Merge branch 'unstable' into stable

2019-01-31 10:23:03 +01:00 · 2019-01-31 10:23:03 +01:00 · 271746494c
parent b883d63cc5 c296dd94c2
commit 271746494c
43 changed files with 845 additions and 384 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -18,6 +18,20 @@ The **patch** part changes incrementally at each release.

 ### Security

+## [9.8.0] - 2019-01-31
+
+### Added
+* filebeat: disable cloud_metadata processor by default
+* metricbeat: disable cloud_metadata processor by default
+* percona : new role to install Percona repositories and tools
+* redis: add variable for configure unixsocketperm
+
+### Changed
+* redmine: refactoring of redmine role with use of rbenv
+
+### Fixed
+* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
+
 ## [9.7.0] - 2019-01-17

 ### Added
@ -30,6 +44,7 @@ The **patch** part changes incrementally at each release.
 * redis: add a variable for renamed/disabled commands
 * redis: add a variable to disable the restart handler
 * redis: add a variable to force a restart (even with no change)
+* proftpd: add FTPS and SFTP support

 ### Changed
 * redis: distinction between main and master password
--- a/filebeat/defaults/main.yml
+++ b/filebeat/defaults/main.yml
@ -2,3 +2,5 @@
 elastic_stack_version: "6.x"

