diff --git a/.gitignore b/.gitignore index 102ea9f6..080ae1f8 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ .kateproject.d .vagrant/ *.swp +.vscode \ No newline at end of file diff --git a/.markdownlint.json b/.markdownlint.json new file mode 100644 index 00000000..9eb5b2db --- /dev/null +++ b/.markdownlint.json @@ -0,0 +1,4 @@ +{ + "MD013": false, + "MD024": false +} \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json index ce271884..799fe466 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -3,5 +3,6 @@ "*.yml": "ansible", "*.yaml": "ansible" }, - "yaml.format.enable": false + "yaml.format.enable": false, + "ansible.python.interpreterPath": "/bin/python" } \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 0db8d343..2a4c9e60 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ # Changelog + All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). @@ -8,7 +9,6 @@ The **major** part of the version is the year The **minor** part changes is the month The **patch** part changes is incremented if multiple releases happen the same month - ## [Unreleased] ### Added @@ -21,6 +21,88 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Security +## [23.10] 2023-10-14 + +### Added + +* apt: disable `NonFreeFirmware` warning for VM on Debian 12+ +* apt: explicit `signed-by` directives for official sources +* bind: add reload-zone helper +* certbot: deploy-hook for proftpd +* docker-host: added var for user namespace setting +* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched) +* dovecot: fix old_stats plugin for Dovecot 2.3 +* evocheck: add support for Debian >= 12 split SSH configuration +* evolinux-base: add split SSH configuration for Debian >= 12 +* evolinux-base: configure `.bashrc` for all users +* evolinux-base: New variable `evolinux_system_include_ntpd` to chose wether or not to include `ntpd` role +* evolinux-base: reboot the server if the Cloud kernel has been installed +* evolinux-users: add split SSH configuration for Debian >= 12 +* evolinux: install HPE Agentless Management Service (amsd) +* fail2ban: add default variable fail2ban_dbpurgeage_default +* fail2ban: add `fail2ban_sshd_port` variable to configure sshd port +* kvm-host: release 23.10 for migrate-vm.sh +* metricbeat/logstash: fix Ansible syntax +* mysql: new munin graph to follow binlog_days over time +* nagios-nrpe: add a NRPE check-local command with completion. +* nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients) +* php: add new variable to disable overriding settings of php-fpm default pool (www) +* policy_pam: New role to manage password policy with `pam_pwquality` & `pam_pwhistory` +* userlogrotate: add a `userlogpurge` script disabled by default +* userlogrotate: new version, with separate conf file +* userlogrotate: rotate also php.log +* java: allow version 17 +* timesyncd: new role, used instead of ntpd by default starting with Debian 12 + +### Changed + +* all: change syntax "become: [yes,no]" → "become: [true,false]" +* all: change syntax "force: [yes,no]" → "force: [true,false]" +* elasticsearch: improve networking configuration +* evolinux-base: include files under `sshd_config.d` +* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions +* evomaintenance: upstream release 23.10.1 +* lxc-php: change LXC container in bookworm for php82 +* minifirewall: update nrpe script to check active configuration +* minifirewall: upstream release 23.07 +* mysql: improve shell syntax for mysql_skip script +* nagios-nrpe: set default check_load --per-cpu for BSD +* pgbouncer: minor fixes +* postfix (packmail or when postfix_slow_transport_include is True): change `miniprofmal_backoff_time` from 2h to 15m (see HowtoPostfix) +* postfix (packmail) : optimize Amavis integration +* postfix: disable sending mails via IPv6 +* postfix: new spam.sh update script that avoids reloading if files did not change. +* postgresql: fix file `postgresql.pref.j2` for exclude package +* postgresql: fix task `update apt cache` for PGDG repo +* redis: standardize plugins path from `/usr/local/share/munin/` to `/usr/local/lib/munin/plugins/` +* varnish: allow the systemd template to be overridden with a template outside of the role +* lxc: purge openssh-server from container on install + +### Fixed + +* elasticsearch: comment the `Xlog:gc` line instead of changing it completely +* evocheck: fix IS_SSHALLOWUSERS condition +* evolinux-base, evolinux-users: Fix files mode under `/etc/ssh/sshd_config.d` +* evolinux-base: fix file extension +* fail2ban: fix cron `fail2ban_dbpurge` (should be bash instead of sh) +* lxc-php: fix APT keyring path inside containers +* nagios-nrpe: `check_ssl_local` now has an output that nrpe can understand when it isn't OK +* nagios-nrpe: remount `/usr` **after** installing the packages +* nagios-nrpe: sync Redis check from redis roles +* nginx: set default server directive in default vhost +* opendkim: update apt cache before install +* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container +* postfix: add missing `localhost.$mydomain` to `mydestination` +* redis: replace erroneous `ini_file` module for Munin config, fix dedicated Munin config filename (z-XXX). +* evolinux-base: use lineinfile instead of replace under root task +* evolinux-base: Corriger autorisation pour evolinux_user +* docker-host: Retirer directive state en trop +* rbenv: Installer libyaml-dev + +### Removed + +* dovecot: remove Munin plugin dovecot (not working) + ## [23.04] 2023-04-23 ### Added @@ -107,7 +189,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: subversion is not installed anymore - ## [22.12] 2022-12-14 ### Added @@ -162,7 +243,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream - ## [22.09] 2022-09-19 ### Added @@ -176,7 +256,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * proftpd: Add options to override configs (and add a warning if file was overriden) * proftpd: Allow user auth with ssh keys - ### Changed * evocheck: upstream release 22.09 @@ -184,7 +263,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * generate-ldif: Support any MariaDB version * minifirewall: use handlers to restart minifirewall * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command -* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3) +* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3) * openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS * nagios-nrpe: Upgrade check_mongo @@ -302,7 +381,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* docker : Introduce new default settings + allow to change the docker data directory +* docker : Introduce new default settings + allow to change the docker data directory * docker : Introduce new variables to tweak daemon settings ### Changed @@ -335,7 +414,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: restore "force-restart" and fix "restart-if-needed" * minifirewall: tail template follows symlinks * minifirewall: upstream release 22.05 -* opendkim : add generate opendkim-genkey in sha256 and key 4096 +* opendkim : add generate opendkim-genkey in sha256 and key 4096 * openvpn: use a local copy of files instead of cloning an external git repository * openvpn: use a subnet topology instead of the net30 default topology * tomcat: Tomcat 9 by default with Debian 11 @@ -698,6 +777,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [10.0.0] - 2020-05-13 ### Added + * apache: the default VHost doesn't redirect to https for ".well-known" paths * apt: added buster backports prerferences * apt: check if cron is installed before adding a cron job @@ -734,6 +814,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * bind: enable bind9 munin plugin for recursive resolvers ### Changed + * replace version_compare() with version()s * removed some deprecations for Ansible 2.7 * apache: improve permissions in save_apache_status script @@ -779,6 +860,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * varnish: remove custom ExecReload= script for Debian 10+ ### Fixed + * etc-git: fix warnings ansible-lint * evoadmin-web: Put the php config at the right place for Buster * lxc: Don't stop the container if it already exists @@ -801,16 +883,19 @@ The **patch** part changes is incremented if multiple releases happen the same m * packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available ### Removed + * clamav : do not install the zoo package anymore ## [9.10.1] - 2019-06-21 ### Changed + * evocheck : update (version 19.06) from upstream ## [9.10.0] - 2019-06-21 ### Added + * apache: add server status suffix in VHost (and default site) if missing * apache: add a variable to customize the server-status host * apt: add a script to manage packages with "hold" mark @@ -821,6 +906,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * redmine: enable gzip compression in nginx vhost ### Changed + * evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert * fluentd: store gpg key locally @@ -833,23 +919,26 @@ The **patch** part changes is incremented if multiple releases happen the same m * apt: Add Debian Buster repositories ### Fixed + * rbenv: add check_mode for check rbenv and ruby versions * nagios-nrpe: fix redis_instances check when Redis port equal 0 * redmine: fix 500 error on logging * evolinux-base: Validate sshd config with "-t" instead of "-T" * evolinux-base: Ensure rename is present * evolinux-users: Validate sshd config with "-t" instead of "-T" -* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-* +* nagios-nrpe: Replace the dummy packages nagios-plugins-*with monitoring-plugins-* ## [9.9.0] - 2019-04-16 ### Added + * etc-git: ignore evobackup/.keep-* files * lxc: /home is mounted in the container by default * nginx : add "x-frame-options: sameorigin" for Munin ### Changed -* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles + +* changed remote repository to * apt: Ensure jessie-backport from archives.debian.org is accepted * apt: Remove jessie-update suite as it's no longer exists * apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport @@ -862,8 +951,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * tomcat: better tomcat version management * webapps/evoadmin-web: add dbadmin.sh to sudoers file - ### Fixed + * spamassasin: fix sa-update.sh and ensure service is started and enabled * tomcat-instance: deploy correct version of config files * tomcat-instance: deploy correct version of server.xml @@ -871,20 +960,24 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.8.0] - 2019-01-31 ### Added + * filebeat: disable cloud_metadata processor by default * metricbeat: disable cloud_metadata processor by default * percona : new role to install Percona repositories and tools * redis: add variable for configure unixsocketperm ### Changed + * redmine: refactoring of redmine role with use of rbenv ### Fixed + * ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config ## [9.7.0] - 2019-01-17 ### Added + * apache: add Munin configuration for Apache server-status URL * evomaintenance: database variables must be set or the task fails * fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml @@ -897,6 +990,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * proftpd: add FTPS and SFTP support ### Changed + * redis: distinction between main and master password * evocheck: update evocheck.sh for source install * php: added php-zip in the installed package list for debian 9 (and later) @@ -904,6 +998,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * java: update Oracle java package to 8u192 ### Fixed + * fail2ban: fix "ignoreip" update * metricbeat: fix username/password replacement * nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true) @@ -912,16 +1007,17 @@ The **patch** part changes is incremented if multiple releases happen the same m * redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script * redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account - ## [9.6.0] - 2018-12-04 ### Added + * evolinux-base: deploy custom motd if template are present * minifirewall: all variables are configurable (untouched by default) * minifirewall: main file is configurable * squid: minifirewall main file is configurable ### Changed + * minifirewall: compare config before/after (for restart condition) * squid: better replacement in minifirewall config * evoadmin-mail: complete refactoring, use Debian Package @@ -929,6 +1025,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.5.0] - 2018-11-14 ### Added + * apache: separate task to update IP whitelist * evolinux-base: install man package * evolinux-users: add newaliases handler @@ -942,11 +1039,13 @@ The **patch** part changes is incremented if multiple releases happen the same m * mysql: logdir can be customized ### Changed + * evocheck: update script from upstream * evomaintenance: update script from upstream * mysql: restart service if systemd unit has been patched ### Fixed + * packweb-apache: mod-security config is already included elsewhere * redis: for permissions on log and lib directories * redis: fix shell for instance users @@ -955,13 +1054,16 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.4.2] - 2018-10-12 ### Added + * evomaintenance: install dependencies manually when installing vendored version * nagios-nrpe: add an option to ignore servers in NOLB status ### Changed + * haproxy: move check_haproxy_stats to nagios-nrpe role ### Fixed + * evoacme: better error when apache2ctl fails * evomaintenance: fix role compatibility with OpenBSD * spamassassin: add missing right for amavis @@ -970,16 +1072,19 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.4.1] - 2018-09-28 ### Added + * redis: set masterauth when redis_password is defined * evomaintenance: variable to install a vendored version * evomaintenance: tasks/variables to handle minifirewall restarts ### Changed + * mysql-oracle: better handle packages and users ## [9.4.0] - 2018-09-20 ### Added + * etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`) * evolinux-base: better shell history * evolinux-users: add user to /etc/aliases @@ -994,9 +1099,11 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: add check_redis_instances ### Changed + * dovecot: stronger TLS configuration ### Fixed + * apache: cleaner way to overwrite the server status suffix * packweb-apache: don't regenerate phpMyAdmin suffix each time * nginx: cleaner way to overwrite the server status suffix @@ -1005,11 +1112,13 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.3.2] - 2018-09-06 ### Added + * minifirewall: add a variable to disable the restart handler * minifirewall: add a variable to force a restart of the firewall (even with no change) * minifirewall: improve variables values and documentation ### Changed + * dovecot: enable SSL/TLS by default with snakeoil certificate ### Fixed @@ -1019,11 +1128,13 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.3.1] - 2018-08-30 ### Added + * metricbeat: new variables to configure elasticsearch hosts and auth ## [9.3.0] - 2018-08-24 ### Added + * elasticsearch: tmpdir configuration compatible with 5.x also * elasticsearch: add http.publish_host variable * evoacme: disable old certbot cron also in cron.daily @@ -1044,6 +1155,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: add check_postgrey ### Changed + * etc-git: some entries of .gitignore are mandatory * evocheck: update upstream script * evolinux-base: improve hostname configuration (real vs. internal) @@ -1062,6 +1174,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * kvm-host: install kvm-tools package instead of copying add-vm.sh ### Fixed + * apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word. * bind: chroot-bind.sh must not be executed in check mode * evoacme: fix module detection in apache config @@ -1073,12 +1186,14 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.2.0] - 2018-05-16 ### Changed + * filebeat: install version 6.x by default * filebeat: cleanup unused code * squid: add some domaine and fix broken restrictions * elasticsearch: defaults to version 6.x ### Fixed + * evolinux-users: secondary groups are comma-separated * ntpd: fix configuration (server and ACL) * varnish: don't fork the process on startup with systemd @@ -1088,6 +1203,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added ### Changed + * apache: customize logrotate (52 weeks) * evolinux: groups for SSH configuration are used with Debian 10 and later * evolinux-base: fail2ban is not enabled by default @@ -1099,9 +1215,11 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.1.8] - 2018-04-16 ### Changed + * packweb-apache: use dependencies instead of include_role for apache and php roles ### Fixed + * mysql: use check_mode for apg command (Fix --check) * mysql/mysql-oracle: properly reload systemd * packweb-apache: use check_mode for apg command (Fix --check) @@ -1109,6 +1227,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.1.7] - 2018-04-06 ### Added + * added a few become attributes where missing * etc-git: add tags for Ansible * evolinux-base: install ncurses-term package @@ -1126,6 +1245,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * redmine: added missing tags ### Changed + * elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`) * elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`). * evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues) @@ -1141,6 +1261,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined ### Fixed + * dovecot: fix support of plus sign * mysql/mysql-oracle: mysqltuner cron task is executable * nginx: fix basic auth for default vhost @@ -1149,21 +1270,25 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.1.6] - 2018-02-02 ### Added + * mongodb: install python-pymongo for monitoring * nagios-nrpe: allowed_hosts can be updated ### Changed + * Changelog: explain the versioning scheme * Changelog: add a release date for 9.1.5 * evoacme: exclude typical certbot directories ### Fixed + * fail2ban: fix horrible typo, Python is not Ruby * nginx: fix servers status dirname ## [9.1.5] - 2018-01-18 ### Added + * There is a changelog! * redis: configuration variable for protected mode (v3.2+) * evolinux-users: users are in "adm" group for Debian 9 or later @@ -1175,41 +1300,49 @@ The **patch** part changes is incremented if multiple releases happen the same m * redmine: ability to install themes and plugins ### Changed + * rbenv: Ruby 2.5 becomes the default version * evocheck: update upstream version embedded in role (c993244) * bind: keep 52 weeks of logs ### Fixed + * squid: different logrotate file for Jessie or Stretch+ * evoacme: don't invoke evoacme if no vhost is found * evomaintenance: explicit quotes in config file * redmine: force xpath gem < 3.0.0 ### Security + * evomaintenance: fix permissions for config file ## [9.1.4] - 2017-12-20 ### Added + * php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later) * mysql: add a check_mysql_slave in nrpe configuration * ldap: slapd tcp port is configurable * elasticsearch: broader patterns for log rotation ### Changed + * split IP lists in 2 – default and additional – for easier customization. ### Fixed + * minifirewall: allow outgoing SSH connections over IPv6 * nodejs: rename source.list file ### Security + * evoadmin-web: change config.local.php file permissions * evolinux-base: change default_www file permissions ## [9.1.3] 2017-12-08 ### Added + * evolinux-base: install traceroute package * evolinux-base/ntpd: purge openntpd * tomcat: add Tomcat 8 cmpatibility @@ -1221,6 +1354,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * elastic: option for stack main version ### Changed + * nginx: rename Let's Encrypt snippet * nginx: simpler apt preferences for backports * generate-ldif: add clamd service instead of clamav_db @@ -1232,10 +1366,12 @@ The **patch** part changes is incremented if multiple releases happen the same m * mongodb: comatible with Stretch ### Removed + * mongodb: logfile/pidfile are not configurable on Jessie * minifirewall: remove zidane.evolix.net from HTTPSITES ### Fixed + * nginx: fix munin CGI graphs * ntpd: fix default configuration (localhost only) * logstash: fix permissions on pipeline configuration @@ -1246,14 +1382,17 @@ The **patch** part changes is incremented if multiple releases happen the same m ## [9.1.2] 2017-12-05 ### Fixed + * listupgrade: remount /usr as rw ## [9.1.1] 2017-11-21 ### Added + * amazon-ec2: add egress rules ### Fixed + * evoacme: fix multiple bugs ## [9.1.0] 2017-11-19 @@ -1261,6 +1400,7 @@ The **patch** part changes is incremented if multiple releases happen the same m _Warning: huge release, many entries are missing below._ ### Added + * amazon-ec2: new role, for EC2 instances creation * Move /usr rw remount into remount-usr role * kibana: host and basepath configuration @@ -1271,6 +1411,7 @@ _Warning: huge release, many entries are missing below._ * nagios-nrpe: add opendkim check ### Changed + * Combine evolix and additional trusted IP addresses * amazon-ec2: split tasks * apt: don't upgrade by default @@ -1281,6 +1422,7 @@ _Warning: huge release, many entries are missing below._ * ldap: better variables ### Fixed + * fail2ban: create config hierarchy beforehand * elasticsearch: fix datadir/tmpdir conditions * elastic: remove double ".list" suffix @@ -1291,10 +1433,10 @@ _Warning: huge release, many entries are missing below._ ### Security - ## [9.0.1] 2017-10-02 ### Added + * haproxy: add a Nagios check * php: add "sury" mode for PHP 7.1 on Stretch * minifirewall: explicit dependency on iptables @@ -1302,9 +1444,11 @@ _Warning: huge release, many entries are missing below._ * docker-host: new variable for docker home ### Changed + * php: install php5/php package after fpm/libapache2-mod-php ### Fixed + * mysql: add "REPLICATION CLIENT" privilege for nrpe * evoadmin-web: revert from variables to keywords in the templates * evoacme: many fixes diff --git a/amavis/files/amavis_purge_virusmails b/amavis/files/amavis_purge_virusmails new file mode 100644 index 00000000..ba7ef51a --- /dev/null +++ b/amavis/files/amavis_purge_virusmails @@ -0,0 +1,2 @@ +#!/bin/bash +find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index 4fa452e5..da46721e 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml @@ -16,3 +16,12 @@ notify: restart amavis tags: - amavis + +- name: Install purge custom cron + ansible.builtin.copy: + src: amavis_purge_virusmails + dest: /etc/cron.daily/amavis_purge_virusmails + mode: "0755" + tags: + - amavis + - amavis_purge_cron diff --git a/amazon-ec2/amazon-ec2-evolinux.yml b/amazon-ec2/amazon-ec2-evolinux.yml index 18dcb7a0..23f1f358 100644 --- a/amazon-ec2/amazon-ec2-evolinux.yml +++ b/amazon-ec2/amazon-ec2-evolinux.yml @@ -18,7 +18,7 @@ - name: Install Evolinux hosts: launched-instances - become: yes + become: true vars_files: - 'vars/secrets.yml' diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index 2c4d75ff..596c63e9 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -7,7 +7,7 @@ owner: root group: root mode: "0640" - force: no + force: false tags: - apache @@ -30,7 +30,7 @@ owner: root group: root mode: "0640" - force: no + force: false notify: reload apache tags: - apache diff --git a/apache/tasks/log2mail.yml b/apache/tasks/log2mail.yml index 42b18dae..f0f1853d 100644 --- a/apache/tasks/log2mail.yml +++ b/apache/tasks/log2mail.yml @@ -14,6 +14,6 @@ owner: log2mail group: adm mode: "0644" - force: no + force: false tags: - apache diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index c1ca9d7b..78dabc61 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -73,7 +73,7 @@ owner: root group: root mode: "0640" - force: yes + force: true notify: reload apache tags: - apache @@ -85,7 +85,7 @@ owner: root group: root mode: "0640" - force: no + force: false notify: reload apache tags: - apache @@ -119,7 +119,7 @@ src: evolinux-default.conf.j2 dest: /etc/apache2/sites-available/000-evolinux-default.conf mode: "0640" - force: no + force: false notify: reload apache tags: - apache @@ -129,7 +129,7 @@ src: /etc/apache2/sites-available/000-evolinux-default.conf dest: /etc/apache2/sites-enabled/000-default.conf state: link - force: yes + force: true notify: reload apache when: apache_evolinux_default_enabled | bool tags: @@ -181,7 +181,7 @@ src: save_apache_status.sh dest: /usr/share/scripts/save_apache_status.sh mode: "0755" - force: no + force: false tags: - apache diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 7b188e51..271a8739 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -13,7 +13,7 @@ dest: "{{ apache_serverstatus_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ apache_serverstatus_suffix }}\u000A" - force: yes + force: true when: apache_serverstatus_suffix | length > 0 - name: generate random string for server-status suffix diff --git a/apt/files/deb822-migration.py b/apt/files/deb822-migration.py index a8873923..f8693b28 100755 --- a/apt/files/deb822-migration.py +++ b/apt/files/deb822-migration.py @@ -1,4 +1,4 @@ -#!/bin/env python3 +#!/usr/bin/env python3 import re import sys @@ -13,7 +13,7 @@ destinations = { ".*-backports": "backports.sources", ".debian.org": "system.sources", "mirror.evolix.org": "system.sources", - "pub.evolix.net": "evolix_public_old.sources", + "pub.evolix.net": "evolix_public_old.sources.bak", "pub.evolix.org": "evolix_public.sources", "artifacts.elastic.co": "elastic.sources", "download.docker.com": "docker.sources", @@ -149,4 +149,4 @@ def main(): if __name__ == "__main__": main() -sys.exit(0) \ No newline at end of file +sys.exit(0) diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml index 421e59e6..0382892d 100644 --- a/apt/tasks/backports.deb822.yml +++ b/apt/tasks/backports.deb822.yml @@ -4,7 +4,7 @@ ansible.builtin.template: src: '{{ ansible_distribution_release }}_backports.sources.j2' dest: /etc/apt/sources.list.d/backports.sources - force: yes + force: true mode: "0640" register: apt_backports_sources tags: @@ -14,7 +14,7 @@ ansible.builtin.copy: src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults - force: yes + force: true mode: "0640" register: apt_backports_config tags: diff --git a/apt/tasks/backports.oneline.yml b/apt/tasks/backports.oneline.yml index 9b7118b7..11de5c52 100644 --- a/apt/tasks/backports.oneline.yml +++ b/apt/tasks/backports.oneline.yml @@ -11,7 +11,7 @@ ansible.builtin.template: src: '{{ ansible_distribution_release }}_backports.list.j2' dest: /etc/apt/sources.list.d/backports.list - force: yes + force: true mode: "0640" register: apt_backports_list tags: @@ -21,7 +21,7 @@ ansible.builtin.copy: src: '{{ ansible_distribution_release }}_backports_preferences' dest: /etc/apt/preferences.d/0-backports-defaults - force: yes + force: true mode: "0640" register: apt_backports_config tags: diff --git a/apt/tasks/basics.deb822.yml b/apt/tasks/basics.deb822.yml index a8663572..617e6c92 100644 --- a/apt/tasks/basics.deb822.yml +++ b/apt/tasks/basics.deb822.yml @@ -5,7 +5,7 @@ src: "{{ ansible_distribution_release }}_basics.sources.j2" dest: /etc/apt/sources.list.d/system.sources mode: "0644" - force: yes + force: true register: apt_basic_sources tags: - apt @@ -15,7 +15,7 @@ src: "{{ ansible_distribution_release }}_security.sources.j2" dest: /etc/apt/sources.list.d/security.sources mode: "0644" - force: yes + force: true register: apt_security_sources tags: - apt diff --git a/apt/tasks/basics.oneline.yml b/apt/tasks/basics.oneline.yml index 4d457f0d..f949a0b2 100644 --- a/apt/tasks/basics.oneline.yml +++ b/apt/tasks/basics.oneline.yml @@ -5,7 +5,7 @@ src: "{{ ansible_distribution_release }}_basics.list.j2" dest: /etc/apt/sources.list mode: "0644" - force: yes + force: true register: apt_basic_list tags: - apt diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml index 036645e7..0a91dddf 100644 --- a/apt/tasks/evolix_public.deb822.yml +++ b/apt/tasks/evolix_public.deb822.yml @@ -16,11 +16,19 @@ - apt when: _trusted_gpg_keyring.stat.exists +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Add Evolix GPG key ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -31,7 +39,7 @@ ansible.builtin.template: src: evolix_public.sources.j2 dest: /etc/apt/sources.list.d/evolix_public.sources - force: yes + force: true mode: "0640" register: apt_evolix_public tags: diff --git a/apt/tasks/evolix_public.oneline.yml b/apt/tasks/evolix_public.oneline.yml index 9c502a33..9501e595 100644 --- a/apt/tasks/evolix_public.oneline.yml +++ b/apt/tasks/evolix_public.oneline.yml @@ -16,11 +16,19 @@ - apt when: _trusted_gpg_keyring.stat.exists +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Add Evolix GPG key ansible.builtin.copy: src: pub_evolix.asc dest: "{{ apt_keyring_dir }}/pub_evolix.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -31,7 +39,7 @@ ansible.builtin.template: src: evolix_public.list.j2 dest: /etc/apt/sources.list.d/evolix_public.list - force: yes + force: true mode: "0640" register: apt_evolix_public tags: diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 26ced4c7..e92b7b44 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml @@ -71,7 +71,7 @@ ansible.builtin.copy: src: check_held_packages.sh dest: /usr/share/scripts/check_held_packages.sh - force: yes + force: true mode: "0755" tags: - apt diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 295f42f1..4d357f8b 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -96,6 +96,18 @@ when: apt_clean_gandi_sourceslist | bool +- name: "Disable NonFreeFirmware warning for VM on Debian 12+" + ansible.builtin.lineinfile: + path: /etc/apt/apt.conf.d/no-bookworm-firmware.conf + create: yes + line: "APT::Get::Update::SourceListWarnings::NonFreeFirmware \"false\";" + tags: + - apt + when: + - ansible_distribution_major_version is version('12', '>=') + - ansible_virtualization_role == "guest" + + - name: Install check for packages marked hold ansible.builtin.import_tasks: hold_packages.yml when: apt_install_hold_packages | bool diff --git a/apt/tasks/migrate-to-deb822.yml b/apt/tasks/migrate-to-deb822.yml index 720045bf..e7339e8b 100644 --- a/apt/tasks/migrate-to-deb822.yml +++ b/apt/tasks/migrate-to-deb822.yml @@ -14,9 +14,9 @@ - name: Migration scripts are installed ansible.builtin.copy: - src: "{{ item }}" - dest: "/usr/share/scripts/{{ item }}" - force: yes + src: "{{ item }}" + dest: "/usr/share/scripts/{{ item }}" + force: true mode: "0755" loop: - deb822-migration.py @@ -29,4 +29,22 @@ cmd: /usr/share/scripts/deb822-migration.sh ignore_errors: yes tags: - - apt \ No newline at end of file + - apt + +- name: Add signed-by when relevant for bookworm + ansible.builtin.lineinfile: + dest: /etc/apt/sources.list.d/system.sources + line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg" + insertafter: "Suites: bookworm bookworm-updates" + state: present + tags: + - apt + +- name: Add signed-by when relevant for bookworm-security + ansible.builtin.lineinfile: + dest: /etc/apt/sources.list.d/security.sources + line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg" + insertafter: "Suites: bookworm-security" + state: present + tags: + - apt diff --git a/apt/templates/bookworm_basics.sources.j2 b/apt/templates/bookworm_basics.sources.j2 index 5a0cd3aa..948c4adf 100644 --- a/apt/templates/bookworm_basics.sources.j2 +++ b/apt/templates/bookworm_basics.sources.j2 @@ -5,3 +5,4 @@ URIs: http://mirror.evolix.org/debian Suites: bookworm bookworm-updates Components: {{ apt_basics_components | mandatory }} Enabled: yes +Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg diff --git a/apt/templates/bookworm_security.sources.j2 b/apt/templates/bookworm_security.sources.j2 index 56180957..07f1345b 100644 --- a/apt/templates/bookworm_security.sources.j2 +++ b/apt/templates/bookworm_security.sources.j2 @@ -5,3 +5,4 @@ URIs: https://security.debian.org/debian-security Suites: bookworm-security Components: {{ apt_basics_components | mandatory }} Enabled: yes +Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg \ No newline at end of file diff --git a/apt/templates/stretch_backports.list.j2 b/apt/templates/stretch_backports.list.j2 index 4f69547d..ffd6f98f 100644 --- a/apt/templates/stretch_backports.list.j2 +++ b/apt/templates/stretch_backports.list.j2 @@ -1,3 +1,3 @@ # {{ ansible_managed }} -deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }} +deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }} diff --git a/bind/files/reload-zone b/bind/files/reload-zone new file mode 100755 index 00000000..b9acc449 --- /dev/null +++ b/bind/files/reload-zone @@ -0,0 +1,14 @@ +#!/bin/bash +# +# Script utilitaire pour tester et recharger facilement un domaine dans Bind +# Usage : reload-zone +# +# TODO: +# - renommer le script (par ex bind-safe-reload) +# - vérifier le serial +# - ajouter un -h --help +# - prendre en charge plusieurs zones (ou aucune) +# - ajouter le script dans le role bind + +named-checkzone "$1" /etc/bind/db."$1" && rndc reload "$1" + diff --git a/bind/tasks/authoritative.yml b/bind/tasks/authoritative.yml index abfa96d8..7fbd827d 100644 --- a/bind/tasks/authoritative.yml +++ b/bind/tasks/authoritative.yml @@ -7,5 +7,5 @@ owner: bind group: bind mode: "0644" - force: yes + force: true notify: restart bind \ No newline at end of file diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 67776531..1e20eee2 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -23,7 +23,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart apparmor when: check_apparmor.rc == 0 @@ -47,7 +47,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: - reload systemd - restart bind @@ -77,7 +77,7 @@ dest: /root/chroot-bind.sh mode: "0700" owner: root - force: yes + force: true backup: yes when: bind_chroot_set | bool @@ -109,7 +109,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart bind - ansible.builtin.include: munin.yml diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml index 4a655533..fee99750 100644 --- a/bind/tasks/munin.yml +++ b/bind/tasks/munin.yml @@ -48,7 +48,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart munin-node tags: - bind diff --git a/bind/tasks/recursive.yml b/bind/tasks/recursive.yml index 364f1021..887f206e 100644 --- a/bind/tasks/recursive.yml +++ b/bind/tasks/recursive.yml @@ -8,7 +8,7 @@ owner: bind group: bind mode: "0644" - force: yes + force: true notify: restart bind - name: enable zones.rfc1918 for recursive server diff --git a/certbot/files/hooks/deploy/proftpd.sh b/certbot/files/hooks/deploy/proftpd.sh new file mode 100755 index 00000000..1921458c --- /dev/null +++ b/certbot/files/hooks/deploy/proftpd.sh @@ -0,0 +1,44 @@ +#!/bin/sh + +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} +debug() { + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi +} +daemon_found_and_running() { + test -n "$(pidof proftpd)" && test -n "${proftpd_bin}" +} +config_check() { + ${proftpd_bin} configtest > /dev/null 2>&1 +} +letsencrypt_used() { + grep -q -r -E "letsencrypt" /etc/proftpd/ +} +main() { + if daemon_found_and_running; then + if letsencrypt_used; then + if config_check; then + debug "ProFTPD detected... reloading" + systemctl reload proftpd + else + error "ProFTPD config is broken, you must fix it !" + fi + else + debug "ProFTPD doesn't use Let's Encrypt certificate. Skip." + fi + else + debug "ProFTPD is not running or missing. Skip." + fi +} + +readonly PROGNAME=$(basename "$0") +readonly VERBOSE=${VERBOSE:-"0"} +readonly QUIET=${QUIET:-"0"} + +readonly proftpd_bin=$(command -v proftpd) + +main diff --git a/certbot/tasks/acme-challenge.yml b/certbot/tasks/acme-challenge.yml index 29c0267d..acd93fe0 100644 --- a/certbot/tasks/acme-challenge.yml +++ b/certbot/tasks/acme-challenge.yml @@ -15,7 +15,7 @@ ansible.builtin.template: src: acme-challenge/nginx.conf.j2 dest: /etc/nginx/snippets/letsencrypt.conf - force: yes + force: true notify: reload nginx when: is_nginx.stat.exists @@ -30,7 +30,7 @@ ansible.builtin.template: src: acme-challenge/apache.conf.j2 dest: /etc/apache2/conf-available/letsencrypt.conf - force: yes + force: true notify: reload apache - name: ACME challenge for Apache is enabled diff --git a/certbot/tasks/install-legacy.yml b/certbot/tasks/install-legacy.yml index 3048a4a4..157c8dc1 100644 --- a/certbot/tasks/install-legacy.yml +++ b/certbot/tasks/install-legacy.yml @@ -16,7 +16,7 @@ mode: '0755' owner: root group: root - force: yes + force: true notify: install letsencrypt-auto - name: Check certbot script @@ -49,7 +49,7 @@ ansible.builtin.copy: src: cron_jessie dest: /etc/cron.d/certbot - force: yes + force: true when: certbot_custom_crontab | bool - name: disable self-upgrade diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 42c9cecc..bc5dc88f 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -12,6 +12,9 @@ docker_conf_no_newprivileges: False # Toggle live restore (need to be disabled in swarm mode) docker_conf_live_restore: True +# Toggle user namespace +docker_conf_user_namespace: True + # Disable all default network connectivity docker_conf_disable_default_networking: False diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index db57a6b6..556570f5 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -22,11 +22,19 @@ state: present when: ansible_distribution_major_version is version('10', '<') +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Add Docker's official GPG key ansible.builtin.copy: src: docker-debian.asc dest: "{{ apt_keyring_dir }}/docker-debian.