diff --git a/CHANGELOG.md b/CHANGELOG.md index 50816488..e50f96b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,22 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Security +## [22.06] 2022-06-03 + +### Added + +* certbot: add hapee (HAProxy Enterprise Edition) deploy hook +* evolinux-base: add dir-check script +* evolinux-base: add update-evobackup-canary script +* mysql: add post-backup-hook to evomariabackup +* mysql: use dir-check inside evomariabackup + +### Changed + +* docker: Allow "live-restore" to be toggled with docker_conf_live_restore +* evocheck: upstream release 22.06 +* mysql: add "set crypt_use_gpgme=no" Mutt option, for mysqltuner + ## [22.05.1] 2022-05-12 ### Added diff --git a/apt/templates/bullseye_basics.list.j2 b/apt/templates/bullseye_basics.list.j2 index 94b0995d..55f32b8d 100644 --- a/apt/templates/bullseye_basics.list.j2 +++ b/apt/templates/bullseye_basics.list.j2 @@ -2,4 +2,4 @@ deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }} deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} -deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }} \ No newline at end of file +deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }} diff --git a/certbot/files/hooks/deploy/hapee.sh b/certbot/files/hooks/deploy/hapee.sh new file mode 100644 index 00000000..a8acdea9 --- /dev/null +++ b/certbot/files/hooks/deploy/hapee.sh 
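Review bot: The security archive source switches from `https://deb.debian.org/debian-security` to `http://security.debian.org/debian-security`, which drops transport encryption for the security feed; apt's signature checks keep integrity, but which security updates a host pulls becomes observable in transit. The evocheck change in the same commit (`@@ -235` in evocheck/files/evocheck.sh) also narrows `check_debiansecurity` so an `https://` source is now reported as non-compliant, flagging hosts that keep the more conservative transport. If the mirror move is deliberate, keep the check accepting both forms, `pattern="^deb https?://(deb|security)\.debian\.org/debian-security/? bullseye-security main"`, and record the sources change in the CHANGELOG entry, which currently does not mention it.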
@@ -0,0 +1,93 @@
+#!/bin/sh
+
+error() {
+ >&2 echo "${PROGNAME}: $1"
+ exit 1
+}
+debug() {
+ if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+ >&2 echo "${PROGNAME}: $1"
+ fi
+}
+daemon_found_and_running() {
+ test -n "$(pidof hapee-lb)" && test -n "${hapee_bin}"
+}
+found_renewed_lineage() {
+ test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+}
+config_check() {
+ ${hapee_bin} -c -f "${hapee_config_file}" > /dev/null 2>&1
+}
+concat_files() {
+ # shellcheck disable=SC2174
+ mkdir --mode=700 --parents "${hapee_cert_dir}"
+ chown root: "${hapee_cert_dir}"
+
+ debug "Concatenating certificate files to ${hapee_cert_file}"
+ cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${hapee_cert_file}"
+ chmod 600 "${hapee_cert_file}"
+ chown root: "${hapee_cert_file}"
+}
+cert_and_key_mismatch() {
+ hapee_cert_md5=$(openssl x509 -noout -modulus -in "${hapee_cert_file}" | openssl md5)
+ hapee_key_md5=$(openssl rsa -noout -modulus -in "${hapee_cert_file}" | openssl md5)
+
+ test "${hapee_cert_md5}" != "${hapee_key_md5}"
+}
+detect_hapee_cert_dir() {
+ # get last field or line wich defines the crt directory
+ config_cert_dir=$(grep -r -o -E -h '^\s*bind .* crt /etc/\S+' "${hapee_config_file}" | head -1 | awk '{ print $(NF)}')
+ if [ -n "${config_cert_dir}" ]; then
+ debug "Cert directory is configured with ${config_cert_dir}"
+ echo "${config_cert_dir}"
+ elif [ -d "/etc/haproxy/ssl" ]; then
+ debug "No configured cert directory found, but /etc/haproxy/ssl exists"
+ echo "/etc/haproxy/ssl"
+ elif [ -d "/etc/ssl/haproxy" ]; then
+ debug "No configured cert directory found, but /etc/ssl/haproxy exists"
+ echo "/etc/ssl/haproxy"
+ else
+ error "Cert directory not found."
+ fi
+}
+main() {
+ if [ -z "${RENEWED_LINEAGE}" ]; then
+ error "This script must be called only by certbot!"
+ fi + + if daemon_found_and_running; then + readonly hapee_config_file="/etc/hapee-2.4/hapee-lb.cfg" + readonly hapee_cert_dir=$(detect_hapee_cert_dir) + + if found_renewed_lineage; then + hapee_cert_file="${hapee_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" + failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" + + concat_files + + if cert_and_key_mismatch; then + mv "${hapee_cert_file}" "${failed_cert_file}" + error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection" + fi + + if config_check; then + debug "HAPEE detected... reloading" + systemctl reload hapee-2.4-lb.service + else + error "HAPEE config is broken, you must fix it !" + fi + else + error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem" + fi + else + debug "HAPEE is not running or missing. Skip." + fi +} + +readonly PROGNAME=$(basename "$0") +readonly VERBOSE=${VERBOSE:-"0"} +readonly QUIET=${QUIET:-"0"} + +readonly hapee_bin="/opt/hapee-2.4/sbin/hapee-lb" + +main diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml index 5b64f342..3f713930 100644 --- a/docker-host/defaults/main.yml +++ b/docker-host/defaults/main.yml @@ -9,6 +9,9 @@ docker_conf_use_iptables: False # Disable the possibility for containers processes to gain new privileges docker_conf_no_newprivileges: False +# Toggle live restore (need to be disabled in swarm mode) +docker_conf_live_restore: True + # Disable all default network connectivity docker_conf_disable_default_networking: False diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 index c73268d9..08dcb1b2 100644 --- a/docker-host/templates/daemon.json.j2 +++ b/docker-host/templates/daemon.json.j2 
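Review bot: `readonly hapee_cert_dir=$(detect_hapee_cert_dir)` runs the detection in a subshell, so the `error "Cert directory not found."` branch and its `exit 1` only terminate that subshell; main carries on with an empty `hapee_cert_dir`, the `mkdir`/`chown` in `concat_files` fail non-fatally, and the fullchain plus private key are written to `/<lineage>.pem` at the filesystem root. Split the assignment from the check: `hapee_cert_dir=$(detect_hapee_cert_dir) || exit 1` followed by `[ -n "${hapee_cert_dir}" ] || error "Cert directory not found."`, then mark it `readonly`. Two smaller points: `concat_files` creates the combined file under the current umask and only tightens it afterwards, so a `umask 077` before the `cat` avoids a briefly readable private key, and `cert_and_key_mismatch` relies on `openssl rsa -modulus`, which would report a mismatch for any non-RSA lineage (e.g. ECDSA); comparing `openssl x509 -noout -pubkey` with `openssl pkey -pubout` works for every key type.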
@@ -5,7 +5,7 @@ "data-root": "{{ docker_home }}", {# Keep containers running while docker daemon downtime #} - "live-restore": true, + "live-restore": {{ docker_conf_live_restore | to_json }},, {# Turn on user namespace remaping #} "userns-remap": "default", diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index cf901bb0..6bba06c1 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.05" +VERSION="22.06" readonly VERSION # base functions @@ -19,7 +19,8 @@ Copyright 2009-2022 Evolix , Gregory Colpart , Jérémy Lecour , Tristan Pilat , - Victor Laborie + Victor Laborie , + Alexis Ben Miloud--Josselin , and others. evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, @@ -235,7 +236,7 @@ check_debiansecurity() { if is_debian_bullseye; then # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive # https://www.debian.org/security/ - pattern="^deb https://(deb|security)\.debian\.org/debian-security/? bullseye-security main" + pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main" elif is_debian_buster; then pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main" elif is_debian_stretch; then @@ -337,6 +338,8 @@ check_alert5boot() { else if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script" else failed "IS_ALERT5BOOT" "alert5 init script is missing" fi 
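Review bot: The new `live-restore` line ends with `}},,` — a doubled comma that makes the rendered `daemon.json` invalid JSON, so dockerd will refuse to start on every host this template is deployed to. It should read `"live-restore": {{ docker_conf_live_restore | to_json }},`.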
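Review bot: The failure message on the new `/etc/init.d/alert5` branch says `alert5 int script` where the sibling `/etc/rc2.d` branch says `init script`; it should be `failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"`. The branch is otherwise consistent with the one above it. `check_alert5boot` starts outside the hunk.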
@@ -350,6 +353,9 @@ check_alert5minifw() {
 if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
 grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
 || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
+ elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then
+ grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \
+ || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
 else
 failed "IS_ALERT5MINIFW" "alert5 init script is missing"
 fi
@@ -571,7 +577,7 @@ check_network_interfaces() {
 # Verify if all if are in auto
 check_autoif() {
 if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
- interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
+ interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
 else
 interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
 fi
@@ -589,6 +595,16 @@ check_interfacesgw() {
 number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
 test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway"
 }
+# Verification de l’état du service networking
+check_networking_service() {
+ if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
+ if systemctl is-enabled networking.service > /dev/null; then
+ if ! systemctl is-active networking.service > /dev/null; then
+ failed "IS_NETWORKING_SERVICE" "networking.service is not active"
+ fi
+ fi
+ fi
+}
 # Verification de la mise en place d'evobackup
 check_evobackup() {
 evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
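Review bot: In `check_networking_service`, `systemctl is-enabled networking.service > /dev/null` only silences stdout; on a host that has no such unit (systemd-networkd or netplan setups, for instance) systemctl reports the lookup failure on stderr, which from cron becomes mail noise even though the check correctly skips. Redirect both streams, `if systemctl is-enabled networking.service > /dev/null 2>&1; then`, and likewise for the `is-active` call, or use `systemctl --quiet is-enabled networking.service`.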
@@ -955,7 +971,7 @@ check_mongo_backup() {
 # You could change the default path in /etc/evocheck.cf
 MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
 if [ -d "$MONGO_BACKUP_PATH" ]; then
- for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do
+ for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do
 # Skip indexes file.
 if ! [[ "$file" =~ indexes ]]; then
 limit=$(date +"%s" -d "now - 2 day")
@@ -1577,6 +1593,7 @@ main() {
 test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces
 test "${IS_AUTOIF:=1}" = 1 && check_autoif
 test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
+ test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
 test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
 test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
 test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
diff --git a/evolinux-base/files/dir-check.sh b/evolinux-base/files/dir-check.sh
new file mode 100644
index 00000000..9d586cef
--- /dev/null
+++ b/evolinux-base/files/dir-check.sh
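Review bot: The new glob `*.{json,bson}.*` only matches dump files that carry a further suffix after `.json`/`.bson` (a `.gz`, presumably), so an uncompressed dump is now silently excluded from the age check instead of being verified. If both layouts are meant to be accepted, `"${MONGO_BACKUP_PATH}"/*/*.{json,bson}{,.*}` covers plain and suffixed files alike. Note also that bash leaves an unmatched glob as a literal, so a directory with no matching file runs the loop once on the pattern itself; that predates this change but is worth a comment. `check_mongo_backup` starts outside the hunk.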
@@ -0,0 +1,329 @@ +#!/bin/sh + +PROGNAME="dir-check" +REPOSITORY="https://gitea.evolix.org/evolix/ansible-roles" + +VERSION="22.06.1" +readonly VERSION + +show_version() { + cat <, + Jérémy Lecour + +${REPOSITORY} + +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU Affero General Public License v3.0 for details. +END +} +show_help() { + cat <> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_info() { + level="INFO" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_warning() { + level="WARNING" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_error() { + level="ERROR" + msg=$1 + if ! is_quiet; then + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + if tty -s; then + printf "%s\n" "${msg}" >&2 + fi + else + log_line "${level}" "${msg}" >&2 + fi + fi +} +log_fatal() { + level="FATAL" + msg=$1 + if is_log_file; then + log_line "${level}" "${msg}" >> "${log_file}" + if tty -s; then + printf "%s\n" "${msg}" >&2 + fi + else + log_line "${level}" "${msg}" >&2 + fi +} + +data_command() { + echo "du --bytes" +} +list_files_with_size() { + path=$1 + # shellcheck disable=SC2014,SC2046 + find "${path}" -type f -exec $(data_command) {} \; | sort -k2 +} +prepare_data() { + list_files_with_size "${final_dir}" > "${data_file}" + "${checksum_bin}" "${data_file}" > "${checksum_file}" +} +check_data() { + if [ -f "${checksum_file}" ]; then + # subshell to scope the commands to "parent_dir" + "${checksum_bin}" --status --check "${checksum_file}" + last_rc=$? + if [ ${last_rc} -ne 0 ]; then + log_error "Verification failed with checksum file \`${checksum_file}' (inside \`${parent_dir}')." 
+ exit 1 + fi + else + log_warning "Couldn't find checksum file \`${checksum_file}' (inside \`${parent_dir}'). Skip verification." + fi + if [ -f "${data_file}" ]; then + while read -r data_line; do + expected_size=$(echo "${data_line}" | cut -f1) + file=$(echo "${data_line}" | cut -f2) + + if [ -f "${file}" ]; then + actual_size=$($(data_command) "${file}" | cut -f1) + + if [ "${actual_size}" != "${expected_size}" ]; then + log_error "File \`${file}' has actual size of ${actual_size} instead of ${expected_size}." + rc=1 + fi + else + log_error "Couldn't find file \`${file}'." + rc=1 + fi + done < "${data_file}" + if [ ${rc} -eq 0 ]; then + log_info "Directory \`${final_dir}' is consistent with data stored in \`${data_file}' (inside \`${parent_dir}')." + fi + else + log_fatal "Couldn't find data file \`${data_file}' (inside \`${parent_dir}')." + exit 1 + fi +} + +main() { + if [ -z "${dir}" ]; then + log_fatal "dir option is empty" + exit 1 + elif [ -e "${dir}" ] && [ ! -d "${dir}" ]; then + log_fatal "Directory \`${dir}' exists but is not a directory" + exit 1 + fi + + checksum_cmd="sha256sum" + checksum_bin=$(command -v ${checksum_cmd}) + if [ -z "${checksum_bin}" ]; then + log_fatal "Couldn't find \`${checksum_cmd}'.\nUse 'apt install ${checksum_cmd}'." + exit 1 + fi + + parent_dir=$(dirname "${dir}") + final_dir=$(basename "${dir}") + + data_file="${PROGNAME}.db" + checksum_file="${data_file}.${checksum_cmd}" + + cwd=${PWD} + cd "${parent_dir}" || log_error "Impossible to change to \`${parent_dir}'" + + if [ -z "${action}" ]; then + log_fatal "Missing --check or --prepare option." + echo "" >&2 + show_help >&2 + exit 1 + fi + + case ${action} in + check) + check_data + ;; + prepare) + prepare_data + ;; + *) + log_fatal "Unknown action \`${action}'." + rc=1 + ;; + esac + + if [ -d "${cwd}" ]; then + cd "${cwd}" || log_error "Impossible to change back to \`${cwd}'" + else + log_error "Previous working directory \`${cwd}' is not a directory." 
+ fi +} + +# Declare variables + +verbose="" +quiet="" +action="" +dir="" +rc=0 + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + -V|--version) + show_version + exit 0 + ;; + + -d|--dir) + # with value separated by space + if [ -n "$2" ]; then + dir="$2" + shift + else + log_fatal 'ERROR: "--dir" requires a non-empty option argument.' + fi + ;; + --dir=?*) + # with value speparated by = + dir=${1#*=} + ;; + --dir=) + # without value + log_fatal '"--dir" requires a non-empty option argument.' + ;; + + -l|--log) + # with value separated by space + if [ -n "$2" ]; then + log_file="$2" + shift + else + log_fatal 'ERROR: "--log" requires a non-empty option argument.' + fi + ;; + --log=?*) + # with value speparated by = + log_file=${1#*=} + ;; + --log=) + # without value + log_fatal '"--log" requires a non-empty option argument.' + ;; + + --prepare) + action="prepare" + ;; + + --check) + action="check" + ;; + + -v|--verbose) + verbose=1 + ;; + + --quiet) + quiet=1 + verbose=0 + ;; + + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + if tty -s; then + printf 'Unknown option : %s\n' "$1" >&2 + echo "" >&2 + show_usage >&2 + exit 1 + else + log_fatal "Unknown option : $1" + fi + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +# Default values + +verbose=${verbose:-0} +quiet=${quiet:-0} +action=${action:-} +log_file=${log_file:-} + +set -u + +main + +exit ${rc} \ No newline at end of file diff --git a/evolinux-base/files/update-evobackup-canary.sh b/evolinux-base/files/update-evobackup-canary.sh new file mode 100644 index 00000000..20fc1a57 --- /dev/null +++ b/evolinux-base/files/update-evobackup-canary.sh 
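Review bot: In `main`, `cd "${parent_dir}" || log_error "Impossible to change to ..."` does not stop the script, so when the parent directory is unreachable `check_data`/`prepare_data` run in the caller's current directory: `--prepare` writes `dir-check.db` and its checksum file there, and `--check` verifies whatever happens to sit there. This should be fatal, `cd "${parent_dir}" || { log_fatal "Impossible to change to \`${parent_dir}'"; exit 1; }`. Separately, `check_data` splits each data line with `cut -f1`/`cut -f2`, so a filename containing a tab or newline is mis-parsed and reported as missing; a comment stating that limitation next to `list_files_with_size` would save the next reader a surprise. The `show_version`/`show_help` heredoc bodies are not legible in this rendering, so I have not reviewed them.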
@@ -0,0 +1,129 @@ +#!/bin/sh + +PROGNAME="update-evobackup-canary" +REPOSITORY="https://gitea.evolix.org/evolix/evobackup" + +VERSION="22.05" +readonly VERSION + +# base functions + +show_version() { + cat <, + Jérémy Lecour , + and others. + +${REPOSITORY} + +${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat <> "${canary_file}" +} + +# parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + -V|--version) + show_version + exit 0 + ;; + + -w|--who) + # with value separated by space + if [ -n "$2" ]; then + who=$2 + shift + else + printf 'ERROR: "-w|--who" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --who=?*) + # with value speparated by = + who=${1#*=} + ;; + --who=) + # without value + printf 'ERROR: "--who" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + -f|--file) + # with value separated by space + if [ -n "$2" ]; then + canary_file=$2 + shift + else + printf 'ERROR: "-f|--file" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --file=?*) + # with value speparated by = + canary_file=${1#*=} + ;; + --file=) + # without value + printf 'ERROR: "--file" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + + --) + # End of all options. + shift + break + ;; + -?*) + # ignore unknown options + printf 'WARN: Unknown option : %s\n' "$1" >&2 + exit 1 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + +export LC_ALL=C + +set -u + +main diff --git a/evolinux-base/tasks/provider_vmware.yml b/evolinux-base/tasks/provider_vmware.yml new file mode 100644 index 00000000..dbf93d0e --- /dev/null +++ b/evolinux-base/tasks/provider_vmware.yml 
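Review bot: The unknown-option arm prints `WARN: Unknown option` and then `exit 1`, so the label understates what happens; the sibling arms use `ERROR:` for conditions that exit, `printf 'ERROR: Unknown option : %s\n' "$1" >&2`. The body of `main` and the defaults for `who` and `canary_file` are not legible in this rendering, so I cannot tell whether an omitted `--file` is handled before `set -u` takes effect.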
@@ -0,0 +1,17 @@ +--- +- name: Check if the virtual machine on VMWare Host + shell: "dmidecode | grep -q 'VMware'" + check_mode: no + register: vmware_provider + failed_when: False + changed_when: False + tags: + - packages + +- name: OpenVM Tools are installed for vmware + apt: + state: present + name: open-vm-tools + tags: + - packages + when: vmware_provider.rc == 0 diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index 084f8b35..6c9e27b0 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -26,4 +26,28 @@ mode: "0700" owner: root group: root - force: no \ No newline at end of file + force: no + +- name: update-evobackup-canary script is present + copy: + src: "update-evobackup-canary.sh" + dest: /usr/local/bin/update-evobackup-canary + force: True + owner: root + group: root + mode: "0755" + +# TODO: delete when this has been run once on all our servers +- name: update-evobackup-canary is removed from sbin + file: + path: /usr/local/sbin/update-evobackup-canary + state: absent + +- name: dir-check script is present + copy: + src: "dir-check.sh" + dest: /usr/local/bin/dir-check + force: True + owner: root + group: root + mode: "0755" \ No newline at end of file diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index 6588c469..e14d73f2 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -10,7 +10,7 @@ is_alert5_enabled() { if test -f /etc/init.d/alert5; then test -f /etc/rc2.d/S*alert5 else - systemctl is-active alert5 | grep -q "^active$" + systemctl is-enabled alert5 | grep -q "^enabled$" fi } diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml index 4a838ee9..483f8715 100644 --- a/minifirewall/tasks/main.yml +++ b/minifirewall/tasks/main.yml 
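Review bot: The VMware detection shells out to `dmidecode | grep -q 'VMware'`, which requires root, runs on every host, and with `failed_when: False` turns a missing `dmidecode` into "not VMware". Ansible already gathers this as a fact: `when: ansible_virtualization_type == 'VMware'` on the `open-vm-tools` task removes the shell task, the `register` and the `check_mode: no` exception.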
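Review bot: The switch from `is-active` to `is-enabled` changes what `is_alert5_enabled` reports (unit configured to start rather than currently running), which now matches the function name; but the systemd branch leaves systemctl's stderr unredirected, so on a host without an `alert5` unit the lookup-failure message leaks into the check's output while the grep correctly fails. `systemctl is-enabled alert5 2>/dev/null | grep -q "^enabled$"` keeps the strict match without the noise.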
@@ -56,6 +56,11 @@ include: install.legacy.yml when: minifirewall_install_mode == 'legacy' +- name: Debug minifirewall_update_config + debug: + var: minifirewall_update_config | bool + verbosity: 1 + - name: Config tasks (modern mode) include: config.yml when: @@ -77,6 +82,11 @@ - name: Activation tasks include: activate.yml +- name: Debug minifirewall_tail_included + debug: + var: minifirewall_tail_included | bool + verbosity: 1 + - name: Tail tasks (modern mode) include: tail.yml when: @@ -91,6 +101,11 @@ # Restart? +- name: Debug minifirewall_restart_force + debug: + var: minifirewall_restart_force | bool + verbosity: 1 + - name: Force restart minifirewall (modern mode) command: /etc/init.d/minifirewall restart register: minifirewall_init_restart diff --git a/mysql-oracle/files/mysqltuner.cron.sh b/mysql-oracle/files/mysqltuner.cron.sh index 5424aa90..ada4a0f8 100644 --- a/mysql-oracle/files/mysqltuner.cron.sh +++ b/mysql-oracle/files/mysqltuner.cron.sh @@ -44,7 +44,7 @@ Bien à vous, -- Rapport automatique Evolix EOT - mutt -x -e 'set send_charset="utf-8"' -H $template \ + mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \ -a /var/www/mysqlreport_${instance}.html < $body done chmod 644 /var/www/mysqlreport*html diff --git a/mysql/files/evomariabackup.sh b/mysql/files/evomariabackup.sh index 0e3de84b..dd46a9ec 100644 --- a/mysql/files/evomariabackup.sh +++ b/mysql/files/evomariabackup.sh @@ -1,12 +1,12 @@ #!/bin/sh -VERSION="21.11" +VERSION="22.06" show_version() { cat <, +Copyright 2004-2022 Evolix , Éric Morino , Jérémy Lecour and others. @@ -20,19 +20,20 @@ show_help() { cat </dev/null 2>&1 
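Review bot: The rewritten `mutt` line still passes `-H $template` and `< $body` unquoted; both are paths set earlier in the script (outside the hunk), and a value with whitespace or glob characters would break the invocation. While touching the line, quote them: `mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H "$template" \` and `< "$body"`. The identical change lands in mysql/files/mysqltuner.cron.sh, and the matching blob ids on both `index` lines show the two files are byte-for-byte copies — a candidate for sharing one source file between the roles.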
@@ -355,6 +387,35 @@ compress() { log_info "END compression phase" fi } +post_backup_hook() { + if [ -x "${post_backup_hook}" ]; then + + if ! is_quiet; then + log_debug "Execution of \`${post_backup_hook}'" + log_info "BEGIN hook phase" + fi + + ( + export BACKUP_DIR="${backup_dir}" + if is_log_file; then + export LOG_FILE="${log_file}" + fi + "${post_backup_hook}" + ) + hook_rc=$? + + if [ ${hook_rc} -ne 0 ]; then + log_fatal "An error occured while executing post backup hook \`${post_backup_hook}'" + exit 1 + elif ! is_quiet; then + log_info "END hook phase" + fi + else + log_fatal "Post backup hook \`${post_backup_hook}' is missing or not executable" + exit 1 + fi +} + main() { kill_or_clean_lockfile "${lock_file}" # shellcheck disable=SC2064 @@ -362,11 +423,19 @@ main() { new_lock_file "${lock_file}" if [ "${do_backup}" = "1" ] && [ -n "${backup_dir}" ]; then - backup "${backup_dir}" + backup + fi + + if [ "${do_dircheck}" = "1" ] && [ -n "${backup_dir}" ]; then + dircheck_prepare fi if [ "${do_compress}" = "1" ] && [ -n "${compress_file}" ]; then - compress "${backup_dir}" "${compress_file}" + compress + fi + + if [ -n "${post_backup_hook}" ]; then + post_backup_hook fi } @@ -377,11 +446,12 @@ log_file="" verbose="" quiet="" max_age="" -max_age="" do_backup="" backup_dir="" +do_dircheck="" do_compress="" compress_file="" +post_backup_hook="" # Parse options # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a @@ -440,6 +510,14 @@ while :; do log_fatal '"--backup-dir" requires a non-empty option argument.' ;; + --dir-check) + do_dircheck=1 + ;; + + --no-dir-check) + do_dircheck=0 + ;; + --compress) do_compress=1 ;; 
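Review bot: The new function `post_backup_hook` shares its name with the `post_backup_hook` variable holding the hook path; sh keeps the two namespaces apart, so `if [ -n "${post_backup_hook}" ]; then post_backup_hook` in `main` works, but it reads like a recursion and will mislead the next editor — naming the function `run_post_backup_hook` removes the ambiguity. The hook runs with the script's privileges and only `-x` is checked; since the path comes from the command line that is probably acceptable, but a one-line comment stating that the hook is trusted (expected to be root-owned and not group/world-writable) would document the assumption. Also "occured" in the fatal message should be "occurred".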
@@ -508,6 +586,24 @@ while :; do log_fatal '"--log-file" requires a non-empty option argument.' ;; + --post-backup-hook) + # with value separated by space + if [ -n "$2" ]; then + post_backup_hook="$2" + shift + else + log_fatal '"--post-backup-hook" requires a non-empty option argument.' + fi + ;; + --post-backup-hook=?*) + # with value speparated by = + post_backup_hook=${1#*=} + ;; + --post-backup-hook=) + # without value + log_fatal '"--post-backup-hook" requires a non-empty option argument.' + ;; + -v|--verbose) verbose=1 ;; @@ -549,6 +645,7 @@ verbose=${verbose:-0} quiet=${quiet:-0} max_age="${max_age:-86400}" do_backup="${do_backup:-1}" +do_dircheck="${do_dircheck:-0}" do_compress="${do_compress:-0}" main \ No newline at end of file diff --git a/mysql/files/mysqltuner.cron.sh b/mysql/files/mysqltuner.cron.sh index 5424aa90..ada4a0f8 100644 --- a/mysql/files/mysqltuner.cron.sh +++ b/mysql/files/mysqltuner.cron.sh @@ -44,7 +44,7 @@ Bien à vous, -- Rapport automatique Evolix EOT - mutt -x -e 'set send_charset="utf-8"' -H $template \ + mutt -x -e 'set send_charset="utf-8"' -e "set crypt_use_gpgme=no" -H $template \ -a /var/www/mysqlreport_${instance}.html < $body done chmod 644 /var/www/mysqlreport*html diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 397abc0d..d9d90836 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -74,7 +74,7 @@ myhostname = {{ ansible_fqdn }} # Liste des noms de domaine (ou IP) consideres comme local #par defaut, = $myhostname, localhost.$mydomain, localhost -mydestination = $myhostname +mydestination = $myhostname localhost.localdomain localhost # Indique le domaine apparaissant dans le courrier envoye #par defaut, = $myhostname diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index e5af6a7f..7f94281b 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml 
@@ -1,7 +1,7 @@
 ---
 - name: Install evoadmin-mail package
 apt:
- name: evoadmin-mail
+ deb: /tmp/evoadmin-mail.deb
 state: present
 tags:
 - evoadmin-mail
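Review bot: `deb: /tmp/evoadmin-mail.deb` installs, as root, a package from a path in the world-writable `/tmp`, and nothing in this hunk shows how the file gets there or that its checksum is verified, so a file created or replaced at that path by another local user before this task runs would be installed. Stage the package in a root-owned directory with a fixed mode (under `/root/`, or one created with the `tempfile` module) via a preceding `copy`/`get_url` task that sets `checksum:`, and point `deb:` at that path; if the package is served by the Evolix repository, keeping `name: evoadmin-mail` as before avoids the issue entirely.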