 filebeat_logstash_plugin: False
+
+filebeat_processors_cloud_metadata: False
--- a/filebeat/handlers/main.yml
+++ b/filebeat/handlers/main.yml
@ -0,0 +1,6 @@
+---
+
+- name: restart filebeat
+  systemd:
+    name: filebeat
+    state: restarted
--- a/filebeat/tasks/main.yml
+++ b/filebeat/tasks/main.yml
@ -64,3 +64,19 @@
  - filebeat_logstash_plugin
  - logstash_plugin.stat.exists
  - not logstash_plugin_installed | success
+
+- name: cloud_metadata processor is disabled
+  replace:
+    dest: /etc/filebeat/filebeat.yml
+    regexp: '^(\s+)(- add_cloud_metadata:)'
+    replace: '\1# \2'
+  notify: restart filebeat
+  when: not filebeat_processors_cloud_metadata
+
+- name: cloud_metadata processor is disabled
+  lineinfile:
+    dest: /etc/filebeat/filebeat.yml
+    line: "  - add_cloud_metadata: ~"
+    insert_after: '^processors:'
+  notify: restart filebeat
+  when: filebeat_processors_cloud_metadata
--- a/metricbeat/defaults/main.yml
+++ b/metricbeat/defaults/main.yml
@ -6,3 +6,5 @@ metricbeat_elasticsearch_hosts:
  - "localhost:9200"
 metricbeat_elasticsearch_auth_username: ""
 metricbeat_elasticsearch_auth_password: ""
+
+metricbeat_processors_cloud_metadata: False
--- a/metricbeat/handlers/main.yml
+++ b/metricbeat/handlers/main.yml
@ -0,0 +1,6 @@
+---
+
+- name: restart metricbeat
+  systemd:
+    name: metricbeat
+    state: restarted
--- a/metricbeat/tasks/main.yml
+++ b/metricbeat/tasks/main.yml
@ -72,3 +72,19 @@
  when:
    - metricbeat_elasticsearch_auth_username != ""
    - metricbeat_elasticsearch_auth_password != ""
+
+- name: disable cloud_metadata
+  replace:
+    dest: /etc/metricbeat/metricbeat.yml
+    regexp: '^(\s+)(- add_cloud_metadata:)'
+    replace: '\1# \2'
+  notify: restart metricbeat
+  when: not metricbeat_processors_cloud_metadata
+
+- name: cloud_metadata processor is disabled
+  lineinfile:
+    dest: /etc/metricbeat/metricbeat.yml
+    line: "  - add_cloud_metadata: ~"
+    insert_after: '^processors:'
+  notify: restart metricbeat
+  when: metricbeat_processors_cloud_metadata
--- a/ntpd/defaults/main.yml
+++ b/ntpd/defaults/main.yml
@ -2,7 +2,9 @@
 ntpd_servers:
 - 'ntp.evolix.net iburst'
 ntpd_acls:
- '-4 default kod notrap nomodify nopeer noquery'
- '-6 default kod notrap nomodify nopeer noquery'
+- '-4 default ignore'
+- '-6 default ignore'
+- 'source nomodify noquery notrap'         # Debian 9 and later
+- 'ntp.evolix.net nomodify noquery notrap' # Debian 8
 - '127.0.0.1'
 - '::1'
--- a/percona/defaults/main.yml
+++ b/percona/defaults/main.yml
@ -0,0 +1,4 @@
+---
+
+percona__install_xtrabackup: True
+percona__xtrabackup_package_name: percona-xtrabackup-24
--- a/percona/files/percona-release_latest.jessie_all.deb
+++ b/percona/files/percona-release_latest.jessie_all.deb
--- a/percona/files/percona-release_latest.stretch_all.deb
+++ b/percona/files/percona-release_latest.stretch_all.deb
--- a/percona/files/percona.asc
+++ b/percona/files/percona.asc
@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQGiBEsm3aERBACyB1E9ixebIMRGtmD45c6c/wi2IVIa6O3G1f6cyHH4ump6ejOi
+AX63hhEs4MUCGO7KnON1hpjuNN7MQZtGTJC0iX97X2Mk+IwB1KmBYN9sS/OqhA5C
+itj2RAkug4PFHR9dy21v0flj66KjBS3GpuOadpcrZ/k0g7Zi6t7kDWV0hwCgxCa2
+f/ESC2MN3q3j9hfMTBhhDCsD/3+iOxtDAUlPMIH50MdK5yqagdj8V/sxaHJ5u/zw
+YQunRlhB9f9QUFfhfnjRn8wjeYasMARDctCde5nbx3Pc+nRIXoB4D1Z1ZxRzR/lb
+7S4i8KRr9xhommFnDv/egkx+7X1aFp1f2wN2DQ4ecGF4EAAVHwFz8H4eQgsbLsa6
+7DV3BACj1cBwCf8tckWsvFtQfCP4CiBB50Ku49MU2Nfwq7durfIiePF4IIYRDZgg
+kHKSfP3oUZBGJx00BujtTobERraaV7lIRIwETZao76MqGt9K1uIqw4NT/jAbi9ce
+rFaOmAkaujbcB11HYIyjtkAGq9mXxaVqCC3RPWGr+fqAx/akBLQ2UGVyY29uYSBN
+eVNRTCBEZXZlbG9wbWVudCBUZWFtIDxteXNxbC1kZXZAcGVyY29uYS5jb20+iGAE
+ExECACAFAksm3aECGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAcTL3NzS79
+Kpk/AKCQKSEgwX9r8jR+6tAnCVpzyUFOQwCfX+fw3OAoYeFZB3eu2oT8OBTiVYu5
+Ag0ESybdoRAIAKKUV8rbqlB8qwZdWlmrwQqg3o7OpoAJ53/QOIySDmqy5TmNEPLm
+lHkwGqEqfbFYoTbOCEEJi2yFLg9UJCSBM/sfPaqb2jGP7fc0nZBgUBnFuA9USX72
+O0PzVAF7rCnWaIz76iY+AMI6xKeRy91TxYo/yenF1nRSJ+rExwlPcHgI685GNuFG
+chAExMTgbnoPx1ka1Vqbe6iza+FnJq3f4p9luGbZdSParGdlKhGqvVUJ3FLeLTqt
+caOn5cN2ZsdakE07GzdSktVtdYPT5BNMKgOAxhXKy11IPLj2Z5C33iVYSXjpTelJ
+b2qHvcg9XDMhmYJyE3O4AWFh2no3Jf4ypIcABA0IAJO8ms9ov6bFqFTqA0UW2gWQ
+cKFN4Q6NPV6IW0rV61ONLUc0VFXvYDtwsRbUmUYkB/L/R9fHj4lRUDbGEQrLCoE+
+/HyYvr2rxP94PT6Bkjk/aiCCPAKZRj5CFUKRpShfDIiow9qxtqv7yVd514Qqmjb4
+eEihtcjltGAoS54+6C3lbjrHUQhLwPGqlAh8uZKzfSZq0C06kTxiEqsG6VDDYWy6
+L7qaMwOqWdQtdekKiCk8w/FoovsMYED2qlWEt0i52G+0CjoRFx2zNsN3v4dWiIhk
+ZSL00Mx+g3NA7pQ1Yo5Vhok034mP8L2fBLhhWaK3LG63jYvd0HLkUFhNG+xjkpeI
+SQQYEQIACQUCSybdoQIbDAAKCRAcTL3NzS79KlacAJ0aAkBQapIaHNvmAhtVjLPN
+wke4ZgCePe3sPPF49lBal7QaYPdjqapa1SQ=
+=qcCk
+-----END PGP PUBLIC KEY BLOCK-----
--- a/percona/tasks/main.yml
+++ b/percona/tasks/main.yml
@ -0,0 +1,45 @@
+---
+
+- set_fact:
+    percona__apt_config_package_file: "percona-release_latest.{{ ansible_distribution_release }}_all.deb"
+
+- name: Add Percona's official GPG key
+  apt_key:
+    data: "{{ lookup('file', 'percona.asc') }}"
+
+- name: Check if percona-release is installed
+  command: "dpkg -l percona-release"
+  failed_when: False
+  changed_when: False
+  register: percona__apt_config_package_installed
+
+- name: Percona APT config package is available
+  copy:
+    src: "{{ percona__apt_config_package_file }}"
+    dest: "/root/{{ percona__apt_config_package_file }}"
+  when: not percona__apt_config_package_installed
+
+# - include_role:
+#     name: remount-usr
+
+- name: Percona APT config package is installed from deb file
+  apt:
+    deb: "/root/{{ percona__apt_config_package_file }}"
+    state: present
+  register: percona__apt_config_deb
+  when: not percona__apt_config_package_installed
+
+- name: Percona APT config package is installed from repository
+  apt:
+    name: percona-release
+    state: latest
+  register: percona__apt_config_deb
+  when: percona__apt_config_package_installed
+
+- name: APT cache is up-to-date
+  apt:
+    update_cache: yes
+  when: percona__apt_config_deb | changed
+
+- include: xtrabackup.yml
+  when: percona__install_xtrabackup
--- a/percona/tasks/xtrabackup.yml
+++ b/percona/tasks/xtrabackup.yml
@ -0,0 +1,16 @@
+---
+
+- name: Percona Tools is enabled
+  command: percona-release enable tools release
+  # changed_when: 
+  # register: percona__release_enable_tools
+
+- name: APT cache is up-to-date
+  apt:
+    update_cache: yes
+  # when: percona__release_enable_tools | changed
+
+- name: Percona XtraBackup package is installed
+  apt:
+    name: "{{ percona__xtrabackup_package_name }}"
+    state: present
--- a/proftpd/defaults/main.yml
+++ b/proftpd/defaults/main.yml
@ -2,6 +2,13 @@
 proftpd_hostname: "{{ ansible_hostname }}"
 proftpd_fqdn: "{{ ansible_fqdn }}"
 proftpd_default_address: []
-proftpd_port: "21"
+proftpd_ftp_enable: True
+proftpd_port: 21
+proftpd_ftps_enable: False
+proftpd_ftps_port: 990
+proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+proftpd_sftp_enable: False
+proftpd_sftp_port: 2222
 proftpd_accounts: []
 proftpd_accounts_final: []
--- a/proftpd/tasks/accounts.yml
+++ b/proftpd/tasks/accounts.yml
@ -25,7 +25,7 @@
  tags:
    - proftpd

- name: Allow FTP account
+- name: Allow FTP account (FTP)
  lineinfile:
    dest: /etc/proftpd/conf.d/z-evolinux.conf
    state: present
@ -33,5 +33,30 @@
    insertbefore: "DenyAll"
  with_items: "{{ proftpd_accounts_final }}"
  notify: restart proftpd
+  when: proftpd_ftp_enable
+  tags:
+    - proftpd
+
+- name: Allow FTP account (FTPS)
+  lineinfile:
+    dest: /etc/proftpd/conf.d/ftps.conf
+    state: present
+    line: "\tAllowUser {{ item.name }}"
+    insertbefore: "DenyAll"
+  with_items: "{{ proftpd_accounts_final }}"
+  notify: restart proftpd
+  when: proftpd_ftps_enable
+  tags:
+    - proftpd
+
+- name: Allow FTP account (SFTP)
+  lineinfile:
+    dest: /etc/proftpd/conf.d/sftp.conf
+    state: present
+    line: "\tAllowUser {{ item.name }}"
+    insertbefore: "DenyAll"
+  with_items: "{{ proftpd_accounts_final }}"
+  notify: restart proftpd
+  when: proftpd_sftp_enable
  tags:
    - proftpd
--- a/proftpd/tasks/main.yml
+++ b/proftpd/tasks/main.yml
@ -15,13 +15,36 @@
  tags:
    - proftpd

- name: local jail is installed
+- name: FTP jail is installed
  template:
    src: evolinux.conf.j2
    dest: /etc/proftpd/conf.d/z-evolinux.conf
    mode: "0644"
    force: no
  notify: restart proftpd
+  when: proftpd_ftp_enable
+  tags:
+    - proftpd
+
+- name: FTPS jail is installed
+  template:
+    src: ftps.conf.j2
+    dest: /etc/proftpd/conf.d/ftps.conf
+    mode: "0644"
+    force: no
+  notify: restart proftpd
+  when: proftpd_ftps_enable
+  tags:
+    - proftpd
+
+- name: SFTP jail is installed
+  template:
+    src: sftp.conf.j2
+    dest: /etc/proftpd/conf.d/sftp.conf
+    mode: "0644"
+    force: no
+  notify: restart proftpd
+  when: proftpd_sftp_enable
  tags:
    - proftpd

--- a/proftpd/templates/ftps.conf.j2
+++ b/proftpd/templates/ftps.conf.j2
@ -0,0 +1,33 @@
+<IfModule !mod_tls.c>
+    LoadModule mod_tls.c
+</IfModule>
+
+<VirtualHost 0.0.0.0>
+    TLSEngine                               on
+    TLSLog                                  /var/log/proftpd/ftps.log
+    TLSProtocol                             TLSv1
+    
+    TLSRSACertificateFile                   {{ proftpd_ftps_cert }}
+    TLSRSACertificateKeyFile                {{ proftpd_ftps_key }}
+    
+    #TLSOptions                             AllowClientRenegotiations
+    
+    TLSOptions                              AllowPerUser
+    TLSVerifyClient                         off
+    TLSRequired                             off
+    
+    TLSRenegotiate                          required off
+    TLSOptions                              NoSessionReuseRequired
+    
+    RequireValidShell                       off
+    Port                                    {{ proftpd_ftps_port }}
+    AuthUserFile                            /etc/proftpd/vpasswd
+    DefaultRoot                             ~
+    
+    PassivePorts                            60000 61000
+    
+    <Limit LOGIN>
+        AllowGroup ftpusers
+        DenyAll
+    </Limit>
+</VirtualHost>
--- a/proftpd/templates/sftp.conf.j2
+++ b/proftpd/templates/sftp.conf.j2
@ -0,0 +1,28 @@
+<IfModule !mod_tls.c>
+    LoadModule mod_tls.c
+</IfModule>
+
+<IfModule !mod_sftp.c>
+    LoadModule mod_sftp.c
+</IfModule>
+
+<VirtualHost 0.0.0.0>
+    SFTPEngine   on
+    Port         {{ proftpd_sftp_port }}
+    DefaultRoot  ~
+    
+    SFTPLog      /var/log/proftpd/sftp.log
+    
+    SFTPAuthMethods password
+    SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
+    SFTPHostKey /etc/ssh/ssh_host_rsa_key
+    
+    RequireValidShell off
+    
+    AuthUserFile /etc/proftpd/vpasswd
+    
+    <Limit LOGIN>
+        AllowGroup ftpusers
+        DenyAll
+    </Limit>
+</VirtualHost>
--- a/redis/defaults/main.yml
+++ b/redis/defaults/main.yml
@ -5,6 +5,7 @@ redis_conf_path: /etc/redis/redis.conf
 redis_port: 6379
 redis_bind_interface: 127.0.0.1
 redis_unixsocket: '/var/run/redis/redis.sock'
+redis_unixsocketperm: 770
 redis_pidfile: "/var/run/redis/{{ redis_daemon }}.pid"
 redis_timeout: 300

--- a/redis/templates/redis.conf.j2
+++ b/redis/templates/redis.conf.j2
@ -5,6 +5,7 @@ bind {{ redis_bind_interface }}

 {% if redis_unixsocket %}
 unixsocket {{ redis_unixsocket }}
+unixsocketperm {{ redis_unixsocketperm }}
 {% endif %}

 {% if redis_password %}
--- a/redmine/defaults/main.yml
+++ b/redmine/defaults/main.yml
@ -3,6 +3,7 @@ puma_env: 'production'
 puma_worker: 2
 puma_min_thread: 0
 puma_max_thread: 4
+redmine_version: "4.0.1"
 redmine_db_name: "{{ redmine_user }}"
 redmine_db_host: "localhost"
 redmine_db_username: "{{ redmine_user }}"
--- a/redmine/files/Gemfile.local
+++ b/redmine/files/Gemfile.local
@ -1,2 +0,0 @@
-gem "puma"
-gem "xpath", "< 3.0.0"
--- a/redmine/files/logrotate
+++ b/redmine/files/logrotate
@ -0,0 +1,8 @@
+/var/log/redmine/*.log {
+    daily
+    rotate 7
+    missingok
+    notifempty
+    compress
+    create 640 root adm
+}
--- a/redmine/files/profile
+++ b/redmine/files/profile
@ -12,7 +12,7 @@ fi

 # set PATH so it includes gems bin
 if [ -d "$HOME/bin" ] ; then
-    export PATH="$HOME/.gems/ruby/2.1.0/bin:$PATH"
+    export PATH="$HOME/www/.gem/ruby/2.3.0/bin:$PATH"
 fi

 # For systemctl --user
@ -20,4 +20,3 @@ export XDG_RUNTIME_DIR=/run/user/$UID

 # Ruby vars
 export RAILS_ENV=production
-export BUNDLE_GEMFILE="$HOME/www/Gemfile"
--- a/redmine/files/puma.service
+++ b/redmine/files/puma.service
@ -7,7 +7,7 @@ WorkingDirectory=%h/www
 UMask=0027
 PIDFile=%h/ruby.pid
 ExecStartPre=/bin/mkdir -m 0750 -p %h/run
-ExecStart=/usr/bin/bundle exec puma --bind unix://%h/run/puma.sock?umask=0007 --pidfile %h/run/puma.pid --dir %h/www --config /etc/puma/%u.rb
+ExecStart=%h/.rbenv/bin/rbenv exec bundle exec puma --bind unix://%h/run/puma.sock?umask=0007 --pidfile %h/run/puma.pid --dir %h/www --config %h/config/puma.rb
 ExecReload=/bin/kill -USR2 $MAINPID
 KillMode=process
 #Restart=on-failure
--- a/redmine/files/syslog.conf
+++ b/redmine/files/syslog.conf
@ -0,0 +1,4 @@
+# Send Redmine messages to a dedicated logdir
+$template Redmine, "/var/log/redmine/%PROGRAMNAME:%.log"
+if $programname startswith 'redmine_' then ?Redmine
+&~
--- a/redmine/handlers/main.yml
+++ b/redmine/handlers/main.yml
@ -0,0 +1,10 @@
+---
+- name: restart rsyslog
+  service:
+    name: rsyslog
+    state: restarted
+
+- name: reload nginc
+  service:
+    name: nginx
+    state: reloaded
--- a/redmine/meta/main.yml
+++ b/redmine/meta/main.yml
@ -0,0 +1,3 @@
+---
+dependencies:
+  - nginx
--- a/redmine/tasks/config.yml
+++ b/redmine/tasks/config.yml
@ -0,0 +1,59 @@
+---
+- name: Create systemd config dir
+  file:
+    state: directory
+    dest: "/home/{{ redmine_user }}/{{ item }}"
+    mode: "0750"
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+  with_items:
+  - ".config"
+  - ".config/systemd"
+  - ".config/systemd/user"
+  tags:
+    - redmine
+
+- name: Deploy systemd unit
+  copy:
+    src: puma.service
+    dest: "/home/{{ redmine_user }}/.config/systemd/user/puma.service"
+    mode: "0644"
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+  tags:
+    - redmine
+
+- name: Set user .profile
+  copy:
+    src: profile
+    dest: "/home/{{ redmine_user }}/.profile"
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0640"
+  tags:
+    - redmine
+
+- name: Create config directory
+  file:
+    path: "/home/{{ redmine_user }}/config"
+    state: directory
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0750"
+  tags:
+    - redmine
+
+- name: Copy configurations file
+  template:
+    src: "{{ item }}.j2"
+    dest: "/home/{{ redmine_user }}/config/{{ item }}"
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0640"
+  with_items:
+    - 'configuration.yml'
+    - 'database.yml'
+    - 'additional_environment.rb'
+    - 'puma.rb'
+  tags:
+    - redmine
--- a/redmine/tasks/main.yml
+++ b/redmine/tasks/main.yml
@ -1,319 +1,13 @@
 ---
- name: Install dependancy
-  apt:
-    name: "{{ item }}"
-    state: present
-  with_items:
-    - libpam-systemd
-    - ruby
-    - ruby-dev
-    - bundler
-    - imagemagick
-    - git-core
-    - git-svn
-    - gcc
-    - build-essential
-    - libxml2-dev
-    - libxslt1-dev
-    - libssl-dev
-    - libmagickwand-dev
-    - libmagickcore-dev
-    - libmysqlclient-dev
-    - python-mysqldb
-  tags:
-    - redmine
-
-#- name:
-#  lineinfile:
-#  with_items:
-#  - 'https://github.com/.*'
-#  - 'http://rubygems.org/.*'
-#  - 'http://.*.rubygems.org/.*'
-#  tags:
-#  - redmine
-
- name: Deploy systemd unit
-  copy:
-    src: puma.service
-    dest: /etc/systemd/user/puma.service
-    mode: "0644"
-  tags:
-    - redmine
-
- name: Create puma config dir
-  file:
-    path: /etc/puma
-    state: directory
-    mode: "0755"
-    owner: root
-  tags:
-    - redmine
-
- name: Create redmine group
-  group:
-    name: "{{ redmine_user }}"
-    state: present
-  tags:
-    - redmine
-
- name: Add www-data to redmine group
-  user:
-    name: www-data
-    groups: "{{ redmine_user }}"
-    append: yes
-  tags:
-    - redmine
-
- name: Create redmine user
-  user:
-    name: "{{ redmine_user }}"
-    state: present
-    group: "{{ redmine_user }}"
-    createhome: yes
-    home: "/home/{{ redmine_user }}"
-    shell: /bin/bash
-  tags:
-    - redmine
-
- name: Create required directory
-  file:
-    path: "{{ item }}"
-    state: directory
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0750"
-  with_items:
-    - "/home/{{ redmine_user }}"
-    - "/home/{{ redmine_user }}/files"
-    - "/home/{{ redmine_user }}/log"
-  tags:
-    - redmine
-
- name: Touch Nginx logs file
-  file:
-    path: "/home/{{ redmine_user }}/log/{{ item }}"
-    state: touch
-    owner: "root"
-    group: "{{ redmine_user }}"
-    mode: "0640"
-  changed_when: false
-  with_items:
-    - nginx_access.log
-    - nginx_error.log
-  tags:
-    - redmine
-
- name: Enable systemd user mode
-  command: "loginctl enable-linger {{ redmine_user }}"
-  changed_when: false
-
- name: Set user .profile
-  copy:
-    src: profile
-    dest: "/home/{{ redmine_user }}/.profile"
