diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f07865c..d455b15a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,33 @@ The **patch** part changes incrementally at each release. ### Security +## [9.9.0] - 2019-04-16 + +### Added +* evocheck : add "x-frame-options: sameorigin" for Munin +* etc-git: ignore evobackup/.keep-* files +* lxc: /home is mounted in the container by default + +### Changed +* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles +* apt: Ensure jessie-backport from archives.debian.org is accepted +* apt: Remove jessie-update suite as it's no longer exists +* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport +* evocheck : update script from upstream +* evolinux-base: remove apt-listchanges on Stretch and later +* evomaintenance: embed version 0.5.0 +* opendkim: aligning roles with our conventions, major changes in opendkim-add.sh +* redis: higher limit of open files +* redis: set variables on inclusion, not with set_facts +* tomcat: better tomcat version management +* webapps/evoadmin-web: add dbadmin.sh to sudoers file + + +### Fixed +* spamassasin: fix sa-update.sh and ensure service is started and enabled +* tomcat-instance: deploy correct version of config files +* tomcat-instance: deploy correct version of server.xml + ## [9.8.0] - 2019-01-31 ### Added diff --git a/README.md b/README.md index 966c4a70..e2094277 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ A repository for Ansible roles used by Evolix on Debian GNU/Linux 9 (stretch) se Few roles are also be compatible with Debian GNU/Linux 8 (jessie) servers. It contains only roles, everything else is available at -https://forge.evolix.org/projects/ansible-public +https://gitea.evolix.org/evolix/ansible-public ## Branches 
@@ -20,7 +20,7 @@ First, check-out the repository : ``` $ cd ~/GIT/ -$ git clone https://forge.evolix.org/projects/ansible-roles +$ git clone https://gitea.evolix.org/evolix/ansible-roles ``` Then, add its path to your ansible load path : @@ -48,7 +48,7 @@ Contributions are welcome, especially bug fixes and "ansible good practices". Th Before starting anything of importance, we suggest contacting us to discuss what you'd like to add or change. -Our conventions are available in the "ansible-public":https://forge.evolix.org/projects/ansible-public repository, in the CONVENTIONS.md file. +Our conventions are available in the "ansible-public":https://gitea.evolix.org/evolix/ansible-public repository, in the CONVENTIONS.md file. ## Workflow diff --git a/apache/meta/main.yml b/apache/meta/main.yml index 497d52e9..3f717653 100644 --- a/apache/meta/main.yml +++ b/apache/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of Apache - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/apt/meta/main.yml b/apt/meta/main.yml index f7a7a707..b9fd3b76 100644 --- a/apt/meta/main.yml +++ b/apt/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Add repositories to APT sources list. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index 67b193d4..6acf8114 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml 
@@ -27,6 +27,14 @@
 tags:
 - apt
+- name: Archived backport are accepted (jessie)
+ lineinfile:
+ dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
+ line: 'Acquire::Check-Valid-Until no;'
+ create: yes
+ state: present
+ when: ansible_distribution_release == "jessie"
+
 - name: Apt update
 apt:
 update_cache: yes
diff --git a/apt/templates/jessie_backports.list.j2 b/apt/templates/jessie_backports.list.j2
index cba40470..8b641265 100644
--- a/apt/templates/jessie_backports.list.j2
+++ b/apt/templates/jessie_backports.list.j2
@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
-deb http://mirror.evolix.org/debian jessie-backports {{ apt_backports_components | mandatory }}
+deb http://archive.debian.org/debian jessie-backports {{ apt_backports_components | mandatory }}
diff --git a/apt/templates/jessie_basics.list.j2 b/apt/templates/jessie_basics.list.j2
index 684b7bb3..467e7f30 100644
--- a/apt/templates/jessie_basics.list.j2
+++ b/apt/templates/jessie_basics.list.j2
@@ -1,5 +1,4 @@
 # {{ ansible_managed }}
 deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }}
-deb http://mirror.evolix.org/debian/ jessie-updates {{ apt_basics_components | mandatory }}
 deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }}
diff --git a/bind/meta/main.yml b/bind/meta/main.yml
index f295919e..5f082615 100644
--- a/bind/meta/main.yml
+++ b/bind/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of bind9.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/dhcpd/meta/main.yml b/dhcpd/meta/main.yml
index 2fd68915..74b43142 100644
--- a/dhcpd/meta/main.yml
+++ b/dhcpd/meta/main.yml
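Review bot: `Acquire::Check-Valid-Until no;` written to `99no-check-valid-until` switches off Release-file expiry checking for every APT source on jessie hosts, not only the archived jessie-backports suite, so a stale or replayed Release file from any other mirror would no longer be rejected. As far as I recall jessie's apt predates the per-source `check-valid-until` option, so the task should at least carry a comment such as `# archive.debian.org no longer refreshes the jessie-backports Release file; drop this once no jessie host remains` and be tied to the same condition that enables the backports list, presumably earlier in this file rather than only to the release name. apt.conf(5) documents the quoted form `Acquire::Check-Valid-Until "false";`; I would confirm that jessie's parser accepts the unquoted `no` before rolling this out, since a syntax error in apt.conf.d breaks every apt invocation on the host.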
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of isc-dhcp-server.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/drbd/meta/main.yml b/drbd/meta/main.yml
index 3f9cb96e..f07ce45d 100644
--- a/drbd/meta/main.yml
+++ b/drbd/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Install tools to setup DRBD replication accross servers.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml
index 52fc8856..f5693bf2 100644
--- a/elasticsearch/defaults/main.yml
+++ b/elasticsearch/defaults/main.yml
@@ -24,3 +24,5 @@ elasticsearch_plugin_head_group: "{{ elasticsearch_plugin_head_owner }}"
 elasticsearch_plugin_head_home: "/home/{{ elasticsearch_plugin_head_owner }}"
 elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www"
 elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp"
+
+elasticsearch_additional_scripts_dir: /usr/share/scripts
diff --git a/elasticsearch/files/upgrade_elasticsearch_plugins.sh b/elasticsearch/files/upgrade_elasticsearch_plugins.sh
new file mode 100644
index 00000000..e090633f
--- /dev/null
+++ b/elasticsearch/files/upgrade_elasticsearch_plugins.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# WARNING:
+# This script is installed and maintained via Ansible. Don't edit directly.
+# Create a fork if you need changes that can't go into the regular script.
+
+set -e
+set -u
+
+PLUGIN_BIN=/usr/share/elasticsearch/bin/elasticsearch-plugin
+NEED_RESTART=""
+
+for plugin in $(${PLUGIN_BIN} list | grep -v WARNING); do
+ "${PLUGIN_BIN}" remove "${plugin}"
+ "${PLUGIN_BIN}" install "${plugin}"
+ NEED_RESTART="1"
+done
+
+if [ -n "${NEED_RESTART}" ]; then
+ systemctl restart elasticsearch
+fi
+
+exit 0
diff --git a/elasticsearch/meta/main.yml b/elasticsearch/meta/main.yml
index cfc69425..0f511c51 100644
--- a/elasticsearch/meta/main.yml
+++ b/elasticsearch/meta/main.yml
@@ -3,7 +3,7 @@ galaxy_info:
 author: Evolix
 description: Install Elasticsearch
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/elasticsearch/tasks/additional_scripts.yml b/elasticsearch/tasks/additional_scripts.yml
new file mode 100644
index 00000000..837acd6d
--- /dev/null
+++ b/elasticsearch/tasks/additional_scripts.yml
@@ -0,0 +1,22 @@
+---
+
+- include_role:
+ name: remount-usr
+ when: elasticsearch_additional_scripts_dir | search ("/usr")
+
+- name: "{{ elasticsearch_additional_scripts_dir }} exists"
+ file:
+ dest: "{{ elasticsearch_additional_scripts_dir }}"
+ mode: "0700"
+ owner: root
+ group: root
+ state: directory
+
+- name: Plugins upgrade script is installed
+ copy:
+ src: upgrade_elasticsearch_plugins.sh
+ dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh"
+ mode: "0755"
+ owner: "root"
+ group: "root"
+ force: yes
diff --git a/elasticsearch/tasks/main.yml b/elasticsearch/tasks/main.yml
index bc43bebd..361b15dc 100644
--- a/elasticsearch/tasks/main.yml
+++ b/elasticsearch/tasks/main.yml
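Review bot: The loop in upgrade_elasticsearch_plugins.sh removes each plugin before reinstalling it, and under `set -e` a failed `install` (unreachable repository, plugin version not matching the running Elasticsearch) aborts the script with that plugin already gone and no restart performed, so the node is left degraded without any message naming what was lost. Making the install failure explicit keeps the same flow but tells the operator which plugin must be restored; the restart decision is unchanged. The `grep -v WARNING` filter and the reliance on word splitting of the `list` output also deserve a one-line comment such as `# plugin names contain no whitespace; drop the JVM warning lines`.
```shell
for plugin in $(${PLUGIN_BIN} list | grep -v WARNING); do
    "${PLUGIN_BIN}" remove "${plugin}"
    if ! "${PLUGIN_BIN}" install "${plugin}"; then
        echo "ERROR: plugin '${plugin}' was removed but could not be reinstalled; restore it manually" >&2
        exit 1
    fi
    NEED_RESTART="1"
done
# … unchanged: restart when NEED_RESTART is set …
```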
@@ -12,6 +12,8 @@ - include: logs.yml +- include: additional_scripts.yml + - include: plugin_head.yml when: elasticsearch_plugin_head diff --git a/etc-git/meta/main.yml b/etc-git/meta/main.yml index 7fade98b..ef9d621e 100644 --- a/etc-git/meta/main.yml +++ b/etc-git/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Put /etc under Git version control. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index 029d102c..278cc98f 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -55,6 +55,7 @@ - "postfix/sa-blacklist.access" - "postfix/*.db" - "postfix/spamd.cidr" + - "evobackup/.keep-*" tags: - etc-git diff --git a/evoacme/README.md b/evoacme/README.md index 8f5e047d..86886859 100644 --- a/evoacme/README.md +++ b/evoacme/README.md @@ -2,7 +2,7 @@ EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates. -It is a project hosted at [Evolix's forge](https://forge.evolix.org/projects/ansible-roles/repository/) +It is a project hosted at [Evolix's forge](https://gitea.evolix.org/evolix/ansible-roles/) Evoacme is open source software licensed under the AGPLv3 License. diff --git a/evoacme/files/hooks/commit b/evoacme/files/hooks/commit new file mode 100644 index 00000000..86381dce --- /dev/null +++ b/evoacme/files/hooks/commit 
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+git_bin=$(command -v git)
+letsencrypt_dir=/etc/letsencrypt
+export GIT_DIR="/etc/.git"
+export GIT_WORK_TREE="/etc"
+
+if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
+ changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')
+
+ if [ "${changed_lines}" != "0" ]; then
+ ${git_bin} add --all ${letsencrypt_dir}
+ message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
+ ${git_bin} commit --message "${message}" --quiet
+ else
+ echo "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
+ fi
+fi
diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh
index c9ba8c92..e2cbb297 100755
--- a/evoacme/files/make-csr.sh
+++ b/evoacme/files/make-csr.sh
@@ -215,7 +215,6 @@ main() {
 [ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable"
 mkdir -p "${SSL_KEY_DIR}"
- chown root: "${SSL_KEY_DIR}"
 [ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable"
 [ -r "${SSL_CONFIG_FILE}" ] || error "File ${SSL_CONFIG_FILE} is not readable"
diff --git a/evoacme/meta/main.yml b/evoacme/meta/main.yml
index 2b9f6c70..77d83e2b 100644
--- a/evoacme/meta/main.yml
+++ b/evoacme/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Install evoacme ; a wrapper for Certbot (Let's Encrypt)
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml
index 08bb980a..09edb86c 100644
--- a/evoacme/tasks/main.yml
+++ b/evoacme/tasks/main.yml
@@ -17,6 +17,7 @@
 - reload_nginx
 - reload_dovecot
 - reload_postfix
+ - commit
 - include: conf.yml
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 2c20b04d..52e9938e 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
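Review bot: `${git_bin} add --all ${letsencrypt_dir}` in the new commit hook stages the whole of /etc/letsencrypt, private keys under `archive/` and `live/` included, into the /etc repository, so every renewed key stays readable to anyone who can read `/etc/.git` for as long as that history exists; presumably the etc-git role keeps the repository root-only, but the hook should state the dependency in a comment such as `# private keys are committed too: /etc/.git must remain readable by root only`. When git is absent or `/etc/.git` does not exist the outer `if` falls through and the hook exits 0 without a word, which hides a broken setup from certbot's hook output; an `else echo "etc-git is not set up, letsencrypt changes were not committed" >&2` branch would surface it. `git commit` also needs a `user.name`/`user.email` for the account certbot runs as, which is worth confirming is configured by the role, since an identity error here would make every renewal print a git failure.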
@@ -5,7 +5,9 @@
 # powered by Evolix
 # Repository: https://gitea.evolix.org/evolix/evocheck
-# Commit: e6e0b8c216ed28a2ee2229e5e122ff1d49701ffc
+# Commit: 84d197047a718f4f5b31c39a2e1741b5963271de
+
+VERSION="0.14.0.beta2"
 # Disable LANG*
 export LANG=C
@@ -61,7 +63,6 @@ IS_BINDCHROOT=1
 IS_REPVOLATILE=1
 IS_AUTOIF=1
 IS_INTERFACESGW=1
-IS_TOOMUCHDEBIANSYSMAINT=1
 IS_USERLOGROTATE=1
 IS_MODSECURITY=1
 IS_APACHECTL=1
@@ -73,6 +74,7 @@ IS_KERNELUPTODATE=1
 IS_UPTIME=1
 IS_MUNINRUNNING=1
 IS_BACKUPUPTODATE=1
+IS_ETCGIT=1
 IS_GITPERMS=1
 IS_NOTUPGRADED=1
 IS_TUNE2FS_M5=1
@@ -109,6 +111,8 @@ IS_EVOACME_CRON=1
 IS_EVOACME_LIVELINKS=1
 IS_APACHE_CONFENABLED=1
 IS_MELTDOWN_SPECTRE=1
+IS_OLD_HOME_DIR=1
+IS_LSBRELEASE=1
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -127,110 +131,291 @@ IS_NRPEDAEMON=1 IS_ALERTBOOT=1 IS_RSYNC=1 +# Default return code : 0 = no error +RC=0 + # Source configuration file +# shellcheck disable=SC1091 test -f /etc/evocheck.cf && . /etc/evocheck.cf -# If --cron is passed, ignore some checks. -if [ "$1" = "--cron" ]; then - IS_KERNELUPTODATE=0 - IS_UPTIME=0 +# OS detection +DEBIAN_RELEASE="" +LSB_RELEASE_BIN=$(command -v lsb_release) +OPENBSD_RELEASE="" + +if [ -e /etc/debian_version ]; then + DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version) + if [ -x "${LSB_RELEASE_BIN}" ]; then + DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short) + else + case ${DEBIAN_VERSION} in + 5) DEBIAN_RELEASE="lenny";; + 6) DEBIAN_RELEASE="squeeze";; + 7) DEBIAN_RELEASE="wheezy";; + 8) DEBIAN_RELEASE="jessie";; + 9) DEBIAN_RELEASE="stretch";; + esac + fi +elif [ "$(uname -s)" = "OpenBSD" ]; then + # use a better release name + OPENBSD_RELEASE=$(uname -r) fi # Functions + +show_version() { + cat <, + Romain Dessort , + Benoit Série , + Gregory Colpart , + Jérémy Lecour , + Tristan Pilat , + Victor Laborie + and others. + +evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat </dev/null | grep -q -E '^(i|h)i' || return 1 + for pkg in "$@"; do + dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 done } -is_debianversion(){ - [ $(lsb_release -c -s) = $1 ] && return 0 +# logging +failed() { + check_name=$1 + shift + check_comments=$* + + RC=1 + if [ "${QUIET}" != 1 ]; then + if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then + printf "%s FAILED! 
%s\n" "${check_name}" "${check_comments}" 2>&1 + else + printf "%s FAILED!\n" "${check_name}" 2>&1 + fi + fi } -is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc -is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc -is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall -is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + --version) + show_version + exit 0 + ;; + --cron) + IS_KERNELUPTODATE=0 + IS_UPTIME=0 + ;; + -v|--verbose) + VERBOSE=1 + ;; + -q|--quiet) + QUIET=1 + VERBOSE=0 + ;; + --) + # End of all options. + shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + if [ "${QUIET}" != 1 ]; then + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + fi + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done #----------------------------------------------------------- #Vérifie si c'est une debian et fait les tests appropriés. #----------------------------------------------------------- -if [ -e /etc/debian_version ]; then +if is_debian; then + + is_debian_lenny && MINIFW_FILE=/etc/firewall.rc + is_debian_squeeze && MINIFW_FILE=/etc/firewall.rc + is_debian_wheezy && MINIFW_FILE=/etc/firewall.rc + is_debian_jessie && MINIFW_FILE=/etc/default/minifirewall + is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall + + if [ "$IS_LSBRELEASE" = 1 ]; then + if [ -x "${LSB_RELEASE_BIN}" ]; then + ## only the major version matters + lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) + rhs=$(cut -d "." 
-f 1 < /etc/debian_version) + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" + else + failed "IS_LSBRELEASE" "lsb_release is missing or not executable" + fi + fi if [ "$IS_DPKGWARNING" = 1 ]; then - is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \ - grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ - /etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' ) - is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \ - ( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' ) - test -e /etc/apt/apt.conf && echo 'IS_DPKGWARNING FAILED!' ) - is_debianversion stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || echo 'IS_DPKGWARNING FAILED!') + if is_debian_squeeze; then + if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then + count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf) + test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing." + fi + elif is_debian_wheezy; then + if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then + test -e /etc/apt/apt.conf.d/80evolinux \ + || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing" + test -e /etc/apt/apt.conf \ + && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" + fi + elif is_debian_stretch; then + test -e /etc/apt/apt.conf.d/z-evolinux.conf \ + || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" + fi fi if [ "$IS_UMASKSUDOERS" = 1 ]; then - is_debianversion squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || echo 'IS_UMASKSUDOERS FAILED!' 
) + if is_debian_squeeze; then + grep -q "^Defaults.*umask=0077" /etc/sudoers \ + || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077" + fi fi # Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) if [ "$IS_NRPEPOSTFIX" = 1 ]; then - is_debianversion squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPOSTFIX FAILED!' ) - is_debianversion squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || echo 'IS_NRPEPOSTFIX FAILED!' ) ) + if is_installed postfix; then + if is_debian_squeeze; then + grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \ + || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" + else + { test -e /etc/nagios/nrpe.cfg \ + && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; + } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" + fi + fi fi # Check if mod-security config file is present if [ "$IS_MODSECURITY" = 1 ]; then - is_debianversion squeeze && is_installed libapache-mod-security && \ - (test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!') - is_debianversion wheezy && is_installed libapache2-modsecurity && \ - (test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!') + if is_debian_squeeze; then + if is_installed libapache-mod-security; then + test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" + fi + elif is_debian_wheezy; then + if is_installed libapache2-modsecurity; then + test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" + fi + fi fi if [ "$IS_CUSTOMSUDOERS" = 1 ]; then - grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!' 
+ grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" fi if [ "$IS_VARTMPFS" = 1 ]; then - df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!' + df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" fi if [ "$IS_SERVEURBASE" = 1 ]; then - is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!' + is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" fi if [ "$IS_LOGROTATECONF" = 1 ]; then - test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!' + test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" fi if [ "$IS_SYSLOGCONF" = 1 ]; then - grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!' + grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \ + || failed "IS_SYSLOGCONF" fi if [ "$IS_DEBIANSECURITY" = 1 ]; then - grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!' + grep -q "^deb.*security" /etc/apt/sources.list \ + || failed "IS_DEBIANSECURITY" fi if [ "$IS_APTITUDEONLY" = 1 ]; then - is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!' - is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!' + if is_debian_squeeze || is_debian_wheezy; then + test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" + fi fi if [ "$IS_APTITUDE" = 1 ]; then - is_debianversion jessie && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!' - is_debianversion stretch && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!' + if is_debian_jessie || is_debian_stretch; then + test -e /usr/bin/aptitude && failed "IS_APTITUDE" + fi fi if [ "$IS_APTGETBAK" = 1 ]; then - is_debianversion jessie && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!' - is_debianversion stretch && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!' 
+ if is_debian_jessie || is_debian_stretch; then + test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" + fi fi if [ "$IS_APTICRON" = 1 ]; then 
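Review bot: In the IS_DPKGWARNING wheezy branch, `test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"` fires when the file is present, so the message states the opposite of what was detected; `"/etc/apt/apt.conf must not exist"` matches the check. In `failed()`, the `2>&1` appended to both `printf` calls redirects stderr into stdout for a command that only writes to stdout, so it does nothing; if failures are meant to go to stderr (for cron mail, say) it should be `>&2`, otherwise drop it. `VERBOSE` and `QUIET` are read in `failed()` and the option loop but I cannot see them initialised in this hunk; if the earlier part of the file does not set them, a `VERBOSE=0` / `QUIET=0` next to `RC=0` would make the defaults explicit. The `if is_debian; then` block opened at the end of this hunk closes outside it.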
@@ -238,133 +423,216 @@ if [ -e /etc/debian_version ]; then test -e /etc/cron.d/apticron || status="fail" test -e /etc/cron.daily/apticron && status="fail" test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" - ( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!' + + if is_debian_squeeze || is_debian_wheezy; then + test "$status" = "fail" && failed "IS_APTICRON" + fi fi if [ "$IS_USRRO" = 1 ]; then - grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!' + grep /usr /etc/fstab | grep -q ro || failed "IS_USRRO" fi if [ "$IS_TMPNOEXEC" = 1 ]; then - mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!' + mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" fi if [ "$IS_MOUNT_FSTAB" = 1 ]; then # Test if lsblk available, if not skip this test... - if test -x "$(command -v lsblk)"; then - for mountPoint in $(lsblk -o MOUNTPOINT -l -n | grep '/'); do - grep -Eq "$mountPoint\W" /etc/fstab || echo 'IS_MOUNT_FSTAB FAILED!' + LSBLK_BIN=$(command -v lsblk) + if test -x "${LSBLK_BIN}"; then + for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do + grep -Eq "$mountPoint\W" /etc/fstab || failed "IS_MOUNT_FSTAB" done fi fi if [ "$IS_LISTCHANGESCONF" = 1 ]; then - if is_debianversion stretch; then - is_installed apt-listchanges && echo 'IS_LISTCHANGESCONF FAILED!' + if is_debian_stretch; then + if is_installed apt-listchanges; then + failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Stretch" + fi else - test -e /etc/apt/listchanges.conf && grep -E "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!' 
+ if [ -e "/etc/apt/listchanges.conf" ]; then + lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) + if [ "$lines" != 2 ]; then + failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" + fi + else + failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing" + fi fi fi if [ "$IS_CUSTOMCRONTAB" = 1 ]; then - grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!' + found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab) + test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" fi if [ "$IS_SSHALLOWUSERS" = 1 ]; then - grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!' + grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || failed "IS_SSHALLOWUSERS" fi if [ "$IS_DISKPERF" = 1 ]; then - test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!' + test -e /root/disk-perf.txt || failed "IS_DISKPERF" fi if [ "$IS_TMOUTPROFILE" = 1 ]; then - grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!' + grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" fi if [ "$IS_ALERT5BOOT" = 1 ]; then - grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!' + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + else + failed "IS_ALERT5BOOT" "alert5 init script is missing" + fi fi if [ "$IS_ALERT5MINIFW" = 1 ]; then - grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!' 
+ if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + else + failed "IS_ALERT5MINIFW" "alert5 init script is missing" + fi fi if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then - /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!' + /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ + || failed "IS_MINIFW" fi if [ "$IS_NRPEPERMS" = 1 ]; then - test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!' + if [ -d /etc/nagios ]; then + actual=$(stat --format "%a" /etc/nagios) + expected="750" + test "$expected" = "$actual" || failed "IS_NRPEPERMS" + fi fi if [ "$IS_MINIFWPERMS" = 1 ]; then - ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' + if [ -f "$MINIFW_FILE" ]; then + actual=$(stat --format "%a" $MINIFW_FILE) + expected="600" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" + fi fi if [ "$IS_NRPEDISKS" = 1 ]; then - NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) - DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) - [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!' + NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) + DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)") + test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" fi if [ "$IS_NRPEPID" = 1 ]; then - is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!') + if ! 
is_debian_squeeze; then + { test -e /etc/nagios/nrpe.cfg \ + && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + } || failed "IS_NRPEPID" + fi fi if [ "$IS_GRSECPROCS" = 1 ]; then - uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' ) + if uname -a | grep -q grsec; then + { grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \ + && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root"; + } || failed "IS_GRSECPROCS" + fi fi if [ "$IS_APACHEMUNIN" = 1 ]; then - test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) ) - test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' 
) ) + if test -e /etc/apache2/apache2.conf; then + if is_debian_stretch; then + { test -h /etc/apache2/mods-enabled/status.load \ + && test -h /etc/munin/plugins/apache_accesses \ + && test -h /etc/munin/plugins/apache_processes \ + && test -h /etc/munin/plugins/apache_volume; } \ + || failed "IS_APACHEMUNIN" "missing munin plugins for Apache" + else + pattern="/server-status-[[:alnum:]]{4,}" + { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \ + && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ + || grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf; + }; + } || failed "IS_APACHEMUNIN" "server status is not properly configured" + fi + fi fi # Verification mytop + Munin si MySQL if [ "$IS_MYSQLUTILS" = 1 ]; then - is_installed mysql-server && ( grep -q mysqladmin /root/.my.cnf && test -x /usr/bin/mytop && grep -q debian-sys-maint /root/.mytop || echo 'IS_MYSQLUTILS FAILED!' ) + MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} + if is_installed mysql-server; then + # You can configure MYSQL_ADMIN in evocheck.cf + if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then + failed "IS_MYSQLUTILS" "mysqladmin missing in /root/.my.cnf" + fi + if ! test -x /usr/bin/mytop; then + if ! test -x /usr/local/bin/mytop; then + failed "IS_MYSQLUTILS" "mytop binary missing" + fi + fi + if ! 
grep -qs debian-sys-maint /root/.mytop; then + failed "IS_MYSQLUTILS" "debian-sys-maint missing in /root/.mytop" + fi + fi fi # Verification de la configuration du raid soft (mdadm) if [ "$IS_RAIDSOFT" = 1 ]; then - test -e /proc/mdstat && grep -q md /proc/mdstat && \ - ( grep -q "^AUTOCHECK=true" /etc/default/mdadm \ - && grep -q "^START_DAEMON=true" /etc/default/mdadm \ - && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!') + if test -e /proc/mdstat && grep -q md /proc/mdstat; then + { grep -q "^AUTOCHECK=true" /etc/default/mdadm \ + && grep -q "^START_DAEMON=true" /etc/default/mdadm \ + && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf; + } || failed "IS_RAIDSOFT" + fi fi # Verification du LogFormat de AWStats if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then - is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' ) + if is_installed apache2.2-common awstats; then + grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \ + || failed "IS_AWSTATSLOGFORMAT" + fi fi # Verification de la présence de la config logrotate pour Munin if [ "$IS_MUNINLOGROTATE" = 1 ]; then - ( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!' + { test -e /etc/logrotate.d/munin-node \ + && test -e /etc/logrotate.d/munin; + } || failed "IS_MUNINLOGROTATE" fi # Verification de la présence de metche #if [ "$IS_METCHE" = 1 ]; then - # is_installed metche || echo 'IS_METCHE FAILED!' 
+ # is_installed metche || failed "IS_METCHE" #fi # Verification de l'activation de Squid dans le cas d'un pack mail if [ "$IS_SQUID" = 1 ]; then - squidconffile=/etc/squid*/squid.conf - is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf - is_pack_web && ( is_installed squid || is_installed squid3 \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' ) + if is_debian_stretch; then + squidconffile="/etc/squid/evolinux-custom.conf" + else + squidconffile="/etc/squid*/squid.conf" + fi + if is_pack_web && (is_installed squid || is_installed squid3); then + host=$(hostname -i) + # shellcheck disable=SC2086 + http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ") + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE"; + } || failed "IS_SQUID" + fi fi if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then if [ -f "$MINIFW_FILE" ]; then rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") if [ "$rulesNumber" -lt 2 ]; then - echo 'IS_EVOMAINTENANCE_FW FAILED!' + failed "IS_EVOMAINTENANCE_FW" fi fi fi 
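Review bot: IS_NRPEPERMS and IS_MINIFWPERMS now pass silently when `/etc/nagios` or `$MINIFW_FILE` does not exist, whereas the `ls`-based checks they replace reported a missing path as a failure; if that is intended for hosts without NRPE or minifirewall it deserves a comment, otherwise an `else failed "IS_NRPEPERMS" "/etc/nagios is missing"` branch (and the same for IS_MINIFWPERMS) restores the previous coverage. In IS_MYSQLUTILS the grep uses `$MYSQL_ADMIN` but the message `"mysqladmin missing in /root/.my.cnf"` hardcodes the default; `"$MYSQL_ADMIN missing in /root/.my.cnf"` keeps the two in step. In IS_SQUID, `$host` from `hostname -i` is interpolated into the extended regex unescaped so its dots match any character — pre-existing behaviour, but now that it is a named variable it is cheap to escape with `host=$(hostname -i | sed 's/\./\\./g')`. The enclosing `if is_debian; then` block starts and ends outside this hunk.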
@@ -372,265 +640,410 @@ if [ -e /etc/debian_version ]; then # Verification de la conf et de l'activation de mod-deflate if [ "$IS_MODDEFLATE" = 1 ]; then f=/etc/apache2/mods-enabled/deflate.conf - is_installed apache2.2 && (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ - && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ - && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!') + if is_installed apache2.2; then + { test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ + && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ + && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f; + } || failed "IS_MODDEFLATE" + fi fi # Verification de la conf log2mail if [ "$IS_LOG2MAILRUNNING" = 1 ]; then - is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING') + if is_pack_web && is_installed log2mail; then + pgrep log2mail >/dev/null || failed 'IS_LOG2MAILRUNNING' + fi fi if [ "$IS_LOG2MAILAPACHE" = 1 ]; then - if is_debianversion stretch; then + if is_debian_stretch; then conf=/etc/log2mail/config/apache else conf=/etc/log2mail/config/default fi - is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null || echo 'IS_LOG2MAILAPACHE FAILED!' ) + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/apache2/error.log" $conf \ + || failed "IS_LOG2MAILAPACHE" + fi fi if [ "$IS_LOG2MAILMYSQL" = 1 ]; then - is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null || echo 'IS_LOG2MAILMYSQL FAILED!' 
) + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \ + || failed "IS_LOG2MAILMYSQL" + fi fi if [ "$IS_LOG2MAILSQUID" = 1 ]; then - is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \ - /etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' ) + if is_pack_web && is_installed log2mail; then + grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \ + || failed "IS_LOG2MAILSQUID" + fi fi # Verification si bind est chroote if [ "$IS_BINDCHROOT" = 1 ]; then - if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then - if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then - if [ "$(md5sum /usr/sbin/named |cut -f 1 -d ' ')" != "$(md5sum /var/chroot-bind/usr/sbin/named |cut -f 1 -d ' ')" ]; then - echo 'IS_BINDCHROOT FAILED!' + if is_installed bind9; then + if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then + if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then + md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') + md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') + if [ "$md5_original" != "$md5_chrooted" ]; then + failed "IS_BINDCHROOT" "The chrooted bind binary is differet than the original binary" + fi + else + failed "IS_BINDCHROOT" "bind process is not chrooted" fi - else - echo 'IS_BINDCHROOT FAILED!' fi fi fi # Verification de la présence du depot volatile if [ "$IS_REPVOLATILE" = 1 ]; then - test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!') - test `cat /etc/debian_version |cut -d "." 
-f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!') + if is_debian_lenny; then + grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \ + || failed "IS_REPVOLATILE" + fi + if is_debian_squeeze; then + grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \ + || failed "IS_REPVOLATILE" + fi fi # /etc/network/interfaces should be present, we don't manage systemd-network yet if [ "$IS_NETWORK_INTERFACES" = 1 ]; then if ! test -f /etc/network/interfaces; then - echo "IS_NETWORK_INTERFACES FAILED!" IS_AUTOIF=0 IS_INTERFACESGW=0 + failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet" fi fi # Verify if all if are in auto if [ "$IS_AUTOIF" = 1 ]; then - is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do - grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break) - done - is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do - grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break) - done + if is_debian_stretch; then + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") + else + interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ") + fi + for interface in $interfaces; do + if ! 
grep -q "^auto $interface" /etc/network/interfaces; then + failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto" + test "${VERBOSE}" = 1 || break + fi + done fi # Network conf verification if [ "$IS_INTERFACESGW" = 1 ]; then number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) - test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!' + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway" number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) - test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!' + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway" fi # Verification de la mise en place d'evobackup if [ "$IS_EVOBACKUP" = 1 ]; then - ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!' + evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) + test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" fi # Verification de la presence du userlogrotate if [ "$IS_USERLOGROTATE" = 1 ]; then - is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!') + if is_pack_web; then + test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE" + fi fi # Verification de la syntaxe de la conf d'Apache if [ "$IS_APACHECTL" = 1 ]; then - is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!') + if is_installed apache2.2-common; then + /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL" + fi fi # Check if there is regular files in Apache sites-enabled. 
if [ "$IS_APACHESYMLINK" = 1 ]; then - is_installed apache2.2-common && \ - (stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && echo 'IS_APACHESYMLINK FAILED!') + if is_installed apache2.2-common; then + stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK" + fi fi # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). if [ "$IS_APACHEIPINALLOW" = 1 ]; then # Note: Replace "exit 1" by "print" in Perl code to debug it. - is_installed apache2.2-common && \ - (grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ |grep -iv "from all" |grep -iv "env=" |perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || echo 'IS_APACHEIPINALLOW FAILED!') + if is_installed apache2.2-common; then + grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ + | grep -iv "from all" \ + | grep -iv "env=" \ + | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \ + || failed "IS_APACHEIPINALLOW" + fi fi # Check if default Apache configuration file for munin is absent (or empty or commented). if [ "$IS_MUNINAPACHECONF" = 1 ]; then - if is_debianversion squeeze || is_debianversion wheezy; then + if is_debian_squeeze || is_debian_wheezy; then muninconf="/etc/apache2/conf.d/munin" else muninconf="/etc/apache2/conf-available/munin.conf" fi - is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!') + if is_installed apache2.2-common; then + test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF" + fi fi # Verification de la priorité du package samba si les backports sont utilisés if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then - is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' 
) + if is_debian_lenny && is_pack_samba; then + if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then + priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") + test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY" + fi + fi fi # Verification si le système doit redémarrer suite màj kernel. if [ "$IS_KERNELUPTODATE" = 1 ]; then - if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then - echo 'IS_KERNELUPTODATE FAILED!' + if is_installed linux-image*; then + # shellcheck disable=SC2012 + kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then + failed "IS_KERNELUPTODATE" + fi fi fi # Check if the server is running for more than a year. if [ "$IS_UPTIME" = 1 ]; then - if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then - echo 'IS_UPTIME FAILED!' + if is_installed linux-image*; then + limit=$(date -d "now - 2 year" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ "$limit" -gt "$last_reboot_at" ]; then + failed "IS_UPTIME" + fi fi fi # Check if munin-node running and RRD files are up to date. if [ "$IS_MUNINRUNNING" = 1 ]; then - pgrep munin-node >/dev/null || echo 'IS_MUNINRUNNING FAILED!' - [ "$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ] && echo 'IS_MUNINRUNNING FAILED!' - grep -q "^graph_strategy cron" /etc/munin/munin.conf && ([ "$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ]) && echo 'IS_MUNINRUNNING FAILED!' + if ! 
pgrep munin-node >/dev/null; then + failed "IS_MUNINRUNNING" "Munin is not running" + elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then + limit=$(date +"%s" -d "now - 10 minutes") + + if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then + updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) + [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)" + fi + + if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then + updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) + grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)" + fi + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)" + fi fi # Check if files in /home/backup/ are up-to-date if [ "$IS_BACKUPUPTODATE" = 1 ]; then - [ -d /home/backup/ ] && for file in /home/backup/*; do - if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then - echo 'IS_BACKUPUPTODATE FAILED!' 
- break; + if [ -d /home/backup/ ]; then + if [ -n "$(ls -A /home/backup/)" ]; then + for file in /home/backup/*; do + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + failed "IS_BACKUPUPTODATE" "$file has not been backed up" + test "${VERBOSE}" = 1 || break; + fi + done + else + failed "IS_BACKUPUPTODATE" "/home/backup/ is empty" fi - done + else + failed "IS_BACKUPUPTODATE" "/home/backup/ is missing" + fi + fi + + if [ "$IS_ETCGIT" = 1 ]; then + (cd /etc; git rev-parse --is-inside-work-tree > /dev/null 2>&1) || failed "IS_ETCGIT" "/etc is not a Git repository" fi # Check if /etc/.git/ has read/write permissions for root only. if [ "$IS_GITPERMS" = 1 ]; then - test -d /etc/.git && [ "$(stat -c "%a" /etc/.git/)" = "700" ] || echo 'IS_GITPERMS FAILED!' + if test -d /etc/.git; then + expected="700" + actual=$(stat -c "%a" /etc/.git/) + [ "$expected" = "$actual" ] || failed "IS_GITPERMS" + fi fi # Check if no package has been upgraded since $limit. 
if [ "$IS_NOTUPGRADED" = 1 ]; then - last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) - if grep -sq '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ - || grep -sq -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then + last_upgrade=0 + upgraded=false + for log in /var/log/dpkg.log*; do + if zgrep -qsm1 upgrade "$log"; then + # There is at least one upgrade + upgraded=true + break + fi + done + if $upgraded; then + last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')") + fi + if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ + || grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then # Manual upgrade process limit=$(date +%s -d "now - 180 days") else # Regular process limit=$(date +%s -d "now - 90 days") fi - if [ -f /var/log/evolinux/00_prepare_system.log ]; then - install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log) - else - install_date=0 + install_date=0 + if [ -d /var/log/installer ]; then + install_date=$(stat -c %Z /var/log/installer) + fi + # Check install_date if the system never received an upgrade + if [ "$last_upgrade" -eq 0 ]; then + [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated" + else + [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" fi - [ $install_date -lt $limit ] && [ $last_upgrade -lt $limit ] && echo 'IS_NOTUPGRADED FAILED!' fi # Check if reserved blocks for root is at least 5% on every mounted partitions. if [ "$IS_TUNE2FS_M5" = 1 ]; then + min=5 parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') for part in $parts; do blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") # If buggy partition, skip it. 
- if [ -z $blockCount ]; then + if [ -z "$blockCount" ]; then continue fi reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") - percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))") - if [ "$percentage" -lt 5 ]; then - echo 'IS_TUNE2FS_M5 FAILED!' - # Set debug to 1, to displays which partitions has less than 5% - debug=0 - if [ "$debug" -eq 1 ]; then - echo "Partition $part has less than 5% reserved blocks!" - fi + # Use awk to have a rounded percentage + # python is slow, bash is unable and bc rounds weirdly + percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }") + + if [ "$percentage" -lt "${min}" ]; then + failed "IS_TUNE2FS_M5" "Partition ${part} has less than ${min}% reserved blocks (${percentage}%)" fi done fi if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then - if is_debianversion stretch; then - (grep -q ^evolinux-sudo: /etc/group \ - && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || echo 'IS_EVOLINUXSUDOGROUP FAILED!' + if is_debian_stretch; then + if grep -q "^evolinux-sudo:" /etc/group; then + grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux \ + || failed "IS_EVOLINUXSUDOGROUP" + fi fi fi if [ "$IS_USERINADMGROUP" = 1 ]; then - if is_debianversion stretch; then - for user in $(grep ^evolinux-sudo: /etc/group |awk -F: '{print $4}' |tr ',' ' '); do - groups $user |grep -q adm || echo 'IS_USERINADMGROUP FAILED!' + if is_debian_stretch; then + users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') + for user in $users; do + if ! 
groups "$user" | grep -q adm; then + failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" + test "${VERBOSE}" = 1 || break + fi done fi fi if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then - if (test -d /etc/apache2 && is_debianversion stretch); then - (test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ + if is_debian_stretch && test -d /etc/apache2; then + { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ - && test -f /etc/apache2/ipaddr_whitelist.conf) || echo 'IS_APACHE2EVOLINUXCONF FAILED!' + && test -f /etc/apache2/ipaddr_whitelist.conf; + } || failed "IS_APACHE2EVOLINUXCONF" fi fi if [ "$IS_BACKPORTSCONF" = 1 ]; then - if is_debianversion stretch; then - grep -qE "^[^#].*backports" /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!' - grep -qE "^[^#].*backports" /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -qE "^[^#].*backports" /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!') + if is_debian_stretch; then + grep -qsE "^[^#].*backports" /etc/apt/sources.list \ + && failed "IS_BACKPORTSCONF" "backports can't be in main sources list" + if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then + grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ + || failed "IS_BACKPORTSCONF" "backports must have preferences" + fi fi fi if [ "$IS_BIND9MUNIN" = 1 ]; then - if is_debianversion stretch && is_installed bind9; then - (test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) || echo 'IS_BIND9MUNIN FAILED!' + if is_debian_stretch && is_installed bind9; then + { test -L /etc/munin/plugins/bind9 \ + && test -e /etc/munin/plugin-conf.d/bind9; + } || failed "IS_BIND9MUNIN" fi fi if [ "$IS_BIND9LOGROTATE" = 1 ]; then - if is_debianversion stretch && is_installed bind9; then - test -e /etc/logrotate.d/bind9 || echo 'IS_BIND9LOGROTATE FAILED!' 
+ if is_debian_stretch && is_installed bind9; then + test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" fi fi if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then - if lspci | grep -q 'NetXtreme II'; then - (is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) || echo 'IS_BROADCOMFIRMWARE FAILED!' + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then + { is_installed firmware-bnx2 \ + && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; + } || failed "IS_BROADCOMFIRMWARE" + fi + else + failed "IS_BROADCOMFIRMWARE" "lspci is missing" fi fi if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then - lspci |grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) || echo 'IS_HARDWARERAIDTOOL FAILED!') - lspci |grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status || echo 'IS_HARDWARERAIDTOOL FAILED!') + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then + # shellcheck disable=SC2015 + is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ + || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" + fi + if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then + is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed" + fi + else + failed "IS_HARDWARERAIDTOOL" "lspci is missing" + fi fi if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then - if is_debianversion stretch; then - (systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) || echo 'IS_LOG2MAILSYSTEMDUNIT FAILED!' + if is_debian_stretch; then + { systemctl -q is-active log2mail.service \ + && test -f /etc/systemd/system/log2mail.service \ + && ! 
test -f /etc/init.d/log2mail; + } || failed "IS_LOG2MAILSYSTEMDUNIT" fi fi if [ "$IS_LISTUPGRADE" = 1 ]; then - (test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) || echo 'IS_LISTUPGRADE FAILED!' + { test -f /etc/cron.d/listupgrade \ + && test -x /usr/share/scripts/listupgrade.sh; + } || failed "IS_LISTUPGRADE" fi if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then - if is_debianversion stretch && is_installed mariadb-server; then - (test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ - && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) || echo 'IS_MARIADBEVOLINUXCONF FAILED!' + if is_debian_stretch; then + if is_installed mariadb-server; then + { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ + && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; + } || failed "IS_MARIADBEVOLINUXCONF" + fi fi fi @@ -638,16 +1051,16 @@ if [ -e /etc/debian_version ]; then if (is_installed "mysql-server" || is_installed "mariadb-server"); then # You could change the default path in /etc/evocheck.cf SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} - test -f "$SQL_BACKUP_PATH" || echo 'IS_SQL_BACKUP FAILED!' + test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})" fi fi if [ "$IS_POSTGRES_BACKUP" = 1 ]; then if is_installed "postgresql-9*"; then - # If you use something like barman, you should deactivate this check + # If you use something like barman, you should disable this check # You could change the default path in /etc/evocheck.cf POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"} - test -f "$POSTGRES_BACKUP_PATH" || echo 'IS_POSTGRES_BACKUP FAILED!' + test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})" fi fi 
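Review bot: IS_EVOLINUXSUDOGROUP no longer reports a missing `evolinux-sudo` group: the new code only inspects /etc/sudoers.d/evolinux when `grep -q "^evolinux-sudo:" /etc/group` succeeds, whereas the removed version failed the check in that case, so a Stretch host without the group now passes silently; if the group is still required, add an `else` branch, `failed "IS_EVOLINUXSUDOGROUP" "evolinux-sudo group is missing"`. In IS_TUNE2FS_M5 only `blockCount` is guarded against an empty value; an empty `reservedBlockCount` turns the awk program into a syntax error and then `[ "" -lt "${min}" ]` into a second error, so a matching guard is needed after it is computed, `[ -z "$reservedBlockCount" ] && continue`. The IS_BINDCHROOT message has a typo: `differet` should read `different`. The enclosing `if [ -e /etc/debian_version ]` block starts and ends outside the hunk.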
@@ -656,16 +1069,19 @@ if [ -e /etc/debian_version ]; then
 # You could change the default path in /etc/evocheck.cf
 MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
 if [ -d "$MONGO_BACKUP_PATH" ]; then
- for file in ${MONGO_BACKUP_PATH}/*/*.{json,bson}; do
+ for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do
 # Skip indexes file.
 if ! [[ "$file" =~ indexes ]]; then
- if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
- echo 'IS_MONGO_BACKUP FAILED!'
+ limit=$(date +"%s" -d "now - 2 day")
+ updated_at=$(stat -c "%Y" "$file")
+ if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
+ failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days"
+ break
 fi
 fi
 done
 else
- echo 'IS_MONGO_BACKUP FAILED!'
+ failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})"
 fi
 fi
 fi
@@ -674,7 +1090,7 @@ if [ -e /etc/debian_version ]; then
 if is_installed slapd; then
 # You could change the default path in /etc/evocheck.cf
 LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
- test -f "$LDAP_BACKUP_PATH" || echo 'IS_LDAP_BACKUP FAILED!'
+ test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})"
 fi
 fi
 
@@ -682,7 +1098,7 @@ if [ -e /etc/debian_version ]; then
 if is_installed redis-server; then
 # You could change the default path in /etc/evocheck.cf
 REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
- test -f "$REDIS_BACKUP_PATH" || echo 'IS_REDIS_BACKUP FAILED!'
+ test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})"
 fi
 fi
 
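Review bot: In IS_MONGO_BACKUP, `updated_at=$(stat -c "%Y" "$file")` now runs before the `[ -f "$file" ]` test, so when `"${MONGO_BACKUP_PATH}"/*/*.{json,bson}` matches nothing the two unexpanded patterns are handed to stat and an error line is printed for each; the removed version tested `-f` first and never reached stat in that case. Keep the `-f` test ahead of the stat call, e.g. `[ -f "$file" ] || continue` as the first statement after the indexes check. `limit=$(date +"%s" -d "now - 2 day")` does not depend on the loop variable and can move above the `for`. The IS_MONGO_BACKUP block itself starts outside the hunk.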
@@ -690,114 +1106,128 @@ if [ -e /etc/debian_version ]; then if is_installed elasticsearch; then # You could change the default path in /etc/evocheck.cf ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"} - test -d "$ELASTIC_BACKUP_PATH" || echo 'IS_ELASTIC_BACKUP FAILED!' + test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})" fi fi if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then - if is_debianversion stretch && is_installed mariadb-server; then - (systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) || echo 'IS_MARIADBSYSTEMDUNIT FAILED!' + if is_debian_stretch && is_installed mariadb-server; then + { systemctl -q is-active mariadb.service \ + && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf; + } || failed "IS_MARIADBSYSTEMDUNIT" fi fi if [ "$IS_MYSQLMUNIN" = 1 ]; then - if is_debianversion stretch && is_installed mariadb-server; then + if is_debian_stretch && is_installed mariadb-server; then for file in mysql_bytes mysql_queries mysql_slowqueries \ - mysql_threads mysql_connections mysql_files_tables \ - mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ - mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ - mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ - mysql_sorts mysql_tmp_tables; do + mysql_threads mysql_connections mysql_files_tables \ + mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ + mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ + mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ + mysql_sorts mysql_tmp_tables; do if [[ ! -L /etc/munin/plugins/$file ]]; then - echo 'IS_MYSQLMUNIN FAILED!' 
- break + failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing" + test "${VERBOSE}" = 1 || break fi done fi fi if [ "$IS_MYSQLNRPE" = 1 ]; then - if is_debianversion stretch && is_installed mariadb-server; then - (test -f ~nagios/.my.cnf \ - && [ $(stat -c %U ~nagios/.my.cnf) = "nagios" ] \ - && [ $(stat -c %a ~nagios/.my.cnf) = "600" ] \ - && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") || echo 'IS_MYSQLNRPE FAILED!' + if is_debian_stretch && is_installed mariadb-server; then + nagios_file="~nagios/.my.cnf" + { test -f $nagios_file \ + && [ "$(stat -c %U $nagios_file)" = "nagios" ] \ + && [ "$(stat -c %a $nagios_file)" = "600" ] \ + && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file"; + } || failed "IS_MYSQLNRPE" fi fi if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then - if is_debianversion stretch && is_installed php; then - (test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ - && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) || echo 'IS_PHPEVOLINUXCONF FAILED!' + if is_debian_stretch && is_installed php; then + { test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ + && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini; + } || failed "IS_PHPEVOLINUXCONF" fi fi if [ "$IS_SQUIDLOGROTATE" = 1 ]; then - if is_debianversion stretch && is_installed squid; then - grep -q monthly /etc/logrotate.d/squid || echo 'IS_SQUIDLOGROTATE FAILED!' 
+ if is_debian_stretch && is_installed squid; then + grep -q monthly /etc/logrotate.d/squid || failed "IS_SQUIDLOGROTATE" fi fi if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then - if is_debianversion stretch && is_installed squid; then - (grep -q "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ + if is_debian_stretch && is_installed squid; then + { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ && test -f /etc/squid/evolinux-defaults.conf \ && test -f /etc/squid/evolinux-whitelist-defaults.conf \ && test -f /etc/squid/evolinux-whitelist-custom.conf \ && test -f /etc/squid/evolinux-acl.conf \ && test -f /etc/squid/evolinux-httpaccess.conf \ - && test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!' + && test -f /etc/squid/evolinux-custom.conf; + } || failed "IS_SQUIDEVOLINUXCONF" fi fi if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then # Do it only if thereis blkid binary - if [ -x "$(which blkid)" ]; then + BLKID_BIN=$(command -v blkid) + if [ -x "$BLKID_BIN" ]; then tmpFile=$(mktemp -p /tmp) - for part in $(blkid | grep -v raid_member | grep -Eo ' LABEL=".*"' | cut -d'"' -f2); do + parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + for part in $parts; do echo "$part" >> "$tmpFile" done tmpOutput=$(sort < "$tmpFile" | uniq -d) # If there is no duplicate, uniq will have no output # So, if $tmpOutput is not null, there is a duplicate if [ -n "$tmpOutput" ]; then - echo 'IS_DUPLICATE_FS_LABEL FAILED!' - # For debug, you may echo the contents of $tmpOutput - # echo $tmpOutput + # shellcheck disable=SC2086 + labels=$(echo -n $tmpOutput | tr '\n' ' ') + failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" fi - rm $tmpFile + rm "$tmpFile" + else + failed "IS_DUPLICATE_FS_LABEL" "blkid not found" fi fi if [ "$IS_EVOLIX_USER" = 1 ]; then - getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!' 
+ grep -q "evolix:" /etc/passwd && failed "IS_EVOLIX_USER" fi if [ "$IS_EVOACME_CRON" = 1 ]; then if [ -f "/usr/local/sbin/evoacme" ]; then # Old cron file, should be deleted - test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!' + test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme" # evoacme cron file should be present - test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!' + test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing" fi fi if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then - if [ -x "$(which evoacme)" ]; then + EVOACME_BIN=$(command -v evoacme) + if [ -x "$EVOACME_BIN" ]; then # Sometimes evoacme is installed but no certificates has been generated numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) - if [ $numberOfLinks -gt 0 ]; then + if [ "$numberOfLinks" -gt 0 ]; then for live in /etc/letsencrypt/*/live; do - actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11) - actualCertDate=$(cut -d'/' -f5 <<< $actualLink) - liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9) - certDir=${liveDir%%/live} - lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1) - lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir) - if [[ "$actualCertDate" != "$lastCertDate" ]]; then - echo 'IS_EVOACME_LIVELINKS FAILED!' - break + actualLink=$(readlink -f "$live") + actualVersion=$(basename "$actualLink") + + certDir=$(dirname "$live") + certName=$(basename "$certDir") + # shellcheck disable=SC2012 + lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1) + lastVersion=$(basename "$lastCertDir") + + if [[ "$lastVersion" != "$actualVersion" ]]; then + failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated" + test "${VERBOSE}" = 1 || break fi done fi 
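Review bot: In IS_MYSQLNRPE the new assignment `nagios_file="~nagios/.my.cnf"` is double-quoted, so tilde expansion never takes place and `test -f $nagios_file` plus the two `stat` calls look for a literal `~nagios` directory relative to the working directory; unless such a directory exists the check cannot pass on any Stretch host with mariadb-server. Assign it unquoted, `nagios_file=~nagios/.my.cnf`, quote the uses (`test -f "$nagios_file"`, `stat -c %U "$nagios_file"`), and keep the literal `-f ~nagios/.my.cnf` text in the `grep -q -F` pattern since that is the string the original check matched. That grep still has no file operand and reads stdin, as before, so the NRPE configuration file to search should be passed as its last argument. Separately, IS_EVOLIX_USER replaced `getent passwd evolix` with the unanchored `grep -q "evolix:" /etc/passwd`, which also matches any account whose name ends in `evolix` or whose GECOS field is exactly `evolix`; anchor it as `grep -q "^evolix:" /etc/passwd`. The enclosing `if [ -e /etc/debian_version ]` block starts and ends outside the hunk.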
@@ -808,11 +1238,10 @@ if [ -e /etc/debian_version ]; then
 # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
 # must be replaced by conf-available/ and config files symlinked
 # to conf-enabled/
- if is_debianversion jessie || is_debianversion stretch; then
+ if is_debian_jessie || is_debian_stretch; then
 if [ -f /etc/apache2/apache2.conf ]; then
- test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!'
- grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
- echo 'IS_APACHE_CONFENABLED FAILED!'
+ test -d /etc/apache2/conf.d/ && failed "IS_APACHE_CONFENABLED"
+ grep -q 'Include conf.d' /etc/apache2/apache2.conf && failed "IS_APACHE_CONFENABLED"
 fi
 fi
 fi 
@@ -820,113 +1249,135 @@ if [ -e /etc/debian_version ]; then if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then # For Stretch, detection is easy as the kernel use # /sys/devices/system/cpu/vulnerabilities/ - if is_debianversion stretch; then + if is_debian_stretch; then for vuln in meltdown spectre_v1 spectre_v2; do - test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!' + test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ + || failed "IS_MELTDOWN_SPECTRE" done # For Jessie this is quite complicated to verify and we need to use kernel config file - elif is_debianversion jessie; then - if grep -q BOOT_IMAGE= /proc/cmdline; then + elif is_debian_jessie; then + if grep -q "BOOT_IMAGE=" /proc/cmdline; then kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) kernelVer=${kernelPath##*/vmlinuz-} kernelConfig="config-${kernelVer}" # Sometimes autodetection of kernel config file fail, so we test if the file really exists. - if [ -f /boot/$kernelConfig ]; then - grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!' - grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!' 
+ if [ -f "/boot/${kernelConfig}" ]; then + grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \ + || failed "IS_MELTDOWN_SPECTRE" "PAGE_TABLE_ISOLATION vulnerability is not patched" + grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \ + || failed "IS_MELTDOWN_SPECTRE" "RETPOLINE vulnerability is not patched" fi fi fi fi + + if [ "$IS_OLD_HOME_DIR" = 1 ]; then + homeDir=${homeDir:-/home} + for dir in "$homeDir"/*; do + statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ + | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ + | grep "UNKNOWN") + # There is at least one dir matching + if [[ -n "$statResult" ]]; then + failed "IS_OLD_HOME_DIR" "$statResult" + test "${VERBOSE}" = 1 || break + fi + done + fi fi -if [ `uname -s` == "OpenBSD" ]; then +if is_openbsd; then if [ "$IS_SOFTDEP" = 1 ]; then - grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!' + grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP" fi if [ "$IS_WHEEL" = 1 ]; then - grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!' + grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL" fi if [ "$IS_SUDOADMIN" = 1 ]; then - grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!' + grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || failed "IS_SUDOADMIN" fi if [ "$IS_PKGMIRROR" = 1 ]; then - grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!' + grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \ + || failed "IS_PKGMIRROR" fi if [ "$IS_HISTORY" = 1 ]; then f=/root/.profile - grep -q "^HISTFILE=\$HOME/.histfile" $f \ - && grep -q "^export HISTFILE" $f \ - && grep -q "^HISTSIZE=1000" $f \ - && grep -q "^export HISTSIZE" $f \ - || echo 'IS_HISTORY FAILED!' 
+ { grep -q "^HISTFILE=\$HOME/.histfile" $f \ + && grep -q "^export HISTFILE" $f \ + && grep -q "^HISTSIZE=1000" $f \ + && grep -q "^export HISTSIZE" $f; + } || failed "IS_HISTORY" fi if [ "$IS_VIM" = 1 ]; then - which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!' + command -v vim > /dev/null 2>&1 || failed "IS_VIM" fi if [ "$IS_TTYC0SECURE" = 1 ]; then - grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!' + grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE" fi if [ "$IS_CUSTOMSYSLOG" = 1 ]; then - grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!' + grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" fi if [ "$IS_NOINETD" = 1 ]; then - grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!' + grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD" fi if [ "$IS_SUDOMAINT" = 1 ]; then f=/etc/sudoers - grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ - && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \ - || echo 'IS_SUDOMAINT FAILED!' + { grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ + && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f; + } || failed "IS_SUDOMAINT" fi if [ "$IS_POSTGRESQL" = 1 ]; then - pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!' + pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed" fi if [ "$IS_NRPE" = 1 ]; then - ( pkg info | grep -qE "nagios-plugins-[0-9.]" \ - && pkg info | grep -q nagios-plugins-ntp \ - && pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!' 
+ { pkg info | grep -qE "nagios-plugins-[0-9.]" \ + && pkg info | grep -q nagios-plugins-ntp \ + && pkg info | grep -q nrpe; + } || failed "IS_NRPE" "NRPE is not installed" fi # if [ "$IS_NRPEDISKS" = 1 ]; then -# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) +# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) # DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) -# [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!' +# [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS" # fi # Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix) # # if [ "$IS_NRPEPOSTFIX" = 1 ]; then -# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' ) +# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || failed "IS_NRPEPOSTFIX" ) # fi if [ "$IS_NRPEDAEMON" = 1 ]; then - grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!' + grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \ + || failed "IS_NREPEDAEMON" fi if [ "$IS_ALERTBOOT" = 1 ]; then - grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!' + grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \ + || failed "IS_ALERTBOOT" fi if [ "$IS_RSYNC" = 1 ]; then - pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!' + pkg info | grep -q rsync || failed "IS_RSYNC" fi if [ "$IS_CRONPATH" = 1 ]; then - grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!' 
+ grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \ + || failed "IS_CRONPATH" fi #TODO 
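Review bot: The IS_TTYC0SECURE check in the OpenBSD block can never report a failure: `grep -Eqv "^ttyC0.*secure$" /etc/ttys` succeeds as soon as any line of /etc/ttys does not match the pattern, which is always true, so the `failed "IS_TTYC0SECURE"` call is unreachable. If the intent is that ttyC0 must not be flagged `secure`, the test should read `! grep -Eq "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE"`; if the intent is the opposite, the `-v` should simply be dropped. The inverted logic predates this commit, but the conversion to `failed` was the moment to fix it. On the Debian side, the two new IS_MELTDOWN_SPECTRE messages describe a kernel option as a vulnerability; `"CONFIG_PAGE_TABLE_ISOLATION is not enabled"` and `"CONFIG_RETPOLINE is not enabled"` would state what was actually tested.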
@@ -935,61 +1386,89 @@ if [ `uname -s` == "OpenBSD" ]; then fi if [ "$IS_TMP_1777" = 1 ]; then - ls -ld /tmp | grep -q drwxrwxrwt || echo 'IS_TMP_1777 FAILED!' + actual=$(stat --format "%a" /tmp) + expected="1777" + test "$expected" = "$actual" || failed "IS_TMP_1777" fi if [ "$IS_ROOT_0700" = 1 ]; then - ls -ld /root | grep -q drwx------ || echo 'IS_ROOT_0700 FAILED!' + actual=$(stat --format "%a" /root) + expected="700" + test "$expected" = "$actual" || failed "IS_ROOT_0700" fi if [ "$IS_USRSHARESCRIPTS" = 1 ]; then - ls -ld /usr/share/scripts | grep -q drwx------ || echo 'IS_USRSHARESCRIPTS FAILED!' + actual=$(stat --format "%a" /usr/share/scripts) + expected="700" + test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" fi if [ "$IS_SSHPERMITROOTNO" = 1 ]; then - is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) - is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' ) + if is_debian_stretch; then + if grep -q "^PermitRoot" /etc/ssh/sshd_config; then + grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" + fi + else + grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" + fi fi if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then - if ! is_debianversion stretch; then + if is_debian_stretch; then + users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') + else if [ -f /etc/sudoers.d/evolinux ]; then sudoers="/etc/sudoers.d/evolinux" else sudoers="/etc/sudoers" fi - for i in $( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep ^sudo /etc/group |cut -d: -f 4) | tr "," "\n" |sort -u); do - grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!' 
- done - else - for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do - grep -q "^trap.*sudo.*evomaintenance.sh" /home/$i/.*profile || echo 'IS_EVOMAINTENANCEUSERS FAILED!' - done + # combine users from User_Alias and sudo group + users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) fi + for user in $users; do + user_home=$(getent passwd "$user" | cut -d: -f6) + if [ -n "$user_home" ] && [ -d "$user_home" ]; then + if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then + failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" + test "${VERBOSE}" = 1 || break + fi + fi + done fi # Verification de la configuration d'evomaintenance if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then f=/etc/evomaintenance.cf - ( test -e $f \ - && test $(stat -c "%a" $f) = "600" \ - && grep "^export PGPASSWORD" $f |grep -qv "your-passwd" \ - && grep "^PGDB" $f |grep -qv "your-db" \ - && grep "^PGTABLE" $f |grep -qv "your-table" \ - && grep "^PGHOST" $f |grep -qv "your-pg-host" \ - && grep "^FROM" $f |grep -qv "jdoe@example.com" \ - && grep "^FULLFROM" $f |grep -qv "John Doe " \ - && grep "^URGENCYFROM" $f |grep -qv "mama.doe@example.com" \ - && grep "^URGENCYTEL" $f |grep -qv "06.00.00.00.00" \ - && grep "^REALM" $f |grep -qv "example.com" ) || echo 'IS_EVOMAINTENANCECONF FAILED!' 
+ if [ -e "$f" ]; then + perms=$(stat -c "%a" $f) + test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)" + + { grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ + && grep "^PGDB" $f | grep -qv "your-db" \ + && grep "^PGTABLE" $f | grep -qv "your-table" \ + && grep "^PGHOST" $f | grep -qv "your-pg-host" \ + && grep "^FROM" $f | grep -qv "jdoe@example.com" \ + && grep "^FULLFROM" $f | grep -qv "John Doe " \ + && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ + && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ + && grep "^REALM" $f | grep -qv "example.com"; + } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" + else + failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" + fi fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then - for f in /etc/ssl/private/*; do - perms=$(stat -L -c "%a" $f) - if [ ${perms: -1} != "0" ]; then - echo 'IS_PRIVKEYWOLRDREADABLE FAILED!' - break - fi - done + # a simple globbing fails if directory is empty + if [ -n "$(ls -A /etc/ssl/private/)" ]; then + for f in /etc/ssl/private/*; do + perms=$(stat -L -c "%a" "$f") + if [ "${perms: -1}" != 0 ]; then + failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" + test "${VERBOSE}" = 1 || break + fi + done + fi fi + +exit ${RC} diff --git a/evocheck/meta/main.yml b/evocheck/meta/main.yml index 46e2ad59..35c76d72 100644 --- a/evocheck/meta/main.yml +++ b/evocheck/meta/main.yml @@ -3,7 +3,7 @@ galaxy_info: description: Install evocheck company: Evolix - issue_tracker_url: https://forge.evolix.org/projects/evocheck/issues + issue_tracker_url: https://gitea.evolix.org/evolix/evocheck/issues license: GPLv2 diff --git a/evolinux-base/meta/main.yml b/evolinux-base/meta/main.yml index 2b6aed3c..58265332 100644 --- a/evolinux-base/meta/main.yml +++ b/evolinux-base/meta/main.yml 
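Review bot: The IS_SSHPERMITROOTNO test is satisfied by a commented-out directive: `grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config` has no `^` anchor, so a leftover `#PermitRootLogin no` above an active `PermitRootLogin yes` makes the check pass, and on Stretch the outer `grep -q "^PermitRoot"` only proves that some active directive exists without tying the second match to it. Anchoring the match on the active line, `grep -Eqi "^PermitRootLogin[[:space:]]+no"`, or asking the daemon for its effective value with `sshd -T 2>/dev/null | grep -qi "^permitrootlogin no"`, would test what sshd actually enforces (the latter also accounts for `Match` blocks). Separately, IS_TMP_1777, IS_ROOT_0700 and IS_USRSHARESCRIPTS replaced a portable `ls -ld` pipeline with `stat --format`, a GNU-only option; if this common section is also executed on OpenBSD (the hunk opens by closing the `is_openbsd` block), those three checks will error there rather than verify anything.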
@@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Evolix usual customizations for a Debian installation. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 8d2bab84..bf0e0eea 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -113,16 +113,25 @@ # TODO: use ini_file when Ansible > 2.1 (no_extra_spaces: yes) -- name: Configure Listchanges +- name: Configure Listchanges on Jessie lineinfile: dest: /etc/apt/listchanges.conf regexp: '^{{ item.option }}\s*=' line: "{{ item.option }}={{ item.value }}" with_items: - - { option: "confirm", value: "1" } - - { option: "which", value: "both" } + - { option: "confirm", value: "1" } + - { option: "which", value: "both" } when: - - evolinux_packages_listchanges - - ansible_distribution_release == "jessie" + - evolinux_packages_listchanges + - ansible_distribution == "Debian" + - ansible_distribution_release == "jessie" + +- name: apt-listchanges is absent on Stretch and later + apt: + name: apt-listchanges + state: absent + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '>=') - meta: flush_handlers diff --git a/evolinux-todo/meta/main.yml b/evolinux-todo/meta/main.yml index 041e58cc..b1936540 100644 --- a/evolinux-todo/meta/main.yml +++ b/evolinux-todo/meta/main.yml @@ -3,7 +3,7 @@ galaxy_info: description: Install evolinux-todo company: Evolix - issue_tracker_url: https://forge.evolix.org/projects/evocheck/issues + issue_tracker_url: https://gitea.evolix.org/evolix/evocheck/issues license: GPLv2 diff --git a/evolinux-users/meta/main.yml b/evolinux-users/meta/main.yml index 9bae9e73..8e019209 100644 --- a/evolinux-users/meta/main.yml +++ b/evolinux-users/meta/main.yml 
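Review bot: The new "apt-listchanges is absent on Stretch and later" task ignores `evolinux_packages_listchanges`, so on Stretch that variable silently loses its effect while the preceding "Configure Listchanges on Jessie" task still honours it. If that is intended, say so where the variable is documented, e.g. a comment above the task: `# apt-listchanges is always removed on Stretch and later; evolinux_packages_listchanges only applies to Jessie`. Otherwise add `- evolinux_packages_listchanges` (or its negation, whichever matches the intent) to the task's `when` list. `version_compare` is the pre-2.5 name of the filter that Ansible renamed to `version`; it works with the Ansible versions this role otherwise targets, but is worth a note if the roles are ever moved to a newer Ansible.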
@@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Creates evolinux users accounts. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh index 1d22d711..723c9648 100644 --- a/evomaintenance/files/evomaintenance.sh +++ b/evomaintenance/files/evomaintenance.sh 
@@ -4,82 +4,404 @@ # Dependencies (all OS): git postgresql-client # Dependencies (Debian): sudo -# version 0.4.1 -# Copyright 2007-2018 Gregory Colpart , Jérémy Lecour , Evolix +# version 0.5.0 +# Copyright 2007-2019 Evolix , Gregory Colpart , +# Jérémy Lecour and others. + +VERSION="0.5.0" + +show_version() { + cat <, Gregory Colpart , + Jérémy Lecour and others. + +evomaintenance comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public Licence for details. +END +} + +show_help() { + cat <> "${LOGFILE}" + fi + fi + fi +} + +hook_db() { + SQL_DETAILS=$(echo "${MESSAGE}" | sed "s/'/''/g") + PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_DETAILS}')" + + if [ "${VERBOSE}" = "1" ]; then + printf "\n********** DB query **************\n%s\n***********************************\n" "${PG_QUERY}" + fi + if [ "${DRY_RUN}" != "1" ] && [ -x "${PSQL_BIN}" ]; then + echo "${PG_QUERY}" | ${PSQL_BIN} "${PGDB}" "${PGTABLE}" -h "${PGHOST}" + fi +} + +format_mail() { + cat <> "${LOGFILE}" + fi +} + +# load configuration if present. test -f /etc/evomaintenance.cf && . 
/etc/evomaintenance.cf -[ -n "${HOSTNAME}" ] || HOSTNAME=$(get_fqdn) -[ -n "${EVOMAINTMAIL}" ] || EVOMAINTMAIL=evomaintenance-$(echo "${HOSTNAME}" | cut -d- -f1)@${REALM} -[ -n "${LOGFILE}" ] || LOGFILE=/var/log/evomaintenance.log +HOSTNAME=${HOSTNAME:-$(get_fqdn)} +EVOMAINTMAIL=${EVOMAINTMAIL:-"evomaintenance-$(echo "${HOSTNAME}" | cut -d- -f1)@${REALM}"} +LOGFILE=${LOGFILE:-"/var/log/evomaintenance.log"} +HOOK_COMMIT=${HOOK_COMMIT:-"1"} +HOOK_DB=${HOOK_DB:-"1"} +HOOK_MAIL=${HOOK_MAIL:-"1"} +DRY_RUN=${DRY_RUN:-"0"} +VERBOSE=${VERBOSE:-"0"} +AUTO=${AUTO:-"0"} +EVOCHECK=${EVOCHECK:-"0"} +GIT_STATUS_MAX_LINES=${GIT_STATUS_MAX_LINES:-20} + +# initialize variables +MESSAGE="" +# GIT_COMMITS_SHORT="" +GIT_COMMITS="" + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + --version) + show_version + exit 0 + ;; + -m|--message) + # message options, with value speparated by space + if [ -n "$2" ]; then + MESSAGE=$2 + shift + else + printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2 + exit 1 + fi + ;; + --message=?*) + # message options, with value speparated by = + MESSAGE=${1#*=} + ;; + --message=) + # message options, without value + printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2 + exit 1 + ;; + --no-commit) + # disable commit hook + HOOK_COMMIT=0 + ;; + --commit) + # enable commit hook + HOOK_COMMIT=1 + ;; + --no-db) + # disable DB hook + HOOK_DB=0 + ;; + --db) + # enable DB hook + HOOK_DB=1 + ;; + --no-mail) + # disable mail hook + HOOK_MAIL=0 + ;; + --mail) + # enable mail hook + HOOK_MAIL=1 + ;; + --no-auto) + # use "manual" mode + AUTO=0 + ;; + --auto) + # use "auto" mode + AUTO=1 + ;; + -n|--dry-run) + # disable actual commands + DRY_RUN=1 + ;; + -v|--verbose) + # print verbose information + VERBOSE=1 + ;; + --) + # End of all options. 
+ shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done + # Treat unset variables as an error when substituting. # Only after this line, because some config variables might be missing. set -u -REAL_HOSTNAME=$(get_fqdn) -if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then - HOSTNAME_TEXT="${HOSTNAME}" -else - HOSTNAME_TEXT="${HOSTNAME} (${REAL_HOSTNAME})" -fi - +# Gather information +HOSTNAME_TEXT=$(get_complete_hostname) # TTY=$(get_tty) # WHO=$(get_who) IP=$(get_ip) 
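Review bot: The catch-all `-?*|[[:alnum:]]*)` branch of the option parser only warns and keeps going, so a mistyped switch such as `--no-comit` is dropped and the script proceeds with the corresponding hook still enabled; in `--auto` or non-interactive use that means a commit, a mail and a database insert happen although the caller asked for the opposite. Exiting is the safer behaviour: `printf 'ERROR: Unknown option: %s\n' "$1" >&2; exit 1` (note that the `[[:alnum:]]*` alternative also swallows any bare positional argument, so the message must come through `-m`/`--message` as the help presumably documents). `hook_db` escapes the free-text message with `sed "s/'/''/g"` only; that is the correct quoting for PostgreSQL when `standard_conforming_strings` is on (the default since 9.1), and a comment at the `SQL_DETAILS=` line, `# single quotes doubled; backslashes are literal under standard_conforming_strings=on`, would record why no further escaping is done. The heredocs of show_version, show_help, format_mail and hook_log are mangled in this rendering and could not be reviewed.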
@@ -90,109 +412,231 @@ USER=$(logname) PATH=${PATH}:/usr/sbin SENDMAIL_BIN=$(command -v sendmail) +readonly SENDMAIL_BIN +if [ -z "${SENDMAIL_BIN}" ]; then + echo "No \`sendmail' command has been found, can't send mail." 2>&1 +fi + GIT_BIN=$(command -v git) +readonly GIT_BIN +if [ -z "${GIT_BIN}" ]; then + echo "No \`git' command has been found, can't commit changes" 2>&1 +fi + +PSQL_BIN=$(command -v psql) +readonly PSQL_BIN +if [ -z "${PSQL_BIN}" ]; then + echo "No \`psql' command has been found, can't save to the database." 2>&1 +fi + +EVOCHECK_BIN="/usr/share/scripts/evocheck.sh" GIT_REPOSITORIES="/etc /etc/bind" -# git statuses +# initialize variable GIT_STATUSES="" - -if test -x "${GIT_BIN}"; then +# git statuses +if [ -x "${GIT_BIN}" ]; then # loop on possible directories managed by GIT for dir in ${GIT_REPOSITORIES}; do - # tell Git where to find the repository and the work tree (no need to `cd …` there) - export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}" - # If the repository and the work tree exist, try to commit changes - if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then - CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ') - if [ "${CHANGED_LINES}" != "0" ]; then - STATUS=$(${GIT_BIN} status --short | tail -n 10) - # append diff data, without empty lines - GIT_STATUSES=$(printf "%s\n%s\n%s\n" "${GIT_STATUSES}" "${GIT_DIR} (last 10 lines)" "${STATUS}" | sed -e '/^$/d') - fi + RESULT=$(get_repository_status "${dir}") + if [ -n "${RESULT}" ]; then + # append diff data, without empty lines + GIT_STATUSES=$(printf "%s\n%s\n" "${GIT_STATUSES}" "${RESULT}" | sed -e '/^$/d') fi - # unset environment variables to prevent accidental influence on other git commands - unset GIT_DIR GIT_WORK_TREE + unset RESULT done - if [ -n "${GIT_STATUSES}" ]; then - echo "/!\ There are some uncommited changes. If you proceed, everything will be commited." 
- echo "${GIT_STATUSES}" - echo "" - fi fi -# get input from stdin -echo "> Please, enter details about your maintenance" -read TEXTE +# find out if running in interactive mode, or not +if [ -t 0 ]; then + INTERACTIVE=1 +else + INTERACTIVE=0 +fi +readonly INTERACTIVE -if [ "${TEXTE}" = "" ]; then +if [ "${INTERACTIVE}" = "1" ] && [ "${EVOCHECK}" = "1" ]; then + get_evocheck +fi +if [ -n "${GIT_STATUSES}" ] && [ "${INTERACTIVE}" = "1" ]; then + printf "/!\ There are some uncommited changes.\n%s\n\n" "${GIT_STATUSES}" +fi + +if [ -z "${MESSAGE}" ]; then + if [ "${INTERACTIVE}" = "1" ]; then + printf "> Please, enter details about your maintenance:\n" + fi + read -r MESSAGE +fi + +if [ -z "${MESSAGE}" ]; then echo "no value..." exit 1 fi -# recapitulatif -BLOB=$(cat < Press to submit, or to cancel." -read enter - -# write log -echo "----------- $(get_now) ---------------" >> "${LOGFILE}" -echo "${BLOB}" >> "${LOGFILE}" - -# git commit -GIT_COMMITS="" - -if test -x "${GIT_BIN}"; then - # loop on possible directories managed by GIT - for dir in ${GIT_REPOSITORIES}; do - # tell Git where to find the repository and the work tree (no need to `cd …` there) - export GIT_DIR="${dir}/.git" GIT_WORK_TREE="${dir}" - # If the repository and the work tree exist, try to commit changes - if test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then - CHANGED_LINES=$(${GIT_BIN} status --porcelain | wc -l | tr -d ' ') - if [ "${CHANGED_LINES}" != "0" ]; then - ${GIT_BIN} add --all - ${GIT_BIN} commit --message "${TEXTE}" --author="${USER} <${USER}@evolix.net>" --quiet - # Add the SHA to the log file if something has been committed - SHA=$(${GIT_BIN} rev-parse --short HEAD) - STATS=$(${GIT_BIN} show --stat | tail -1) - # append commit data, without empty lines - GIT_COMMITS=$(printf "%s\n%s : %s –%s" "${GIT_COMMITS}" "${GIT_DIR}" "${SHA}" "${STATS}" | sed -e '/^$/d') - fi +if [ "${INTERACTIVE}" = "1" ] && [ "${AUTO}" = "0" ]; then + if [ "${HOOK_COMMIT}" = "1" ] || [ "${HOOK_MAIL}" = "1" 
] || [ "${HOOK_DB}" = "1" ]; then + printf "\nActions to execute:\n" + if [ "${HOOK_COMMIT}" = "1" ]; then + printf "* commit changes in repositories\n" fi - # unset environment variables to prevent accidental influence on other git commands - unset GIT_DIR GIT_WORK_TREE - done - if [ -n "${GIT_COMMITS}" ]; then - echo "${GIT_COMMITS}" >> "${LOGFILE}" + if [ "${HOOK_MAIL}" = "1" ]; then + printf "* send mail to %s\n" "${EVOMAINTMAIL}" + fi + if [ "${HOOK_DB}" = "1" ]; then + printf "* save metadata to the database\n" + fi + echo "" + + answer="" + while :; do + printf "> Let's continue? [Y,n,i,?] " + read -r answer + case $answer in + [Yy]|"" ) + # force "auto" mode, but keep hooks settings + AUTO=1 + break + ;; + [Nn] ) + # force "auto" mode, and disable all hooks + HOOK_COMMIT=0 + HOOK_MAIL=0 + HOOK_DB=0 + AUTO=1 + break + ;; + [Ii] ) + # force "manual" mode + AUTO=0 + break + ;; + * ) + printf "y - yes, execute actions and exit\n" + printf "n - no, don't execute actions and exit\n" + printf "i - switch to interactive mode\n" + printf "? - print this help\n" + ;; + esac + done fi fi -# insert into PG -# SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/\\\\\\'/g ; s@/@\\\\\/@g ; s@\\&@et@g"` -SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"` +if [ "${INTERACTIVE}" = "1" ] && [ "${AUTO}" = "0" ]; then + # Commit hook + if [ -n "${GIT_STATUSES}" ] && [ "${HOOK_COMMIT}" = "1" ]; then + printf "/!\ There are some uncommited changes.\n%s\n\n" "${GIT_STATUSES}" -PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')" -echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} + y="Y"; n="n" + answer="" + while :; do + printf "> Do you want to commit the changes? 
[%s] " "${y},${n}" + read -r answer + case $answer in + [Yy] ) + hook_commit; + break + ;; + [Nn] ) + break + ;; + "" ) + if [ "${HOOK_COMMIT}" = "1" ]; then + hook_commit + fi + break + ;; + * ) + echo "answer with a valid choice" + ;; + esac + done + fi -# send mail -MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@") -MAIL_GIT_COMMITS=$(echo "${GIT_COMMITS}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@") + # Mail hook + if [ "${HOOK_MAIL}" = "1" ]; then + y="Y"; n="n" + else + y="y"; n="N" + fi + answer="" + while :; do + printf "> Do you want to send an email to <%s>? [%s] " "${EVOMAINTMAIL}" "${y},${n},e" + read -r answer + case $answer in + [Yy] ) + hook_mail; + break + ;; + [Nn] ) + break + ;; + [Ee] ) + printf "> To: [%s] " "${EVOMAINTMAIL}" + read -r mail_recipient + if [ -n "${mail_recipient}" ]; then + EVOMAINTMAIL="${mail_recipient}" + fi + ;; + "" ) + if [ "${HOOK_MAIL}" = "1" ]; then + hook_mail + fi + break + ;; + * ) + echo "answer with a valid choice" + ;; + esac + done -cat /usr/share/scripts/evomaintenance.tpl | \ - sed -e "s/__TO__/${EVOMAINTMAIL}/ ; s/__HOSTNAME__/${HOSTNAME_TEXT}/ ; s/__USER__/${USER}/ ; s/__BEGIN_DATE__/${BEGIN_DATE}/ ; s/__END_DATE__/${END_DATE}/ ; s/__GIT_COMMITS__/${MAIL_GIT_COMMITS}/ ; s/__TEXTE__/${MAIL_TEXTE}/ ; s/__IP__/${IP}/ ; s/__FULLFROM__/${FULLFROM}/ ; s/__FROM__/${FROM}/ ; s/__URGENCYFROM__/${URGENCYFROM}/ ; s/__URGENCYTEL__/${URGENCYTEL}/" | \ - ${SENDMAIL_BIN} -oi -t -f ${FROM} + # Database hook + if [ "${HOOK_DB}" = "1" ]; then + y="Y"; n="n" + else + y="y"; n="N" + fi + answer="" + while :; do + printf "> Do you want to insert your message into the database? 
[%s] " "${y},${n}" + read -r answer + case $answer in + [Yy] ) + hook_db; + break + ;; + [Nn] ) + break + ;; + "" ) + if [ "${HOOK_DB}" = "1" ]; then + hook_db + fi + break + ;; + * ) + echo "answer with a valid choice" + ;; + esac + done +fi + +# Log hook +hook_log + +if [ "${INTERACTIVE}" = "0" ] || [ "${AUTO}" = "1" ]; then + if [ "${HOOK_COMMIT}" = "1" ]; then + hook_commit + fi + if [ "${HOOK_MAIL}" = "1" ]; then + hook_mail + fi + if [ "${HOOK_DB}" = "1" ]; then + hook_db + fi +fi exit 0 diff --git a/evomaintenance/meta/main.yml b/evomaintenance/meta/main.yml index 3b27a2fe..cb592aea 100644 --- a/evomaintenance/meta/main.yml +++ b/evomaintenance/meta/main.yml @@ -3,7 +3,7 @@ galaxy_info: description: Install evomaintenance company: Evolix - issue_tracker_url: https://forge.evolix.org/projects/evomaintenance/issues + issue_tracker_url: https://gitea.evolix.org/evolix/evomaintenance/issues license: GPLv2 diff --git a/fail2ban/meta/main.yml b/fail2ban/meta/main.yml index 87587a65..5b80af79 100644 --- a/fail2ban/meta/main.yml +++ b/fail2ban/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Install Fail2ban and a few filters. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 4c3999bc..088e85d4 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -27,6 +27,12 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto action = %(action_mwl)s +[sshd] +port = ssh,2222 +logpath = %(sshd_log)s +backend = %(sshd_backend)s +maxretry = 10 + {% if fail2ban_wordpress %} [wordpress-hard] enabled = true diff --git a/filebeat/meta/main.yml b/filebeat/meta/main.yml index 37aa6319..97898e88 100644 --- a/filebeat/meta/main.yml +++ b/filebeat/meta/main.yml 
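Review bot: The three "No `sendmail'/`git'/`psql' command has been found" messages at the top of the hunk end with `2>&1`, which sends stderr to stdout rather than the reverse, so these warnings land on stdout (and, in non-interactive use, in whatever captures the script's output) instead of stderr; the intended form is `>&2`, e.g. `echo "No \`sendmail' command has been found, can't send mail." >&2`. A missing psql is then tolerated silently by the `[ -x "${PSQL_BIN}" ]` test in hook_db; whether hook_mail and hook_commit guard the same way is not visible in this rendering, so a one-line comment at `readonly SENDMAIL_BIN`, `# empty when the tool is absent; the hook must check -x before using it`, would make the contract explicit. In the "Let's continue?" prompt the `[Nn]` answer disables all three hooks but `hook_log` still runs afterwards unconditionally; if that is intended, a comment such as `# the log hook always runs, even when the user declined the other actions` above `hook_log` would save the next reader a double take.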
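Review bot: The new `[sshd]` jail carries no `enabled = true`, unlike `[wordpress-hard]` just below it, so it is only active if something else switches it on (Debian's /etc/fail2ban/jail.d/defaults-debian.conf does ship `[sshd]` with `enabled = true`); since this template is the role's own jail.local, stating `enabled = true` here makes the intent explicit instead of relying on the distribution drop-in. `maxretry = 10` is twice fail2ban's stock default of 5, and the port list `ssh,2222` is hard-coded inside a Jinja template; a short comment explaining both choices, or a role variable for the port list, would help the next maintainer. `%(sshd_log)s` and `%(sshd_backend)s` are interpolations from the stock fail2ban configuration and should resolve as long as the role does not replace those files.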
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of Filebeat.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/haproxy/meta/main.yml b/haproxy/meta/main.yml
index e443f4e5..32b06065 100644
--- a/haproxy/meta/main.yml
+++ b/haproxy/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of HAProxy
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/java/meta/main.yml b/java/meta/main.yml
index c5b91643..9f4d9ab5 100644
--- a/java/meta/main.yml
+++ b/java/meta/main.yml
@@ -3,7 +3,7 @@ galaxy_info:
 author: Evolix
 description: Installation of Java
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/jenkins/meta/main.yml b/jenkins/meta/main.yml
index 0f0b5b69..5666a334 100644
--- a/jenkins/meta/main.yml
+++ b/jenkins/meta/main.yml
@@ -3,7 +3,7 @@ galaxy_info:
 author: Evolix
 description: Install Jenkins
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/kibana/meta/main.yml b/kibana/meta/main.yml
index dce2560a..4b8408f6 100644
--- a/kibana/meta/main.yml
+++ b/kibana/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of Kibana.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/kvm-host/meta/main.yml b/kvm-host/meta/main.yml
index 5ad103ad..1d6d1c36 100644
--- a/kvm-host/meta/main.yml
+++ b/kvm-host/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Install tools to set-up a KVM host
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/ldap/meta/main.yml b/ldap/meta/main.yml
index d96a2e56..aace73c2 100644
--- a/ldap/meta/main.yml
+++ b/ldap/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of ldap.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/listupgrade/meta/main.yml b/listupgrade/meta/main.yml
index 7b9588bd..29c56478 100644
--- a/listupgrade/meta/main.yml
+++ b/listupgrade/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and configuration of the listupgrade script
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/logstash/meta/main.yml b/logstash/meta/main.yml
index 62a4cf71..dff3c72e 100644
--- a/logstash/meta/main.yml
+++ b/logstash/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of Logstash.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/lxc/templates/default.conf b/lxc/templates/default.conf
index bf3501d3..94e7c1d6 100644
--- a/lxc/templates/default.conf
+++ b/lxc/templates/default.conf
@@ -11,7 +11,7 @@ lxc.network.type = {{lxc_network_type}} {% if lxc_mount_part %} # Mount {{lxc_mount_part}} into containers. -# lxc.mount.entry = {{lxc_mount_part}} {{lxc_mount_part |replace('/', '')}} none bind 0 0 +lxc.mount.entry = {{lxc_mount_part}} {{lxc_mount_part |replace('/', '')}} none bind 0 0 {% endif %} # Only one tty is enough. diff --git a/memcached/meta/main.yml b/memcached/meta/main.yml index 9d85a45e..6e4ba6d8 100644 --- a/memcached/meta/main.yml +++ b/memcached/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of memcached. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/metricbeat/meta/main.yml b/metricbeat/meta/main.yml index 5440675d..880790f5 100644 --- a/metricbeat/meta/main.yml +++ b/metricbeat/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of Metricbeat. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 6c4a6d90..85246940 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf @@ -1,4 +1,4 @@ -# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall +# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall # For fun, we keep last change from first CVS repository: # version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $ diff --git a/minifirewall/meta/main.yml b/minifirewall/meta/main.yml index d965ef24..b8cca373 100644 --- a/minifirewall/meta/main.yml +++ b/minifirewall/meta/main.yml 
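Review bot: Enabling `lxc.mount.entry` here bind-mounts `{{lxc_mount_part}}` from the host, read-write, into every container that picks up this default config (the changelog says /home by default), so any process inside a container can alter that host directory. That trade-off deserves a comment above the directive, e.g. `# Shared read-write with the host: a process in the container can modify this host directory; add ",ro" if read access is enough`, and a `ro` mount option where containers only need to read it. The target `{{lxc_mount_part |replace('/', '')}}` flattens a nested path such as `/srv/data` to `srvdata` relative to the container rootfs, and that directory presumably has to exist in the container for it to start; both points are worth noting next to the `lxc_mount_part` variable's documentation.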
@@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and configuration of Minifirewall - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/minifirewall/templates/minifirewall.j2 b/minifirewall/templates/minifirewall.j2 index 33b13744..49852e42 100755 --- a/minifirewall/templates/minifirewall.j2 +++ b/minifirewall/templates/minifirewall.j2 @@ -2,7 +2,7 @@ # minifirewall is shellscripts for easy firewalling on a standalone server # we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel -# See https://forge.evolix.org/projects/minifirewall +# See https://gitea.evolix.org/evolix/minifirewall # Copyright (c) 2007-2015 Evolix # This program is free software; you can redistribute it and/or diff --git a/monit/meta/main.yml b/monit/meta/main.yml index 6392e883..4a22e18c 100644 --- a/monit/meta/main.yml +++ b/monit/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of Monit. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/munin/meta/main.yml b/munin/meta/main.yml index 2717b3cc..7b95e655 100644 --- a/munin/meta/main.yml +++ b/munin/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation of Munin with a selection of plugins - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/mysql-oracle/meta/main.yml b/mysql-oracle/meta/main.yml index 8cb59054..963a0494 100644 --- a/mysql-oracle/meta/main.yml +++ b/mysql-oracle/meta/main.yml 
@@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Install and configure MySQL 5.7 (with Oracle packages) - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/mysql/meta/main.yml b/mysql/meta/main.yml index a8204bf9..82be1e3c 100644 --- a/mysql/meta/main.yml +++ b/mysql/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: your description - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/nagios-nrpe/meta/main.yml b/nagios-nrpe/meta/main.yml index 56c1ea31..acdb111c 100644 --- a/nagios-nrpe/meta/main.yml +++ b/nagios-nrpe/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and custom configuration of Nagios NRPE server. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/networkd-to-ifconfig/meta/main.yml b/networkd-to-ifconfig/meta/main.yml index e5cd8119..7040a19e 100644 --- a/networkd-to-ifconfig/meta/main.yml +++ b/networkd-to-ifconfig/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Switch back from systemd "networkd" to plain old /etc/network/interfaces. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/newrelic/meta/main.yml b/newrelic/meta/main.yml index b355644e..0436c6ae 100644 --- a/newrelic/meta/main.yml +++ b/newrelic/meta/main.yml 
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation of NewRelic tools.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/nginx/meta/main.yml b/nginx/meta/main.yml
index fc0efc9b..39382693 100644
--- a/nginx/meta/main.yml
+++ b/nginx/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of Nginx
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/nginx/templates/evolinux-default.conf.j2 b/nginx/templates/evolinux-default.conf.j2
index eeffa686..5662ba51 100644
--- a/nginx/templates/evolinux-default.conf.j2
+++ b/nginx/templates/evolinux-default.conf.j2
@@ -35,6 +35,7 @@ server {
 location /munin/ {
 alias /var/cache/munin/www/;
+ add_header X-Frame-Options "SAMEORIGIN";
 }
 location ^~ /munin-cgi/munin-cgi-graph/ {
diff --git a/nodejs/meta/main.yml b/nodejs/meta/main.yml
index 066f81dd..fa8e2dd2 100644
--- a/nodejs/meta/main.yml
+++ b/nodejs/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation of NodeJS from NPM repositories
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/opendkim/files/opendkim-add.sh b/opendkim/files/opendkim-add.sh
index fa663a59..4e11f8cc 100644
--- a/opendkim/files/opendkim-add.sh
+++ b/opendkim/files/opendkim-add.sh
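Review bot: The `add_header` added inside `location /munin/` replaces rather than extends any `add_header` directives inherited from the enclosing `server` block, because nginx only applies the add_header directives of the innermost level that defines one; if the server block sets other security headers, they silently stop being sent for /munin/. Either repeat the server-level headers in this location or set X-Frame-Options once at server level, and consider `add_header X-Frame-Options "SAMEORIGIN" always;` so error responses carry it as well. The sibling `location ^~ /munin-cgi/munin-cgi-graph/` visible in the hunk does not get the header, which may or may not be intended. The enclosing `server {` block starts and ends outside the hunk.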
@@ -1,52 +1,37 @@ #!/bin/sh - -dpkg -l |grep -e 'opendkim-tools' -e 'opendkim' -q - -if [ "$?" -ne 0 ]; then - echo "Require opendkim-tools and opendkim" - exit 1 -fi - if [ "$#" -ne 1 ]; then echo "Usage : $0 example.com" >&2 exit 1 fi +servername="$(cat /etc/hostname)" domain="$(echo "$1"|xargs)" -mkdir -pm 0750 "/etc/opendkim/keys/${domain}" -chown opendkim:opendkim "/etc/opendkim/keys/${domain}" - -if [ ! -f "/etc/opendkim/keys/${domain}/default.private" ]; then - cd "/etc/opendkim/keys/${domain}" +if [ ! -f "/etc/ssl/private/dkim-${servername}.private" ]; then echo "Generate DKIM keys ..." - sudo -u opendkim opendkim-genkey -r -d "${domain}" - chmod 640 /etc/opendkim/keys/${domain}/* -fi - -grep -q "${domain}" /etc/opendkim/TrustedHosts -if [ "$?" -ne 0 ]; then - echo "Add ${domain} to TrustedHosts ..." - echo "${domain}" >> /etc/opendkim/TrustedHosts + opendkim-genkey -D /etc/ssl/private/ -r -d "${domain}" -s "dkim-${servername}" + chown opendkim:opendkim "/etc/ssl/private/dkim-${servername}.private" + chmod 640 "/etc/ssl/private/dkim-${servername}.private" + mv "/etc/ssl/private/dkim-${servername}.txt" "/etc/ssl/certs/" fi grep -q "${domain}" /etc/opendkim/KeyTable if [ "$?" -ne 0 ]; then echo "Add ${domain} to KeyTable ..." - echo "default._domainkey.${domain} ${domain}:default:/etc/opendkim/keys/${domain}/default.private" >> /etc/opendkim/KeyTable + echo "dkim-${servername}._domainkey.${domain} ${domain}:dkim-${servername}:/etc/ssl/private/dkim-${servername}.private" >> /etc/opendkim/KeyTable fi grep -q "${domain}" /etc/opendkim/SigningTable if [ "$?" -ne 0 ]; then echo "Add ${domain} to SigningTable ..." - echo "*@${domain} default._domainkey.${domain}" >> /etc/opendkim/SigningTable + echo "*@${domain} dkim-${servername}._domainkey.${domain}" >> /etc/opendkim/SigningTable fi systemctl reload opendkim if [ "$?" 
-eq 0 ]; then echo "OpenDKIM successfully reloaded" - echo "Public key is in : /etc/opendkim/keys/${domain}/default.txt" + echo "Public key is in : /etc/ssl/certs/dkim-${servername}.txt" exit 0 else echo "An error has occurred while opendkim reload, please FIX configuration !" >&2 diff --git a/opendkim/files/opendkim.conf b/opendkim/files/opendkim.conf index c8c4d385..37536b93 100644 --- a/opendkim/files/opendkim.conf +++ b/opendkim/files/opendkim.conf @@ -5,7 +5,6 @@ OversignHeaders From TrustAnchorFile /usr/share/dns/root.key Selector default Canonicalization relaxed/relaxed -ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts KeyTable refile:/etc/opendkim/KeyTable LogResults Yes diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index 7196ef46..1769870a 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml @@ -6,19 +6,17 @@ with_items: - opendkim - opendkim-tools + - ssl-cert + - dns-root-data tags: - opendkim -- name: create keys directory - file: - name: "{{ item }}" - state: directory - owner: opendkim - group: opendkim - mode: "0750" - with_items: - - '/etc/opendkim' - - '/etc/opendkim/keys' +- name: Add user opendkim in ssl-cert group + user: + name: opendkim + groups: ssl-cert + state: present + append: yes tags: - opendkim @@ -58,6 +56,15 @@ tags: - opendkim + +- name: Set folder permissions to 0750 + file: + path: "/etc/opendkim/" + mode: "0750" + force: yes + tags: + - opendkim + - name: ensure opendkim is started and enabled systemd: name: opendkim diff --git a/packweb-apache/meta/main.yml b/packweb-apache/meta/main.yml index c86b3a03..0afeb1e0 100644 --- a/packweb-apache/meta/main.yml +++ b/packweb-apache/meta/main.yml 
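Review bot: The new `opendkim-genkey -D /etc/ssl/private/ ...` call is not checked for failure, so when key generation fails the script still runs the chown/chmod/mv, appends KeyTable and SigningTable entries that point at a private key that does not exist, and reloads opendkim; change it to `opendkim-genkey -D /etc/ssl/private/ -r -d "${domain}" -s "dkim-${servername}" || { echo "DKIM key generation failed" >&2; exit 1; }`. The `grep -q "${domain}"` idempotency checks that guard the new KeyTable/SigningTable lines are unanchored basic-regex matches (pre-existing), so a domain that is a substring of one already listed, or whose dots match any character, is silently skipped; a fixed-string match on the full table key such as `grep -qF "._domainkey.${domain} "` would be more reliable. Since the selector is now `dkim-${servername}`, a single private key is shared by every domain added on this host, which is worth stating in the final "Public key is in" message or a header comment.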
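Review bot: The new `Add user opendkim in ssl-cert group` task grants the DKIM daemon read access to every key in /etc/ssl/private that is group-readable by ssl-cert, not only its own; on Debian that typically includes the snakeoil key and any TLS keys other roles deploy with that group. A dedicated directory under /etc/ssl/private owned by root:opendkim with mode 0750 (and `-D` in opendkim-add.sh pointed at it), or keeping the previous /etc/opendkim/keys location, would keep the daemon's reach limited to DKIM material. If the group membership is intentional, a comment on the task such as `# /etc/ssl/private is root:ssl-cert 0710; opendkim needs the group to traverse it` would record the reason.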
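Review bot: The new `Set folder permissions to 0750` task sets only `mode` on /etc/opendkim/ and leaves ownership as whatever already exists, while the removed `create keys directory` task previously made that directory opendkim:opendkim; with a 0750 directory the daemon can read the KeyTable/SigningTable under it only if it owns the directory or shares its group. Make the intent explicit by adding `owner: root` and `group: opendkim` (readable by the daemon, writable by root and the add script) plus `state: directory` so the task also creates the directory when it is missing. `force: yes` only affects symlink creation in the `file` module and does nothing here, so it can be dropped. The tasks that deploy the table files live outside the hunk, so I could not confirm which of them create the directory.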
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation of Evolix "Pack Web" meta-role
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/php/files/sury.preferences b/php/files/sury.preferences
index 9c644b5d..cc4901c2 100644
--- a/php/files/sury.preferences
+++ b/php/files/sury.preferences
@@ -1,4 +1,4 @@
-Package: php* libapache2-mod-php*
+Package: php* libapache2-mod-php* libpcre2* libzip4*
 Pin: origin packages.sury.org
 Pin-Priority: 999
diff --git a/php/meta/main.yml b/php/meta/main.yml
index c861cb82..7f5ff289 100644
--- a/php/meta/main.yml
+++ b/php/meta/main.yml
@@ -2,7 +2,7 @@ galaxy_info:
 author: Evolix
 description: Installation and basic configuration of php-fpm.
- issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+ issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
 license: GPLv2
diff --git a/php/tasks/sury_post.yml b/php/tasks/sury_post.yml
index 325b78e8..e26fbf8d 100644
--- a/php/tasks/sury_post.yml
+++ b/php/tasks/sury_post.yml
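Review bot: Widening the pin to `libpcre2*` and `libzip4*` at priority 999 makes APT prefer packages.sury.org builds of two general-purpose libraries over Debian's, so the third-party repository now supplies code loaded by non-PHP packages as well (anything linked against libpcre2), and the file gives no reason for it. A comment such as `# sury's php packages depend on newer libpcre2/libzip than Debian ships` (if that is the reason) would document the supply-chain trade-off, and the globs should stay as narrow as the actual dependency requires rather than matching every libpcre2 and libzip package.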
@@ -1,52 +1,52 @@ --- -- name: Symlink Evolix CLI config files from 7.2 to 7.0 +- name: Symlink Evolix CLI config files from 7.3 to 7.0 file: src: "{{ item.src }}" dest: "{{ item.dest }}" force: yes state: link with_items: - - { src: "{{ php_cli_defaults_ini_file }}", dest: "/etc/php/7.2/cli/conf.d/z-evolinux-defaults.ini" } - - { src: "{{ php_cli_custom_ini_file }}", dest: "/etc/php/7.2/cli/conf.d/zzz-evolinux-custom.ini" } + - { src: "{{ php_cli_defaults_ini_file }}", dest: "/etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_cli_custom_ini_file }}", dest: "/etc/php/7.3/cli/conf.d/zzz-evolinux-custom.ini" } -- name: Enforce permissions on PHP 7.2/cli directory +- name: Enforce permissions on PHP 7.3/cli directory file: - dest: /etc/php/7.2/cli + dest: /etc/php/7.3/cli mode: "0755" -- name: Symlink Evolix Apache config files from 7.2 to 7.0 +- name: Symlink Evolix Apache config files from 7.3 to 7.0 file: src: "{{ item.src }}" dest: "{{ item.dest }}" force: yes state: link with_items: - - { src: "{{ php_apache_defaults_ini_file }}", dest: "/etc/php/7.2/apache2/conf.d/z-evolinux-defaults.ini" } - - { src: "{{ php_apache_custom_ini_file }}", dest: "/etc/php/7.2/apache2/conf.d/zzz-evolinux-custom.ini" } + - { src: "{{ php_apache_defaults_ini_file }}", dest: "/etc/php/7.3/apache2/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_apache_custom_ini_file }}", dest: "/etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini" } when: php_apache_enable -- name: Enforce permissions on PHP 7.2/cli directory +- name: Enforce permissions on PHP 7.3/cli directory file: - dest: /etc/php/7.2/apache2 + dest: /etc/php/7.3/apache2 mode: "0755" when: php_apache_enable -- name: Symlink Evolix FPM config files from 7.2 to 7.0 +- name: Symlink Evolix FPM config files from 7.3 to 7.0 file: src: "{{ item.src }}" dest: "{{ item.dest }}" force: yes state: link with_items: - - { src: "{{ php_fpm_defaults_ini_file }}", dest: "/etc/php/7.2/fpm/conf.d/z-evolinux-defaults.ini" } - 
- { src: "{{ php_fpm_custom_ini_file }}", dest: "/etc/php/7.2/fpm/conf.d/zzz-evolinux-custom.ini" } - - { src: "{{ php_fpm_defaults_conf_file }}", dest: "/etc/php/7.2/fpm/pool.d/z-evolinux-defaults.conf" } - - { src: "{{ php_fpm_custom_conf_file }}", dest: "/etc/php/7.2/fpm/pool.d/zzz-evolinux-custom.conf" } + - { src: "{{ php_fpm_defaults_ini_file }}", dest: "/etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini" } + - { src: "{{ php_fpm_custom_ini_file }}", dest: "/etc/php/7.3/fpm/conf.d/zzz-evolinux-custom.ini" } + - { src: "{{ php_fpm_defaults_conf_file }}", dest: "/etc/php/7.3/fpm/pool.d/z-evolinux-defaults.conf" } + - { src: "{{ php_fpm_custom_conf_file }}", dest: "/etc/php/7.3/fpm/pool.d/zzz-evolinux-custom.conf" } when: php_fpm_enable -- name: Enforce permissions on PHP 7.2/cli directory +- name: Enforce permissions on PHP 7.3/cli directory file: - dest: /etc/php/7.2/fpm + dest: /etc/php/7.3/fpm mode: "0755" when: php_fpm_enable diff --git a/postfix/meta/main.yml b/postfix/meta/main.yml index 3c7b219a..c86b3d0b 100644 --- a/postfix/meta/main.yml +++ b/postfix/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of Postfix. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/postgresql/meta/main.yml b/postgresql/meta/main.yml index a9375725..53ee0fcb 100644 --- a/postgresql/meta/main.yml +++ b/postgresql/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of PostgreSQL - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/proftpd/meta/main.yml b/proftpd/meta/main.yml index d08211b1..1632f33a 100644 --- a/proftpd/meta/main.yml +++ b/proftpd/meta/main.yml 
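Review bot: Three tasks now carry the same name `Enforce permissions on PHP 7.3/cli directory` although two of them act on `/etc/php/7.3/apache2` and `/etc/php/7.3/fpm`, which makes playbook output misleading; name them after the directory they touch, e.g. `- name: Enforce permissions on PHP 7.3/apache2 directory` and `- name: Enforce permissions on PHP 7.3/fpm directory`. The version string `7.3` is repeated in every dest path and task name; a single variable (a `php_sury_version` default, name only a suggestion) would make the next bump a one-line change instead of a file-wide search-and-replace.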
@@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of ProFTPd - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/rabbitmq/meta/main.yml b/rabbitmq/meta/main.yml index c60e933d..3d60006f 100644 --- a/rabbitmq/meta/main.yml +++ b/rabbitmq/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of RabbitMq - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/rbenv/meta/main.yml b/rbenv/meta/main.yml index 790cc08f..5da4ee43 100644 --- a/rbenv/meta/main.yml +++ b/rbenv/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation of Rbenv, Ruby and some default gems. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/redis/files/redis-server@.service b/redis/files/redis-server@.service index 203f4b74..d8f8f5f4 100644 --- a/redis/files/redis-server@.service +++ b/redis/files/redis-server@.service @@ -13,6 +13,7 @@ ExecStop=/usr/bin/redis-cli -s /run/redis/%i/redis.sock shutdown Restart=always User=redis-%i Group=redis-%i +LimitNOFILE=65535 [Install] WantedBy=multi-user.target diff --git a/redis/meta/main.yml b/redis/meta/main.yml index dda81c39..339e926c 100644 --- a/redis/meta/main.yml +++ b/redis/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of Redis. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/redis/tasks/instances.yml b/redis/tasks/instances.yml index f3cd8f4c..fabe6118 100644 
--- a/redis/tasks/instances.yml +++ b/redis/tasks/instances.yml @@ -1,4 +1,16 @@ --- + +# - name: "Set variables for the instance '{{ redis_instance_name }}'" +# set_fact: +# redis_daemon: "redis-server@{{ redis_instance_name }}" +# redis_conf_path: "/etc/redis/redis-{{ redis_instance_name }}.conf" +# redis_unixsocket: "/var/run/redis/{{ redis_instance_name }}/redis.sock" +# redis_pidfile: "/var/run/redis/{{ redis_instance_name }}/{{ redis_daemon }}.pid" +# redis_logfile: "/var/log/redis/{{ redis_instance_name }}/redis-server.log" +# redis_dbdir: "/var/lib/redis/{{ redis_instance_name }}" +# tags: +# - redis + - name: Systemd template for redis instances is installed copy: src: 'redis-server@.service' @@ -15,18 +27,7 @@ tags: - redis -- name: Set variables for the instance - set_fact: - redis_daemon: "redis-server@{{ redis_instance_name }}" - redis_conf_path: "/etc/redis/redis-{{ redis_instance_name }}.conf" - redis_unixsocket: "/var/run/redis/{{ redis_instance_name }}/redis.sock" - redis_pidfile: "/var/run/redis/{{ redis_instance_name }}/{{ redis_daemon }}.pid" - redis_logfile: "/var/log/redis/{{ redis_instance_name }}/redis-server.log" - redis_dbdir: "/var/lib/redis/{{ redis_instance_name }}" - tags: - - redis - -- name: Redis instance configuration file is present. +- name: "Redis instance '{{ redis_instance_name }}' configuration file is present" template: src: redis.conf.j2 dest: "{{ redis_conf_path }}" @@ -34,7 +35,7 @@ tags: - redis -- name: Redis instance group is present +- name: "Redis instance '{{ redis_instance_name }}' group is present" group: name: "redis-{{ redis_instance_name }}" state: present @@ -42,7 +43,7 @@ tags: - redis -- name: Redis instance user is present +- name: "Redis instance '{{ redis_instance_name }}' user is present" user: name: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" 
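Review bot: The first hunk adds a twelve-line commented-out copy of the `set_fact` task whose live version is removed further down in the same file (the variables now come from the `vars:` of the include in redis/tasks/main.yml); commented-out code in the task file will drift from the real definition and leaves readers guessing which one applies. Delete the block, or replace it with a one-line pointer such as `# Instance variables (redis_daemon, redis_conf_path, ...) are passed by the include in tasks/main.yml`.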
@@ -52,7 +53,7 @@ tags: - redis -- name: Ensure redis base folders will be accessible for all instances +- name: "Ensure redis base folders will be accessible for all instances" file: dest: "{{ item }}" state: directory @@ -63,7 +64,7 @@ - "/var/lib/redis" - "/var/log/redis" -- name: Instances directories are present +- name: "Instances '{{ redis_instance_name }}' directories are present" file: dest: "{{ item }}" state: directory @@ -76,7 +77,7 @@ tags: - redis -- name: Redis systemd unit is enabled and started +- name: "Redis '{{ redis_instance_name }}' systemd unit is enabled and started" systemd: name: "{{ redis_daemon }}" enabled: yes diff --git a/redis/tasks/main.yml b/redis/tasks/main.yml index c749b4f2..b0dce043 100644 --- a/redis/tasks/main.yml +++ b/redis/tasks/main.yml @@ -29,6 +29,13 @@ - redis - include: instances.yml + vars: + redis_daemon: "redis-server@{{ redis_instance_name }}" + redis_conf_path: "/etc/redis/redis-{{ redis_instance_name }}.conf" + redis_unixsocket: "/var/run/redis/{{ redis_instance_name }}/redis.sock" + redis_pidfile: "/var/run/redis/{{ redis_instance_name }}/{{ redis_daemon }}.pid" + redis_logfile: "/var/log/redis/{{ redis_instance_name }}/redis-server.log" + redis_dbdir: "/var/lib/redis/{{ redis_instance_name }}" when: redis_instance_name is defined - name: Redis is configured. diff --git a/spamassasin/files/sa-update.sh b/spamassasin/files/sa-update.sh index b138c285..2dc28005 100644 --- a/spamassasin/files/sa-update.sh +++ b/spamassasin/files/sa-update.sh @@ -12,7 +12,7 @@ test -x /etc/init.d/spamassassin || exit 0 # of spamassassin --lint (which will typically get emailed to root) # and abort. die_with_lint() { - su debian-spamd -c "spamassassin --lint -D 2>&1" + su - debian-spamd -c "spamassassin --lint -D 2>&1" exit 1 } 
@@ -20,7 +20,7 @@ do_compile() { # Compile, if rules have previously been compiled, and it's possible if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \ -a -d /var/lib/spamassassin/compiled ]; then - su debian-spamd -c "sa-compile --quiet" + su - debian-spamd -c "sa-compile --quiet" # Fixup perms -- group and other should be able to # read and execute, but never write. Works around # sa-compile's failure to obey umask. @@ -43,12 +43,12 @@ reload() { # Update umask 022 -su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys" +su - debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys" case $? in 0) # got updates! - su debian-spamd -c "spamassassin --lint" || die_with_lint + su - debian-spamd -c "spamassassin --lint" || die_with_lint do_compile reload echo -e "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | \ diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index 81e7f132..3d2efe0f 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -71,3 +71,11 @@ changed_when: false tags: - spamassassin + +- name: ensure SpamAssasin is started and enabled + systemd: + name: spamassassin + state: started + enabled: True + tags: + - spamassassin diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index ac0d9f6c..22d75b9d 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf @@ -153,6 +153,7 @@ ^pkg\.jenkins-ci\.org$ ^mirrors\.jenkins\.io$ ^jenkins\.mirror\.isppower\.de$ +^ftp-.*\.osuosl\.org$ ^ftp\.icm\.edu\.pl$ ^apt\.newrelic\.com$ ^.*\.cloudfront\.net$ diff --git a/squid/meta/main.yml b/squid/meta/main.yml index 873aa74a..1c6287ea 100644 --- a/squid/meta/main.yml +++ b/squid/meta/main.yml 
@@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installatin and configuration of Squid as an outgoing proxy. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/ssl/meta/main.yml b/ssl/meta/main.yml index 11377af9..19ef50ef 100644 --- a/ssl/meta/main.yml +++ b/ssl/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Deployment of SSL certificate, key and dhparams - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/tomcat-instance/files/catalina.properties b/tomcat-instance/files/tomcat7/catalina.properties similarity index 100% rename from tomcat-instance/files/catalina.properties rename to tomcat-instance/files/tomcat7/catalina.properties diff --git a/tomcat-instance/files/context.xml b/tomcat-instance/files/tomcat7/context.xml similarity index 100% rename from tomcat-instance/files/context.xml rename to tomcat-instance/files/tomcat7/context.xml diff --git a/tomcat-instance/files/logging.properties b/tomcat-instance/files/tomcat7/logging.properties similarity index 100% rename from tomcat-instance/files/logging.properties rename to tomcat-instance/files/tomcat7/logging.properties diff --git a/tomcat-instance/files/tomcat-users.xml b/tomcat-instance/files/tomcat7/tomcat-users.xml similarity index 100% rename from tomcat-instance/files/tomcat-users.xml rename to tomcat-instance/files/tomcat7/tomcat-users.xml diff --git a/tomcat-instance/files/web.xml b/tomcat-instance/files/tomcat7/web.xml similarity index 100% rename from tomcat-instance/files/web.xml rename to tomcat-instance/files/tomcat7/web.xml diff --git a/tomcat-instance/files/tomcat8/catalina.properties b/tomcat-instance/files/tomcat8/catalina.properties new file mode 100644 index 00000000..34a004ec --- /dev/null 
+++ b/tomcat-instance/files/tomcat8/catalina.properties 
@@ -0,0 +1,152 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageAccess unless the +# corresponding RuntimePermission ("accessClassInPackage."+package) has +# been granted. +package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.jasper.,org.apache.tomcat. +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageDefinition unless the +# corresponding RuntimePermission ("defineClassInPackage."+package) has +# been granted. +# +# by default, no packages are restricted for definition, and none of +# the class loaders supplied with the JDK call checkPackageDefinition. +# +package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,\ +org.apache.jasper.,org.apache.naming.,org.apache.tomcat. + +# +# +# List of comma-separated paths defining the contents of the "common" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. 
+# If left as blank,the JVM system loader will be used as Catalina's "common" +# loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +# +# Note: Values are enclosed in double quotes ("...") in case either the +# ${catalina.base} path or the ${catalina.home} path contains a comma. +# Because double quotes are used for quoting, the double quote character +# may not appear in a path. +common.loader="${catalina.base}/lib","${catalina.base}/lib/*.jar","${catalina.home}/lib","${catalina.home}/lib/*.jar","${catalina.base}/common/classes","${catalina.base}/common/*.jar","${catalina.home}/common/classes","${catalina.home}/common/*.jar" + +# +# List of comma-separated paths defining the contents of the "server" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute. +# If left as blank, the "common" loader will be used as Catalina's "server" +# loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +# +# Note: Values may be enclosed in double quotes ("...") in case either the +# ${catalina.base} path or the ${catalina.home} path contains a comma. +# Because double quotes are used for quoting, the double quote character +# may not appear in a path. +server.loader="${catalina.base}/server/classes","${catalina.base}/server/*.jar","${catalina.home}/server/classes","${catalina.home}/server/*.jar" + +# +# List of comma-separated paths defining the contents of the "shared" +# classloader. Prefixes should be used to define what is the repository type. +# Path may be relative to the CATALINA_BASE path or absolute. 
If left as blank, +# the "common" loader will be used as Catalina's "shared" loader. +# Examples: +# "foo": Add this folder as a class repository +# "foo/*.jar": Add all the JARs of the specified folder as class +# repositories +# "foo/bar.jar": Add bar.jar as a class repository +# Please note that for single jars, e.g. bar.jar, you need the URL form +# starting with file:. +# +# Note: Values may be enclosed in double quotes ("...") in case either the +# ${catalina.base} path or the ${catalina.home} path contains a comma. +# Because double quotes are used for quoting, the double quote character +# may not appear in a path. +shared.loader="${catalina.base}/shared/classes","${catalina.base}/shared/*.jar","${catalina.home}/shared/classes","${catalina.home}/shared/*.jar" + +# Default list of JAR files that should not be scanned using the JarScanner +# functionality. This is typically used to scan JARs for configuration +# information. JARs that do not contain such information may be excluded from +# the scan to speed up the scanning process. This is the default list. JARs on +# this list are excluded from all scans. The list must be a comma separated list +# of JAR file names. +# The list of JARs to skip may be over-ridden at a Context level for individual +# scan types by configuring a JarScanner with a nested JarScanFilter. 
+# The JARs listed below include: +# - Tomcat Bootstrap JARs +# - Tomcat API JARs +# - Catalina JARs +# - Jasper JARs +# - Tomcat JARs +# - Common non-Tomcat JARs +# - Test JARs (JUnit, Cobertura and dependencies) +tomcat.util.scan.StandardJarScanFilter.jarsToSkip=\ +bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\ +annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\ +jaspic-api.jar,\ +catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-storeconfig.jar,\ +catalina-tribes.jar,\ +jasper.jar,jasper-el.jar,ecj-*.jar,\ +tomcat-api.jar,tomcat-util.jar,tomcat-util-scan.jar,tomcat-coyote.jar,\ +tomcat-dbcp.jar,tomcat-jni.jar,tomcat-websocket.jar,\ +tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\ +tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\ +tomcat-jdbc.jar,\ +tools.jar,\ +commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\ +commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\ +commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\ +commons-math*.jar,commons-pool*.jar,\ +jstl.jar,taglibs-standard-spec-*.jar,\ +geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\ +ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\ +jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\ +xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\ +junit.jar,junit-*.jar,hamcrest-*.jar,easymock-*.jar,cglib-*.jar,\ +objenesis-*.jar,ant-launcher.jar,\ +cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\ +jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\ +xom-*.jar + +# Default list of JAR files that should be scanned that overrides the default +# jarsToSkip list above. This is typically used to include a specific JAR that +# has been excluded by a broad file name pattern in the jarsToSkip list. 
+# The list of JARs to scan may be over-ridden at a Context level for individual +# scan types by configuring a JarScanner with a nested JarScanFilter. +tomcat.util.scan.StandardJarScanFilter.jarsToScan=\ +log4j-web*.jar,log4j-taglib*.jar,log4javascript*.jar,slf4j-taglib*.jar + +# String cache configuration. +tomcat.util.buf.StringCache.byte.enabled=true +#tomcat.util.buf.StringCache.char.enabled=true +#tomcat.util.buf.StringCache.trainThreshold=500000 +#tomcat.util.buf.StringCache.cacheSize=5000 + +# Allow for changes to HTTP request validation +# WARNING: Using this option will expose the server to CVE-2016-6816 +#tomcat.util.http.parser.HttpParser.requestTargetAllow=| diff --git a/tomcat-instance/files/tomcat8/context.xml b/tomcat-instance/files/tomcat8/context.xml new file mode 100644 index 00000000..64de61ff --- /dev/null +++ b/tomcat-instance/files/tomcat8/context.xml @@ -0,0 +1,30 @@ + + + + + + + + WEB-INF/web.xml + ${catalina.base}/conf/web.xml + + + + diff --git a/tomcat-instance/files/tomcat8/jaspic-providers.xml b/tomcat-instance/files/tomcat8/jaspic-providers.xml new file mode 100644 index 00000000..cdebf872 --- /dev/null +++ b/tomcat-instance/files/tomcat8/jaspic-providers.xml @@ -0,0 +1,23 @@ + + + + + diff --git a/tomcat-instance/files/tomcat8/logging.properties b/tomcat-instance/files/tomcat8/logging.properties new file mode 100644 index 00000000..236aefe4 --- /dev/null +++ b/tomcat-instance/files/tomcat8/logging.properties 
@@ -0,0 +1,56 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.AsyncFileHandler.level = FINE
+1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.AsyncFileHandler.level = FINE
+2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler
+
+# For example, set the org.apache.catalina.util.LifecycleBase logger to log
+# each component that extends LifecycleBase changing state:
+#org.apache.catalina.util.LifecycleBase.level = FINE
+
+# To see debug messages in TldLocationsCache, uncomment the following line:
+#org.apache.jasper.compiler.TldLocationsCache.level = FINE
+
+# To see debug messages for HTTP/2 handling, uncomment the following line:
+#org.apache.coyote.http2.level = FINE
+
+# To see debug messages for WebSocket handling, uncomment the following line:
+#org.apache.tomcat.websocket.level = FINE
diff --git a/tomcat-instance/files/tomcat8/tomcat-users.xml b/tomcat-instance/files/tomcat8/tomcat-users.xml
new file mode 100644
index 00000000..aef66d0f
--- /dev/null
+++ b/tomcat-instance/files/tomcat8/tomcat-users.xml
@@ -0,0 +1,44 @@
+
+
+
+
+
+
+
diff --git a/tomcat-instance/files/tomcat8/web.xml b/tomcat-instance/files/tomcat8/web.xml
new file mode 100644
index 00000000..acaeaa50
--- /dev/null
+++ b/tomcat-instance/files/tomcat8/web.xml
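Review bot: Neither AsyncFileHandler in this new logging.properties sets a retention limit, so the daily-rotated catalina.* and localhost.* files under ${catalina.base}/logs accumulate indefinitely unless something outside this role rotates them, which is both a disk-exhaustion risk and an unstated assumption for anyone relying on these logs for incident review. If the Tomcat 8.5 build deployed by this role supports the FileHandler `maxDays` property, consider adding `1catalina.org.apache.juli.AsyncFileHandler.maxDays = 90` and `2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90` (a constructed value; pick the site's retention policy), otherwise a comment naming the external logrotate rule that is expected to handle these files. Separately, the root logger (`.handlers`) writes to both the catalina file handler and the ConsoleHandler; if the instance's stdout is itself redirected into catalina.out by the init script, every root-logger message will presumably be recorded twice — worth confirming or noting in a comment.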
@@ -0,0 +1,4681 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + org.apache.catalina.servlets.DefaultServlet + + debug + 0 + + + listings + false + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + jsp + org.apache.jasper.servlet.JspServlet + + fork + false + + + xpoweredBy + false + + 3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + / + + + + + jsp + *.jsp + *.jspx + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 30 + + + + + + + + + + + + + 123 + application/vnd.lotus-1-2-3 + + + 3dml + text/vnd.in3d.3dml + + + 3ds + image/x-3ds + + + 3g2 + video/3gpp2 + + + 3gp + video/3gpp + + + 7z + application/x-7z-compressed + + + aab + application/x-authorware-bin + + + aac + audio/x-aac + + + aam + application/x-authorware-map + + + aas + application/x-authorware-seg + + + abs + audio/x-mpeg + + + abw + application/x-abiword + + + ac + application/pkix-attr-cert + + + acc + application/vnd.americandynamics.acc + + + ace + application/x-ace-compressed + + + acu + application/vnd.acucobol + + + acutc + application/vnd.acucorp + + + adp + audio/adpcm + + + aep + application/vnd.audiograph + + + afm + application/x-font-type1 + + + afp + application/vnd.ibm.modcap + + + ahead + application/vnd.ahead.space + + + ai + application/postscript + + + aif + audio/x-aiff + + + aifc + audio/x-aiff + + + aiff + 
audio/x-aiff + + + aim + application/x-aim + + + air + application/vnd.adobe.air-application-installer-package+zip + + + ait + application/vnd.dvb.ait + + + ami + application/vnd.amiga.ami + + + anx + application/annodex + + + apk + application/vnd.android.package-archive + + + appcache + text/cache-manifest + + + application + application/x-ms-application + + + apr + application/vnd.lotus-approach + + + arc + application/x-freearc + + + art + image/x-jg + + + asc + application/pgp-signature + + + asf + video/x-ms-asf + + + asm + text/x-asm + + + aso + application/vnd.accpac.simply.aso + + + asx + video/x-ms-asf + + + atc + application/vnd.acucorp + + + atom + application/atom+xml + + + atomcat + application/atomcat+xml + + + atomsvc + application/atomsvc+xml + + + atx + application/vnd.antix.game-component + + + au + audio/basic + + + avi + video/x-msvideo + + + avx + video/x-rad-screenplay + + + aw + application/applixware + + + axa + audio/annodex + + + axv + video/annodex + + + azf + application/vnd.airzip.filesecure.azf + + + azs + application/vnd.airzip.filesecure.azs + + + azw + application/vnd.amazon.ebook + + + bat + application/x-msdownload + + + bcpio + application/x-bcpio + + + bdf + application/x-font-bdf + + + bdm + application/vnd.syncml.dm+wbxml + + + bed + application/vnd.realvnc.bed + + + bh2 + application/vnd.fujitsu.oasysprs + + + bin + application/octet-stream + + + blb + application/x-blorb + + + blorb + application/x-blorb + + + bmi + application/vnd.bmi + + + bmp + image/bmp + + + body + text/html + + + book + application/vnd.framemaker + + + box + application/vnd.previewsystems.box + + + boz + application/x-bzip2 + + + bpk + application/octet-stream + + + btif + image/prs.btif + + + bz + application/x-bzip + + + bz2 + application/x-bzip2 + + + c + text/x-c + + + c11amc + application/vnd.cluetrust.cartomobile-config + + + c11amz + application/vnd.cluetrust.cartomobile-config-pkg + + + c4d + application/vnd.clonk.c4group + + + c4f + 
application/vnd.clonk.c4group + + + c4g + application/vnd.clonk.c4group + + + c4p + application/vnd.clonk.c4group + + + c4u + application/vnd.clonk.c4group + + + cab + application/vnd.ms-cab-compressed + + + caf + audio/x-caf + + + cap + application/vnd.tcpdump.pcap + + + car + application/vnd.curl.car + + + cat + application/vnd.ms-pki.seccat + + + cb7 + application/x-cbr + + + cba + application/x-cbr + + + cbr + application/x-cbr + + + cbt + application/x-cbr + + + cbz + application/x-cbr + + + cc + text/x-c + + + cct + application/x-director + + + ccxml + application/ccxml+xml + + + cdbcmsg + application/vnd.contact.cmsg + + + cdf + application/x-cdf + + + cdkey + application/vnd.mediastation.cdkey + + + cdmia + application/cdmi-capability + + + cdmic + application/cdmi-container + + + cdmid + application/cdmi-domain + + + cdmio + application/cdmi-object + + + cdmiq + application/cdmi-queue + + + cdx + chemical/x-cdx + + + cdxml + application/vnd.chemdraw+xml + + + cdy + application/vnd.cinderella + + + cer + application/pkix-cert + + + cfs + application/x-cfs-compressed + + + cgm + image/cgm + + + chat + application/x-chat + + + chm + application/vnd.ms-htmlhelp + + + chrt + application/vnd.kde.kchart + + + cif + chemical/x-cif + + + cii + application/vnd.anser-web-certificate-issue-initiation + + + cil + application/vnd.ms-artgalry + + + cla + application/vnd.claymore + + + class + application/java + + + clkk + application/vnd.crick.clicker.keyboard + + + clkp + application/vnd.crick.clicker.palette + + + clkt + application/vnd.crick.clicker.template + + + clkw + application/vnd.crick.clicker.wordbank + + + clkx + application/vnd.crick.clicker + + + clp + application/x-msclip + + + cmc + application/vnd.cosmocaller + + + cmdf + chemical/x-cmdf + + + cml + chemical/x-cml + + + cmp + application/vnd.yellowriver-custom-menu + + + cmx + image/x-cmx + + + cod + application/vnd.rim.cod + + + com + application/x-msdownload + + + conf + text/plain + + + cpio + 
application/x-cpio + + + cpp + text/x-c + + + cpt + application/mac-compactpro + + + crd + application/x-mscardfile + + + crl + application/pkix-crl + + + crt + application/x-x509-ca-cert + + + cryptonote + application/vnd.rig.cryptonote + + + csh + application/x-csh + + + csml + chemical/x-csml + + + csp + application/vnd.commonspace + + + css + text/css + + + cst + application/x-director + + + csv + text/csv + + + cu + application/cu-seeme + + + curl + text/vnd.curl + + + cww + application/prs.cww + + + cxt + application/x-director + + + cxx + text/x-c + + + dae + model/vnd.collada+xml + + + daf + application/vnd.mobius.daf + + + dart + application/vnd.dart + + + dataless + application/vnd.fdsn.seed + + + davmount + application/davmount+xml + + + dbk + application/docbook+xml + + + dcr + application/x-director + + + dcurl + text/vnd.curl.dcurl + + + dd2 + application/vnd.oma.dd2+xml + + + ddd + application/vnd.fujixerox.ddd + + + deb + application/x-debian-package + + + def + text/plain + + + deploy + application/octet-stream + + + der + application/x-x509-ca-cert + + + dfac + application/vnd.dreamfactory + + + dgc + application/x-dgc-compressed + + + dib + image/bmp + + + dic + text/x-c + + + dir + application/x-director + + + dis + application/vnd.mobius.dis + + + dist + application/octet-stream + + + distz + application/octet-stream + + + djv + image/vnd.djvu + + + djvu + image/vnd.djvu + + + dll + application/x-msdownload + + + dmg + application/x-apple-diskimage + + + dmp + application/vnd.tcpdump.pcap + + + dms + application/octet-stream + + + dna + application/vnd.dna + + + doc + application/msword + + + docm + application/vnd.ms-word.document.macroenabled.12 + + + docx + application/vnd.openxmlformats-officedocument.wordprocessingml.document + + + dot + application/msword + + + dotm + application/vnd.ms-word.template.macroenabled.12 + + + dotx + application/vnd.openxmlformats-officedocument.wordprocessingml.template + + + dp + application/vnd.osgi.dp + + 
+ dpg + application/vnd.dpgraph + + + dra + audio/vnd.dra + + + dsc + text/prs.lines.tag + + + dssc + application/dssc+der + + + dtb + application/x-dtbook+xml + + + dtd + application/xml-dtd + + + dts + audio/vnd.dts + + + dtshd + audio/vnd.dts.hd + + + dump + application/octet-stream + + + dv + video/x-dv + + + dvb + video/vnd.dvb.file + + + dvi + application/x-dvi + + + dwf + model/vnd.dwf + + + dwg + image/vnd.dwg + + + dxf + image/vnd.dxf + + + dxp + application/vnd.spotfire.dxp + + + dxr + application/x-director + + + ecelp4800 + audio/vnd.nuera.ecelp4800 + + + ecelp7470 + audio/vnd.nuera.ecelp7470 + + + ecelp9600 + audio/vnd.nuera.ecelp9600 + + + ecma + application/ecmascript + + + edm + application/vnd.novadigm.edm + + + edx + application/vnd.novadigm.edx + + + efif + application/vnd.picsel + + + ei6 + application/vnd.pg.osasli + + + elc + application/octet-stream + + + emf + application/x-msmetafile + + + eml + message/rfc822 + + + emma + application/emma+xml + + + emz + application/x-msmetafile + + + eol + audio/vnd.digital-winds + + + eot + application/vnd.ms-fontobject + + + eps + application/postscript + + + epub + application/epub+zip + + + es3 + application/vnd.eszigno3+xml + + + esa + application/vnd.osgi.subsystem + + + esf + application/vnd.epson.esf + + + et3 + application/vnd.eszigno3+xml + + + etx + text/x-setext + + + eva + application/x-eva + + + evy + application/x-envoy + + + exe + application/octet-stream + + + exi + application/exi + + + ext + application/vnd.novadigm.ext + + + ez + application/andrew-inset + + + ez2 + application/vnd.ezpix-album + + + ez3 + application/vnd.ezpix-package + + + f + text/x-fortran + + + f4v + video/x-f4v + + + f77 + text/x-fortran + + + f90 + text/x-fortran + + + fbs + image/vnd.fastbidsheet + + + fcdt + application/vnd.adobe.formscentral.fcdt + + + fcs + application/vnd.isac.fcs + + + fdf + application/vnd.fdf + + + fe_launch + application/vnd.denovo.fcselayout-link + + + fg5 + 
application/vnd.fujitsu.oasysgp + + + fgd + application/x-director + + + fh + image/x-freehand + + + fh4 + image/x-freehand + + + fh5 + image/x-freehand + + + fh7 + image/x-freehand + + + fhc + image/x-freehand + + + fig + application/x-xfig + + + flac + audio/flac + + + fli + video/x-fli + + + flo + application/vnd.micrografx.flo + + + flv + video/x-flv + + + flw + application/vnd.kde.kivio + + + flx + text/vnd.fmi.flexstor + + + fly + text/vnd.fly + + + fm + application/vnd.framemaker + + + fnc + application/vnd.frogans.fnc + + + for + text/x-fortran + + + fpx + image/vnd.fpx + + + frame + application/vnd.framemaker + + + fsc + application/vnd.fsc.weblaunch + + + fst + image/vnd.fst + + + ftc + application/vnd.fluxtime.clip + + + fti + application/vnd.anser-web-funds-transfer-initiation + + + fvt + video/vnd.fvt + + + fxp + application/vnd.adobe.fxp + + + fxpl + application/vnd.adobe.fxp + + + fzs + application/vnd.fuzzysheet + + + g2w + application/vnd.geoplan + + + g3 + image/g3fax + + + g3w + application/vnd.geospace + + + gac + application/vnd.groove-account + + + gam + application/x-tads + + + gbr + application/rpki-ghostbusters + + + gca + application/x-gca-compressed + + + gdl + model/vnd.gdl + + + geo + application/vnd.dynageo + + + gex + application/vnd.geometry-explorer + + + ggb + application/vnd.geogebra.file + + + ggt + application/vnd.geogebra.tool + + + ghf + application/vnd.groove-help + + + gif + image/gif + + + gim + application/vnd.groove-identity-message + + + gml + application/gml+xml + + + gmx + application/vnd.gmx + + + gnumeric + application/x-gnumeric + + + gph + application/vnd.flographit + + + gpx + application/gpx+xml + + + gqf + application/vnd.grafeq + + + gqs + application/vnd.grafeq + + + gram + application/srgs + + + gramps + application/x-gramps-xml + + + gre + application/vnd.geometry-explorer + + + grv + application/vnd.groove-injector + + + grxml + application/srgs+xml + + + gsf + application/x-font-ghostscript + + + gtar + 
application/x-gtar + + + gtm + application/vnd.groove-tool-message + + + gtw + model/vnd.gtw + + + gv + text/vnd.graphviz + + + gxf + application/gxf + + + gxt + application/vnd.geonext + + + gz + application/x-gzip + + + h + text/x-c + + + h261 + video/h261 + + + h263 + video/h263 + + + h264 + video/h264 + + + hal + application/vnd.hal+xml + + + hbci + application/vnd.hbci + + + hdf + application/x-hdf + + + hh + text/x-c + + + hlp + application/winhlp + + + hpgl + application/vnd.hp-hpgl + + + hpid + application/vnd.hp-hpid + + + hps + application/vnd.hp-hps + + + hqx + application/mac-binhex40 + + + htc + text/x-component + + + htke + application/vnd.kenameaapp + + + htm + text/html + + + html + text/html + + + hvd + application/vnd.yamaha.hv-dic + + + hvp + application/vnd.yamaha.hv-voice + + + hvs + application/vnd.yamaha.hv-script + + + i2g + application/vnd.intergeo + + + icc + application/vnd.iccprofile + + + ice + x-conference/x-cooltalk + + + icm + application/vnd.iccprofile + + + ico + image/x-icon + + + ics + text/calendar + + + ief + image/ief + + + ifb + text/calendar + + + ifm + application/vnd.shana.informed.formdata + + + iges + model/iges + + + igl + application/vnd.igloader + + + igm + application/vnd.insors.igm + + + igs + model/iges + + + igx + application/vnd.micrografx.igx + + + iif + application/vnd.shana.informed.interchange + + + imp + application/vnd.accpac.simply.imp + + + ims + application/vnd.ms-ims + + + in + text/plain + + + ink + application/inkml+xml + + + inkml + application/inkml+xml + + + install + application/x-install-instructions + + + iota + application/vnd.astraea-software.iota + + + ipfix + application/ipfix + + + ipk + application/vnd.shana.informed.package + + + irm + application/vnd.ibm.rights-management + + + irp + application/vnd.irepository.package+xml + + + iso + application/x-iso9660-image + + + itp + application/vnd.shana.informed.formtemplate + + + ivp + application/vnd.immervision-ivp + + + ivu + 
application/vnd.immervision-ivu + + + jad + text/vnd.sun.j2me.app-descriptor + + + jam + application/vnd.jam + + + jar + application/java-archive + + + java + text/x-java-source + + + jisp + application/vnd.jisp + + + jlt + application/vnd.hp-jlyt + + + jnlp + application/x-java-jnlp-file + + + joda + application/vnd.joost.joda-archive + + + jpe + image/jpeg + + + jpeg + image/jpeg + + + jpg + image/jpeg + + + jpgm + video/jpm + + + jpgv + video/jpeg + + + jpm + video/jpm + + + js + application/javascript + + + jsf + text/plain + + + json + application/json + + + jsonml + application/jsonml+json + + + jspf + text/plain + + + kar + audio/midi + + + karbon + application/vnd.kde.karbon + + + kfo + application/vnd.kde.kformula + + + kia + application/vnd.kidspiration + + + kml + application/vnd.google-earth.kml+xml + + + kmz + application/vnd.google-earth.kmz + + + kne + application/vnd.kinar + + + knp + application/vnd.kinar + + + kon + application/vnd.kde.kontour + + + kpr + application/vnd.kde.kpresenter + + + kpt + application/vnd.kde.kpresenter + + + kpxx + application/vnd.ds-keypoint + + + ksp + application/vnd.kde.kspread + + + ktr + application/vnd.kahootz + + + ktx + image/ktx + + + ktz + application/vnd.kahootz + + + kwd + application/vnd.kde.kword + + + kwt + application/vnd.kde.kword + + + lasxml + application/vnd.las.las+xml + + + latex + application/x-latex + + + lbd + application/vnd.llamagraphics.life-balance.desktop + + + lbe + application/vnd.llamagraphics.life-balance.exchange+xml + + + les + application/vnd.hhe.lesson-player + + + lha + application/x-lzh-compressed + + + link66 + application/vnd.route66.link66+xml + + + list + text/plain + + + list3820 + application/vnd.ibm.modcap + + + listafp + application/vnd.ibm.modcap + + + lnk + application/x-ms-shortcut + + + log + text/plain + + + lostxml + application/lost+xml + + + lrf + application/octet-stream + + + lrm + application/vnd.ms-lrm + + + ltf + application/vnd.frogans.ltf + + + lvp + 
audio/vnd.lucent.voice + + + lwp + application/vnd.lotus-wordpro + + + lzh + application/x-lzh-compressed + + + m13 + application/x-msmediaview + + + m14 + application/x-msmediaview + + + m1v + video/mpeg + + + m21 + application/mp21 + + + m2a + audio/mpeg + + + m2v + video/mpeg + + + m3a + audio/mpeg + + + m3u + audio/x-mpegurl + + + m3u8 + application/vnd.apple.mpegurl + + + m4a + audio/mp4 + + + m4b + audio/mp4 + + + m4r + audio/mp4 + + + m4u + video/vnd.mpegurl + + + m4v + video/mp4 + + + ma + application/mathematica + + + mac + image/x-macpaint + + + mads + application/mads+xml + + + mag + application/vnd.ecowin.chart + + + maker + application/vnd.framemaker + + + man + text/troff + + + mar + application/octet-stream + + + mathml + application/mathml+xml + + + mb + application/mathematica + + + mbk + application/vnd.mobius.mbk + + + mbox + application/mbox + + + mc1 + application/vnd.medcalcdata + + + mcd + application/vnd.mcd + + + mcurl + text/vnd.curl.mcurl + + + mdb + application/x-msaccess + + + mdi + image/vnd.ms-modi + + + me + text/troff + + + mesh + model/mesh + + + meta4 + application/metalink4+xml + + + metalink + application/metalink+xml + + + mets + application/mets+xml + + + mfm + application/vnd.mfmp + + + mft + application/rpki-manifest + + + mgp + application/vnd.osgeo.mapguide.package + + + mgz + application/vnd.proteus.magazine + + + mid + audio/midi + + + midi + audio/midi + + + mie + application/x-mie + + + mif + application/x-mif + + + mime + message/rfc822 + + + mj2 + video/mj2 + + + mjp2 + video/mj2 + + + mk3d + video/x-matroska + + + mka + audio/x-matroska + + + mks + video/x-matroska + + + mkv + video/x-matroska + + + mlp + application/vnd.dolby.mlp + + + mmd + application/vnd.chipnuts.karaoke-mmd + + + mmf + application/vnd.smaf + + + mmr + image/vnd.fujixerox.edmics-mmr + + + mng + video/x-mng + + + mny + application/x-msmoney + + + mobi + application/x-mobipocket-ebook + + + mods + application/mods+xml + + + mov + video/quicktime + 
+ + movie + video/x-sgi-movie + + + mp1 + audio/mpeg + + + mp2 + audio/mpeg + + + mp21 + application/mp21 + + + mp2a + audio/mpeg + + + mp3 + audio/mpeg + + + mp4 + video/mp4 + + + mp4a + audio/mp4 + + + mp4s + application/mp4 + + + mp4v + video/mp4 + + + mpa + audio/mpeg + + + mpc + application/vnd.mophun.certificate + + + mpe + video/mpeg + + + mpeg + video/mpeg + + + mpega + audio/x-mpeg + + + mpg + video/mpeg + + + mpg4 + video/mp4 + + + mpga + audio/mpeg + + + mpkg + application/vnd.apple.installer+xml + + + mpm + application/vnd.blueice.multipass + + + mpn + application/vnd.mophun.application + + + mpp + application/vnd.ms-project + + + mpt + application/vnd.ms-project + + + mpv2 + video/mpeg2 + + + mpy + application/vnd.ibm.minipay + + + mqy + application/vnd.mobius.mqy + + + mrc + application/marc + + + mrcx + application/marcxml+xml + + + ms + text/troff + + + mscml + application/mediaservercontrol+xml + + + mseed + application/vnd.fdsn.mseed + + + mseq + application/vnd.mseq + + + msf + application/vnd.epson.msf + + + msh + model/mesh + + + msi + application/x-msdownload + + + msl + application/vnd.mobius.msl + + + msty + application/vnd.muvee.style + + + mts + model/vnd.mts + + + mus + application/vnd.musician + + + musicxml + application/vnd.recordare.musicxml+xml + + + mvb + application/x-msmediaview + + + mwf + application/vnd.mfer + + + mxf + application/mxf + + + mxl + application/vnd.recordare.musicxml + + + mxml + application/xv+xml + + + mxs + application/vnd.triscape.mxs + + + mxu + video/vnd.mpegurl + + + n-gage + application/vnd.nokia.n-gage.symbian.install + + + n3 + text/n3 + + + nb + application/mathematica + + + nbp + application/vnd.wolfram.player + + + nc + application/x-netcdf + + + ncx + application/x-dtbncx+xml + + + nfo + text/x-nfo + + + ngdat + application/vnd.nokia.n-gage.data + + + nitf + application/vnd.nitf + + + nlu + application/vnd.neurolanguage.nlu + + + nml + application/vnd.enliven + + + nnd + 
application/vnd.noblenet-directory + + + nns + application/vnd.noblenet-sealer + + + nnw + application/vnd.noblenet-web + + + npx + image/vnd.net-fpx + + + nsc + application/x-conference + + + nsf + application/vnd.lotus-notes + + + ntf + application/vnd.nitf + + + nzb + application/x-nzb + + + oa2 + application/vnd.fujitsu.oasys2 + + + oa3 + application/vnd.fujitsu.oasys3 + + + oas + application/vnd.fujitsu.oasys + + + obd + application/x-msbinder + + + obj + application/x-tgif + + + oda + application/oda + + + + odb + application/vnd.oasis.opendocument.database + + + + odc + application/vnd.oasis.opendocument.chart + + + + odf + application/vnd.oasis.opendocument.formula + + + odft + application/vnd.oasis.opendocument.formula-template + + + + odg + application/vnd.oasis.opendocument.graphics + + + + odi + application/vnd.oasis.opendocument.image + + + + odm + application/vnd.oasis.opendocument.text-master + + + + odp + application/vnd.oasis.opendocument.presentation + + + + ods + application/vnd.oasis.opendocument.spreadsheet + + + + odt + application/vnd.oasis.opendocument.text + + + oga + audio/ogg + + + ogg + audio/ogg + + + ogv + video/ogg + + + + ogx + application/ogg + + + omdoc + application/omdoc+xml + + + onepkg + application/onenote + + + onetmp + application/onenote + + + onetoc + application/onenote + + + onetoc2 + application/onenote + + + opf + application/oebps-package+xml + + + opml + text/x-opml + + + oprc + application/vnd.palm + + + org + application/vnd.lotus-organizer + + + osf + application/vnd.yamaha.openscoreformat + + + osfpvg + application/vnd.yamaha.openscoreformat.osfpvg+xml + + + otc + application/vnd.oasis.opendocument.chart-template + + + otf + application/x-font-otf + + + + otg + application/vnd.oasis.opendocument.graphics-template + + + + oth + application/vnd.oasis.opendocument.text-web + + + oti + application/vnd.oasis.opendocument.image-template + + + + otp + application/vnd.oasis.opendocument.presentation-template + + + + ots 
+ application/vnd.oasis.opendocument.spreadsheet-template + + + + ott + application/vnd.oasis.opendocument.text-template + + + oxps + application/oxps + + + oxt + application/vnd.openofficeorg.extension + + + p + text/x-pascal + + + p10 + application/pkcs10 + + + p12 + application/x-pkcs12 + + + p7b + application/x-pkcs7-certificates + + + p7c + application/pkcs7-mime + + + p7m + application/pkcs7-mime + + + p7r + application/x-pkcs7-certreqresp + + + p7s + application/pkcs7-signature + + + p8 + application/pkcs8 + + + pas + text/x-pascal + + + paw + application/vnd.pawaafile + + + pbd + application/vnd.powerbuilder6 + + + pbm + image/x-portable-bitmap + + + pcap + application/vnd.tcpdump.pcap + + + pcf + application/x-font-pcf + + + pcl + application/vnd.hp-pcl + + + pclxl + application/vnd.hp-pclxl + + + pct + image/pict + + + pcurl + application/vnd.curl.pcurl + + + pcx + image/x-pcx + + + pdb + application/vnd.palm + + + pdf + application/pdf + + + pfa + application/x-font-type1 + + + pfb + application/x-font-type1 + + + pfm + application/x-font-type1 + + + pfr + application/font-tdpfr + + + pfx + application/x-pkcs12 + + + pgm + image/x-portable-graymap + + + pgn + application/x-chess-pgn + + + pgp + application/pgp-encrypted + + + pic + image/pict + + + pict + image/pict + + + pkg + application/octet-stream + + + pki + application/pkixcmp + + + pkipath + application/pkix-pkipath + + + plb + application/vnd.3gpp.pic-bw-large + + + plc + application/vnd.mobius.plc + + + plf + application/vnd.pocketlearn + + + pls + audio/x-scpls + + + pml + application/vnd.ctc-posml + + + png + image/png + + + pnm + image/x-portable-anymap + + + pnt + image/x-macpaint + + + portpkg + application/vnd.macports.portpkg + + + pot + application/vnd.ms-powerpoint + + + potm + application/vnd.ms-powerpoint.template.macroenabled.12 + + + potx + application/vnd.openxmlformats-officedocument.presentationml.template + + + ppam + application/vnd.ms-powerpoint.addin.macroenabled.12 + + + 
ppd + application/vnd.cups-ppd + + + ppm + image/x-portable-pixmap + + + pps + application/vnd.ms-powerpoint + + + ppsm + application/vnd.ms-powerpoint.slideshow.macroenabled.12 + + + ppsx + application/vnd.openxmlformats-officedocument.presentationml.slideshow + + + ppt + application/vnd.ms-powerpoint + + + pptm + application/vnd.ms-powerpoint.presentation.macroenabled.12 + + + pptx + application/vnd.openxmlformats-officedocument.presentationml.presentation + + + pqa + application/vnd.palm + + + prc + application/x-mobipocket-ebook + + + pre + application/vnd.lotus-freelance + + + prf + application/pics-rules + + + ps + application/postscript + + + psb + application/vnd.3gpp.pic-bw-small + + + psd + image/vnd.adobe.photoshop + + + psf + application/x-font-linux-psf + + + pskcxml + application/pskc+xml + + + ptid + application/vnd.pvi.ptid1 + + + pub + application/x-mspublisher + + + pvb + application/vnd.3gpp.pic-bw-var + + + pwn + application/vnd.3m.post-it-notes + + + pya + audio/vnd.ms-playready.media.pya + + + pyv + video/vnd.ms-playready.media.pyv + + + qam + application/vnd.epson.quickanime + + + qbo + application/vnd.intu.qbo + + + qfx + application/vnd.intu.qfx + + + qps + application/vnd.publishare-delta-tree + + + qt + video/quicktime + + + qti + image/x-quicktime + + + qtif + image/x-quicktime + + + qwd + application/vnd.quark.quarkxpress + + + qwt + application/vnd.quark.quarkxpress + + + qxb + application/vnd.quark.quarkxpress + + + qxd + application/vnd.quark.quarkxpress + + + qxl + application/vnd.quark.quarkxpress + + + qxt + application/vnd.quark.quarkxpress + + + ra + audio/x-pn-realaudio + + + ram + audio/x-pn-realaudio + + + rar + application/x-rar-compressed + + + ras + image/x-cmu-raster + + + rcprofile + application/vnd.ipunplugged.rcprofile + + + rdf + application/rdf+xml + + + rdz + application/vnd.data-vision.rdz + + + rep + application/vnd.businessobjects + + + res + application/x-dtbresource+xml + + + rgb + image/x-rgb + + + rif + 
application/reginfo+xml + + + rip + audio/vnd.rip + + + ris + application/x-research-info-systems + + + rl + application/resource-lists+xml + + + rlc + image/vnd.fujixerox.edmics-rlc + + + rld + application/resource-lists-diff+xml + + + rm + application/vnd.rn-realmedia + + + rmi + audio/midi + + + rmp + audio/x-pn-realaudio-plugin + + + rms + application/vnd.jcp.javame.midlet-rms + + + rmvb + application/vnd.rn-realmedia-vbr + + + rnc + application/relax-ng-compact-syntax + + + roa + application/rpki-roa + + + roff + text/troff + + + rp9 + application/vnd.cloanto.rp9 + + + rpss + application/vnd.nokia.radio-presets + + + rpst + application/vnd.nokia.radio-preset + + + rq + application/sparql-query + + + rs + application/rls-services+xml + + + rsd + application/rsd+xml + + + rss + application/rss+xml + + + rtf + application/rtf + + + rtx + text/richtext + + + s + text/x-asm + + + s3m + audio/s3m + + + saf + application/vnd.yamaha.smaf-audio + + + sbml + application/sbml+xml + + + sc + application/vnd.ibm.secure-container + + + scd + application/x-msschedule + + + scm + application/vnd.lotus-screencam + + + scq + application/scvp-cv-request + + + scs + application/scvp-cv-response + + + scurl + text/vnd.curl.scurl + + + sda + application/vnd.stardivision.draw + + + sdc + application/vnd.stardivision.calc + + + sdd + application/vnd.stardivision.impress + + + sdkd + application/vnd.solent.sdkm+xml + + + sdkm + application/vnd.solent.sdkm+xml + + + sdp + application/sdp + + + sdw + application/vnd.stardivision.writer + + + see + application/vnd.seemail + + + seed + application/vnd.fdsn.seed + + + sema + application/vnd.sema + + + semd + application/vnd.semd + + + semf + application/vnd.semf + + + ser + application/java-serialized-object + + + setpay + application/set-payment-initiation + + + setreg + application/set-registration-initiation + + + sfd-hdstx + application/vnd.hydrostatix.sof-data + + + sfs + application/vnd.spotfire.sfs + + + sfv + text/x-sfv + + + sgi + 
image/sgi + + + sgl + application/vnd.stardivision.writer-global + + + sgm + text/sgml + + + sgml + text/sgml + + + sh + application/x-sh + + + shar + application/x-shar + + + shf + application/shf+xml + + + + sid + image/x-mrsid-image + + + sig + application/pgp-signature + + + sil + audio/silk + + + silo + model/mesh + + + sis + application/vnd.symbian.install + + + sisx + application/vnd.symbian.install + + + sit + application/x-stuffit + + + sitx + application/x-stuffitx + + + skd + application/vnd.koan + + + skm + application/vnd.koan + + + skp + application/vnd.koan + + + skt + application/vnd.koan + + + sldm + application/vnd.ms-powerpoint.slide.macroenabled.12 + + + sldx + application/vnd.openxmlformats-officedocument.presentationml.slide + + + slt + application/vnd.epson.salt + + + sm + application/vnd.stepmania.stepchart + + + smf + application/vnd.stardivision.math + + + smi + application/smil+xml + + + smil + application/smil+xml + + + smv + video/x-smv + + + smzip + application/vnd.stepmania.package + + + snd + audio/basic + + + snf + application/x-font-snf + + + so + application/octet-stream + + + spc + application/x-pkcs7-certificates + + + spf + application/vnd.yamaha.smaf-phrase + + + spl + application/x-futuresplash + + + spot + text/vnd.in3d.spot + + + spp + application/scvp-vp-response + + + spq + application/scvp-vp-request + + + spx + audio/ogg + + + sql + application/x-sql + + + src + application/x-wais-source + + + srt + application/x-subrip + + + sru + application/sru+xml + + + srx + application/sparql-results+xml + + + ssdl + application/ssdl+xml + + + sse + application/vnd.kodak-descriptor + + + ssf + application/vnd.epson.ssf + + + ssml + application/ssml+xml + + + st + application/vnd.sailingtracker.track + + + stc + application/vnd.sun.xml.calc.template + + + std + application/vnd.sun.xml.draw.template + + + stf + application/vnd.wt.stf + + + sti + application/vnd.sun.xml.impress.template + + + stk + application/hyperstudio + + + stl + 
application/vnd.ms-pki.stl + + + str + application/vnd.pg.format + + + stw + application/vnd.sun.xml.writer.template + + + sub + text/vnd.dvb.subtitle + + + sus + application/vnd.sus-calendar + + + susp + application/vnd.sus-calendar + + + sv4cpio + application/x-sv4cpio + + + sv4crc + application/x-sv4crc + + + svc + application/vnd.dvb.service + + + svd + application/vnd.svd + + + svg + image/svg+xml + + + svgz + image/svg+xml + + + swa + application/x-director + + + swf + application/x-shockwave-flash + + + swi + application/vnd.aristanetworks.swi + + + sxc + application/vnd.sun.xml.calc + + + sxd + application/vnd.sun.xml.draw + + + sxg + application/vnd.sun.xml.writer.global + + + sxi + application/vnd.sun.xml.impress + + + sxm + application/vnd.sun.xml.math + + + sxw + application/vnd.sun.xml.writer + + + t + text/troff + + + t3 + application/x-t3vm-image + + + taglet + application/vnd.mynfc + + + tao + application/vnd.tao.intent-module-archive + + + tar + application/x-tar + + + tcap + application/vnd.3gpp2.tcap + + + tcl + application/x-tcl + + + teacher + application/vnd.smart.teacher + + + tei + application/tei+xml + + + teicorpus + application/tei+xml + + + tex + application/x-tex + + + texi + application/x-texinfo + + + texinfo + application/x-texinfo + + + text + text/plain + + + tfi + application/thraud+xml + + + tfm + application/x-tex-tfm + + + tga + image/x-tga + + + thmx + application/vnd.ms-officetheme + + + tif + image/tiff + + + tiff + image/tiff + + + tmo + application/vnd.tmobile-livetv + + + torrent + application/x-bittorrent + + + tpl + application/vnd.groove-tool-template + + + tpt + application/vnd.trid.tpt + + + tr + text/troff + + + tra + application/vnd.trueapp + + + trm + application/x-msterminal + + + tsd + application/timestamped-data + + + tsv + text/tab-separated-values + + + ttc + application/x-font-ttf + + + ttf + application/x-font-ttf + + + ttl + text/turtle + + + twd + application/vnd.simtech-mindmapper + + + twds + 
application/vnd.simtech-mindmapper + + + txd + application/vnd.genomatix.tuxedo + + + txf + application/vnd.mobius.txf + + + txt + text/plain + + + u32 + application/x-authorware-bin + + + udeb + application/x-debian-package + + + ufd + application/vnd.ufdl + + + ufdl + application/vnd.ufdl + + + ulw + audio/basic + + + ulx + application/x-glulx + + + umj + application/vnd.umajin + + + unityweb + application/vnd.unity + + + uoml + application/vnd.uoml+xml + + + uri + text/uri-list + + + uris + text/uri-list + + + urls + text/uri-list + + + ustar + application/x-ustar + + + utz + application/vnd.uiq.theme + + + uu + text/x-uuencode + + + uva + audio/vnd.dece.audio + + + uvd + application/vnd.dece.data + + + uvf + application/vnd.dece.data + + + uvg + image/vnd.dece.graphic + + + uvh + video/vnd.dece.hd + + + uvi + image/vnd.dece.graphic + + + uvm + video/vnd.dece.mobile + + + uvp + video/vnd.dece.pd + + + uvs + video/vnd.dece.sd + + + uvt + application/vnd.dece.ttml+xml + + + uvu + video/vnd.uvvu.mp4 + + + uvv + video/vnd.dece.video + + + uvva + audio/vnd.dece.audio + + + uvvd + application/vnd.dece.data + + + uvvf + application/vnd.dece.data + + + uvvg + image/vnd.dece.graphic + + + uvvh + video/vnd.dece.hd + + + uvvi + image/vnd.dece.graphic + + + uvvm + video/vnd.dece.mobile + + + uvvp + video/vnd.dece.pd + + + uvvs + video/vnd.dece.sd + + + uvvt + application/vnd.dece.ttml+xml + + + uvvu + video/vnd.uvvu.mp4 + + + uvvv + video/vnd.dece.video + + + uvvx + application/vnd.dece.unspecified + + + uvvz + application/vnd.dece.zip + + + uvx + application/vnd.dece.unspecified + + + uvz + application/vnd.dece.zip + + + vcard + text/vcard + + + vcd + application/x-cdlink + + + vcf + text/x-vcard + + + vcg + application/vnd.groove-vcard + + + vcs + text/x-vcalendar + + + vcx + application/vnd.vcx + + + vis + application/vnd.visionary + + + viv + video/vnd.vivo + + + vob + video/x-ms-vob + + + vor + application/vnd.stardivision.writer + + + vox + 
application/x-authorware-bin + + + vrml + model/vrml + + + vsd + application/vnd.visio + + + vsf + application/vnd.vsf + + + vss + application/vnd.visio + + + vst + application/vnd.visio + + + vsw + application/vnd.visio + + + vtu + model/vnd.vtu + + + vxml + application/voicexml+xml + + + w3d + application/x-director + + + wad + application/x-doom + + + wav + audio/x-wav + + + wax + audio/x-ms-wax + + + + wbmp + image/vnd.wap.wbmp + + + wbs + application/vnd.criticaltools.wbs+xml + + + wbxml + application/vnd.wap.wbxml + + + wcm + application/vnd.ms-works + + + wdb + application/vnd.ms-works + + + wdp + image/vnd.ms-photo + + + weba + audio/webm + + + webm + video/webm + + + webp + image/webp + + + wg + application/vnd.pmi.widget + + + wgt + application/widget + + + wks + application/vnd.ms-works + + + wm + video/x-ms-wm + + + wma + audio/x-ms-wma + + + wmd + application/x-ms-wmd + + + wmf + application/x-msmetafile + + + + wml + text/vnd.wap.wml + + + + wmlc + application/vnd.wap.wmlc + + + + wmls + text/vnd.wap.wmlscript + + + + wmlsc + application/vnd.wap.wmlscriptc + + + wmv + video/x-ms-wmv + + + wmx + video/x-ms-wmx + + + wmz + application/x-msmetafile + + + woff + application/x-font-woff + + + wpd + application/vnd.wordperfect + + + wpl + application/vnd.ms-wpl + + + wps + application/vnd.ms-works + + + wqd + application/vnd.wqd + + + wri + application/x-mswrite + + + wrl + model/vrml + + + wsdl + application/wsdl+xml + + + wspolicy + application/wspolicy+xml + + + wtb + application/vnd.webturbo + + + wvx + video/x-ms-wvx + + + x32 + application/x-authorware-bin + + + x3d + model/x3d+xml + + + x3db + model/x3d+binary + + + x3dbz + model/x3d+binary + + + x3dv + model/x3d+vrml + + + x3dvz + model/x3d+vrml + + + x3dz + model/x3d+xml + + + xaml + application/xaml+xml + + + xap + application/x-silverlight-app + + + xar + application/vnd.xara + + + xbap + application/x-ms-xbap + + + xbd + application/vnd.fujixerox.docuworks.binder + + + xbm + image/x-xbitmap + + 
+ xdf + application/xcap-diff+xml + + + xdm + application/vnd.syncml.dm+xml + + + xdp + application/vnd.adobe.xdp+xml + + + xdssc + application/dssc+xml + + + xdw + application/vnd.fujixerox.docuworks + + + xenc + application/xenc+xml + + + xer + application/patch-ops-error+xml + + + xfdf + application/vnd.adobe.xfdf + + + xfdl + application/vnd.xfdl + + + xht + application/xhtml+xml + + + xhtml + application/xhtml+xml + + + xhvml + application/xv+xml + + + xif + image/vnd.xiff + + + xla + application/vnd.ms-excel + + + xlam + application/vnd.ms-excel.addin.macroenabled.12 + + + xlc + application/vnd.ms-excel + + + xlf + application/x-xliff+xml + + + xlm + application/vnd.ms-excel + + + xls + application/vnd.ms-excel + + + xlsb + application/vnd.ms-excel.sheet.binary.macroenabled.12 + + + xlsm + application/vnd.ms-excel.sheet.macroenabled.12 + + + xlsx + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + + + xlt + application/vnd.ms-excel + + + xltm + application/vnd.ms-excel.template.macroenabled.12 + + + xltx + application/vnd.openxmlformats-officedocument.spreadsheetml.template + + + xlw + application/vnd.ms-excel + + + xm + audio/xm + + + xml + application/xml + + + xo + application/vnd.olpc-sugar + + + xop + application/xop+xml + + + xpi + application/x-xpinstall + + + xpl + application/xproc+xml + + + xpm + image/x-xpixmap + + + xpr + application/vnd.is-xpr + + + xps + application/vnd.ms-xpsdocument + + + xpw + application/vnd.intercon.formnet + + + xpx + application/vnd.intercon.formnet + + + xsl + application/xml + + + xslt + application/xslt+xml + + + xsm + application/vnd.syncml+xml + + + xspf + application/xspf+xml + + + xul + application/vnd.mozilla.xul+xml + + + xvm + application/xv+xml + + + xvml + application/xv+xml + + + xwd + image/x-xwindowdump + + + xyz + chemical/x-xyz + + + xz + application/x-xz + + + yang + application/yang + + + yin + application/yin+xml + + + z + application/x-compress + + + Z + application/x-compress + + + 
z1 + application/x-zmachine + + + z2 + application/x-zmachine + + + z3 + application/x-zmachine + + + z4 + application/x-zmachine + + + z5 + application/x-zmachine + + + z6 + application/x-zmachine + + + z7 + application/x-zmachine + + + z8 + application/x-zmachine + + + zaz + application/vnd.zzazz.deck+xml + + + zip + application/zip + + + zir + application/vnd.zul + + + zirz + application/vnd.zul + + + zmm + application/vnd.handheld-entertainment+xml + + + + + + + + + + + + + + + + + + index.html + index.htm + index.jsp + + + diff --git a/tomcat-instance/meta/main.yml b/tomcat-instance/meta/main.yml index 015c77eb..1197f736 100644 --- a/tomcat-instance/meta/main.yml +++ b/tomcat-instance/meta/main.yml @@ -3,7 +3,7 @@ galaxy_info: author: Evolix description: Configuration of a Tomcat instance. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/tomcat-instance/tasks/bootstrap.yml b/tomcat-instance/tasks/bootstrap.yml index 82a1e34d..c177aea9 100644 --- a/tomcat-instance/tasks/bootstrap.yml +++ b/tomcat-instance/tasks/bootstrap.yml 
@@ -14,29 +14,31 @@ - 'temp' - 'lib' -- name: Templating of config file +- name: Templating of env file template: - src: 'templates/{{ item }}.j2' - dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/{{ item }}" + src: 'templates/env.j2' + dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/env" + mode: "0660" + owner: "{{ tomcat_instance_name }}" + group: "{{ tomcat_instance_name }}" + force: no + +- name: Templating of server.xml file + template: + src: 'templates/server.xml-tomcat{{ tomcat_version }}.j2' + dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/server.xml" mode: "0660" owner: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" force: no - with_items: - - server.xml - - env - name: Copy config file copy: src: "{{ item }}" - dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/{{ item }}" + dest: "{{ tomcat_instance_root }}/{{ tomcat_instance_name }}/conf/{{ item | basename }}" mode: "0660" owner: "{{ tomcat_instance_name }}" group: "{{ tomcat_instance_name }}" force: no - with_items: - - catalina.properties - - logging.properties - - context.xml - - tomcat-users.xml - - web.xml + with_fileglob: + - "tomcat{{ tomcat_version }}/*" diff --git a/tomcat-instance/templates/server.xml.j2 b/tomcat-instance/templates/server.xml-tomcat7.j2 similarity index 100% rename from tomcat-instance/templates/server.xml.j2 rename to tomcat-instance/templates/server.xml-tomcat7.j2 diff --git a/tomcat-instance/templates/server.xml-tomcat8.j2 b/tomcat-instance/templates/server.xml-tomcat8.j2 new file mode 100644 index 00000000..9bd6b0ca --- /dev/null +++ b/tomcat-instance/templates/server.xml-tomcat8.j2 @@ -0,0 +1,169 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tomcat/defaults/main.yml b/tomcat/defaults/main.yml index e555e2cd..74440548 100644 --- a/tomcat/defaults/main.yml +++ b/tomcat/defaults/main.yml 
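Review bot: The rewritten "Copy config file" task now deploys whatever `with_fileglob` finds under `files/tomcat{{ tomcat_version }}/` into the instance's `conf/`, so the set of files written for the instance user is no longer visible in the task and any stray file added to that directory (an editor backup, a scratch copy) is shipped too, whereas the previous explicit list acted as a whitelist. If the glob is kept, a comment naming the expected set keeps the intent reviewable, e.g. `# expected contents: catalina.properties, logging.properties, context.xml, tomcat-users.xml, web.xml`. Both new tasks also expand `tomcat_version`, for which tomcat-instance defines no default in this diff (the only definition on this page is in the tomcat role's defaults), so applying tomcat-instance on its own fails on an undefined variable unless the playbook sets it. The task list starts before this hunk: the `'temp'`/`'lib'` context lines belong to the preceding directory-creation task.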
@@ -1,2 +1,3 @@ --- tomcat_instance_root: '/srv/tomcat' +tomat_version: 8 diff --git a/tomcat/files/tomcat_stretch.service b/tomcat/files/tomcat_stretch.service deleted file mode 100644 index 88d5b059..00000000 --- a/tomcat/files/tomcat_stretch.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=Tomcat %u. -After=network.target - -[Service] -WorkingDirectory=%h -Environment="CATALINA_BASE=%h" -EnvironmentFile=%h/conf/env -UMask=0002 -ExecStart=/usr/share/tomcat8/bin/startup.sh -ExecStop=/usr/share/tomcat8/bin/shutdown.sh -Type=forking - -[Install] -WantedBy=default.target diff --git a/tomcat/meta/main.yml b/tomcat/meta/main.yml index 747c9e55..28ecbd53 100644 --- a/tomcat/meta/main.yml +++ b/tomcat/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation of a Tomcat. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/tomcat/tasks/main.yml b/tomcat/tasks/main.yml index 661c9651..545c0813 100644 --- a/tomcat/tasks/main.yml +++ b/tomcat/tasks/main.yml @@ -1,8 +1,4 @@ --- -- include: packages_jessie.yml - when: ansible_distribution_release == "jessie" - -- include: packages_stretch.yml - when: ansible_distribution_major_version | version_compare('9', '>=') +- include: packages.yml - include: nagios.yml diff --git a/tomcat/tasks/packages_jessie.yml b/tomcat/tasks/packages.yml similarity index 63% rename from tomcat/tasks/packages_jessie.yml rename to tomcat/tasks/packages.yml index 6e618e24..29307736 100644 --- a/tomcat/tasks/packages_jessie.yml +++ b/tomcat/tasks/packages.yml @@ -4,9 +4,9 @@ name: "{{ item }}" state: present with_items: - - 'tomcat7' - - 'tomcat7-user' - - 'libpam-systemd' + - "tomcat{{ tomcat_version }}" + - "tomcat{{ tomcat_version }}-user" + - "libpam-systemd" - name: Create tomcat root dir file: 
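Review bot: The new default is misspelled: `tomat_version: 8` defines a variable nothing reads, while tomcat/tasks/packages.yml, tomcat/templates/tomcat.service.j2 and tomcat-instance/tasks/bootstrap.yml all expand `tomcat_version`, so with this defaults file those tasks fail on an undefined variable; the line should read `tomcat_version: 8`. Because tomcat/tasks/main.yml (the next hunk on this page) also drops the jessie/stretch gating, the Tomcat major version is no longer derived from the Debian release, and hosts that previously received tomcat7 on jessie now get the default 8 unless `tomcat_version: 7` is set for them. A comment on the default such as `# Tomcat major version (Debian package tomcatN); jessie hosts need 7` would make that explicit for the next maintainer.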
@@ -17,13 +17,13 @@ mode: "0755" - name: Copy systemd unit - copy: - src: 'tomcat_jessie.service' + template: + src: 'tomcat.service.j2' dest: "/etc/systemd/user/tomcat.service" mode: "0755" -- name: Disable default tomcat7 service +- name: Disable default tomcat service service: - name: tomcat7 + name: "tomcat{{ tomcat_version }}" state: stopped enabled: false diff --git a/tomcat/tasks/packages_stretch.yml b/tomcat/tasks/packages_stretch.yml deleted file mode 100644 index abce4aae..00000000 --- a/tomcat/tasks/packages_stretch.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -- name: Install packages - apt: - name: "{{ item }}" - state: present - with_items: - - 'tomcat8' - - 'tomcat8-user' - - 'libpam-systemd' - -- name: Create tomcat root dir - file: - path: "{{ tomcat_instance_root }}" - state: directory - owner: 'root' - group: 'root' - mode: "0755" - -- name: Copy systemd unit - copy: - src: 'tomcat_stretch.service' - dest: "/etc/systemd/user/tomcat.service" - mode: "0755" - -- name: Disable default tomcat8 service - service: - name: tomcat8 - state: stopped - enabled: false diff --git a/tomcat/files/tomcat_jessie.service b/tomcat/templates/tomcat.service.j2 similarity index 61% rename from tomcat/files/tomcat_jessie.service rename to tomcat/templates/tomcat.service.j2 index 0a5a22d9..e82bfca9 100644 --- a/tomcat/files/tomcat_jessie.service +++ b/tomcat/templates/tomcat.service.j2 @@ -7,8 +7,8 @@ WorkingDirectory=%h Environment="CATALINA_BASE=%h" EnvironmentFile=%h/conf/env UMask=0002 -ExecStart=/usr/share/tomcat7/bin/startup.sh -ExecStop=/usr/share/tomcat7/bin/shutdown.sh +ExecStart=/usr/share/tomcat{{ tomcat_version }}/bin/startup.sh +ExecStop=/usr/share/tomcat{{ tomcat_version }}/bin/shutdown.sh Type=forking [Install] diff --git a/varnish/meta/main.yml b/varnish/meta/main.yml index 28d227e1..855101e1 100644 --- a/varnish/meta/main.yml +++ b/varnish/meta/main.yml 
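Review bot: The rewritten "Copy systemd unit" task still installs the unit with `mode: "0755"`; a unit file is read, never executed, and `mode: "0644"` is the conventional permission, the execute bit adds nothing. Switching from `copy` to `template` does not change the fact that an already-running manager (here the per-user managers, since the unit lives in /etc/systemd/user) will not pick up an edited unit without a daemon-reload, and no `notify` is attached to the task in this hunk; if no handler covers this elsewhere in the role, one should be added.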
@@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation and basic configuration of Varnish - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/vrrpd/meta/main.yml b/vrrpd/meta/main.yml index 1b4656db..222df302 100644 --- a/vrrpd/meta/main.yml +++ b/vrrpd/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Install Evolix's patched vrrpd and adjust sysctl params. - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/webapps/evoadmin-web/meta/main.yml b/webapps/evoadmin-web/meta/main.yml index 82440b08..3fbe0627 100644 --- a/webapps/evoadmin-web/meta/main.yml +++ b/webapps/evoadmin-web/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Installation of evoadmin-web - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2 diff --git a/webapps/evoadmin-web/templates/sudoers.j2 b/webapps/evoadmin-web/templates/sudoers.j2 index 4dfd71c1..7926b5f3 100644 --- a/webapps/evoadmin-web/templates/sudoers.j2 +++ b/webapps/evoadmin-web/templates/sudoers.j2 @@ -1,3 +1,3 @@ User_Alias EVOADMIN = www-evoadmin -Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh +Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh, {{ evoadmin_scripts_dir | mandatory }}/dbadmin.sh EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB diff --git a/webapps/wordpress/meta/main.yml b/webapps/wordpress/meta/main.yml index 73c6e08f..2adf765b 100644 --- a/webapps/wordpress/meta/main.yml +++ b/webapps/wordpress/meta/main.yml 
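Review bot: The added `dbadmin.sh` entry grants www-evoadmin another root command without a password, so the script and the whole `{{ evoadmin_scripts_dir }}` directory must be root-owned and not writable by www-evoadmin, otherwise a modification of the script turns this line into unrestricted root. The task that deploys this template is not in this diff; if it does not already pass `validate: 'visudo -cf %s'`, a rendering problem here (an empty `evoadmin_scripts_dir`, which `mandatory` does not catch, only an undefined one) would break sudo for the whole host, so that check is worth adding. A one-line comment above the alias, `# each script here runs as root with no password: keep them root-owned, argument-validating and non-writable by www-evoadmin`, records the assumption for the next maintainer.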
@@ -2,7 +2,7 @@ galaxy_info: author: Evolix description: Install Wordpress site - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues license: GPLv2