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -43,7 +51,6 @@ ansible.builtin.template: src: docker.sources.j2 dest: /etc/apt/sources.list.d/docker.sources - state: present register: docker_sources when: ansible_distribution_major_version is version('12', '>=') diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index a044234b..92d60f8d 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 @@ -4,8 +4,10 @@ ,"data-root": "{{ docker_home }}" {# Keep containers running while docker daemon downtime #} ,"live-restore": {{ docker_conf_live_restore | to_json }} +{% if docker_conf_user_namespace %} {# Turn on user namespace remaping #} ,"userns-remap": "default" +{% endif %} {% if docker_conf_use_iptables %} {# Use iptables instead of docker-proxy #} ,"userland-proxy": false diff --git a/dovecot/README.md b/dovecot/README.md index 736b95dc..8652006f 100644 --- a/dovecot/README.md +++ b/dovecot/README.md @@ -2,6 +2,8 @@ Installation and basic configuration of dovecot +Do not use this role to update Dovecot 2.2 to 2.3. + ## Tasks Minimal configuration is in `tasks/main.yml` @@ -9,3 +11,14 @@ Minimal configuration is in `tasks/main.yml` ## Available variables The full list of variables (with default values) can be found in `defaults/main.yml`. + +## Munin plugins + +### dovecot_stats_ + +Note : This is an Evolix patched version. + +This plugin can be installed only when installin a server, because it needs Dovevcot plugin stats (Dovecot 2.2) or old_stats (Dovecot 2.3), which previously were not activated by default. + +To skip this plugin installation, use "--skip-tags dovecot_stats_". + diff --git a/dovecot/files/munin_config b/dovecot/files/munin_config deleted file mode 100644 index 1a0553d8..00000000 --- a/dovecot/files/munin_config +++ /dev/null @@ -1,2 +0,0 @@ -[dovecot] -group adm diff --git a/dovecot/files/munin_plugin b/dovecot/files/munin_plugin deleted file mode 100755 index f12c2b04..00000000 --- a/dovecot/files/munin_plugin +++ /dev/null @@ -1,128 +0,0 @@ -#! /bin/bash -# -# Munin Plugin -# to count logins to your dovecot mailserver -# -# Created by Dominik Schulz -# http://developer.gauner.org/munin/ -# Contributions by: -# - Stephane Enten -# - Steve Schnepp -# - pcy (make 'Connected Users' DERIVE, check existence of logfile in autoconf) -# -# Parameters understood: -# -# config (required) -# autoconf (optional - used by munin-config) -# -# Config variables: -# -# logfile - Where to find the syslog file -# -# Add the following line to a file in /etc/munin/plugin-conf.d: -# env.logfile /var/log/your/logfile.log -# -# Magic markers (optional - used by munin-config and installation scripts): -# -#%# family=auto -#%# capabilities=autoconf - -###################### -# Configuration -###################### -EXPR_BIN=/usr/bin/expr -LOGFILE=${logfile:-/var/log/mail.log} -###################### - -if [ "$1" = "autoconf" ]; then - [ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)" - exit 0 -fi - -if [ "$1" = "config" ]; then - echo 'graph_title Dovecot Logins' - echo 'graph_category mail' - echo 'graph_args --base 1000 -l 0' - echo 'graph_vlabel Login Counters' - - for t in Total TLS SSL IMAP POP3 - do - field=$(echo $t | tr '[:upper:]' '[:lower:]') - echo "login_$field.label $t Logins" - echo "login_$field.type DERIVE" - echo "login_$field.min 0" - done - - echo 'connected.label Connected Users' - echo "connected.type DERIVE" - - exit 0 -fi - -###################### -# Total Logins -###################### -echo -en "login_total.value " -VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n -###################### -# Connected Users -###################### -DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE) -CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE) -VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS) -if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then - VALUE=0 -fi -echo -en "connected.value " -echo $VALUE -echo -n -###################### -# TLS Logins -###################### -echo -en "login_tls.value " -VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n -###################### -# SSL Logins -###################### -echo -en "login_ssl.value " -VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n -###################### -# IMAP Logins -###################### -echo -en "login_imap.value " -VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n -###################### -# POP3 Logins -###################### -echo -en "login_pop3.value " -VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE) -if [ ! -z "$VALUE" ]; then - echo "$VALUE" -else - echo "0" -fi -echo -n diff --git a/dovecot/files/munin_plugin_dovecot1 b/dovecot/files/munin_plugin_dovecot1 new file mode 100644 index 00000000..83f4d897 --- /dev/null +++ b/dovecot/files/munin_plugin_dovecot1 @@ -0,0 +1,242 @@ +#!/usr/bin/perl + +#%# family=auto +#%# capabilities=autoconf + +use Munin::Plugin; + +$pos = undef; +$connected = 0; +$connectedimap = 0; +$connectedpop3 = 0; +$connections = 0; +$connectionsimap = 0; +$connectionspop3 = 0; +$login = 0; +$pop3login = 0; +$imaplogin = 0; +$tls = 0; +$ssl = 0; +$aborted = 0; + +($dirname = $0) =~ s/[^\/]+$//; + +$dovelogfile = 0 ; + +$logfile = $ENV{'LOGFILE'} || '/var/log/mail.log'; + +if ( $logfile =~ /dovecot/ ) { + $dovelogfile = 1 ; +} + +# Use an overridden $PATH for all external programs if needed +$DOVEADM = "doveadm"; + +if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) { + + if (! -x $DOVEADM) { + print "no (no doveadm)\n"; + exit(0); + } + + if (! -f $logfile) { + print "no (logfile $logfile does not exist)\n"; + exit(0); + } + + if (-r "$logfile") { + print "yes\n"; + exit 0; + } else { + print "no (logfile not readable)\n"; + } + exit 0; +} + +if (-f "$logfile.0") { + $rotlogfile = $logfile . ".0"; +} elsif (-f "$logfile.1") { + $rotlogfile = $logfile . ".1"; +} elsif (-f "$logfile.01") { + $rotlogfile = $logfile . ".01"; +} else { + $rotlogfile = $logfile . ".0"; +} + +if ( $ARGV[0] and $ARGV[0] eq "config" ) { + print "multigraph dovecot_connections\n"; + print "graph_title Dovecot connections\n"; + print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n"; + print "graph_vlabel connections\n"; + print "graph_category mail\n"; + print "connections.label Connections open\n"; + print "connections.type GAUGE\n"; + print "connections.draw LINE1\n"; + print "connections.min 0\n"; + print "connectionsimap.label IMAP\n"; + print "connectionsimap.type GAUGE\n"; + print "connectionsimap.draw AREA\n"; + print "connectionsimap.min 0\n"; + print "connectionspop3.label POP3\n"; + print "connectionspop3.type GAUGE\n"; + print "connectionspop3.draw STACK\n"; + print "connectionspop3.min 0\n"; + + print "multigraph dovecot_connected\n"; + print "graph_title Dovecot connected users\n"; + print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n"; + print "graph_vlabel connections\n"; + print "graph_category mail\n"; + print "connected.label Connected users\n"; + print "connected.type GAUGE\n"; + print "connected.draw LINE1\n"; + print "connected.min 0\n"; + print "connectedimap.label IMAP\n"; + print "connectedimap.type GAUGE\n"; + print "connectedimap.draw AREA\n"; + print "connectedimap.min 0\n"; + print "connectedpop3.label POP3\n"; + print "connectedpop3.type GAUGE\n"; + print "connectedpop3.draw STACK\n"; + print "connectedpop3.min 0\n"; + + print "multigraph dovecot_logins\n"; + print "graph_title Dovecot logins\n"; + print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n"; + print "graph_vlabel logins/5 minute\n"; + print "graph_category mail\n"; + print "login.label Logins\n"; + print "login.type GAUGE\n"; + print "login.draw LINE1\n"; + print "login.min 0\n"; + print "imaplogin.label IMAP logins\n"; + print "imaplogin.type GAUGE\n"; + print "imaplogin.draw LINE1\n"; + print "imaplogin.min 0\n"; + print "pop3login.label POP3 logins\n"; + print "pop3login.type GAUGE\n"; + print "pop3login.draw LINE1\n"; + print "pop3login.min 0\n"; + print "tls.label TLS\n"; + print "tls.type GAUGE\n"; + print "tls.draw LINE1\n"; + print "tls.min 0\n"; + print "ssl.label SSL\n"; + print "ssl.type GAUGE\n"; + print "ssl.draw LINE1\n"; + print "ssl.min 0\n"; + print "aborted.label Aborted logins\n"; + print "aborted.type GAUGE\n"; + print "aborted.draw LINE1\n"; + print "aborted.min 0\n"; + exit 0; +} + +if (! -f $logfile and ! -f $rotlogfile) { + print "multigraph dovecot_connections\n"; + print "connections.value U"; + print "connectionsimap.value U"; + print "connectionspop3.value U"; + print "multigraph dovecot_connected\n"; + print "connected.value U\n"; + print "connectedimap.value U\n"; + print "connectedpop3.value U\n"; + print "multigraph dovecot_logins\n"; + print "login.value U\n"; + print "pop3login.value U\n"; + print "imaplogin.value U\n"; + print "tls.value U\n"; + print "ssl.value U\n"; + print "aborted.value U\n"; + + exit 0; +} + +# dit kan beter maar twee calls zijn toch nodig also we niet zelf aggegreren +# suggestie: doveadm who -1 | awk '{print $1" "$2" "$4}' | sort | uniq -c +$connectedimap = `$DOVEADM -f flow who | grep imap | wc -l`; +$connectedpop3 = `$DOVEADM -f flow who | grep pop3 | wc -l`; +$connectionsimap = `$DOVEADM -f flow who -1 | grep imap | wc -l`; +$connectionspop3 = `$DOVEADM -f flow who -1 | grep pop3 | wc -l`; + +#trim +$connectedimap =~ s/\s+$//; +$connectedpop3 =~ s/\s+$//; +$connectionsimap =~ s/\s+$//; +$connectionspop3 =~ s/\s+$//; + +$connected = $connectedimap + $connectedpop3; +$connections = $connectionsimap + $connectionspop3; + +my ($pos) = restore_state(); + +$startsize = (stat $logfile)[7]; + +if (!defined $pos) { + # Initial run. + $pos = $startsize; +} + +if ($startsize < $pos) { + # Log rotated + parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]); + $pos = 0; +} + +parseDovecotfile ($logfile, $pos, $startsize); +$pos = $startsize; + +save_state($pos); + +print "multigraph dovecot_connections\n"; +print "connections.value $connections\n"; +print "connectionsimap.value $connectionsimap\n"; +print "connectionspop3.value $connectionspop3\n"; +print "multigraph dovecot_connected\n"; +print "connected.value $connected\n"; +print "connectedimap.value $connectedimap\n"; +print "connectedpop3.value $connectedpop3\n"; +print "multigraph dovecot_logins\n"; +print "login.value $login\n"; +print "pop3login.value $pop3login\n"; +print "imaplogin.value $imaplogin\n"; +print "tls.value $tls\n"; +print "ssl.value $ssl\n"; +print "aborted.value $aborted\n"; + + +sub parseDovecotfile { + my ($fname, $start, $stop) = @_; + open (logf, $fname) or exit 3; + seek (logf, $start, 0) or exit 2; + + while (tell (logf) < $stop) { + my $line =; + chomp ($line); + + if ( $dovelogfile == 0 and $line !~ m/dovecot/) { next; } + else { + if ($line =~ m/Aborted/) { + $aborted++; + + } elsif ($line =~ m/Login:/) { + $login++; + + if ( $line =~ m/TLS/) { + $tls++; + } elsif ($line =~ m/SSL/) { + $ssl++; + } + + if ( $line =~ m/pop3-login:/) { + $pop3login++; + } elsif ($line =~ m/imap-login:/) { + $imaplogin++; + } + } + } + } + close(logf); +} + +# vim:syntax=perl diff --git a/dovecot/files/munin_plugin_dovecot_stats_ b/dovecot/files/munin_plugin_dovecot_stats_ new file mode 100644 index 00000000..6daf9bae --- /dev/null +++ b/dovecot/files/munin_plugin_dovecot_stats_ @@ -0,0 +1,158 @@ +#!/bin/bash +: <<=cut + +=head1 NAME + +dovecot_stats_ - Munin plugin to display statistics for the dovecot mail server + +=head1 CONFIGURATION + +This plugin must be run with permissions to run "doveadm". That usually means root, but to test, run the following as any user: + + doveadm who + +If you get a permission denied message, check the permissions on the socket mentioned in the error line. + +=head1 MAGIC MARKERS + + #%# family=contrib + #%# capability=autoconf suggest + +=head1 AUTHOR + +Paul Saunders + +=cut + +. $MUNIN_LIBDIR/plugins/plugin.sh +is_multigraph + +if [[ "$1" == "autoconf" ]]; then + if [[ -x /usr/bin/doveadm ]]; then + echo yes + else + echo no + fi + exit 0 +fi + +# Dovecot 2.3 changes the stas format, but we can still access the older version with "doveadm oldstats". +dovecot_version=$(/usr/sbin/dovecot --version | awk '{print $1}') + +verlte() { + [ "$1" = "$2" ] && return 1 || [ "$2" = "`echo -e "$1\n$2" | sort -V | head -n1`" ] +} + +verlt() { + [ "$1" = "$2" ] && return 1 || verlte $2 $1 +} + +# The stats command is "stats" unless the version is NOT less than 2.3, in which case it's "oldstats". +stats_command="stats" +verlt $dovecot_version 2.3 || stats_command="oldstats" + + +if [[ "$1" == "suggest" ]]; then + doveadm $stats_command dump domain|awk 'NR!=1 {print $1}' + exit 0 +fi + +domain=$(basename $0) +domain=${domain#dovecot_stats_} + +if [[ -z $domain ]]; then + exit 1 +fi + +if [[ "$1" == "config" ]]; then + cat < 0 @@ -32,28 +32,89 @@ - name: Configure network publish_host ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml - line: "network.publish_host: {{ elasticsearch_network_publish_host }}" + line: "network.publish_host: {{ elasticsearch_network_publish_host }}" regexp: "^network.publish_host:" insertafter: "^network.host:" when: elasticsearch_network_publish_host | default("", True) | length > 0 tags: - config +- name: Configure network port + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "network.port: {{ elasticsearch_network_port }}" + regexp: "^network.port:" + insertafter: "^network.host:" + when: elasticsearch_network_port | default("", True) | length > 0 + tags: + - config + +- name: Configure http host + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "http.host: {{ elasticsearch_http_host }}" + regexp: "^http.host:" + insertafter: "^# *http.host:" + when: elasticsearch_http_host | default("", True) | length > 0 + tags: + - config + - name: Configure http publish_host ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml - line: "http.publish_host: {{ elasticsearch_http_publish_host }}" + line: "http.publish_host: {{ elasticsearch_http_publish_host }}" regexp: "^http.publish_host:" insertafter: "^http.port:" when: elasticsearch_http_publish_host | default("", True) | length > 0 tags: - config +- name: Configure http port + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "http.port: {{ elasticsearch_http_port }}" + regexp: "^http.port:" + insertafter: "^http.host:" + when: elasticsearch_http_port | default("", True) | length > 0 + tags: + - config + +- name: Configure transport host + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "transport.host: {{ elasticsearch_transport_host }}" + regexp: "^transport.host:" + insertafter: "^# *transport.host:" + when: elasticsearch_transport_host | default("", True) | length > 0 + tags: + - config + +- name: Configure transport publish_host + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "transport.publish_host: {{ elasticsearch_transport_publish_host }}" + regexp: "^transport.publish_host:" + insertafter: "^transport.host:" + when: elasticsearch_transport_publish_host | default("", True) | length > 0 + tags: + - config + +- name: Configure transport port + ansible.builtin.lineinfile: + dest: /etc/elasticsearch/elasticsearch.yml + line: "transport.port: {{ elasticsearch_transport_port }}" + regexp: "^transport.port:" + insertafter: "^transport.host:" + when: elasticsearch_transport_port | default("", True) | length > 0 + tags: + - config + - name: Configure discovery seed hosts ansible.builtin.lineinfile: dest: /etc/elasticsearch/elasticsearch.yml line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}" regexp: "^discovery.seed_hosts:" + insertafter: "^# *discovery.seed_hosts:" when: elasticsearch_discovery_seed_hosts | default([], True) | length > 0 tags: - config @@ -118,14 +179,11 @@ tags: - config -- name: Disable garbage collector logs (JDK >= 9) - ansible.builtin.lineinfile: +- name: Disable garbage collector logs + ansible.builtin.replace: dest: /etc/elasticsearch/jvm.options - regexp: "Xlog:gc" - line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m" - owner: root - group: elasticsearch - mode: "0640" + regexp: '^([^#]*-Xlog:gc.+)' + replace: '#\1' tags: - config diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 5188e3cc..2d5ca6b8 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -1,6 +1,7 @@ --- + - name: APT sources - ansible.builtin.import_tasks: apt_sources.yml + ansible.builtin.include_tasks: apt_sources.yml args: apply: tags: diff --git a/elasticsearch/tasks/plugin_head.yml b/elasticsearch/tasks/plugin_head.yml index 2a98d080..24a34643 100644 --- a/elasticsearch/tasks/plugin_head.yml +++ b/elasticsearch/tasks/plugin_head.yml @@ -32,7 +32,7 @@ environment: TMPDIR: "{{ elasticsearch_plugin_head_tmp_dir }}" become_user: "{{ elasticsearch_plugin_head_owner }}" - become: yes + become: true - name: Elasticsearch HTTP/CORS are enabled ansible.builtin.lineinfile: diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index bae705d3..ef136bdf 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -10,12 +10,12 @@ - ansible_distribution == "Debian" - name: Install and configure utilities - ansible.builtin.include: utils.yml + ansible.builtin.import_tasks: utils.yml tags: - etc-git - name: Configure repositories - ansible.builtin.include: repositories.yml + ansible.builtin.import_tasks: repositories.yml tags: - etc-git when: etc_git_config_repositories | bool \ No newline at end of file diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index d9d64ad6..6c76d265 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -26,7 +26,7 @@ when: - _usr_share_scripts.stat.isdir -- ansible.builtin.include: repository.yml +- ansible.builtin.import_tasks: repository.yml vars: repository_path: "/usr/share/scripts" gitignore_items: [] diff --git a/etc-git/tasks/repository.yml b/etc-git/tasks/repository.yml index 1601a157..426eab41 100644 --- a/etc-git/tasks/repository.yml +++ b/etc-git/tasks/repository.yml @@ -38,7 +38,7 @@ dest: "{{ repository_path }}/.gitignore" owner: root mode: "0600" - force: no + force: false tags: - etc-git diff --git a/etc-git/tasks/utils.yml b/etc-git/tasks/utils.yml index b54e1c61..e33589b3 100644 --- a/etc-git/tasks/utils.yml +++ b/etc-git/tasks/utils.yml @@ -10,7 +10,7 @@ src: evocommit dest: /usr/local/bin/evocommit mode: "0755" - force: yes + force: true tags: - etc-git @@ -19,7 +19,7 @@ src: ansible-commit dest: /usr/local/bin/ansible-commit mode: "0755" - force: yes + force: true tags: - etc-git @@ -28,7 +28,7 @@ src: etc-git-optimize dest: /usr/share/scripts/etc-git-optimize mode: "0755" - force: yes + force: true tags: - etc-git @@ -37,7 +37,7 @@ src: etc-git-status dest: /usr/share/scripts/etc-git-status mode: "0755" - force: yes + force: true tags: - etc-git diff --git a/evoacme/tests/vagrant.yml b/evoacme/tests/vagrant.yml index 9eb9077d..83466e63 100644 --- a/evoacme/tests/vagrant.yml +++ b/evoacme/tests/vagrant.yml @@ -1,6 +1,6 @@ - hosts: default gather_facts: yes - become: yes + become: true roles: # - squid diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 05b5f8d1..9cc1dcbb 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04.01" +VERSION="23.07" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 52441988..65a26a3e 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04.01" +VERSION="23.07" readonly VERSION # base functions @@ -55,7 +55,7 @@ detect_os() { DEBIAN_MAIN_VERSION=$(cut -d "." -f 1 < /etc/debian_version) if [ "${DEBIAN_MAIN_VERSION}" -lt "9" ]; then - echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2 + echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2 echo "This version is built for Debian 9 and later." >&2 exit fi @@ -231,8 +231,15 @@ check_customcrontab() { test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" } check_sshallowusers() { - grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ - || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" + if is_debian_bookworm; then + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*" + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \ + && failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config" + else + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" + fi } check_diskperf() { perfFile="/root/disk-perf.txt" @@ -276,7 +283,7 @@ check_alert5minifw() { fi } check_minifw() { - /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ + /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*(all|0)\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ || failed "IS_MINIFW" "minifirewall seems not started" } check_minifw_includes() { @@ -307,7 +314,7 @@ check_nrpedisks() { test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" } check_nrpepid() { - if is_debian_bullseye; then + if { is_debian_bullseye || is_debian_bookworm ; }; then { test -e /etc/nagios/nrpe.cfg \ && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" @@ -874,19 +881,27 @@ check_ldap_backup() { check_redis_backup() { if is_installed redis-server; then # You could change the default path in /etc/evocheck.cf - # REDIS_BACKUP_PATH may contain space-separated paths, example: + # REDIS_BACKUP_PATH may contain space-separated paths, for example: # REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb' - # Old default path: /home/backup/dump.rdb - # New default path: /home/backup/redis/dump.rdb - if [ -z "${REDIS_BACKUP_PATH}" ]; then - if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then - failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)." - fi - else - for file in ${REDIS_BACKUP_PATH}; do - test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing." - done + # Warning : this script doesn't handle spaces in file paths ! + + REDIS_BACKUP_PATH="${REDIS_BACKUP_PATH:-$(find /home/backup/ -iname "*.rdb*")}" + + # Check number of dumps + n_instances=$(pgrep 'redis-server' | wc -l) + n_dumps=$(echo $REDIS_BACKUP_PATH | wc -w) + if [ ${n_dumps} -lt ${n_instances} ]; then + failed "IS_REDIS_BACKUP" "Missing Redis dump : ${n_instances} instance(s) found versus ${n_dumps} dump(s) found." fi + + # Check last dump date + age_threshold=$(date +"%s" -d "now - 2 days") + for dump in ${REDIS_BACKUP_PATH}; do + last_update=$(stat -c "%Z" $dump) + if [ "${last_update}" -lt "${age_threshold}" ]; then + failed "IS_REDIS_BACKUP" "Redis dump ${dump} is older than 2 days." + fi + done fi } check_elastic_backup() { @@ -1076,14 +1091,14 @@ check_usrsharescripts() { check_sshpermitrootno() { sshd_args="-C addr=,user=,host=,laddr=,lport=0" if is_debian_stretch; then - # Noop, we'll use the default $sshd_args + # Noop, we'll use the default $sshd_args : elif is_debian_buster; then - sshd_args="${sshd_args},rdomain=" + sshd_args="${sshd_args},rdomain=" else - # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument + # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument # -T doesn't require the additional -C. - sshd_args= + sshd_args= fi # shellcheck disable=SC2086 if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then @@ -1216,7 +1231,7 @@ check_lxc_container_resolv_conf() { else failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}" fi - done + done fi } # Check that there are containers if lxc is installed. @@ -1302,7 +1317,7 @@ get_version() { case "${program}" in ## Special case if `command --version => 'command` is not the standard way to get the version # my_command) - # /path/to/my_command --get-version + # /path/to/my_command --get-version # ;; add-vm) diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index 461540b3..2df0e814 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.04.01" +VERSION="23.07" readonly VERSION # base functions diff --git a/evocheck/tasks/cron.yml b/evocheck/tasks/cron.yml index cfea8ca2..4e9c249e 100644 --- a/evocheck/tasks/cron.yml +++ b/evocheck/tasks/cron.yml @@ -16,5 +16,5 @@ mode: "0644" owner: root group: root - force: yes + force: true when: is_cron_installed.rc == 0 diff --git a/evocheck/tasks/install.yml b/evocheck/tasks/install.yml index b210302b..d1c1daf0 100644 --- a/evocheck/tasks/install.yml +++ b/evocheck/tasks/install.yml @@ -36,7 +36,7 @@ dest: "{{ evocheck_bin_dir }}/evocheck.sh" mode: "0700" owner: root - force: yes + force: true tags: - evocheck @@ -44,6 +44,6 @@ ansible.builtin.copy: src: evocheck.cf dest: /etc/evocheck.cf - force: no + force: false tags: - evocheck diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 497a3d2b..f92fa90b 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -51,6 +51,7 @@ evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_intern evolinux_kernel_include: True evolinux_kernel_cloud_auto: True +evolinux_kernel_cloud_reboot: True evolinux_kernel_reboot_after_panic: True evolinux_kernel_disable_tcp_timestamps: True evolinux_kernel_customize_swappiness: True @@ -103,6 +104,8 @@ evolinux_system_locales: True evolinux_system_set_timezone: True evolinux_system_timezone: "Europe/Paris" +evolinux_system_include_ntpd: "{{ ansible_distribution_major_version is version('12', '<') }}" +evolinux_system_include_timesyncd: "{{ ansible_distribution_major_version is version('12', '>=') }}" evolinux_system_vim_skip_defaults: True evolinux_system_vim_default_editor: True @@ -173,6 +176,8 @@ evolinux_logs_default_dateext : True evolinux_logs_disable_logrotate_rsyslog: True evolinux_logs_rsyslog_conf: True evolinux_logrotate_dateformat: "-%Y%m%d%H" +evolinux_logs_disable_logcheck_journald: True +evolinux_logs_journald_conf: True # default www @@ -229,4 +234,4 @@ evolinux_cron_checkhpraid_frequency: daily evolinux_motd_include: True # Utils -evolinux_utils_include: True \ No newline at end of file +evolinux_utils_include: True diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index 5f76413f..8ed50c7a 100644 --- a/evolinux-base/files/dump-server-state.sh +++ b/evolinux-base/files/dump-server-state.sh @@ -3,7 +3,7 @@ PROGNAME="dump-server-state" REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state" -VERSION="22.04.3" +VERSION="23.08" readonly VERSION dump_dir= @@ -15,7 +15,7 @@ show_version() { cat <, +Copyright 2018-2023 Evolix , Jérémy Lecour , Éric Morino , Brice Waegeneire @@ -23,7 +23,7 @@ Copyright 2018-2022 Evolix , ${REPOSITORY} -${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software, +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the GNU General Public License v3.0 for details. END @@ -442,14 +442,14 @@ task_iptables() { printf "\n#### ip6tables --table mangle --list ###############\n" ${ip6tables_bin} --table mangle --list --numeric --verbose --line-numbers fi - } > "${dump_dir}/iptables-v.txt") + } > "${dump_dir}/iptables-v.txt") 2> "${dump_dir}/iptables-v.err" last_rc=$? if [ ${last_rc} -eq 0 ]; then debug "* iptables -v OK" else debug "* iptables -v ERROR" - debug "${last_result}" + debug "$(cat ${dump_dir}/iptables-v.err)" # Ignore errors because we don't know if this is nft related or a real error # rc=10 fi @@ -467,14 +467,14 @@ task_iptables() { printf "\n#### ip6tables --table mangle --list ###############\n" ${ip6tables_bin} --table mangle --list --numeric fi - } > "${dump_dir}/iptables.txt") + } > "${dump_dir}/iptables.txt") 2> "${dump_dir}/iptables.err" last_rc=$? if [ ${last_rc} -eq 0 ]; then debug "* iptables OK" else debug "* iptables ERROR" - debug "${last_result}" + debug "$(cat ${dump_dir}/iptables.err)" # Ignore errors because we don't know if this is nft related or a real error # rc=10 fi @@ -485,14 +485,14 @@ task_iptables() { iptables_save_bin=$(command -v iptables-save) if [ -n "${iptables_save_bin}" ]; then - last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt") + ${iptables_save_bin} > "${dump_dir}/iptables-save.txt" 2> "${dump_dir}/iptables-save.err" last_rc=$? if [ ${last_rc} -eq 0 ]; then debug "* iptables-save OK" else debug "* iptables-save ERROR" - debug "${last_result}" + debug "$(cat ${dump_dir}/iptables-save.err)" # Ignore errors because we don't know if this is nft related or a real error # rc=10 fi @@ -503,14 +503,14 @@ task_iptables() { nft_bin=$(command -v nft) if [ -n "${nft_bin}" ]; then - last_result=$(${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt") + ${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt" 2> "${dump_dir}/nft-ruleset.err" last_rc=$? if [ ${last_rc} -eq 0 ]; then debug "* nft ruleset OK" else debug "* nft ruleset ERROR" - debug "${last_result}" + debug "$(cat ${dump_dir}/nft-ruleset.err)" rc=10 fi fi @@ -762,6 +762,10 @@ task_systemctl() { fi } +clean_empty_error_file() { + find "${dump_dir}" -type f -name "*.err" -size 0 -delete +} + main() { if [ -z "${dump_dir}" ]; then echo "ERROR: You must provide the --dump-dir argument" >&2 @@ -841,6 +845,7 @@ main() { task_systemctl fi + clean_empty_error_file debug "=> Your dump is available at ${dump_dir}" exit ${rc} diff --git a/evolinux-base/files/logs/journald.conf b/evolinux-base/files/logs/journald.conf new file mode 100644 index 00000000..97b0bcc5 --- /dev/null +++ b/evolinux-base/files/logs/journald.conf @@ -0,0 +1,2 @@ +[Journal] +MaxRetentionSec=1day diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index 1c6df437..b9211532 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml @@ -79,3 +79,7 @@ name: log2mail state: restarted +- name: restart systemd-journald + ansible.builtin.service: + name: systemd-journald.service + state: restarted diff --git a/evolinux-base/tasks/bash.yml b/evolinux-base/tasks/bash.yml new file mode 100644 index 00000000..cca21c5f --- /dev/null +++ b/evolinux-base/tasks/bash.yml @@ -0,0 +1,14 @@ +--- + +- name: "Customize common bashrc" + ansible.builtin.lineinfile: + dest: /etc/bash.bashrc + line: "{{ item }}" + create: yes + state: present + loop: + - "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth,erasedups" + - "export HISTSIZE=65535" + - "export HISTTIMEFORMAT=\"%c : \"" + - "shopt -s histappend" + - "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\"" diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 2d94fe2b..673ac397 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -20,7 +20,7 @@ src: default_www/index.html.j2 dest: /var/www/index.html mode: "0644" - force: no + force: false when: evolinux_default_www_files | bool # SSL cert diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml index 33822377..65ff2f45 100644 --- a/evolinux-base/tasks/dump-server-state.yml +++ b/evolinux-base/tasks/dump-server-state.yml @@ -12,4 +12,4 @@ src: /usr/local/sbin/dump-server-state dest: /usr/local/sbin/backup-server-state state: link - force: yes + force: true diff --git a/evolinux-base/tasks/hardware.dell.yml b/evolinux-base/tasks/hardware.dell.yml index a146ec5c..7eeefc49 100644 --- a/evolinux-base/tasks/hardware.dell.yml +++ b/evolinux-base/tasks/hardware.dell.yml @@ -41,13 +41,21 @@ state: absent when: perc_hba11_search.rc == 0 +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: MegaCLI SAS package is present block: - name: HWRaid GPG key is installed ansible.builtin.copy: src: hwraid.le-vert.net.asc dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/evolinux-base/tasks/hardware.hp.yml b/evolinux-base/tasks/hardware.hp.yml index ea17cae5..baded38c 100644 --- a/evolinux-base/tasks/hardware.hp.yml +++ b/evolinux-base/tasks/hardware.hp.yml @@ -1,10 +1,18 @@ --- +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: HPE GPG key is installed ansible.builtin.copy: src: hpePublicKey2048_key1.asc dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -35,6 +43,12 @@ tags: - packages +- name: Install HPE Agentless Management Service (amsd) + ansible.builtin.apt: + name: amsd + tags: + - packages + # NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role # So, if nagios-nrpe role is not installed it will not work - name: Install and configure check_hpraid cron (HP gen >=10) diff --git a/evolinux-base/tasks/hostname.yml b/evolinux-base/tasks/hostname.yml index b283a51e..a361ee44 100644 --- a/evolinux-base/tasks/hostname.yml +++ b/evolinux-base/tasks/hostname.yml @@ -41,7 +41,7 @@ ansible.builtin.copy: dest: /etc/mailname content: "{{ evolinux_fqdn }}\n" - force: yes + force: true when: evolinux_hostname_mailname | bool # Override facts diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index da3abf57..231ec02f 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -4,6 +4,7 @@ ansible.builtin.apt: name: "linux-image-cloud-amd64" state: present + register: _use_cloud_kernel when: - ansible_machine == "x86_64" - ansible_virtualization_role == "guest" @@ -17,6 +18,14 @@ - ansible_machine == "x86_64" - ansible_virtualization_role == "guest" - evolinux_kernel_cloud_auto | bool + +- name: "Reboot the server to enable the new kernel" + ansible.builtin.reboot: + reboot_timeout: 600 + search_paths: ['/lib/molly-guard', '/sbin'] + when: + - _use_cloud_kernel is changed + - evolinux_kernel_cloud_reboot | bool - name: Reboot after panic ansible.posix.sysctl: diff --git a/evolinux-base/tasks/logs.yml b/evolinux-base/tasks/logs.yml index a6dd97ad..75978711 100644 --- a/evolinux-base/tasks/logs.yml +++ b/evolinux-base/tasks/logs.yml @@ -2,6 +2,7 @@ # TODO: voir comment faire des backups initiaux des fichiers +# RSyslog - name: Copy rsyslog.conf ansible.builtin.copy: src: logs/rsyslog.conf @@ -10,6 +11,7 @@ notify: restart rsyslog when: evolinux_logs_rsyslog_conf | bool +# Logrotate - name: Disable logrotate default conf ansible.builtin.command: cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled @@ -61,4 +63,28 @@ insertafter: 'dateext' when: evolinux_logs_default_dateext | bool +# Logcheck +- name: Disable logcheck monitoring of journald + ansible.builtin.lineinfile: + dest: /etc/logrotate.conf + line: "#journal" + regexp: "^journal" + when: evolinux_logs_disable_logcheck_journald | bool + +# Journald +- name: /etc/systemd/journald.conf.d/ is present + ansible.builtin.file: + path: /etc/systemd/journald.conf.d/ + state: directory + mode: "0755" + when: evolinux_logs_journald_conf | bool + +- name: Copy journald.conf + ansible.builtin.copy: + src: logs/journald.conf + dest: /etc/systemd/journald.conf.d/00-evolinux-default.conf + mode: "0644" + notify: restart systemd-journald + when: evolinux_logs_journald_conf | bool + - ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index fc9f5b87..582bcfe0 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -74,6 +74,9 @@ # name: evolix/evolinux-users # when: evolinux_users_include +- name: Bash configuration + ansible.builtin.import_tasks: bash.yml + - name: Root user configuration ansible.builtin.import_tasks: root.yml when: evolinux_root_include | bool diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/postfix.yml index 1c5d986c..d9dba3e2 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/postfix.yml @@ -25,7 +25,7 @@ ansible.builtin.lineinfile: dest: /etc/postfix/main.cf state: present - line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost" + line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost localhost.$mydomain" regexp: '^mydestination' notify: reload postfix tags: diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml index 3b17faf7..a3b51f5d 100644 --- a/evolinux-base/tasks/root.yml +++ b/evolinux-base/tasks/root.yml @@ -27,7 +27,7 @@ ansible.builtin.copy: content: "" dest: "/root/.bash_history" - force: no + force: false when: evolinux_root_bash_history | bool - name: Set umask in /root/.profile @@ -47,7 +47,7 @@ ansible.builtin.copy: src: root/gitconfig dest: "/root/.gitconfig" - force: no + force: false when: evolinux_root_gitconfig | bool - name: Is .bash_history append-only @@ -90,14 +90,40 @@ - "set shiftwidth=4" when: evolinux_root_vim_conf | bool -- name: disable SSH access for root +- name: disable SSH access for root (Debian < 12) ansible.builtin.replace: dest: /etc/ssh/sshd_config regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: evolinux_root_disable_ssh | bool + when: + - evolinux_root_disable_ssh | bool + - ansible_distribution_major_version is version('11', '<=') + +- name: files under /etc/ssh/sshd_config.d are included (Debian >= 12) + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + line: "Include /etc/ssh/sshd_config.d/*.conf" + insertbefore: BOF + notify: reload ssh + when: + - evolinux_root_disable_ssh | bool + - ansible_distribution_major_version is version('12', '>=') + +- name: disable SSH access for root (Debian >= 12) + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf + line: "PermitRootLogin no" + regexp: "^#?PermitRootLogin " + create: yes + mode: "0644" + validate: '/usr/sbin/sshd -t -f %s' + notify: reload sshd + when: + - evolinux_root_disable_ssh | bool + - ansible_distribution_major_version is version('12', '>=') + ### Disabled : it seems useless and too dangerous for now # - name: remove root from AllowUsers directive diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml index 952b661f..6454e390 100644 --- a/evolinux-base/tasks/ssh.included-files.yml +++ b/evolinux-base/tasks/ssh.included-files.yml @@ -1,71 +1,22 @@ --- -# This is a copy of ssh.single-file.yml -# It needs to be changed when we move to a included-files configuration - - - ansible.builtin.debug: - msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" + msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!" when: evolinux_ssh_password_auth_addresses == [] -# From 'man sshd_config' : -# « If all of the criteria on the Match line are satisfied, the keywords -# on the following lines override those set in the global section of the config -# file, until either another Match line or the end of the file. -# If a keyword appears in multiple Match blocks that are satisfied, -# only the first instance of the keyword is applied. » -# -# We want to allow any user from a list of IP addresses to login with password, -# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses +- name: files under /etc/ssh/sshd_config.d are included + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + line: "Include /etc/ssh/sshd_config.d/*.conf" + insertbefore: BOF + notify: reload ssh -- name: "Security directives for Evolinux (Debian 10 or later)" - ansible.builtin.blockinfile: - dest: /etc/ssh/sshd_config - marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" - block: | - Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} - PasswordAuthentication yes - Match Group {{ evolinux_internal_group }} - PasswordAuthentication no - insertafter: EOF - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: - - evolinux_ssh_password_auth_addresses != [] - - ansible_distribution_major_version is version('10', '>=') +- name: add SSH server configuration template + ansible.builtin.template: + src: sshd/defaults.j2 + dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf + mode: "0644" -- name: Security directives for Evolinux (Jessie/Stretch) - ansible.builtin.blockinfile: - dest: /etc/ssh/sshd_config - marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" - block: | - Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} - PasswordAuthentication yes - insertafter: EOF - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: - - evolinux_ssh_password_auth_addresses != [] - - ansible_distribution_major_version is version('10', '<') - -# We disable AcceptEnv because it can be a security issue, but also because we -# do not want clients to push their environment variables like LANG. -- name: disable AcceptEnv in ssh config - ansible.builtin.replace: - dest: /etc/ssh/sshd_config - regexp: '^AcceptEnv' - replace: "#AcceptEnv" - notify: reload sshd - when: evolinux_ssh_disable_acceptenv | bool - -- name: Set log level to verbose (for Debian >= 9) - ansible.builtin.replace: - dest: /etc/ssh/sshd_config - regexp: '^#?LogLevel [A-Z]+' - replace: "LogLevel VERBOSE" - notify: reload sshd - when: ansible_distribution_major_version is version('9', '>=') - -- name: "Get current user" +- name: "Get current user's group" ansible.builtin.command: cmd: logname changed_when: False @@ -73,10 +24,9 @@ check_mode: no when: evolinux_ssh_allow_current_user | bool -# we must double-escape caracters, because python - name: verify AllowUsers directive ansible.builtin.command: - cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + cmd: "grep -ER '^AllowUsers' /etc/ssh" failed_when: False changed_when: False register: grep_allowusers_ssh @@ -85,20 +35,15 @@ - name: "Add AllowUsers sshd directive for current user" ansible.builtin.lineinfile: - dest: /etc/ssh/sshd_config - line: "\nAllowUsers {{ logname.stdout }}" + dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf + create: yes + line: "AllowUsers {{ logname.stdout }}" insertafter: 'Subsystem' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0 -- name: "Modify AllowUsers sshd directive for current user" - ansible.builtin.replace: - dest: /etc/ssh/sshd_config - regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$' - replace: '\1 {{ logname.stdout }}' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0 - - ansible.builtin.meta: flush_handlers + +# TODO si allowusers et allowgroups, ajouter utilisateur aux deux +# TODO si allowgroups, ajouter groupe de l’utilisateur diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index ecad62d9..52766796 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -131,6 +131,13 @@ - ansible.builtin.include_role: name: evolix/ntpd + when: + - evolinux_system_include_ntpd | bool + +- ansible.builtin.include_role: + name: evolix/timesyncd + when: + - evolinux_system_include_timesyncd | bool ## alert5 @@ -138,7 +145,7 @@ ansible.builtin.template: src: system/alert5.sysvinit.j2 dest: /etc/init.d/alert5 - force: no + force: false mode: "0755" when: - evolinux_system_alert5_init | bool @@ -153,13 +160,14 @@ - evolinux_system_alert5_enable | bool - ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch" - +- ansible.builtin.include_role: + name: evolix/remount-usr - name: Install alert5 init script (buster and later) ansible.builtin.template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh - force: no + force: false mode: "0755" when: - evolinux_system_alert5_init | bool @@ -169,7 +177,7 @@ ansible.builtin.copy: src: alert5.service dest: /etc/systemd/system/alert5.service - force: yes + force: true mode: "0644" when: - evolinux_system_alert5_init | bool diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index a97be579..a1c4d646 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -13,7 +13,7 @@ mode: "0700" owner: root group: root - force: no + force: false - name: update-evobackup-canary script is present ansible.builtin.copy: diff --git a/evolinux-base/templates/sshd/defaults.j2 b/evolinux-base/templates/sshd/defaults.j2 new file mode 100644 index 00000000..373141a6 --- /dev/null +++ b/evolinux-base/templates/sshd/defaults.j2 @@ -0,0 +1,15 @@ +Port 22 +{% if evolinux_root_disable_ssh %} +PermitRootLogin no +{% endif %} +LogLevel VERBOSE +SetEnv LC_ALL=en_US.UTF-8 + +{% if evolinux_ssh_password_auth_addresses %} +Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes +{% endif %} +{% if evolinux_internal_group %} +Match Group {{ evolinux_internal_group }} + PasswordAuthentication no +{% endif %} diff --git a/evolinux-todo/tasks/main.yml b/evolinux-todo/tasks/main.yml index 0cf5628c..9b0d9c80 100644 --- a/evolinux-todo/tasks/main.yml +++ b/evolinux-todo/tasks/main.yml @@ -12,5 +12,5 @@ src: todo.defaults.txt dest: /etc/evolinux/todo.txt mode: "0640" - force: no + force: false when: ansible_distribution == "Debian" diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml index 9110911f..9a696901 100644 --- a/evolinux-users/tasks/ssh.yml +++ b/evolinux-users/tasks/ssh.yml @@ -2,7 +2,7 @@ - name: verify AllowGroups directive ansible.builtin.command: - cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + cmd: "grep -Er '^AllowGroups' /etc/ssh" changed_when: False failed_when: False check_mode: no @@ -14,7 +14,7 @@ - name: verify AllowUsers directive ansible.builtin.command: - cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config" + cmd: "grep -Er '^AllowUsers' /etc/ssh" changed_when: False failed_when: False check_mode: no @@ -62,6 +62,37 @@ regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)' replace: "PermitRootLogin no" notify: reload sshd - when: evolinux_root_disable_ssh | bool + when: + - evolinux_root_disable_ssh | bool + - ansible_distribution_major_version is version('11', '<=') + +- name: verify PermitRootLogin directive (Debian >= 12) + ansible.builtin.command: + cmd: "grep -Er '^PermitRootLogin' /etc/ssh" + changed_when: False + failed_when: False + check_mode: no + register: grep_permitrootlogin_ssh + when: + - ansible_distribution_major_version is version('12', '>=') + +# TODO avertir lorsque PermitRootLogin est déjà configuré? +- ansible.builtin.debug: + var: grep_permitrootlogin_ssh + verbosity: 1 + +- name: disable root login (Debian >= 12) + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config.d/z-evolinux-users.conf + line: "PermitRootLogin no" + create: yes + mode: "0644" + validate: '/usr/sbin/sshd -t -f %s' + insertbefore: "BOF" + notify: reload sshd + when: + - evolinux_root_disable_ssh | bool + - ansible_distribution_major_version is version('12', '>=') + - grep_permitrootlogin_ssh.rc == 1 - ansible.builtin.meta: flush_handlers diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml index 2dac1f80..11446b4d 100644 --- a/evolinux-users/tasks/ssh_allowgroups.yml +++ b/evolinux-users/tasks/ssh_allowgroups.yml @@ -4,11 +4,13 @@ # even if it's been done before - name: verify AllowGroups directive ansible.builtin.command: - cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config" + cmd: "grep -Er '^AllowGroups' /etc/ssh" changed_when: False failed_when: False check_mode: no register: grep_allowgroups_ssh + when: + - ansible_distribution_major_version is version('11', '<=') - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" ansible.builtin.lineinfile: @@ -17,7 +19,9 @@ insertafter: 'Subsystem' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_allowgroups_ssh.rc != 0 + when: + - ansible_distribution_major_version is version('11', '<=') + - grep_allowgroups_ssh.rc != 0 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive" ansible.builtin.replace: @@ -26,4 +30,16 @@ replace: '\1 {{ evolinux_ssh_group }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: grep_allowgroups_ssh.rc == 0 + when: + - ansible_distribution_major_version is version('11', '<=') + - grep_allowgroups_ssh.rc == 0 + +- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config.d/z-evolinux-users.conf + line: "AllowGroups {{ evolinux_ssh_group }}" + create: yes + mode: "0644" + validate: '/usr/sbin/sshd -t -f %s' + when: + - ansible_distribution_major_version is version('12', '>=') diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 85149147..b3089aab 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -11,9 +11,9 @@ - block: - - ansible.builtin.include: sudo_stretch_common.yml + - ansible.builtin.include: sudo_common.yml - - ansible.builtin.include: sudo_stretch_user.yml + - ansible.builtin.include: sudo_user.yml vars: user: "{{ item.value }}" loop: "{{ evolinux_users | dict2items }}" diff --git a/evolinux-users/tasks/sudo_stretch_common.yml b/evolinux-users/tasks/sudo_common.yml similarity index 92% rename from evolinux-users/tasks/sudo_stretch_common.yml rename to evolinux-users/tasks/sudo_common.yml index ba7fb50b..0f463756 100644 --- a/evolinux-users/tasks/sudo_stretch_common.yml +++ b/evolinux-users/tasks/sudo_common.yml @@ -10,9 +10,9 @@ - name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)" ansible.builtin.template: - src: sudoers_stretch.j2 + src: sudoers.j2 dest: /etc/sudoers.d/evolinux - force: no + force: false mode: "0440" validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux diff --git a/evolinux-users/tasks/sudo_jessie.yml b/evolinux-users/tasks/sudo_jessie.yml index 6400a8ee..2cc50500 100644 --- a/evolinux-users/tasks/sudo_jessie.yml +++ b/evolinux-users/tasks/sudo_jessie.yml @@ -4,7 +4,7 @@ ansible.builtin.template: src: sudoers_jessie.j2 dest: /etc/sudoers.d/evolinux - force: no + force: false mode: "0440" validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux diff --git a/evolinux-users/tasks/sudo_stretch_user.yml b/evolinux-users/tasks/sudo_user.yml similarity index 100% rename from evolinux-users/tasks/sudo_stretch_user.yml rename to evolinux-users/tasks/sudo_user.yml diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers.j2 similarity index 96% rename from evolinux-users/templates/sudoers_stretch.j2 rename to evolinux-users/templates/sudoers.j2 index 29a22da7..60b5b782 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers.j2 @@ -23,7 +23,8 @@ nagios ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog nagios ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog nagios ALL = NOPASSWD: /sbin/ssacli controller all show status nagios ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show - +nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_gluster.rb + nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt %{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh index bce0e562..3ddbdf76 100644 --- a/evomaintenance/files/evomaintenance.sh +++ b/evomaintenance/files/evomaintenance.sh @@ -1,21 +1,16 @@ #!/bin/sh -# EvoMaintenance script -# Dependencies (all OS): git postgresql-client -# Dependencies (Debian): sudo - -# Copyright 2007-2022 Evolix , Gregory Colpart , -# Jérémy Lecour and others. - -VERSION="22.07" +VERSION="23.10.1" show_version() { cat <, +Copyright 2007-2023 Evolix , Gregory Colpart , - Jérémy Lecour + Jérémy Lecour , + Brice Waegeneire , + Mathieu Trossevin and others. evomaintenance comes with ABSOLUTELY NO WARRANTY. This is free software, @@ -47,11 +42,11 @@ Options --no-evocheck disable evocheck execution --auto use "auto" mode --no-auto use "manual" mode (default) - --autosysadmin author change as autosysadmin + -u, --user=USER force USER value (default: logname(1)) -v, --verbose increase verbosity -n, --dry-run actions are not executed --help print this message and exit - --version print version and exit + -V, --version print version and exit END } @@ -109,7 +104,7 @@ get_begin_date() { get_ip() { ip=$(get_who | cut -d" " -f6 | sed -e "s/^(// ; s/)$//") - if is_autosysadmin || [ "${ip}" = ":0" ]; then + if is_autosysadmin || [ "${ip}" = ":0" ]; then ip="localhost" elif [ -z "${ip}" ]; then ip="unknown (no tty)" @@ -127,8 +122,8 @@ get_now() { } get_user() { - if is_autosysadmin; then - echo autosysadmin + if [ -n "${FORCE_USER}" ]; then + echo "${FORCE_USER}" else logname fi @@ -193,7 +188,7 @@ print_session_data() { } is_autosysadmin() { - test "${AUTOSYSADMIN}" -eq 1 + test "${USER}" = "autosysadmin" } is_repository_readonly() { @@ -404,7 +399,7 @@ AUTO=${AUTO:-"0"} EVOCHECK=${EVOCHECK:-"0"} GIT_STATUS_MAX_LINES=${GIT_STATUS_MAX_LINES:-20} API_ENDPOINT=${API_ENDPOINT:-""} -AUTOSYSADMIN=${AUTOSYSADMIN:-0} +FORCE_USER=${FORCE_USER:-""} # initialize variables MESSAGE="" @@ -482,6 +477,31 @@ while :; do # use "auto" mode AUTO=1 ;; + --autosysadmin) + # Deprecated, backward compatibility + # author change as autosysadmin + printf 'WARNING: "--autosysadmin" is deprecated, use "--user autosysadmin".\n' >&2 + FORCE_USER="autosysadmin" + ;; + -u|--user) + # user options, with value speparated by space + if [ -n "$2" ]; then + FORCE_USER=$2 + shift + else + printf 'ERROR: "--user" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --user=?*) + # message options, with value speparated by = + FORCE_USER=${1#*=} + ;; + --user=) + # message options, without value + printf 'ERROR: "--user" requires a non-empty option argument.\n' >&2 + exit 1 + ;; -n|--dry-run) # disable actual commands DRY_RUN=1 diff --git a/evomaintenance/tasks/install_vendor_debian.yml b/evomaintenance/tasks/install_vendor_debian.yml index c8fb6183..7241081c 100644 --- a/evomaintenance/tasks/install_vendor_debian.yml +++ b/evomaintenance/tasks/install_vendor_debian.yml @@ -40,7 +40,7 @@ owner: root group: root mode: "{{ item.mode }}" - force: yes + force: true backup: yes loop: - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' } diff --git a/evomaintenance/tasks/install_vendor_other.yml b/evomaintenance/tasks/install_vendor_other.yml index ece9aae2..32387b39 100644 --- a/evomaintenance/tasks/install_vendor_other.yml +++ b/evomaintenance/tasks/install_vendor_other.yml @@ -22,7 +22,7 @@ owner: root group: root mode: "{{ item.mode }}" - force: yes + force: true backup: yes loop: - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' } diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 098a550a..b4b3fda8 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -23,6 +23,7 @@ fail2ban_default_findtime: 10m fail2ban_default_action: "action_" fail2ban_sshd: True +fail2ban_sshd_port: "ssh,2222,22222" fail2ban_sshd_maxretry: 10 fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}" fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}" @@ -45,4 +46,6 @@ fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}" fail2ban_roundcube: False fail2ban_roundcube_maxretry: 5 fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}" -fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}" \ No newline at end of file +fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}" + +fail2ban_dbpurgeage_default: "86400 second" diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml index 6fa86c91..c24335cd 100644 --- a/fail2ban/tasks/fix-dbpurgeage.yml +++ b/fail2ban/tasks/fix-dbpurgeage.yml @@ -14,12 +14,12 @@ - name: ansible.builtin.set_fact: - dbpurgeage_default : "{{ dbpurgeage.stdout }}" + fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }}" when: dbpurgeage.stdout | regex_search("^\\d+\w+$") - name: ansible.builtin.set_fact: - dbpurgeage_default : "{{ dbpurgeage.stdout }} second" + fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }} second" when: dbpurgeage.stdout | regex_search("^\\d+$") - name: Add crontab diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 index 8b6d9612..26c80f32 100644 --- a/fail2ban/templates/fail2ban_dbpurge.j2 +++ b/fail2ban/templates/fail2ban_dbpurge.j2 @@ -1,8 +1,8 @@ -#!/bin/sh +#!/bin/bash # Juin - Decembre 2022 : #64088 # Purge pour Stretch et Buster -/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');" +/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ fail2ban_dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');" place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 ) place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) ) diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 6713c92e..a1247f69 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -21,7 +21,7 @@ action = %({{ fail2ban_default_action }})s [sshd] enabled = {{ fail2ban_sshd }} -port = ssh,2222,22222 +port = {{ fail2ban_sshd_port }} maxretry = {{ fail2ban_sshd_maxretry }} findtime = {{ fail2ban_sshd_findtime }} diff --git a/fail2ban/tests/test.yml b/fail2ban/tests/test.yml index 59e70a73..687b1a35 100644 --- a/fail2ban/tests/test.yml +++ b/fail2ban/tests/test.yml @@ -1,6 +1,6 @@ --- - hosts: all - become: yes + become: true # gather_facts: no roles: - role: fail2ban diff --git a/filebeat/tasks/apt_sources.yml b/filebeat/tasks/apt_sources.yml index a0395ffe..812c4303 100644 --- a/filebeat/tasks/apt_sources.yml +++ b/filebeat/tasks/apt_sources.yml @@ -5,11 +5,19 @@ state: present when: ansible_distribution_major_version is version('10', '<') +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Elastic GPG key is installed ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -33,4 +41,4 @@ - name: Update APT cache ansible.builtin.apt: update_cache: yes - when: elastic_sources is changed \ No newline at end of file + when: elastic_sources is changed diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 86dd617b..9714183d 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - ansible.builtin.import_tasks: apt_sources.yml + ansible.builtin.include_tasks: apt_sources.yml args: apply: tags: diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index b6f262c1..de76320c 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -1,10 +1,18 @@ --- +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Add Fluentd GPG key ansible.builtin.copy: src: treasuredata.asc dest: "{{ apt_keyring_dir }}/treasuredata.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/haproxy/tasks/munin.yml b/haproxy/tasks/munin.yml index e2f2302d..f7a35e56 100644 --- a/haproxy/tasks/munin.yml +++ b/haproxy/tasks/munin.yml @@ -12,7 +12,7 @@ ansible.builtin.file: src: /usr/share/munin/plugins/haproxy_ng dest: /etc/munin/plugins/haproxy_ng - force: yes + force: true state: link notify: restart munin-node tags: diff --git a/haproxy/tasks/packages_backports.yml b/haproxy/tasks/packages_backports.yml index 5832c4d4..2a5a855c 100644 --- a/haproxy/tasks/packages_backports.yml +++ b/haproxy/tasks/packages_backports.yml @@ -23,7 +23,7 @@ ansible.builtin.template: src: haproxy_apt_preferences.j2 dest: /etc/apt/preferences.d/999-haproxy - force: yes + force: true mode: "0640" register: haproxy_apt_preferences tags: diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml index 75d181d3..3c4b5b11 100644 --- a/java/tasks/oracle.yml +++ b/java/tasks/oracle.yml @@ -36,7 +36,7 @@ args: chdir: /srv/java-package creates: /srv/java-package/oracle-java8-server-jre_8u192_amd64.deb - become: False + become: false tags: - java diff --git a/java/vars/main.yml b/java/vars/main.yml index 6cc0c9a5..5bdd9be5 100644 --- a/java/vars/main.yml +++ b/java/vars/main.yml @@ -2,3 +2,4 @@ java_bin_path: 8: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java 11: /usr/lib/jvm/java-11-openjdk-amd64/bin/java + 17: /usr/lib/jvm/java-17-openjdk-amd64/bin/java diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index 1e6b777b..2ea8ece4 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -5,11 +5,19 @@ # http://mirrors.jenkins.io/.* # http://jenkins.mirror.isppower.de/.* +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Add Jenkins GPG key ansible.builtin.copy: src: jenkins.asc dest: "{{ apt_keyring_dir }}/jenkins.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/keepalived/tasks/main.yml b/keepalived/tasks/main.yml index 3ab0f8be..30f9557a 100644 --- a/keepalived/tasks/main.yml +++ b/keepalived/tasks/main.yml @@ -14,7 +14,7 @@ mode: "0755" owner: root group: root - force: yes + force: true notify: restart keepalived tags: - keepalived @@ -27,7 +27,7 @@ mode: "0755" owner: root group: root - force: yes + force: true tags: - keepalived - nrpe diff --git a/kibana/tasks/apt_sources.yml b/kibana/tasks/apt_sources.yml index a0395ffe..812c4303 100644 --- a/kibana/tasks/apt_sources.yml +++ b/kibana/tasks/apt_sources.yml @@ -5,11 +5,19 @@ state: present when: ansible_distribution_major_version is version('10', '<') +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Elastic GPG key is installed ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -33,4 +41,4 @@ - name: Update APT cache ansible.builtin.apt: update_cache: yes - when: elastic_sources is changed \ No newline at end of file + when: elastic_sources is changed diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index bcfb852a..ef1b37f1 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -1,6 +1,7 @@ --- + - name: APT sources - ansible.builtin.import_tasks: apt_sources.yml + ansible.builtin.include_tasks: apt_sources.yml args: apply: tags: diff --git a/kibana/tasks/proxy_nginx.yml b/kibana/tasks/proxy_nginx.yml index 7b680284..e3b672b8 100644 --- a/kibana/tasks/proxy_nginx.yml +++ b/kibana/tasks/proxy_nginx.yml @@ -4,13 +4,13 @@ ansible.builtin.template: src: nginx_proxy_kibana_ssl.j2 dest: /etc/nginx/sites-available/kibana_ssl.conf - force: no + force: false - name: Example proxy for Kibana with Nginx (without SSL) ansible.builtin.template: src: nginx_proxy_kibana_nossl.j2 dest: /etc/nginx/sites-available/kibana_nossl.conf - force: no + force: false # - name: Kibana host in Nginx is enabled # file: diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index 78acfe1c..f945d401 100755 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -26,6 +26,10 @@ dryRun() { fi } +isSolo() { + test -z "$slaveKVMIP" +} + critical() { echo -ne "\e[31m${1}\e[39m\n" && exit 1 } @@ -50,6 +54,7 @@ defaultVCPU="${defaultVCPU:-"2"}" defaultRAM="${defaultRAM:-"4G"}" defaultRootSize="${defaultRootSize:-"20G"}" defaultHomeSize="${defaultHomeSize:-"40G"}" +defaultVmName="${defaultVmName:-}" DIALOGOUT=$(mktemp --tmpdir=/tmp addvm.XXX) export DIALOGOUT @@ -62,7 +67,9 @@ HELPFILE=$(mktemp --tmpdir=/tmp addvm.XXX) export HELPFILE tmpResFile=$(mktemp --tmpdir=/tmp addvm.XXX) masterKVM="$(hostname -s)" -slaveKVM="$(ssh "${slaveKVMIP}" hostname -s)" +if ! isSolo; then + slaveKVM="$(ssh "${slaveKVMIP}" hostname -s)" +fi # Exit & Cleanup function. clean() { @@ -81,7 +88,7 @@ ${DIALOG} \ "memory" 2 1 "${defaultRAM}" 2 10 20 0 \ "volRoot" 3 1 "${disks[0]}-${defaultRootSize}" 3 10 20 0 \ "volHome" 4 1 "${disks[1]}-${defaultHomeSize}" 4 10 20 0 \ - "vmName" 5 1 "" 5 10 20 0 \ + "vmName" 5 1 "${defaultVmName}" 5 10 20 0 \ 2> "${DIALOGOUT}" vCPU=$(sed 1'q;d' "${DIALOGOUT}") @@ -114,7 +121,9 @@ else critical "Unknow disk ${volRootDisk} !" fi dryRun lvcreate -L"${volRootSize}" -n"${vmName}_root" "${volRootDisk}" - dryRun ssh "${slaveKVMIP}" "lvcreate -L$volRootSize -n${vmName}_root ${volRootDisk}" + if ! isSolo; then + dryRun ssh "${slaveKVMIP}" "lvcreate -L$volRootSize -n${vmName}_root ${volRootDisk}" + fi fi if ! [[ "${volHome}" =~ ([^-]+)-([0-9]+G) ]]; then @@ -127,10 +136,12 @@ else critical "Unknow disk ${volHomeDisk} !" fi dryRun lvcreate -L"${volHomeSize}" -n"${vmName}_home" "${volHomeDisk}" - dryRun ssh "${slaveKVMIP}" "lvcreate -L$volHomeSize -n${vmName}_home ${volHomeDisk}" + if ! isSolo; then + dryRun ssh "${slaveKVMIP}" "lvcreate -L$volHomeSize -n${vmName}_home ${volHomeDisk}" + fi fi -if [ -f "/etc/drbd.d/${vmName}.res" ]; then +if ! isSolo && [ -f "/etc/drbd.d/${vmName}.res" ]; then warn "The DRBD resource file ${vmName}.res is already present! Continue? [y/N]" read -r if ! [[ "${REPLY}" =~ (Y|y) ]]; then @@ -138,22 +149,23 @@ if [ -f "/etc/drbd.d/${vmName}.res" ]; then fi fi -# Generates drbd resource file. +if ! isSolo; then + # Generates drbd resource file. -# shellcheck disable=SC2012 -if [ "$(ls /etc/drbd.d/ | wc -l)" -gt 1 ]; then - lastdrbdPort=$(grep -hEo ':[0-9]{4}' /etc/drbd.d/*.res | sort | uniq | tail -1 | sed 's/://') - drbdPort=$((lastdrbdPort+1)) - lastMinor=$(grep -hEo 'minor [0-9]{1,}' /etc/drbd.d/*.res | sed 's/minor //' | sort -n | tail -1) - minorvol0=$((lastMinor+1)) - minorvol1=$((lastMinor+2)) -else - drbdPort=7900 - minorvol0=0 - minorvol1=1 -fi + # shellcheck disable=SC2012 + if [ "$(ls /etc/drbd.d/ | wc -l)" -gt 1 ]; then + lastdrbdPort=$(grep -hEo ':[0-9]{4}' /etc/drbd.d/*.res | sort | uniq | tail -1 | sed 's/://') + drbdPort=$((lastdrbdPort+1)) + lastMinor=$(grep -hEo 'minor [0-9]{1,}' /etc/drbd.d/*.res | sed 's/minor //' | sort -n | tail -1) + minorvol0=$((lastMinor+1)) + minorvol1=$((lastMinor+2)) + else + drbdPort=7900 + minorvol0=0 + minorvol1=1 + fi -cat << EOT > "${tmpResFile}" + cat << EOT > "${tmpResFile}" resource "${vmName}" { net { cram-hmac-alg "sha1"; @@ -178,16 +190,16 @@ resource "${vmName}" { meta-disk internal; } EOT -if [[ "${volHomeDisk}" != "none" ]]; then - cat << EOT >> "${tmpResFile}" + if [[ "${volHomeDisk}" != "none" ]]; then + cat << EOT >> "${tmpResFile}" volume 1 { device minor ${minorvol1}; disk /dev/${volHomeDisk}/${vmName}_home; meta-disk internal; } EOT -fi -cat << EOT >> "${tmpResFile}" + fi + cat << EOT >> "${tmpResFile}" on ${masterKVM} { address ${masterKVMIP}:${drbdPort}; } @@ -197,45 +209,52 @@ cat << EOT >> "${tmpResFile}" } EOT -# Create/Activate the new drbd resources. -drbdadm="$(command -v drbdadm)" -if isDryRun; then - drbdadm="${drbdadm} --dry-run" -fi + # Create/Activate the new drbd resources. + drbdadm="$(command -v drbdadm)" + if isDryRun; then + drbdadm="${drbdadm} --dry-run" + fi -if isDryRun; then - # shellcheck disable=SC2064 - trap "rm /etc/drbd.d/${vmName}.res && ssh ${slaveKVMIP} rm /etc/drbd.d/${vmName}.res" 0 -fi -install -m 600 "${tmpResFile}" "/etc/drbd.d/${vmName}.res" -scp "/etc/drbd.d/${vmName}.res" "${slaveKVMIP}:/etc/drbd.d/" -${drbdadm} create-md "${vmName}" -# shellcheck disable=SC2029 -ssh "${slaveKVMIP}" "${drbdadm} create-md ${vmName}" -${drbdadm} adjust "${vmName}" -# shellcheck disable=SC2029 -ssh "${slaveKVMIP}" "${drbdadm} adjust ${vmName}" -${drbdadm} -- --overwrite-data-of-peer primary "${vmName}" + if isDryRun; then + # shellcheck disable=SC2064 + trap "rm /etc/drbd.d/${vmName}.res && ssh ${slaveKVMIP} rm /etc/drbd.d/${vmName}.res" 0 + fi + install -m 600 "${tmpResFile}" "/etc/drbd.d/${vmName}.res" + scp "/etc/drbd.d/${vmName}.res" "${slaveKVMIP}:/etc/drbd.d/" + ${drbdadm} create-md "${vmName}" + # shellcheck disable=SC2029 + ssh "${slaveKVMIP}" "${drbdadm} create-md ${vmName}" + ${drbdadm} adjust "${vmName}" + # shellcheck disable=SC2029 + ssh "${slaveKVMIP}" "${drbdadm} adjust ${vmName}" + ${drbdadm} -- --overwrite-data-of-peer primary "${vmName}" -if ! isDryRun; then - sleep 5 - drbdadm status | tail -4 + if ! isDryRun; then + sleep 5 + drbdadm status | tail -4 - drbdDiskPath="/dev/drbd/by-res/${vmName}/0" - if ! [ -b "${drbdDiskPath}" ]; then - warn "${drbdDiskPath} not found! Continue? [y/N]" - read -r - if ! [[ "${REPLY}" =~ (Y|y) ]]; then - exit 1 + drbdDiskPath="/dev/drbd/by-res/${vmName}/0" + if ! [ -b "${drbdDiskPath}" ]; then + warn "${drbdDiskPath} not found! Continue? [y/N]" + read -r + if ! [[ "${REPLY}" =~ (Y|y) ]]; then + exit 1 + fi fi fi fi -virtRootDisk="--disk path=/dev/drbd/by-disk/${volRootDisk}/${vmName}_root,bus=virtio,io=threads,cache=none,format=raw" -virtHomeDisk="" -if [ "${volHomeDisk}" != "none" ]; then - virtHomeDisk="--disk path=/dev/drbd/by-disk/${volHomeDisk}/${vmName}_home,bus=virtio,io=threads,cache=none,format=raw" +if isSolo; then + virtRootDisk="--disk path=/dev/${volRootDisk}/${vmName}_root,bus=virtio,io=threads,cache=none,format=raw" + virtHomeDisk="--disk path=/dev/${volHomeDisk}/${vmName}_home,bus=virtio,io=threads,cache=none,format=raw" +else + virtRootDisk="--disk path=/dev/drbd/by-disk/${volRootDisk}/${vmName}_root,bus=virtio,io=threads,cache=none,format=raw" + virtHomeDisk="" + if [ "${volHomeDisk}" != "none" ]; then + virtHomeDisk="--disk path=/dev/drbd/by-disk/${volHomeDisk}/${vmName}_home,bus=virtio,io=threads,cache=none,format=raw" + fi fi + if [ -n "${preseedURL}" ]; then bootMode="--location https://deb.debian.org/debian/dists/${debianVersion}/main/installer-amd64/ --extra-args auto=true priority=critical url=${preseedURL} hostname=${vmName}" fi @@ -269,5 +288,3 @@ fi if ! isDryRun && [ -x /usr/share/scripts/evomaintenance.sh ]; then echo "Install VM ${vmName} (add-vm.sh)" | /usr/share/scripts/evomaintenance.sh fi - - diff --git a/kvm-host/files/migrate-vm.sh b/kvm-host/files/migrate-vm.sh index b2244607..4676a123 100644 --- a/kvm-host/files/migrate-vm.sh +++ b/kvm-host/files/migrate-vm.sh @@ -8,16 +8,15 @@ # * logging (stdout/stderr + syslog) # * more checks, rollback if needed… # * different return codes for different errors -# * migrate "from" # * switch to Bash to use local and readonly variables -VERSION="21.04.1" +VERSION="23.10.1" show_version() { cat <, +Copyright 2018-2023 Evolix , Jérémy Lecour , Victor Laborie and others. @@ -39,24 +38,16 @@ show_usage() { cat < or migrate-vm --vm --resource - or migrate-vm --persistent - or migrate-vm --transient Options --vm VM name (from libvirt point of view) --resource DRBD resource name (default to VM name) - --transient Leave VM as defined on hosts - --persistent Undefine the VM on the source and define it on the destination (default) --help Print this message and exit --version Print version and exit END } -persistent() { - test "${persistent}" -eq 1 -} - server_ips() { ip addr show | grep 'inet '| awk '{print $2}' | cut -f1 -d'/' } @@ -70,6 +61,73 @@ is_drbd_resource() { test -f "$(drbd_config_file "${resource}")" && drbdadm role "${resource}" >/dev/null 2>&1 } +check_drbd_sync() { + resource=${1:-} + + set +e + dstate=$(drbdadm dstate "${resource}" | grep -vF 'UpToDate/UpToDate') + cstate=$(drbdadm cstate "${resource}" | grep -vF 'Connected') + set -e + + if [ -n "${dstate}" ] || [ -n "${cstate}" ]; then + echo "DRBD resource ${resource} is not up-to-date" >&2 + exit 1 + fi +} + +drbd_interface() { + drbd_peer=${1:-} + ip route get "${drbd_peer}" | grep --only-matching --extended-regexp 'dev\s+\S+' | awk '{print $2}' +} + +interface_speed() { + interface=${1:-} + fallback_speed="1000" + speed_path="/sys/class/net/${interface}/speed" + bridge_path="/sys/class/net/${interface}/brif" + + if [ -e "${bridge_path}" ]; then + # echo "${interface} is a bridge" >&2 + case "$(ls "${bridge_path}" | wc -l)" in + 0) + # echo "${interface} bridge is empty, fallback to ${fallback_speed}" >&2 + echo "${fallback_speed}" + ;; + 1) + bridge_iface="$(ls "${bridge_path}" | head -n 1)" + # echo "${interface} bridge has 1 interface: ${bridge_iface}" >&2 + interface_speed "${bridge_iface}" + ;; + *) + # echo "${interface} bridge has many interfaces" >&2 + min_speed="" + for bridge_iface in $(ls "${bridge_path}"); do + if realpath "/sys/class/net/${bridge_iface}" | grep --quiet --invert-match virtual; then + speed=$(head -n 1 "/sys/class/net/${bridge_iface}/speed") + # echo "${bridge_iface} is a physical interface, keep" >&2 + if [ -z "${min_speed}" ] || [ "${min_speed}" -gt "${speed}" ]; then + # echo "new min speed with ${bridge_iface}: ${speed}" >&2 + min_speed="${speed}" + fi + else + # echo "${bridge_iface} is a virtual interface, skip" >&2 + : # noop + fi + done + if [ -n "${min_speed}" ] && [ "${min_speed}" -gt "0" ]; then + echo "${min_speed}" + else + echo "${fallback_speed}" + fi + ;; + esac + elif [ -e "${speed_path}" ]; then + head -n 1 "${speed_path}" + else + echo "${fallback_speed}" + fi +} + drbd_peers() { drbd_config_file=$(drbd_config_file "${1:-}") @@ -81,6 +139,11 @@ is_vm_running_locally() { virsh list --state-running --name | grep --fixed-strings --line-regexp --quiet "${vm}" } +is_vm_defined_locally() { + vm=${1:-} + + virsh list --all --name | grep --fixed-strings --line-regexp --quiet "${vm}" +} execute_remotely() { remote=${1:-} @@ -88,7 +151,7 @@ execute_remotely() { command=${*} # shellcheck disable=SC2029 - ssh "${remote}" "${command}" + ssh -n -o BatchMode=yes "${remote}" "${command}" } set_drbd_role() { @@ -183,41 +246,43 @@ undefine_vm() { fi } -migrate_vm_from() { - vm=${1:-} - remote_ip=${2:-} - current_ip=${3:-} - - export VIRSH_DEFAULT_CONNECT_URI="qemu+ssh://${remote_ip}/system" - virsh migrate --live --unsafe --verbose "${vm}" "qemu:///system" "tcp://${current_ip}/" -} - migrate_vm_to() { vm=${1:-} remote_ip=${2:-} + drbd_interface=$(drbd_interface "${remote_ip}") + interface_speed=$(interface_speed "${drbd_interface}") + migrate_speed=$(echo "${interface_speed}*0.8/8" | bc) + + echo "Migration speed set to ${migrate_speed}MiB/s" + virsh --quiet migrate-setspeed "${vm}" "${migrate_speed}" + export VIRSH_DEFAULT_CONNECT_URI="qemu:///system" virsh migrate --live --unsafe --verbose "${vm}" "qemu+ssh://${remote_ip}/system" "tcp://${remote_ip}/" } -migrate_from() { - vm=${1:-} - resource=${2:-} - remote_ip=${3:-} - remote_host=${4:-} - current_ip=${5:-} - current_host=${6:-} +# start_vm() { +# vm=${1:-} +# remote_ip=${2:-} - echo "Start migration of ${vm} from ${remote_ip} (${remote_host})" +# command="virsh start ${vm}" - set_drbd_role primary "${resource}" - migrate_vm_from "${vm}" "${remote_ip}" "${current_ip}" - set_drbd_role secondary "${resource}" "${remote_ip}" - if persistent; then - define_vm "${vm}" - undefine_vm "${vm}" "${remote_ip}" - fi -} +# if [ -z "${remote}" ]; then +# retval=$(eval "${command}") +# retcode=$? +# if [ ${retcode} != 0 ]; then +# echo "An error occured while starting ${vm} : ${retval}" >&2 +# exit 1 +# fi +# else +# retval=$(execute_remotely "${remote}" "${command}") +# retcode=$? +# if [ ${retcode} != 0 ]; then +# echo "An error occured while remotely starting ${vm}: ${retval}" >&2 +# exit 1 +# fi +# fi +# } migrate_to() { vm=${1:-} @@ -227,13 +292,22 @@ migrate_to() { echo "Start migration of ${vm} to ${remote_ip} (${remote_host})" + check_drbd_sync "${resource}" + set_drbd_role primary "${resource}" "${remote_ip}" - migrate_vm_to "${vm}" "${remote_ip}" - set_drbd_role secondary "${resource}" - if persistent; then - define_vm "${vm}" "${remote_ip}" - undefine_vm "${vm}" + sleep 1 + + if is_vm_running_locally "${vm}"; then + migrate_vm_to "${vm}" "${remote_ip}" + else + echo "${vm} is not running locally, so it won't be started on ${remote_host}" fi + + define_vm "${vm}" "${remote_ip}" + undefine_vm "${vm}" + + sleep 1 + set_drbd_role secondary "${resource}" } main() { @@ -260,14 +334,21 @@ main() { fi done - if is_vm_running_locally "${vm}"; then + if is_vm_defined_locally "${vm}"; then migrate_to "${vm}" "${resource}" "${remote_ip}" "${remote_host}" else - echo "Migrating \"from\" is not supported yet" >&2 + echo "VM \"${vm}\" is not defined." >&2 exit 1 - - migrate_from "${vm}" "${resource}" "${remote_ip}" "${remote_host}" "${current_ip}" "${current_host}" fi + + # if is_vm_running_locally "${vm}"; then + # migrate_to "${vm}" "${resource}" "${remote_ip}" "${remote_host}" + # else + # echo "Migrating \"from\" is not supported yet" >&2 + # exit 1 + + # migrate_from "${vm}" "${resource}" "${remote_ip}" "${remote_host}" "${current_ip}" "${current_host}" + # fi } if [ "$(id -u)" -ne "0" ] ; then @@ -288,12 +369,11 @@ while :; do exit 0 ;; --transient) - transient=1 - persistent=0 + printf 'WARNING: "transient" mode has been removed.\n' >&2 + exit 1 ;; --persistent) - transient=0 - persistent=1 + printf 'WARNING: "persistent" mode is the only one available. You can remove this argument from your command.\n' >&2 ;; --vm) # with value separated by space @@ -357,8 +437,6 @@ done # Initial values vm=${vm:-} resource=${resource:-${vm}} -transient=${transient:-0} -persistent=${persistent:-1} set -u set -e diff --git a/kvm-host/tasks/munin.yml b/kvm-host/tasks/munin.yml index 45edc8d6..8cd45cb5 100644 --- a/kvm-host/tasks/munin.yml +++ b/kvm-host/tasks/munin.yml @@ -20,7 +20,7 @@ url: "https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/libvirt/{{ item }}" dest: "/usr/local/share/munin/plugins/" mode: "0755" - force: no + force: false loop: - kvm_cpu - kvm_io @@ -32,7 +32,7 @@ src: "/usr/local/share/munin/plugins/{{ plugin_name }}" dest: "/etc/munin/plugins/{{ plugin_name }}" state: link - force: yes + force: true loop: - kvm_cpu - kvm_io diff --git a/kvm-host/tasks/tools.yml b/kvm-host/tasks/tools.yml index 7931f541..fccf9307 100644 --- a/kvm-host/tasks/tools.yml +++ b/kvm-host/tasks/tools.yml @@ -17,7 +17,7 @@ mode: "0700" owner: root group: root - force: yes + force: true - name: migrate-vm script is present ansible.builtin.copy: @@ -26,7 +26,7 @@ mode: "0700" owner: root group: root - force: yes + force: true - name: kvmstats script is present ansible.builtin.copy: @@ -35,7 +35,7 @@ mode: "0700" owner: root group: root - force: yes + force: true - name: kvmstats cron is present ansible.builtin.template: diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 71fe2caa..8207266e 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -18,7 +18,7 @@ mode: "0700" owner: root group: root - force: yes + force: true - name: Create /etc/evolinux ansible.builtin.file: @@ -35,7 +35,7 @@ mode: "0600" owner: root group: root - force: no + force: false - name: Cron.d is present ansible.builtin.file: @@ -56,7 +56,7 @@ name: "listupgrade.sh" cron_file: "listupgrade" user: root - job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}" + job: "/usr/share/scripts/listupgrade.sh --cron{{ listupgrade_cron_force | bool | ternary(' --force','') }}" minute: "{{ listupgrade_cron_minute }}" hour: "{{ listupgrade_cron_hour }}" weekday: "{{ listupgrade_cron_weekday }}" diff --git a/logstash/tasks/apt_sources.yml b/logstash/tasks/apt_sources.yml index a0395ffe..812c4303 100644 --- a/logstash/tasks/apt_sources.yml +++ b/logstash/tasks/apt_sources.yml @@ -5,11 +5,19 @@ state: present when: ansible_distribution_major_version is version('10', '<') +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Elastic GPG key is installed ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -33,4 +41,4 @@ - name: Update APT cache ansible.builtin.apt: update_cache: yes - when: elastic_sources is changed \ No newline at end of file + when: elastic_sources is changed diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 4f3b8da7..c79f1858 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - ansible.builtin.import_tasks: apt_sources.yml + ansible.builtin.include_tasks: apt_sources.yml args: apply: tags: diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 17af05cf..c0612f4e 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -21,7 +21,7 @@ lxc_php_container_releases: php74: "bullseye" php80: "bullseye" php81: "bullseye" - php82: "bullseye" + php82: "bookworm" lxc_php_services: php56: 'php5-fpm.service' @@ -33,3 +33,5 @@ lxc_php_services: php82: 'php8.2-fpm.service' apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" +apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}" + diff --git a/lxc-php/tasks/mail_ssmtp.yml b/lxc-php/tasks/mail_ssmtp.yml index b57d5d77..07b54118 100644 --- a/lxc-php/tasks/mail_ssmtp.yml +++ b/lxc-php/tasks/mail_ssmtp.yml @@ -3,7 +3,7 @@ - name: "{{ lxc_php_version }} - Install ssmtp" community.general.lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y ssmtp " + container_command: "DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends --yes --force-yes ssmtp " - name: "{{ lxc_php_version }} - Configure ssmtp" ansible.builtin.template: diff --git a/lxc-php/tasks/php56.yml b/lxc-php/tasks/php56.yml index d210d80b..b299652e 100644 --- a/lxc-php/tasks/php56.yml +++ b/lxc-php/tasks/php56.yml @@ -3,7 +3,7 @@ - name: "{{ lxc_php_version }} - Install PHP packages" community.general.lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer" + container_command: "DEBIAN_FRONTEND=noninteractive apt install --yes --force-yes php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php5-sqlite php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" ansible.builtin.template: diff --git a/lxc-php/tasks/php80.yml b/lxc-php/tasks/php80.yml index 043c0174..66f51f6f 100644 --- a/lxc-php/tasks/php80.yml +++ b/lxc-php/tasks/php80.yml @@ -27,7 +27,15 @@ - "deb [signed-by={{ lxc_apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main" -- name: copy pub.evolix.net GPG key +- name: "Ensure {{ lxc_rootfs }}{{ lxc_apt_keyring_dir }} directory exists" + file: + path: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + +- name: copy pub.evolix.org GPG key ansible.builtin.copy: src: pub_evolix.asc dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" diff --git a/lxc-php/tasks/php81.yml b/lxc-php/tasks/php81.yml index a1e9c71b..0b92c3de 100644 --- a/lxc-php/tasks/php81.yml +++ b/lxc-php/tasks/php81.yml @@ -26,7 +26,15 @@ - "deb [signed-by={{ lxc_apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" - "deb [signed-by={{ lxc_apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main" -- name: copy pub.evolix.net GPG key +- name: "Ensure {{ lxc_rootfs }}{{ lxc_apt_keyring_dir }} directory exists" + file: + path: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + +- name: copy pub.evolix.org GPG key ansible.builtin.copy: src: pub_evolix.asc dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" diff --git a/lxc-php/tasks/php82.yml b/lxc-php/tasks/php82.yml index 1fb81851..ede18853 100644 --- a/lxc-php/tasks/php82.yml +++ b/lxc-php/tasks/php82.yml @@ -7,37 +7,39 @@ - name: "{{ lxc_php_version }} - Install dependency packages" community.general.lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https gnupg" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" -- name: "{{ lxc_php_version }} - fix bullseye repository" - ansible.builtin.replace: - dest: "{{ lxc_rootfs }}/etc/apt/sources.list" - regexp: 'bullseye/updates' - replace: 'bullseye-security' +- name: "{{ lxc_php_version }} - delete sources.list bookworm repository" + ansible.builtin.file: + path: "{{ lxc_rootfs }}/etc/apt/sources.list" + state: absent -- name: "{{ lxc_php_version }} - Add sury repo" - ansible.builtin.lineinfile: - dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.list" - line: "{{ item }}" - state: present - create: yes +- name: "{{ lxc_php_version }} - system bookworm repository" + ansible.builtin.template: + src: bookworm_basics.sources.j2 + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources" + force: true mode: "0644" - loop: - - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main" - - "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php82 main" -- name: copy pub.evolix.net GPG key - ansible.builtin.copy: - src: pub_evolix.asc - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc +- name: "{{ lxc_php_version }} - security bookworm repository" + ansible.builtin.template: + src: bookworm_security.sources.j2 + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources" + force: true mode: "0644" + +- name: "Ensure {{ lxc_rootfs }}{{ lxc_apt_keyring_dir }} directory exists" + file: + path: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}" + state: directory + mode: "755" owner: root group: root -- name: copy packages.sury.org GPG Key +- name: copy pub.evolix.org GPG key ansible.builtin.copy: - src: sury.gpg - dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg + src: pub_evolix.asc + dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" mode: "0644" owner: root group: root diff --git a/lxc-php/templates/bookworm_basics.sources.j2 b/lxc-php/templates/bookworm_basics.sources.j2 new file mode 100644 index 00000000..948c4adf --- /dev/null +++ b/lxc-php/templates/bookworm_basics.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: http://mirror.evolix.org/debian +Suites: bookworm bookworm-updates +Components: {{ apt_basics_components | mandatory }} +Enabled: yes +Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg diff --git a/lxc-php/templates/bookworm_security.sources.j2 b/lxc-php/templates/bookworm_security.sources.j2 new file mode 100644 index 00000000..c98d5671 --- /dev/null +++ b/lxc-php/templates/bookworm_security.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://security.debian.org/debian-security +Suites: bookworm-security +Components: {{ apt_basics_components | mandatory }} +Enabled: yes +Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg diff --git a/lxc-php/templates/sury.sources.j2 b/lxc-php/templates/sury.sources.j2 new file mode 100644 index 00000000..22725a58 --- /dev/null +++ b/lxc-php/templates/sury.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types: deb +URIs: https://packages.sury.org/php/ +Suites: {{ ansible_distribution_release }} +Components: main +Signed-by: {{ lxc_apt_keyring_dir }}/sury.gpg +Enabled: yes \ No newline at end of file diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index 3b70cdde..4d3851b6 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml @@ -69,3 +69,9 @@ src: "/etc/profile.d/evolinux.sh" remote_src: true dest: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d/evolinux.sh" + mode: '0644' + +- name: "Purge OpenSSH in container {{ name }}" + community.general.lxc_container: + name: "{{ name }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt-get purge -y openssh-server" diff --git a/memcached/tasks/nrpe.yml b/memcached/tasks/nrpe.yml index a01cf1e7..aba43da6 100644 --- a/memcached/tasks/nrpe.yml +++ b/memcached/tasks/nrpe.yml @@ -25,7 +25,7 @@ ansible.builtin.copy: src: check_memcached_instances.sh dest: /usr/local/lib/nagios/plugins/check_memcached_instances - force: yes + force: true mode: "0755" owner: root group: root diff --git a/metricbeat/tasks/apt_sources.yml b/metricbeat/tasks/apt_sources.yml index a0395ffe..812c4303 100644 --- a/metricbeat/tasks/apt_sources.yml +++ b/metricbeat/tasks/apt_sources.yml @@ -5,11 +5,19 @@ state: present when: ansible_distribution_major_version is version('10', '<') +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Elastic GPG key is installed ansible.builtin.copy: src: elastic.asc dest: "{{ apt_keyring_dir }}/elastic.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -33,4 +41,4 @@ - name: Update APT cache ansible.builtin.apt: update_cache: yes - when: elastic_sources is changed \ No newline at end of file + when: elastic_sources is changed diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 16cc4865..5e7154b4 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: APT sources - ansible.builtin.import_tasks: apt_sources.yml + ansible.builtin.include_tasks: apt_sources.yml args: apply: tags: diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index bcf70ff8..fc034de4 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -1,5 +1,11 @@ #!/bin/sh +set -u + +return=0 +summary="" +details="" + is_alert5_enabled() { # It's not very clear how to reliably detect if a SysVinit script # wrapped in a systemd unit is enabled or not. @@ -39,48 +45,96 @@ is_minifirewall_started() { if test -x /usr/share/scripts/minifirewall_status; then /usr/share/scripts/minifirewall_status > /dev/null else - /sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1)))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + /sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" fi fi } -return_critical() { - echo "CRITICAL: $1" - exit 2 +summary_critical() { + summary="CRITICAL: $1" + [ "${return}" -le 2 ] && return=2 } - -return_warning() { - echo "WARNING: $1" - exit 1 +summary_warning() { + summary="WARNING: $1" + [ "${return}" -le 1 ] && return=1 } - -return_ok() { - echo "OK: $1" - exit 0 +summary_ok() { + summary="OK: $1" + [ "${return}" -le 0 ] && return=0 +} +append_details() { + if [ -z "${details}" ]; then + details="${1}\n" + else + details="${details}$1\n" + fi } main() { if is_alert5_enabled; then - if is_minifirewall_enabled; then + append_details "alert5 is enabled" + + if is_minifirewall_enabled; then + append_details "minifirewall is enabled" + if is_minifirewall_started; then - return_ok "Minifirewall is started." + append_details "minifirewall is started" + + check_result=$(/etc/init.d/minifirewall check-active-config) + check_rc=$? + + if [ ${check_rc} -eq 0 ]; then + append_details "configuration is up-to-date" + summary_ok "minifirewall is started and configuration is up-to-date" + else + if echo "${check_result}" | grep --quiet --regexp 'usage'; then + append_details "minifirewall is too old to check active configuration" + else + case "${check_rc}" in + 1) + summary_warning "minifirewall is started, but unknown configuration state" + ;; + 2) + summary_critical "minifirewall is started, but configuration is outdated" + append_details "configuration is outdated" + ;; + *) + summary_unchk "minifirewall is started, but unknown configuration state" + ;; + esac + append_details "=> run '/etc/init.d/minifirewall check-active-config' for details" + fi + fi else - return_critical "Minifirewall is not started." + append_details "minifirewall is stopped" + summary_critical "minifirewall is stopped, but enabled in alert5 or systemd" fi else + append_details "minifirewall is disabled" + if is_minifirewall_started; then - return_warning "Minifirewall is started, but disabled in alert5 or systemd." + append_details "minifirewall is started" + summary_warning "minifirewall is started, but disabled in alert5 or systemd" else - return_ok "Minifirewall is not started, but disabled in alert5 or systemd." + append_details "minifirewall is stopped" + summary_ok "minifirewall is stopped, but disabled in alert5 or systemd" fi fi else + append_details "alert5 is disabled" + if is_minifirewall_started; then - return_warning "Minifirewall is started, but Alert5 script is not enabled." + append_details "minifirewall is started" + summary_warning "minifirewall is started, but alert5 is disabled" else - return_ok "Minifirewall is not started and Alert5 script is not enabled." + append_details "minifirewall is stopped" + summary_ok "minifirewall is stopped and alert5 is disabled" fi fi + + printf "%s\n\n%s\n" "${summary}" "${details}" + + exit "${return}" } main diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall index 3922e889..b1b659de 100755 --- a/minifirewall/files/minifirewall +++ b/minifirewall/files/minifirewall @@ -5,7 +5,7 @@ # It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel # See https://gitea.evolix.org/evolix/minifirewall -# Copyright (c) 2007-2022 Evolix +# Copyright (c) 2007-2023 Evolix # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 3 @@ -29,14 +29,19 @@ # Description: Firewall designed for standalone server ### END INIT INFO -VERSION="23.02" +VERSION="23.07" -NAME="minifirewall" +PROGNAME="minifirewall" # shellcheck disable=SC2034 DESC="Firewall designed for standalone server" set -u +if [ "$(id -u)" -ne "0" ] ; then + echo "${PROGNAME} must be run as root." >&2 + exit 1 +fi + # Variables configuration ######################### @@ -103,6 +108,13 @@ STATE_FILE_CURRENT='/var/run/minifirewall_state_current' STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous' STATE_FILE_DIFF='/var/run/minifirewall_state_diff' +ACTIVE_CONFIG='/var/run/minifirewall_active_config' +ACTIVE_CONFIG_DIFF="${ACTIVE_CONFIG}.diff" + +SAFETY_LOCK='/var/run/minifirewall_safety.lock' +SAFETY_OUTPUT='/var/run/minifirewall_safety.out' +SAFETY_TIMER=30 + LOGGER_BIN=$(command -v logger) # No colors by default @@ -115,8 +127,10 @@ CYAN='' WHITE='' BOLD='' RESET='' + # check if stdout is a terminal... if [ -t 1 ]; then + INTERACTIVE=1 # see if it supports colors... ncolors=$(tput colors) @@ -133,7 +147,10 @@ if [ -t 1 ]; then BOLD=$(tput bold) RESET='\e[m' fi +else + INTERACTIVE=0 fi +readonly INTERACTIVE ## pseudo dry-run : ## Uncomment and call these functions instead of the real iptables and ip6tables commands @@ -147,17 +164,20 @@ fi # } ## Beware that commands executed from included files are not modified by this trick. +is_interactive() { + test "${INTERACTIVE}" = "1" +} remove_colors() { sed -r 's/\x1B\[(;?[0-9]{1,3})+[mGK]//g' } syslog_info() { if [ -x "${LOGGER_BIN}" ]; then - ${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1" + ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1" fi } syslog_error() { if [ -x "${LOGGER_BIN}" ]; then - ${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1" + ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1" fi } sort_values() { @@ -254,14 +274,91 @@ source_configuration() { source_file_or_error "${config_file}" fi } +include_files() { + if [ -d "${includes_dir}" ]; then + find ${includes_dir} -type f -readable -not -name '*.*' | sort -h + else + echo "" + fi +} source_includes() { if [ -d "${includes_dir}" ]; then - include_files=$(find ${includes_dir} -type f -readable -not -name '*.*' | sort -h) - for include_file in ${include_files}; do + for include_file in $(include_files); do source_file_or_error "${include_file}" done fi } +filter_config_file() { + # Remove lines with: + # * empty or only whitespaces + # * comments + grep --extended-regexp --invert-match -e "^(\s*#)" -e "^\s*$" "${1}" +} +save_active_configuration() { + dest_file=${1} + rm -f "${dest_file}" + + echo "# ${config_file}" >> "${dest_file}" + filter_config_file "${config_file}" >> "${dest_file}" + + found_include_files=$(include_files) + if [ -n "${found_include_files}" ]; then + for include_file in ${found_include_files}; do + echo "# ${include_file}" >> "${dest_file}" + filter_config_file "${include_file}" >> "${dest_file}" + done + fi +} +check_active_configuration() { + # NRPE-compatible return codes + # 0: OK + # 1: WARNING + # 2: CRITICAL + # 3: UNKNOWN + rc=0 + + if [ -f "${ACTIVE_CONFIG}" ]; then + cmp_bin=$(command -v cmp) + diff_bin=$(command -v diff) + + if [ -z "${cmp_bin}" ]; then + printf "${YELLOW}WARNING: Skipped active configuration check (Can't find cmp(1) command)${RESET}\n" + rc=1 + elif [ -z "${diff_bin}" ]; then + printf "${YELLOW}WARNING: Skipped active configuration check (Can't find diff(1) command)${RESET}\n" + rc=1 + else + rm -f "${ACTIVE_CONFIG_DIFF}" + + tmp_config_file=$(mktemp --tmpdir=/tmp minifirewall.XXX) + save_active_configuration "${tmp_config_file}" + + cmp_result=$(cmp "${ACTIVE_CONFIG}" "${tmp_config_file}" 2>&1) + cmp_rc=$? + + if [ ${cmp_rc} -eq 0 ]; then + # echo " config has not changed since latest start" + printf "${GREEN}OK: Active configuration is up-to-date.${RESET}\n" + rc=0 + elif [ ${cmp_rc} -eq 1 ]; then + diff -u "${ACTIVE_CONFIG}" "${tmp_config_file}" > "${ACTIVE_CONFIG_DIFF}" + + printf "${RED}CRITICAL: Active configuration is not up-to-date (minifirewall not restarted after config change?), check %s${RESET}\n" "${ACTIVE_CONFIG_DIFF}" + rc=2 + else + printf "${RED}CRITICAL: Error while comparing rules:${RESET}\n" + printf "${cmp_result}\n" + rc=2 + fi + + rm -f "${tmp_config_file}" + fi + else + printf "${YELLOW}WARNING: Skipped active configuration check (missing file ${ACTIVE_CONFIG})${RESET}\n" + rc=1 + fi + exit ${rc} +} check_unpersisted_state() { cmp_bin=$(command -v cmp) diff_bin=$(command -v diff) @@ -279,7 +376,7 @@ check_unpersisted_state() { rm -f "${STATE_FILE_DIFF}" if [ -f "${STATE_FILE_LATEST}" ]; then - cmp_result=$(cmp "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}") + cmp_result=$(cmp "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" 2>&1) cmp_rc=$? if [ ${cmp_rc} -eq 0 ]; then @@ -320,7 +417,7 @@ report_state_changes() { # But if there is a previous known state # let's compare with the new known state if [ -f "${STATE_FILE_PREVIOUS}" ]; then - cmp_result=$(cmp "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}") + cmp_result=$(cmp "${STATE_FILE_PREVIOUS}" "${STATE_FILE_LATEST}" 2>&1) cmp_rc=$? if [ ${cmp_rc} -eq 0 ]; then @@ -339,11 +436,11 @@ report_state_changes() { start() { syslog_info "starting" - printf "${BOLD}${NAME} starting${RESET}\n" + printf "${BOLD}${PROGNAME} starting${RESET}\n" # Stop and warn if error! set -e - trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT + trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT # sysctl network security settings ################################## @@ -909,17 +1006,20 @@ start() { trap - INT TERM EXIT syslog_info "started" - printf "${GREEN}${BOLD}${NAME} started${RESET}\n" + printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n" # No need to exit on error anymore set +e + # save active configuration + save_active_configuration "${ACTIVE_CONFIG}" + report_state_changes } stop() { syslog_info "stopping" - printf "${BOLD}${NAME} stopping${RESET}\n" + printf "${BOLD}${PROGNAME} stopping${RESET}\n" printf "${BLUE}flushing all rules and accepting everything${RESET}\n" @@ -1000,10 +1100,10 @@ stop() { ${IPT6} -X NEEDRESTRICT fi - rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" + rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" "${ACTIVE_CONFIG}" syslog_info "stopped" - printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n" + printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n" } status() { @@ -1038,7 +1138,7 @@ status_without_numbers() { reset() { syslog_info "resetting" - printf "${BOLD}${NAME} resetting${RESET}\n" + printf "${BOLD}${PROGNAME} resetting${RESET}\n" ${IPT} -Z if is_ipv6_enabled; then @@ -1053,21 +1153,97 @@ reset() { fi syslog_info "reset" - printf "${GREEN}${BOLD}${NAME} reset${RESET}\n" + printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n" } + +stop_if_locked() { + count=0 + + while [ ${count} -lt ${SAFETY_TIMER} ] && [ -f "${SAFETY_LOCK}" ]; do + count=$(( count + 1 )) + sleep 1 + done + + if [ -f "${SAFETY_LOCK}" ]; then + syslog_error "safety lock is still here after ${SAFETY_TIMER} seconds, we need to stop" + + stop + + syslog_info "remove safety lock" + rm -f "${SAFETY_LOCK}" + else + syslog_info "safety lock is not there anymore, life goes on" + fi +} + +safe_start() { + # start the firewall + start + + # create the lock file + syslog_info "add safety lock" + touch "${SAFETY_LOCK}" + + # run the special background command + nohup "${0}" stop-if-locked > "${SAFETY_OUTPUT}" 2>&1 & + + if is_interactive; then + syslog_info "safe-restart in interactive mode ; if safety lock (${SAFETY_LOCK}) is not removed in the next ${SAFETY_TIMER} seconds, minifirewall will be stopped." + # Ask for input + confirm_default="I'm locked out, please stop the firewall" + # printf "If the restart has locked you out you might see this but you shouldn't be able to type anything.\n" + printf "Minifirewall will be stopped in ${SAFETY_TIMER} seconds if you do nothing.\n" + printf "Remove \`${SAFETY_LOCK}' or type anything to keep minifirewall started: " + + read -r confirm + + if [ ! -f "${SAFETY_LOCK}" ]; then + printf "Safety lock is not there anymore.\nYou've probably been rescued by the safety checks.\n" + elif [ "${confirm}" != "${confirm_default}" ]; then + rm -f "${SAFETY_LOCK}" && printf "OK. Safety lock is removed.\n" + fi + else + syslog_info "safe-restart in non-interactive mode ; if safety lock (${SAFETY_LOCK}) is not removed in the next ${SAFETY_TIMER} seconds, minifirewall will be stopped." + fi +} + show_version() { cat <. +Copyright 2007-2023 Evolix . -${NAME} comes with ABSOLUTELY NO WARRANTY. +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License. END } +show_help() { + cat <&2 "%s - munin plugin to graph value of MySQL expire_logs_days system variable\n" ${0##*/} + printf >&2 "Usage: %s [config]\n" ${0##*/} +} + +case $# in + 0) + output_values + ;; + 1) + case $1 in + config) + output_config + ;; + *) + output_usage + exit 1 + ;; + esac + ;; + *) + output_usage + exit 1 + ;; +esac diff --git a/mysql/files/mysql_skip.sh b/mysql/files/mysql_skip.sh index 95bc28f7..ca72a9fc 100644 --- a/mysql/files/mysql_skip.sh +++ b/mysql/files/mysql_skip.sh @@ -18,29 +18,28 @@ log_file="/var/log/mysql_skip.log" mysql_skip_error() { error="$1" - error="$(date --iso-8601=seconds) Skiping: $error" - printf "Skipping: $error\n" - mysql $mysql_opt -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;' + mysql ${mysql_opt} -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;' - [ -n "$log_file" ] && echo "$error" >>"$log_file" + printf 'Skipping: %s\n' "$error" + [ -n "$log_file" ] && printf '%s Skipping: %s\n' "$(date --iso-8601=seconds)" "$error" >>"$log_file" } while true; do - slave_status="$(mysql $mysql_opt -e 'SHOW SLAVE STATUS\G')" - seconds_behind_master=$(echo "$slave_status" |grep 'Seconds_Behind_Master: ' |awk -F ' ' '{print $2}') - last_SQL_error="$(echo "$slave_status" |grep 'Last_SQL_Error: ' |sed 's/^.\+Last_SQL_Error: //')" + slave_status="$(mysql ${mysql_opt} -e 'SHOW SLAVE STATUS\G')" + seconds_behind_master=$(echo "${slave_status}" |grep 'Seconds_Behind_Master: ' |awk -F ' ' '{print $2}') + last_SQL_error="$(echo "${slave_status}" |grep 'Last_SQL_Error: ' |sed 's/^.\+Last_SQL_Error: //')" - if [ "$seconds_behind_master" = "0" ]; then + if [ "${seconds_behind_master}" = "0" ]; then #printf 'Replication is up to date!\n' - if [ "$exit_when_uptodate" = "true" ]; then + if [ "${exit_when_uptodate}" = "true" ]; then exit 0 fi elif [ -z "$last_SQL_error" ]; then - sleep $sleep_interval + sleep ${sleep_interval} elif echo "$last_SQL_error" |grep -q -f $error_messages; then - mysql_skip_error "$last_SQL_error" + mysql_skip_error "${last_SQL_error}" fi sleep 1 diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index 174fc56a..3d8c494d 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -10,7 +10,7 @@ owner: root group: root mode: "0644" - force: yes + force: true tags: - mysql diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index dcf4e9e7..57346fb5 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -10,7 +10,8 @@ owner: root group: root mode: "0644" - force: yes + force: true + notify: "{{ mysql_restart_handler_name }}" tags: - mysql @@ -22,6 +23,7 @@ group: root mode: "0644" force: "{{ mysql_force_custom_config }}" + notify: "{{ mysql_restart_handler_name }}" tags: - mysql @@ -34,7 +36,7 @@ ansible.builtin.template: src: mariadb.systemd.j2 dest: /etc/systemd/system/mariadb.service.d/evolinux.conf - force: yes + force: true register: mariadb_systemd_override - name: reload systemd and restart MariaDB diff --git a/mysql/tasks/munin.yml b/mysql/tasks/munin.yml index 9b4e9617..dfe959c1 100644 --- a/mysql/tasks/munin.yml +++ b/mysql/tasks/munin.yml @@ -66,6 +66,15 @@ - replication notify: restart munin-node + - name: Install custom plugin for binlog retention tracking + ansible.builtin.copy: + src: mysql_binlog_days + dest: /etc/munin/plugins/mysql_binlog_days + owner: root + group: root + mode: "0755" + notify: restart munin-node + - name: verify Munin configuration for mysql < Debian 11 ansible.builtin.replace: dest: /etc/munin/plugin-conf.d/munin-node diff --git a/mysql/tasks/mysql_skip.yml b/mysql/tasks/mysql_skip.yml index 2455641a..e98567a7 100644 --- a/mysql/tasks/mysql_skip.yml +++ b/mysql/tasks/mysql_skip.yml @@ -7,7 +7,7 @@ owner: root group: root mode: "0700" - force: yes + force: true tags: - mysql_skip @@ -45,7 +45,7 @@ ansible.builtin.template: src: mysql_skip.systemd.j2 dest: /etc/systemd/system/mysql_skip.service - force: yes + force: true - name: "Start or stop systemd unit" ansible.builtin.systemd: diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index f8005ee2..9d81514a 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -76,7 +76,7 @@ src: mytop.j2 dest: /root/.mytop mode: "0600" - force: yes + force: true tags: - mytop - mysql @@ -87,7 +87,7 @@ src: mytop.bullseye.j2 dest: /root/.mytop mode: "0600" - force: yes + force: true tags: - mytop - mysql @@ -220,7 +220,7 @@ src: save_mysql_processlist.sh dest: "{{ _mysql_scripts_dir }}/save_mysql_processlist.sh" mode: "0755" - force: no + force: false tags: - mysql @@ -229,7 +229,7 @@ src: mysql_connections.sh dest: "{{ _mysql_scripts_dir }}/mysql_connections" mode: "0755" - force: no + force: false tags: - mysql @@ -238,7 +238,7 @@ src: mysql-queries-killer.sh dest: "{{ _mysql_scripts_dir }}/mysql-queries-killer.sh" mode: "0755" - force: no + force: false tags: - mysql @@ -247,6 +247,6 @@ src: evomariabackup.sh dest: "{{ _mysql_scripts_dir }}/evomariabackup" mode: "0755" - force: no + force: false tags: - mysql \ No newline at end of file diff --git a/nagios-nrpe/defaults/main.yml b/nagios-nrpe/defaults/main.yml index ba519361..28b85d99 100644 --- a/nagios-nrpe/defaults/main.yml +++ b/nagios-nrpe/defaults/main.yml @@ -6,6 +6,7 @@ nagios_nrpe_pgsql_passwd: PGSQL_PASSWD nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}" nagios_nrpe_default_ntp_server: "pool.ntp.org" nagios_nrpe_ntp_server: Null +nagios_nrpe_process_processes: [ cron rsyslogd ntpd munin-node ] nagios_nrpe_force_update_allowed_hosts: False diff --git a/nagios-nrpe/files/check-local b/nagios-nrpe/files/check-local new file mode 100755 index 00000000..5d38d7a5 --- /dev/null +++ b/nagios-nrpe/files/check-local @@ -0,0 +1,36 @@ +#!/usr/bin/env bash + +CHECK_BIN=/usr/lib/nagios/plugins/check_nrpe + +server_address="127.0.0.1" + +if ! test -f "${CHECK_BIN}"; then + echo "${CHECK_BIN} is missing, please install nagios-nrpe-plugin package." + exit 1 +fi + +for file in /etc/nagios/{nrpe.cfg,nrpe_local.cfg,nrpe.d/evolix.cfg}; do + if [ -r ${file} ]; then + command_search=$(grep "\[check_$1\]" "${file}" | grep -v '^[[:blank:]]*#' | tail -n1 | cut -d'=' -f2-) + fi + if [ -n "${command_search}" ]; then + command="${command_search}" + fi + + if [ -r ${file} ]; then + server_address_search=$(grep "server_address" "${file}" | grep -v '^[[:blank:]]*#' | cut -d'=' -f2) + fi + if [ -n "${server_address_search}" ]; then + server_address="${server_address_search}" + fi +done + +if [ -n "${command}" ]; then + echo "Found command in /etc/nagios (take care, in some cases, Nagios can play another command):" + echo " ${command}" +fi + +echo "NRPE daemon output:" +"${CHECK_BIN}" -H "${server_address}" -c "check_$1" + + diff --git a/nagios-nrpe/files/check-local_completion b/nagios-nrpe/files/check-local_completion new file mode 100644 index 00000000..ea3ed64b --- /dev/null +++ b/nagios-nrpe/files/check-local_completion @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +_check_local_dynamic_completion() { + local cur; + cur=${COMP_WORDS[COMP_CWORD]}; + COMPREPLY=(); + COMPREPLY=( $( compgen -W '$(grep "\[check_" -Rs /etc/nagios/ | grep -vE "^[[:blank:]]*#" | awk -F"[\\\[\\\]=]" "{print \$2}" | sed "s/check_//" | sort | uniq)' -- $cur ) ); +} + +complete -F _check_local_dynamic_completion check-local + + diff --git a/nagios-nrpe/files/plugins/check_elasticsearch_shards b/nagios-nrpe/files/plugins/check_elasticsearch_shards new file mode 100755 index 00000000..53bae890 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_elasticsearch_shards @@ -0,0 +1,97 @@ +#!/bin/bash + +usage() { +cat << EOL + Usage : + + $0 --crendentials CREDENTIALS --nodeid NODE_ID + + -c|--crendentials CREDENTIALS # : + -n|--nodeid NODE_ID # the to check +EOL +} + + +return=0 +nb_shards=0 +nb_shards_max=0 +nb_shards_avail=0 +nb_shards_warn=0 +nb_shards_crit=0 +output="" + +# If no argument then show usage +if [ "$#" -eq 0 ]; then + usage + exit 2 +fi + +while :; do + case $1 in + -h|-\?|--help) # Call a "usage" function to display a synopsis, then exit. + usage + exit + ;; + -c|--crendentials) # Takes an option argument, ensuring it has been specified. + if [ -n "$2" ]; then + CREDENTIALS="$2" + shift + else + printf 'ERROR: "--crendentials" requires a non-empty option argument.\n' >&2 + exit 2 + fi + ;; + -n|--nodeid) # Takes an option argument, ensuring it has been specified. + if [ -n "$2" ]; then + NODE_ID="$2" + shift + else + printf 'ERROR: "--nodeid" requires a non-empty option argument.\n' >&2 + exit 2 + fi + ;; + -?*) + printf 'WARNING: Unknown option (ignored): %s\n' "$1" >&2 + ;; + *) # Default case: If no more options then break out of the loop. + break + esac + shift +done + +if [ ! -e "/usr/bin/jq" ]; then + printf "UNKNWON - jq is not installed" + exit 3 +fi + +nb_shards=$(curl -s -k -u ${CREDENTIALS} https://127.0.0.1:9200/_cat/allocation/${NODE_ID}?h=shards) +nb_shards_max=$(curl -s -k -u ${CREDENTIALS} https://127.0.0.1:9200/_cluster/settings?flat_settings | jq -r ".persistent[]" ) + +nb_shards_avail=$(( $nb_shards_max - $nb_shards )) + +if [ "$nb_shards_max" -ge "1000" ]; then + nb_shards_warn=$(( $nb_shards_max / 100 )) +elif [ $nb_shards_max -ge 100 ]; then + nb_shards_warn=$(( $nb_shards_max / 10 )) +else + nb_shards_warn=10 +fi + +nb_shards_crit=$(( $nb_shards_warn / 4 )) + +# debug… +# printf '%d out of %d, avail: %d, warn: %d, crit: %d' $nb_shards $nb_shards_max $nb_shards_avail $nb_shards_warn $nb_shards_crit + +if [ "${nb_shards_avail}" -le "${nb_shards_crit}" ]; then + printf "CRITICAL - %d USED / %d MAX" "${nb_shards}" "${nb_shards_max}" + exit 2 +elif [ "${nb_shards_avail}" -le "${nb_shards_warn}" ]; then + printf "WARNING - %d USED / %d MAX" "${nb_shards}" "${nb_shards_max}" + exit 1 +elif [ "${nb_shards_avail}" -ge "${nb_shards_warn}" ]; then + printf "OK - %d USED / %d MAX" "${nb_shards}" "${nb_shards_max}" + exit 0 +else + printf "UNKNWON - %d USED / %d MAX" "${nb_shards}" "${nb_shards_max}" + exit 3 +fi diff --git a/nagios-nrpe/files/plugins/check_gluster.rb b/nagios-nrpe/files/plugins/check_gluster.rb new file mode 100755 index 00000000..35cb44ef --- /dev/null +++ b/nagios-nrpe/files/plugins/check_gluster.rb @@ -0,0 +1,370 @@ +#!/usr/bin/env ruby + +# We use old ruby 1.8.7 +# rubocop:disable Style/HashSyntax + +# We match all exceptions except SystemExit to redefine exit status for nagios +# rubocop:disable Lint/RescueException + +# Other disables +# rubocop:disable Metrics/AbcSize, Metrics/LineLength, Metrics/MethodLength, Metrics/ClassLength + +# Nagios exit codes +module NagiosStatus + OK = 0 + WARNING = 1 + CRITICAL = 2 +end + +# Top level module +module CheckGluster + require 'optparse' + + PARAMS = { + # gluster command + :gluster_command => '/usr/sbin/gluster', + :glusterd_pid_path => '/var/run/glusterd.pid', + # Daemons to check with gluster volume status + :check_running_daemons => { + 'bitrot' => ['Bitrot Daemon', 'Scrubber Daemon'], + 'heal' => ['Self-heal Daemon'], + 'nfs' => ['NFS Server'] + }, + # Parameters to re-run failed command + :rerun => { :times => 10, :delay => 0.5 }, + # persistent state file + :state_file => '/var/run/check_gluster_state.yaml', + :state_ttl => 1200, + :self_name => '127.0.0.1' + }.freeze + + # Parse command line options + class OptionsParser + attr_reader :checks, :state_file, :state_ttl, :self_name + + def initialize + @checks = PARAMS[:check_running_daemons].keys + @state_file = PARAMS[:state_file] + @state_ttl = PARAMS[:state_ttl] + @self_name = PARAMS[:self_name] + end + + def parse! + option_parser = OptionParser.new + + option_parser.on( + '-c', + '--checks ' + @checks.join(','), + Array, + 'Checks to run. Default is ' + @checks.join(',') + ) do |list| + list.each do |check| + raise OptionParser::InvalidOption, check.to_s unless @checks.include? check + end + @checks = list + end + + option_parser.on( + '-s', + '--state-file /path/to/file', + String, + 'State storage file. Default is ' + @state_file + ) do |x| + @state_file = x.to_s + end + + option_parser.on( + '-n', + '--self-name address', + String, + 'IP of self as far as glusterd know. Default is ' + @self_name + ) do |x| + @self_name = x.to_s + end + + option_parser.on( + '-t', + '--ttl seconds', + Integer, + 'State storage TTL. Default is ' + @state_ttl.to_s + ) do |x| + @state_ttl = x.to_i + end + + begin + option_parser.parse! + @checks + rescue OptionParser::InvalidOption, OptionParser::MissingArgument, OptionParser::InvalidArgument => ex + puts "Error: #{ex.message}" + puts option_parser.help + exit(NagiosStatus::CRITICAL) + end + end + end + + # Actual check class + class Check + begin + require 'open3' + require 'rubygems' + $VERBOSE = nil + require 'crack' + $VERBOSE = true + require 'socket' + require 'yaml' + rescue Exception => ex + puts ex.message + exit(NagiosStatus::CRITICAL) + end + + def initialize(*var) + var = var.shift + @state_file = var.nil? && var[:state_file].nil? ? PARAMS[:state_file] : var[:state_file] + @state_ttl = var.nil? && var[:state_ttl].nil? ? PARAMS[:state_ttl] : var[:state_ttl] + end + + def check_glusterd + pid = File.open(PARAMS[:glusterd_pid_path], &:readline).to_i + Process.kill('CHLD', pid) + rescue Errno::ESRCH + raise 'Glusterd is not running' + end + + def get_services_from_checks(checks) + services = [] + checks.each do |check| + PARAMS[:check_running_daemons][check].each do |service| + services.concat(any_to_array(service)) + end + end + services + end + + def gluster(command, xml = true) + data = { 'stdout' => '', 'error' => '', 'status' => 1 } + command = '--xml ' + command if xml + Open3.popen3(PARAMS[:gluster_command] + ' ' + command) do |stdin, stdout, stderr, wait_thr| + stdin.close + data['stdout'] = stdout.read + data['sterr'] = stderr.read + data['status'] = wait_thr.value + end + raise data['status'].to_s + ' : ' + data['stdout'] unless data['status'].success? + return data['stdout'] unless xml + data = Crack::XML.parse(data['stdout']) + if data['cliOutput']['opRet'].to_i != 0 || data['cliOutput']['opErrno'].to_i != 0 + raise "Error on #{command} : #{data['cliOutput']['opErrstr']}" + end + data['cliOutput'] + end + + def peer_status + peers = gluster('peer status')['peerStatus']['peer'] + peers = any_to_array(peers) + peers.each do |peer| + raise "#{peer['hostname']} is disconnected" unless peer['connected'].to_i == 1 + raise "#{peer['hostname']} has wrong state #{peer['state']}" unless peer['state'].to_i == 3 + end + end + + def pool_list + peers = gluster('pool list')['peerStatus']['peer'] + peers = any_to_array(peers) + peers.each do |peer| + raise "#{peer['hostname']} is disconnected" unless peer['connected'].to_i == 1 + raise "#{peer['hostname']} has wrong state #{peer['state']}" if peer['hostname'] != 'localhost' && peer['state'].to_i != 3 + end + end + + def volume_list + volumes = gluster('volume list')['volList']['volume'] + any_to_array(volumes) + end + + def volume_info(volume) + volume = gluster("volume info #{volume}")['volInfo']['volumes']['volume'] + raise "volume #{volume['name']} is stopped" unless volume['status'].to_i == 1 + # volume info is not well formated XML + volume['bricks']['brick'].map { |s| s.gsub(/.*/, '').split(':') } + end + + def volume_status(volume, bricks, checks, self_name) + nodes = gluster("volume status #{volume}")['volStatus']['volumes']['volume']['node'] + nodes = any_to_array(nodes) + # Check that all bricks are running + bricks.each do |brick| + raise "volume #{brick[0]}:#{brick[1]} is not running" unless check_running(nodes, brick[0], brick[1]) + # Check that processes are running + get_services_from_checks(checks).each do |daemon| + brick_to_check = brick[0] + if brick[0] == self_name + brick_to_check = 'localhost' + end + raise "Daemon #{brick[0]}:\"#{daemon}\" is not started" unless check_running(nodes, daemon, brick_to_check) + end + end + end + + def check_running(nodes, hostname, path) + nodes.each do |node| + return true if node['hostname'] == hostname && node['path'] == path && node['status'].to_i == 1 + end + false + end + + def volume_heal_info(volume) + info = gluster("volume heal #{volume} info", false).split("\n") + info = parse_heal(info) + if @state_ttl > 0 + info = merge_heal(load_state(@state_file), info) + store_state(@state_file, info) + end + split_entries = [] + time = Time.now.to_i + info.each do |brick, data| + raise "Brick #{brick} is disconnected" unless data['status'] + data['content'].each do |line, saved_time| + if @state_ttl == 0 + split_entries.push(brick + line) + elsif time - saved_time >= @state_ttl + split_entries.push(brick + line + '=' + (time - saved_time).to_s + 's') + end + end + end + raise 'Files are split-brained : ' + split_entries.join(' ') unless split_entries.empty? + end + + def parse_heal(info) + bricks = {} + brick = '' + time = Time.now.to_i + info.each do |line| + if line =~ /^Brick / + brick = line.gsub(/^Brick /, '') + bricks[brick] = { 'content' => {} } + elsif line =~ /^Status: Connected/ + bricks[brick]['status'] = true + elsif line =~ /^Status.*/ + bricks[brick]['status'] = false + elsif line =~ /^Number of entries: / + bricks[brick]['entries'] = line.gsub(/^Number of entries: /, '').to_i + else + line.gsub!(/\s+$/, '') + bricks[brick]['content'][line] = time if line != '' + end + end + bricks + end + + def merge_heal(old, new) + old.each do |brick, data| + data['content'].each do |line, time| + new[brick]['content'][line] = time if new.key?(brick) && new[brick]['content'].key?(line) + end + end + new + end + + def store_state(file, data) + fh = File.open(file, File::WRONLY | File::CREAT | File::TRUNC, 0600) + fh.flock(File::LOCK_EX) + fh.write(data.to_yaml) + fh.close + end + + def load_state(file) + return {} unless File.exist?(file) + fh = File.open(file, File::RDONLY) + fh.flock(File::LOCK_EX) + data = fh.read + fh.close + begin + data = YAML.load(data) + raise LoadError if data.class.to_s != 'Hash' + rescue Psych::SyntaxError, LoadError + raise 'file ' + file.to_s + ' has incorrect format' + end + data + end + + # rubocop:disable Metrics/CyclomaticComplexity + def volume_bitrot_scrub_status(volume) + info = [] + i = 0 + # Try to run bitrot scrub status not more than 10 times + while info.empty? + i += 1 + begin + info = gluster("volume bitrot #{volume} scrub status", false).split("\n") + rescue ArgumentError => ex + raise ex if ex.message != 'invalid byte sequence in UTF-8' || i > PARAMS[:rerun][:times] + sleep PARAMS[:rerun][:delay] + end + end + status = parse_bitrot_status(info) + raise 'BitRot is not enabled' unless status['state'] + status['nodes'].each do |node, _v| + raise "BitRot error on #{node}" unless status['nodes'][node]['errors'] == 0 + end + end + # rubocop:enable Metrics/CyclomaticComplexity + + def parse_bitrot_status(info) + info.map! { |s| s.gsub(/localhost/, Socket.gethostname) } + status = { 'state' => false, 'nodes' => {} } + node = '' + info.each do |line| + if line =~ /^State of scrub: Active/ + status['state'] = true + elsif line =~ /^Node: / + node = line.gsub(/^Node: /, '') + status['nodes'][node] = {} + elsif line =~ /^Error count: / + status['nodes'][node]['errors'] = line.gsub(/^Error count: /, '').to_i + end + end + status + end + + def any_to_array(any) + return [any] if any.class.to_s != 'Array' + any + end + + private :get_services_from_checks, :gluster, :any_to_array + private :check_running, :parse_heal, :parse_bitrot_status + private :merge_heal, :store_state, :load_state + end +end + +begin + # Parse parameters + option_parser = CheckGluster::OptionsParser.new + option_parser.parse! + checks = option_parser.checks + self_name = option_parser.self_name + + # Run gluster checks + gluster_check = CheckGluster::Check.new(:state_file => option_parser.state_file, :state_ttl => option_parser.state_ttl) + gluster_check.check_glusterd + gluster_check.peer_status + gluster_check.pool_list + gluster_check.volume_list.each do |volume| + bricks = gluster_check.volume_info(volume) + gluster_check.volume_status(volume, bricks, checks, self_name) + gluster_check.volume_heal_info(volume) if checks.include? 'heal' + gluster_check.volume_bitrot_scrub_status(volume) if checks.include? 'bitrot' + end + + puts 'OK: Gluster cluster is healthy' + exit(NagiosStatus::OK) +# Normal exit +rescue SystemExit => ex + raise ex +# Anything else goes to nagios error with critial status +rescue Exception => ex + puts "Error: #{ex.message}" + exit(NagiosStatus::CRITICAL) +end + +# rubocop:enable all diff --git a/nagios-nrpe/files/plugins/check_process b/nagios-nrpe/files/plugins/check_process index 46ef34dd..59e7f6cb 100755 --- a/nagios-nrpe/files/plugins/check_process +++ b/nagios-nrpe/files/plugins/check_process @@ -1,7 +1,13 @@ #!/bin/bash rc=0 -for proc in cron rsyslogd ntpd munin-node; do +if [ $# -gt 0 ]; then + procs=$@ +else + # We keep this old list to be retro compatible + procs="cron rsyslogd ntpd munin-node" +fi +for proc in $procs ; do sudo /usr/lib/nagios//plugins/check_procs -C $proc -c 1: rc=$(($rc|$?)) done diff --git a/nagios-nrpe/files/plugins/check_redis_instances b/nagios-nrpe/files/plugins/check_redis_instances index 5923eef7..32580486 100755 --- a/nagios-nrpe/files/plugins/check_redis_instances +++ b/nagios-nrpe/files/plugins/check_redis_instances @@ -30,11 +30,21 @@ check_server() { host=$(config_var "bind" "${conf_file}") port=$(config_var "port" "${conf_file}") pass=$(config_var "requirepass" "${conf_file}") + maxmemory=$(config_var "maxmemory" "${conf_file}") + maxmemory_policy=$(config_var "maxmemory-policy" "${conf_file}") cmd="${check_bin} -H ${host} -p ${port}" + # If "requirepass" is set we add the password to the check if [ -n "${pass}" ]; then cmd="${cmd} -x ${pass}" fi + # If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction" + # then we enforce the "maxmemory" limit + if [ -n "${maxmemory}" ]; then + if [ -z "${maxmemory_policy}" ] || [ "${maxmemory_policy}" = "noeviction" ]; then + cmd="${cmd} --total_memory ${maxmemory} --memory_utilization 80,90" + fi + fi result=$($cmd) ret="${?}" if [ "${ret}" -ge 2 ]; then @@ -54,7 +64,7 @@ check_server() { config_var() { variable=$1 file=$2 - test -f $file && grep -E "^${variable}\s+.+$" $file | awk '{ print $2 }' + test -f "${file}" && grep -E "^${variable}\s+.+$" "${file}" | awk '{ print $2 }' | sed -e "s/^[\"']//" -e "s/[\"']$//" } # default instance @@ -63,11 +73,11 @@ if systemctl is-enabled -q redis-server; then fi # additional instances -conf_files=$(ls -1 /etc/redis-*/redis.conf) +conf_files=$(ls -1 /etc/redis-*/redis.conf 2> /dev/null) for conf_file in ${conf_files}; do - name=$(dirname ${conf_file} | sed '{s|/etc/redis-||}') + name=$(dirname "${conf_file}" | sed '{s|/etc/redis-||}') if systemctl is-enabled -q "redis-server@${name}.service"; then - check_server $name $conf_file + check_server "${name}" "${conf_file}" else nb_unchk=$((nb_unchk + 1)) output="${output}UNCHK - ${name} (unit is disabled or missing)\n" diff --git a/nagios-nrpe/files/plugins/check_ssl_local b/nagios-nrpe/files/plugins/check_ssl_local index 860ed676..76b54748 100755 --- a/nagios-nrpe/files/plugins/check_ssl_local +++ b/nagios-nrpe/files/plugins/check_ssl_local @@ -16,54 +16,54 @@ critical=0 warning=0 -if [[ ! -f "$certs_list_path" ]]; then - touch "$certs_list_path" +if [[ ! -f "${certs_list_path}" ]]; then + touch "${certs_list_path}" fi -certs_list=$(cat "$certs_list_path" | sed -E 's/(.*)#.*/\1/g' | grep -v -E '^$') +certs_list=$(sed -E 's/(.*)#.*/\1/g' "${certs_list_path}" | grep -v -E '^$') -for cert_path in $certs_list; do - - if [ ! -f "$cert_path" ] && [ ! -d "$cert_path" ]; then - >&2 echo "Warning: path '$cert_path' is not a file or a directory." +for cert_path in ${certs_list}; do + + if [ ! -f "$cert_path" ] && [ ! -d "${cert_path}" ]; then + echo "Warning: path '${cert_path}' is not a file or a directory." warning=1 continue fi - enddate=$(openssl x509 -noout -enddate -in "$cert_path" | cut -d'=' -f2) - + enddate=$(openssl x509 -noout -enddate -in "${cert_path}" | cut -d'=' -f2) + # Check cert expiré (critique) - if ! openssl x509 -checkend 0 -in "$cert_path" &> /dev/null; then + if ! openssl x509 -checkend 0 -in "${cert_path}" &> /dev/null; then critical=1 - >&2 echo "Critical: Cert '$cert_path' has expired on $enddate." + echo "Critical: Cert '${cert_path}' has expired on ${enddate}." continue fi # Check cert expire < 10 jours (critique) - if ! openssl x509 -checkend "$_10_days" -in "$cert_path" &> /dev/null; then + if ! openssl x509 -checkend "${_10_days}" -in "${cert_path}" &> /dev/null; then critical=1 - >&2 echo "Critical: Cert '$cert_path' will expire on $enddate." + echo "Critical: Cert '${cert_path}' will expire on ${enddate}." continue fi # Check cert expire < 15 jours (warning) - if ! openssl x509 -checkend "$_15_days" -in "$cert_path" &> /dev/null; then + if ! openssl x509 -checkend "${_15_days}" -in "${cert_path}" &> /dev/null; then warning=1 - >&2 echo "Warning: Cert '$cert_path' will expire on $enddate." + echo "Warning: Cert '${cert_path}' will expire on ${enddate}." continue fi # Cert expire > 15 jours (OK) - echo "Cert '$cert_path' OK." + echo "Cert '${cert_path}' OK." done -if [ $critical -eq 1 ]; then +if [ "${critical}" -eq 1 ]; then exit 2 -elif [ $warning -eq 1 ]; then +elif [ "${warning}" -eq 1 ]; then exit 1 else exit 0 fi - + diff --git a/nagios-nrpe/tasks/check-local.yml b/nagios-nrpe/tasks/check-local.yml new file mode 100644 index 00000000..d28d9113 --- /dev/null +++ b/nagios-nrpe/tasks/check-local.yml @@ -0,0 +1,28 @@ +--- +# Install check-local utilitary + +- name: Package nagios-nrpe-plugin is intalled + ansible.builtin.apt: + name: nagios-nrpe-plugin + +- name: "Remount /usr if needed" + ansible.builtin.include_role: + name: remount-usr + +- name: Utilitary check-local is installed + ansible.builtin.copy: + src: check-local + dest: /usr/local/bin/check-local + mode: "0755" + +- name: Package bash-completion is intalled + ansible.builtin.apt: + name: bash-completion + +- name: Completion for utilitary check-local is installed + ansible.builtin.copy: + src: check-local_completion + dest: /etc/bash_completion.d/check-local + mode: "0755" + + diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index c05cf85a..5d4c01aa 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -17,6 +17,7 @@ ansible.builtin.apt: name: - libfcgi-client-perl + - ruby-crack state: present when: - ansible_distribution == "Debian" @@ -30,7 +31,7 @@ dest: /etc/nagios/nrpe.d/evolix.cfg group: nagios mode: "0640" - force: no + force: false notify: restart nagios-nrpe-server tags: - nagios-nrpe @@ -84,4 +85,6 @@ tags: - nagios-nrpe -- ansible.builtin.include_tasks: wrapper.yml \ No newline at end of file +- ansible.builtin.include_tasks: wrapper.yml + +- ansible.builtin.include_tasks: check-local.yml diff --git a/nagios-nrpe/tasks/wrapper.yml b/nagios-nrpe/tasks/wrapper.yml index add493fd..4eb98350 100644 --- a/nagios-nrpe/tasks/wrapper.yml +++ b/nagios-nrpe/tasks/wrapper.yml @@ -24,7 +24,7 @@ owner: root group: root mode: "0750" - force: yes + force: true - name: "symlink for backward compatibility" ansible.builtin.file: @@ -40,4 +40,4 @@ owner: root group: staff mode: "0755" - force: yes \ No newline at end of file + force: true \ No newline at end of file diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 263fde10..a7bcab7d 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -66,7 +66,7 @@ command[check_amavis]={{ nagios_plugins_directory }}/check_amavis --server 127.0 command[check_spamd]={{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1 command[check_nfsclient]=sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient command[check_evobackup]={{ nagios_plugins_directory }}/check_evobackup -command[check_process]={{ nagios_plugins_directory }}/check_process +command[check_process]={{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_process_processes | join(' ') }} command[check_drbd]={{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0 @@ -83,6 +83,7 @@ command[check_php-fpm73]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php74/rootfs/etc/php/7.4/fpm/pool.d/ command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ +command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor command[check_raid_status]=/usr/lib/nagios/plugins/check_raid command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool diff --git a/nagios-nrpe/templates/evolix_bsd.cfg.j2 b/nagios-nrpe/templates/evolix_bsd.cfg.j2 index 436bf125..cdeb53a1 100644 --- a/nagios-nrpe/templates/evolix_bsd.cfg.j2 +++ b/nagios-nrpe/templates/evolix_bsd.cfg.j2 @@ -7,7 +7,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10 -command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20 +command[check_load]=/usr/local/libexec/nagios/check_load --percpu -w 0.7,0.6,0.5 -c 0.9,0.8,0.7 command[check_disk1]=/usr/local/libexec/nagios/check_disk -x /lib/init/rw -x /dev -x /dev/shm -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home command[check_zombie_procs]=/usr/local/libexec/nagios/check_procs -w 5 -c 10 -s Z command[check_total_procs]=/usr/local/libexec/nagios/check_procs -w 150 -c 200 diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index 22473df1..3314c1c8 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -1,10 +1,18 @@ --- +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Add NewRelic GPG key ansible.builtin.copy: src: newrelic.asc dest: "{{ apt_keyring_dir }}/newrelic.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -28,4 +36,4 @@ - name: Update APT cache ansible.builtin.apt: update_cache: yes - when: newrelic_sources is changed \ No newline at end of file + when: newrelic_sources is changed diff --git a/nginx/tasks/logrotate.yml b/nginx/tasks/logrotate.yml index d475e419..9081ef41 100644 --- a/nginx/tasks/logrotate.yml +++ b/nginx/tasks/logrotate.yml @@ -4,7 +4,7 @@ ansible.builtin.copy: src: logrotate_nginx dest: /etc/logrotate.d/nginx - force: no + force: false tags: - nginx - logrotate diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index aec36bec..1284a6a1 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -40,7 +40,7 @@ src: nginx/evolinux-defaults.conf dest: /etc/nginx/conf.d/z-evolinux-defaults.conf mode: "0640" - # force: yes + # force: true notify: reload nginx tags: - nginx @@ -57,7 +57,7 @@ group: www-data directory_mode: "0640" mode: "0640" - force: no + force: false notify: reload nginx tags: - nginx @@ -74,7 +74,7 @@ group: www-data directory_mode: "0640" mode: "0640" - force: no + force: false notify: reload nginx tags: - nginx @@ -88,7 +88,7 @@ group: www-data directory_mode: "0640" mode: "0640" - force: no + force: false notify: reload nginx tags: - nginx @@ -128,7 +128,7 @@ src: /etc/nginx/sites-available/evolinux-default.conf dest: /etc/nginx/sites-enabled/default state: link - force: yes + force: true notify: reload nginx when: nginx_evolinux_default_enabled | bool tags: diff --git a/nginx/tasks/packages_backports.yml b/nginx/tasks/packages_backports.yml index aac2304d..88402bb9 100644 --- a/nginx/tasks/packages_backports.yml +++ b/nginx/tasks/packages_backports.yml @@ -12,7 +12,7 @@ ansible.builtin.template: src: apt/nginx_preferences dest: /etc/apt/preferences.d/999-nginx - force: yes + force: true mode: "0640" register: nginx_apt_preferences tags: diff --git a/nginx/tasks/server_status_read.yml b/nginx/tasks/server_status_read.yml index e97d898a..d6cecbe3 100644 --- a/nginx/tasks/server_status_read.yml +++ b/nginx/tasks/server_status_read.yml @@ -13,7 +13,7 @@ dest: "{{ nginx_serverstatus_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ nginx_serverstatus_suffix }}\u000A" - force: yes + force: true when: nginx_serverstatus_suffix | length > 0 - name: generate random string for server-status suffix diff --git a/nginx/templates/evolinux-default.conf.j2 b/nginx/templates/evolinux-default.conf.j2 index a0ed95c3..97645827 100644 --- a/nginx/templates/evolinux-default.conf.j2 +++ b/nginx/templates/evolinux-default.conf.j2 @@ -1,12 +1,12 @@ server { - listen [::]:80; - listen 80; + listen [::]:80 default_server; + listen 80 default_server; server_name {{ ansible_fqdn }}; return 301 https://{{ ansible_fqdn }}$request_uri; } server { - listen 443 ssl; + listen 443 ssl default_server; # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 ssl_certificate /etc/ssl/certs/{{ ansible_fqdn }}.crt; diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index 645f8f90..4cf34988 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -1,5 +1,13 @@ --- +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Yarn GPG key is installed ansible.builtin.copy: src: yarn.asc diff --git a/opendkim/files/opendkim.conf b/opendkim/files/opendkim-evolix.conf similarity index 100% rename from opendkim/files/opendkim.conf rename to opendkim/files/opendkim-evolix.conf diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index 1c7a416a..02a7aaec 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml @@ -7,6 +7,7 @@ - ssl-cert - dns-root-data state: present + update_cache: yes tags: - opendkim @@ -45,12 +46,22 @@ tags: - opendkim +- name: Add Include in opendkim.conf + ansible.builtin.lineinfile: + dest: /etc/opendkim.conf + line: 'Include /etc/opendkim-evolix.conf' + state: present + create: no + mode: "0644" + tags: + - opendkim + - name: copy OpenDKIM config ansible.builtin.copy: - src: opendkim.conf - dest: /etc/opendkim.conf + src: opendkim-evolix.conf + dest: /etc/opendkim-evolix.conf mode: "0644" - force: yes + force: true notify: restart opendkim tags: - opendkim @@ -62,7 +73,7 @@ owner: opendkim group: opendkim mode: "0750" - force: yes + force: true tags: - opendkim diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml index 9810a472..173299b4 100644 --- a/openvpn/tasks/debian.yml +++ b/openvpn/tasks/debian.yml @@ -154,7 +154,7 @@ ansible.builtin.copy: src: logrotate_openvpn dest: /etc/logrotate.d/openvpn - force: no + force: false - name: Generate a password for the management interface ansible.builtin.set_fact: diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 434e75d0..b7e05f71 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml @@ -43,7 +43,7 @@ owner: root group: root mode: "0644" - force: no + force: false - name: Copy Apache settings for modules ansible.builtin.template: @@ -52,7 +52,7 @@ owner: root group: root mode: "0644" - force: no + force: false - name: Ensure Apache modules configs are enabled ansible.builtin.command: diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml index 08c94381..f6e8b309 100644 --- a/packweb-apache/tasks/awstats.yml +++ b/packweb-apache/tasks/awstats.yml @@ -31,7 +31,7 @@ Require all granted - force: no + force: false mode: "0644" - name: Enable apache awstats-icon configuration diff --git a/packweb-apache/tasks/dependencies.yml b/packweb-apache/tasks/dependencies.yml index cd0efd40..bf29b849 100644 --- a/packweb-apache/tasks/dependencies.yml +++ b/packweb-apache/tasks/dependencies.yml @@ -70,6 +70,13 @@ lxc_php_create_mysql_link: True when: "'php81' in packweb_multiphp_versions" +- ansible.builtin.include_role: + name: evolix/lxc-php + vars: + lxc_php_version: php82 + lxc_php_create_mysql_link: True + when: "'php82' in packweb_multiphp_versions" + - ansible.builtin.include_role: name: evolix/webapps/evoadmin-web vars: @@ -77,4 +84,4 @@ evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" - include_role: - name: evolix/evoacme \ No newline at end of file + name: evolix/evoacme diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index 11832300..abb1c552 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml @@ -15,7 +15,7 @@ ansible.builtin.template: src: phpmyadmin_apt_preferences.j2 dest: /etc/apt/preferences.d/999-phpmyadmin - force: yes + force: true mode: "0644" when: ansible_distribution_major_version is version('10', '=') @@ -53,7 +53,7 @@ dest: "{{ packweb_phpmyadmin_suffix_file }}" # The last character "\u000A" is a line feed (LF), it's better to keep it content: "{{ packweb_phpmyadmin_suffix }}\u000A" - force: yes + force: true when: packweb_phpmyadmin_suffix | length > 0 - name: generate random string for phpmyadmin suffix diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index 32637df7..e415ece6 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -15,11 +15,19 @@ state: absent when: _trusted_gpg_keyring.stat.exists +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Add Percona GPG key ansible.builtin.copy: src: percona.asc dest: "{{ apt_keyring_dir }}/percona.asc" - force: yes + force: true mode: "0644" owner: root group: root diff --git a/pgbouncer/README.md b/pgbouncer/README.md index 2542f497..94cdeccf 100644 --- a/pgbouncer/README.md +++ b/pgbouncer/README.md @@ -14,6 +14,7 @@ Main variables are : * `pgbouncer_listen_port`: the listen post for PgBouncer (default: `6432`), * `pgbouncer_databases`: the databases that clients of PgBouncer can connect to, * `pgbouncer_account_list`: the accounts that clients of PgBouncer can connect to. +* `pgbouncer_auth_type`: the variable `auth_type` define by default to `scram-sha-256`, if you installed PgBouncer on PostgreSQL version inferior to 14, set this variable to `md5`. The variable `pgbouncer_databases` must have the `name`, `host` and `port` attributes. The variable can be defined like this: @@ -31,8 +32,26 @@ pgbouncer_account_list: - { name: "account2", hash: "" } ``` -The value of `hash` can be obtained by running this command on the PostgreSQL server: `select passwd from pg_shadow where usename='account1';` +The value of `hash` can be obtained by running this command on the PostgreSQL server: -> These accounts must exist on the PostegreSQL server. +``` +select passwd from pg_shadow where usename='account1'; +``` + +> These accounts must exist on the PostgreSQL server. + +The variables `pgbouncer_admin_users` and `pgbouncer_stats_users` list the SQL user can be access on pgbouncer console. This variables can be defines like this : + +``` +pgbouncer_admin_users: + - account1 + - account2 +``` + +``` +pgbouncer_stats_users: + - account1 + - account2 +``` The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/pgbouncer/defaults/main.yml b/pgbouncer/defaults/main.yml index 7b246270..211e6a5d 100644 --- a/pgbouncer/defaults/main.yml +++ b/pgbouncer/defaults/main.yml @@ -1,7 +1,18 @@ --- -pgbouncer_listen_addr: "127.0.0.1" +pgbouncer_listen_addr: + - "127.0.0.1" pgbouncer_listen_port: "6432" +# For PostgreSQL version < 14, use "md5" +# For PostgreSQL version >= 14, use "scram-sha-256" +pgbouncer_auth_type: "scram-sha-256" + +# Each entry must have "name", "host" and "port" keys pgbouncer_databases: [] -pgbouncer_account_list: [] +pgbouncer_admin_users: [] + +pgbouncer_stats_users: [] + +# Each entry must have "name" and "hash" keys +pgbouncer_account_list: [] \ No newline at end of file diff --git a/pgbouncer/handlers/main.yml b/pgbouncer/handlers/main.yml index f539a226..9ce44055 100644 --- a/pgbouncer/handlers/main.yml +++ b/pgbouncer/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: Restart PgBouncer +- name: restart pgbouncer ansible.builtin.systemd: name: pgbouncer.service state: restarted diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml index 1d76931f..0463899d 100644 --- a/pgbouncer/tasks/main.yml +++ b/pgbouncer/tasks/main.yml @@ -3,18 +3,22 @@ ansible.builtin.apt: name: pgbouncer state: present + - name: Limit for PgBouncer is set ansible.builtin.lineinfile: path: /etc/default/pgbouncer + regexp: "ulimit -n" line: ulimit -n 65536 - notify: Restart PgBouncer + notify: restart pgbouncer + - name: Add config file for PgBouncer ansible.builtin.template: src: pgbouncer.ini.j2 dest: /etc/pgbouncer/pgbouncer.ini - notify: Restart PgBouncer + notify: restart pgbouncer + - name: Populate userlist.txt ansible.builtin.template: src: userlist.txt.j2 dest: /etc/pgbouncer/userlist.txt - notify: Restart PgBouncer + notify: restart pgbouncer diff --git a/pgbouncer/templates/pgbouncer.ini.j2 b/pgbouncer/templates/pgbouncer.ini.j2 index 30d34ccb..b2d89e47 100644 --- a/pgbouncer/templates/pgbouncer.ini.j2 +++ b/pgbouncer/templates/pgbouncer.ini.j2 @@ -7,13 +7,16 @@ logfile = /var/log/postgresql/pgbouncer.log pidfile = /var/run/postgresql/pgbouncer.pid -listen_addr = {{ pgbouncer_listen_addr }} +listen_addr = {{ pgbouncer_listen_addr | join(',') }} listen_port = {{ pgbouncer_listen_port }} unix_socket_dir = -auth_type = scram-sha-256 +auth_type = {{ pgbouncer_auth_type }} auth_file = /etc/pgbouncer/userlist.txt +admin_users = {{ pgbouncer_admin_users | join(",") }} +stats_users = {{ pgbouncer_stats_users | join(",") }} + # La connexion au serveur redevient libre lorsque le client termine une transaction # Autres valeurs possibles : session (lorsque le client ferme la session), statement (lorsque la requête se termine) pool_mode = transaction @@ -26,4 +29,4 @@ default_pool_size = 20 # Ne pas enregistrer les connexions qui se passent bien log_connections = 0 -log_disconnections = 0 +log_disconnections = 0 \ No newline at end of file diff --git a/php/defaults/main.yml b/php/defaults/main.yml index 2e633d0f..e43f01eb 100644 --- a/php/defaults/main.yml +++ b/php/defaults/main.yml @@ -1,12 +1,13 @@ --- -php_sury_enable: False -php_fpm_enable: False -php_apache_enable: False -php_symfony_requirements: False +php_sury_enable: false +php_fpm_enable: false +php_apache_enable: false +php_symfony_requirements: false -php_modules_mysqlnd: False +php_modules_mysqlnd: false -php_fpm_remove_default_pool: False +php_fpm_remove_default_pool: false +php_fpm_override_default_pool: true apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file diff --git a/php/files/pub_evolix.asc b/php/files/pub_evolix.asc new file mode 100644 index 00000000..4a21bdfe --- /dev/null +++ b/php/files/pub_evolix.asc @@ -0,0 +1,87 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N +YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN +OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV +Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw +ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7 +7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11 +mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma +dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3 +huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm +vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk ++XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB +tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy +PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A +BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy +x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq +yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7 +D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt +c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N +q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F +btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ +ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa +C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D +jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp +5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo +JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3 +Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F +5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o +aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba +mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp +g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs +h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M +Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb +sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A +5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A +etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8 +smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ +Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX +mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F +V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT +foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7 +b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5 +FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI +7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb ++dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc +fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF +bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR +Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+ +7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/ +RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc +8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX +fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd +gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/ +YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1 +4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL +1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK +3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj +9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB +jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC +LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG +j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H +BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M +jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q +BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym +Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6 +lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH +El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV +sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp +IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz +DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM +G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0 +IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs +UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac +lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm +AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r +adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf +SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v +2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz +kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg +2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad +OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf +nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk +jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH +oA9QflpnDubMnCve +=ZCml +-----END PGP PUBLIC KEY BLOCK----- diff --git a/php/files/reg.asc b/php/files/reg.asc deleted file mode 100644 index 3fadeb07..00000000 --- a/php/files/reg.asc +++ /dev/null @@ -1,920 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: SKS 1.1.6 -Comment: Hostname: keyserver.ubuntu.com - -mQINBEoHZ5kBEAC680PjynWTcP3ZtVfWWL6zQAcD8JoC+c5MbnpFScqtBc2MdlVZu6zED+B5 -sw2SSLf1EZlfbTPc3GcWTwdiXj2GQKzjMra1MZKUnVOD/uMVkj0ZTszUQziW01O9sWPhxbMu -Qr7OD04jQ7TjtBBEJD+yf0HJsDVC7TCbpcNNtmhXByXqw7bgo0rzxeOB3hL88I7AcC7ve5iR -xwXoXJYs1hgJMPmZXJmhKb0a3pVk075yMsXnxlOqM7XBk++zodDR03Ym21GLFOu+3DLTX9aC -aU/AjXb/udtEBAHv+iVxZChzka/KkYMY+KX8A7niE/UN2PIfhWDTmLLcTyBAOuis6cUqDm2a -w0IbXh359dfBbgV4/QLoafcM841W47Menp9tb0Qz1uHYwV6jjDEmbpGgEJRGIqd143j/zGBP -xffmtPq1zn/QFVBQNltLiMyclAR1Yb4fksDkt8JGmvI+FwaHdx3dn1VU0hbdYR/5CHtsxN4V -P/juUOrjbagp5zBBXLlVIVceGoD0mNkNWPyZh8C3SHg2Y+Q7t+cz4xysQN5BUHL4DX6nEIJA -u0cZdBtr8dtkJToYlhSFaLFwZh/XmOgOndSNmeJz4ll29Xc3V2/hCQlllHXux5E79rRNRKK/ -rSydUzYir755udPWw18+6mPUzT6NDaVDDAwSOLOn99OUJt6bBQARAQABtB9HcmVnb3J5IENv -bHBhcnQgPHJlZ0Bldm9saXguY2E+iQI3BBMBCAAhBQJWEagEAhsDBQsJCAcDBRUKCQgLBRYC -AwEAAh4BAheAAAoJEESXUni4YStdYDAQAKuwOHT+wDS6vL6Xqp/59eKLaB02lTQuTDFq55K4 -dK9TNYOTmPoxvgeJigT3pHHfKQFS/wwigkOfv8VebBZAcjY03N+Joau1Vi+Er2VNR5Pt0jAf -ApwZqe+8NMAfefculZvO0g91g2lcqJoMUIaUemAqOD/CoAMMXGQSNlX4BLsI7dbvkLLjbPSa -wEODAMvuSLilI38dj7wBC30IAOQkOdkB34I/eL/sGruOxYSK7UFJfNU1aD2oQhTkYEQ5cgNK -vE325fOx7m/sZ5aAlNvtZ3jS4ym45feT9xrbG2qHTbJiVAhdtfHMXGOU6/0UHJ3+YHHdzZhu -0NCWinu18nDVeDWLmkqkZd77QtTpC/zw5s3+t8lpyqUAF+bN80ZHbB47bFphIupmWGDP2ihM -NBWBwwFZb7ry27mLyyXKVOFWrYZPrdlNheEjUP7x0GzEO0kuxYO4fyTic5lu594hxwt/LWV1 -s48SV95dXqpQIRroV8ePZoJxlD4hXh1x23AgkWgG+SS3perIGypmouOdl9CQ3yAYSCfcTKw2 -dOWOxGubseyBWw3EDlWKZLkrqbBGxfBz8XJ92iCJ27rRhtpd6XEbqhRfPR9TGTliIfaruTLp -MPrKZh74Hs7LAhHo0nkwcOoE/iYHhQpNXHMnj0hqMcwzzf6MlSrgJ/VPgQ721d5nTwrjtCBH -cmVnb3J5IENvbHBhcnQgPHJlZ0BkZWJpYW4ub3JnPohGBBARAgAGBQJMa+/FAAoJENXKmwTy -xCO8ggsAnAzhqo1IQ+3qwCWD9ifx4niyPiAFAKCo1ou0sB38EuQXnWCyp1ajblx37ohGBBAR -AgAGBQJQn+UPAAoJEHDzXiRtUx5z2B0An3U1rm/gCkoWtAcsC/IYQ2hMVaMDAJ9ddV8IywsM -vnKJ35rfg1PLT4KNFohGBBARCAAGBQJKB3HmAAoJEDIXXA3BAnoOiOgAn2tHyIuAGEY2ctJC -yM+C7hmyMNMKAJ9asA/uRkG4wiJwEP8DCnNB7Obfq4hGBBARCAAGBQJMXHEgAAoJEOFVF/Ir -CSDAnq0An2xcCMh6H6vIT9rmbxHgGbc8VfTEAKCopbM+QMAGQvOROMfqWJhiCB0fHIhGBBAR -CAAGBQJMXT8rAAoJENTl7azAFD0tTz4AmwaE8zBHaUWbUnsYwWXqxavmf8BCAKC1hL9GKk60 -yXTEW1W1QUm8jIYILIhGBBARCAAGBQJMXzSgAAoJEPmF40AK/HR2eqoAni/Hvg2M4e4vrju5 -wPT+dONsA9/vAKC1X1c4YL1XiJ0fXpT02U13r9e8AIhGBBARCAAGBQJMZ0yhAAoJEJ94+Dzo -xDRhLFYAnihJShfS/zRoG7iTNhgwqyLxGqczAJ0WIP7yfVZbP1N5oe6LwhQsZ1BdVohGBBAR -CgAGBQJMXlHCAAoJENoZYjcCOz9Pjd8AoMdNUjbpkScdndClI4EqT7tn6PI/AJ9Luiw8fIEs -iD5yM8NOkdykX1LPyYkBHAQTAQgABgUCSttnewAKCRAtDVq4fCU9UlJJCACTQKre8pA3ud/V -esa7/TmJI1S1cVWj8FlS/gatvLJndd90i50p9uGm1yA4g8iwMnGdcIWCuRfBlhjUnUJnTX4B -QdnUU6HCv9RQ/OlJ99k7vNhswtgoEGQWq1mH1opSviZ3xhMwFTiXISQ12i4TiGSiUfbXItzq -yxOf/gtjAMGrfnNB4MUYPrHL/lSMs24evYFR5DgOKDwVE3vVY2Wf2ytWKZJQNvKcm7sxIxKq -W3OlW4wzG2IMxMSTl6SHYOqIhRGS9xAj9hpIfD5XzZjl/iHmMZMcuRA1LPxQjqdZ5CeF391P -p6vEobkSyX0LyDvqcvy//VHn0l8cRuyEmgrTpdmTiQGcBBABCAAGBQJMdo7oAAoJECI64FW9 -lOFUIpkMAJ/obi1HblArRgKmxiCIMD2/nTcj/ML3tL9HfZ8bpWZ6YJIUsFRcmHCVWaOaCBMJ -omiICZbcot3v7/1p0D/AE57i0IFPZpXXu4utC8B70JjWaMJT22kVi3hvhrChxlZYNZlkXr8G -mKhGJpzEfVlg3hp26jbj3jEEGmjJlii7uuSrV1VJjyZaDfTNbgXMbUL/3sISsKODINCLlgCG -iVqa6Xc8bIo54zQ1Rx30Ijn/6ElFvBMSdZPu4wQ9hKrJGhrqY9FZ/U0xfaawEzxbmdZKDxVO -Xdd/qD3lNAi8Jg6m6qQO9/A4c/Ln80ll8St6MrfLwJ58QRWawTQcl8wSTxouC/ag85VwW1lX -FfnulWVjqRAY41gVY2SaBb78A8pwuwy+ixBWGqAyGRVjahNj/uznD3kwQh1DUwjyDe9lV0TV -5IpQy4YfXjkukwt8kVvQUL/p9w3/gmPZ2lXBuEgMT/NKZWKszgp/JZ45qDUD8hgPlK9bICRm -iQ1KjcAV3mh6dYLwJ4kBnAQTAQIABgUCUipIgwAKCRDvc+baWDa4Gqa8C/9aWvMONUnoDGjS -H6gIsnJn0pGQ4zx/SU+Bt8MG0SPbtv8Zu1twofiX7xSV8p7/RmESaQyjbzOD9mMvXwl5mF2N -q8IbDhvJmEcCCgVolhM1g1YtF8uM/Az74tNLmI8gsIiX/Er8045jMANp+UozOLvrzx9NpVBj -InDRhXt5ZF4YeMdB44cZL2OH8juSbpZAPFAi3Lm39gSMj3eUiUavT6r0Ok7AC3qMiaTvvtb1 -VU5vl/CcevaFE0DfZQ3+1iXsshnUu6ql2NvFPSn0tR1S8Ekk8NfItbAGComC4BF71MXxY9Af -RW21ROLzRR5Szm93E5DirjTC+vfxQYwEmemn9v8KWxMlmFTu08GbBhi54bBb0iuaRc9lf5E2 -dixJqLU4JVUPxjOk6tFvQHtZQRj7e5fu/lusZ++WKXnZsH0AiRekbN/j1Qh65aDi17w0ebXX -lsKc1kqryHNTq4PBrhrKbNBa+tlFDcmn3yUReIxfcZ1Bm3N6PxNiQSxx9Wf6LL/1rPuJAhwE -EAECAAYFAkxccZ8ACgkQ8aab5CnA/+7HvQ//dhkVGegUq2TyePOTWBxK7EyLVEZEBr2HXa+y -Xqg2i8Fdou5smHNEd0q8dz9oMBEWcZtRYmGKzinGcmxzArdmVyXV4fEkUab9zfL8g6dGxo+N -wqoHt9DteuJEURwakSJ7oDW+DlfzxMJ924sg5cuUtqcnZwy73a58Y5fkPaZVf+/HrkadZT3f -7fM8pb7JgJSRhgmdi3MfbUQcDgbZ604MifdEVIbXX56ex/9OuthbQ3lp6jHsvHcXPG5qt9th -RXkztoyKcArSimHcOFrLqWAQsF8u8PIYNaTKyJO8uRDYjMGcJQv6B8HqV2eiLCZtIEdcoWev -Y/oeflGDh0PbGpswAiQzoSxjvVdPgPUTqNnsl/eWvup4govByKV4y8dxgyM5a68a2N2t4ki2 -TwVu8LpCRzuiin0EvgkM4jKSFU/KPiZemdLq31D6o0dQorx+Im31XWv/H8XoI2jGbNeMVWHq -5WumzPhTfgFVajQEc94Te29vea9OV+mlgIDuTzqLD2Je5G6BDqu5EmTlO5sPDJAwM1c2ckJb -fHjtUih3Vw2B339NqF+aneOX9MH4blAlX2V5vuz0xtmEcd7Dy6wKjzmX1Tcec4VjDDgtCoH7 -vWzCeQmlWLzf1tF9keUvRn7eUktyAqozvNdE4fs6+3igdFKoI1RHNkFO45AuFe1goN+uDFOJ -AhwEEAECAAYFAkxgK4sACgkQHnWacmqf3XRTUBAAtb4DXxkzn14Qo9JME9KfZ3QA1ZfoNffR -PgxHkLX3q/KzGvbQYQc86kh6b/19aV1ahcUBrpABOkV/0k6tASrs9N6V6KBcIQbJwRETyWU6 -G/rG47h+4fWIMew5XwCzUzvqAD5GDp2XfivDQuVt1Ta2WcEAmKVYNlHYowpnEqxvLNSSbXuX -Afe+OK4XxaFr7i4zr8zS6S7NRigAdENCt2Mr4slo0ldnRn6uQ57ixfs23g8LO4/89zW+GxKG -PPUQbo9epE4hCewTAyWwrpVz9NxrodvDL6D1W7kY6caiOd5tArNKpwF/GCH/vsGPU3NsFISI -+P8GJUwtmM/47xgcteHthx2yC0HUArTV0w4+PnAaelpxzAyqd3KxLLUNJ3vjv3xpwV3eGWSG -zd3UZ4AYTJmSlbgzuJzQIwwyxHsA7ypUUsbdrsoQaTkACUOsHO1l/oT4P+z3/tWPuXqUmO+D -Ly/pBiCRrV7c4cHMzud/dKBXuAK/gS7VD4Is+K8/srdEJTrPB88zleiLOdffymHtCAmZPn93 -bvPXUcJk1PiNQYRwQIuIjHJbbZL8rxqVo4NCmi2HwjqMaow4GLEPSEdqEu83LpSU0Ts0BJvF -/6UTUEs04zDjSXpAGrPhWoom2jxUllAJq5Aek+f662dZpxVLxzMHWrLly7Fb1WPLbCrWhqIl -k+SJAhwEEAECAAYFAkxgNzgACgkQ14hMRxjhj0QJqg/+LKFGM1orBnYv+DZeVGbcPrBJVkeK -nAVgX+HpIo9uY7F6rRMZU8BHmxqM66k/tPwwrVzrgrLScK6spQTUjxKbjGkktT+LPVdFdB9F -2QdEYCwX1AB+0InLVtrXF/yFFTqlxxgLCRamRziO6w/1QDFMsDdNbIgxErjMb7d0MqRFNlvR -fO/ElovAPWlf+4zA0xiCRVbV3tbNl1/ILh41C8gc1VoTYdmUP7W3F6xCpy4MirSkY8LLDcax -wF9blsfc+gj8mW5yegBZnEoZchasl1thZ7Jt05tMkcEFTVYMfeReo/5Ww/dEpSfhjhryq5MH -0sSBT/1YGwbdgBRVzmocrWtQJ9i22MY3RboKNeAFs/wx9L38z570rOdemtfuXzKmI8jlcfQI -BIrE0p1zHE0OzgdfAI/uiJMZ3dRZJXsr8iVWuER97QqYZZkgDMaSHxvuKcNKQol9AbnDWbpl -q0J7CBo5si41rXpUIb/18FydC3k2KzjkCAaZs7VUCguWU/YKVw68kfrksJB0gIGqh66wYda9 -dpJVmjVNTR5bWbo8//ZHQXFfGccWoRImEZ7dD4xKTl1B1ihmgad0H7Bynd0IiORVs5zbdbIE -FCwnMjjB5nr4teU0wq20H8CaR36Rw38KgRrcJdSrJVDrmg+A4PPsW3aA1K3oCvREoR2+p322 -8j2c0pyJAhwEEAECAAYFAkxljxgACgkQE8C1Zno4sLCijQ//VodIvktCD/rmvxmbby+tjTFp -yNPRgiIdLyXU0Wfoi0TqzLsATfOluWVpJqSqIQ36g0wYc9T8BemqcBepDhj5e9NpYe4oq5kF -IxIJHzH5jHSM32vPVxJU4PzYcZzAMEVWCEBx0CHgW2cYc/Sq+YNq8Y/c69R8WNjse0qOZP7g -zTInr4JqL181TVvGHt9Ak4KNakxEVLXGIXVSV9QDDGCpYMkfpEy7pwvtV68DFVj2nHHetzCp -3gYi90nsVvk3t8iowNUTlKkxnj4dZ2lFMJfZBBeNev31JLkhyqExUoBzZMDmW+c58nye8Ode -hXnvZ9nc0pe2Z6XWLuraYDqNDKGMWsOTG8gCPVrZL5BtHr4Qh5uuAwT44PzkdPCdw9NaHw1n -0s47Uuailgg+ZuZgFXxNcRD5A93Ovl6/skln7KyTr+kJ6BsDcdWzcXpgQ62/3ayxgaOEZlKE -VLJsngKhcjlINiIXc6t0AVZhAlgLrLAvi1G19ISqNPNBRGUWeCYjC++RCaC7i/vAFWIQOTLA -NfCtzwhF+kopF2tmmt0ubapaH2CycmWLr0EIvPUIJ7GAW6tkjjv8tfkn2VtT59+gE1WmwR4q -55XkJ8zbX9tJx62w84zkQA6nMnbBQ9nfWY1eThRk5IOXKElyk8cNIZlqIPPH8RVP/Ng9Pjj4 -+vSOAjkT8LyJAhwEEAECAAYFAkxmx/gACgkQHAH0Q8nJPFo1uw/+Nu1AJqt6ifpA/EaWoDnU -9hSYcpVq3mGivwEE08U5/2trXl5fcAe8qvdPB8JIYRROTLSUIsTkERftzxMzsCIb+iMj7bKx -5Ip18GSmTOcJU32hin/l/DZlDxB9/bo8LqCurbpEDeZ84zV//F6AqMc0mUyxhdVA/y8gEp6x -YNnVHU+AmIxzHkE4n+Rrc6JdGUODOL4iZcewBl2IKcYzRzcELIFMzjnSNbA/uxKE9g1kTa0F -QUTTpy/y5f36ykfWWdrz9OZFR81/UlZ//gv+sr1UHs6uMs0QayF2QJW4iF0KX4IQWCcbSRyn -iHuOzpmJuTFu0KNmU2cfRFLgyer80glsqicj0MwI9shdtpp2+ulfi2itC/gGM00cynt2WP3d -arrohFDOwCuAVWjp5dtENk8LNCK2aYEXlHiW10kaGi9k67AVfrV55p8WVTWcpT9oQ76wafnp -jUb6XPou4DM0Z5ItJqvDQv8823b5BCnMeyG61x9qCTMhGMEzDLFFkXalViQtIjsS0tzF+S1I -B+dVVvCC0tMnPWoyyqYNqtC0rIS0I+89uQuDD/4jAf6hL7sKLUzdLs8NByjQoV9nIaXEHzp7 -jBlgAZgx2SX+eK8wF/Lo4d0a0jddX8PRZEjkx0HOhaYcW59tui/ZXr2UDwlTTuyfsSpo35K0 -+VdJ+mtz8gHZ2lCJAhwEEAECAAYFAkx25QoACgkQryKDqnbirHtS6w//Xt2HPPu9r9Lp4Z7C -U1EtWEDzBHZoiYrX8GBjfx7XJqX0kJWAXTHoN9HtGDwCil2bTb3WwopNrFUShR2yEs2Tbo8I -j1n4veQxx5japTb9b3gwh/8lRRPCfF++jn9q6927D+0jJde7hx3G/o0OoJP2H04kEM5wrzup -1nOkH/L5+bFerw4eYir+hl0oVfrnK40RKSnzy+6sD+FCFwLipOofDX+qVp1VguzwkfAwLTSD -PVxsjfvxKdRCj49RbI0Q1svMu8iS0Hu+i6e+pPVgvy2Bh9iPQiPNaGG9IeHy5mnq9T8yxKd3 -KY0mj6ipuHm3c1HPJln5bFlt1K6mrysbZtxafo+O6XeIUoRNqKi9eyA9udgIdHPuMAypsYFq -M1Pn7TLdSnRCyuhG0UFlr/nx3VVH7PLOerxMCZf7ApfcWA/s/iBG2DLpeB698UKOSfogcbWO -JW7Dteg4ZCL9zLxRiTZHLsMHnW/aZAAwoh/zV2Kpd6qbrZSyqgn3Pys8kwiFnnf9aWdqXmls -oNswHZeh3JvMOgs2QyY9X/+Bz3k1vf4a2aU2gINvL55aRmtgd3VDvWVk41WcRAvOfBPCC9TL -0UKbIBT+/rxuse6UiS/lVRNngvOpuUBmd0Zo/PiXxsxq+aKX6FQzZs0HsqAR/Ov7bmbh7Z+c -WwE0ZEogPivsD97qv2aJAhwEEAECAAYFAlVxpVAACgkQ2oKDDjzMOjq1exAAo41+8W0VSibl -OmQWDesxI8T+Qlw1v3Luf1CexMx9UsEktH5yP+guCeVpADMupSeKis8q0ayOgqXim6gyRjHS -1HklDGwUnhUyfDu5VNqy7BOrbUKq32TOqudwtq5PEyohof89/hR0UwfC18hBkumW7NfCmEY+ -kUkvlAVzVwbSAm1bjkFu3DLD3RKN4d4UG3kFc4tqY0BweC85UvJaFFnY362RLCBV4gTjXVgl -UIHXpDSt863NBTtbNJUTIf1tt5sFqknZh2N5UzgtkTz6t4N47+k0VZfxuk/f9MmuDEHAEBBp -lj4X+ofPXbxbr2iaAZjT/LjU76tYq7thkbU2NRB6RtDv+Tqfib5z5ecwNEKIgQ6BelCh7pRI -wnMYhx3wj2aeY28vJ9vE76NizPWiZpYzD3MHyWfN+kIuSDRZPBhSNLnfA5uUuBQNjS1Ad+QR -Xo6CtWZ1cE/7Xv6DCKmk0ThbGrvwkHKJGrpJeaaf8lP0fo0L9cIipqx3NSSKHGe+B7zhQZO0 -QBlTfXRlErjuZ/j+V8MTZqsmlhdVi+hElTioj24MQJiXfB956RuOM+g4P9v2QT5RRD0C4XaS -+KSC3eejZGYEeJAmB0uRztsRntyryw2LF6WxcSyEg0pY+/SLFxMfRIPlcAxMM0SB7HSAFZ5V -nQJHc7bBkNpw179YqexsIKaJAhwEEAEIAAYFAkxccTMACgkQ8RQITAhhERF8zQ//R2Bls2xP -vxotETrAPF5MOjDqlK6aeOnSyI7shiWWXL+7ds52SWsmD7IL+7XW0t+fwvfEVOb+qNWIiVaS -Yg4nvZQnTkCqTnDxTzdxipEaiK0MC0bXmAikBQjZ0iiveOMYOeRx2PWuUOHrymcvJ+atlkq6 -pk/mycZGpVitnO9crTb17SLsm71k5aV2u7EBCEUcbakmrx1mDvBoi/tSns5y9YEPTc6JcKtz -VqbyiSAY5dZSaLc8IW9Aqn533kPyIwYXnbxd8cPFDxDLhIeBmZnVTLURE3517RXZu1ngZEFh -pSoT3w0Xg0cgh7eJ4Vmo8MnW3p33+dSHbWRlgrNZcB0PBWZrByS/iS1b9REgFTyU4UeI7lH5 -zLgPdxPKBvCNObRhKg/dAmqSDq5EHYgWxn50p3TCfhrDrkoD+3seeee+mNARjLP4EDyBF4/k -57SqT7ytj9TWQoQuGAodQqNXwMKNcldz4FRZ3rMFrUpJj3uD9x2tlT/3bCVKQ1QcPSzKcEcq -zq9AZzjH7cVEbgpKI5zBJlejWB6aGvHLIhYZb4EYuO03OgEDDj9AUvIBFBxKdRvCzeTZOCTM -/8oAgSSVmFewEI4E0yNxvZu7wjSV5LI0AiyhwnCWlfYM9Hgxbai3cv2osIK2p5GXbaRykhwc -jc4lPrIsEE3At2UzlzO4TTI202GJAhwEEAEIAAYFAkxdPzMACgkQhy9wLE1uJahHJA//a9iV -wDsx+OxFu8+vPEXmJCKt1o17+PyhskIvNSXlVPvpYIpqNKUJQXpqBkiNASrCOQSHrQtw6p28 -9i011TMqmMZsUkjqk/Y3Yzx+SPT6KUfny7qQzGW2DpHL1qILDFMywzvt9djzWT6hmH5LCLSB -3aWMHIwPDvtvylzHPIN2XIABSBxnHgeEi+2ZZoLZE7HlQbwsAU7Xguj0K1DHe+urOBYvU0rq -ceqiJhnY8b71bwQRhFqVhoFkW/IPp7dujQxeJVvHZQLLNkB4RMqG+kR2Ku04U1Fxbh7oc0vr -e8EAYdMfutU3ZRWZ4D8Ltr+q/hxy6dm/bHrpFu6NIxox6KrR8zewcoGDQKI9BlQn8mrIof0W -YWNUusb//Vbz58iOh3POcjs7VkD7aPo9R/TaruBIWv77kbjszlQaKKHWV4aIVS9EXW0cPpeF -OQUaq91aAxB8Tw0Clx1TfVc/QZJB7/l6k8deXgo/+4JCU/BBmsplR6mG5mhY1Iq5PnuutU+W -+sHQRYSiq0EKdwmAaq3AIz7D+rWafv83Ea1cZaMph23ChqVX/e+YVI7rxxYCY1bubd7TtYWb -VG2W8ufTwemZBxWFq8HXc9d+Qm3LHV20Qxp5fAoYr6O67XYgQicIFW7f0lJ54igqH67wFjOf -zOTHfWK0izIeLVtp8xmj7hbFrXXd46+JAhwEEAEIAAYFAkxdRNoACgkQU5RHndNSTFGQ7Q// -YTQ8KFH7n9MYRpb83fTRfkyreyQyTdbcBsQw7R8Tksx/qbidiZZfI2cILweIqsumN2bF+ibQ -VYx/PpKEStaW1VQI5Crx/kSRmBaOlipbbfO+A3sbp98hpKMmaIxvV7IhN9qKhjcQR0YGXcam -5oVVwjIb2n89nqiS0qnGIUSTLzK5IR8Chob6tpnD3jQAnxE96wyhADedhCVMf799HSoQiiAH -TUarSv/HMIws34LRgZ2voFXADq+CE1Q2rBEapwrcDSkEQEZ79LImeuS/S1Be2ritRO+TFLzc -982LuHBxUa4MlcwWtWaQQ6PW/c5J7QJz0RiqaaL0DZxCw/Cr2e3MIfTCdK0zPg4A9BrNsQkR -/zYmePPTejvbsYpsWbpOknwZNqoYRc4cEaukAtdhZhFUDfL7jfh5HppCIM6EN3ovmTsRhauv -LeAI3J7JqrPp2yLDbL43U+1ejsD22+l2rmJQcQpRsdD8KlJX8bD3J0fCRhhIFNABjMmy3e4T -bij7ZM3ovNZLCgjHmNa5ASMyS3l/T2Rqu9rh/pZbPWS2hPTlmYTStpb2T+Ax/anpXSW3ZiAW -fHGOSjNrl9+LFqCdjyzvk/u2kbgd9VtjjFfpPS8xS1dGk7iIHHQQ1GZXc8s2WB9XkGGpD/j3 -8bvLJG9EXtqVWwJLo6t/PMOgnHK9dneq4I+JAhwEEAEIAAYFAkxfI2cACgkQeo9J6LY0gL4z -KQ//YgbbsU+C4e9A4L+b9lOTh4ICrmYg0jD86oBtjTsomMO+UP3T+mVH/meHWTzr+6ib1vsu -Nz85E5OWHeHL1Mzj60gbZSn/PMcfL++kKVCMhJs/HN6z4t/hY+GkafkeZgglnqItkZGK85ME -SmpoecuYsExEj9fQaNjHuCOrp3c+B0PJ3PSQ3qTknsOnUwkOgAhgeni1RusUqckryre1pPrb -Oy9RrTroHGsbvzfbYEYS8IVoaMP1AJj6o1kb6vomTmWlh7r5UM5iZRcFrKK3qjQaTYr9f8vf -vpJZ0GlWT6T4szOmekTnYuZJGOumkLScn66qSihvxXXlurPP0XzVObz7YrZ+GEDNJxXwPJpw -fpYZHsuSXv9Pu8S1wjbvL1xq8WEjwd9q4kgch6r5SD4+syLydwLHiBXTc5dfVO5Xs6KzWtXE -MNsFBrDO3pgHtWvS2V6peL/yG7RJJztzZUc/IYZWuEJIU76rzU4YK/SC2Vse9lVA3I4s0knw -5TCFvZHTV9KIjqT95xOgdlZKmQc0uXSPNrVfoi28JOfcAGnSnRX52KFt6yBrhCBCWuVTZTgk -hKSIktI9PPC/C3xyLwxJjz1jPwEomhtnNx9B04W17G5c8nW1yCjxPxY4Q9LCYpMYXGB2Nena -YydDbgfA6ua1exRQ+ZkWpnHqsmCLL7B0C/7oTOeJAhwEEAEIAAYFAkxfNK8ACgkQ0V0xOIIA -QXMoXhAAs79q+JHo7ulKZvKDkh+OVOXrSh5eKGUmuqK4RJuxrHmthUFkNTsyNBEZc2+QWw4B -8q8ka0x2/1eIDqwsKwHOfcQdyMepGiKnGWm58vL5CeoV/pZW/Yzrs6Q13o6/mm02bcxiVlqs -ZGFiRaueY2QJ66viPY0TJPlK3CavKKgZQ4xQtfQ/MDg8sdEnu3G/1PWyyHfMVsq7fG6MXCdY -TisgHAEyQJXgpCnk1YIuwxZQPKbMhcjiGbkKBMeQi9uZDiDUtY6s6S5MZGsG5v0KTuoBt2Kw -XHbTgkFT9wKaQnK4rfMjGtZFuwiZw8MPsFgz2QAR+1s4mIkCbLPPl+jwL+F4UkEUJvpKWcPI -AHnDe2q82vOc5ToWfm/C1cSf7cuLi2hGuSKw8JHuJ4hBF5NaMhmsrBOxjS9BC1OrutNvjoa/ -bBihJxX6pyz6Fhd3wnjtF8f+H2pxu9/9M6bv6lkHZDQxfnt2+muwsRncx/wU5JJcxzxUzcLl -wctSMFHmNU2egx6Kw+vPgPdkthrOZjkLQZZj9DZxHK2j2ENAm4jVF2Z6cUHHm5tVTsR7XF5t -CeFRNPUlhoEz4zdJiN2qflMY0pm9MjBpF44O8usWrEpUiPN53bIOpbPM08zYZ+BBGPOgxZbh -6Y68YUAq9XfVn9okE73HeyLLS/bpBj1QSe6QapV7sg+JAhwEEAEIAAYFAkxh7k8ACgkQcDc8 -8SkNuc7NWg/+It0T/mHuye7+PG1kQbutyVw69/C7yyZkoICrcQQ+Oh81Ba+DENSKrPVkmt2o -U3HR1bL+QbFDjUa+hnLHXh4N9hlREDbsaYdYz3xLbXeGOPDt0QrLn3mdZ2cZrZwLjcqsu+bz -5sRZMbKKTXqKkMQaDcJa2CU60aEoH9d+QJkIhOHiqkNvVyrKbiMoGnJoKDppwG1e3+Ri/oXA -6Sx3cWwmdVrNlwNAKraTFlw5Xh0RUQ5NJstxX56PN7tMm+PEnY94bPTJHiyzG1obm2Ona7sg -+P3DIvqMFIkldhNz/DdeCjSN4qrB2u71tC7xwAneqqLpPuYhpMpFtD/JX2lOhoOvo43n+atM -jqIU7xhZ2W0L7n64Ym31+wqqz6NEx+aVp+OgYVJPH6MA6jel3/KFhHoWpdnLJIL3XLq3Op4U -tCio5JfouHfuHVdslmKlH/6rO8SFY4VZGF+RZURMze0I6b3HN3WQb9Qv78hg0ZrI4E7JIbhc -oQQDIXgASS575vjK63/WRuMDxEpLEUflESKBsG02GJWe6knx5lACdIyD/8kZ6MIV9mE31Nqd -zVKv+i7BBomu+ci/4B4LXn5LcPphmGPAvL1aabC7D/9lxLPA5Ur6LHDU08LA7S3j5Z7Iob4m -KbS7pKaBdYPLm+kfAlw88bDnPioZwkWSggD5/6iwEN2XseeJAhwEEAEIAAYFAkxh9TkACgkQ -dzH8zGPk4neH6A/+PTNKtYOQmFxM+1QJEqK8+4ZOyeIB74wHGI0VyFWRb6Bt6K7OIYAfp8Vr -F4kH3DYPqRYWZLyG8Krkff3HUwdgBdrsRRQKN5Q1YwpwpofCcdDY9l3fmlUNx4MQN4Cx9uBT -XY1OGTOMHHCog2eIOIkc3sT4xZ/zIcgFKM245lXl+fLvbJId8jZjYFwefNerUX1bucNoaloC -drmbUN2OItXISlczLhSZlXcOyxU2Q1DICK4EksZy0y6XRnYA4/7JK209AS5jIZb6UvV4kMGU -y0/CBTW9fJx1jZthN4bLxHMSVFHvG8oqRPmr7bO6KyvnxeGY/0bd30nA0hoVyDtKuIAuBYXL -nrnjHogjF5sl4LCXLNDmIqbYoXMCAuYrlGaGsLzqGqjPX22yb+5B3zYCB17nCP4/l84auAJL -6/EOrkOjTRPWIqsRO+dK8QENfp2zYfWmr0G7xBQPdeDvyFHbY6LO+PwzVfzESGranmiliTDq -fGUGT/F6F3eBhKb392zDllJgfeKLt8V00vqaY8jqXS4AB6ze7XkcEXKsshN2atVsstUmjLKZ -iSO73irt1X/Cg6SrKkjDgUhwTmOxywkHBYjsot2NSYcrdkYEfK3nPpesB19dgJYzPn0Mborc -vJ3ixf5c2mjT1GHIdrp6XEjqLs2zu8dKLDiTJPSV/Q1H1nEasMKJAhwEEAEIAAYFAkxi3k8A -CgkQd8b7Q+PTCCRE8A/+OY2000flzIxhqxc23BzEOXWxwZ+tH2r0UQTq8kwZiSsva+NIjN5G -bx3MMcT4IyGF3VaxKZRJDPGcK3ByJS8HnCv58OE2iF9sUT2BZJEIfgniHgDA6iLyyQDmM9N6 -9UVoYYqIWff6Ve+4gPYebafy3UAgUJLHdrknfhE2fseE3jEtdsn9AizP7hc46xPkeuaAD474 -4jtM8h0zVk36l3gdRwFZEWMsxATskct3hLjKv4R/EFdEgIo8x7hK0uxvc6JyyguOznrwAgP4 -0LgXv+Ci2BWrf0awhOyuDJ+BiViKtEuzcqgwPR4GgOKkvzti8jkPNAvjCEIHTpWJwkIZ+SNW -aaIZVfbZdSTMf3tfVkUJ8tLImtfHwJ9b+BPxpiP1DENZtxmbOsKPKeH1SIGO2BUt/Y+i0KYM -rJmhQiL4k62PIRRhMKuYjQ5sasa9oyAACxg6nJMJoeJalJtcE0ZynCwdCFIkhYLXVPAgHCUo -/c5Wq20YMW0sqerdf/oLwTHe8Gyru8JfcRS1mLBuTPWQUGIt2h37WMysv4hCHT29N98w6zJL -jIGHH6Sd8PBw+WBxg6rpeGH8VVuLfHerB6XEMxoQM7FVAefDUCrHzWUrNHgSl5qG14HQ+46y -xxegb5XNGM+ku721W/t7YsA15ASgZi8ehaQ7iSl56TGu8vQCTaDqPmqJAhwEEAEIAAYFAkxn -Ti8ACgkQs0ZPiWqhWUgz+BAArOWNP1VqUSh1LpZ2mgjMLCW8cPChtEKI4/RHUElI9r6BVMGR -/35Ww1HMcayD+H7WZDXXiBqG/yPJJtmMfBW0xWH3dbo1pEn8IUZd6mWSlbhzxRkVr6AFhDKo -4T6QVQQ6nwJg9aBveBAXGnsr9/PieQNsp9IyACxZCvjoEh+2TV6xE4r0WaPKGLai5qPuvzSN -2efP1Fl6gtmoxgI0yiLDyMlQZPi+/jXC7qcae74qYFUqih1hAq3EaCfiUNCVCulAEYnzhu+Y -qJorF+Xl3vV/i/NT09k7GwvxLy1waPAi93yekg/QwkJMSrvehxXJlPdkUXUKCsgE9o+1CztW -iIK37utWFTnkApQaKUyHJA8T++ReyRXDCEq3Mu82ZMQDzsWRhJuWmX7/5MAw/1H6yG0HLxC8 -sGH64oduKWZIlWwjkox0pUrA/ZkEDaznUxUK0ay0exYtcPJ9uUcmXsFvxCe0SOGwarNKbEjs -FkZ/lelB2LZprKk/10BqRg3AzPEix8IK9hRRM5jXK1ZDEYRGYw/c9VoQPf7eMpF52zAZ45h8 -UjL/q6oAg3egW+ddbsEEXzsAgpcfNKhN/edoUKhQd5d2h0S8IpmPMrwvqrRaRSlOrqMhbqro -GQhFOV4+fO6zwkV0P6Y9QSIKibjZDS+QUZPXCLfpKRSYVQlkFwGVeVUcZzqJAhwEEAEIAAYF -Akxsv4oACgkQ5E+AFtNjD4l5ohAAtgotU7QYfbvY/6b2DKShrm0guTeROOi1imRMfMD5Nvy4 -CazA7qm07G9Jxo/yFYHMaXXeG02vx0pSb6Gbx9Z/jtwrOALmtIUAajTFmcC1Koshn1KAlqtV -FriWzwAz/jYIK8BL8Db3LCgGP0SSyIaD86x3VXm4JE04AJeAtFUikQwBU6iNA8Mue0rmdIgz -vQ2Fg7qk11Nafx4xT7XU/K4BAy8U+6Ai4F8VPxdh94zc+Z5qVd5lRZ9fYsdzztYoc8xtOzjJ -YzDACo6j6covoSD56gQi9htJzraPtKaWu+gz4P0ijZ/naX/hsXlOnZ7IQzaByetVgXoU2Hg5 -D6UN7YCrQ75TB+Q7Mh702dvihXCr2smUkBOBnEqKoxrLqLtrDYPLw7ELuM+bRzZb2nfBYzh7 -/o5hEG3NO1rXIQ21cYvfPSggkI1fq8kOsWbd9uIXR4iHycohZ9DsSW4iQ7+IwVu1Giypf/R2 -Fpz+cL6aGI5DKFRBuz5ucjyhJrl9wes8v1hsTDNAPSbOyd3I4PHa3N4gxWbFvV6TZfSwHKm2 -fot2bglB+n9otZaPBVnHdsntQsRnS6K7Ptft/EZ1zJvWJcOnAjZEtj62mbrP2bQ48r+wkWy0 -LbOoQZ20auH/YaqOO8ZdA3QGpvK2GCfYB6JzD3bQomsQWMlaAkx1wfFQUBQ5xtOJAhwEEAEI -AAYFAkxvKsUACgkQfFas/pR4l9iqyQ//el6hebIh5S7ekU/6R/msFAmuluGh03OAMYa+JwUm -YqXR6iGf0Ftw7XgYJt2NiY5ZtaOULtZe3zOslFio4KRAwjKgEOzSzEDc0wFtZnj0/LlSTk9c -zrrymcJQCAgKKV4WTffgiPpzDM1ajaHxY0WQfYJng/5pVxWb6QXjtB5mupf4T1Yv2blWAKpK -Fw67Fz/iN4DlWil21vx3FgpAHY+7JVB/129BnbdHtbzP2CiQxZ9PoQt40bhrinI4cHyPHcHk -EPKBD6GnyuyIoPGYRsILp76rH9vWQJWtY71DQwlB9+w/JTVP3TRinXJ0BSBvFGNcP4hqY5b+ -8tKmSBPJM0umER6Q16HosZtI+8rY+4yvaHjtEIqau/AdBnCW/EBeG1YyjDOQAQzVdOR84PLf -Nyz+eqeZI17fZtokRjTg41J2b1+F0GbUOTQueqzlTK3spWYrPgDe54luHoYmgVqlsj71Zv7F -cWEf7L9RdcA7sqCQXpDggcOTRDVg+eR6eCLGJetBfq4fsX0ae10TRh/pGut8Vu6NTcFGw5c8 -vt74h+WFIXPknpBeKl1HcKUXTLJxQP5CDrZF/HzUaLYI1SaKv1jVm36gV2YZvuZQyim4vBgg -V1/9K1EMgUW7GRnQoOpQP6zxFWnpPXPY3TDvdleaqeET3xET75mGgD0WIUreBaKjp+CJAhwE -EAEIAAYFAkxv+OAACgkQnQteWx7sjw4tUw/9FgAffwwit35JdS4S0LQqmkmGXlMvfZEkfezj -GH6ITG/YWri9QE0ktGJqyCbP9tnL3WCno8bs90tmrQyagjbp7EsADz8L36vbYrOU72mNHaeL -qbJcCoztUSWAe9aPJ4ESwTXbXCkl8xE0fm1zTF0MLq3T40Qqw67oMTBygYqhb8zeY43bKOzZ -f0fBLqFE8+LTZDEk00Ucc72M+W+J87rdiHUuJDFdAZbuAvBGT9p1YNkcqaRWSmgRddJ9nBTD -a/Qe9IBnAXBblouKiVvSTGpcyAyGKJ9cPtaviCLRXk17rGli43AymorBdGPpliZmMtrInMm4 -FAhSoU3nwB6b8oI5gMh46Dze05PYkVVZylO4Vo2AILUkeo6tagy3t+BEFAmonnpluJKZkfcY -/FvvoaT8oej2U13tXStA0FXMOJd9fGLruJ+yZnAFPrVHZWA3ziyO/u9iprB7ZjqrT1OM1Nob -ZP7NwGxdqED3AYJAb3H97s4dMGAJO3WzGgHOfuZEMsH0/vIc3nWAkj9jsFcDxJ8uTVM6uy2R -oIfBM3/XspyZvm2MBTuEJvwhXW7JTnxsUEpZ7aJQVJLT9Z8PPj7rPLJCkDQsdwBw+e0heTl+ -BspMqppnKw0mXmrRfnqGGxgLtlIRn8bNEp4K3AVuNP2iWp9rMSVPg0qLGSFgEH1DtoN2DsiJ -AhwEEAEIAAYFAlWS7hEACgkQ66DGxxwAJW8VIhAAtBkHOqKPOA4A5MKAzWSIYAfX6FiUfFaI -Edwqm5ZmxHItPQk+Ze8VN8jUEzzArrvGOZnctSZy7dMgT4WY+CNy3FUtg4WbmuvflcvCHlSr -ontSVeFjxL8qhkBgUzaxqohesB899mszzDyaM0GMD7FKt4UisOV4K9VqhXKHBhcKi0foQKgx -+VMD35N4+SqgSUF4+td913DNxdxvF5BKICwp9edYv6NpP/u9DMqG3lceVCy+rR3VEGTsFGNa -HpJI0Sny797FR3w4k18wKQGaGwUtdMz6GcmhnDxgiV2V1StLloK6wbAVA4YY3BfE4l7XmJZS -bStlL54h9tffDi0Dj1oJkSKXMdnI8FdpQEvGTGP9ARUz7MCxwiRzcJfOpfxATt3793o6fMLU -2dOzrCCl+09bgG5+wls8nda2RB2RE1EHksoaNyz4OGpq9seYGe0qhNLN+lvIJsv1BaZNdD0s -CaF+xbUGCoYQgvOh3DCiZbg+Ao138YEQw9eKE+Xifi8M36IeBTdq7S1OcRCwaDMmVchLFT5X -AHmFeO3L3zCO1C95WmNsFg04+4avHqgOp5MolLSrOEvKTnFW1Ebv2BJizs45d28VAI/JhgPx -T0w69M9Jpybd+Cbg93fHTXclLAPyQWXzhlfDPmKhukhSsG5JXIt0gyBUsq6lUygyWZcewBwa -uy2JAhwEEAEKAAYFAkxdthEACgkQXTKNCCqqsUB3ZA//S25k6cAkZpIddDahnJxDIon8VWhe -JzGmOMfb+hMbQ0y7xeCKRdNBa5yw3LKttLugofqcrGV3V6lmE9jWz5hK2we+ZAdCo/wXUWuL -FJQW8WKY7hmDBwxROJ4jgC0LTgeRZhYEvhKpCH/rtSQuymstcTJd+5jkEE2FU1AOsoAOsaPx -1DAb+uqSv2VefP/TG4sZ2vg0fdEuJd1+SiuTTLLEAnsG2yQT9brcXDvXPOckawFAM1KOwk7S -fkYekg0iSA4Ii9RlXOhpxNcW/zZf3WuS/wrCCVYoY6OgH/+rp8LkBG7hdeAfRsMjozqtBYUE -JwPSvLfRnG76neTa0DSi1bigpOMvHDIeATuS/hR7UdmTkSMwZ8AvQBOaSRHobjQwjfDY7WYM -kvErANQkevWiWA4WshsS/MpEKxiUe6SGlLVeJZfX1dy6Jmh1WzswqoQ9eXQXX8zBltPAfKFs -KRmf+OpHT94qYZsMhqAXOd51joUtCBmqeuzvdp9KM+R8cmuoPVqmZ8ZMdMbD2dQUap5yVxw5 -yO3CfGMXGPGfvA/8fOav/3MwWXUL5Zqv/ZhdjpP/ZNEB4txLJk1rIg4kjKrZxz2PggbMcCGQ -0uf3SBZa6qXPVT0KbMjzvRKao473eNX2OPqk+K2hIYuZTVhAcKKuvN8qQu+o003Kzw1SWlLj -1zrwaX+JAhwEEAEKAAYFAkxeUcQACgkQORS1MvTfvpmBNg//eJFnqXakbedse6wPpmk56CxU -47abeG6ZCu/0FTwhwnagYfGXUKGTCepVjI/wLpevVeoXDbYmrUOT9zxqIL2Xssp/wz3Qb+HX -deft/drFmb4XMrdUGwi+N1nhvPCXjWOtyUrzuYXnpCz8e0vjSfn6RpJ6qdgTs3Psyca9kPPo -1Zgx29sumQMx7b0hcmRbSxNOmm/vGCpJKb43sHsYN2ESMCNzazQtpbt/HZ/xA/HqJCfEiKJm -GUQ5rboqvhpruhbUFnuLIpGRvLJqE3kRm2iq1XfnfjXqUVbX2aHxNXcNKa601Yla3HGisEAB -ILGvCRa12hrmh43EPpwLCnTOIB3Sejndl+8waKd0smV7Ox0oT1nSo5MHl/VtVLJzPnCX+EfB -bzOepXJ5HRRsX5sHOTPHjJTOUuQvzfKen5nAu6iKsQnawpwQvIN1C7/OtEhqDAjWFr+eqG49 -bqN9a+EKu53bnXqM46N0/kRWXJAsHKfllki9e0bRKV5rIH0grsCN8P8qq5003cp/owAyySX+ -Pu9jFs9Hw4nGmEkuZPYXkjg3wTYClaPjrmbKfWXgVl2BjW+N7xU1yJZaAJSpd8vqGtLK4qz4 -wk0CrGr59EHPeAE9fAxNg+oonDQ7YcuDnHkVY7LNpIGXQkChrv1YgBzzAN6CFBI8GgG3C5Gv -bYCj+NsHFyaJAhwEEAEKAAYFAkxlr5QACgkQMiR/u0CtH6b0ZA//atTqqwPfQWupcXoA/doN -nXnBZDHUePFkCBan7YHitR0kPBVPP10dRfyd9ShKs25+DgAFTr2JKKk4ofc8ib+2SB4rTPIf -gvc1h3GgtI7CXzuwKdcHojmOYXQQsLaxcQDNqEJqS6oGh1oHd8DQJTn/OiARVUvxi6LkioOp -eE0KAkUOfZfnROz5E7ox2ImvMNvhy6VcD6q2q4E4nuWXaSVw13/MqZ8lGHRhytdrVLvVndSK -U9EP79Tm+nIRwgqeJ0CttcSESoKLngTAvHSwVpiMcO9rLfWqYZB6FmhEjCyPl7hV1e9jXf80 -PLDihKscVEroxww4nflbIFOPsKP12vXuQs7cQr3BFE9yCowLz0X961WM2V4Cc6o6txY1MzU7 -FY7mFrwIy9b/WNLBXJUB+dpnKzmY38ECLJQ+gTxahgumxaNe0wQclIrkrnGLszOrIgLyVAL6 -/qD2qUywoNb3WWOHg6fOabKfTF3zBdzSYPNRXbhWNxt05EXARXRwYR/mkwpAdT3TUgbGlOcU -hNAqmtzEvT/Q/Cu0nPvwXnJ1Foix6S+zrFAM8gs6zeUc8Q3k0EQvi8m54jILnt5QqYFSGM40 -FLgryKBF9hjwcPN1Hu1Qij8Z3H9MllV6Df36YSgKN1XpG3Jy9ktJcHvQPgHYVmXNsmQlmQxE -ei/ZYehdgLeU0Q+JAhwEEAEKAAYFAkxsD/QACgkQeFPaTUmIGtMxgw//TrRErKK8vl8VnvHO -8TK8KAMFi/GaRM0RKze4nJp72CGSrY5/bg2jAlS0hEKmSirlbLD8+U5/wWa5SrQT36AcyXYm -I3weWgzNSvbCS3N1WnefhlUhkaC1PRMX3AI7EqwyTUX7o8Q8A/HVTgbgHnIKxO1y1EhcfY1I -WEvA1wTR29928n63dmy03rKB2cJvQupGd/xRPXBx55h79NlLOJOadlYsUrk3B+RWBZHsn7xp -wWXn+38fwuIFs7DJye3Eh1ceDootTd6wlI7Km8Nh0+bCCVbeInxp3THavrz1ohGhQ8O6AmPx -wX7TN2EakX5mrwePFgHasLpgciOVRpDsaoQPF7taQg+d7knrrgbD9Xf6JkDl9/sxnlZ//t72 -eQR3X+CGQFmfhl5rw+h28FkPxrFO+n6nk6opm1z1n8FFjQnTzFxp2taqVs3s58ondUiPWb2p -E8HOHQX9b4iYY5x6hrZehkSwoJOlwGssiJZSa9eCWs+yvJoJOG8yHunh48o91gY7kaqxGT9o -K+2MzW/uwh7ztZ/ElJj4Vg4XTOqHgSDmUKZjA6e8Z1xuXoVT7D7axP0NvgIj1jjeCD1ncQsf -Ay6tynZm/+Mz/PLwfe9uYGt5ZncwY9aKZRr8a9sUnaaIjeq7ywugKfQyxr1v4sjcQqELKfsM -NLrvOMjw2eLg+3UC9p6JAiIEEAEKAAwFAkxi3T4FgwlmAYAACgkQzNLtlNIXOemGQhAAo5Zp -Oa83tEIyfPOcj7HkQPTutAs8H+kgxzPMLYFhXSYKLPMsoH1TGMFC1JH6PjrzRdk6g7jmoUEK -2F6EL5QpFFKFNVWahRWY49F67jryslVdeZKvFMEY0qjqsJ9nEBIZW8wJ/7BNvYmZxBlWq7PU -0SKbbGNVexMagwctygY+mdnknS6vI3aom/yFByVcVXIdF52GJiAWA9nIx/poKS0ecCd4UuZr -eQd+d+x/z4Bww5E62k2mB9d+VDik1kjzL7bXfPV3+bWoyBmfl9zEYgNnQ3ICurKztkRmu1/k -1+68wHfU/0MR/1nJ9DkEfBi9Z7T3shtCiU+993wSHPeKgurkQwn+wzkthCNRNs3kOwee5Whs -/zD/dyZgH+lrJDHmW6C8zaa/K6Om9+AacXLId1xjQpmmkO83Tkf9qQvtC/UlocllGxHo3hAJ -dfxONF/jwY6Zs8NvRWPuswTEQOLCLeww5AhVfapOLBhcG7xZEye6VLArPNq4OsD2b8NyCd39 -GxtBdxR6/8OQbGoEmrYf7aGS+ga6oygj/+ut1M6w4YkQCbLd+OjL2ZUG85tALP/1KdCp1pTg -YW/TmF0BeT7ICa/MmZeYyO0DUKqvsbH7Dyk0aiYgu+Gm3ob6JNC7MGadUkWIyjLUHkPNmnXV -rGT4KAkRtX+cQl/R+rR+ewB6RErUtCmJAjcEEwEIACECGwMCHgECF4AFAkoHaOQFCwkIBwMF -FQoJCAsFFgIDAQAACgkQRJdSeLhhK13PHBAAiyiTX8GMp3CgLyIiieHJnBIQS5fxBICbsSrO -j8OHWnNAVwkiRbtXZQ2g4D4NvyGBuPN2hskjuGOj7aCsqpE4Ln23RfBTAI3fF3JgMGwkqWh3 -9a7Sjnw8DwxqaHB3zfs2AvPnolSUNyzc45VslNsE2j359UmvwZAGpqN0A1GfobFMWjmt3QoD -q58C8EyFOWx/Mzcl0qUrvGRbQjQ8najAYugpBjdRZ0MzGfro/pmoETJnTgrZimHNXvDtSTmZ -HTVYYbxj/99Iw5DeYschcK0yvbPFXGo12ndRrEs270LpOMmBpdBaW8bCj2uzATQLZbuaM/je -py3bzEFcCHUMkF+ekIf9zp6IUkSc2B3kkbQmVJKxOeiKWzCXvuu6pU1nRqrG/565CRkwWWol -p4TvlktQgHSZ6CoIxzDnYRE0eiGpsLxA10nE9VrUCjME5a+AYLQxj7ztDdDfb5r9Lq+1/bUN -gtiiQ0fbaNVXXe14+daezFw0sCGB14MWSPQz62rkG6piKB4ZMilRijiicWg/k/Rvlbi+QzH3 -PGhqaVOV0JpCTfh3rolf54x3JN3bdlW8wcev0DLPJOAuhv8nXoBBdilH999RH0lGv1NzbAIy -7goaG+XOe/fmxiZwhUQhmTdfFnXEtR8UL9/7+dv9nfVY+kIZIdSN+Sa5+pGs7bik8dfi1xy0 -IkdyZWdvcnkgQ29scGFydCA8cmVnQGdjb2xwYXJ0LmNvbT6IRgQQEQIABgUCTGvvxQAKCRDV -ypsE8sQjvNDlAKC18LdtboThQEnkx1lTvZZSZfApWgCfdj0UAdJxB9OLNqm3L8ukPYl8DW6I -RgQQEQIABgUCUJ/lDwAKCRBw814kbVMecylQAKCzW0oYdLbYjN2+VkMFlr9WWoeWugCfTyfX -Czqy8U9NJX0KMsEsVBmwB7yIRgQQEQgABgUCSgdx3wAKCRAyF1wNwQJ6DvPzAKCBblkNp8NA -k+lQwKAeqyjGAr+kawCfXlAQCvjXpRb6fYYu9X0S4r3gdfiIRgQQEQgABgUCTFxxIAAKCRDh -VRfyKwkgwGBWAKCXP+R5VvROrrh366WPoeX552dN6QCbB8aK562QKVhd4OGwbqhHAJzpE7KI -RgQQEQgABgUCTF0/KwAKCRDU5e2swBQ9LSl6AKCpl0Sd/zaVE+rXCmCg9lF4Z/DyJACfVE+x -FXdayyRPKh6cy6g1x+KeMQCIRgQQEQgABgUCTF80oAAKCRD5heNACvx0dlAxAJ9JA62AWyTp -1xpVLyxGchSp7G1I3ACeIJGHywtqpfbJfG6YiFjt2C5uVVeIRgQQEQgABgUCTGdMoQAKCRCf -ePg86MQ0YfqTAJ9hOim0VRfs5+pf6rsMNStUWZXksACeODXRe1BY90f2o28VOFpxoDQMhZmI -RgQQEQoABgUCTF5RwgAKCRDaGWI3Ajs/T8IZAKDCaii1ecrI+HP8NT7zero94/RE5QCdH9zl -k7ui4NR8EuEegYPvqFw7cI+JARwEEwEIAAYFAkrbZ3sACgkQLQ1auHwlPVLxQgf/Y5PQaqBd -FXEs9QkD2Ei7WaD1AZkGwpICpVmV1kA724sJ0uXgLavd1E9NtjhMVKWYwdjEl2556oZL2i/H -XfRz+VgRcysjLM/ICcGDxy6OygziguJRpwBWk0xMowNgWFGIDvTt+Hlc7f5UnBrSE4hGmWHQ -9Vxc4qFiADKL5IuiLssYgJY31xkwSyWcEnUe8WolOb4BOX7SLuuTIO6u/Ud+Zh+N3o2amWBn -3l/OBfi2lM/TTrjFEiJ0KOfyutiGV6a6/SkfGKBzhgdzWj4M8vIMthxFAapU++3WXF7qNQAX -f50EN2TKXKHgmidfpWFqmbPhIkEaoheUYYOCaiaXY/IKgIkBnAQQAQgABgUCTHaO6AAKCRAi -OuBVvZThVI98DACKydotmw0GE4sNu7CHhGMZJqvSu2MSMK7IyjoShr/JU9PO9yXEB6TQpfLw -E5b9bso87SouahOJV+bYvBaLx7JTT0awNSMRxlGnf4il8F0FOcl3RgXpgv14YxXxs8KJHLV4 -GhHRwVxzJu8hdNltsTJ7JjJQS3kUYjBpIfJlyp4yNvZvUeRQJWTs1l31CkPwU6fXP6pxCP7s -loh/zL1zVGY2q0GrTkFlrCJIxceiPNll44Rl4PrIMTmBQHVipToRinsrFbyD5QTAjiorVol2 -il078fK2IeavCxtRUR6jTiHx4/IWqt+kPycq11EK4bFMKQIAJeF0aBoAX4fWOoSPIFWI/Nz4 -m+EecHCk5frctfxNV6VAB5Lf4XwjEho9HFZwqmSQ9snMi3zrEZnhnrCJ1/Gs/ALt9vu0Z6d2 -ZoLFgxW2hdOyaXrE54rMKillYoTLZ5d8+uTQVoN8XFz5SliSNb1tu1//i8U9Y1tpSUUTD87G -SuNV6q49gYSeDqZ54EZEiHeJAZwEEwECAAYFAlIqSIMACgkQ73Pm2lg2uBpHzAv/dOSlPdQx -6o4MrM1lB6imRf4KPTmjkIwnO4N5iFrsZch+BNJ64PdGukhuAi1EXY7LBJlXRO9BPxdJI6IF -R91ELvM5VzNzZDdwZVPDV8wJwkpBTQTgNJXCjETePf6adpQ1ORMm6Kg40WIH67BLBN993Bfz -dQbskas89BxmEdqaz1eGDaBTHO2N39jOG4vTNouatsTsUlDxCxNW/razg0uLgMPpL8dJpZ0B -4cCi7z/+r+OYrV2DQlJo6Cc/vieROA2ElFa3p9unYRcuY4Mcn6Hl4gA3QnuQDsn00GPDTqBG -OEvhjcrHghhB0WzxAu+lc6te4vOTS0OCVTWMNU/ROaG7x8vQSFqaNWxEigkVlRDofxsyGQw7 -CxNS1mwsYAc2kbA84N4OxMZ4sHkLnheoVjUYaXz3JmLMnlA0AerkZVQRfzm/+rlEwLW79G1G -tsVaRP0WmG9/nNZXAr2wfD8menJAIV1lB/pCSkNlHmEM4uGFAb1lA/EENQS8sz8NvvdvLNYs -iQIcBBABAgAGBQJMXHGfAAoJEPGmm+QpwP/ujggP/1V5FTQ8rwB8uw4u7Zg5EEta/aM4E8Pb -idUJ8KDr6p5Zad+hGWCPKT3nloPbN3iaYXblmxDuAYhHl1neH96tWYU6vygmiR2Xo53y06tY -EKQbdIF3+pfOCSFh9NnFlAqw72cMWsL0VqSoZL+SgY4IojwupFWPNIJbB0JaOSW21kFf6/U1 -juAbtat4J8+l4j8mNgWCUeHBENN78lYD506VIuuJRlsWiUBhH0unzY33A1BoJwyXo0TmL3wd -0g2JIGT5sJmpeMkMlKminVjZCcY7AzoTS60QrCj2FCGBtfbUOH9OQvBojWOPz7ALmKj/aOl7 -3UtGnvlscJPeilteNQFWEib1e85ufAG0Ry1AEDtR0GsdARJhqiG6jRn3v0lBxfG2dVWbHrFq -a5FkUm73c9r+xjDC5NquWhd4GHyG3IgVPMvkw8sciL33o9A/XhNdjQiZmpok77nswvbuNOEX -diQVnHcylh7bNaoXR6+3R8FVA/TThpW2EjxIg9TwAPfJFKWV0SWfyJSOZLFOiEYDEqBI190j -3WSJNV+p0+lN8CDu8jFHxehsTGOAALCSQq0mZTKJJh0GH7d2YD5BV9isUvsfne52GLx/xmoJ -+cKJfszaWq2FoMhIPD/tnVYA/LPodylTRC6/8C0WIMR0eAaF+ByCoU7aEMWJDEJfX2MoyQHa -fBV8iQIcBBABAgAGBQJMYCuLAAoJEB51mnJqn910WK8QAOJQVb/ihBQC0IsBpJwKyOH5B/XI -jwE6BeErvO0rnmcYTr57AXwKNYxOvtIV8uS8gFzfaZJM4YHsF5BNToT3l2UIrWGK+O5nUL7S -UM32plf7QPI/NSfyCtBxKWfXgbFQ8X/oNdwq7HMzCtRqZDoYv5btUajFsTP8gykqXqH9Ry4G -hCFmnP0UNUWwTq4D2/bImt+iOOw4C7MXyROQ8aZd69aUsAln340L7rXz/yGTGvabdLXKuVDE -QJtiZ1m/bewAw3A7zw3mKtMAA8Em8EJuTfmFvVQEpBBdacjwIn+ZpSzuY11arLIWNp78Yegp -mFsuCANZDr/V33Xxo2Bb+4cbuOzSlXw+mOx1WYo1Fkj5Ga2IGkTbijqByIPwnCB03T/3nG/u -hde1SS9YGGNL17Z2qDOlNtufKsbfPJf9xtiEN1vJ2cbOEDD+WbC2nvJQju4t4WaX06Kyok6b -HPqupuGSOaa9VMYk6TzPAOG9hzcD8SBjO6S59z/qtGNqKZOcTWpeXWI/4qdvWtAPmafB4fVt -2XS+vOwn1c4gNQFK+nCatlYywfuKxoQqGC+i/ld8wuniugtOjX4XbK2HzvuKMuCo0z6x/7Nx -pOJAOf1jgWuQWruIt5VEULh56mhglEV1vL93aCUxOE7kKAcas7Ojbve/EQruWlFbzxJW6VgE -1ncxHX5yiQIcBBABAgAGBQJMYDc4AAoJENeITEcY4Y9ExdYQANMHDBB1HSdVXEmkfVjMgW5O -BF0AphUt1r9ptI6NvzcuJ5lFTIXHDa263UBRpHb65EgaHYqKC5LKLSXmUoKXcTU9fBLWFRYG -N11qVpdoO1WSD7R7U7ZDbix76ujLCfOtPlqrh0TzHEzE3U22X3hxL+rHjDbvrLQuEhKbVYaB -WaY1THCJjB4SA4YcWOXUNNA1i+baXlDw2XKqZrEriv+zARTxlF1GzpXBoh9ymH9TsyPg1dg9 -BbzzGy6r99LMMHmt/kB8BrOX6BfnzeLwSmg4VZ/aUWSAKK2cxbvmQFA5HkuFJ2sUc2VXmuPR -DRY+vurz9PHMF5WZI8ait4/2m+W4zvsYZdgOPPkGr63+DVKssczpZWSq4zX5Ykmd9e+bsCUn -E9jAI0iH4P4SKyFt1IkRWMAaUxQjN2v5/CIyydaavQGKM7AB0CjZL2835LwqiboOmptxzuWJ -5HJM5JSqr1HMHP8vokNKcbrU0taV9IuTuBjPl198TR1vxPhHYcACIt6TP4wr1ApAsax3yoDd -T/KrmCaczIeX6BmFFqXjDM/azhpQKIyFGgbDzrRAQ/CatG8Vy1baA5uJIsmiLxc7imwtUf5r -uJOlXSi72uQd9eBx55mlt+zNHbrxULPYBIL4zOe3g1SXb0leZsvPjVAWcj21AgH2QJx1IoV0 -POwfFLEVCjTxiQIcBBABAgAGBQJMZY8YAAoJEBPAtWZ6OLCw8NEQALA9UfSTm/Zqc2pJn+nN -q4sfhPUhYlTUxE1D49FzF4GmUHDYzMlU8VVZub5LahrITDINOIidmf49wXc3BcjcEKCUjND2 -aL/0JMtyMMORH+3g/Vz8HvktL3EnOiTw+Z9p1GNbEROI195VIWwNRjU/EYv78ErcrQ99MzJu -O5yz+Qibp6JUSIzMGVTAiGIPzdJvnbd9JQXfg+fhanWKIIzj0dqNmH7tqYuld0K1nD/5cf5j -o8Gc2L8GQgIStjUF5OwkElnO45iSYz4rgw2PfHVQBX8GsLBGRhKcxUK9psNBHIP0eWUk7sTG -4/cbLgkQow+u0ryitmu+IJ/Q79NUiRNrw6a0rf2FUY3Nh/AbVqLVdQChKrxGtDQuJtpwh+uV -RYTmc1rPmyPbsWj6xmgfvkLgX14E+5EPx8H1wyRsRpBPEW+Wb397I5eEt+gCEjfjrCprD/xX -eNSRMdOT9NVG1HJ3wmeTEddkpbDNhtY09ydMzS1O3auJReh0L7ZRn8gPmnXk4EPamDNzY8N2 -OVByXKEPhb3bHD9RCHEaSe02BDcR1nbpbVAX3onquvK4ejZMuZIXXktbBcnqHz+zbRGRyoQO -Jsgh6bv3qun3fer12w22PJ8Q8ifhAmcS+Lhadvq4hskVprr5tRmvxHRKPgZF0ZqGOmqvikyV -YhFvZabdkKACAYCZiQIcBBABAgAGBQJMZsf4AAoJEBwB9EPJyTxaJbQP/1OgrWHtcJ39T7gf -wh+3lbFvmcQ4ggc45PfnM7jM+OZbkPZOMnTmXgDXIz+0SKbPUVH86XPbeZAXHXavtIFvqbPC -yC284oQeG0gzwS5yxygry5jj0fZmw2W0MfSQWEuUkj4HBkqEhgXGmbsYhCbbN6+O8XvBvIvY -EIYO5a7wSzi/21NPuG3hcGMFV2yzr6p2FtvXfO5biWGcf0yvkj0YeBzaCwdty4F+1qGAIHcH -oPhXCEggJKZtOYVZmsHz6/6RYghmRaSoGoG7Jj9+6udgZCycn6EKPVTE+p3tMiHxJzviEFRD -Ov6iNBC55cFhSbMplkW7fH/M6rkW/e6+1zhxP1K11gwNTtoMJelrePLRpf/w12lNJl9jhe6h -fw07mluEogjhXLVOQWSFjz3Y1Tfb0ez53ev/ooucvk9XT/svl2UM/K6RqyWYl1A8KCp5OgW5 -nXzRZ6fc4Ht9OY0sxMNLTLZ3enwrVa857n2VrnOgRTe8bFqNSMcR39QMAD6h9qmJR7cNbFKn -IyQQiOtKCDFbZ7wyMroepw8wNLXPlvtMvS2zSBmMC/gJsdZVHK0u3O1Rpp1Jhq/qsve7D/fE -NhHih8FBKPH1YXUOILdR0zDkyBUdXHBUpZlcRovaznkigKX6LL7f2SbXZo/jO0L1FHDhYQs7 -kl7OmWIXh8XW4m0ocB3IiQIcBBABAgAGBQJMduUKAAoJEK8ig6p24qx7z1gP/3wRRaEX7n5p -oZUnpEcNy3ZRQPAfVAAX07aBSnTuHzuphX0smAfJu5fqEuYP1XzBUV/WSxuQ6nGtFoVSLEpg -W3EX+KgLUGEv7Y4NI9LUNd47CNcZ3Fo26hQ1ur66c0asuLjseHbHl1aYwRgOarMy3X8JO1b8 -x3z9edPan11kBIeLpjlBnnScZVB9EB2ezptxaXvyvyq/+SAfRMnGKKO6qx5vG9uK2g7GOPJk -dzS5LGeguixNjh7pN1ewiSHO/AqPyywVGYiYB9dnVWT0RwCZMXs3YmytZHfc58EpmKDoI19W -MFA4Hsdgwp9ucXJMfZZ1Xw0i02fJQKs911aw0dF/hVjHSOQfVAiNvBFn8u5l4hgFG3JkZ6Yl -rktrC6HThK3mo+KUNlynB70xSLXwxIHYkQUTxGr0HqZgRQJL03pPqk2Y+Lx4ndu4g0YwnInv -1arb5Yfg/y4IJ6GDY6W6gvPP4wUrxue1w6BwqRwO0rD0vRMJtJqzoIRNCE8aqtQP96OmH5iy -xAQo39Mvz5cntzaNMV9LOm7RgSaBvt/hLwxfhG2KX6Fca8hAXo0Q9dg5FbHSyLxF0mSZTRpO -NPFzMz5zc2yUpjW3Holt9+5n9pzi8EUVwfNnFzijagzbL9bwuyc37M9wnPp5x2wLx3MF2o/3 -fNzpyo5Lh+IH7efZcG4XnUsYiQIcBBABAgAGBQJVcaVQAAoJENqCgw48zDo65e0P/2RDhlCL -zEUuut3KmGhBmPbiTX7CnpwFhatNFIb+C1EJ2giPmmrwn0O25ED8dJFC0GhZrwNatuRzSefI -yc75hGrTr/BFqRLAOD4xfMqOE5U4+z0frVTyuxB9Gdr31EmZ9miykKnfzcz1YY4MpQtzQOWj -SiYFgjofwcpI+b5MjnqG3T8q1PzONnvvx7BrXt0lRNqL5MyByaV51CPbENyhWeJMu5tX3hAR -rsuWoBP3kw6Df/ij5I71EfO4vD8C8F6AKWt8mBjyOfIpDmHkxNU0HYrmOnxzqXGqHTu+II83 -vgJOurjZ7TnqEe9jB4XMNF7w6+SPL6u3bNfzH0KPpEjzBV7jQKFUhllkRbcf2PeLnmzex3+U -pEJjS5HLOkJt3B8wyANnZB358921snsv4LVJmgx1aVpeYWNo8vRgzKRMZT5Qk3ckXmuzHN3O -FGKwLJnHmnha6rXG0ShlYjNY2wJjfmwaed4wU9k7T73tFbzoWJ1NXP37iQuEnOINVbNCQdfK -cvL/82Q3LcpiapN1E/QYdfYjNju9NVpnSFICDEEYOfvodDlxbEQegZdd8zVHayYQJuc62sUd -zPvMYLvQTq+x5tk1vJD+VSJ1sAbVZ3gzAANyMyYQ4670RK9H8z4ygxa09lAunkcJ3cUHRFat -JyRM/u5NYxmCxxL5l0/UqOJg775tiQIcBBABCAAGBQJMXHEzAAoJEPEUCEwIYRERgesP/1xd -2SPeYmC5X4OpUDsbqQoe79ojCbmd+2CoFHm+GM0WbtJHFi3BEJcVW//QNQJRSE5dKXCHtIDb -jDhzlTKYT4q0f0p25mWMJFOXqb8sNiorXXdDz7k7GwrRZFsi/XlyiIrCwVHwLpyDGkY5IPBz -p5JMXuxViM/TYn9BIX58rP7eVwAcazSBIs+QpAvUi4pfxNdPhrHh3Pczllxg6DamsEPBZsjM -fz7pJxiddkJgAlDpIa8C3ZX4HdMnoPZhMh3JHxry4CIceMC8BOuX4c3GyXuFkKTMJSlRViKG -57WyN7eQe17UZni23QLifLYD7V1r4cY7cWj1s/qsGtLsvtuVL2brOvHeHVEE7s6dWpQea6lo -jLtlWjNXvb7WQ6XNFqpal5x7MG95QbBKWGHfifhVt7WrDSW6kbouXYYEgRhSZBkPPjSZXTEv -54YkBVwCsb9fykKLOTy+wyJ5Ttj1kxtrMWsaofhDYOo9OtywwKL4AnfBMhE3NcrZ5Yf5MHHx -NK/A95j9p8/HY1dKSHNDRub7PMM73Xp0fc/6cCyl9sTM9SFymKvvcMFChRcy1ZF9kVkXP3w4 -ZzoJz2YSTK4zIRY/Qqc+Z+BhX/rRuhwiILuCH9hXhhvBx9rKBxxKcTw1Gl5hZ8nP2CGXNkAV -qSXL/0H8hschAtxw203KMvqbpSq7bYkniQIcBBABCAAGBQJMXT8zAAoJEIcvcCxNbiWo+oQP -/2mKGGHKVA63SdyOkyAaz+mV2y9jIw+0hf2D6eoQ/OJ2l6vQqc4atQ9NsMBH5SKo+kPLhfof -NcO6axy4ngb27YK1czUS0oyF+Vv618k+1WePw4Kh4afVZGrGsHBiv8DcKbeAoEn3gVORu5UY -ElINIsW9ZIuIypyFXhV/zf30zR8MOd1uuJjif4ac7V+n+O0GpBgzCkKZoCdO7NJ3QH7RmpJ/ -TYAug0UMY9YvU1P2ffTvZuHxdY8adJGnieFnsLrO7yYHlva6Y2T47m0QwM6BXe673hj45H7s -rZpbvNIEyRiXpucEm7YBCboiA8vBTjXOo8D27Aa5MoZUHF+znB9gRKWKUnkCyCT409yo8qJI -5uSm5LWOa3Dsje3jlzfQh0BVLbq2f/g/kgm06Sb8jWzLYHUvA/+K774sOQu2gSG0FkV8BQJc -M9RMdImzIMpNpV9JYOWZCzVbTe2ZzzZuNXQJFG7reuZ8SoB8JyrLEqNbfzJ4G+pNbXZbrSA3 -ybMgkaIvt5xDujQSwH/we/V3W296WHmVbU1U1W6lfW43KbOXriCrLl/j6qiy9ln/gkVc/Amx -Mh2RC5bKOCTRJ2TgPms2+a4tSpOrqapcpa0OnZJJTG/sifz9/3eDGPTKoVkN1fYZqTp+0s8m -NohYO6YMJsuqkYNr7UAHOTE1p8nhrq4RQlaIiQIcBBABCAAGBQJMXUTaAAoJEFOUR53TUkxR -rf4P/jp1G3yjSGwglzqEbvu4rzO6LrC8ZqnxOSWjKd8xN/CIje6naB5P3gRFLphJaDUgnlpx -nQYODkDZlMPsSmUY6+GrM+XDPIEnw2Yp2Vb6OVTSeDzgpjgNsdKptNGR2ENFpC5ReAKEKAUy -7bLcraD04IV35hnuHNevjq86VO+Dev/SQ2NJf0NrOuC3iW2YA5SEXcJYGp1vXAZjRUprOnxK -n/e04kTTA4b3cKzoEo/bQqk7C+7fLG1vHziDDPszsZ09G7eAhnhZmFVTk/jvBxJ9ra56Bo8l -ArknJ7A/LHvGe2SEd9MVcoKIHGpM3IPhJldZiXNeyz/HuUA+xKAY2Ox+p0vDlKUAF/koME7u -2wwx4ncMnRdbVOGNGDJTJhJGWk3VIUsicbQQ8M+wKnkJmLNI0ZGWdoNADdIR/xSIhL8bUaVu -PC8amQwK3VD7iNRcbNnIw0+Xbzev892lbBvav1Y/V6G9lBeS4KrLu1s5h+cmCq84RlW3xCzY -B3yZhWUeojvuplyNKPApJwkjWXGC1LK6VldZzYksXMb+9JxtoE6A/9F++NKqEmDilKl15YFV -Dy/beTjoSK1+6T6RrTKOPt6kFu2460PTa9KOqjpQ60hxOn/YpyAeEK/MtRuBjAT+wBCIX+NY -UIxHNX3mcl35l6Gb1nYtL4CxBG4h557CGM4s65IJiQIcBBABCAAGBQJMXyNnAAoJEHqPSei2 -NIC+Za4P+gLihkZlHwFEM0pNSR9GoL6OsaEnsUebefwcLSrX10Ee+5mpODki11Sf1flIWJ7J -I+2Gj7U2NtFFXBvzNCUDN30Xb+QJBSU+pgJERtXThl8hKYuot79wg7FclsIo9P/NEQ60/tji -2iSQ/w12NIApczn6FmX/xVaKafJyf/QRnI0mxQvd5w7JEoeIKvaUVjt5Zz9fUhTiM/9kDCv7 -E4a+PuVP7nyQdSCoduhFYQwLf+727mxtdLjK5OHXl1jYx5tcFdTyumZpB7bG/R6U2wb55kxd -iAltk4U+59p7NG7JSu5Lnexq+p5/281vVH33PrIINuZUhmpPovFNeDz6lFqEICQvaiS2STte -/BY6yBwIDx/1nUhiBF3yUU1TOQrtQUfRjox4QRj1g8YpGspsUXagBltN04l4tev6Hw8tCn7A -/f/RkdQ/7U6N24ZP3BdBx1R9nKvksE+C+v5QwlqpufU8Zaj1YpmPBn/yfSzSCvd9cE8pa4zO -KujACMEsPh0c/BDoiWsmxKLTzOoeKGwl15x6x1Y1yTKOLD0wXXvEM0TVF3x3RJgvpdnvonN6 -c7URWq31zKcISwLOKCK1c0UK7hyD8zFISiPChiUUdGicZ1Jo0me+xp7R9b2QQnwVj4kO94gY -maw/3ouaDqOrU80N5pVC5vC8XSp/iGAY8wR0fc0qsPY6iQIcBBABCAAGBQJMXzSvAAoJENFd -MTiCAEFz+XAQAJo4XauT6qsxxS3i4ADlzeesoE5g+QPzg5mpVP8NA+kEXqLuvW7ZZjDzMClh -bpnhT9L6lgMdKOzODa8PzMMe8lMlQtGQsfby9Jy7c15wFwO3YLr0OesnS0gGMV0cxpu7XVmZ -ROPqOn1eVk25eaZHO3dHrc4ve2OMP3ZG+df3+kwQpiMgrl5x+9UHOWfqEtyT590yzofK3FCj -qHZwMUt2pYeCksErljI2hmrKDqp1zVcjE7OoQwc6M14i2HvhYwAtvEJTuqyIjFZL/XzGS4La -2q43fiLlAJalwlvIBEtRH7E5qWJEiS8gs47+Qcwigw16RhVp0FxhD7kT1vHrCoqwMFh5ULQB -fEYVQVbfVaXU9vL61LOvPfnE7QVCMnREwzCyYlD+FonI/LK1pqbzXgEJjh48rXEVuzic1G3Z -zipxiAbJNattO5aWuQjlEQv1ykWGIwh5Fa+LEQ6Idcxi32CsD7FFCYI4dg9GpZwM0NjJYrYN -sN+Nl8/o96LBGzCsminV+M+jXyGN7S08DoEyuuoAwmiY/48lAQJQChMH+M0M/UthALdcTooe -epFC3AiHiIaKUouRyqo60vNbAixbv1olxZpu12KlgCAg/ra9VcYjvt48msQTtmDQLz8/aY2L -eoFLm4L4NMqIQ5Dxywqen1MTKkk6GIx+7pAJH5Z3izmQJEYpiQIcBBABCAAGBQJMYe5MAAoJ -EHA3PPEpDbnOyQgQAJcCcEi6GZBjFHjNE3N2iLVUMItWSEdx93NabuJi7FpuhorwaJphZiYY -3ehgSa4t0/gNzkRkscCmbzjAr/auQsS+iSpINgCKUJ+dwOO7t03owH7ARXb4gmWY58poL+J5 -ZgkqDok7ZtW09G+OenTaAccIpmb1IaGHDASwZ74EuH5M2P3iP42h7Q7Slhxer1GVloLD4SPs -8W/3Rslwh+/ccYfweNC3gLvU1q50bj6kvO6OWemcI1NAWtxEDTGjsS+BsXBPlYQRF3tqtoQF -Ht3xUKlGjHBO0DYymOMAlQzXfW7uqUYenrOXmOV048rqZxRtSdQwlXUHyaGIuyCRWqzzqYip -ArtquhHSSKedxe5wltdqeB9G/D/zwHR1fz4VFkECxRp0rWnnOnWJEp6+uxYPiIV/36qB7X9d -NFxlt0Vu3vZZiXgo9RMLjdQdYuBBJrshlwKkOlYPDzpYjHWmXJjKUIhDTqD5Kr2CTw3TrRyu -mHevt0nbqlnzoHd935ZssJdbYGDC+F9aUfcyzwJN+CH34zKz5gtteGP48DewptBF61Dyl0Pa -rHthrkwMqdZBA6cHE4lGpvrGh3GXASqf/rtAHwLM4brOhtH/LYYjvO81wThRmtjyjmSsokSl -0p496fHxPDuGr7kbBDMtdfVdty8zJ8IaWI11wTYExu/6VgY9dlhuiQIcBBABCAAGBQJMYfU5 -AAoJEHcx/Mxj5OJ3X+MQAIdfUJP5Pmxv6T+yNRYSZ44Kx6cJJVvPtWkV+h5gx2sY/uTAS4/y -oiBrtnxilEr1D3MbWyElI6jZPlDXxl/Jx42kEEur5BkVOFmAmAJYRork7qCds2RAWGnhqlNH -vuMIz1/PfJlcB2hS5qo+JZLxTFk4ltOTUT6W8ENacKzcpzWGeQvqG/dY8H8FL2hnvNLiGITY -XZY6hWGvW5Ti5xzIBXj7QN1C3WZAmxTOt9C/t6PHHktfC+MNGN9zQEBAn9MLkE80oSwEX38q -/ukX1RpXCUTZmxIbXOaLc6deaTcxjJbBOX+YE1dSXrg3KxhXg1IUsMVBhQx96p+yhTUwznfE -F3pZQiWZhVP9/qGa56tR6pejRM8nfgZaLNcT7nVibIk/7Js+fXRYp5nWUKf3f0BoymQss9MU -cQLFs2Dm/l6iX1gFUgqoiOVIAX8DRc7MfJ+UTlHBOMGDKVok9nVsZegQYe6P/C88vfFlI1Qy -fV4KAdAb4YwD2HatpcjDcX5TRX49mD+pmK0bx4+L3toRG6W3OPvTcsaubE9peNfjwS5L6CF/ -M0Fq6IhIUobcDRjmUNtiXk77WmI0ZM1RiaaknHHCHXGQgS+QPd82Htox2ndOwP0ScgbqlL4D -LT3ZJqRJVWgnWK/n2BrctT63KFAZa68Epm4v0GZtTjpJpL1DYnUd/J6OiQIcBBABCAAGBQJM -Yt5PAAoJEHfG+0Pj0wgkbVQP/1NGXS+oar0Y3GuQZ+HwYq4t7Sh8CbCIZlei01oDcC95Fl65 -HtTZJcd8RTPCkTilZV4orC+gHppLVGi2GQdSJ6C4whlnliwDtgU6uJ9uuP6EKTsGh1jAoTlq -eSDx1n8/F4JG6A1xVOekZ8NzTIfpfdFlAYANe+z674ZrRPi6tL5euQ9/iJpi//bZJMVvmttM -2QJ+XxNn/CrGKGZbA1PjBYYol3s7DjZLhR3IhgK/rvmVCo+0waZzPqI0CD/axU2OXT8B4lIG -WvDcccX/8p1tzIjlXNNsDV804c+VtUVX3jZMISmVMWLfkShhnUEhfwi5CUNtctL1SPlqwvbK -q3bxZjol/OFu2KbW1IjhZ2dJ2e1hQ1V8jUjSYQ4xdDDwzS/Z6EWWn7cLycAR8xF4CQd92hCx -o5AIgkQGG1R6iraztY5H/fdhXjzySby6q9Zvfa+rw0GkXpJzffKwrjZu27+QCqvNGX/3b1f2 -s0eZ3EkFam9cMD3df8PCPU7Wt/IN8Sxv7JQqkb6StQF3NjI/lnFLcb7qf4dhZItGZBbkWfwj -M2PMEIbCl66bi8XqviJUUskn2XWfhaodv13VyXGeGzVEw4+N4auDM1w3WZ5SnSXWrFazIXCw -IBWYFSyHlKawy+Rd3I9ueYyA7PqgwdczNxTwILXhB0+pBd0Z9FMxjL85C1N7iQIcBBABCAAG -BQJMZ04vAAoJELNGT4lqoVlI9tEP/0yGcqKoQuNUIsuMasD3zVuh5j77i4wo/FCqQvMQIlzd -PWl+gC9W0xDA7vILOcqZEErIi4PPGwqpQYGUgh9KynP4HQau+43qe2BrvdauFCIJPsmuwfER -OwrgdSkKyvdXA08WG77v0a1V+u6nsnmbXg5/xZZdwCAKt+kILPVemxeIy+f1AAHj2zLnDGfy -0JE1jN4w+JZrhdWtsYXWMnfRFQQqPbnVqi5BkFDeRalBn0R4mLTCCOZn/fGodA7EdmRL1dLN -X9FbnfD8AWMDEPMDZ/h8HdK7dD16XxW7i5o6ZbVvftyf/yaF+bhtOyTHabkdSlMJXHzl5mnW -mH8NVlTTQt05SJ86NhOjr98dhSvcQOxFT/fVajDcXAQbdKnylAWHEjnejGgt9QwpM99l/Mp4 -8j2rLgqfexF54y53km5ssTub3QJ19FG0FPLvRB5fnXfzOvn8iDhcC5V7dA7q08afUjaLDTVG -6byCHe8TR9weCaCrV7vvGHzmEEPRNzu02C86SXGZw05eRMWFKJL0AG1avj6k24hsnatuoUke -6IA5zcx81GbkqPDiOiiYJOEZFY1Eokm6MhIQ30HwUO0TQ93TdNgD0pJdAiElPyhs6csf6/Jr -ijOSajEDcEOuKzqYnrmY2AmDgfyOrjoW44ADKOcRTnnhAF26ljBzwqa4xguz9HEUiQIcBBAB -CAAGBQJMbL+KAAoJEORPgBbTYw+Jb74QAIQ2ADLJSvn+c5MBWYwc2NcFrRHIc0JXwmn+wzG+ -QLeFDGO9SV//LM9L0XIIbsFFn71Rv+/KqyFLn9SyeGdJakuL/AMC4qF1m6bCzwSMdoZeYBwK -2r3bgPU4xW94O8zKOfRF9kwxP+QK2adfR1y7j3X70rICZYAua2ugkZcIDkN549PBze+2LYnR -3CIhyOV6nYTArKhYuaDiNnS822l8VThOgk/Dmdof0+ExQfl7Nc2oAk7wljhmLX7nMonNZcDI -ct+fDsVS856UYg3aJR8EuDCAayZHZvo24/bKPwroxl26+tEEfsqks7epWZZRGY0lH+IY2qoP -oFhHPodpAw+faiafD5/06Vo3SzH2i/btYQEwwCCA21cRLwpv9432Ia4ekvjPQ2E3fjBWGyNs -UA49MYhtllX/8jk6LE+AIU43PFit6ZB2BzVBunsy/LH4ZLxdi5sLTA1f0dO9jNkqf3xGbRIp -PVXtQ6t/9PUXAy1evqWBQgRNHVScKL6pjuoLurSIenQCbcNQo1iNLB9DuenAHNUBP6Ny3cby -hqMpazBoCIb4HqtdeUBmzdDZ3okIdjXQaxsHZhDsLNQM1ggj9mu0vJWSkXfdXpew2Z/J3Cco -lOuTcTqfGi5kdoDHPLvFDEYyrGKiHTV6P7TxoIxml4A0rY6gHFYlF1b5SXmUiCt+cKMgiQIc -BBABCAAGBQJMbyrFAAoJEHxWrP6UeJfYj6EP/0SlRe8esTX01wSot7D9mZfjK/yvpA3g2YQi -3U86Nb2vvLvJAamLzV+Ka5GL34lPASAIgwfilQyVhmAsyTOQ1sIU+rPav4olOoUTBaORlzL6 -1AmhtI5N0HpjgnIDLmtKF5F/kRxm7JmcgnHgiKoSZCzZH2tomVVIGA9/aSDznr4N/uJZ0yWT -6MxKbmS3udM8WAgKxNN8IB2Z/xVDJ2dXMt0a4IgHNAn7wgfaizOiOKaJ77c4c/LNRiyhomA3 -VgHDBTP+WgDwEcJupo6RiXWyvd1yDTEsHCApieODSIlniWUePiuwjBPNNKwH0/yRo1fkK6cY -kqbCD8Dk10p7HUr1+BEGW2fns45mpwJH9PvbJ7e7VldPs7AKmEKC0HHKZ9BNa3AJiujwnaUj -EYt6hq+/DRUQp6iqTPDAKE1bNTA4JD55zd1gGthsGHKfTSAydT/kdvxWH8fK6F0vOssQy7iD -o+8VVoVpbl3qJ1MtvbJTxum4ElFhPYaG4Oh/JPK1vhWVXva9T1PX6sGskdC9DPgDLStCweq3 -RqzAhjPvcqgpx39mZGU/SQzwVUFN7aqASNl0ZFUMmnZ/4aNNYXY9yEAvx8GetdZm8s+0gw4O -zecerDlVf6xykodTT9sK3qiiRF53P5A8HlgyXoewut6MyKGEwhItfUshFSp7MMMJcycl+I8Y -iQIcBBABCAAGBQJMb/jgAAoJEJ0LXlse7I8OrucP/jRV886elnIly0yuYX3ALXDPgGKFwbRZ -GWC1qjf3ESdrqjC+On7jMLnT3/A4l03F23bpHEAOnTl5Ounb1PrhDnvo7msJUH1ZdtqsoT16 -sAPbq14Rsg4+n7f72KYKwcQaNVkgizg/W6a8VJDOxQQgkrZh3Lp90O8krIp6MDgd+XKEQRjV -HxyhzpHHyqAaY+/nhRY3VXATZ/5K4+pdyRt0aWlpvftYTvX/iZnGBrsfjgYkBZnix/+PfFtF -A2p0AXfiFfFuU3BlE/kG35gGDgbYf9SouHuYeR6TLgEMOekxeqPacbTTpM051Mq4tewfFQHM -raLLSMCucl+duu7kyDRXfwZ+zoQ7I74UT9gRkI/jSYecRKAoSYnoewDo2bNMEsnYjFwyf+Zt -MEV3glEDcE7FXgm20YYjFb7uMQIVbiuXnFho9RQFyu6z67cfIcJzEn1pttMdV0vmMfi872Cr -BKGHxYu4gP1a+yQWx6N4Xgm1eJVdAdzhmkX7mH5C2GKLPIWzwT+onyi3qCCUWp4NL+2QescH -IVkc8daU0AH4IGp0A83dpRDb91vYWFImVW2brurAsBwNtKRhpd6yG+ufE8+9PBzQ+hZD4+C0 -jyR/T5HAsuMQNSfcDDEi70E6wRLEd/KYp0YePkoAKES5CB3n46XS+WESddBXfeK0OZpAbXye -45lyiQIcBBABCAAGBQJVku4RAAoJEOugxsccACVvHtQP/1218tsrXF0nLofFs9edddWw4NLo -ZYc3HvELTHfyq4/41ERGOQoevO5/3tMzSyAG5C2lmKOz8SDHjAwkLmbqiYI2EbwYxLg1lTzw -1jZGpjzBfKm+dll3SWroKiyesv/iPrExc6fJ1mxLWtP6G7R4m6ibmz46uywwreT6WvhKRKzs -IPQdf84W13y2ItpFe9n2U3/Sy50brOnqAiLj/zIP5PIaaHzrqUIevdINFgyIWee2s7tTDcNm -zV8TV6+cMs4jT8nqguNy0lBGjMsSm4BviQRZJON7h/v3/yf67TctHMWJxeD62STnXS6wjEIk -TTYSNSEZGvMw6Ti3lVB4nlx7WW8wLX9X5/1QdPc9jZyVpsh8QzqUtp+jDo6dfXPBYfUlwm1v -Q84BVfcknpMkVMDLX9EMS8M2HLWBGCOEa2/n88ocUnjX2ZL5C2MGlK1TTyxSWCA8D9beVpKa -PdYP8JfUiZpC5nLKKBvyEGJhUa2dOY6jdbPRZX+V2TWMIwGWq03kSv4VBHdErK+HUXXcFvue -OdQBEOcN4H78RPd20CNTEIE4bsxgT+riXcjUDDrfIH4EQsA4oh1Z5fXpE47y3ZMMJuWfRzrg -es5QTKNFKDfLsDwPvgyJV3iLbJeKp3G/Te+scm3UDYi9dCB0eu1MiKM6SIxrJIGzl068Xndh -QNLOTpCjiQIcBBABCgAGBQJMXbYRAAoJEF0yjQgqqrFAvAsQALNsAqgOJrnudiKERxnGU8dD -YlxWPADlESd/DfsoEFkyd87GXVzfOE3ZaGKW66PB/D8eEfiT3wWVNpmAfIoHePXkPsA7NSyD -CORROlpxXE9zFaiRYMzY3EdCsvSjSn2F3K7pymCC5yuYFXTW1J6x+CS8YCEautV5h6oIsGsD -4zqXyHLWM6Htm1J1Rk0vW9tJqtfO39CFD/McuOUC6QMNLeBlWri8VDFmdGixOmLNAtBoZkPv -i7AE3BFa4utWcLLjm5gMDsPW2xag21LAwX+xiZ/G0xkDfwKM6w01KcIp03wVzWBwtaUApsmu -6fsH6gFPFuqrAKadAJY/L/U0A5QI8Lw8joq152skYYwzwC0INYTw+gst4IJDWPtjd5sK80Q9 -NJpnqLJv91KAn5+Ya/i+K3jjFQLwII8x1rX+B+hxsbofh95VdfPJW7W2ZMFAc5kpiN6Vmw6O -X5i0x407cMV2TslvGI5L0aQ1T9mnMipqMnQNX9sMjCUSRNVa1DTYPr4ANkPy4ssXxenRN6Y6 -J1Y2KORYgm93FfUpQaUUHOPzBT8PlfuTn1rNZpIABEl7RB2qpsJIWytQjZ8U/9epUiiChMXk -1zmB8izRWAoX9NtLM7KttiFht1nRYgB+8Q9/Ta5mros/htAW4slcFzNwEqFFEYNpgdtfh+S5 -50o9SeOpmQQqiQIcBBABCgAGBQJMXlHEAAoJEDkUtTL0376Zk/AP/2NHH69E18cRAOuET57I -oRZmJqa+a+cIdmXFIhWlxUtQfEBdXwSDDcCNVZCWWabiHieSEahXSbCQIpjsjfTLHVVmBBCY -a1XFHixF3tnR8auN/KONFQ5tl5IViAw0tYBX1zbx3FqZf/XMqzOr/twpKrbI2VaslvjPpu1E -sZ7KiXnqjWU1Dp9ydwK7sdb34V6w/N/uonaulFq6IZ4GzQzIaF7/SkOwm9am9TKON/OmE9HL -hz4kGimtnvztfaGQANF/YxBdjXEvtUp76y8QwXrxOD8f7EFQmascGPIJqgR9KLYp1Tsw6EFJ -eKpDGJjzevkBN8eeIDLOWfcG+qlhNHHtnbfXnv9Ojr8b1idvSsdqvwFBAjw2svZAK5f0wkrx -KU3U5/hTIz89EQuT0o/oJWBj67ONQYHyh4CYMZi3oTiqFWQH10utKi4kGnM8jaDA2No4q4xk -n6L99QIU+RClkamJVBQdmzoSYpjiFoAlXDIhwQGt+QmhbizZLp6NqxXJOOHJ8ictRpRlzHOq -ERlLNkmaaf4YTyBeEIH+GYad/xiqDQqm5NQHFBira2dZskxKC3SND1e5sTd0nYIur09wbJG+ -z72oKoiPMCf4Lzawpi83Yz3Swks8hZ32fbObhuiAmfXqEfDlhbf6Hz9NqTxE57faXm8pWrRy -o1QgHe7WNpM8vth/iQIcBBABCgAGBQJMZa+UAAoJEDIkf7tArR+mQ54P/j192Qx1SS9xW+Ao -2V6IdWidRtV25Pkt4LckZAIJHfVEvjpM8z1uuY34YacjFeZWtfI3mpM9JUQ2Zx854oSX9z0S -iQ0u5XnPNBavYZ+DKgGygOyDQdNdjvdzR13IT3RIu+OAnAFkBfwS2r8i2rrWpeZxltPR1Uc8 -J0ZtJ+DLgdbtWZxCGIl5eupdbf03oNQ0GHP/h4W9Ls2kvJOzILQx24+9tCZBIi6ZuHjlawhV -uZwTvhuc9HNhl5knHeyOZCFfBcNTWFnxuHIzYq0AU/12+WYuZ+SLll7+yA1yHpP7tQrz6oSY -rQGLzsBq0/kONM4WYmhMQVtgxuxjZV7DK8+1f1YlbKCGrk/R4lZ2JklJ2+qI2WMiiW4BdZ3o -CkEi8z5Z2vISsbTe9LujYnEbiTyCiEZlrz5bkavOgMP8T/0NlA0GSUt1Jo4hkLG9eWUfYgq/ -7N9vMQd0ihpUVKciJyqaSixVZVX2OdUW0nCh2ftwOzfvjhBG3GydQDb6Q8tdiOeLL4kB/zpO -VfZu3UydE7CAtqzvNj9DRR6hfyuELHULoxkP7DHCJIx2k4ZZwgUmLHYIyni8ITsRUnapzqwO -Gy4wmQM9ZGvI1vFXINsV8FUKg55scO7baXwizGX6UQ4jwvCBkt7i/1lYhY5udn8vmQ0cRf9Z -HjKhTYfZ05hp1dAc9Z7piQIcBBABCgAGBQJMbA/0AAoJEHhT2k1JiBrTtIEP+wRhrJcz3w7K -y8F8xF7+ihU9k/lvDjqZLlYKuX6kJsTupTygmC7bNVw4uBfGzlujY5kroa375kGK0Q6Uh4PT -ffiySDUmKj4ap29rlLT3JzFuu5CIH2jskPEAYhqgaf1NZUKAcIncDtVGZWi5J/Gi8faVyRnn -tE86gVvHzlgsDoz4WLE/Wer/LUkotK66I9sn6t877lm948GIrJ0pknNHB1bCcR6YhNRS6fI5 -n9W3bkHBBs+ilCd1GlWKl+a/NmBnr3yMKEYrM8hdh8RVJlHW1puyLruumoxolSToGvhAIPV5 -E8D8dc92Pa5N0tELtw4a1Ao9zl4X980QQ9XPqp19LdgrN4ipqxgaxlVywzSq1fObqtSd5IYo -NuLz3PvoFeoDyP0degy+4PxXX+hERcpe224No/Oo6cPvyxblgftFpMlRVuxLJx79m2B0db/A -lIEN4RAa6mO77ZcJnAeInD6ZWnHw+bVPTbGnsz/9L8EJA/SjILpBcG9UO9pqUYu+aL80AgDF -FoWlq/Oy5YOjTIBBMcE9iN4V7RV0S7ygA7xXQ8JEon3lrgVNRQ3tyrqclXKw90ehPS8ntYJe -8rr7M7hw9SGC/UwLlZctG0BO/Le1aoRI7U6NTnfKgdhfn2UAPX7tgSAX/xgZDcuF3T8KeTwH -/GYjjUzgeoKuZMtfMjXtEOfxiQIiBBABCgAMBQJMYt0+BYMJZgGAAAoJEMzS7ZTSFznpEuUP -/ih8u8cHaYsnA0vQnfXUB3NDtKpwPA39yTh12Em2QWP9ezw9CizD9VRBmR3kksbxvFI7lNHF -bBR26jzHvz5wh0OFAoL0QpnwqO6YVDYAnDbwU+9Gyk9zFz5WAiTaj1AFMA2Y6tfq9M6eYOG8 -7eNVVdRI6NOwmjO5cO1NNFO6fo4zxa93VLX8CS+4Xgt+qYnJc6bZDbwUPdmfSr0UgRVVbZAO -CGE4f2tSeLQwEOkO44XB1rgRilyGu9dRShgxLQoauAXzsQvqMzaNwjal2bz+yunhj14Q81xk -xJZ96I0w7IzMPmu5tjyPa/1Bhn+f8cHkqQQKcu4Bf2OEtANNU6M98reiS/K4cHEj0ChdFiHX -l2z4WxSsihbC3megEX96l9A2uVgJK0VsSPQQkGKzVsJkEAsld8tC4XK4OzukpXB184h68huy -TL1jdJkYcZoBQ/3Lo6Z7TJ5ZvnUhdpuvQdRfmBYK1AuRuNuhmPDYV2/qqmFOYBrpUY2/qv0k -xOYUduergCG6cI8zFK+KWn3S3sfxVt/032qe7oa9/VsloGBRwiaLl7MAwzHJfUgZCMIcfJgx -6sQRhrvZbwWg64UyG+xFuocSqTRkcCU2fezMZHhLA6B6CZgk0sY/VBQLBBOy4bmtb54AslmW -f39NNnD/VzkSqURypo3aDKn/f/v9+JNBfcCJiQI3BBMBCAAhAhsDAh4BAheABQJKB2jkBQsJ -CAcDBRUKCQgLBRYCAwEAAAoJEESXUni4YStd9mcP/AtRNozdY/n06hAVJCnI2W0U0/BknKBd -z8SXGItd3Mb++tWs8tMvZw40hB3C6oQJu9CdZ4tzZtf1jSUxoAJjGTGOiz0pooeINAuN0xRa -eLzUPyQNJpd1/CsZPFgtn4FeUa/T9WwHxZn/XzDBPd+N3uKzM63ZRpKU2lkSvSrh7fvqP13A -h8Zq/quMgOsCbQR6Dp1swJIm0s9gPfN4mEVXeknXnd2vRGrblJYL3u8V7cfjUjnCUlFmB7U5 -TiROYZYeP3OIuDsAqv8+xweBswWxCxX0LYsuRHRxmLKWEYHAV6e0czRSJYKQdV90+URoOZin -Qdeo24cWK6caJEavAHFnDcKP5aMCrCtp9hM9EB1J5/w0zOEXLotwhD3cWVDv1k2s0w9wkNZp -PJKRdXL9f0en47MpqJqR9/8U9X9j8t8tTUbo9PcUcf3YB4hvmEBauBHrCBNslMx58uPYOFjV -YqbwHUzhTKHhUGVHbCkQrUOjD0z3sjKlzXFqO8Ba3sDAP+hs9+g3YUQX+A403rYJoI/b4Bvy -eZ4ryKanz4/zhskMDdSBZ/UvduPm+gHEyq8Xtj/jxRDX0EqLvkphDdUgZqnmanx3FkkH9EOx -fUxnqpdwJvAj6k3diWEuei7pSbTBlqi80fLRUm43135UP6AryHtUnraBSsaGskH4pznmwUfW -Kh5WtChHcmVnb3J5IENvbHBhcnQgKEV2b2xpeCkgPHJlZ0Bldm9saXguZnI+iEYEEBECAAYF -Akxr78UACgkQ1cqbBPLEI7xL7ACghnGFWacQR2ySOwHGcuP3y2NepV8AoLz9sWYoqYd0SL5T -192WWkJWAboKiEYEEBECAAYFAlCf5Q8ACgkQcPNeJG1THnOB7QCghdTeFj/8kaopb1WjUCof -BrrhzNQAnjYiGUchyKzDS++2vV4VPwxvMZZIiEYEEBEIAAYFAkoHceYACgkQMhdcDcECeg7B -0gCfXpPTRYvu8+YGBrnl3ryzbBrYCiIAnRMek3cGNpJrDT76nPCVkp9J7zqjiEYEEBEIAAYF -AkxccSAACgkQ4VUX8isJIMAYjQCfRZD7k69DKbhcMYOYWt5paHpg6SMAoIPdjQhnId+yPSTL -h05O6LtJU7XOiEYEEBEIAAYFAkxdPysACgkQ1OXtrMAUPS2JYACeP1vgz920Qbq9CMig1p7V -9Bve+7sAn0FIeNCiAGp7owWq6mZX4BOD0o/IiEYEEBEIAAYFAkxfNKAACgkQ+YXjQAr8dHYl -2QCfa1lGYuTcxswPc6nqR8P9G1KoS5gAoNsq+dtZCJmYMIflfGNOxlzLUsNziEYEEBEIAAYF -AkxnTKEACgkQn3j4POjENGFPMQCeNYzQIXlYtcurpdjQru//evWc084AnA4MQEEKUkVvRLOl -PvkCi847vss1iEYEEBEKAAYFAkxeUcIACgkQ2hliNwI7P0846ACgm2JlzfNk5w49MB4cGDwy -Aodz+MQAnjanm/JlttRZCU+zLaxHxEj4JovdiQEcBBMBCAAGBQJK22d7AAoJEC0NWrh8JT1S -LqwIAKQmrdBXWS2UmANTYLBfDuytJJm+mHj1YSJ8ro92xzst6WBmqxMwQ2EscOv7S0rI/LGr -8PfXBnpp7Mf3zhwEXeUts0ZUt/Vy6s8UAVPTGPSQlj/Ya8u0mFfXkdGsLMgMdds9Cz8fLbZr -SycslmVmLtK4S+rhjQhJ0vXt2sL5VJ3HRznCpmSP5+ZQOlH/PenHLmV0kC9KcOsrxgvV6Rls -HIZ7oiATogYm/kuwXwQ+0qQAMsTY3AGwE0yuMXvDuDUnGdUBzaZJJZ/wodDFYlDxTJb9NOh5 -P7PDBQghiR0LrnU+Y4b4Oh6ne61EyGRhP5ULvZ8RZsvDCO27gjNxRH1nJkmJAZwEEAEIAAYF -Akx2jugACgkQIjrgVb2U4VSOeAwAsBhm8cj/o2YZPP0gFdUCUyr6ecydoD1d0ER8wwvOci64 -bA6Xeu+i8LtcAHKowj0h1uVye9SXK7FpfyPlD3j6hbikG5CKXSwwEfEOUHmBIdY+UarL2Att -791yM3hADK/LjKObU/hEFs+b50xsug4pbYGbnDgitj4AG7mrqLLReCAV708jbizQyxizDl2w -/aXbgRvjjVczuxFeFYGlkIFv+da3NoeYCV1oH7Wcg2vrBb+TrxgIbAMW4V36v+fIPaTsderL -QQTv86Rq5Uv+FvZaoA1y7rXMpDbD8OJ1DdRv5BeDAGOAWUFYj+XDDdpfKt91zOlzfr74hikP -1NWx0NEyG09wxvkV/6P1zjbv8NVedwhDBs6QQsco/oYx25Pqsin+x0mnc1NiDpR+9Oe7c4ha -6JzzN3ufllxydLpK4D1RC/ITKhNhIrG26qSEtk9K6zM4QQbD/Ngh/hztcHMObLYv4MIz/Uus -K+CoJDI9kPAISK7zKTHfGTbM4O+gST0gqcFSiQGcBBMBAgAGBQJSKkiDAAoJEO9z5tpYNrga -fAoL/0E2pxy8oF9vH2d87G/tYfJB1sndWixltZtLYJMZ6HVAwYBsq6ju02893SllpZ6xp99x -xAss+xeJF8PlpH5nauQOn07IyUNTytxa6kJ/xHcIuVEVFEBU5SUaXStqfugM/EE/V8pbW5di -oIILQx52NKli/JhrBWlW4/1k8moyuCkZqYsdwwp2QgLrJhcTNB1nWx4DBgonAL7GOGy7s2DP -6zoQT2rDmlMY+Y0GrYkt6dwwed0y8mP/6c1ayLP/5E7ZlJK7Lj/3WFxYXeOOP3rU2xm+Brym -u1ND4gGC9P+p3rlEBJ/loSruk9bbviULqiO5s7dB4Xzr2joED4u0suutYtSPnuY1fNV0DGxG -qgYvhwxcuOHVD3zBMuAfYoGSRQNsMrpzBnfytP2pF2CcS9L7maaTBxyKF7UbpqdvDDh74i+A -/J2O0TmMuraSX6r/szqCS8B5UdetjxWHpaEViIy4TiFBMIzkhhJIn4nngn8lHniRT6ex+TWp -dM/vkeO5f9ea24kCHAQQAQIABgUCTFxxnwAKCRDxppvkKcD/7nyjD/wIQDebpZRkWpthmHaP -NtpU8vn2WWtxigo4D/crBIrhWCvJGqm9P9n33AXpGGc3T6VEJGyq4lxdwBP/K5FC8a3hgCXr -dXAA+V5knfURy8kya5FBGK34YtrGXBcNv77I9GdGdum+tooYNnNJERueRkBLA4aIImB/W3NL -eL1f8vWVi4vys8Utpj8+5pg5GLstbpmzewtc2LQFstMDeCjBsrDiuZZrsp3fO6zKnizg0SOS -jTkSdXwvCma9j4mlmU2Ry9QJf3EBqyDwhe5Rcrl8TopaP75wOKD3r5npo+e95Wjvxy06PjjK -1ntAYLMuEODWiKAhQ31YYYg8v0yMvBRFLfFmtgmSoFcIiGJw7azkxJefqIhQr6SWUF2G3keQ -iD3qNjrriIqxdJQqj1XZjbwwHMKlvtvokf0xCWltpqzgW9YBcKwqr80Sp5Z2M5wjeB9TWhSu -uoG44r8dtz7GEVllGwGd+hRYbyhdaEjdgFjZtJ/T2n5ESYQ5h3V3vjJbbxVZ3fOE4ksVNEkR -5cv/h1x631SuU/287bb/ObGieYIbaIxpaQPedcPuX1+hHbLCrtZ9FAx1COzhIJbXG/2mS+2b -hTUyax9RQ4n01fgsU/C6FPeGqfyrrfijS2XKQAGsigRGm7rIjENjXM2fGqNsWGEPt9v3YoAl -vVv216XE3sCRMz4Ua4kCHAQQAQIABgUCTGAriwAKCRAedZpyap/ddM2HEADRXZZx9vRiIKFC -taquk6DZB15B+CTJSe+rhtiiRiSH8GZcifbF2ARqZF00OctbKkbBNycNV8FuxRiaZZSZN1fu -ZckgOKwMK83Llj0tHd+BTrjmOiZqrZ20l9j4CMfvoTQZLOqxbf0XKpfkx+WEf8HaJ59+2GDy -CvqYrzYW4oQLdc1wwQ1mI/6XcP5YyTPaOai7WzrRhL0ClYj6/kKrcyzUm3G91SuC/AXPGs5n -8QVINq1hidCyEjuRO29Pi9YjOIRA0YSmWwmF1Jq0CAWDlSeWZf6oZZq232UM4OnDosjp58pj -ldIf8YS8TcNLjFZUSq3ilfIJgTLZIfMj0H+YZyBRvHL8071X6xmqcQXmZb2xGOJHu/Zn1qrq -BjN7HIOrohVvVqccR5rbmQp2m763vqGCPL8nxZszGvH7v5PFCTdrfa8tlqiugadUvYW+SCn7 -RI1QMijJJjrlWolD6ZJLSiA21a9B/y8XmUluedCQ+RiJLzYBVSZhHI4j6EdavCKbTZfeUZEW -PiYbpjltZ5oOjoTzI/C7GKn/btPdY298tHPIRPJP2P4Ybi0Xzx1tsZIApFEn/uHxzxndigef -Q0EtTz/ikmVN3CAPo2i9dj1urBixB2QuoESumF2hjUHs9rZDtug6CuskojI0GAb2wPNf/U6x -ugU3APwb6c8O+66de8wHNYkCHAQQAQIABgUCTGA3OAAKCRDXiExHGOGPRLxnEADsBFKXFFK9 -8wUfiWk8b5ov+XJRvYhrOQZz7fX0iIxUaZCLaSIViyOD8RYFXr9KKuhGc7pcEvU71ccRdmN3 -SoHz+RQDrCJlRgBosEAY5hfIuqtuCEF/njo1cNSR7kjkYc5PKXpbHL2G+15X8aOBdsd/Wa0W -E6vLxMerhS5ILRbRs30W/VzcNnlb/3dhHSvJPVF9FGBeZuOahY1edZKU7xu8k+udND6lV1Xy -j25Ty0mb1WfQ6ORuqLhXPbfIycqLD2sNmpFBNVlRkRejEhJU9IiOrqkgECPjqKUMo9cnCCt1 -rVO0EZYvJGD75wl1PySqbQus1MMLep6FJsqvnUpEh/HzS6+Q3/2AL3a9JLITDm2h0TkCeX6q -o7b27aoe+J4cjiApF5E643OduBA6Ox2iauEr1t5d1J8ewFWx929EQYHnLgHtBx0CzZGUAZqU -NJEqLwfgxZaN86Kdw1xP6qKCuCdkhrsLt7gsACvSpkIEEhVxoAHqJleWF4MqozwfpsEO9BSg -L071pyc0Czw0XJlNNq2sn/GomNRvXLbYeSpqzsLdOAYxsG2l7aNRHVb81ml/OEvIuxHZE4Ae -cjxfsvnONarc5jWIA7iFgk3sLaTVejP4Y8cbn4rXn+98QwseRPBMHRPx84W0Rx+YUXQSAvVG -2GboFMP1PvnEEv0Qqq6JsdMmZYkCHAQQAQIABgUCTGWPGAAKCRATwLVmejiwsLktD/9ALTT3 -VOyGLPKCdTYn+kXo/R4x1+VpRdoLLkUnxKBzfTVqtHg6X9GAqMn4b8PIgIh+9ULPiK9OLV5k -bdko3T/cbP+Cl2iqSbVZoKuYpf/xd49oIdiJm/omruVotTDbz5vOHwxzmrSRcxXNzKrnmptr -f48dZjoDdrirUJNDlPE7yvM0IvBSwPv5R+t7gcti0/ZZFWDSEQ1fphx5q5fD47+t2Oqeyq9s -oIC1uO9xnzB7tTmQ4m1Up0mwRsf/r0JdTkcT2Q1PNOttWUY4aDncF+d8wCraPW7715C7iP/U -saAW2h+MwAVC3yMT6iu1dcufRJsgFg0iEd7G4Uxp4IcCfwSLWD1mh4NEXZ8Tis4hTnfpbICs -Go7qPAFDdPhWRw7ZGs/aLV0+E6hu0t5hE2CWaOCS7hfx8Z9W1heEuMBqDXZeSEfkiA6/sNHW -ocgNXiDXVMdyHm53xlswdbSDxDT6CPcdvzHsyNP9/pYd6+CFgTBAw60XqLrjYPr3tyTHBWgt -vFS0tmSq2h6zMht+yMu0WCoZgw4iTYKtwoE+8RE0aaqwxUcNw1w5h8TTFY0b0NyfD16pHX94 -TruaZnlnpNWZtHgYEqtobMH6SKyOsy0G+BJ/XM3jLKczi1U5osqH0yBRCWxVk0uUAOT7Y8fi -wkUSNQl8wnUbDoRSOtwCn1AQ0LRgOokCHAQQAQIABgUCTGbH+AAKCRAcAfRDyck8Wux1D/4y -7uso609rTdbQTInHqA2XUshIOCgsk9aW9Vphgs4hY0VEhhfRyajEa6RrjdYs68BuWUWO8qs8 -PKe3LhgTDv2ZmSBMdXEowYVY0CvvHhyHHZwdMl+6vRZX1uI3SHf3TKqT0eci7gNNvYnCbdMO -nXiBCM8nYUbbPOzSBKFEq3CE7EhNOvSMZwTu6pnOdH0qiVUvqNTx/hEo9qg+brPrPcLho7Yp -cGu/Kuqp30r2b/HVv4U5X5mOy/OebqzCAb8WEdWoY9V9sDo0bf4or5DZaY/JB6tozg7bQ4Zv -CTwyu4x9D1SqnySE9/wsu9xSlhni8e43o9ujv3jxABpbbOPqt00wA43wSoCbdfv4mWLsbGk4 -byKR3eWEh1XcUwRfaPk08fh0ssskKBk8C4sUMIk5oTiT+VU7IZ50gh8+XgMxrwdMcWAQH/Qs -VtsYhDGA0UTw7C1Qp8mCmeqLVw9RA11d/S47UgYlXBQiv+3LXuYfmz/sALy/ktIpz/tp5CtY -PeP3CPuFMTlKpVScL7+DbeW4pwwR3pkm1QAVaG/lb3Dqc4QpYcucetSyfdof1E7ZQtCRTR+L -BXBHkfqQT4xnqYOU8ULraaLaUGOd3y17rlYUXlHijhNtytzSbn+GPDnbteQYqZPx16IS1H/6 -buaSwB5ZRHBbfsF9O8JP9+ldLkbjaodxpIkCHAQQAQIABgUCTHblCgAKCRCvIoOqduKse+8L -EACKRmLci/pI12k8kF81SrF1TEZG4Mlqtij0vFQNTvaLJW9PSX5xE9ln/WcsLwUPf0ciV7bF -M92bdaPiiEDOzpC3MFEV8Kx/cBGPdGNx42SHbOrxzbriIt+OCFxylsqlElW+Wbo8chPtXWzi -/G39v1a/xHVxzBg4uUPFRL6zOOZ12M+l+TCijja4EKgctCb63t+x82GCW8UspmTTaEn8UT5F -STK+qp4+cQeIYBRBcHAGKyfzKJ6Chbv3MlNq+zhmg3b8NYLTKWOgpP4th1v44EeO/R8Oibnt -KJ9hqQF7a58hb2JLuoEmXXBJVk552hKD5UjKm1DrfZAapUTbWvVv9L5IdozaDph+GZzpXQ4C -Mxlwil3JVEe9sWPoT35iApFSgoWbDNYGW8M/CRiyLzYtCqcAzExJbU9KnKOV9kbebiZ8J7CZ -gxot5en0OaXrc/ALPHjYKrNmZEQ+B7dlUcN7KzFMEJHPC5Jb9xsV3Jje6T17lA+W4skejqPC -ZB1mi9D6SHTN0MYajeRLasFq7F1Vytd0H09MLkQ3i2lymE50Su7cOsMk1+KjA63C0JmMquMp -4rvuBt6Sh3qVaXDTPEUV5ZT5by7z6KCb4iYg7AB3IsCTsP9njUCZh19YE8IKxd4y1XXD+ymW -FwxcQs8Fak4HdGfmXLf7G55wI1E4GHFEwWMJ1YkCHAQQAQIABgUCVXGlUAAKCRDagoMOPMw6 -OpY6D/9xPI7IEHZCcGdZV1C5JH93KmiqARv45K0p36nAxmGH16mpFYtTOuK9oJ3ZSAZtbGp2 -oppbQX5AZHhRUvHcjwv33ME0RduosJqeMA8GT/xZKfXNGvQpn/ZG/pDyDLbL0LyEngRR1R+E -JCPNAna+op7ULQSQ/gf/HSwPI6ImnirMwXFAGOBSW0s29z0ilC/BYRlr4xt5uGwWugYnyhJK -/SSwrGBaDxB7hakk2LTeVOe18etFCno07VPoI8pUtNLBiLmySM2aK2Muy4NR+jZjU9x6oDoB -tTq40fkFln64nK82hqFoJP6kDPkzdQx5NaRiH4PAr1DOydHyXofs0MghS0UKlCZR6rkyAR2k -9r+b9+KUDEQYrHXXDqhpeCunQv9LGzTi9GmaCatNHJTwTmVk1+oydWiruYLQCQHETCzQrK2Y -FEonJnwJO8XremTXw+V3jyKZLee311I+ggQmtI5StRF7fFh7OGzdJXBVw5hI1VlISketFvAz -rllAI8Txt59l45NFNkZDZlJlJeadffen6GOXsWr5q5JfS9XlfLbGlzlrcZCG0uxGfKoYaUJM -0SNa5rvWO04pEK6AjBufkinWJBIJ1l9bz1uSkDY8g2tQWvdZrqGgih2DAXDhv+lu96U62fn6 -k+UtKx1D2Y6JI+KEdeGffuVp+4SnydvYIAH4GgSaN4kCHAQQAQgABgUCTFxxMwAKCRDxFAhM -CGEREQw7EADTPt7E7JjfPg5B5r8xEQwvWnQ09/dE9xie4ohfzCOfGVpvTquyG3xKrbw9SKhh -akS8HPLGgBvvodqvZOqPGP6eZKfAAZmlER5fAEtw42deAGhL074S4XOeuPmRPnYlzPZW8cy8 -HhcmjbuwXbhC7SJs1KtQ+sHZ6ihtTqXoqjsC1ArMOuA0Lsw9d4IOT5sXILtqnk92ynkX420i -yAiRU5RXlASnBNg5fAmMGZbW2/EGrHtfE+zzpqX0N38qKmBnE7kRgPM8OGYxYGpUl8x+M1zz -KY8BLhJx+gwCzI4L22uKwqv8dz3kzdWD1RBUUKJycCDzwrR+RI+xO9cQzaU/HOykH3HoRfIG -TmaewYDxl2vsVeHVDbGdZOmhVRzLqQIS259eRjQe6ZjdMiRJe15j+udFF/iVMgSgq93vWWNF -WB9Q7dKRZyPHjBuFuL9YP1VmxiNELX/BkQlDXcnlXHvK+KSFuEgV8RgQenmFtHy64YBC0MoS -ka4NtWkPl9EimPn3iAHNLBCfqqs83TaG9Fl8+V9se/B//AcsNoM0/3vBU/L/5F0PppPVO6fk -ELDY2V11zy7L5KcLJWm8f4YwOKCdyDYPYVTpl7xGM+30n5h3xto8Mz6f5NWVZbfxfErLU5iK -aeDdSebdqns+FUXmZYUlWJGCXEnY1aAzy/9MpRSz+mtXAokCHAQQAQgABgUCTF0/MwAKCRCH -L3AsTW4lqMf4D/9oxFxZbLh/kRIjys0wNgeiq0oBLh+KgN83Rf+vc74A2q2T9/XiopuEtk0T -ywbz3Xw9KlidyGr9Rrbl6O6aWpy0csxUOWvprE7jaTwjqZxqISNCcsPFbsWQieJ1bVv6upjE -j/wrTRh4IEC/P+K1OU0lWblbeDDEv2K8aj2uiO8g5Ckp9X8Y47Lh9VMPvSOPN6aFyX0s1DDV -fweQtoYGQOmteY/pFDP+K+FV8iBw/wjEVEWflqWUCIOAWBT4w2sJ49KDdi3RGmFk6PSp/JsU -SLGrwUU3YnRiVh2vsK0X5nukWk41jm/1XdvPzEEpMK/RYiSAzGXKvs+UUWFi8g7AHQNfJOl0 -hmB8LYFV7mQOLdbNIVTRB/ImbexKtuLDxU35CIxrJFvg7Ry3ulIZgDgFZEM0D/xu+2tBd28X -GjppOjqp2W6Zwnn4uwqBXMrggtNRVSeGASTDs8WPdwR3PxYKxx237f8J/aC3o2k08q8KbjmR -QVRLlOo1huZxmXpn+SUUKUJ0dqrrQHIEyzGtS/VSRRI+Kj4wiThPOS6zmc/vFaLjl5T69sOA -LS5TJqoGZz7j+GDK2MINkWWNM61SNyzomtdQc2PIICR7TP9zJbOvad1QDfT7kyM1JuhpvV/6 -7XIP/oxk6OfgMT7yHTF6rh+G8UUNt/ZBCYAipcFByCKDwNB5sIkCHAQQAQgABgUCTF1E2gAK -CRBTlEed01JMUcebD/9aEHlc3TtXSGHF/gxVl0zsi3mFM/wibd2n/2Zv2gRrL0Su7BunKEMc -l+7SECKbDzWC3LYucKhjgVuPHSgGakk3ANiXiDw4qFqiYil1Prf/MK8F6RWye00IIG7yZamG -+1kLA5ft7sjO/emappGvW7bicXqgoEsazImSi9ekfYhLFKHn64IR4UjynHibKjoXA+EatPnN -pT+IHnBRRHRq2uaU8ycQoxiwUT8WMPyjlIg7NT+IIYqQm7DRjSTsUoTwhdaMlH7YCbi/dX0y -SlfG0LF/5fdg+MV0h/hPqy6gq2oRouILZlfEGtvv0vBmqagmPP+m4KJ/6/Ikf5ysMtC/NlN7 -exkyj4M8Nl1U07ijha5CQCvn6DyQmy7xT/rmbJ0i1zjZauFmPf1ZaqennMkz2ndC0glSAYIh -d76mDDWGjvszrYpbO7KdJJeiO0LkoSW7fKxgabNm6x5MaPVhcynmjlC8BFbn8xuZQst13Pit -VmFtIDX+SJVFQCK0Ypuw0NhkXx4sRqkBukASSwCRrDxPPWqlg9/Ji9uKjInS7M/y3RDZqwJK -UZqLw2pdlzdAStExWfA3YAX6lI7IrpHMuoPUt+aKNyO6XBLMOGmAGo6LUP8vOvwfkFI72nWL -IgHSbB7MzHLFcMxyb4CvGjpZQzu3VDt7sDIweT4ZqWMuMIxreik+M4kCHAQQAQgABgUCTF8j -ZwAKCRB6j0notjSAvpDND/4nzSbiS1pMCum5H8dhR6odBPIRanEa8fLaltUQCfwG+CXBfuH0 -nguvR07j3oMWLZJ0YqZIfGWy+FRMAqFjkY9Wm35ddEO4fm5O7j662mJn32S7ouAWvMXeZa7i -uhz7pe5o5hxoN9dzr/jD0qNIUwWzCl8C1KC6Gm2Szhnzr4jMM6fxol3i1TIjzqcRACqIFM9k -rJdpHe18XEE0Ao/cNC4bPdPFEqFdDi+zoYXNrHqyCl0FqnWOkq9IVa6Sizy/8+ncgLt7mxpR -CeA6v/N4w55AGlxfS284QzDWUDzAoMzMibhnqoY/3p9xup1tMtOZe+2R6/AOfSa7nB3BSGDi -g3INNT37Xh3OiwYtiGoAPGnBvMdVQYeLd0ySC1cTls+HsXuhfediraNnzRRgioi+r7Ew29Dj -H4O0gWhunw0gqn5NO/0sqQyN5cW70iIjhJlXA2pJYXSLvONRzQ9GmvhYIq+UA89UmriycCBd -u12zi0NfEY85B8qqzFP1c0EJrHclHNm4SuSh/cXFlejRbIiSejp9uCHXQqELSRWzxRWOSy9T -4iARC/twBSE+rJYfCrTMLKZznBzz+FgY/NU91w+teGbKanrKLKjRJtlXanm5kMSVXpmeTnc4 -x46OO8QjHGto4hyaILX+H0+jYcTFZXV1wXPqgevaGLL5fZ2EwfdURZOMI4kCHAQQAQgABgUC -TF80rwAKCRDRXTE4ggBBc1JWD/9xj+Vpx8DaFRrmDwND90I7bFDux0MrxxGZ1NJc0WhF03+t -1rqP5aoqgXTx6UxMHTTQXRk6dNKpqRdWCiacxd9LUpUIFj8QrSE6zwWweW+5e1lCa4cIC69y -AHRN7LwdWV/s8dTbBWxPuCspDXrb3wPNmNaouw76T2Ny5Qwt13PnkaHmoNGIDju8yOpVhcAM -mRIeAHgJn5X3WkMPi9dGfKr94Vv+K1dAKzl1VQ2DHUcS8dVUTqugYcaq1NXeZ8ipacQtTy6o -4+aiY1iBJDvKdH1MxJGsS2EvcXT14r5YzOz+KTwIExlrKK98+3XI/u1L3VkUHqY9rILN03Q+ -cKxX/3dV3j9YDu3mUNL9at+cZ4FjZG/rJ0B/7frBxf9fy+7RnqKHsrr5H7jFK+mZlqyAWqLn -Lxi1kW9tliiEZ5RgqLsYQk/nvvA/hr01rAI/todTvFHV7RIByNQVrp8zBbpmSUhyGaycc3q0 -aNStTXoy6dFS5WLAirq5o0W2zKRbWF6RAZLCwYAz8BAvKfbdDNAjTeXQ1X6kEYxEmsOJL3UQ -UYLUHm8Ko8pPeaFLjMfRNZYVdQhpyLQbKxEDWwmzuAxODTHPa+bWmD2QRP6g/be8ff43L+zW -Ti+1bglSk5xCncsGp5ydPfxYhAQiizIySbmVGV0u+hVPSB+vGJTelgw8p0PMeokCHAQQAQgA -BgUCTGHuTwAKCRBwNzzxKQ25zl+FD/0TkiEx7eq83NaPbkxw4fQGgIfV+ZQHHZPHZxQmWQe5 -Nw+o6jBv4spK4iTQOgfcyZQ9vcNoxDyvFXTPxD1SA9VhJKY/pvZYgFk4chfIAwqsuLhL2B4x -fL7XRU044MIy12YG24mQ6wq4Yp4CLX0J7XTkqF4o5gZ53W2lZ8IBhGee13vY658Ie7OmSwXd -HZwLABOIck59PBOnDQmbIWHw2nO8esxPuCG7A1vJ9oX71PRYGe53310L/vqRWliGwgINI+Lc -ghnn/GIxdBNAQzvn1vrBtLvZB50Ck5WxRZdRyAh29i8IQKVt43X3CeXatFqPke30n1hudgXN -f5zu7aJAHA3TvIghig9L9uZtHUMIZzxSovTF75ACmxfqiCXxS2pxqzJacDpahog4rJ/AZbsG -3787vyhM2zjCiSZIrA2GE53M4M3TQpV8gKAZy54Gdjy2S8FcOiFARFGXVu/l6j3vf2dDrTdI -Hlr+Ta/f2eKfKhyCLT5ShZwem9O10mpDfP/Lznb4kPKygCjT24t/UdY21mvVKwAiXDtkeeSI -LhXVj+I4ddyx4xf5mrH7khCxwDiYKr/sPmzFUg6gHHPsxIMoV/8+DA/VU+x/r2thuSH2rdKp -IuPcN1fLI3R/Buy2Pv3KGHzzOHQyHv2UbfGK5ijKY/lF5Y3RWYynInUcjQLbx9g+V4kCHAQQ -AQgABgUCTGH1OQAKCRB3MfzMY+Tid/cSD/0XD2h3/YcPxSfN1Wc+CRkbtw/14V3lgDOa83Q1 -Gr6GySQZMeZ9NeBIeC03fvlfmQl4EwFebqGR7jsuRRVZ03P9I9fKoPXJhlx/hpbavP8mkAAd -Ye/ziA5xjzIi6j7GIpID9ULMvAW9nwPtL6p0ritjvkfx7EOJ1D30ID5Gn0BzyhgPUKiqLsR9 -zdP11Z4u85ja1cgkVXMl6IEMflMJ/qUonGX51sEGvAC9OfbshoASv9g1cohRJe0MAVG0arWj -KkxekFXTaChVOSuzfavExtlW2eCHy2IH4LVRT2VlOiPA+dyRZuhjBMaRr9raeYnNtB+7SLWu -XeRgMcAiwWdvKSJRIS1H1sVAlP02APy67wBeHEcMrURx0NzAZaw/7XeyPAt7+S00LJNp6qNQ -fnecBTF5LZkfKGIentqjKKN0Ns20lyMuo5TGb2mZSdhlYRixsY/z95STNhsGe3SNzgdSpbG1 -2eB8j+uaoLj9Gjd4UF0uAhfS/xqDXF3MONZX+IjKbGnVx1MMwg/ECPjtfRu0nzm2o3jpYQgU -XlnM/kAjGDcHgWsWyWdKVeMB+bXOwGPl6wDmcAkaj2GoUJP2B2bDnd6QHmtBQSD0jiRmqoXb -ARisPDuTJ7VywYSND/zTkYfBpXh9YLikxYS+Vl+NtLuvILXsyOt9FV5pxNOoWKVbj3X03okC -HAQQAQgABgUCTGdOLwAKCRCzRk+JaqFZSNlnEADIAMz9GZZwdKchx9VqWzsHKetF7ASrZuv0 -5DSzfPH9lxJQZskWDRnLLtTzpSkrMDqueu7bgKE5XIoRcPgIfKoBI/iJBZPQaoxN9aRyxrNa -HM/F3AF2H0hc3fqUyi5+s58C5/El8Bc8oq1ePKGrOWFAFoNTYIvQJ3CNbXfw3tm56TGVKKws -SMiH+9xk2fIBj1m8mSpAwZKo6CMjlVU3Mz3h7DNiEa0yCiESl3USCIBO1dmIRs08DNn+MZyE -oeXSXM+eJtw+GpWGwDflnwOlKDlDj42y4K6pH6BubyfXe9ylb5DI19TV1X3wtvsqyhE+nPuT -4V6j8Bli1YKm/KhwjkXw7KggkStS+6TMlT6EF9f7JiLbDjAqhCZ0eBvgCm/p0/TNL0lBwrf5 -90vD8QpXfnxAprdGR8O9ZEyviUqpw4JRnlRiH7TMBHVDiNCJ0eX53oyFd/TuDSTcvfyp3i2J -GO38NQfoO0u880bpRbCiBsLcZfEAByaXp2hV/9oPEvBP+95GwbnMAR8PlmL8EDzygDElweDc -F11FvcD6pgKQdXPubxeM6vJgcrFEozzW0mLZxXLUlv0n64YUMy/7JVoETPIEFJqAKwsMvaJy -OHJH7ycbs2dTeWNT3KDigSM49VE8ERd7XzyncZUbRk3ZkhGgRAE0Fe1prHPDx86PClBV76hm -hIkCHAQQAQgABgUCTGy/igAKCRDkT4AW02MPibaTD/442P0Qwf27NHs5RV+n/M2CKeG4sZmB -epDU0XjnqjTZJYYcMtKvVJ3EPvB8qh3Y69d+pCy92pE9x+4TXj+59pSYxSaZFacW+3s1884K -BQYe4256NjbVnxQEIStYtS4wRL1xjYBoNnPu1hq+vj+zArQ1pCWjCcM9Wzpl2tUPu7Lat7Os -qB7HnDvgDB/HUbNgpni6EmfrWN3YlbGthnBXfGvAf3nyPwuM++GKs7a7R/6+it/dnPdke3Tb -/aJKAC8YXlUSo4mEqpuBzz4Sk+5wBv+xS0h2GF4z+mnwsMY7ChqlyX1eLqfx+WWdO7V5CuPM -sHMp0WxsCw4x8NPhzBzEPFlYSvYlS2z5M/RMie0g5JuXvs/ajDHZItZYJoVbeRAIVZ5q3ru4 -jR2tuSLQNo8qoqll+u7qA01zeEh3heov+FZXqoe8I1z7XOS6i7ZP745+zdbyRhi2beqEQ6XB -7ub3jSSOUPM+x+LKxXC7bbhKLlAat5256wZnTTKRVNEUuoCFPtUR8FwzwRXl9AOl1Ekmqdfq -M1F9TKYq3dPATHCxw/vV1QrCaIbqdJBAtf7ZLHH9B0sAZ8kudVPQeB+Ghr4KYaSPyX8Vstx6 -tl+qTyuVlkWd26OZo1mFUc9kPej7cjiXtf/XOp2mI73piU4bfTAOBHAopiNiKe25M/75bGso -bAWSh4kCHAQQAQgABgUCTG8qxQAKCRB8Vqz+lHiX2Nc0EACkkjvmLuJz2Wp9Lq0fvdjBhGCp -95dZFpvcBFJfX0rzifUEmbWRp9fiU9P2SJaCy392PL0gEhEi4P7Aos1rRfyXjGhxcy+TYSUA -HaP/jQF59XED6t2ElW8+NnZNQ3NE1NnZ2ivcig09GdxvfV/Ivi3dAjYXslsd0um4pVCEEBlc -lWw9lWRfm1V9/Zmz+/83CNuc6yVGmch9lckcq/1zxqcBE38WyP/cR6nvvuiC4NY9W6e3LobD -eLkagJqFtsThM06Hy2mI3pDsC33nu0Za1tOV1ihJCUTxArZBDqUYWBN7C7hfx6/+IO+as+2Z -hi8bav8mjY9j7chXREqnmJq5uTXGyI0LDuTABn+Sfr8861zPeev56GhS3/gBIsvhEik+Hym1 -1qnvlFhICo6Gq8qtXiJ9KQE+XI/bWZgFuflJdDLWT7V+DUw5+Rdqo3Qay0vHvsto+EMQLCiL -8qLdw3eE5/lVOn9vHPccypGq5saMyS2hdS7yF8x+laj9xfIwMyp3CKTJ892K/NOh+dEhAo4J -ZNw5tHCviE2KVRxDWNjjBOcrpONkp8o/OPe5bxCXVnV5F9oZqHCfWtXc+MTlI4dkk2dPRB3P -JNUnKbSgX4x63th/m6oAB1JJ5DE1iT+fdDre4zBpSI3ILCxegWL4ve+hLHUWS/ubfkJtlO5z -4w4wiLmfPokCHAQQAQgABgUCTG/44AAKCRCdC15bHuyPDso6EADTyj6fKEvSzHFo4caqYOVX -d5kZir9ss0hzplt/csBDosMdW+wO+wxzt7jXXtfPlA0OGoFqCVEtxUGQG4qYHSbCKPd9PEHS -ruWlcqNFAqRBi6k0phM8GeKbE0+B1u0qiyEvuG8IuP+1DlXla3yG4yEUWqprBMjl46OnTd7u -ZKS24zOqnS4Hx9fId3s7bW1JwrVmodbx2rdHDyZKXqCpwXFJsVWe3cbh/h2lXYalDKzwbdcm -rgDZUJp75YxlxerMiTG9Xc/4e+XOs30DKGy2cHAMitswtjXm7ZKZ8yL5pmbmDeP99XASwByB -7Mm6KuvQSA+8ByLmkvu9XBrRq5WUG9Cx3m0Shxy7e74w5/u4LJkqrmr1wdw+gZIvWG3UuTWR -kqJw6rEoiv8WTjJSWE5rTFVaN6YH2OuOFsTWNaUH1bc01HpEKivhk3ZiOOg2Bhxbt7i7oYJc -Y+UHCbC3PwwktM3wEnANz9UMoIFxn/2OHdIWl09t50iaDErTmtgbfkENDdsXEcLA7qs+8vpr -8qY+M7ycCuRat7Vu2dqopwpkhRpKtddoMNYZ5/51vFcSuz9BdCk+y+q06Ri494UPVFJsHTvn -gjtEcxsJopZn4pddzk8g2z69BBWRv31c8xiV5X5QTf9zmRUFD06pux6dn1CUI4zoul5kW0ah -LwQysmqgG40apYkCHAQQAQgABgUCVZLuEQAKCRDroMbHHAAlb97dEAC8oQamwtIj/SWT2PJS -Kl3bdPdQaYI8+9ZL9xXLYyhOl8aduFVMlJ7rqkWSdwg/AGnp8nh/pQiaGsnRweqFoSte3poC -QkNmRR3pgsZ1qqWMxqVrE37R51MSGRBEZq50diQ0sG63tzX7GSnsHXyxDjVfR4J0/ohZzyXn -UubBB8X/C72E8CaxrFAzyrLY0zqJBMzub+b2zg5Ac0V+GK45Iz4duftmvnWf6d9aOvXsPqe9 -/BPbix8l8lCWUjfAPh0sSskI48mIi+jK6rm7+JmsF+9zIoVxlnnlFcmDxMGtapUl73BzpCKI -tbplOogAKpA9/2pcSvf2JO26cjQm2gN7BHGfApB4qYFHb90fmSt7XUQEwxyCbsQyhS7Tb6bN -wI8mTqajGoRZydB8WZVjRgsnnCHa9ecY3Hs1IrTMKM3gl7Kmm1tzbtAK+NMSH0mxPG3dmTbv -NIkjOcgGTYo4r9Qt4Q6rV0zfm43dZs7AP6nECRYyMggEoHHBDh1PaPUjoUsJ4Q/b0R8yvNNC -8defastUYtUkepBJ90FzlIJeMLf/1t/1cYX0or5wfp7DPAGxTx3+5EtyKC2Vk3JltR5QkLaj -blZ2PIq8TTtdDprXJuOtucF33p3SwXRjA59DrxEofOf1B2cAcxvb42QgZ0ToJmfeTz9TfGDS -adTRh+oqbbjogv0A8okCHAQQAQoABgUCTF22EQAKCRBdMo0IKqqxQBAND/sHFnas21+PsxN5 -Uo2Gr6ieI6NqP2347xT3ZAugQFDhobNJkdXexShpW/PAAxN8/JdndFtuF3nNCy6gSt9c+eLx -uZ1srzyE9nZeXne59TDI4+ubXhuu/oXIfj0n2j7m53st6+RI5JJ3SuI9kJTOhIYA+7AHBpZp -XUu+m8sS+Jhyy3h7tqJw4IrwwOfW9/WEwhp3Yb2zDoEBe2Na5whcjFRtCJkJub4YwL3L/D5G -w31dFnTFQV9C8BNmyPfoHiTWRQovejmORLdNOzaHKy9a0c4fF6C92j4s9wR3KM/eaVJxM5bD -NvP78usX8LQY5A6C/3+e7kRo1gzDoDhgYii3gDm5hItXXU0V6sTcFWWVSPGwrm+628G3VWmm -1b57mxWn6+7Yzw01R/CyqEzovFG+M1BZrJn2JqJ8Y4pM7T0oRpi0/Ee9Dqiw4+v5I8wKCTag -713ZLx2IdMQxIsMnmBq/819ZqjKkYpAbgteov/foku+Y8RvymE+afjxcE+aYQpYOyMPNRMRp -Dq6CKkVErPNpI758Eav7UqUi5KyfMQ6tMh09F+mKBZvAVE7AGIbrQWhHlTCOYdSRA7uFtgSX -TUQlMSsj/2xkorXaPoFqShOr1hiWIG78zduIGT5FxSG06j8h7j2h6W7nCj0rYaOzDNOBM9yt -3il8eu9SeAgl2cEosRL/4IkCHAQQAQoABgUCTF5RxAAKCRA5FLUy9N++mdKJD/9Lclk6nEQu -xlcgA/0ugEKmWn5JsNnq8ZUl78nZP6fKY0syx9v4bMA+ICQrokfwY4o6dMxcj2Us6JUp/FBV -Z5lo2T2iPE+ucxobFslNdpZtzOQGOsOJ0N7qirafFXJ7ACtydbnCUaPfzkPYwwplHFqT+yQH -k4RxBysHWw9a9YoBMl9KFjIwZ7Q8v0x4ywySwfRAKEzFp+ESP+hDwhlOqTBKFL1/P54lmbhG -JHDCNbwxGLIjiAeCjomyoxpg5YdSZVyWttmsy1rxMV+ndERK5vELfZYqdlhL0quVPzd1L+g0 -m2iA4QdeGfqrCxex7olq1su60PFrMee2wFzH8YEYY70nCi6/JRTb/Vk0wNqgyNjKY434EzHn -liuyhFvsTkQy+ciegx1lQixRxJfVnyz1BkHNDd37qL9lbzPwVqLhhh7jkjW8koPbExQGjVcH -St2HCGDcAxyOJK9sG5a2GxPn1K/SzHXWwhVCSQN7sJSkpNmRNgjpJdOTnEtsfRC7keUEG853 -cKtWtqJw38/ye6RbXXHM9y4oiLkSWLneGH3sQFtbmdtjubLQNXE7rfuUHarwCnVHV5FaeAn9 -FNBoo9MCAZL1cuxe7CR/awAuH/JAkuZOanj2jFwvqeyfNgsB/LIlHIBTLPwVXDOZ3E7+KUMJ -lQ45DOfhGPOSzv3QTL4gP6lcvIkCHAQQAQoABgUCTGWvlAAKCRAyJH+7QK0fpgPsD/9gJRwY -37FXgq6tqiUO+q8H1m+VQ4y64cKNA/SMOGxV04h7o5tC3B9D/ZghAyfQ71Li88PIk8n7PAV0 -Wnbv+V/9kawa7C7Bfq4OJOGzMU0Y0JPd6LnupBtq+jtE9H1TLneCiBu05bjeLSQde438Or9w -SV0sLwqKncwqRJY8iIjz9O44X+6+6p4CqdMYmsZV9nGM+cES6uytQ/sB/mh5PutZahslWurz -ouec1uqTY4uuGNwOz+MJvYUNPyajcgtpH8JNQ0phlUvV+nAOJuiNXBHw8MbxNzTdLfsdtdpy -zRH6NAMN3QHrtEGAQ8XgFnCtu6BEPpgOQIB1pMw9OiRMhkcu9uCNCY5p9NMhL1tEx92DkSyW -lmFIF/h1Ohd4yaxnn9jwTVxxhdAxqK0rIORy+sHUSuc5LrtItNe+AnTvQeY7MRgZwJuCCohQ -L3OLXULZajB98g6cZQJmNmtdUeqMY/QymIOH8IoY3SCOws4h4QZSSVxNczo2Ag5R5QKSpBA6 -jjsFo/VHUX0wB/KbJTb1Hl2vtID20kR7MfzACFTI9AEbwvG6CX7oWsnciom7bHEiyHWR4Olp -tlpQk2RQ4T3RG8r9kDgJuX6KmDH6uI9CdYTuBxQgIfpEm+tfSki3LVfnOKgkRDqAJciBv+ua -qeW7KSjNDpBC4u8pn9tyX8RhpYUP7IkCHAQQAQoABgUCTGwP9AAKCRB4U9pNSYga09OUD/9X -xTiFFzcuev5k8MtYx7+T30Z549gFnOx6GdFgCK7GzW7ZjnofKt8e0NIQmzzCf0g1vxdulqeZ -7Oh8iFrxpPZyOKJoO2BDKS9VnYEANQf+quUJPTdyhGqdMSDQGbSEqjLF3oNp/+jdIIMjuo3Q -nShdK/BJPcluN7AoOFLQ3QH4Q5fEbtwc+bEJL9TfFqAhUhcY3TYnqWtsMRW3tkrgCvcp0Bo7 -LMSJB6jH4Dx5q60Am4V1Zz7C9wxtZeZP+P0h0YYWCbOmQWhzT2aCRYDrp1o3SsuatHm/bPkv -rliBzslW8i5Hh3gv5Atn/P5bhMaXtJiGepkat/MGw1hP8BYaSb/mmy9XbdMlfDijcsAF2+w6 -w1b782oCGXgz2ISqPLsFYWccS4GOAwSytep22iwsWpIx2JNNndg4GVfgBxx3QIhci7EVN5Pv -/586PwxTetIZmQ+FNNHcAzqBzi3oe6J8o7HlMEHjG6Dps/D2clTNHtD0vSk5ECfhSC3W8OAD -VSuB8NxZVfI2UfnyCsdjyDLUu06fMR4gNW+zlSHI1FJBSVuU8CCQOtMPJ5fHPq3hEc0DFyLx -8fPE02n8It0wm5RrdUkgOjiVK2n251SyAwSM6zATCFOIt6zdZWx6T/HrJw5wzI+wgsZHibVt -i0vOA0GsAXzobE5yyhhWTnhqJgW2vKNHjYkCIgQQAQoADAUCTGLdPgWDCWYBgAAKCRDM0u2U -0hc56aYKD/4gPLkcER4nlKdsMN5x4MuUjBbv/+Hab1+hSDxEiA0Ya2Lt3J64y03fz7J1RzIB -djH2QGhdvuZtEohiad44DUdLNGJ98q7PPll2KPeuuth+bDa3P4h8ynVbCJRSmIkSVCRG90eE -AibHWOgTNOmn48Rwq5zMEgwNvmgsX7ZRm7Mwggt24LIK93iBMqH7WqS1CujF+WqQygpk671e -GUIWSUc/iBmaHZ/yoElL5cSBSPHm+ePyQsPSN7ooaWfodXXTADpQN4d5Tl1WzwZT8G5cRVLP -4CZ4sqbzJ9EKWFMlohcf3ibT4r8H5ij8btgq0TvNcoMvCbO2P94KChQWxQSwJRftJ9/GPPo1 -7zK7pXGK1QMZNMYhvbYSdcbxG/AsmC4qJb4NVdrrxBiEye41+M+nQiT7g2GbbJ9gBCv8k7lH -iw3B+KfNoAkQ2v2CaVMrguQuzxCs8Zpl7iKuFG+d3SGqnn8rRrRPE5AOlSk6bOr22jLyGsns -URt6Mvh5QyVrk0G/6YW/5IMIVNuS/i12m6ireKvpPBkUIkNlS938vNqZ4LnsZ/+gBlZqmY8H -sZEt6Wfq7efDBw8z1FLRW58xOqCY0vh4tteFJkcY1LgzK5GUddIHfYcO/Y6p/3/Vq1/ao4VJ -Jq+HSIsqrdW1nF3EDSbwyy96uAdxuhfZLxSgRugCKyyOk4kCNwQTAQgAIQIbAwIeAQIXgAUC -Sgdo4AULCQgHAwUVCgkICwUWAgMBAAAKCRBEl1J4uGErXaQAD/9wcX8JM24NI9mCjnHOGOuV -eo/1Z9sefzYvhlbbTWvJsEdt5eaL0FRl+kErHtwNyEqvOTAmt860GrpekjkFYQObCsmDOiEy -i+vJBScub9YK6TJSOQJ7f7zyIwzHgvilktujiS+/YDqd1IEyxD3QxQ9PTdjcQX/Z7enfBeei -sBFfgRwbH32p5EtdwovrmBYtgyXUqp+lSg9kG3vvdj0bt/Fkq7Es1eEW8Sp9QqaBpo2fuzNS -rojYfZu68coreRIV/nhuA7/ehjiVXlvzi3su+0ybJwGZXLXaM7kxXoYm5i8NDxp4p+7laXe2 -J6HUuIQM5ea4NuPu9BKIpKGxqNXQE+n4tmX3lp6QwXuZShwOXjSFsKxXvipKI4sAkxPfrPFa -xzz/EDqUf9lzCBZ5nl6+OLv+GyTz6Meq1NGIX1N7u6XBPtdCujVbKzXd5PbEk0Y00skLFcQ4 -9FwAwDFw1XIPljQ6WttsQlV6k0yoVJZc6HHovnV1zGDviSyUdegDX9uKBmgGG8ApliPLvZ6r -haU4yHykFHBMPfwBNBwrmthTShdPS7xh4bz5xYlay9wm2CzIVB6muK8PIyTrRfouuFivJuYA -zoEcPBbubalC3OCocLl2xv+Qb5G7cz2hTDx9JZXUD18IeG2A2mcLeGp1zTc1qz/7h9qa0TLe -fWpC75exhIgXVrkCDQRKB2tdARAAqsQbw2Qd1WfbJr9U1KRdwTKm2OsDODftgNv0zmfaiYCN -iOKEsrsJdtonmaisMi+Z+5/wrf3Q0bV54qmwOMTlCVvqnpxwbVik8VVGWgUcLJYYK5Lkn0dz -rtZs6AaT/sbFewir8q6m3ADbq9hTXxt9uUfe5Z/D4sdbhgbWtQa/DeJwWZr6VeyCHcY8BhR0 -FXYmYDZ0c1rmbZZBt+vIF4UNTNU4x6me9va6QPW0nWTEjae9ExGSPwm1B4hQd63Nop6E2Vqu -ahdJqKVRYYmD/IqVXOxAhFRA/w9vqF95aV2BB/ZrF0FTA8iCEbFy3oNrZfq8KlJRCtcUH2qf -igMndOt8P65omM1DQhlvterVgm2PCb1GmwLEbMi+HtLntziFozYGLTlAMcUJt7Pyu/iinzx6 -Sc4U108dmNTJLxqSZtvJFaRyHml9x7oP2gWjpuyVgo1KuEXKq2Z96S+sxE/YtPyB/cBpazZ+ -+o/i7PLhxKa1RTIA8NgkDelWeNalvYzjNkB+tXeH0UnxtBTC+PW8dyUP8OmmM/2V1Dzcj9Tm -Ky/G04TFQyL1NjvFjzXyIUO5WpdEbSs04h5J3KM6YZJlicqB2aKAUslOi9wUIpKRK+UZBTSj -886jynsu+HA1Ob6tcTSlwtj95RV7nBTiTM6MpPuxTmZ2DR/vLE6c7yE+XgrOx9EAEQEAAYkC -HwQYAQgACQUCSgdrXQIbDAAKCRBEl1J4uGErXVFeD/9Q2vtN0FeOiveLwN4KAFbMLZP97bT/ -sRJkQQUZoawfbINwzGDuFrZSsWipoBLam6BnMH6OfHkUOrCToZROHYagW/nv/WTjBTX8lJt8 -SFhHh4ONPBaxF90z/YrpWlNcs/z/rqu+sm1KgCA9mkheENGOj3t97udZNfA1N4NZu67Lo6HZ -yUUCK+eJtX6BS2HgMGokHuGha/LokTor1lkl52Y3CVfds9YDrJmlSQVhxI/S6/IajLwKFyHd -pMiK/o8q3mYuZ7JKCBOooNnRpa4myUrBetf1p6xZqbhEAALMFJc7/8NXxesqvG7RQJ7VWyYO -5BhgzPutqTUOVZskc3r4cvaB7CT1CsKPdW+af/I8q/C7dhTWWthirPN4DCdcTIlK9ECpba+m -S7MQG/3ta7+/3lT3yyMKlhLkAaUlUNa/VbzUHOlVA1txJk6jcuEzWIzebEtoT/aYJZwNE+jL -CFOC75HTGlxp7/8ngHCXn1rcBS9TQJ7CGX31HhbmNak0LtzhAS4B+fWQLrFfShTREcYD+31z -yLns4jIKY8dehPner0Y8RX31/0eQOknRwRSl6uceu/6liJT23KHYzT3FPGHuK2QH6AHnORGS -g6FmBsbXSzosQOKWE3sO0dzjPIE6DRKwZIJmqQKvHqeAvPsC0U7JBWlKl0eMoIuDjp9qFDKz -BWcdiQ== -=iUyJ ------END PGP PUBLIC KEY BLOCK----- diff --git a/php/tasks/config_apache.yml b/php/tasks/config_apache.yml index 4ddc8448..addab08c 100644 --- a/php/tasks/config_apache.yml +++ b/php/tasks/config_apache.yml @@ -33,7 +33,7 @@ ; Put customized values here. ; default_charset = "ISO-8859-1" mode: "0644" - force: no + force: false - name: "Set custom values for PHP to enable Symfony" community.general.ini_file: diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml index 506a1077..e7084d9b 100644 --- a/php/tasks/config_cli.yml +++ b/php/tasks/config_cli.yml @@ -17,10 +17,10 @@ dest: "{{ php_cli_custom_ini_file }}" content: | ; Put customized values here. - force: no + force: false # This task is not merged with the above copy -# because "force: no" prevents any fix after the fact +# because "force: false" prevents any fix after the fact - name: "Permissions for custom php.ini for CLI" ansible.builtin.file: dest: "{{ php_cli_custom_ini_file }}" diff --git a/php/tasks/config_fpm.yml b/php/tasks/config_fpm.yml index 9fc1cc33..690c050e 100644 --- a/php/tasks/config_fpm.yml +++ b/php/tasks/config_fpm.yml @@ -32,10 +32,10 @@ dest: "{{ php_fpm_custom_ini_file }}" content: | ; Put customized values here. - force: no + force: false notify: "restart {{ php_fpm_service_name }}" -- name: Set default PHP FPM values +- name: Set default pool (www) config values community.general.ini_file: dest: "{{ php_fpm_default_pool_file }}" section: www @@ -57,7 +57,9 @@ - { option: "pm.status_path", value: "/fpm_status" } - { option: "request_terminate_timeout", value: "60s" } notify: "restart {{ php_fpm_service_name }}" - when: ansible_distribution_major_version is version('9', '>=') + when: + - ansible_distribution_major_version is version('9', '>=') + - php_fpm_override_default_pool - name: Custom PHP FPM values ansible.builtin.copy: @@ -66,7 +68,7 @@ ; Put customized values here. ; default_charset = "ISO-8859-1" mode: "0644" - force: no + force: false notify: "restart {{ php_fpm_service_name }}" - name: "Set custom values for PHP to enable Symfony" diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml index ef4d3c7e..d529ec53 100644 --- a/php/tasks/sury_post.yml +++ b/php/tasks/sury_post.yml @@ -4,7 +4,7 @@ ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" - force: yes + force: true state: link loop: - { src: "{{ php_cli_defaults_ini_file }}", dest: "/etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini" } @@ -19,7 +19,7 @@ ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" - force: yes + force: true state: link loop: - { src: "{{ php_apache_defaults_ini_file }}", dest: "/etc/php/7.4/apache2/conf.d/z-evolinux-defaults.ini" } @@ -36,7 +36,7 @@ ansible.builtin.file: src: "{{ item.src }}" dest: "{{ item.dest }}" - force: yes + force: true state: link loop: - { src: "{{ php_fpm_defaults_ini_file }}", dest: "/etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini" } diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 1f04b661..d38efe13 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -6,6 +6,14 @@ state: present when: ansible_distribution_major_version is version('10', '<') +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: copy pub.evolix.org GPG key ansible.builtin.copy: src: pub_evolix.asc @@ -49,7 +57,8 @@ ansible.builtin.template: src: sury.sources.j2 dest: /etc/apt/sources.list.d/sury.sources - state: present + mode: "0644" + force: true register: sury_sources when: ansible_distribution_major_version is version('12', '>=') diff --git a/policy_pam/defaults/main.yml b/policy_pam/defaults/main.yml new file mode 100644 index 00000000..fb8075ac --- /dev/null +++ b/policy_pam/defaults/main.yml @@ -0,0 +1,37 @@ +--- + +# PAM -- pam_pwquality +# Ensure password meet a given quality/complexity requirement +policy_pam_pwquality: false + +# Configuration settings for pam_pwquality +# For more in depth info, see man pam_pwquality(8) + +# Minimum password lengh/credit +policy_pam_pwquality_minlen: 16 + +# Credits values for char types +# Value : Interger N with : +# N >= 0 - Maximum credit given for each char type in the password +# N < 0 - Minimum number of chars of given type in the password +# digit chars +policy_pam_pwquality_dcredit: -1 +# uppercase chars +policy_pam_pwquality_ucredit: 0 +# lowercase chars +policy_pam_pwquality_lcredit: -1 +# other chars +policy_pam_pwquality_ocredit: -1 + + +# PAM -- pam_pwhistory +# Prevent old password re-use +policy_pam_pwhistory: false + +# How many old passwords to retain +policy_pam_pwhistory_length: 5 + +# How (days) old the password should be before allowing user to change it's password +# It is to prevent circumvention of pam_pwhistory +# Set to 0 to disable +policy_pam_password_min_days: 0 \ No newline at end of file diff --git a/policy_pam/meta/main.yml b/policy_pam/meta/main.yml new file mode 100644 index 00000000..5da132b9 --- /dev/null +++ b/policy_pam/meta/main.yml @@ -0,0 +1,27 @@ +--- +galaxy_info: + author: Evolix + company: Evolix + description: Add repositories to APT sources list. + + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: "2.10" + + platforms: + - name: Debian + versions: + - bullseye + - buster + - stretch + + galaxy_tags: [] + # Be sure to remove the '[]' above if you add dependencies + # to this list. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/policy_pam/tasks/main.yml b/policy_pam/tasks/main.yml new file mode 100644 index 00000000..a2746011 --- /dev/null +++ b/policy_pam/tasks/main.yml @@ -0,0 +1,104 @@ +--- + +# System compatibility check. +# Untested on old (Jessie & older) Debian versions +- name: "System compatibility check" + ansible.builtin.assert: + that: + - ansible_distribution == "Debian" + - ansible_distribution_major_version is version_compare('9', '>=') + msg: pam_policy is only compatible with Debian >= 9 + +# yescrypt, Debian 11 default hashing alg isn't present on Debian 10 and lower +- name: "Set hashing alg (sha512 - Debian <= 10)" + ansible.builtin.set_fact: + pam_policy_hashing_alg: 'sha512' + when: + ansible_distribution_major_version is version_compare('10', '<=') + +- name: "Set hashing alg (yescrypt - Debian >= 11 )" + ansible.builtin.set_fact: + pam_policy_hashing_alg: 'yescrypt' + when: + ansible_distribution_major_version is version_compare('11', '>=') + + +# PAM -- pam_pwquality + +- name: libpam-pwquality is installed + ansible.builtin.apt: + state: present + name: + - libpam-pwquality + - cracklib-runtime + when: policy_pam_pwquality + +- name: Enable pam_pwquality + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: '^password\s+requisite\s+pam_pwquality.so' + line: "password requisite pam_pwquality.so retry=3" + insertafter: '(the "Primary" block)' + when: policy_pam_pwquality + +- name: Disable pam_pwquality + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: '^password\s+requisite\s+pam_pwquality.so' + state: absent + when: policy_pam_pwquality is false + +- name: Configure pam_pwquality + ansible.builtin.replace: + dest: /etc/security/pwquality.conf + regexp: "^#? ?{{ item.name }} = .*" + replace: "{{ item.name }} = {{ item.value }}" + with_items: + - { name: minlen, value: "{{ policy_pam_pwquality_minlen }}" } + - { name: dcredit, value: "{{ policy_pam_pwquality_dcredit }}" } + - { name: ucredit, value: "{{ policy_pam_pwquality_ucredit }}" } + - { name: lcredit, value: "{{ policy_pam_pwquality_lcredit }}" } + - { name: ocredit, value: "{{ policy_pam_pwquality_ocredit }}" } + when: policy_pam_pwquality + + + +# PAM -- pam_pwhistory + +- name: Enable pam_pwhistory + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: '^password\s+required\s+pam_pwhistory.so' + line: "password required pam_pwhistory.so remember={{ policy_pam_pwhistory_length }} {{ 'use_authtok' if policy_pam_pwquality}}" + insertbefore: 'pam_unix.so' + when: policy_pam_pwhistory + +- name: Disable pam_pwhistory + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: '^password\s+required\s+pam_pwhistory.so' + state: absent + when: policy_pam_pwhistory is false + +# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes +- name: Change PASS_MIN_DAYS + ansible.builtin.replace: + dest: /etc/login.defs + replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}' + regexp: '^PASS_MIN_DAYS(\s+).*' + + +# PAM -- pam_unix +- name: Update pam_unix if previous modules were enabled + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: 'pam_unix.so obscure' + line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass {{ pam_policy_hashing_alg }}" + when: policy_pam_pwhistory or policy_pam_pwquality + +- name: Update pam_unix if previous modules are all disabled + ansible.builtin.lineinfile: + dest: /etc/pam.d/common-password + regexp: 'pam_unix.so obscure' + line: "password [success=1 default=ignore] pam_unix.so obscure {{ pam_policy_hashing_alg }}" + when: policy_pam_pwhistory is false and policy_pam_pwquality is false \ No newline at end of file diff --git a/postfix/files/spam.sh b/postfix/files/spam.sh index 10d5e62a..29dc0b40 100644 --- a/postfix/files/spam.sh +++ b/postfix/files/spam.sh @@ -1,87 +1,99 @@ #!/bin/bash #set -x - umask 022 -tmp_file=$(mktemp) +tmp_dir="/tmp/spam_sh" +mkdir -p "${tmp_dir}" +data_url="http://antispam00.evolix.org/spam" +rc=0 -tmp=$(mktemp -d) +function is_installed { + dpkg -l "${1}" 2>&1 | grep -v "no packages found matching" | grep -q ^ii +} -if [ -f $tmp_file ] ; - then rm $tmp_file ; -fi +function is_new { + # Check whether a file name provided as argument has been changed remotely + cd "${tmp_dir}" + wget -q -t 3 "${data_url}/${1}.md5" -O "${1}.md5.new" + if ! [ -e "${1}.md5" ] || ! cmp -s "$1.md5" "${1}.md5.new"; then + return 0 + fi + return 1 +} -sleep $[ $RANDOM / 1024 ] +function download { + cd "${tmp_dir}" + wget -q -t 3 "${data_url}/${1}" -O "${1}" + wget -q -t 3 "${data_url}/${1}.md5" -O "${1}.md5" +} + +function check_integrity { + cd "$tmp_dir" + md5sum -c "${1}.md5" > /dev/null && [ -e "${1}" ] +} + +function cleanup { + rm -f /etc/postfix/header_kill.db + rm -f /etc/postfix/header_kill_local.db + rm -f "$tmp_dir"/*.md5.new +} # Postfix -cd $tmp - -wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file -cp $tmp_file /etc/postfix/client.access -rm $tmp_file - -wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file -cp $tmp_file /etc/postfix/sender.access -rm $tmp_file - -wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file -cp $tmp_file /etc/postfix/recipient.access -rm $tmp_file - -wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file -cp $tmp_file /etc/postfix/header_kill -rm $tmp_file - -wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access -wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file -if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then - cp sa-blacklist.access /etc/postfix/sa-blacklist.access -fi -rm sa-blacklist.access -rm $tmp_file - -/usr/sbin/postmap hash:/etc/postfix/client.access -/usr/sbin/postmap hash:/etc/postfix/sender.access -/usr/sbin/postmap hash:/etc/postfix/recipient.access -/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access - -wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr -wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file -if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then - cp spamd.cidr /etc/postfix/spamd.cidr -fi -rm spamd.cidr -rm $tmp_file - +postfix_dbs="client.access sender.access recipient.access header_kill sa-blacklist.access spamd.cidr" +for db in ${postfix_dbs}; do + if is_new "${db}"; then + download "${db}" + if check_integrity "${db}"; then + cp "${tmp_dir}/${db}" /etc/postfix/ + if [ "${db}" != "header_kill" ]; then + /usr/sbin/postmap -r "/etc/postfix/${db}" + fi + else + >&2 echo "Integrity check failed for new ${db}." + rc=1 + fi + fi +done # SpamAssassin -cd $tmp -wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf -wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file -if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then - dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin - dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null - if [ -d /etc/spamassassin/sa-update-hooks.d ]; then +sa_db="evolix_rules.cf" +if is_installed spamassassin; then + if is_new "${sa_db}"; then + download "${sa_db}" + if check_integrity "${sa_db}"; then + cp "${tmp_dir}/${sa_db}" /etc/spamassassin/ + /etc/init.d/spamassassin reload > /dev/null + if [ -d /etc/spamassassin/sa-update-hooks.d ]; then run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d + fi + else + >&2 echo "Integrity check failed for ${sa_db}." + rc=1 fi + fi fi -# ClamAV -cd $tmp -wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb -wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file -dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb -if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then - dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/ -fi -wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb -wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file -dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb -if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then - dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/ -fi -dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null -rm $tmp_file +cleanup -rm -rf $tmp +exit "${rc}" + +# Commenté car fichiers plus maintenus (cf. Reg) +## ClamAV +#cd $tmp +#wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb +#wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file +#dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb +#if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then +# dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/ +#fi +#wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb +#wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file +#dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb +#if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then +# dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/ +#fi +#dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null +#rm $tmp_file +# +#rm -rf $tmp diff --git a/postfix/tasks/minimal.yml b/postfix/tasks/minimal.yml index f8ea1b0b..36327b3e 100644 --- a/postfix/tasks/minimal.yml +++ b/postfix/tasks/minimal.yml @@ -13,7 +13,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart postfix when: (postfix_force_main_cf | bool) or (postfix_maincf_md5_jessie in default_main_cf.stdout) or (postfix_maincf_md5_stretch in default_main_cf.stdout) tags: diff --git a/postfix/tasks/packmail-spam.yml b/postfix/tasks/packmail-spam.yml new file mode 100644 index 00000000..114be769 --- /dev/null +++ b/postfix/tasks/packmail-spam.yml @@ -0,0 +1,39 @@ +--- +- name: "mount /usr in rw" + ansible.builtin.command: + cmd: 'mount -o remount,rw /usr' + changed_when: False + tags: postfix + +- name: copy spam.sh script + ansible.builtin.copy: + src: spam.sh + dest: /usr/share/scripts/spam.sh + mode: "0700" + tags: postfix + +- name: Check if cron is installed + ansible.builtin.shell: + cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" + executable: /bin/bash + check_mode: no + failed_when: False + changed_when: False + register: is_cron_installed + tags: postfix + +- name: enable spam.sh cron + ansible.builtin.lineinfile: + dest: /etc/cron.d/spam + line: "42 * * * * root /usr/share/scripts/spam.sh" + create: yes + state: present + mode: "0640" + when: is_cron_installed.rc == 0 + tags: postfix + +- name: update antispam list + ansible.builtin.command: + cmd: /usr/share/scripts/spam.sh + changed_when: False + tags: postfix diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index be0b075e..6562e0d3 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -18,11 +18,11 @@ group: www-data mode: '0755' -- name: make sure a service Mailgraph is running +- name: make sure a service Mailgraph is running and enabled ansible.builtin.systemd: name: mailgraph.service + enabled: yes state: started - enabled: true - name: create packmail main.cf ansible.builtin.template: @@ -31,7 +31,7 @@ owner: root group: root mode: "0644" - force: yes + force: true notify: restart postfix when: (postfix_force_main_cf | bool) or (postfix_maincf_md5_jessie in default_main_cf.stdout) or (postfix_maincf_md5_stretch in default_main_cf.stdout) tags: @@ -50,7 +50,7 @@ ansible.builtin.copy: src: filter dest: "/etc/postfix/{{ item }}" - force: no + force: false loop: - virtual - client.access @@ -99,42 +99,5 @@ tags: - postfix -- ansible.builtin.include_role: - name: evolix/remount-usr - tags: - - postfix +- ansible.builtin.include: packmail-spam.yml -- name: copy spam.sh script - ansible.builtin.copy: - src: spam.sh - dest: /usr/share/scripts/spam.sh - mode: "0700" - tags: - - postfix - -- name: Check if cron is installed - ansible.builtin.shell: - cmd: "set -o pipefail && dpkg -l cron 2>/dev/null | grep -q -E '^(i|h)i'" - executable: /bin/bash - check_mode: no - failed_when: False - changed_when: False - register: is_cron_installed - -- name: enable spam.sh cron - ansible.builtin.lineinfile: - dest: /etc/cron.d/spam - line: "42 * * * * root /usr/share/scripts/spam.sh" - create: yes - state: present - mode: "0640" - when: is_cron_installed.rc == 0 - tags: - - postfix - -- name: update antispam list - ansible.builtin.command: - cmd: /usr/share/scripts/spam.sh - changed_when: False - tags: - - postfix diff --git a/postfix/templates/evolinux_main.cf.j2 b/postfix/templates/evolinux_main.cf.j2 index 5d298f1d..b9464669 100644 --- a/postfix/templates/evolinux_main.cf.j2 +++ b/postfix/templates/evolinux_main.cf.j2 @@ -24,7 +24,7 @@ smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_una {% if postfix_slow_transport_include == True %} # Slow transports configuration -minimal_backoff_time = 2h +minimal_backoff_time = 15m maximal_backoff_time = 6h maximal_queue_lifetime = 4d queue_run_delay = 100s diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index b803389e..65c95866 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -120,6 +120,9 @@ virtual_mailbox_base = / #par defaut, = all #inet_interfaces = all +# Envois seulement en IPv4 +inet_protocols = ipv4 + # Adresse IP externe du firewall/proxy si derriere NAT ou proxy # evite principalement les boucles si MX secondaire et MX primaire indisponible #par defaut, = @@ -410,16 +413,19 @@ broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth-client -# Amavis and OpenDKIM +# Amavis content_filter = smtp-amavis:[127.0.0.1]:10024 smtp-amavis_destination_concurrency_failed_cohort_limit = 0 +smtp-amavis_destination_concurrency_negative_feedback = 0 +smtp-amavis_destination_concurrency_limit = 2 + +# OpenDKIM smtpd_milters = inet:[127.0.0.1]:8891 non_smtpd_milters = inet:[127.0.0.1]:8891 -smtp-amavis_destination_concurrency_failed_cohort_limit = 0 {% if postfix_slow_transport_include == True %} # Slow transports configuration -minimal_backoff_time = 2h +minimal_backoff_time = 15m maximal_backoff_time = 6h maximal_queue_lifetime = 4d queue_run_delay = 100s diff --git a/postgresql/tasks/config.yml b/postgresql/tasks/config.yml index 87091b8f..2f735df0 100644 --- a/postgresql/tasks/config.yml +++ b/postgresql/tasks/config.yml @@ -9,7 +9,7 @@ ansible.builtin.copy: src: postgresql.service.override.conf dest: /etc/systemd/system/postgresql@.service.d/override.conf - force: yes + force: true mode: "0644" notify: - reload systemd diff --git a/postgresql/tasks/locales.yml b/postgresql/tasks/locales.yml index 30d21001..7446b485 100644 --- a/postgresql/tasks/locales.yml +++ b/postgresql/tasks/locales.yml @@ -8,7 +8,7 @@ state: present loop: - "fr_FR.UTF-8" - become: yes + become: true notify: reconfigure locales - name: set default locale diff --git a/postgresql/tasks/logrotate.yml b/postgresql/tasks/logrotate.yml index 55adc5bd..dbe66bb8 100644 --- a/postgresql/tasks/logrotate.yml +++ b/postgresql/tasks/logrotate.yml @@ -3,4 +3,4 @@ ansible.builtin.copy: src: logrotate_postgresql dest: /etc/logrotate.d/postgresql-common - force: no + force: false diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml index a4d1ef49..a78c249b 100644 --- a/postgresql/tasks/nrpe.yml +++ b/postgresql/tasks/nrpe.yml @@ -29,7 +29,7 @@ - block: - name: Create nrpe user - become: yes + become: true become_user: postgres community.postgresql.postgresql_user: name: nrpe diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index e9f25307..7df2a722 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -8,11 +8,19 @@ - ansible.builtin.meta: flush_handlers +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + - name: Add PGDG GPG key ansible.builtin.copy: src: postgresql.asc dest: "{{ apt_keyring_dir }}/postgresql.asc" - force: yes + force: true mode: "0644" owner: root group: root @@ -35,7 +43,7 @@ - name: Update APT cache ansible.builtin.apt: update_cache: yes - when: elastic_sources is changed + when: postgresql_sources is changed - name: Add APT preference file ansible.builtin.template: diff --git a/postgresql/templates/postgresql.pref.j2 b/postgresql/templates/postgresql.pref.j2 index 5d252e05..3bf16cb2 100644 --- a/postgresql/templates/postgresql.pref.j2 +++ b/postgresql/templates/postgresql.pref.j2 @@ -1,3 +1,8 @@ Package: postgresql-{{ postgresql_version }} postgresql-client-common postgresql-common libpq5 ptop Pin: release a={{ ansible_distribution_release }}-pgdg Pin-Priority: 999 + +Package: * +Pin: release a={{ ansible_distribution_release }}-pgdg +Pin-Priority: 1 + diff --git a/proftpd/tasks/main.yml b/proftpd/tasks/main.yml index ce292ad5..26dcfb85 100644 --- a/proftpd/tasks/main.yml +++ b/proftpd/tasks/main.yml @@ -76,7 +76,7 @@ ansible.builtin.copy: src: vpasswd dest: /etc/proftpd/vpasswd - force: no + force: false notify: restart proftpd tags: - proftpd diff --git a/rabbitmq/tasks/main.yml b/rabbitmq/tasks/main.yml index f485bc1f..d78c70fd 100644 --- a/rabbitmq/tasks/main.yml +++ b/rabbitmq/tasks/main.yml @@ -10,7 +10,7 @@ owner: rabbitmq group: rabbitmq mode: "0600" - force: no + force: false - name: Create rabbitmq.config ansible.builtin.copy: @@ -19,7 +19,7 @@ owner: rabbitmq group: rabbitmq mode: "0600" - force: no + force: false - name: Adjust ulimit ansible.builtin.lineinfile: diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index f491a68c..d181b07c 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -23,7 +23,7 @@ owner: root group: root mode: "0755" - force: yes + force: true when: ansible_distribution_major_version is version('11', '<=') - name: check_rabbitmq (Python 3 version) is installed @@ -33,7 +33,7 @@ owner: root group: root mode: "0755" - force: yes + force: true when: ansible_distribution_major_version is version('11', '>=') - name: check_rabbitmq is available for NRPE diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 4362c5db..abd39e12 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -13,6 +13,7 @@ - libxslt1-dev - zlib1g-dev - pkg-config + - libyaml-dev state: present tags: - rbenv @@ -33,9 +34,9 @@ dest: '{{ rbenv_root }}' version: '{{ rbenv_version }}' accept_hostkey: yes - force: yes + force: true become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -48,7 +49,7 @@ create: yes loop: '{{ rbenv_default_gems }}' become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -57,7 +58,7 @@ path: '{{ rbenv_root }}/plugins' state: directory become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -67,10 +68,10 @@ dest: '{{ rbenv_root }}/plugins/{{ item.name }}' version: '{{ item.version }}' accept_hostkey: yes - force: yes + force: true loop: "{{ rbenv_plugins }}" become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -82,7 +83,7 @@ export PATH="{{ rbenv_root }}/bin:$PATH" eval "$(rbenv init -)" become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -94,7 +95,7 @@ check_mode: False register: ruby_installed become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -103,7 +104,7 @@ cmd: /bin/bash -lc "TMPDIR=~/tmp rbenv install {{ rbenv_ruby_version }}" when: ruby_installed.rc != 0 become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -115,7 +116,7 @@ failed_when: False check_mode: False become_user: "{{ username }}" - become: yes + become: true tags: - rbenv @@ -124,6 +125,6 @@ cmd: /bin/bash -lc "rbenv global {{ rbenv_ruby_version }} && rbenv rehash" when: ruby_selected.rc != 0 become_user: "{{ username }}" - become: yes + become: true tags: - rbenv diff --git a/redis/tasks/default-munin.yml b/redis/tasks/default-munin.yml index 44c45011..bdbe47d2 100644 --- a/redis/tasks/default-munin.yml +++ b/redis/tasks/default-munin.yml @@ -13,15 +13,7 @@ - name: Create plugin directory ansible.builtin.file: - name: /usr/local/share/munin/ - state: directory - mode: "0755" - tags: - - redis - -- name: Create plugin directory - ansible.builtin.file: - name: /usr/local/share/munin/plugins/ + name: /usr/local/lib/munin/plugins/ state: directory mode: "0755" tags: @@ -30,7 +22,7 @@ - name: Copy redis munin plugin ansible.builtin.copy: src: munin_redis - dest: /usr/local/share/munin/plugins/redis_ + dest: /usr/local/lib/munin/plugins/redis_ mode: "0755" notify: restart munin-node tags: @@ -38,7 +30,7 @@ - name: Enable redis munin plugin ansible.builtin.file: - src: /usr/local/share/munin/plugins/redis_ + src: /usr/local/lib/munin/plugins/redis_ dest: "/etc/munin/plugins/redis_{{ plugin_name }}" state: link loop: @@ -63,20 +55,18 @@ changed_when: False check_mode: no -- name: Add redis password for munin (if no more than 1 config block) - community.general.ini_file: - dest: /etc/munin/plugin-conf.d/munin-node - section: 'redis_*' - option: env.password - value: '{{ redis_password }}' - notify: restart munin-node +- name: Configure redis plugin for munin + ansible.builtin.template: + src: templates/munin-plugin-default.conf.j2 + dest: '/etc/munin/plugin-conf.d/z-evolinux-redis' + mode: "0740" when: - redis_password is not none - redis_password | length > 0 - (munin_redis_blocs_in_config.stdout | int) <= 1 + notify: restart munin-node tags: redis - - name: Warn if multiple instance in munin-plugins configuration ansible.builtin.debug: msg: "WARNING - It seems you have multiple redis sections in your munin-node configuration - Munin config NOT changed" diff --git a/redis/tasks/instance-munin.yml b/redis/tasks/instance-munin.yml index 3d2274e7..8d0adf7e 100644 --- a/redis/tasks/instance-munin.yml +++ b/redis/tasks/instance-munin.yml @@ -13,15 +13,7 @@ - name: Create plugin directory ansible.builtin.file: - name: /usr/local/share/munin/ - state: directory - mode: "0755" - tags: - - redis - -- name: Create plugin directory - ansible.builtin.file: - name: /usr/local/share/munin/plugins/ + name: /usr/local/lib/munin/plugins/ state: directory mode: "0755" tags: @@ -30,7 +22,7 @@ - name: Copy redis munin plugin ansible.builtin.copy: src: munin_redis - dest: /usr/local/share/munin/plugins/redis_ + dest: /usr/local/lib/munin/plugins/redis_ mode: "0755" notify: restart munin-node tags: @@ -38,7 +30,7 @@ - name: Enable redis munin plugin ansible.builtin.file: - src: /usr/local/share/munin/plugins/redis_ + src: /usr/local/lib/munin/plugins/redis_ dest: "/etc/munin/plugins/{{ redis_instance_name }}_redis_{{ plugin_name }}" state: link loop: @@ -58,7 +50,7 @@ - name: Configure redis plugin for munin ansible.builtin.template: src: templates/munin-plugin-instances.conf.j2 - dest: '/etc/munin/plugin-conf.d/evolinux.redis_{{ redis_instance_name }}' + dest: '/etc/munin/plugin-conf.d/z-evolinux-redis_{{ redis_instance_name }}' mode: "0740" notify: restart munin-node tags: redis diff --git a/redis/tasks/nrpe.yml b/redis/tasks/nrpe.yml index 61400b99..a786c78f 100644 --- a/redis/tasks/nrpe.yml +++ b/redis/tasks/nrpe.yml @@ -12,7 +12,7 @@ ansible.builtin.copy: src: check_redis.pl dest: /usr/local/lib/nagios/plugins/check_redis - force: yes + force: true mode: "0755" owner: root group: root @@ -87,7 +87,7 @@ ansible.builtin.copy: src: check_redis_instances.sh dest: /usr/local/lib/nagios/plugins/check_redis_instances - force: yes + force: true mode: "0755" owner: root group: root diff --git a/redis/templates/munin-plugin-default.conf.j2 b/redis/templates/munin-plugin-default.conf.j2 new file mode 100644 index 00000000..674c257d --- /dev/null +++ b/redis/templates/munin-plugin-default.conf.j2 @@ -0,0 +1,6 @@ +# Ansible managed + +{% if redis_password %} +[redis_*] +env.password {{ redis_password | replace("#", "\#") }} +{% endif %} diff --git a/redmine/tasks/release.yml b/redmine/tasks/release.yml index 4f1430a5..5c07e6a0 100644 --- a/redmine/tasks/release.yml +++ b/redmine/tasks/release.yml @@ -62,7 +62,7 @@ args: chdir: "/home/{{ redmine_user }}/www" become_user: "{{ redmine_user }}" - become: yes + become: true tags: - redmine @@ -72,7 +72,7 @@ args: chdir: "/home/{{ redmine_user }}/www" become_user: "{{ redmine_user }}" - become: yes + become: true tags: - redmine diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 433b9ef8..a264406c 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -140,6 +140,11 @@ ^www\.parismatch\.com$ ^www\.liberation\.fr$ +# Nextcloud +^www\.nextcloud\.com$ +^www\.edri\.org$ +^www\.eff\.org$ + # Others #.+\.amazon.com$ .+\.twitter\.com$ @@ -170,4 +175,4 @@ ^www\.dailymotion\.com$ .+\.123rf\.com$ .+\.gouv\.fr$ -^ifconfig\.me$ \ No newline at end of file +^ifconfig\.me$ diff --git a/squid/files/whitelist-evolinux.conf b/squid/files/whitelist-evolinux.conf index c445e835..9378808f 100644 --- a/squid/files/whitelist-evolinux.conf +++ b/squid/files/whitelist-evolinux.conf @@ -134,6 +134,11 @@ http://www.leparisien.fr/.* http://www.parismatch.com/.* http://www.liberation.fr/.* +# Nextcloud +http://www.nextcloud.com/.* +http://www.edri.org/.* +http://www.eff.org/.* + # Others #http://.*.amazon.com/.* http://.*.twitter.com/.* diff --git a/squid/tasks/logrotate_jessie.yml b/squid/tasks/logrotate_jessie.yml index 345cd053..a0cfdff1 100644 --- a/squid/tasks/logrotate_jessie.yml +++ b/squid/tasks/logrotate_jessie.yml @@ -24,7 +24,7 @@ ansible.builtin.template: src: logrotate_jessie.j2 dest: /etc/logrotate.d/{{ squid_daemon_name }} - force: yes + force: true when: squid_logrotate_md5.rc == 0 tags: - squid diff --git a/squid/tasks/logrotate_stretch.yml b/squid/tasks/logrotate_stretch.yml index df264068..965256d4 100644 --- a/squid/tasks/logrotate_stretch.yml +++ b/squid/tasks/logrotate_stretch.yml @@ -24,7 +24,7 @@ ansible.builtin.template: src: logrotate_stretch.j2 dest: /etc/logrotate.d/{{ squid_daemon_name }} - force: yes + force: true when: squid_logrotate_md5.rc == 0 tags: - squid diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 0a200188..2f0e94aa 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -46,7 +46,7 @@ ansible.builtin.copy: src: whitelist-evolinux.conf dest: /etc/squid3/whitelist.conf - force: no + force: false notify: "reload squid3" when: ansible_distribution_release == "jessie" @@ -69,14 +69,14 @@ dest: /etc/squid/evolinux-whitelist-custom.conf content: | # Put customized values here. - force: no + force: false when: ansible_distribution_major_version is version('9', '>=') - name: "evolinux acl for local proxy (Debian 9 or later)" ansible.builtin.template: src: evolinux-acl.conf.j2 dest: /etc/squid/evolinux-acl.conf - force: no + force: false notify: "reload squid" when: - squid_localproxy_enable | bool @@ -87,7 +87,7 @@ dest: /etc/squid/evolinux-acl.conf content: | # Put customized values here. - force: no + force: false when: - not (squid_localproxy_enable | bool) - ansible_distribution_major_version is version('9', '>=') @@ -96,7 +96,7 @@ ansible.builtin.copy: src: evolinux-httpaccess.conf dest: /etc/squid/evolinux-httpaccess.conf - force: no + force: false notify: "reload squid" when: - squid_localproxy_enable | bool @@ -107,7 +107,7 @@ dest: /etc/squid/evolinux-httpaccess.conf content: | # Put customized values here. - force: no + force: false when: - not (squid_localproxy_enable | bool) - ansible_distribution_major_version is version('9', '>=') @@ -116,7 +116,7 @@ ansible.builtin.template: src: evolinux-custom.conf.j2 dest: /etc/squid/evolinux-custom.conf - force: no + force: false notify: "reload squid" when: - squid_localproxy_enable | bool @@ -127,7 +127,7 @@ dest: /etc/squid/evolinux-custom.conf content: | # Put customized values here. - force: no + force: false when: - not (squid_localproxy_enable | bool) - ansible_distribution_major_version is version('9', '>=') diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml index 7e262f23..da07eb81 100644 --- a/squid/tasks/systemd.yml +++ b/squid/tasks/systemd.yml @@ -21,7 +21,7 @@ src: systemd-override.conf.j2 dest: /etc/systemd/system/squid.service.d/override.conf mode: "0644" - force: yes + force: true register: _squid_systemd_override - name: "Systemd daemon is reloaded and Squid restarted" diff --git a/supervisord/tasks/main.yml b/supervisord/tasks/main.yml index 7b61ccbb..8d30c649 100644 --- a/supervisord/tasks/main.yml +++ b/supervisord/tasks/main.yml @@ -10,7 +10,7 @@ src: http.conf dest: /etc/supervisor/conf.d/ mode: "0644" - force: no + force: false notify: restart supervisor when: supervisord_enable_http | bool tags: diff --git a/timesyncd/defaults/main.yml b/timesyncd/defaults/main.yml new file mode 100644 index 00000000..a321fbfa --- /dev/null +++ b/timesyncd/defaults/main.yml @@ -0,0 +1,3 @@ +--- +timesyncd_ntp_servers: + - 'ntp.evolix.net' diff --git a/timesyncd/handlers/main.yml b/timesyncd/handlers/main.yml new file mode 100644 index 00000000..904e3471 --- /dev/null +++ b/timesyncd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart timesyncd + ansible.builtin.service: + name: systemd-timesyncd.service + state: restarted diff --git a/timesyncd/tasks/main.yml b/timesyncd/tasks/main.yml new file mode 100644 index 00000000..a6d70f15 --- /dev/null +++ b/timesyncd/tasks/main.yml @@ -0,0 +1,41 @@ +--- + +- name: Verify that at least 1 NTP server is provided + ansible.builtin.assert: + that: timesyncd_ntp_servers | length > 0 + msg: The variable timesyncd_ntp_servers must contain at least 1 element + +- name: Install systemd-timesyncd package + ansible.builtin.apt: + name: systemd-timesyncd + state: present + tags: + - timesyncd + +- name: Remove other NTP packages + ansible.builtin.apt: + name: + - openntpd + - ntp + state: absent + tags: + - timesyncd + +- name: Ensure /etc/systemd/timesyncd.conf.d directory exists + ansible.builtin.file: + path: /etc/systemd/timesyncd.conf.d + state: directory + mode: "755" + owner: root + group: root + tags: + - timesyncd + +- name: Copy timesyncd config + ansible.builtin.template: + src: timesyncd.conf.j2 + dest: /etc/systemd/timesyncd.conf.d/evolix.conf + mode: "0644" + notify: Restart timesyncd + tags: + - timesyncd diff --git a/timesyncd/templates/timesyncd.conf.j2 b/timesyncd/templates/timesyncd.conf.j2 new file mode 100644 index 00000000..8aebc1be --- /dev/null +++ b/timesyncd/templates/timesyncd.conf.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} +[Time] +NTP="{{ timesyncd_ntp_servers | join(' ') }}" diff --git a/tomcat-instance/tasks/bootstrap.yml b/tomcat-instance/tasks/bootstrap.yml index 818ddceb..c53a4a14 100644 --- a/tomcat-instance/tasks/bootstrap.yml +++ b/tomcat-instance/tasks/bootstrap.yml @@ -21,7 +21,7 @@ mode: "0660" owner: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" - force: no + force: false - name: Templating of server.xml file ansible.builtin.template: @@ -30,7 +30,7 @@ mode: "0660" owner: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" - force: no + force: false - name: Copy config file ansible.builtin.copy: @@ -39,6 +39,6 @@ mode: "0660" owner: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" - force: no + force: false with_fileglob: - "tomcat{{ tomcat_version }}/*" diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml index 6e76eb3b..976c6386 100644 --- a/unbound/tasks/main.yml +++ b/unbound/tasks/main.yml @@ -11,7 +11,7 @@ ansible.builtin.get_url: url: https://www.internic.net/domain/named.cache dest: /etc/unbound/root.hints - force: yes + force: true mode: "0644" notify: reload unbound tags: diff --git a/userlogrotate/files/userlogpurge b/userlogrotate/files/userlogpurge new file mode 100644 index 00000000..93efb080 --- /dev/null +++ b/userlogrotate/files/userlogpurge @@ -0,0 +1,6 @@ +#!/usr/bin/bash +# Purge des logs utilisateurs +# Ne pas activer sans l'accord du client. + +find /home/*/log/ -type f -mtime +365 -delete + diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index dfa51738..2a76eaaf 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate @@ -1,58 +1,132 @@ #!/bin/bash +# Userlogrotate rotates logs in custom paths. +# The difference with logrotate is that it sets +# the owner:group according to the location of each log. + +CONF_PATH="/etc/evolinux/userlogrotate.conf" # optional file + +# Default conf +DELETE_AFTER_RETENTION_DAYS="false" # values: true | false +RETENTION_DAYS=365 # only applies if $RETENTION_DAYS == "true" +SYSTEM_LOGS_SEARCH_PATHS=( # will chown root:$user + /home/*/log +) +APPLICATIVE_LOGS_SEARCH_PATHS=( # will chown $user:$user + /home/*/www/{,current/}log +) +SYSTEM_LOG_NAMES=(access.log access-*.log error.log php.log) +APPLICATIVE_LOG_NAMES=(production.log delayed_job.log development.log test.log) +DRY_RUN=false # do echo instead of executing, values: true | false + +############################################################ + DATE="$(/bin/date +"%Y-%m-%d")" -HOMEPREFIX="/home" + +if [ -f "${CONF_PATH}" ]; then + source "${CONF_PATH}" +fi rotate () { - mv $1 $1.$DATE - touch $1 - chown $2 $1 - chmod g+r $1 + if [ ${DRY_RUN} == "false" ]; then + mv $1 $1.${DATE} + touch $1 + chown $2 $1 + chmod g+r $1 + else + echo "Move $1 to $1.${DATE}" + echo "Change $1 owner to $2" + fi } user_for() { - homedir="$(echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#")" - stat -L -c '%G' $homedir + stat -L -c '%U' $1 } -for log in access.log access-*.log error.log; do - for i in $(ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.); do - USER="$(user_for $i)" - rotate $i root:$USER - done +group_for() { + stat -L -c '%G' $1 +} + + +delete_old() { + if [ ${DELETE_AFTER_RETENTION_DAYS} == "true" ]; then + if [ ${DRY_RUN} == "false" ]; then + find $1/ -ctime +${RETENTION_DAYS} -delete # slash is needed! + else + echo "Delete files:" + find $1/ -ctime +${RETENTION_DAYS} + fi + fi +} + +compress() { + if [ ${DRY_RUN} == "false" ]; then + gzip "$1" + else + echo "Gzipping $1" + fi +} + +for path in ${SYSTEM_LOGS_SEARCH_PATHS[@]}; do + for log_name in ${SYSTEM_LOG_NAMES[@]}; do + log_paths=$(ls -1 -d ${path}/${log_name} 2>/dev/null | grep -v \.bak\.) + for file in ${log_paths}; do + user="$(user_for "${file}")" + group="$(group_for "${file}")" + rotate "${file}" "${group}":"${user}" + delete_old "$(dirname "${file}")" + done + done done -for log in production.log delayed_job.log development.log test.log; do - for i in $(ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.); do - USER="$(user_for $i)" - rotate $i $USER:$USER - done +for path in ${APPLICATIVE_LOGS_SEARCH_PATHS[@]}; do + for log_name in ${APPLICATIVE_LOG_NAMES[@]}; do + log_paths=$(ls -1 -d ${path}/${log_name} 2>/dev/null | grep -v \.bak\.) + for file in ${log_paths}; do + user="$(user_for "${file}")" + group="$(group_for "${file}")" + rotate "${file}" "${group}":"${user}" + delete_old "$(dirname "${file}")" + done + done done -test -x /usr/sbin/apache2ctl && if /etc/init.d/apache2 status > /dev/null ; then \ - /etc/init.d/apache2 reload > /dev/null; \ -fi; +if [ -x /usr/sbin/apache2ctl ] && /etc/init.d/apache2 status > /dev/null ; then + if [ ${DRY_RUN} == "false" ]; then + /etc/init.d/apache2 reload > /dev/null + else + echo "Reloading Apache" + fi +fi -test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 +if [ -x /usr/sbin/nginx ]; then + if [ ${DRY_RUN} == "false" ]; then + invoke-rc.d nginx rotate >/dev/null 2>&1 + else + echo "Reloading Nginx" + fi +fi # Zipping is done after web server reload, so that the file descriptor is released. # Else, an error is raised (gzip file size changed while zipping) # and logs written during the zipping process might be lost. -for log in access.log*[!\.gz] access-*.log*[!\.gz] error.log*[!\.gz]; do - for i in $(ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.); do - if test -f "$i"; then - gzip "$i" - fi - done +for path in ${SYSTEM_LOGS_SEARCH_PATHS[@]}; do + for log_name in ${SYSTEM_LOG_NAMES[@]}; do + to_compress_paths=$(ls -1 -d ${path}/${log_name}*[!\.gz] 2>/dev/null | grep -v \.bak\.) + for file in ${to_compress_paths}; do + compress "${file}" + done + done done -for log in production.log*[!\.gz] delayed_job.log*[!\.gz] development.log*[!\.gz] test.log*[!\.gz]; do - for i in $(ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.); do - if test -f "$i"; then - gzip "$i" - fi - done +for path in ${APPLICATIVE_LOGS_SEARCH_PATHS[@]}; do + for log_name in ${APPLICATIVE_LOG_NAMES[@]}; do + compressed_paths=$(ls -1 -d ${path}/${log_name}*[!\.gz] 2>/dev/null | grep -v \.bak\.) + for file in ${compressed_paths}; do + compress "${file}" + done + done done -exit 0 \ No newline at end of file +exit 0 diff --git a/userlogrotate/tasks/main.yml b/userlogrotate/tasks/main.yml index 4f9c5fc7..a82ce2d9 100644 --- a/userlogrotate/tasks/main.yml +++ b/userlogrotate/tasks/main.yml @@ -6,6 +6,13 @@ register: find_logrotate check_mode: no +- name: "Is userlogpurge active ?" + ansible.builtin.find: + paths: ["/etc/cron.weekly", "/etc/cron.daily"] + patterns: ["userlogpurge"] + register: find_logpurge + check_mode: no + - name: "Update userlogrotate" ansible.builtin.copy: src: userlogrotate @@ -14,6 +21,14 @@ loop: "{{ find_logrotate.files }}" when: find_logrotate.files | length>0 +- name: "Update userlogpurge" + ansible.builtin.copy: + src: userlogpurge + dest: "{{ item.path }}" + mode: "0755" + loop: "{{ find_logpurge.files }}" + when: find_logpurge.files | length>0 + - name: "Install userlogrotate (jessie)" ansible.builtin.copy: src: userlogrotate_jessie @@ -32,3 +47,11 @@ - ansible_distribution_major_version is version('9', '>=') - find_logrotate.files | length==0 +- name: "Install userlogpurge" + ansible.builtin.copy: + src: userlogpurge + dest: /etc/cron.weekly/userlogpurge.disabled + mode: "0755" + when: + - find_logpurge.files | length==0 + diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index ec8a251e..560e241f 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml @@ -16,8 +16,10 @@ varnish_thread_pool_max: 5000 varnish_jail: "unix,user=vcache" varnish_additional_options: "" +varnish_systemd_override_template: Null + varnish_config_file: /etc/varnish/default.vcl -varnish_update_config: True +varnish_update_config: true varnish_secret_file: /etc/varnish/secret -varnish_tmp_dir: /var/tmp-vcache \ No newline at end of file +varnish_tmp_dir: /var/tmp-vcache diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 6cdb92db..68f3fc74 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -80,6 +80,7 @@ when: - varnish_package_facts['version'] is version('4', '>=') - varnish_package_facts['version'] is version('6', '<') + - varnish_systemd_override_template is none or varnish_systemd_override_template | length == 0 tags: - varnish - config @@ -91,6 +92,7 @@ when: - varnish_package_facts['version'] is version('6', '>=') - varnish_package_facts['version'] is version('7', '<') + - varnish_systemd_override_template is none or varnish_systemd_override_template | length == 0 tags: - varnish - config @@ -101,6 +103,7 @@ varnish_systemd_override_template: override.conf.varnish7.j2 when: - varnish_package_facts['version'] is version('7', '>=') + - varnish_systemd_override_template is none or varnish_systemd_override_template | length == 0 tags: - varnish - config @@ -110,7 +113,7 @@ ansible.builtin.template: src: "{{ varnish_systemd_override_template }}" dest: /etc/systemd/system/varnish.service.d/override.conf - force: yes + force: true notify: - reload systemd - restart varnish @@ -136,7 +139,7 @@ src: "{{ item }}" dest: "{{ varnish_config_file }}" mode: "0644" - force: yes + force: true when: varnish_update_config | bool loop: "{{ query('first_found', templates) }}" vars: @@ -169,7 +172,7 @@ ansible.builtin.template: src: "{{ item }}" dest: /etc/varnish/conf.d/ - force: yes + force: true mode: "0644" with_fileglob: - "templates/varnish/conf.d/*.vcl" diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index 87a05092..b46a8954 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -8,7 +8,7 @@ ansible.builtin.template: src: vrrp.service.j2 dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}" - force: yes + force: true register: vrrp_systemd_unit - name: enable and start systemd unit diff --git a/webapps/nextcloud/tasks/archive.yml b/webapps/nextcloud/tasks/archive.yml index 47defe79..f4e1cf26 100644 --- a/webapps/nextcloud/tasks/archive.yml +++ b/webapps/nextcloud/tasks/archive.yml @@ -4,7 +4,7 @@ ansible.builtin.get_url: url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}" dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}" - force: no + force: false tags: - nextcloud @@ -12,7 +12,7 @@ ansible.builtin.get_url: url: "{{ nextcloud_releases_baseurl }}{{ nextcloud_archive_name }}.sha256" dest: "{{ nextcloud_home }}/{{ nextcloud_archive_name }}.sha256" - force: no + force: false tags: - nextcloud diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index 01cc037c..fdc5b7a6 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -32,3 +32,11 @@ - "{{ nextcloud_home }}/data" tags: - nextcloud + +- name: Mount up Ceph volume by UUID + ansible.posix.mount: + path: "{{ nextcloud_data }}" + src: "{{ nextcloud_data_uuid }}" + fstype: ext4 + opts: defaults,noexec,nosuid,nodev,relatime,lazytime + state: present