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0640"
-  tags:
-    - redmine
-
- name: Update or clone Redmine git
-  git:
-    repo: 'https://github.com/redmine/redmine.git'
-    dest: "/home/{{ redmine_user }}/www"
-    version: '3.4-stable'
-    umask: "027"
-    update: yes
-  become_user: "{{ redmine_user }}"
-  become: yes
-  register: redmine_git_task
-  tags:
-    - redmine
-
- name: Deploy custom Gemfile
-  copy:
-    src: Gemfile.local
-    dest: "/home/{{ redmine_user }}/www"
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0640"
-  register: redmine_local_gemfile_task
-  tags:
-    - redmine
-
- name: Get actual Mysql password
-  shell: "grep password /home/{{ redmine_user }}/.my.cnf | awk '{ print $3 }'"
-  register: redmine_get_mysql_password
-  check_mode: no
-  changed_when: False
-  failed_when: false
-  tags:
-    - redmine
-
- name: Generate Mysql password
-  shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'
-  register: redmine_generate_mysql_password
-  check_mode: no
-  changed_when: False
-  when: redmine_get_mysql_password.stdout == ""
-  tags:
-  - redmine
-
- name: Set Mysql password
-  set_fact:
-    redmine_db_pass: "{{ redmine_generate_mysql_password.stdout | default(redmine_get_mysql_password.stdout) }}"
-  tags:
-    - redmine
-
- name: Create Mysql database
-  mysql_db:
-    name: "{{ redmine_db_name }}"
-    config_file: "/root/.my.cnf"
-    state: present
-  tags:
-    - redmine
-
- name: Create Mysql user
-  mysql_user:
-    name: "{{ redmine_db_username }}"
-    password: '{{ redmine_db_pass }}'
-    priv: "{{ redmine_user }}.*:ALL"
-    config_file: "/root/.my.cnf"
-    update_password: always
-    state: present
-  tags:
-    - redmine
-
- name: Store credentials in my.cnf
-  ini_file:
-    dest: "/home/{{ redmine_user }}/.my.cnf"
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0600"
-    section: client
-    option: '{{ item.option }}'
-    value: '{{ item.value }}'
-  with_items:
-    - { option: 'host', value: "{{ redmine_db_host }}" }
-    - { option: 'user', value: "{{ redmine_db_username }}" }
-    - { option: 'database', value: "{{ redmine_db_name }}" }
-    - { option: 'password', value: '{{ redmine_db_pass }}' }
-  tags:
-    - redmine
-
- name: Copy configurations file
-  template:
-    src: "{{ item }}.j2"
-    dest: "/home/{{ redmine_user }}/www/config/{{ item }}"
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0640"
-  with_items:
-    - 'configuration.yml'
-    - 'database.yml'
-    - 'additional_environment.rb'
-  tags:
-    - redmine
-
- name: Install Redmine plugins
-  include: plugins.yml
-  with_items: "{{ redmine_plugins }}"
-  tags:
-    - redmine
-
- name: Install Redmine themes
-  include: themes.yml
-  with_items: "{{ redmine_themes }}"
-  tags:
-    - redmine
-
- name: Update local gems with bundle
-  bundler:
-    state: present
-    gemfile: "/home/{{ redmine_user }}/www/Gemfile"
-    gem_path: "/home/{{ redmine_user }}/.gems"
-    user_install: yes
-  become_user: "{{ redmine_user }}"
-  become: yes
-  when: redmine_git_task.changed or redmine_local_gemfile_task.changed or redmine_plugin_install.changed
-  tags:
-    - redmine
-
- name: Migrate database with rake
-  shell: bundle exec rake -qf ~/www/Rakefile db:migrate
-  become_user: "{{ redmine_user }}"
-  become_method: sudo
-  become_flags: '-iu {{ redmine_user }}'
-  become: yes
-  when: redmine_git_task.changed
-  tags:
-    - redmine
-
- name: Populate Mysql database
-  shell: bundle exec rake -qf ~/www/Rakefile redmine:load_default_data REDMINE_LANG=fr && touch ~/.populated
-  args:
-    creates: "/home/{{ redmine_user }}/.populated"
-  become_user: "{{ redmine_user }}"
-  become_method: sudo
-  become_flags: '-iu {{ redmine_user }}'
-  become: yes
-  tags:
-    - redmine
-
- name: Migrate plugins
-  shell: bundle exec rake -qf ~/www/Rakefile redmine:plugins:migrate
-  become_user: "{{ redmine_user }}"
-  become_method: sudo
-  become_flags: '-iu {{ redmine_user }}'
-  become: yes
-  when: redmine_plugin_install.changed
-  tags:
-    - redmine
-
- name: Generate secret token
-  shell: bundle exec rake -qf ~/www/Rakefile generate_secret_token
-  args:
-    creates: "/home/{{ redmine_user }}/www/config/initializers/secret_token.rb"
-  become_user: "{{ redmine_user }}"
-  become_method: sudo
-  become_flags: '-iu {{ redmine_user }}'
-  become: yes
-  tags:
-    - redmine
-
- name: Copy puma config
-  template:
-    src: puma.rb.j2
-    dest: "/etc/puma/{{ redmine_user }}.rb"
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0640"
-  register: redmine_puma_config_task
-  tags:
-  - redmine
-
- name: Start puma service
-  systemd:
-    name: puma
-    daemon_reload: yes
-    enabled: yes
-    state: started
-    user: yes
-  become_user: "{{ redmine_user }}"
-  become_method: sudo
-  become_flags: '-iu {{ redmine_user }}'
-  become: yes
-  tags:
-    - redmine
-
- name: Reload puma service
-  systemd:
-    name: puma
-    daemon_reload: yes
-    state: reloaded
-    user: yes
-  become_user: "{{ redmine_user }}"
-  become_method: sudo
-  become_flags: '-iu {{ redmine_user }}'
-  become: yes
-  when: redmine_puma_config_task.changed
+- include: packages.yml
+- include: syslog.yml
+- include: user.yml
+- include_role:
+    name: rbenv
+  vars:
+    - username: "{{ redmine_user }}"
+- include: config.yml
+- include: mysql.yml
+- include: source.yml
+- include: release.yml
+- include: nginx.yml
--- a/redmine/tasks/mysql.yml
+++ b/redmine/tasks/mysql.yml
@ -0,0 +1,62 @@
+---
+- name: Get actual Mysql password
+  shell: "grep password /home/{{ redmine_user }}/.my.cnf | awk '{ print $3 }'"
+  register: redmine_get_mysql_password
+  check_mode: no
+  changed_when: False
+  failed_when: false
+  tags:
+    - redmine
+
+- name: Generate Mysql password
+  shell: perl -e 'print map{("a".."z","A".."Z",0..9)[int(rand(62))]}(1..16)'
+  register: redmine_generate_mysql_password
+  check_mode: no
+  changed_when: False
+  when: redmine_get_mysql_password.stdout == ""
+  tags:
+  - redmine
+
+- name: Set Mysql password
+  set_fact:
+    redmine_db_pass: "{{ redmine_generate_mysql_password.stdout | default(redmine_get_mysql_password.stdout) }}"
+  tags:
+    - redmine
+
+- name: Create Mysql database
+  mysql_db:
+    name: "{{ redmine_db_name }}"
+    config_file: "/root/.my.cnf"
+    state: present
+    collation: "utf8_general_ci"
+  register: redmine_mysql_create
+  tags:
+    - redmine
+
+- name: Store credentials in my.cnf
+  ini_file:
+    dest: "/home/{{ redmine_user }}/.my.cnf"
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0600"
+    section: client
+    option: '{{ item.option }}'
+    value: '{{ item.value }}'
+  with_items:
+    - { option: 'host', value: "{{ redmine_db_host }}" }
+    - { option: 'user', value: "{{ redmine_db_username }}" }
+    - { option: 'database', value: "{{ redmine_db_name }}" }
+    - { option: 'password', value: '{{ redmine_db_pass }}' }
+  tags:
+    - redmine
+
+- name: Create Mysql user
+  mysql_user:
+    name: "{{ redmine_db_username }}"
+    password: '{{ redmine_db_pass }}'
+    priv: "{{ redmine_user }}.*:ALL"
+    config_file: "/root/.my.cnf"
+    update_password: always
+    state: present
+  tags:
+    - redmine
--- a/redmine/tasks/nginx.yml
+++ b/redmine/tasks/nginx.yml
@ -0,0 +1,26 @@
+---
+- name: Add www-data to Redmine group
+  user:
+    name: www-data
+    groups: "{{ redmine_user }}"
+    append: True
+  tags:
+    - redmine
+
+- name: Copy nginx vhost
+  template:
+    src: nginx.conf.j2
+    dest: "/etc/nginx/sites-available/{{ redmine_user }}.conf"
+    mode: "0644"
+  notify: reload nginx
+  tags:
+    - redmine
+
+- name: Enable nginx vhost
+  file:
+    src: "/etc/nginx/sites-available/{{ redmine_user }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ redmine_user }}.conf"
+    state: link
+  notify: reload nginx
+  tags:
+    - redmine
--- a/redmine/tasks/packages.yml
+++ b/redmine/tasks/packages.yml
@ -0,0 +1,21 @@
+---
+- name: Install dependancy
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - libpam-systemd
+    - imagemagick
+    - git-core
+    - git-svn
+    - gcc
+    - build-essential
+    - libxml2-dev
+    - libxslt1-dev
+    - libssl-dev
+    - libmagickwand-dev
+    - libmagickcore-dev
+    - libmariadbclient-dev
+    - python-mysqldb
+  tags:
+    - redmine
--- a/redmine/tasks/plugins.yml
+++ b/redmine/tasks/plugins.yml
@ -1,28 +0,0 @@
---
- name: Copy/Update plugin from archive
-  unarchive:
-    src: "{{ item.zip }}"
-    dest: "/home/{{ redmine_user }}/www/plugins/"
-    remote_src: yes
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0750"
-  register: redmine_plugin_install
-  when: item.zip is defined
-
- name: Copy/Update plugin from git repository
-  git:
-    repo: "{{ item.git }}"
-    dest: "/home/{{ redmine_user }}/www/plugins/{{ item.git | basename | splitext | first }}"
-    version: "{{ item.tree | default('master') }}"
-  register: redmine_plugin_install
-  when: item.git is defined
-
- name: Fix rights on plugin dir
-  file:
-    path: "/home/{{ redmine_user }}/www/plugins/{{ item.git | basename | splitext | first }}"
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "u=rwX,g=rX,o="
-    recurse: True
-  when: item.git is defined
--- a/redmine/tasks/release.yml
+++ b/redmine/tasks/release.yml
@ -0,0 +1,123 @@
+---
+- name: Get id of user
+  command: "id -u {{ redmine_user }}"
+  register: redmine_command_user_id
+  changed_when: False
+  check_mode: False
+  tags:
+    - redmine
+
+- name: Define user environment
+  set_fact:
+    user_env:
+      XDG_RUNTIME_DIR: "/run/user/{{ redmine_command_user_id.stdout }}"
+      RAILS_ENV: production
+  tags:
+    - redmine
+
+- name: Stop puma service
+  systemd:
+    name: puma
+    daemon_reload: yes
+    state: stopped
+    user: yes
+  become_user: "{{ redmine_user }}"
+  environment: "{{ user_env }}"
+  tags:
+    - redmine
+
+- name: Create mysqldump directory
+  file:
+    path: "/home/{{ redmine_user }}/mysqldump"
+    state: directory
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0750"
+  tags:
+    - redmine
+
+- name: Dump mysql database
+  mysql_db:
+    state: dump
+    config_file: "/home/{{ redmine_user }}/.my.cnf"
+    name: "{{ redmine_db_name }}"
+    target: "/home/{{ redmine_user }}/mysqldump/{{ ansible_date_time.iso8601_basic_short }}.sql.gz"
+  tags:
+    - redmine
+
+- name: Change www link
+  file:
+    state: link
+    src: "/home/{{ redmine_user }}/releases/{{ redmine_version }}"
+    dest: "/home/{{ redmine_user }}/www"
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+  tags:
+    - redmine
+
+- name: Update Gemfile.lock
+  command: "~/.rbenv/bin/rbenv exec bundle lock"
+  args:
+    chdir: "/home/{{ redmine_user }}/www"
+  become_user: "{{ redmine_user }}"
+  become: yes
+  tags:
+    - redmine
+
+- name: Update local gems with bundle
+  command: "~/.rbenv/bin/rbenv exec bundle install --deployment"
+  args:
+    chdir: "/home/{{ redmine_user }}/www"
+  become_user: "{{ redmine_user }}"
+  become: yes
+  tags:
+    - redmine
+
+- name: Generate secret token
+  command: "~/.rbenv/bin/rbenv exec bundle exec rake -q generate_secret_token"
+  args:
+    chdir: "/home/{{ redmine_user }}/www"
+    creates: "/home/{{ redmine_user }}/www/config/initializers/secret_token.rb"
+  become_user: "{{ redmine_user }}"
+  environment: "{{ user_env }}"
+  tags:
+    - redmine
+
+- name: Migrate database with rake
+  command: "~/.rbenv/bin/rbenv exec bundle exec rake -q db:migrate"
+  args:
+    chdir: "/home/{{ redmine_user }}/www/"
+  become_user: "{{ redmine_user }}"
+  environment: "{{ user_env }}"
+  tags:
+    - redmine
+
+- name: Populate Mysql database
+  command: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:load_default_data REDMINE_LANG=fr"
+  args:
+    chdir: "/home/{{ redmine_user }}/www/"
+  become_user: "{{ redmine_user }}"
+  environment: "{{ user_env }}"
+  when: redmine_mysql_create.changed
+  tags:
+    - redmine
+
+- name: Migrate plugins
+  command: "~/.rbenv/bin/rbenv exec bundle exec rake -q redmine:plugins:migrate"
+  args:
+    chdir: "/home/{{ redmine_user }}/www/"
+  become_user: "{{ redmine_user }}"
+  environment: "{{ user_env }}"
+  tags:
+    - redmine
+
+- name: Start puma service
+  systemd:
+    name: puma
+    daemon_reload: yes
+    state: started
+    user: yes
+  become_user: "{{ redmine_user }}"
+  environment: "{{ user_env }}"
+  tags:
+    - redmine
--- a/redmine/tasks/source.yml
+++ b/redmine/tasks/source.yml
@ -0,0 +1,98 @@
+---
+- name: Create releases directory
+  file:
+    path: "/home/{{ redmine_user }}/{{ item }}"
+    state: directory
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0750"
+  with_items:
+  - "releases"
+  - "releases/{{ redmine_version }}"
+  tags:
+    - redmine
+
+- name: Download Redmine archive
+  unarchive:
+    src: "https://redmine.org/releases/redmine-{{ redmine_version }}.tar.gz"
+    dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}"
+    remote_src: True
+    extra_opts: --strip-components=1
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+  tags:
+    - redmine
+
+- name: Link config files
+  file:
+    state: link
+    src: "/home/{{ redmine_user }}/config/{{ item }}"
+    dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/config/{{ item }}"
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+  with_items:
+    - 'configuration.yml'
+    - 'database.yml'
+    - 'additional_environment.rb'
+  tags:
+    - redmine
+
+- name: Copy/Update plugin from archive
+  unarchive:
+    src: "{{ item.zip }}"
+    dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/plugins/"
+    remote_src: yes
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0750"
+  when: item.zip is defined
+  with_items: "{{ redmine_plugins }}"
+  tags:
+    - redmine
+
+- name: Copy/Update plugin from git repository
+  git:
+    repo: "{{ item.git }}"
+    dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/plugins/{{ item.git | basename | splitext | first }}"
+    version: "{{ item.tree | default('master') }}"
+    umask: "027"
+  become_user: "{{ redmine_user }}"
+  when: item.git is defined
+  with_items: "{{ redmine_plugins }}"
+  tags:
+    - redmine
+
+- name: Copy/Update theme from archive
+  unarchive:
+    src: "{{ item.zip }}"
+    dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/public/themes"
+    remote_src: yes
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0750"
+  when: item.zip is defined
+  with_items: "{{ redmine_themes }}"
+  tags:
+    - redmine
+
+- name: Copy/Update theme from git repository
+  git:
+    repo: "{{ item.git }}"
+    dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/public/themes/{{ item.git | basename | splitext | first }}"
+    version: "{{ item.tree | default('master') }}"
+    umask: "027"
+  become_user: "{{ redmine_user }}"
+  when: item.git is defined
+  with_items: "{{ redmine_themes }}"
+  tags:
+    - redmine
+
+- name: Deploy custom Gemfile
+  template:
+    src: Gemfile.local.j2
+    dest: "/home/{{ redmine_user }}/releases/{{ redmine_version }}/Gemfile.local"
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0640"
+  tags:
+    - redmine
--- a/redmine/tasks/syslog.yml
+++ b/redmine/tasks/syslog.yml
@ -0,0 +1,27 @@
+---
+- name: Create log directory
+  file:
+    state: directory
+    dest: /var/log/redmine
+    owner: root
+    group: adm
+    mode: "0750"
+  tags:
+    - redmine
+
+- name: Copy syslog configuration
+  copy:
+    src: syslog.conf
+    dest: /etc/rsyslog.d/redmine.conf
+    mode: "0644"
+  notify: restart rsyslog
+  tags:
+    - redmine
+
+- name: Copy logrotate configuration
+  copy:
+    src: logrotate
+    dest: /etc/logrotate.d/redmine
+    mode: "0644"
+  tags:
+    - redmine
--- a/redmine/tasks/themes.yml
+++ b/redmine/tasks/themes.yml
@ -1,26 +0,0 @@
---
- name: Copy/Update theme from archive
-  unarchive:
-    src: "{{ item.zip }}"
-    dest: "/home/{{ redmine_user }}/www/public/themes/"
-    remote_src: yes
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0750"
-  when: item.zip is defined
-
- name: Copy/Update theme from git repository
-  git:
-    repo: "{{ item.git }}"
-    dest: "/home/{{ redmine_user }}/www/public/themes/{{ item.git | basename | splitext | first }}"
-    version: "{{ item.tree | default('master') }}"
-  when: item.git is defined
-
- name: Fix rights on theme dir
-  file:
-    path: "/home/{{ redmine_user }}/www/public/themes/{{ item.git | basename | splitext | first }}"
-    owner: "{{ redmine_user }}"
-    group: "{{ redmine_user }}"
-    mode: "0750"
-    recurse: True
-  when: item.git is defined
--- a/redmine/tasks/user.yml
+++ b/redmine/tasks/user.yml
@ -0,0 +1,44 @@
+---
+- name: Create redmine group
+  group:
+    name: "{{ redmine_user }}"
+    state: present
+  tags:
+    - redmine
+
+- name: Create redmine user
+  user:
+    name: "{{ redmine_user }}"
+    state: present
+    group: "{{ redmine_user }}"
+    createhome: yes
+    home: "/home/{{ redmine_user }}"
+    shell: /bin/bash
+  tags:
+    - redmine
+
+- name: Add redmine user to Redis group
+  user:
+    name: "{{ redmine_user }}"
+    groups: "redis-{{ redmine_user }}"
+    append: True
+  when: redmine_redis_path is defined
+  tags:
+    - redmine
+
+- name: Create required directory
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ redmine_user }}"
+    group: "{{ redmine_user }}"
+    mode: "0750"
+  with_items:
+    - "/home/{{ redmine_user }}"
+    - "/home/{{ redmine_user }}/files"
+  tags:
+    - redmine
+
+- name: Enable systemd user mode
+  command: "loginctl enable-linger {{ redmine_user }}"
+  changed_when: false
--- a/redmine/templates/Gemfile.local.j2
+++ b/redmine/templates/Gemfile.local.j2
@ -0,0 +1,5 @@
+gem "syslogger"
+{% if redmine_redis_path is defined %}
+gem "redis-rails"
+gem "redis-rack-cache"
+{% endif %}
--- a/redmine/templates/additional_environment.rb.j2
+++ b/redmine/templates/additional_environment.rb.j2
@ -1,2 +1,13 @@
-config.paths['log'] = "/home/{{ redmine_user }}/log/redmine.log"
-config.log_level = :warn
+config.log_level = :info
+config.logger = Syslogger.new("redmine_{{ redmine_user }}")
+{% if redmine_redis_path is defined %}
+config.session_store :redis_store,
+  servers: { path: '{{ redmine_redis_path }}', db: 0, namespace: "session" }
+config.cache_store = :redis_store,
+  "redis://{{ redmine_redis_path }}/cache_rails",
+  { expires_in: 90.minutes }
+config.action_dispatch.rack_cache = {
+  metastore: "redis://{{ redmine_redis_path }}/cache_metastore",
+  entitystore: "redis://{{ redmine_redis_path }}/cache_entitystore"
+}
+{% endif %}
--- a/redmine/templates/nginx.conf.j2
+++ b/redmine/templates/nginx.conf.j2
@ -0,0 +1,44 @@
+upstream puma_{{ redmine_user }} {
+        server          unix:/home/{{ redmine_user }}/run/puma.sock fail_timeout=0;
+}
+server {
+        server_name     {{ redmine_domain }};
+
+        listen          0.0.0.0:80;
+        listen          [::]:80;
+        listen          0.0.0.0:443 ssl http2;
+        listen          [::]:443 ssl http2;
+
+        if ( $scheme = http ) {
+            return      301 https://$server_name$request_uri;
+        }
+
+        include /etc/nginx/ssl/{{ redmine_user }}[.]conf;
+        root            /home/{{ redmine_user }}/www/public;
+        access_log      /var/log/nginx/{{ redmine_user }}_access.log;
+        error_log       /var/log/nginx/{{ redmine_user }}_error.log;
+        error_page      503 @maintenance;
+        client_max_body_size 50M;
+
+        include /etc/nginx/snippets/letsencrypt[.]conf;
+
+        location / {
+                if (!-f /home/{{ redmine_user }}/run/puma.pid) {
+                        return 503;
+                }
+                try_files $uri @puma;
+        }
+
+        location @maintenance {
+                rewrite ^(.*)$    /500.html break;
+        }
+
+        location @puma {
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header X-Forwarded-For $remote_addr;
+                proxy_set_header Host $http_host;
+                proxy_redirect off;
+                proxy_read_timeout 30;
+                proxy_pass http://puma_{{ redmine_user }};
+        }
+}