@ -404,7 +399,7 @@ AUTO=${AUTO:-"0"}
EVOCHECK=${EVOCHECK:-"0"}
GIT_STATUS_MAX_LINES=${GIT_STATUS_MAX_LINES:-20}
API_ENDPOINT=${API_ENDPOINT:-""}
AUTOSYSADMIN=${AUTOSYSADMIN:-0}
FORCE_USER=${FORCE_USER:-""}
# initialize variables
MESSAGE=""
@ -482,6 +477,31 @@ while :; do
# use "auto" mode
AUTO=1
;;
--autosysadmin)
# Deprecated, backward compatibility
# author change as autosysadmin
printf 'WARNING: "--autosysadmin" is deprecated, use "--user autosysadmin".\n' >&2
FORCE_USER="autosysadmin"
;;
-u|--user)
# user options, with value speparated by space
if [ -n "$2" ]; then
FORCE_USER=$2
shift
else
printf 'ERROR: "--user" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--user=?*)
# message options, with value speparated by =
FORCE_USER=${1#*=}
;;
--user=)
# message options, without value
printf 'ERROR: "--user" requires a non-empty option argument.\n' >&2
exit 1
;;
-n|--dry-run)
# disable actual commands
DRY_RUN=1
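Review bot: the comments on the new `-u|--user`, `--user=?*` and `--user=` cases were copied from the message option ("message options, with value speparated by =", typo included) and should read "user option, with value separated by ...". The short `-u` form is only accepted with a separate argument, which matches the other short options and the `-u, --user=USER` usage text, so that part is fine.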

@ -40,7 +40,7 @@
owner: root
group: root
mode: "{{ item.mode }}"
force: yes
force: true
backup: yes
loop:
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }

@ -22,7 +22,7 @@
owner: root
group: root
mode: "{{ item.mode }}"
force: yes
force: true
backup: yes
loop:
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }

@ -23,6 +23,7 @@ fail2ban_default_findtime: 10m
fail2ban_default_action: "action_"
fail2ban_sshd: True
fail2ban_sshd_port: "ssh,2222,22222"
fail2ban_sshd_maxretry: 10
fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}"
fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}"
@ -45,4 +46,6 @@ fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}"
fail2ban_roundcube: False
fail2ban_roundcube_maxretry: 5
fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}"
fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"
fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"
fail2ban_dbpurgeage_default: "86400 second"

@ -14,12 +14,12 @@
- name:
ansible.builtin.set_fact:
dbpurgeage_default : "{{ dbpurgeage.stdout }}"
fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }}"
when: dbpurgeage.stdout | regex_search("^\\d+\w+$")
- name:
ansible.builtin.set_fact:
dbpurgeage_default : "{{ dbpurgeage.stdout }} second"
fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }} second"
when: dbpurgeage.stdout | regex_search("^\\d+$")
- name: Add crontab
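Review bot: the `regex_search("^\\d+\w+$")` branch passes fail2ban's own duration syntax through unchanged, so fail2ban's upstream default `dbpurgeage = 1d` becomes `datetime('now', '-1d')` in the purge script; SQLite does not know a `d` modifier, `datetime()` returns NULL, the WHERE clause is never true and the purge silently deletes nothing. Convert fail2ban's unit letters to SQLite's `N days`/`N hours` form (or normalise everything to seconds, as the bare-number branch below already does with " second") before setting `fail2ban_dbpurgeage_default`. Also check the regexp itself: if the file really contains `\w` with a single backslash inside a double-quoted YAML scalar, PyYAML rejects it as an unknown escape, so it is presumably `\\w` and lost a backslash in rendering.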

@ -1,8 +1,8 @@
#!/bin/sh
#!/bin/bash
# Juin - Decembre 2022 : #64088
# Purge pour Stretch et Buster
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');"
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ fail2ban_dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');"
place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 )
place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) )

@ -21,7 +21,7 @@ action = %({{ fail2ban_default_action }})s
[sshd]
enabled = {{ fail2ban_sshd }}
port = ssh,2222,22222
port = {{ fail2ban_sshd_port }}
maxretry = {{ fail2ban_sshd_maxretry }}
findtime = {{ fail2ban_sshd_findtime }}

@ -1,6 +1,6 @@
---
- hosts: all
become: yes
become: true
# gather_facts: no
roles:
- role: fail2ban

@ -5,11 +5,19 @@
state: present
when: ansible_distribution_major_version is version('10', '<')
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Elastic GPG key is installed
ansible.builtin.copy:
src: elastic.asc
dest: "{{ apt_keyring_dir }}/elastic.asc"
force: yes
force: true
mode: "0644"
owner: root
group: root
@ -33,4 +41,4 @@
- name: Update APT cache
ansible.builtin.apt:
update_cache: yes
when: elastic_sources is changed
when: elastic_sources is changed

@ -1,6 +1,6 @@
---
- name: APT sources
ansible.builtin.import_tasks: apt_sources.yml
ansible.builtin.include_tasks: apt_sources.yml
args:
apply:
tags:

@ -1,10 +1,18 @@
---
- name: "Ensure {{ apt_keyring_dir }} directory exists"
file:
path: "{{ apt_keyring_dir }}"
state: directory
mode: "755"
owner: root
group: root
- name: Add Fluentd GPG key
ansible.builtin.copy:
src: treasuredata.asc
dest: "{{ apt_keyring_dir }}/treasuredata.asc"
force: yes
force: true
mode: "0644"
owner: root
group: root

@ -12,7 +12,7 @@
ansible.builtin.file:
src: /usr/share/munin/plugins/haproxy_ng
dest: /etc/munin/plugins/haproxy_ng
force: yes
force: true
state: link
notify: restart munin-node
tags: