From 51462c724cf5eaaf1fe5e9ef31b1a3b5cd720034 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 30 Jun 2021 07:39:57 +0200 Subject: [PATCH 001/182] certbot: sync_remote excludes itself --- CHANGELOG.md | 2 ++ certbot/files/hooks/deploy/sync_remote.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e398916..bf701c3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ The **patch** part changes incrementally at each release. ### Fixed +* certbot: sync_remote excludes itself + ### Removed ### Security diff --git a/certbot/files/hooks/deploy/sync_remote.sh b/certbot/files/hooks/deploy/sync_remote.sh index 08006b38..d1721fdb 100644 --- a/certbot/files/hooks/deploy/sync_remote.sh +++ b/certbot/files/hooks/deploy/sync_remote.sh @@ -40,7 +40,7 @@ main() { rsync --archive --copy-links --delete "${RENEWED_LINEAGE}/" "${remote_host}:${remote_lineage}/" \ || error "Couldn't sync certificate on ${server}" - rsync --archive --copy-links --delete --exclude $0 --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \ + rsync --archive --copy-links --delete --exclude "$(basename "$0")" --delete-excluded "${hooks_dir}/" "${remote_host}:${remote_dir}/hooks/" \ || error "Couldn't sync hooks on ${server}" # shellcheck disable=SC2029 From 11813c31a467a805d7e99b9776124dfe0147fdc8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 30 Jun 2021 14:29:03 +0200 Subject: [PATCH 002/182] certbot: add script for manual deploy hooks execution --- CHANGELOG.md | 2 ++ certbot/files/hooks/manual-deploy.sh | 40 ++++++++++++++++++++++++++++ certbot/tasks/main.yml | 8 ++++++ 3 files changed, 50 insertions(+) create mode 100755 certbot/files/hooks/manual-deploy.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index bf701c3b..bbeebf5a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
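Review bot: The new `--exclude "$(basename "$0")"` is an unanchored rsync pattern, so it also skips any file of the same name in a subdirectory of `${hooks_dir}` and, because of `--delete-excluded`, deletes such a file on the remote side; anchoring it to the transfer root, `--exclude "/$(basename "$0")"`, limits the exclusion to the script itself. A short comment above the line would record why the exclusion exists at all — presumably so the remote host never runs sync_remote and pushes the certificate back. The preceding rsync ships `${RENEWED_LINEAGE}/`, which contains privkey.pem, so the role relies on `--archive` preserving its mode; nothing here constrains the permissions of the remote `${remote_lineage}` parent directory, which is worth confirming on the receiving host. The enclosing `main()` starts before this hunk.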
@@ -12,6 +12,8 @@ The **patch** part changes incrementally at each release. ### Added +* certbot: add script for manual deploy hooks execution + ### Changed ### Fixed diff --git a/certbot/files/hooks/manual-deploy.sh b/certbot/files/hooks/manual-deploy.sh new file mode 100755 index 00000000..70307070 --- /dev/null +++ b/certbot/files/hooks/manual-deploy.sh @@ -0,0 +1,40 @@ +#!/bin/sh + +set -u + +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} +debug() { + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi +} +found_renewed_lineage() { + test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" +} +main() { + if [ -z "${RENEWED_LINEAGE:-}" ]; then + error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)." + fi + if [ "${VERBOSE}" = "1" ]; then + xargs_verbose="--verbose" + else + xargs_verbose="" + fi + if found_renewed_lineage; then + find "${hooks_dir}" -mindepth 1 -maxdepth 1 -type f -executable -print0 | sort --zero-terminated --dictionary-order | xargs ${xargs_verbose} --no-run-if-empty --null --max-args=1 sh -c + else + error "Couldn't find required files in \`${RENEWED_LINEAGE}'" + fi + +} + +PROGNAME=$(basename "$0") +VERBOSE=${VERBOSE:-"0"} +QUIET=${QUIET:-"0"} + +hooks_dir="/etc/letsencrypt/renewal-hooks/deploy" + +main \ No newline at end of file diff --git a/certbot/tasks/main.yml b/certbot/tasks/main.yml index e280875c..9259e027 100644 --- a/certbot/tasks/main.yml +++ b/certbot/tasks/main.yml @@ -29,6 +29,14 @@ owner: root group: root +- name: Manual deploy hook is present + copy: + src: hooks/manual-deploy.sh + dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh + mode: "0700" + owner: root + group: root + - name: "sync_remote is configured with servers" lineinfile: dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf From b0b24744d6d3049a5fd47de7fada09c5225c4df0 Mon Sep 17 00:00:00 2001 
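Review bot: In `main()`, `xargs ... --max-args=1 sh -c` hands each hook path to `sh -c` as the command string, so the path is re-parsed by the shell: a hook name containing a space, `;` or `$` is split or interpreted instead of executed, and nothing filters such names. Every file in `${hooks_dir}` is run as root, so the path should be passed as an argument rather than as shell text, e.g. `xargs ${xargs_verbose} --no-run-if-empty --null --max-args=1 sh -c 'exec "$0"'`, which executes the path verbatim and keeps its exit status. `debug()` is defined but never called, and xargs keeps running the remaining hooks after one fails; a header comment stating that the script mimics certbot's deploy-hook run order but not its stop-on-error behaviour (if that is indeed the case) would save the next reader from guessing.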
From: Jeremy Lecour Date: Fri, 2 Jul 2021 13:59:42 +0200 Subject: [PATCH 003/182] listupgrade: upstream release 21.06.3 --- CHANGELOG.md | 2 ++ listupgrade/files/listupgrade.sh | 7 ++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bbeebf5a..d58a94b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ The **patch** part changes incrementally at each release. ### Changed +* listupgrade: upstream release 21.06.3 + ### Fixed * certbot: sync_remote excludes itself diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index 3c64f37e..0b682fed 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh @@ -7,7 +7,7 @@ # - 60 : current release is not in the $r_releases list # - 70 : at least an upgradable package is not in the $r_packages list -VERSION="21.06.2" +VERSION="21.06.3" show_version() { cat <"${packagesHold}" fi + local_release=$(cut -f 1 -d . Date: Fri, 2 Jul 2021 14:01:46 +0200 Subject: [PATCH 004/182] listupgrade: crontab is configurable --- CHANGELOG.md | 1 + listupgrade/defaults/main.yml | 8 +++++++- listupgrade/tasks/main.yml | 19 +++++++++++-------- 3 files changed, 19 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d58a94b9..38d99455 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * certbot: add script for manual deploy hooks execution +* listupgrade: crontab is configurable ### Changed diff --git a/listupgrade/defaults/main.yml b/listupgrade/defaults/main.yml index d3bdff78..a83dc54a 100644 --- a/listupgrade/defaults/main.yml +++ b/listupgrade/defaults/main.yml 
@@ -2,4 +2,10 @@ general_alert_email: "root@localhost" listupgrade_alert_email: Null -listupgrade_cron_enabled: true \ No newline at end of file +listupgrade_cron_enabled: true +listupgrade_cron_minute: "42" +listupgrade_cron_hour: "9" +listupgrade_cron_day: "*" +listupgrade_cron_month: "*" +listupgrade_cron_weekday: "2" +listupgrade_cron_force: false \ No newline at end of file diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 3ed23da3..fc02dfeb 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -46,14 +46,17 @@ group: root - name: Enable listupgrade cron - copy: - src: listupgrade_cron - dest: /etc/cron.d/listupgrade - mode: "0600" - owner: root - group: root - force: no - when: listupgrade_cron_enabled | bool + cron: + name: "lisupgrade.sh" + cron_file: "listupgrade" + user: root + job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}" + minute: "{{ listupgrade_cron_minute }}" + hour: "{{ listupgrade_cron_hour }}" + weekday: "{{ listupgrade_cron_weekday }}" + day: "{{ listupgrade_cron_day }}" + month: "{{ listupgrade_cron_month }}" + state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}" - name: old-kernel-autoremoval script is present copy: From 27a09ce68241639cd255c42960b39d79f519d4c1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Jul 2021 14:37:22 +0200 Subject: [PATCH 005/182] listupgrade: update old-kernel-removal.sh from upstream --- listupgrade/files/old-kernel-autoremoval.sh | 43 ++++++++++++--------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/listupgrade/files/old-kernel-autoremoval.sh b/listupgrade/files/old-kernel-autoremoval.sh index 2d5df786..7e33324c 100644 --- a/listupgrade/files/old-kernel-autoremoval.sh +++ b/listupgrade/files/old-kernel-autoremoval.sh 
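Review bot: The cron entry's identity key is misspelled, `name: "lisupgrade.sh"`; the `cron` module matches existing entries by this name, so correcting it later will create a second job and leave the stale one in place unless it is removed explicitly — better to fix it now as `name: "listupgrade.sh"`. The replaced task wrote /etc/cron.d/listupgrade with `mode: "0600"` and `force: no`; the `cron` module has no mode parameter and will overwrite a locally edited schedule, so if that is accepted it deserves a line in the CHANGELOG entry. The `ternary('--force','')` leaves a trailing space in the job line when `listupgrade_cron_force` is false, which is harmless but shows up in diffs of the generated file.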
@@ -4,48 +4,53 @@ set -e +# shellcheck disable=SC2046 eval $(apt-config shell DPKG Dir::bin::dpkg/f) -test -n "$DPKG" || DPKG="/usr/bin/dpkg" +DPKG="${DPKG:-/usr/bin/dpkg}" # Detect which one of apt/aptitude we should use. +# shellcheck disable=SC2120 get_apt_binary() { - root="$1" + root="${1:-}" # apt could be a Java binary... - if [ -x $root/usr/bin/apt ] && ! $root/usr/bin/apt --version 2>&1 |grep -q "javac"; then + if [ -x "${root}/usr/bin/apt" ] && ! ${root}/usr/bin/apt --version 2>&1 | grep -q "javac"; then echo "apt" - elif [ -x $root/usr/bin/aptitude ]; then + elif [ -x "${root}/usr/bin/aptitude" ]; then echo "aptitude" # Usually in containers else echo "apt-get" fi } + +listupgrade_state_dir="${listupgrade_state_dir:-/var/lib/listupgrade}" + APT=$(get_apt_binary) list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \ | sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')" -debverlist="$(echo "$list" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)" +debverlist="$(echo "${list}" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)" if [ -n "$1" ]; then installed_version="$(echo "$list" | awk "\$1 == \"$1\" { print \$2;exit; }")" fi -unamer="$(uname -r | tr '[A-Z]' '[a-z]')" -if [ -n "$unamer" ]; then - running_version="$(echo "$list" | awk "\$1 == \"$unamer\" { print \$2;exit; }")" +unamer="$(uname -r | tr '[:upper:]' '[:lower:]')" +if [ -n "${unamer}" ]; then + running_version="$(echo "${list}" | awk "\$1 == \"${unamer}\" { print \$2;exit; }")" fi # ignore the currently running version if attempting a reproducible build if [ -n "${SOURCE_DATE_EPOCH}" ]; then unamer="" running_version="" fi -latest_version="$(echo "$debverlist" | sed -n 1p)" -previous_version="$(echo "$debverlist" | sed -n 2p)" +latest_version="$(echo "${debverlist}" | sed -n 1p)" +previous_version="$(echo "${debverlist}" | sed -n 2p)" -debkernels="$(echo 
"$latest_version -$installed_version -$running_version" | sort -u | sed -e '/^$/ d')" +debkernels="$(echo "${latest_version} +${installed_version} +${running_version}" | sort -u | sed -e '/^$/ d')" kernels="$( (echo "$1 -$unamer"; for deb in $debkernels; do echo "$list" | awk "\$2 == \"$deb\" { print \$1; }"; done; ) \ +${unamer}"; for deb in ${debkernels}; do echo "${list}" | awk "\$2 == \"${deb}\" { print \$1; }"; done; ) \ | sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u|tr '\n' '|' | sed -e 's/|$//')" @@ -54,19 +59,19 @@ List of installed kernel packages: $list # Running kernel: ${running_version:-ignored} (${unamer:-ignored}) -# Last kernel: $latest_version -# Previous kernel: $previous_version +# Last kernel: ${latest_version} +# Previous kernel: ${previous_version} # Kernel versions list to keep: -$debkernels +${debkernels} # Kernel packages (version part) to protect: -$kernels +${kernels} " echo "BEFORE" dpkg -l | grep linux-image -dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep ^linux-image-[234] | egrep -v "($kernels)" | xargs --no-run-if-empty $APT -y purge +dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep '^linux-image-[234]' | grep -v -E "(${kernels})" | xargs --no-run-if-empty ${APT} -o Dir::State::Lists="${listupgrade_state_dir}" -y purge echo " AFTER" From 83e8a3d75a0aac49933db5064d1436bfdcf443ef Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Jul 2021 14:52:23 +0200 Subject: [PATCH 006/182] listupgrade: add repository URL --- listupgrade/files/listupgrade.sh | 2 ++ listupgrade/files/old-kernel-autoremoval.sh | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/listupgrade/files/listupgrade.sh b/listupgrade/files/listupgrade.sh index 0b682fed..74a673aa 100644 --- a/listupgrade/files/listupgrade.sh +++ b/listupgrade/files/listupgrade.sh 
@@ -1,5 +1,7 @@ #!/bin/bash +# Repository: https://gitea.evolix.org/evolix/maj.sh/ + # Exit codes : # - 30 : $skip_releases or $skip_packages is set to "all" # - 40 : current release is in $skip_releases list diff --git a/listupgrade/files/old-kernel-autoremoval.sh b/listupgrade/files/old-kernel-autoremoval.sh index 7e33324c..ceed0b99 100644 --- a/listupgrade/files/old-kernel-autoremoval.sh +++ b/listupgrade/files/old-kernel-autoremoval.sh @@ -1,7 +1,11 @@ #!/bin/sh +# Repository: https://gitea.evolix.org/evolix/maj.sh/ + # fork by reg from /etc/kernel/postinst.d/apt-auto-removal script +VERSION="21.06.3" + set -e # shellcheck disable=SC2046 From b8ac36e6739296c01a753251e7f39d8bad5a2cf2 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 16:53:02 +0200 Subject: [PATCH 007/182] =?UTF-8?q?Fake=20=C2=AB=20testing=20=C2=BB=20as?= =?UTF-8?q?=20Deban=2011=20=C2=AB=20Bullseye=20=C2=BB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evolinux-base/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 2da87162..f8b4cd6d 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -1,5 +1,11 @@ --- +# Force facts until Debian 11 is released because Ansible is dumb +- set_fact: + ansible_distribution_major_version: 11 + ansible_distribution_release: "bullseye" + when: ansible_distribution_major_version == 'testing' + - name: "System compatibility checks" assert: that: From 6bfef357296fceec044af8304049ba8044529e09 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 16:53:40 +0200 Subject: [PATCH 008/182] Add bullseye APT repositories --- apt/templates/bullseye_backports.list.j2 | 3 +++ apt/templates/bullseye_basics.list.j2 | 5 +++++ 2 files changed, 8 insertions(+) create mode 100644 apt/templates/bullseye_backports.list.j2 create mode 100644 apt/templates/bullseye_basics.list.j2 
diff --git a/apt/templates/bullseye_backports.list.j2 b/apt/templates/bullseye_backports.list.j2 new file mode 100644 index 00000000..ab989dec --- /dev/null +++ b/apt/templates/bullseye_backports.list.j2 @@ -0,0 +1,3 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bullseye-backports {{ apt_backports_components | mandatory }} diff --git a/apt/templates/bullseye_basics.list.j2 b/apt/templates/bullseye_basics.list.j2 new file mode 100644 index 00000000..5e0a0a53 --- /dev/null +++ b/apt/templates/bullseye_basics.list.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} +deb http://security.debian.org/ bullseye-security {{ apt_basics_components | mandatory }} From 2f68ae53390df40ef972704b2e17b41ddf7010e7 Mon Sep 17 00:00:00 2001 
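Review bot: Both new source lists fetch over plain `http://` (mirror.evolix.org and security.debian.org). APT's InRelease signature and Valid-Until checks protect package integrity, so this is not a vulnerability by itself, but it reveals which packages each host pulls to anyone on the path and leaves signature verification as the only safeguard; security.debian.org serves HTTPS and bullseye images ship ca-certificates, so `deb https://security.debian.org/ bullseye-security ...` costs nothing, and the same applies to the mirror if it supports TLS (verify). The `bullseye-security` suite name is correct (it replaces the `buster/updates` form); a one-line comment noting the rename would stop someone "fixing" it back.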
From: Jeremy Lecour Date: Sat, 1 May 2021 17:51:50 +0200 Subject: [PATCH 009/182] Preliminary support for Bullseye --- CHANGELOG.md | 1 + apt/files/bullseye_backports_preferences | 3 + apt/tasks/basics.yml | 1 + evolinux-base/tasks/system.yml | 6 +- haproxy/defaults/main.yml | 1 + haproxy/tasks/packages_backports.yml | 4 + lxc-php/defaults/main.yml | 2 +- lxc-php/tasks/php74.yml | 4 +- mongodb/files/server-4.4.asc | 30 +++++++ mongodb/files/server-4.4.gpg | Bin 0 -> 1162 bytes mongodb/tasks/main.yml | 5 +- mongodb/tasks/main_bullseye.yml | 80 +++++++++++++++++ mongodb/templates/logrotate_bullseye.j2 | 15 ++++ mongodb/templates/mongodb_bullseye.conf.j2 | 39 +++++++++ php/handlers/main.yml | 5 ++ php/tasks/main.yml | 3 + php/tasks/main_bullseye.yml | 97 +++++++++++++++++++++ postgresql/tasks/main.yml | 4 +- tomcat/tasks/packages.yml | 7 ++ varnish/tasks/main.yml | 1 + 20 files changed, 299 insertions(+), 9 deletions(-) create mode 100644 apt/files/bullseye_backports_preferences create mode 100644 mongodb/files/server-4.4.asc create mode 100644 mongodb/files/server-4.4.gpg create mode 100644 mongodb/tasks/main_bullseye.yml create mode 100644 mongodb/templates/logrotate_bullseye.j2 create mode 100644 mongodb/templates/mongodb_bullseye.conf.j2 create mode 100644 php/tasks/main_bullseye.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 38d99455..5d9abcaf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added +* Preliminary support for Debian 11 « Bullseye » * certbot: add script for manual deploy hooks execution * listupgrade: crontab is configurable diff --git a/apt/files/bullseye_backports_preferences b/apt/files/bullseye_backports_preferences new file mode 100644 index 00000000..3a667c93 --- /dev/null +++ b/apt/files/bullseye_backports_preferences @@ -0,0 +1,3 @@ +Package: * +Pin: release a=bullseye-backports +Pin-Priority: 50 
diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index fee1430a..33c79129 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml @@ -19,6 +19,7 @@ - /etc/apt/sources.list.d/debian-jessie.list - /etc/apt/sources.list.d/debian-stretch.list - /etc/apt/sources.list.d/debian-buster.list + - /etc/apt/sources.list.d/debian-bullseye.list - /etc/apt/sources.list.d/debian-update.list when: apt_clean_gandi_sourceslist | bool tags: diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 53fa243c..554bb02a 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -153,7 +153,7 @@ -- name: Install alert5 init script (buster) +- name: Install alert5 init script (buster and later) template: src: system/alert5.sh.j2 dest: /usr/share/scripts/alert5.sh @@ -163,7 +163,7 @@ - evolinux_system_alert5_init | bool - ansible_distribution_major_version is version('10', '>=') -- name: Install alert5 service (buster) +- name: Install alert5 service (buster and later) copy: src: alert5.service dest: /etc/systemd/system/alert5.service @@ -173,7 +173,7 @@ - evolinux_system_alert5_init | bool - ansible_distribution_major_version is version('10', '>=') -- name: Enable alert5 init script (buster) +- name: Enable alert5 init script (buster and later) systemd: name: alert5 daemon_reload: yes diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index b94d2872..0745f1a9 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -34,3 +34,4 @@ haproxy_deny_ips: [] haproxy_backports_packages_stretch: haproxy libssl1.0.0 haproxy_backports_packages_buster: haproxy +haproxy_backports_packages_bullseye: haproxy diff --git a/haproxy/tasks/packages_backports.yml b/haproxy/tasks/packages_backports.yml index 9a682120..eab4fbca 100644 --- a/haproxy/tasks/packages_backports.yml +++ b/haproxy/tasks/packages_backports.yml 
@@ -15,6 +15,10 @@ haproxy_backports_packages: "{{ haproxy_backports_packages_buster }}" when: ansible_distribution_release == 'buster' +- set_fact: + haproxy_backports_packages: "{{ haproxy_backports_packages_bullseye }}" + when: ansible_distribution_release == 'bullseye' + - name: Prefer HAProxy package from backports template: src: haproxy_apt_preferences.j2 diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 1cceab35..ce8a935d 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -18,4 +18,4 @@ lxc_php_container_releases: php56: "jessie" php70: "stretch" php73: "buster" - php74: "buster" + php74: "bullseye" diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 2c4538e8..464e0766 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -13,8 +13,8 @@ create: yes mode: "0644" loop: - - "deb https://packages.sury.org/php/ buster main" - - "deb http://pub.evolix.net/ buster-php74/" + - "deb https://packages.sury.org/php/ bullseye main" + - "deb http://pub.evolix.net/ bullseye-php74/" - name: copy pub.evolix.net GPG key copy: diff --git a/mongodb/files/server-4.4.asc b/mongodb/files/server-4.4.asc new file mode 100644 index 00000000..9f4d9161 --- /dev/null +++ b/mongodb/files/server-4.4.asc 
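Review bot: The php74 container now runs bullseye, yet the loop still adds `deb https://packages.sury.org/php/ bullseye main` and `deb http://pub.evolix.net/ bullseye-php74/`; Debian 11 ships PHP 7.4 in main, so neither repository is needed to obtain 7.4, and once present their packages will shadow Debian's unless pinning (not visible in this hunk) says otherwise. If they are kept on purpose, a comment on the loop saying why would stop the next reader from removing them; if not, dropping the sury line removes a third-party trust root from every php74 container. The pub.evolix.net entry is a flat repository over plain HTTP, so integrity rests entirely on the key copied by the following task.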
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBFzteqwBEADSirbLWsjgkQmdWr06jXPN8049MCqXQIZ2ovy9uJPyLkHgOCta +8dmX+8Fkk5yNOLScjB1HUGJxAWJG+AhldW1xQGeo6loDfTW1mlfetq/zpW7CKbUp +qve9eYYulneAy/81M/UoUZSzHqj6XY39wzJCH20H+Qx3WwcqXgSU7fSFXyJ4EBYs +kWybbrAra5v29LUTBd7OvvS+Swovdh4T31YijUOUUL/gJkBI9UneVyV7/8DdUoVJ +a8ym2pZ6ALy+GZrWBHcCKD/rQjEkXJnDglu+FSUI50SzaC9YX31TTzEMJijiPi6I +MIZJMXLH7GpCIDcvyrLWIRYVJAQRoYJB4rmp42HTyed4eg4RnSiFrxVV5xQaDnSl +/8zSOdVMBVewp8ipv34VeRXgNTgRkhA2JmL+KlALMkPo7MbRkJF01DiOOsIdz3Iu +43oYg3QYmqxZI6kZNtXpUMnJeuRmMQJJN8yc9ZdOA9Ll2TTcIql8XEsjGcM7IWM9 +CP6zGwCcbrv72Ka+h/bGaLpwLbpkr5I8PjjSECn9fBcgnVX6HfKH7u3y11+Va1nh +a8ZEE1TuOqRxnVDQ+K4iwaZFgFYsBMKo2ghoU2ZbZxu14vs6Eksn6UFsm8DpPwfy +jtLtdje8jrbYAqAy5zIMLoW+I6Rb5sU3Olh9nI7NW4T5qQeemBcuRAwB4QARAQAB +tDdNb25nb0RCIDQuNCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u +Z29kYi5jb20+iQI+BBMBAgAoBQJc7XqsAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE +FgIDAQIeAQIXgAAKCRBlZAjjkM+x9SKmD/9BzdjFAgBPPkUnD5pJQgsBQKUEkDsu +cht6Q0Y4M635K7okpqJvXtZV5Mo+ajWZjUeHn4wPdVgzF2ItwVLRjjak3tIZfe3+ +ME5Y27Aej3LeqQC3Q5g6SnpeZwVEhWzU35CnyhQecP4AhDG3FO0gKUn3GkEgmsd6 +rnXAQLEw3VUYO8boxqBF3zjmFLIIaODYNmO1bLddJgvZlefUC62lWBBUs6Z7PBnl +q7qBQFhz9qV9zXZwCT2/vgGLg5JcwVdcJXwAsQSr1WCVd7Y79+JcA7BZiSg9FAQd +4t2dCkkctoUKgXsAH5fPwErGNj5L6iUnhFODPvdDJ7l35UcIZ2h74lqfEh+jh8eo +UgxkcI2y2FY/lPapcPPKe0FHzCxG2U/NRdM+sqrIfp9+s88Bj+Eub7OhW4dF3AlL +bh/BGHL9R8xAJRDLv8v7nsKkZWUnJaskeDFCKX3rjcTyTRWTG7EuMCmCn0Ou1hKc +R3ECvIq0pVfVh+qk0hu+A5Dvj6k3QDcTfse+KfSAJkYvRKiuRuq5KgYcX3YSzL6K +aZitMyu18XsQxKavpIGzaDhWyrVAig3XXF//zxowYVwuOikr5czgqizu87cqjpyn +S0vVG4Q3+LswH4xVTn3UWadY/9FkM167ecouu4g3op29VDi7hCKsMeFvFP6OOIls +G4vQ/QbzucK77Q== +=eD3N +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file 
diff --git a/mongodb/files/server-4.4.gpg b/mongodb/files/server-4.4.gpg new file mode 100644 index 0000000000000000000000000000000000000000..f1b1730e67131b5c9f15b1ec84d5fc10f79887ee GIT binary patch literal 1162 zcmV;51a}rbItQkJuoVlK!$dr{Jpr7@-9K( zI4fH5*_ZplWRskYIJBIM9Y;`NaRFjR_y}cnZE-+nsOnk+eKob3SKhX-^QCUWDYYr8 z_q} z8JgAvcLFFs>q0RkT$#gyTfP+~2MmgZEtR8Z)9RFV{dIfi2^^&+MZ|3S^z#R33NK1C-Fnn^+n0YIe$ zkUK7N8+t=VI5VyJE4n16qHkW-RpiP(YBiaSM~9z`4|P~G7h)~JQqhh!q~6jQeeM1* zPFUNp9*=U~sQ|Y_m^w;&US|bFg>2N{kf+KN9&r8ugfX`i?I0;h_ZmSUn#X#sb-+Ne zFx^!cJI3h7phe#}<`l9BXyDj3W3_CzT_y|JmFLt8t)*BHRI{dgJQ?Myx`9AgbM~cu z&314JJ-@yIi-VF}!B<=*d;qZotJPqYceXqC;#>o;S&1k;6a*dO-JJ?a9JYlDfqMWS zm(RdT#x_1n>Ln+HQ-ePDLnpa+}7Q$bO%Gv(EvK;Vy5pp<9PV+zCr=AHf)M{YT6|B@oNM%ln?fq-A9% zC95QOF+wSQ>y5aO?~kcBKsOV9 z$G$1_fF?#SM5wMt>bWWg9A9=4%)W|gn5{D_wefop#HO#LfwO2hR?4+NiVfFXU;ob< zFkxISIw>pV%;2gl?(?@Qj-01UOVt~MH~70SAB=r cR5-hYBCIjtZxsHHIEic=') + when: ansible_distribution_release == "buster" + +- include: main_bullseye.yml + when: ansible_distribution_major_version is version('11', '>=') diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml new file mode 100644 index 00000000..03094278 --- /dev/null +++ b/mongodb/tasks/main_bullseye.yml 
@@ -0,0 +1,80 @@ +--- + +# https://wiki.debian.org/DebianRepository/UseThirdParty +- name: Add MongoDB GPG key for version 4.4 + copy: + src: server-4.4.gpg + dest: /usr/share/keyrings/mongodb-server-4.4.gpg + force: yes + +- name: enable APT sources list + apt_repository: + repo: deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main + state: present + filename: mongodb-org-4.4 + update_cache: yes + +- name: Install packages + apt: + name: mongodb-org + update_cache: yes + state: present + register: _mongodb_install_package + +- name: MongoDB service in enabled and started + systemd: + name: mongod + enabled: yes + state: started + when: _mongodb_install_package.changed + +- name: install dependency for monitoring + apt: + name: python-pymongo + state: present + +- name: Custom configuration + template: + src: mongodb_bullseye.conf.j2 + dest: "/etc/mongod.conf" + force: "{{ mongodb_force_config | bool | ternary('yes', 'no') }}" + notify: restart mongod + +- name: Configure logrotate + template: + src: logrotate_bullseye.j2 + dest: /etc/logrotate.d/mongodb + force: yes + backup: no + +- name: Munin plugins are present + copy: + src: "munin/{{ item }}" + dest: '/usr/local/share/munin/plugins/{{ item }}' + force: yes + with_items: + - mongo_btree + - mongo_collections + - mongo_conn + - mongo_docs + - mongo_lock + - mongo_mem + - mongo_ops + - mongo_page_faults + notify: restart munin-node + +- name: Enable core Munin plugins + file: + src: '/usr/local/share/munin/plugins/{{ item }}' + dest: /etc/munin/plugins/{{ item }} + state: link + with_items: + - mongo_btree + - mongo_collections + - mongo_conn + - mongo_docs + - mongo_lock + - mongo_mem + - mongo_ops + - mongo_page_faults + notify: restart munin-node diff --git a/mongodb/templates/logrotate_bullseye.j2 b/mongodb/templates/logrotate_bullseye.j2 new file mode 100644 index 00000000..8239e880 --- /dev/null 
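Review bot: The monitoring dependency task installs `python-pymongo`, the Python 2 package; Debian 11 dropped the Python 2 module packages and ships only `python3-pymongo`, so this task should fail on a bullseye host — verify with `apt-cache policy python-pymongo` there and switch to `name: python3-pymongo`. The repository line also uses the `buster/mongodb-org/4.4` suite on bullseye; if that is because upstream publishes no bullseye suite for 4.4, say so in a comment next to it, since it otherwise reads as a copy-paste slip. The `signed-by=` keyring approach is the right one; adding `mode: "0644"` to the keyring copy makes its permissions explicit rather than umask-dependent.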
+++ b/mongodb/templates/logrotate_bullseye.j2 @@ -0,0 +1,15 @@ +# {{ ansible_managed }} + +/var/log/mongodb/mongod.log { + daily + missingok + rotate 365 + dateext + compress + delaycompress + notifempty + sharedscripts + postrotate + pidof mongod | xargs kill -USR1 + endscript +} diff --git a/mongodb/templates/mongodb_bullseye.conf.j2 b/mongodb/templates/mongodb_bullseye.conf.j2 new file mode 100644 index 00000000..b61479bd --- /dev/null +++ b/mongodb/templates/mongodb_bullseye.conf.j2 @@ -0,0 +1,39 @@ +# mongodb.conf - {{ ansible_managed }} + +# for documentation of all options, see: +# http://docs.mongodb.org/manual/reference/configuration-options/ + +# Where and how to store data. +storage: + dbPath: /var/lib/mongodb + journal: + enabled: true +# engine: +# mmapv1: +# wiredTiger: + +# where to write logging data. +systemLog: + destination: file + logRotate: reopen + logAppend: true + path: /var/log/mongodb/mongodb.log + +# network interfaces +net: + port: {{ mongodb_port }} + bindIp: {{ mongodb_bind }} + +#security: + +#operationProfiling: + +#replication: + +#sharding: + +## Enterprise-Only Options: + +#auditLog: + +#snmp: diff --git a/php/handlers/main.yml b/php/handlers/main.yml index 1aade6c1..973c0069 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -14,3 +14,8 @@ service: name: php7.3-fpm state: restarted + +- name: restart php7.4-fpm + service: + name: php7.4-fpm + state: restarted diff --git a/php/tasks/main.yml b/php/tasks/main.yml index e9687e67..5cf46bec 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -12,3 +12,6 @@ - include: main_buster.yml when: ansible_distribution_release == "buster" + +- include: main_bullseye.yml + when: ansible_distribution_release == "bullseye" diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml new file mode 100644 index 00000000..7584305d --- /dev/null +++ b/php/tasks/main_bullseye.yml 
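Review bot: This stanza rotates `/var/log/mongodb/mongod.log`, but `mongodb_bullseye.conf.j2` added in the same commit writes to `path: /var/log/mongodb/mongodb.log`, so the real log file is never rotated and mongod receives USR1 for nothing; pick one name, e.g. `/var/log/mongodb/mongodb.log {`, and keep the two templates in step. `pidof mongod | xargs kill -USR1` also runs `kill -USR1` with no argument while mongod is stopped, which makes logrotate report an error on every run during downtime; `pidof mongod | xargs --no-run-if-empty kill -USR1` avoids that.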
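Review bot: `#security:` is left commented out in the new config template, so a bullseye deployment accepts unauthenticated connections on `{{ mongodb_bind }}:{{ mongodb_port }}` unless `mongodb_bind` is kept to localhost — its default is not visible in this hunk. Consider exposing it through a role variable, `security:` followed by `  authorization: {{ mongodb_authorization | default('disabled') }}`, or at least a comment stating that the role assumes the instance is reachable only locally. `logRotate: reopen` here pairs with the USR1 sent by the logrotate template, and the two files must agree on `systemLog.path`; a comment noting that dependency would help.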
@@ -0,0 +1,97 @@ +--- + +- name: "Set variables (Debian 10 or later)" + set_fact: + php_cli_defaults_ini_file: /etc/php/7.4/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php/7.4/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/7.4/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php/7.4/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php/7.4/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_debian_default_pool_file: /etc/php/7.4/fpm/pool.d/www.conf + php_fpm_default_pool_file: /etc/php/7.4/fpm/pool.d/www-evolinux-defaults.conf + php_fpm_default_pool_custom_file: /etc/php/7.4/fpm/pool.d/www-evolinux-zcustom.conf + php_fpm_default_pool_socket: /var/run/php/php7.4-fpm.sock + php_fpm_service_name: php7.4-fpm + +# Packages + +- name: "Set package list (Debian 9 or later)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-sqlite3 + - php-gettext + - php-curl + - php-ssh2 + - php-zip + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 9 or later)" + apt: + name: '{{ php_stretch_packages }}' + state: present + +- name: "Install mod_php packages (Debian 9 or later)" + apt: + name: + - libapache2-mod-php + - php + state: present + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 9 or later)" + apt: + name: + - php-fpm + - php + state: present + when: php_fpm_enable + +# Configuration + +- name: Enforce permissions on PHP directory + file: + dest: "{{ item }}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/7.4 + +- include: config_cli.yml +- name: Enforce permissions on PHP cli directory + file: + dest: /etc/php/7.4/cli + mode: "0755" + +- include: config_fpm.yml + when: 
php_fpm_enable + +- name: Enforce permissions on PHP fpm directory + file: + dest: /etc/php/7.4/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable + +- name: Enforce permissions on PHP apache2 directory + file: + dest: /etc/php/7.4/apache2 + mode: "0755" + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml index fbe22989..1783a763 100644 --- a/postgresql/tasks/main.yml +++ b/postgresql/tasks/main.yml @@ -5,10 +5,10 @@ when: ansible_distribution_release == "jessie" - include: packages_stretch.yml - when: ansible_distribution_major_version is version('9', '=') + when: ansible_distribution_release == "stretch" - include: packages_buster.yml - when: ansible_distribution_major_version is version('10', '=') + when: ansible_distribution_release == "buster" - include: packages_bullseye.yml when: ansible_distribution_major_version is version('11', '>=') diff --git a/tomcat/tasks/packages.yml b/tomcat/tasks/packages.yml index 900dffd0..9b7995cc 100644 --- a/tomcat/tasks/packages.yml +++ b/tomcat/tasks/packages.yml @@ -21,6 +21,13 @@ - ansible_distribution_release == "buster" - tomcat_version is not defined +- name: Set Tomcat version to 10 on Debian 11 if missing + set_fact: + tomcat_version: 10 + when: + - ansible_distribution_release == "bullseye" + - tomcat_version is not defined + - name: Install packages apt: name: diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 95a720c8..75268841 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -52,6 +52,7 @@ - config - update-config +# TODO: verify if it's still necessary for Debian 11 - name: Override Varnish systemd unit (Buster and later) template: src: varnish.conf.buster.j2 From 4a158ac819b2d6cd6cbfb1d92a2761e9810c7334 Mon Sep 17 00:00:00 2001 
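Review bot: The task names in this new file still read "Debian 9 or later" / "Debian 10 or later" and the package list is stored in `php_stretch_packages`, although the file is included only for bullseye; renaming them (`"Set variables (Debian 11)"`, `php_bullseye_packages`) keeps play output and fact names honest. The layout suggests it was derived from main_buster.yml (not visible here); if so, a one-line comment at the top naming the file it mirrors and stating that 7.4 is Debian 11's native PHP would help keep the two in step. This hunk opens on the preceding source line.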
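Review bot: `tomcat_version: 10` for bullseye looks wrong: as far as I recall Debian 11 ships `tomcat9` and `tomcat10` only arrived in bookworm, so the package install that follows (outside this hunk) would fail with an unknown package; verify with `apt-cache policy tomcat10` on a bullseye host and use `tomcat_version: 9` if so. A comment beside the default explaining which Debian release maps to which Tomcat major would make the next bump easier to review.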
From: Jeremy Lecour Date: Sat, 1 May 2021 22:11:08 +0200 Subject: [PATCH 010/182] Reduce verbosity --- apache/tasks/server_status.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 2ca77951..efd2b00e 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -33,6 +33,7 @@ - debug: var: apache_serverstatus_suffix + verbosity: 1 - name: replace server-status suffix in default site index replace: From 52d06a39878e4a4bd073db318577bd3afc77ef90 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:11:50 +0200 Subject: [PATCH 011/182] temporary bulseye-detect role Overrides some facts to add compatibility with unreleased Debian version --- bullseye-detect/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 bullseye-detect/tasks/main.yml diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml new file mode 100644 index 00000000..07b898e3 --- /dev/null +++ b/bullseye-detect/tasks/main.yml @@ -0,0 +1,8 @@ +--- + +# Force facts until Debian 11 is released because Ansible is dumb +- set_fact: + ansible_distribution_major_version: 11 + ansible_distribution: "Debian" + ansible_distribution_release: "bullseye" + when: "ansible_lsb.codename == 'bullseye'" \ No newline at end of file From 008cb6a3c97fb5889d6fb3559776004d1856ba43 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:12:27 +0200 Subject: [PATCH 012/182] quote numeric values --- evolinux-base/tasks/kernel.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 76965f47..b49968f1 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -26,7 +26,7 @@ - name: Disable net.ipv4.tcp_timestamps sysctl: name: net.ipv4.tcp_timestamps - value: 0 + value: '0' sysctl_file: "{{ evolinux_kernel_sysctl_path }}" state: present reload: yes 
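Review bot: `verbosity: 1` still prints `apache_serverstatus_suffix` whenever the play runs with `-v`; if that suffix is what keeps the server-status URL unguessable (inferred from the name — the rest of the file is outside the hunk), it will land in CI and operator logs. `no_log: true` on the debug task, or removing the debug once the replace task below is trusted, would avoid that.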
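Review bot: `when: "ansible_lsb.codename == 'bullseye'"` fails with an undefined attribute on hosts without `lsb_release`, because `ansible_lsb` is then an empty dict; `when: "ansible_lsb.codename | default('') == 'bullseye'"` keeps the role usable on minimal images. The override also sets `ansible_distribution: "Debian"` unconditionally — a comment recording what the un-overridden facts look like on such a host (presumably 'testing' / 'n/a') would let this temporary role be deleted safely once Ansible recognises bullseye. Since other roles compare `ansible_distribution_major_version` numerically, this role must run before them in every play; the file does not say so.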
From 380c50b999071c14166173ebaa0326cd2503a51f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:12:58 +0200 Subject: [PATCH 013/182] evolinux-base: increase minimum Ansible version to 2.9 --- evolinux-base/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolinux-base/meta/main.yml b/evolinux-base/meta/main.yml index 84c001c1..83ed8538 100644 --- a/evolinux-base/meta/main.yml +++ b/evolinux-base/meta/main.yml @@ -14,6 +14,7 @@ galaxy_info: - jessie - stretch - buster + - bullseye galaxy_tags: [] # List tags for your role here, one per line. A tag is From 5e09906c8f1fc35c3cbbebccc643f7c1b9da492f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:13:37 +0200 Subject: [PATCH 014/182] fixup! temporary bulseye-detect role --- evolinux-base/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index f8b4cd6d..2da87162 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -1,11 +1,5 @@ --- -# Force facts until Debian 11 is released because Ansible is dumb -- set_fact: - ansible_distribution_major_version: 11 - ansible_distribution_release: "bullseye" - when: ansible_distribution_major_version == 'testing' - - name: "System compatibility checks" assert: that: From 51d4ec1bb29a0f41fb40aa908be38926f460c12b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:14:33 +0200 Subject: [PATCH 015/182] php: remove php-gettext for 7.4 --- CHANGELOG.md | 2 ++ lxc-php/tasks/php74.yml | 2 +- php/tasks/main_bullseye.yml | 1 - 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d9abcaf..8b96ed2e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,8 @@ The **patch** part changes incrementally at each release. ### Removed +* php: remove php-gettext for 7.4 + ### Security ## [10.6.0] 2021-06-28 
diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 464e0766..9438dcc7 100644 --- a/lxc-php/tasks/php74.yml +++ b/lxc-php/tasks/php74.yml @@ -40,7 +40,7 @@ - name: "{{ lxc_php_version }} - Install PHP packages" lxc_container: name: "{{ lxc_php_version }}" - container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-zip composer libphp-phpmailer" - name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" template: diff --git a/php/tasks/main_bullseye.yml b/php/tasks/main_bullseye.yml index 7584305d..bdeffe56 100644 --- a/php/tasks/main_bullseye.yml +++ b/php/tasks/main_bullseye.yml @@ -28,7 +28,6 @@ # php-mcrypt is no longer packaged for PHP 7.2 - php-pgsql - php-sqlite3 - - php-gettext - php-curl - php-ssh2 - php-zip From c5bb8f06ae12930cf51a9497744a7f66b49050f9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:17:17 +0200 Subject: [PATCH 016/182] mysql: use python3 with Debian 11 and later --- CHANGELOG.md | 1 + mysql-oracle/tasks/users.yml | 10 ++++++++++ mysql/tasks/users_jessie.yml | 13 +++++++++++-- mysql/tasks/users_stretch.yml | 13 +++++++++++-- redmine/tasks/packages.yml | 21 +++++++++++++++++++-- webapps/nextcloud/tasks/main.yml | 19 ++++++++++++++++++- 6 files changed, 70 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b96ed2e..c04a50c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release. ### Changed * listupgrade: upstream release 21.06.3 +* mysql: use python3 with Debian 11 and later ### Fixed 
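Review bot: The rewritten `container_command` still lists `php-zip` twice (`... php-curl php-zip php-mbstring php-zip ...`); apt tolerates the duplicate, but dropping the second occurrence keeps the list accurate for the next edit. With the whole package set on one quoted line, each package change becomes a hard-to-review diff of that line; keeping the packages as a YAML list variable (for example one named `lxc_php_packages`, rendered with `| join(' ')` into the command) would make removals like this one a one-line change.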
diff --git a/mysql-oracle/tasks/users.yml b/mysql-oracle/tasks/users.yml index da1ca05f..e5a7e3da 100644 --- a/mysql-oracle/tasks/users.yml +++ b/mysql-oracle/tasks/users.yml @@ -5,6 +5,16 @@ apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') tags: - mysql diff --git a/mysql/tasks/users_jessie.yml b/mysql/tasks/users_jessie.yml index 99dd2d04..3a56a63d 100644 --- a/mysql/tasks/users_jessie.yml +++ b/mysql/tasks/users_jessie.yml @@ -6,13 +6,22 @@ when: mysql_variant == "mariadb" # dependency for mysql_user and mysql_db - - name: python-mysqldb is installed (Ansible dependency) apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') tags: - - mysql + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - mysql - name: create a password for mysqladmin command: "apg -n 1 -m 16 -M lcN" diff --git a/mysql/tasks/users_stretch.yml b/mysql/tasks/users_stretch.yml index 574399af..2b9bec6b 100644 --- a/mysql/tasks/users_stretch.yml +++ b/mysql/tasks/users_stretch.yml 
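Review bot: Choosing between `python-mysqldb` and `python3-mysqldb` by `ansible_distribution_major_version` ties the binding to the OS release rather than to the interpreter the modules actually run under; on a Debian 10 host where `ansible_python_interpreter` resolves to `/usr/bin/python3` (interpreter discovery does this when no Python 2 is present, or when the inventory sets it), the `version('10', '<=')` branch installs the Python 2 binding and `mysql_user`/`mysql_db` still cannot import MySQLdb. Keying the two tasks on the interpreter instead, `when: ansible_python.version.major == 2` and `when: ansible_python.version.major == 3`, installs the binding that will actually be imported. The same selection pattern appears in `mysql/tasks/users_jessie.yml`, `mysql/tasks/users_stretch.yml`, `redmine/tasks/packages.yml` and `webapps/nextcloud/tasks/main.yml` in this commit, and in `docker-host/tasks/main.yml`, `lxc/tasks/main.yml`, `postgresql/tasks/nrpe.yml` and `rabbitmq/tasks/nrpe.yml` in patch 026.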
@@ -1,13 +1,22 @@ --- # dependency for mysql_user and mysql_db - - name: python-mysqldb is installed (Ansible dependency) apt: name: python-mysqldb state: present + when: ansible_distribution_major_version is version('10', '<=') tags: - - mysql + - mysql + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - mysql - name: create a password for mysqladmin command: "apg -n 1 -m 16 -M lcN" diff --git a/redmine/tasks/packages.yml b/redmine/tasks/packages.yml index b2be8faa..0c65df44 100644 --- a/redmine/tasks/packages.yml +++ b/redmine/tasks/packages.yml @@ -1,5 +1,5 @@ --- -- name: Install dependancy +- name: Install dependency apt: name: - libpam-systemd @@ -14,7 +14,24 @@ - libmagickwand-dev - libmagickcore-dev - libmariadbclient-dev - - python-mysqldb state: present tags: - redmine + +# dependency for mysql_user and mysql_db +- name: python-mysqldb is installed (Ansible dependency) + apt: + name: python-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - redmine + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') + tags: + - redmine \ No newline at end of file diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 2c525114..c63291f1 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml 
@@ -16,7 +16,24 @@ - php-apcu - php-redis - php-bcmath - - python-mysqldb + tags: + - nextcloud + +# dependency for mysql_user and mysql_db +- name: python-mysqldb is installed (Ansible dependency) + apt: + name: python-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '<=') + tags: + - nextcloud + +# dependency for mysql_user and mysql_db +- name: python3-mysqldb is installed (Ansible dependency) + apt: + name: python3-mysqldb + state: present + when: ansible_distribution_major_version is version('10', '>') tags: - nextcloud From 2c441f176ae7d101403c39b6772310676260997c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:19:31 +0200 Subject: [PATCH 017/182] mysql: mariadb-client-10.5 on Debian 11 --- CHANGELOG.md | 1 + mysql-oracle/tasks/utils.yml | 16 ++++++++++++---- mysql/tasks/utils.yml | 16 ++++++++++++---- 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c04a50c2..a0ff32ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release. ### Changed * listupgrade: upstream release 21.06.3 +* mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later ### Fixed diff --git a/mysql-oracle/tasks/utils.yml b/mysql-oracle/tasks/utils.yml index e7573afe..e0520cee 100644 --- a/mysql-oracle/tasks/utils.yml +++ b/mysql-oracle/tasks/utils.yml @@ -17,7 +17,7 @@ # mytop -- name: "mytop is installed (jessie)" +- name: "mytop is installed (Debian 9)" apt: name: mytop state: present @@ -32,7 +32,7 @@ # name: mysql-utilities # when: ansible_distribution_major_version is version('9', '>=') -- name: "mytop dependencies are installed (stretch)" +- name: "mytop dependencies are installed (Buster)" apt: name: - libconfig-inifiles-perl 
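Review bot: The rename to `mytop dependencies are installed (Buster)` in the second `mysql-oracle/tasks/utils.yml` hunk contradicts the task's own condition: the context at the top of the following hunk still reads `when: ansible_distribution_release == "stretch"`, and stretch is Debian 9, not buster (Debian 10). The first hunk's `mytop is installed (Debian 9)` looks like the jessie task by the pattern of the sibling file (its `when` is outside the hunk, so this is inferred), and jessie is Debian 8. Suggested labels: `(Debian 8)` for the jessie-gated task and `(Debian 9)` for the stretch-gated one; the same correction applies to `Install mytop (Debian 9)` in the `mysql/tasks/utils.yml` hunks of this commit, where `when: ansible_distribution_release == "jessie"` is visible.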
@@ -46,13 +46,21 @@ - mysql when: ansible_distribution_release == "stretch" -- name: "Install dependencies for mytop (Debian 10 or later)" +- name: "Install dependencies for mytop (Debian 10)" apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl - libterm-readkey-perl - when: ansible_distribution_major_version is version('10', '>=') + when: ansible_distribution_release == "buster" + +- name: "Install dependencies for mytop (Debian 11 or later)" + apt: + name: + - mariadb-client-10.5 + - libconfig-inifiles-perl + - libterm-readkey-perl + when: ansible_distribution_major_version is version('11', '>=') - include_role: name: evolix/remount-usr diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index b4abf059..f1a9cb24 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -17,7 +17,7 @@ # mytop -- name: "Install mytop (jessie)" +- name: "Install mytop (Debian 9)" apt: name: mytop state: present @@ -27,7 +27,7 @@ - mysql when: ansible_distribution_release == "jessie" -- name: "Install dependencies for mytop (stretch)" +- name: "Install dependencies for mytop (Debian 9)" apt: name: - mariadb-client-10.1 @@ -35,13 +35,21 @@ - libterm-readkey-perl when: ansible_distribution_release == "stretch" -- name: "Install dependencies for mytop (Debian 10 or later)" +- name: "Install dependencies for mytop (Debian 10)" apt: name: - mariadb-client-10.3 - libconfig-inifiles-perl - libterm-readkey-perl - when: ansible_distribution_major_version is version('10', '>=') + when: ansible_distribution_release == "buster" + +- name: "Install dependencies for mytop (Debian 11 or later)" + apt: + name: + - mariadb-client-10.5 + - libconfig-inifiles-perl + - libterm-readkey-perl + when: ansible_distribution_major_version is version('11', '>=') - name: Read debian-sys-maint password shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' From f673ea85d1c4dbb9deef7a737e5161596d3da7f5 Mon Sep 17 00:00:00 2001 
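Review bot: The new `Install dependencies for mytop (Debian 11 or later)` task pins `mariadb-client-10.5` behind `is version('11', '>=')`, which repeats the pattern this same hunk is fixing for Debian 10: a versioned client package gated on "N or later" stops matching at the next release. Gating it on `ansible_distribution_release == "bullseye"`, as the buster task now does, or using the unversioned `mariadb-client` metapackage for the open-ended condition, avoids a third round of the same fix. The identical task in the `mysql/tasks/utils.yml` hunk below has the same issue.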
From: Jeremy Lecour Date: Sat, 1 May 2021 22:22:54 +0200 Subject: [PATCH 018/182] Force Debian version to buster for Evolix repository --- CHANGELOG.md | 1 + apt/templates/evolix_public.list.j2 | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0ff32ad..9364cc4b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. ### Changed +* evolinux-base: force Debian version to buster for Evolix repository (temporary) * listupgrade: upstream release 21.06.3 * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 06de99c0..25156cd0 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,8 @@ # {{ ansible_managed }} +{% if ansible_distribution_release == 'bullseye' %} +# Force previous Debian version (temporary) +deb http://pub.evolix.net/ buster/ +{% else %} deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ +{% endif %} From c5ab0c0ff9191878a0dcf27e97c0d661fea57b9f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:24:40 +0200 Subject: [PATCH 019/182] squid: remove obsolete variable on Squid 4 --- CHANGELOG.md | 2 ++ squid/tasks/main.yml | 7 +++++++ squid/templates/evolinux-custom.conf.j2 | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9364cc4b..be32015f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,8 @@ The **patch** part changes incrementally at each release. * listupgrade: upstream release 21.06.3 * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later +* ntpd: Add leapfile configuration setting to ntpd on debian 10+ +* squid: remove obsolete variable on Squid 4 ### Fixed diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 9e00dcb0..4a3cab4d 100644 
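Review bot: The `{% if ansible_distribution_release == 'bullseye' %}` branch of `evolix_public.list.j2` points bullseye hosts at the buster suite with only "temporary" as justification; the comment should state the removal criterion so the override does not outlive its purpose, e.g. `# Force previous Debian version until pub.evolix.net publishes a bullseye suite (TODO: remove then)`. Note that packages built for buster are then installed on bullseye without any APT pin limiting them, so anything in that suite that also exists in Debian 11 can shadow the native package; if that is not intended, a preferences entry for this origin would bound it.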
--- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -22,6 +22,13 @@ - squidclient state: present +- name: Fetch packages + package_facts: + manager: auto + +- debug: + var: ansible_facts.packages[squid_daemon_name] + - name: "Set alternative config file (Debian 9 or later)" copy: src: default_squid diff --git a/squid/templates/evolinux-custom.conf.j2 b/squid/templates/evolinux-custom.conf.j2 index cc465dc7..27c97cc2 100644 --- a/squid/templates/evolinux-custom.conf.j2 +++ b/squid/templates/evolinux-custom.conf.j2 @@ -1,4 +1,4 @@ http_port 8888 transparent cache deny all -ignore_expect_100 on +{% if ansible_facts.packages[squid_daemon_name][0]['version'] is version (4, '<') %}ignore_expect_100 on{% endif %} tcp_outgoing_address {{ squid_address }} From e8a8e8581923aae6c5d680409100517c6438754a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 1 May 2021 22:25:38 +0200 Subject: [PATCH 020/182] redis: instance service for Debian 11 --- CHANGELOG.md | 5 +++ .../redis-server@bullseye.service.j2 | 45 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 redis/templates/redis-server@bullseye.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index be32015f..b5ca4ab5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,8 +13,13 @@ The **patch** part changes incrementally at each release. ### Added * Preliminary support for Debian 11 « Bullseye » +* apache: new variable for mpm mode (+ updated default config accordingly) * certbot: add script for manual deploy hooks execution +* evolinux-base: add default motd template +* kvm-host: add migrate-vm script * listupgrade: crontab is configurable +* mysql: variable to disable myadd script overwrite (default: True) +* redis: instance service for Debian 11 ### Changed diff --git a/redis/templates/redis-server@bullseye.service.j2 b/redis/templates/redis-server@bullseye.service.j2 new file mode 100644 index 00000000..623eb919 --- /dev/null +++ b/redis/templates/redis-server@bullseye.service.j2 
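Review bot: The new `- debug: var: ansible_facts.packages[squid_daemon_name]` prints the full package record on every run; patch 010 in this series quietened the equivalent apache debug with `verbosity: 1`, and the same `verbosity: 1` here keeps normal runs clean. The `Fetch packages` task exists only to feed the version test in `evolinux-custom.conf.j2`, which is not obvious from this file; a comment such as `# package_facts feeds the Squid version check in templates/evolinux-custom.conf.j2` ties the two together.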
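Review bot: `ansible_facts.packages[squid_daemon_name][0]['version'] is version (4, '<')` compares Debian's full version string against `4` with the non-strict `version` test, which works for the current packaging but would invert should the package ever carry an epoch (`1:4.x` sorts below `4` under that comparison); a one-line comment stating the assumption, `{# assumes no epoch in the squid package version #}`, makes it checkable. The template now hard-depends on `package_facts` having run in the same play, so a tag-limited run that skips the `Fetch packages` task fails on the missing key; `{# requires package_facts (see squid/tasks/main.yml) #}` at the top of the file makes that dependency visible. Wrapping the directive in `{% if ... -%}` / `{%- endif %}` also avoids the blank line left in the rendered config on Squid 4.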
@@ -0,0 +1,45 @@ +[Unit] +Description=Advanced key-value store +After=network.target +Documentation=http://redis.io/documentation, man:redis-server(1) + +[Service] +Type=notify +ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf --supervised systemd --daemonize no +PIDFile=/run/redis-%i/redis-server.pid +TimeoutStopSec=0 +Restart=always +User=redis-%i +Group=redis-%i +RuntimeDirectory=redis-%i +RuntimeDirectoryMode=2755 + +UMask=007 +PrivateTmp=yes +LimitNOFILE=65535 +PrivateDevices=yes +ProtectHome={{ redis_data_dir_prefix is match('/home') | ternary('no', 'yes') }} +ReadOnlyDirectories=/ +ReadWritePaths=-{{ redis_data_dir_prefix }}-%i +ReadWritePaths=-{{ redis_log_dir_prefix }}-%i +ReadWritePaths=-{{ redis_pid_dir_prefix }}-%i +ReadWritePaths=-{{ redis_socket_dir_prefix }}-%i + +NoNewPrivileges=true +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE +MemoryDenyWriteExecute=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true +RestrictRealtime=true +RestrictNamespaces=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + +# redis-server can write to its own config file when in cluster mode so we +# permit writing there by default. If you are not using this feature, it is +# recommended that you replace the following lines with "ProtectSystem=full". +ProtectSystem=true +ReadWriteDirectories=-{{ redis_conf_dir_prefix }}-%i + +[Install] +WantedBy=multi-user.target \ No newline at end of file From c80c354d65cd21374508db211046ea7c1ad196d4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 00:33:26 +0200 Subject: [PATCH 021/182] fix keyrings permissions --- mongodb/tasks/main_bullseye.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 03094278..a2ef6038 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml 
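Review bot: The unit mixes the current `ReadWritePaths=` with the deprecated aliases `ReadOnlyDirectories=/` and `ReadWriteDirectories=-{{ redis_conf_dir_prefix }}-%i` (renamed to `ReadOnlyPaths=`/`ReadWritePaths=` in systemd 231); writing `ReadOnlyPaths=/` and `ReadWritePaths=-{{ redis_conf_dir_prefix }}-%i` keeps the same sandbox with one spelling and avoids relying on the alias surviving in later systemd releases. The comment above `ProtectSystem=true` says to replace "the following lines" with `ProtectSystem=full` when cluster mode is unused, but `ReadOnlyPaths=/` already makes the filesystem read-only apart from the listed paths, so a short note on why both are kept would help the next reader. `RuntimeDirectoryMode=2755` leaves `/run/redis-%i` (which holds the PID file) world-readable; if the instance socket is also placed there, the socket's own permissions rather than the directory are what bound access — worth a comment so the mode is not mistaken for hardening.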
@@ -6,6 +6,7 @@ src: server-4.4.gpg dest: /usr/share/keyrings/mongodb-server-4.4.gpg force: yes + mode: "0644" - name: enable APT sources list apt_repository: From a60189eb3eaf8b7683be4edbb860ea83a5d0751d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 00:33:46 +0200 Subject: [PATCH 022/182] better bullseye compatibility workaround --- bullseye-detect/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml index 07b898e3..6f97db0a 100644 --- a/bullseye-detect/tasks/main.yml +++ b/bullseye-detect/tasks/main.yml @@ -5,4 +5,4 @@ ansible_distribution_major_version: 11 ansible_distribution: "Debian" ansible_distribution_release: "bullseye" - when: "ansible_lsb.codename == 'bullseye'" \ No newline at end of file + when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'" \ No newline at end of file From 613a11d11986c56b4d580ed9c6ca2003a31a947f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:11:39 +0200 Subject: [PATCH 023/182] elasticsearch: 7.x by default --- elasticsearch/defaults/main.yml | 2 +- elasticsearch/files/elastic.gpg | Bin 0 -> 1220 bytes elasticsearch/tasks/packages.yml | 4 ++-- 3 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 elasticsearch/files/elastic.gpg diff --git a/elasticsearch/defaults/main.yml b/elasticsearch/defaults/main.yml index eb254807..2b891953 100644 --- a/elasticsearch/defaults/main.yml +++ b/elasticsearch/defaults/main.yml @@ -1,5 +1,5 @@ --- -elastic_stack_version: "6.x" +elastic_stack_version: "7.x" elasticsearch_cluster_name: Null elasticsearch_cluster_members: Null 
diff --git a/elasticsearch/files/elastic.gpg b/elasticsearch/files/elastic.gpg new file mode 100644 index 0000000000000000000000000000000000000000..2508ddc9bcb7cd2aa56d7aafe3de18669a0c8ba4 GIT binary patch literal 1220 zcmV;#1Uvhg0SyFFHy+9X2msd(*3Bk-TRxz5yfbYI%AtFYZxxFfH_{Gf##e%#+8#K1 z2#`Yq=EfB4GKIH$YTfyb2-X7)PTj}Yu%IRvFMzLd#|X(4-iBBB zNn%0m_TsC~ZB39y)A$x$Gg-&m{Vx<_HJ4a{ZYHBI6Vn<+ja$J$Z_bLEys?>&bcNL; z&iOETLb2qn0l~6m{w3DBcZMam&+X_d%)$f>mbr5v?^aLd4eK<%vZ3A8g1>2wYKDT% zhMz|Kd|`1VLXf(=Nh@R3mUT`0stZf0#Y{~ z$^sh$1`7!Y2Ll2I6$k1I9H1eiT7XwUM)$J*jKM;X&4Bpd635J@=#!Hzn^VO=5Quvp{Lfq6q zKg&p0;T}I;59QwR-t5EW@5CLNH;5-rRCA2IXH6P(hi}L@X)0mz2KKe4NV8?e5O%lc zG)BnX7|uU=8Bbd&MQu|Y=9z<}i))c&r_2}RnR55M?U&ta@R=cELAe191X4F1$^i%f z=^zo-#-+gyRdXc zz2n7GMpEdJar9zpjUZbc6l7{|xO!!`xo8!AoNmFz0-sj0HUw=dA#e6HD}!XnSWEL` zA8pG7!o|;p6vcp*u(ONlxL7}sQDvVE4K(#n)-y>g(5x^M1f=~y?oNzGoTWB(01*KI z0f_-01Q-DV00{*GQa2vT0vikf3JDO>eP(RfjzY9^a|i%|J%j{y(rSrVw=BfFYevql zG+kA$kbdHS`Q-&WqYyQTP)_K9ZsMpc7hQ=>tLG<^3ur{;f(6+7Fy4RLGEDX8LCa~) z#*I`to_7j0N+R^$<0x)ZuUeB4{f#5)xw|3?%vnI!4EyLjXv~*twTU;f9zz)uB?<8& ztY~<6jbCu5(xwZ*zVs{%xg-_ro>xOx{G=XH<4nM0#RsGZOZKNlp^$qBqms55p)+lM iS#cuoS7K;^5fneD@Z}j9PJvY2_Z1%;Su+QnobN%rVK31D literal 0 HcmV?d00001 diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index da154593..b1d5cb9a 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -31,7 +31,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes @@ -52,4 +52,4 @@ name: elasticsearch enabled: yes tags: - - elasticsearch + - elasticsearch From d40fad662f15b993286480feccf17c4e6a503084 Mon Sep 17 00:00:00 2001 
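Review bot: The new `[signed-by=/usr/share/keyrings/elastic.gpg]` option in `elasticsearch/tasks/packages.yml` references a keyring that nothing in this commit deploys: `elasticsearch/files/elastic.gpg` is added to the role, but the only other visible change to the tasks file is the `tags` re-indentation, so unless a copy task exists outside these hunks apt cannot verify the source and `apt_repository` with `update_cache: yes` fails. A `copy` task placed before `Elastic sources list is available` closes the gap; it should also be the only path by which the key reaches the host, so that the key is trusted for this repository alone.
```yaml
- name: Elastic GPG key is present
  copy:
    src: elastic.gpg
    dest: /usr/share/keyrings/elastic.gpg
    mode: "0644"
    owner: root
    group: root

# … unchanged: apt_repository task "Elastic sources list is available" with signed-by …
```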
From: Jeremy Lecour Date: Sun, 2 May 2021 01:12:37 +0200 Subject: [PATCH 024/182] kibana: 7.x by default --- kibana/defaults/main.yml | 2 +- kibana/files/elastic.gpg | Bin 0 -> 1220 bytes kibana/files/elasticsearch.key | 31 ------------------------------- kibana/tasks/main.yml | 2 ++ 4 files changed, 3 insertions(+), 32 deletions(-) create mode 100644 kibana/files/elastic.gpg delete mode 100644 kibana/files/elasticsearch.key diff --git a/kibana/defaults/main.yml b/kibana/defaults/main.yml index e167c21f..7107398c 100644 --- a/kibana/defaults/main.yml +++ b/kibana/defaults/main.yml @@ -1,5 +1,5 @@ --- -elastic_stack_version: "5.x" +elastic_stack_version: "7.x" kibana_server_host: "127.0.0.1" kibana_server_basepath: "" diff --git a/kibana/files/elastic.gpg b/kibana/files/elastic.gpg new file mode 100644 index 0000000000000000000000000000000000000000..2508ddc9bcb7cd2aa56d7aafe3de18669a0c8ba4 GIT binary patch literal 1220 zcmV;#1Uvhg0SyFFHy+9X2msd(*3Bk-TRxz5yfbYI%AtFYZxxFfH_{Gf##e%#+8#K1 z2#`Yq=EfB4GKIH$YTfyb2-X7)PTj}Yu%IRvFMzLd#|X(4-iBBB zNn%0m_TsC~ZB39y)A$x$Gg-&m{Vx<_HJ4a{ZYHBI6Vn<+ja$J$Z_bLEys?>&bcNL; z&iOETLb2qn0l~6m{w3DBcZMam&+X_d%)$f>mbr5v?^aLd4eK<%vZ3A8g1>2wYKDT% zhMz|Kd|`1VLXf(=Nh@R3mUT`0stZf0#Y{~ z$^sh$1`7!Y2Ll2I6$k1I9H1eiT7XwUM)$J*jKM;X&4Bpd635J@=#!Hzn^VO=5Quvp{Lfq6q zKg&p0;T}I;59QwR-t5EW@5CLNH;5-rRCA2IXH6P(hi}L@X)0mz2KKe4NV8?e5O%lc zG)BnX7|uU=8Bbd&MQu|Y=9z<}i))c&r_2}RnR55M?U&ta@R=cELAe191X4F1$^i%f z=^zo-#-+gyRdXc zz2n7GMpEdJar9zpjUZbc6l7{|xO!!`xo8!AoNmFz0-sj0HUw=dA#e6HD}!XnSWEL` zA8pG7!o|;p6vcp*u(ONlxL7}sQDvVE4K(#n)-y>g(5x^M1f=~y?oNzGoTWB(01*KI z0f_-01Q-DV00{*GQa2vT0vikf3JDO>eP(RfjzY9^a|i%|J%j{y(rSrVw=BfFYevql zG+kA$kbdHS`Q-&WqYyQTP)_K9ZsMpc7hQ=>tLG<^3ur{;f(6+7Fy4RLGEDX8LCa~) z#*I`to_7j0N+R^$<0x)ZuUeB4{f#5)xw|3?%vnI!4EyLjXv~*twTU;f9zz)uB?<8& ztY~<6jbCu5(xwZ*zVs{%xg-_ro>xOx{G=XH<4nM0#RsGZOZKNlp^$qBqms55p)+lM iS#cuoS7K;^5fneD@Z}j9PJvY2_Z1%;Su+QnobN%rVK31D literal 0 HcmV?d00001 
diff --git a/kibana/files/elasticsearch.key b/kibana/files/elasticsearch.key deleted file mode 100644 index 1b50dcca..00000000 --- a/kibana/files/elasticsearch.key +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.14 (GNU/Linux) - -mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD -A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 -CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ -j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd -1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD -2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg -KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy -Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC -F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 -nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ -7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm -TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe -8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ -eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl -zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT -RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ -1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ -Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt -KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww -EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 -c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J -TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j -6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 -vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM -cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ -qPDlGRlOgVTd9xUfHFkzB52c70E= -=92oX ------END PGP PUBLIC KEY BLOCK----- 
diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 1ed342e0..8ebbe752 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -129,3 +129,5 @@ - include: proxy_nginx.yml when: kibana_proxy_nginx | bool + tags: + - kibana From 6b87ead5b40171d2e3e2891b2ea906892ec12d26 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:13:12 +0200 Subject: [PATCH 025/182] update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b5ca4ab5..87242546 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,10 @@ The **patch** part changes incrementally at each release. ### Changed +* elasticsearch: 7.x by default +* evolinux-base: copy GPG key instead of using apt-key * evolinux-base: force Debian version to buster for Evolix repository (temporary) +* kibana: 7.x by default * listupgrade: upstream release 21.06.3 * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later From 9c8dd743c8c94e79dc6a275f4efe4ab896005f1f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:14:06 +0200 Subject: [PATCH 026/182] Use python3 packages on Debian 11 and later --- CHANGELOG.md | 1 + docker-host/tasks/main.yml | 13 ++++++++++++- lxc/tasks/main.yml | 13 ++++++++++++- mongodb/tasks/main_bullseye.yml | 2 +- postgresql/tasks/nrpe.yml | 9 ++++++++- rabbitmq/tasks/nrpe.yml | 9 ++++++++- 6 files changed, 42 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87242546..e1de215f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. ### Changed +* Use python3 modules for Debian 11 and later * elasticsearch: 7.x by default * evolinux-base: copy GPG key instead of using apt-key * evolinux-base: force Debian version to buster for Evolix repository (temporary) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index d3a41a28..796c800d 100644 
--- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -40,9 +40,20 @@ apt: name: - docker-ce - - python-docker update_cache: yes +- name: python-docker is installed + apt: + name: python-docker + state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-docker is installed + apt: + name: python3-docker + state: present + when: ansible_distribution_major_version is version('10', '>') + - name: Copy Docker daemon configuration file template: src: daemon.json.j2 diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index a3a31cf5..74ba69ae 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -5,7 +5,18 @@ - lxc - debootstrap - xz-utils - - python-lxc + +- name: python-lxc is installed + apt: + name: python-lxc + state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-lxc is installed + apt: + name: python3-lxc + state: present + when: ansible_distribution_major_version is version('10', '>') - name: Install additional packages on Buster apt: diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index a2ef6038..e8415b03 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -31,7 +31,7 @@ - name: install dependency for monitoring apt: - name: python-pymongo + name: python3-pymongo state: present - name: Custom configuration diff --git a/postgresql/tasks/nrpe.yml b/postgresql/tasks/nrpe.yml index 740c7b08..9c22e293 100644 --- a/postgresql/tasks/nrpe.yml +++ b/postgresql/tasks/nrpe.yml 
@@ -9,10 +9,17 @@ register: postgresql_nrpe_password changed_when: False -- name: Install python dependencies for postgresql_user +- name: python-psycopg2 is installed (Ansible dependency) apt: name: python-psycopg2 state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-psycopg2 is installed (Ansible dependency) + apt: + name: python3-psycopg2 + state: present + when: ansible_distribution_major_version is version('10', '>') - name: Is nrpe present ? stat: diff --git a/rabbitmq/tasks/nrpe.yml b/rabbitmq/tasks/nrpe.yml index c4c700df..75b37043 100644 --- a/rabbitmq/tasks/nrpe.yml +++ b/rabbitmq/tasks/nrpe.yml @@ -1,9 +1,16 @@ --- -- name: check_rabbitmq dependencies +- name: python-requests is installed (check_rabbitmq dependency) apt: name: python-requests state: present + when: ansible_distribution_major_version is version('10', '<=') + +- name: python3-requests is installed (check_rabbitmq dependency) + apt: + name: python3-requests + state: present + when: ansible_distribution_major_version is version('10', '>') - include_role: name: evolix/remount-usr From 8a784c39abc72230a545bd05c8516e7505f3680c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:15:38 +0200 Subject: [PATCH 027/182] mongodb: create munin plugins directory if missing --- CHANGELOG.md | 1 + mongodb/tasks/main_bullseye.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1de215f..a06493ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. * evolinux-base: add default motd template * kvm-host: add migrate-vm script * listupgrade: crontab is configurable +* mongodb: create munin plugins directory if missing * mysql: variable to disable myadd script overwrite (default: True) * redis: instance service for Debian 11 diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index e8415b03..eed10eb4 100644 
--- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -48,6 +48,12 @@ force: yes backup: no +- name: Munin plugins local directory exists + file: + dest: /usr/local/share/munin/plugins/ + state: directory + mode: "0755" + - name: Munin plugins are present copy: src: "munin/{{ item }}" From 5c1ae6ed0c2185706f7cbc4d825900b566fdfd82 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 01:22:57 +0200 Subject: [PATCH 028/182] spamassassin: change dependency on evomaintenance Fail with an error if evomaintenance config is missing instead of trying to install a package that doesn't exist anymore. --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a06493ae..c484d724 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ The **patch** part changes incrementally at each release. * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later * ntpd: Add leapfile configuration setting to ntpd on debian 10+ +* spamassassin: change dependency on evomaintenance * squid: remove obsolete variable on Squid 4 ### Fixed From a5658b7f2621e9364cb27534c468bd6e64846598 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 May 2021 12:36:00 +0200 Subject: [PATCH 029/182] packweb-apache: install phpMyAdmin from buster-backports --- CHANGELOG.md | 3 +++ packweb-apache/templates/phpmyadmin_apt_preferences.j2 | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c484d724..09213e22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -25,6 +25,8 @@ The **patch** part changes incrementally at each release. ### Changed * Use python3 modules for Debian 11 and later +* apt: store keys in /etc/apt/trusted.gpg.d in ascii format +* certbot: sync_remote.sh is configurable * elasticsearch: 7.x by default * evolinux-base: copy GPG key instead of using apt-key * evolinux-base: force Debian version to buster for Evolix repository (temporary) @@ -33,6 +35,7 @@ The **patch** part changes incrementally at each release. * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later * ntpd: Add leapfile configuration setting to ntpd on debian 10+ +* packweb-apache: install phpMyAdmin from buster-backports * spamassassin: change dependency on evomaintenance * squid: remove obsolete variable on Squid 4 diff --git a/packweb-apache/templates/phpmyadmin_apt_preferences.j2 b/packweb-apache/templates/phpmyadmin_apt_preferences.j2 index 02578c0d..3a2d2833 100644 --- a/packweb-apache/templates/phpmyadmin_apt_preferences.j2 +++ b/packweb-apache/templates/phpmyadmin_apt_preferences.j2 @@ -1,3 +1,3 @@ Package: phpmyadmin php-twig Pin: release a=buster-backports -Pin-Priority: 999 \ No newline at end of file +Pin-Priority: 999 From 58cd1fedfad116f7b5ec297cdfe03822b81e09a4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 4 May 2021 12:39:47 +0200 Subject: [PATCH 030/182] fix path for first_found lookup --- metricbeat/tasks/main.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 640a8902..17d4a7d7 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
@@ -121,13 +121,13 @@ src: "{{ item }}" dest: /etc/metricbeat/metricbeat.yml force: "{{ metricbeat_force_config }}" - loop: "{{ query('first_found', templates) }}" - vars: - templates: - - "templates/metricbeat/metricbeat.{{ inventory_hostname }}.yml.j2" - - "templates/metricbeat/metricbeat.{{ host_group | default('all') }}.yml.j2" - - "templates/metricbeat/metricbeat.default.yml.j2" - - "templates/metricbeat.default.yml.j2" - notify: restart metricbeat - when: metricbeat_update_config | bool + loop: "{{ query('first_found', templates) }}" + vars: + templates: + - "templates/metricbeat/metricbeat.{{ inventory_hostname }}.yml.j2" + - "templates/metricbeat/metricbeat.{{ host_group | default('all') }}.yml.j2" + - "templates/metricbeat/metricbeat.default.yml.j2" + - "templates/metricbeat.default.yml.j2" + notify: restart metricbeat + when: metricbeat_update_config | bool when: metricbeat_use_config_template | bool From b5bcd666c68b1b2877740d4a9884dad16092302b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Jul 2021 21:23:14 +0200 Subject: [PATCH 031/182] fix apt gpg keys after rebase from unstable --- elasticsearch/tasks/packages.yml | 2 +- mongodb/tasks/main_bullseye.yml | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index b1d5cb9a..b1291d4a 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -31,7 +31,7 @@ - name: Elastic sources list is available apt_repository: - repo: "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" + repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main" filename: elastic state: present update_cache: yes diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index eed10eb4..63b2193b 100644 --- a/mongodb/tasks/main_bullseye.yml 
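Review bot: Dropping `[signed-by=/usr/share/keyrings/elastic.gpg]` from the Elastic `repo:` line (elasticsearch/tasks/packages.yml hunk) widens the trust scope of that vendor key: a key in /etc/apt/trusted.gpg.d is accepted for every configured apt source, whereas the `signed-by` binding limited it to artifacts.elastic.co, so a compromised or misused vendor key could then validate packages served from any repository on the host. The CHANGELOG entry "store keys in /etc/apt/trusted.gpg.d in ascii format" suggests the relocation is deliberate, but relocating the key does not require dropping the binding; keep `signed-by=` pointing at the new path, e.g. `[signed-by=/etc/apt/trusted.gpg.d/<elastic-key>.asc]` (the new Elastic key path is not visible in this hunk). The mongodb/tasks/main_bullseye.yml hunk of this same commit does the same, where the new path is visible: `repo: deb [signed-by=/etc/apt/trusted.gpg.d/mongodb-server-4.4.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main`. Both hunks keep the `# https://wiki.debian.org/DebianRepository/UseThirdParty` reference, which is precisely the guidance that recommends per-repository `signed-by`.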
+++ b/mongodb/tasks/main_bullseye.yml @@ -1,16 +1,24 @@ --- # https://wiki.debian.org/DebianRepository/UseThirdParty -- name: Add MongoDB GPG key for version 4.4 +- name: MongoDB embedded GPG key is absent + apt_key: + id: "B8612B5D" + keyring: /etc/apt/trusted.gpg + state: absent + +- name: Add MongoDB GPG key copy: - src: server-4.4.gpg - dest: /usr/share/keyrings/mongodb-server-4.4.gpg + src: server-4.4.asc + dest: /etc/apt/trusted.gpg.d/mongodb-server-4.4.asc force: yes mode: "0644" + owner: root + group: root - name: enable APT sources list apt_repository: - repo: deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main + repo: deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main state: present filename: mongodb-org-4.4 update_cache: yes From 5905751a824657ac74c3932cfcba30a9c2801683 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Jul 2021 23:45:42 +0200 Subject: [PATCH 032/182] squid: must be started in foreground mode for systemd --- CHANGELOG.md | 1 + squid/files/systemd-override.conf | 4 ---- squid/tasks/systemd.yml | 4 ++-- squid/templates/systemd-override.conf.j2 | 8 ++++++++ 4 files changed, 11 insertions(+), 6 deletions(-) delete mode 100644 squid/files/systemd-override.conf create mode 100644 squid/templates/systemd-override.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 09213e22..b75809f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,7 @@ The **patch** part changes incrementally at each release. * ntpd: Add leapfile configuration setting to ntpd on debian 10+ * packweb-apache: install phpMyAdmin from buster-backports * spamassassin: change dependency on evomaintenance +* squid: must be started in foreground mode for systemd * squid: remove obsolete variable on Squid 4 ### Fixed diff --git a/squid/files/systemd-override.conf b/squid/files/systemd-override.conf deleted file mode 100644 index eab76a17..00000000 
--- a/squid/files/systemd-override.conf +++ /dev/null @@ -1,4 +0,0 @@ -# systemd override for Squid -[Service] -ExecStart= -ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml index 82b8760c..ac9eb7e9 100644 --- a/squid/tasks/systemd.yml +++ b/squid/tasks/systemd.yml @@ -16,8 +16,8 @@ mode: "0755" - name: "Squid systemd unit service is present" - copy: - src: systemd-override.conf + template: + src: systemd-override.conf.j2 dest: /etc/systemd/system/squid.service.d/override.conf force: yes register: _squid_systemd_override diff --git a/squid/templates/systemd-override.conf.j2 b/squid/templates/systemd-override.conf.j2 new file mode 100644 index 00000000..ee3ff666 --- /dev/null +++ b/squid/templates/systemd-override.conf.j2 @@ -0,0 +1,8 @@ +# systemd override for Squid +[Service] +ExecStart= +{% if ansible_distribution_major_version is version('11', '>=') %} +ExecStart=/usr/sbin/squid --foreground -sYC -f /etc/squid/evolinux-defaults.conf +{% else %} +ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf +{% endif %} From 04e41b5dc9d3a254e5a58b1178a14a25392b636a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 3 Jul 2021 08:52:50 +0200 Subject: [PATCH 033/182] squid: improve default whitelist --- CHANGELOG.md | 2 +- squid/files/evolinux-whitelist-defaults.conf | 58 ++++++++++---------- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 38d99455..a03d0c98 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,7 +18,7 @@ The **patch** part changes incrementally at each release. ### Changed * listupgrade: upstream release 21.06.3 - +* squid: improve default whitelist (more specific patterns) ### Fixed * certbot: sync_remote excludes itself diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 83b5e827..fea90344 100644 --- a/squid/files/evolinux-whitelist-defaults.conf 
+++ b/squid/files/evolinux-whitelist-defaults.conf @@ -1,20 +1,19 @@ ### Evolix & System -^.*\.evolix\.(net|org|com|fr)$ -^.*\.debian\.org$ +(\.)?evolix\.(net|org|com|fr)$ +(\.)?debian\.org$ ^www\.backports\.org$ -^backports\.debian\.org$ ^www\.kernel\.org$ ^hwraid\.le-vert\.net$ -^.*\.clamav\.net$ +.+\.clamav\.net$ ^spamassassin\.apache\.org$ -^.*sa-update.*$ +.+\.sa-update\..+ ^pear\.php\.net$ ^repo\.mysql\.com$ ^deb\.nodesource\.com$ ^dl\.yarnpkg\.com$ # Let's Encrypt -^.*\.letsencrypt.org$ +.+\.letsencrypt.org$ # Other OCSP endpoint ^ocsp\.usertrust\.com$ @@ -22,9 +21,9 @@ ### CMS / Wordpress / Drupal / ... # Wordpress -^.*\.akismet\.com$ -^.*\.wordpress\.(org|com)$ -^.*\.gravatar\.com$ +.+\.akismet\.com$ +.+\.wordpress\.(org|com)$ +.+\.gravatar\.com$ ^www\.wordpress-fr\.net$ ^pixel\.wp\.com$ ^wp-updates\.com$ @@ -63,11 +62,11 @@ ^www\.weblogalot\.com$ # Wordpress plugins -^.*\.wpml\.org$ +.+\.wpml\.org$ ^www\.wpcube\.co\.uk$ -^.*\.wp-rocket\.me$ +.+\.wp-rocket\.me$ ^www\.yithemes\.com$ -^.*\.yoast\.com$ +.+\.yoast\.com$ ^yarpp\.org$ ^repository\.kreaturamedia\.com$ ^api\.wp-events-plugin\.com$ @@ -87,7 +86,7 @@ ^amasty\.com$ # Joomla -^.*\.joomla\.org$ +.+\.joomla\.org$ ^getk2\.org$ ^miwisoft\.com$ ^mijosoft\.com$ @@ -97,13 +96,13 @@ ^download\.nonumber\.nl$ # Prestashop -^.*\.prestashop\.com$ +.+\.prestashop\.com$ ^www\.presta-module\.com$ ^www\.presteamshop\.com$ # Others -^.*.drupal\.org$ -^.*\.dotclear\.(net|org)$ +.+\.drupal\.org$ +.+\.dotclear\.(net|org)$ ^www\.phpbb\.com$ ^www\.typolight\.org$ ^www\.spip\.net$ @@ -113,8 +112,8 @@ # Google -^.*\.googleapis\.com$ -^.*\.google-analytics\.com$ +.+\.googleapis\.com$ +.+\.google-analytics\.com$ ^blogsearch\.google\.(com|fr)$ ^csi\.gstatic\.com$ ^maps\.google\..*$ @@ -123,8 +122,8 @@ ^fonts\.googleapis\.com$ # Facebook -^.*\.facebook\.com$ -^.*\.fbcdn\.net$ +.+\.facebook\.com$ +.+\.fbcdn\.net$ # Maxmind ^geolite\.maxmind\.com$ 
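Review bot: `(\.)?evolix\.(net|org|com|fr)$` and `(\.)?debian\.org$` in the first hunk have no `^` anchor, so the optional leading dot adds nothing and any host name that merely ends in `evolix.net` or `debian.org` (a constructed example: `notdebian.org`) matches, which is broader than the `^.*\.` patterns they replace despite the commit's "more specific patterns" goal. If these feed a regex-based domain ACL, as the file name suggests, the intent is presumably `^(.+\.)?evolix\.(net|org|com|fr)$` and `^(.+\.)?debian\.org$`, which admit the bare domain and its subdomains and nothing else. The `.+\.` rewrites elsewhere are sound because the escaped dot acts as a label boundary, but `.+\.letsencrypt.org$` still carries an unescaped dot before `org` and should read `.+\.letsencrypt\.org$`. The same hunks appear again verbatim in PATCH 034 below, so whichever fix lands should be applied there too.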
@@ -138,15 +137,15 @@ ^www\.liberation\.fr$ # Others -#^.*\.amazon.com$ -^.*\.twitter\.com$ -^.*\.feedburner\.com$ -^.*\.openx\.(org|com|net)$ +#.+\.amazon.com$ +.+\.twitter\.com$ +.+\.feedburner\.com$ +.+\.openx\.(org|com|net)$ ^geoip-api\.meteor\.com$ ^www\.bing\.com$ ^www\.telize\.com$ -^.*\.ident\.me$ -^.*\.icanhazip\.com$ +.+\.ident\.me$ +.+\.icanhazip\.com$ ^www\.express-mailing\.com$ ^bot\.whatismyipaddress\.com$ ^ipecho\.net$ @@ -158,12 +157,13 @@ ^ftp-.*\.osuosl\.org$ ^ftp\.icm\.edu\.pl$ ^apt\.newrelic\.com$ -^.*\.cloudfront\.net$ +.+\.cloudfront\.net$ ^api\.mailjet\.com$ ^bfmbusiness\.bfmtv\.com$ ^api\.pinterest\.com$ ^api\.openweathermap\.org$ ^www\.lefigaro\.fr$ ^www\.dailymotion\.com$ -^.*\.123rf\.com$ -^.*.gouv\.fr$ +.+\.123rf\.com$ +.+\.gouv\.fr$ +^ifconfig\.me$ \ No newline at end of file From 3721c2ab38f9e79c5efd138032802a9eaacfbac1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 3 Jul 2021 08:52:50 +0200 Subject: [PATCH 034/182] squid: improve default whitelist --- CHANGELOG.md | 2 +- squid/files/evolinux-whitelist-defaults.conf | 58 ++++++++++---------- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b75809f9..56086961 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,9 +37,9 @@ The **patch** part changes incrementally at each release. * ntpd: Add leapfile configuration setting to ntpd on debian 10+ * packweb-apache: install phpMyAdmin from buster-backports * spamassassin: change dependency on evomaintenance +* squid: improve default whitelist (more specific patterns) * squid: must be started in foreground mode for systemd * squid: remove obsolete variable on Squid 4 - ### Fixed * certbot: sync_remote excludes itself diff --git a/squid/files/evolinux-whitelist-defaults.conf b/squid/files/evolinux-whitelist-defaults.conf index 83b5e827..fea90344 100644 --- a/squid/files/evolinux-whitelist-defaults.conf +++ b/squid/files/evolinux-whitelist-defaults.conf 
@@ -1,20 +1,19 @@ ### Evolix & System -^.*\.evolix\.(net|org|com|fr)$ -^.*\.debian\.org$ +(\.)?evolix\.(net|org|com|fr)$ +(\.)?debian\.org$ ^www\.backports\.org$ -^backports\.debian\.org$ ^www\.kernel\.org$ ^hwraid\.le-vert\.net$ -^.*\.clamav\.net$ +.+\.clamav\.net$ ^spamassassin\.apache\.org$ -^.*sa-update.*$ +.+\.sa-update\..+ ^pear\.php\.net$ ^repo\.mysql\.com$ ^deb\.nodesource\.com$ ^dl\.yarnpkg\.com$ # Let's Encrypt -^.*\.letsencrypt.org$ +.+\.letsencrypt.org$ # Other OCSP endpoint ^ocsp\.usertrust\.com$ @@ -22,9 +21,9 @@ ### CMS / Wordpress / Drupal / ... # Wordpress -^.*\.akismet\.com$ -^.*\.wordpress\.(org|com)$ -^.*\.gravatar\.com$ +.+\.akismet\.com$ +.+\.wordpress\.(org|com)$ +.+\.gravatar\.com$ ^www\.wordpress-fr\.net$ ^pixel\.wp\.com$ ^wp-updates\.com$ @@ -63,11 +62,11 @@ ^www\.weblogalot\.com$ # Wordpress plugins -^.*\.wpml\.org$ +.+\.wpml\.org$ ^www\.wpcube\.co\.uk$ -^.*\.wp-rocket\.me$ +.+\.wp-rocket\.me$ ^www\.yithemes\.com$ -^.*\.yoast\.com$ +.+\.yoast\.com$ ^yarpp\.org$ ^repository\.kreaturamedia\.com$ ^api\.wp-events-plugin\.com$ @@ -87,7 +86,7 @@ ^amasty\.com$ # Joomla -^.*\.joomla\.org$ +.+\.joomla\.org$ ^getk2\.org$ ^miwisoft\.com$ ^mijosoft\.com$ @@ -97,13 +96,13 @@ ^download\.nonumber\.nl$ # Prestashop -^.*\.prestashop\.com$ +.+\.prestashop\.com$ ^www\.presta-module\.com$ ^www\.presteamshop\.com$ # Others -^.*.drupal\.org$ -^.*\.dotclear\.(net|org)$ +.+\.drupal\.org$ +.+\.dotclear\.(net|org)$ ^www\.phpbb\.com$ ^www\.typolight\.org$ ^www\.spip\.net$ @@ -113,8 +112,8 @@ # Google -^.*\.googleapis\.com$ -^.*\.google-analytics\.com$ +.+\.googleapis\.com$ +.+\.google-analytics\.com$ ^blogsearch\.google\.(com|fr)$ ^csi\.gstatic\.com$ ^maps\.google\..*$ @@ -123,8 +122,8 @@ ^fonts\.googleapis\.com$ # Facebook -^.*\.facebook\.com$ -^.*\.fbcdn\.net$ +.+\.facebook\.com$ +.+\.fbcdn\.net$ # Maxmind ^geolite\.maxmind\.com$ 
@@ -138,15 +137,15 @@ ^www\.liberation\.fr$ # Others -#^.*\.amazon.com$ -^.*\.twitter\.com$ -^.*\.feedburner\.com$ -^.*\.openx\.(org|com|net)$ +#.+\.amazon.com$ +.+\.twitter\.com$ +.+\.feedburner\.com$ +.+\.openx\.(org|com|net)$ ^geoip-api\.meteor\.com$ ^www\.bing\.com$ ^www\.telize\.com$ -^.*\.ident\.me$ -^.*\.icanhazip\.com$ +.+\.ident\.me$ +.+\.icanhazip\.com$ ^www\.express-mailing\.com$ ^bot\.whatismyipaddress\.com$ ^ipecho\.net$ @@ -158,12 +157,13 @@ ^ftp-.*\.osuosl\.org$ ^ftp\.icm\.edu\.pl$ ^apt\.newrelic\.com$ -^.*\.cloudfront\.net$ +.+\.cloudfront\.net$ ^api\.mailjet\.com$ ^bfmbusiness\.bfmtv\.com$ ^api\.pinterest\.com$ ^api\.openweathermap\.org$ ^www\.lefigaro\.fr$ ^www\.dailymotion\.com$ -^.*\.123rf\.com$ -^.*.gouv\.fr$ +.+\.123rf\.com$ +.+\.gouv\.fr$ +^ifconfig\.me$ \ No newline at end of file From 4167b6d2a905b6ae4c5f19ba0340264a9e0e4701 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 3 Jul 2021 09:10:22 +0200 Subject: [PATCH 035/182] fix CHANGELOG --- CHANGELOG.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56086961..06abf68b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,28 +15,19 @@ The **patch** part changes incrementally at each release. * Preliminary support for Debian 11 « Bullseye » * apache: new variable for mpm mode (+ updated default config accordingly) * certbot: add script for manual deploy hooks execution -* evolinux-base: add default motd template -* kvm-host: add migrate-vm script * listupgrade: crontab is configurable * mongodb: create munin plugins directory if missing -* mysql: variable to disable myadd script overwrite (default: True) * redis: instance service for Debian 11 ### Changed * Use python3 modules for Debian 11 and later -* apt: store keys in /etc/apt/trusted.gpg.d in ascii format -* certbot: sync_remote.sh is configurable * elasticsearch: 7.x by default -* evolinux-base: copy GPG key instead of using apt-key * evolinux-base: force Debian version to buster for Evolix repository (temporary) * kibana: 7.x by default * listupgrade: upstream release 21.06.3 * mysql: mariadb-client-10.5 on Debian 11 * mysql: use python3 with Debian 11 and later -* ntpd: Add leapfile configuration setting to ntpd on debian 10+ -* packweb-apache: install phpMyAdmin from buster-backports -* spamassassin: change dependency on evomaintenance * squid: improve default whitelist (more specific patterns) * squid: must be started in foreground mode for systemd * squid: remove obsolete variable on Squid 4 From d1829e700052d761bf08e78af80009ae85fd3a1a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 3 Jul 2021 09:16:12 +0200 Subject: [PATCH 036/182] metricbeat: fix indentation --- metricbeat/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 17d4a7d7..ded5d008 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml 
@@ -129,5 +129,5 @@ - "templates/metricbeat/metricbeat.default.yml.j2" - "templates/metricbeat.default.yml.j2" notify: restart metricbeat - when: metricbeat_update_config | bool + when: metricbeat_update_config | bool when: metricbeat_use_config_template | bool From ffd7d0e5048410fdbfe9b6cd80f24a5c408fda3d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 4 Jul 2021 22:07:51 +0200 Subject: [PATCH 037/182] evolinux-base: alert5 comes after the network --- CHANGELOG.md | 1 + evolinux-base/files/alert5.service | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 06abf68b..d4bd6ca5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes incrementally at each release. * Use python3 modules for Debian 11 and later * elasticsearch: 7.x by default +* evolinux-base: alert5 comes after the network * evolinux-base: force Debian version to buster for Evolix repository (temporary) * kibana: 7.x by default * listupgrade: upstream release 21.06.3 diff --git a/evolinux-base/files/alert5.service b/evolinux-base/files/alert5.service index ea560a51..eb5c72a9 100644 --- a/evolinux-base/files/alert5.service +++ b/evolinux-base/files/alert5.service @@ -7,3 +7,4 @@ ExecStart=/usr/share/scripts/alert5.sh [Install] WantedBy=multi-user.target +After=network.target \ No newline at end of file From 29ec7bdcf2bc9cf72f9be3a2170268cafee56b40 Mon Sep 17 00:00:00 2001 
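Review bot: `After=network.target` is appended under `[Install]` in the evolinux-base/files/alert5.service hunk, but `After=` is a `[Unit]` directive; systemd ignores unknown keys in `[Install]` (logging a warning), so the ordering the commit title promises does not take effect. The line belongs in the `[Unit]` section, which is outside this hunk. If the script needs a configured network rather than merely the network stack being up, the usual pairing is `Wants=network-online.target` with `After=network-online.target`. The hunk also leaves the file without a trailing newline.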
From: Jeremy Lecour Date: Sun, 4 Jul 2021 22:08:47 +0200 Subject: [PATCH 038/182] Remove embedded GPG keys only if legacy keyring is present --- CHANGELOG.md | 1 + apt/tasks/evolix_public.yml | 8 ++++++++ elasticsearch/tasks/packages.yml | 9 +++++++++ evolinux-base/tasks/hardware.yml | 10 +++++++++- filebeat/tasks/main.yml | 9 +++++++++ fluentd/tasks/main.yml | 9 +++++++++ jenkins/tasks/main.yml | 6 ++++++ kibana/tasks/main.yml | 9 +++++++++ logstash/tasks/main.yml | 9 +++++++++ metricbeat/tasks/main.yml | 9 +++++++++ mongodb/tasks/main_bullseye.yml | 7 ++++++- mongodb/tasks/main_buster.yml | 6 ++++++ newrelic/tasks/sources.yml | 6 ++++++ nodejs/tasks/main.yml | 10 ++++++++++ nodejs/tasks/yarn.yml | 11 +++++++++++ percona/tasks/main.yml | 6 ++++++ postgresql/tasks/pgdg-repo.yml | 6 ++++++ 17 files changed, 129 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4bd6ca5..d6993a0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ The **patch** part changes incrementally at each release. ### Changed * Use python3 modules for Debian 11 and later +* Remove embedded GPG keys only if legacy keyring is present * elasticsearch: 7.x by default * evolinux-base: alert5 comes after the network * evolinux-base: force Debian version to buster for Evolix repository (temporary) diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index 00067f46..8352e666 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -1,10 +1,18 @@ --- +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - apt + - name: Evolix embedded GPG key is absent apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - apt diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index b1291d4a..826fee1e 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml 
@@ -8,11 +8,20 @@ - elasticsearch - packages +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - elasticsearch + - packages + - name: Elastic embedded GPG key is absent apt_key: id: "D88E42B4" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - elasticsearch - packages diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 7f4ebf36..34ed46b3 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -35,6 +35,11 @@ changed_when: "'FAILED' in raidmodel.stdout" failed_when: "'FAILED' in raidmodel.stdout" +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + - name: HPE Smart Storage Administrator (ssacli) is present block: - name: HPE GPG embedded key is absent @@ -42,6 +47,7 @@ id: "26C2B797" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists - name: HPE GPG key is installed copy: @@ -108,7 +114,9 @@ id: "23B3D3B4" keyring: /etc/apt/trusted.gpg state: absent - when: ansible_distribution_major_version is version('9', '>=') + when: + - trusted_gpg_keyring.stat.present + - ansible_distribution_major_version is version('9', '>=') - name: HWRaid GPG key is installed copy: diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 034808d3..c84c4db8 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -8,11 +8,20 @@ - filebeat - packages +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - filebeat + - packages + - name: Elastic embedded GPG key is absent apt_key: id: "D88E42B4" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - filebeat - packages diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 159748e6..282accf2 100644 --- a/fluentd/tasks/main.yml 
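Review bot: In the evolinux-base/tasks/hardware.yml hunk `@@ -108,7 +114,9 @@`, the new condition `- trusted_gpg_keyring.stat.present` references a variable that is never registered (the stat task registers `_trusted_gpg_keyring`) and an attribute the stat module does not return (`exists`, not `present`), so the task fails on an undefined value instead of being skipped or run. The other sixteen files in this commit use `when: _trusted_gpg_keyring.stat.exists`, and that is what this task should use as well; PATCH 040 and PATCH 042 later in this series make exactly that correction in two steps. The same four-line stat task is copied into every role with the same registered name, and this typo is the kind of drift that copy produces; a shared tasks file included by each role, or a single fact set once, would keep them in step.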
+++ b/fluentd/tasks/main.yml @@ -1,10 +1,19 @@ --- +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - packages + - fluentd + - name: Fluentd embedded GPG key is absent apt_key: id: "AB97ACBE" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - packages - fluentd diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index da23e5f5..8ed3d38c 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -5,11 +5,17 @@ # http://mirrors.jenkins.io/.* # http://jenkins.mirror.isppower.de/.* +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + - name: Jenkins embedded GPG key is absent apt_key: id: "D50582E6" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists - name: Add Jenkins GPG key copy: diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 8ebbe752..d0694094 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -8,11 +8,20 @@ - kibana - packages +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - kibana + - packages + - name: Elastic embedded GPG key is absent apt_key: id: "D88E42B4" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - kibana - packages diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 4ae70623..73bdab1d 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -8,11 +8,20 @@ - logstash - packages +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - logstash + - packages + - name: Elastic embedded GPG key is absent apt_key: id: "D88E42B4" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - logstash - packages 
diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index ded5d008..8a009f7f 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -8,11 +8,20 @@ - metricbeat - packages +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - metricbeat + - packages + - name: Elastic embedded GPG key is absent apt_key: id: "D88E42B4" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - metricbeat - packages diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index 63b2193b..d9e6e0eb 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -1,11 +1,16 @@ --- -# https://wiki.debian.org/DebianRepository/UseThirdParty +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + - name: MongoDB embedded GPG key is absent apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists - name: Add MongoDB GPG key copy: diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index 2e62255a..fc7ac7ed 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -1,10 +1,16 @@ --- +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + - name: MongoDB embedded GPG key is absent apt_key: id: "B8612B5D" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists - name: Add MongoDB GPG key copy: diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index 08a3ae51..c27de24d 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml 
@@ -1,10 +1,16 @@ --- +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + - name: NewRelic embedded GPG key is absent apt_key: id: "548C16BF" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists - name: Add NewRelic GPG key copy: diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index 4f8c2849..5ab49e70 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -9,11 +9,21 @@ - packages - nodejs +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - system + - packages + - nodejs + - name: NodeJS embedded GPG key is absent apt_key: id: "68576280" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - system - packages diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index 44306d42..e3dfe1da 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml @@ -1,10 +1,21 @@ --- +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + tags: + - system + - packages + - nodejs + - yarn + - name: Yarn embedded GPG key is absent apt_key: id: "86E50310" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists tags: - system - packages diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index b14c4876..27544252 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -3,11 +3,17 @@ - set_fact: percona__apt_config_package_file: "percona-release_latest.{{ ansible_distribution_release }}_all.deb" +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + - name: Percona embedded GPG key is absent apt_key: id: "8507EFA5" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists - name: Add Percona GPG key copy: 
diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 429e33cc..a13b7469 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -13,11 +13,17 @@ repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main" update_cache: yes +- name: Look for legacy apt keyring + stat: + path: /etc/apt/trusted.gpg + register: _trusted_gpg_keyring + - name: PGDG embedded GPG key is absent apt_key: id: "ACCC4CF8" keyring: /etc/apt/trusted.gpg state: absent + when: _trusted_gpg_keyring.stat.exists - name: Add PGDG GPG key copy: From 49cb5adf921603dbf4081d221c49670bc3e1d8b4 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 6 Jul 2021 16:09:17 +0200 Subject: [PATCH 039/182] evolinux-base: Fix hw card detect Run the shell command as bash instead of sh; otherwise it will fail because of the set -o pipefail --- evolinux-base/tasks/hardware.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 34ed46b3..3f5d4232 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -29,7 +29,9 @@ # HP gen <10: Hewlett-Packard Company Smart Array # HP gen >=10: Adaptec Smart Storage PQI - name: Detect if RAID is installed - shell: "set -o pipefail && lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'" + shell: + cmd: "set -o pipefail && lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'" + executable: /bin/bash check_mode: no register: raidmodel changed_when: "'FAILED' in raidmodel.stdout" From 7a089f88af4c596c2f771a027feb138926a5978d Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 6 Jul 2021 16:09:54 +0200 Subject: [PATCH 040/182] Correct typo in var name trusted_gpg_keyring.stat.present instead of _trusted_gpg_keyring.stat.present --- evolinux-base/tasks/hardware.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 3f5d4232..49b8af8e 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -117,7 +117,7 @@ keyring: /etc/apt/trusted.gpg state: absent when: - - trusted_gpg_keyring.stat.present + - _trusted_gpg_keyring.stat.present - ansible_distribution_major_version is version('9', '>=') - name: HWRaid GPG key is installed From 8e6c08b81b0a27f0922e99895222eeb8384e550a Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 6 Jul 2021 16:12:14 +0200 Subject: [PATCH 041/182] evolinux-base: Change the pattern of MegaRAID detect Seems the card names may somethings between 'MegaRAID' and 'SAS' I'll take the short and easy path as I think MegaRAID is enough in most cases --- evolinux-base/tasks/hardware.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 49b8af8e..69f4da79 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -153,6 +153,6 @@ name: megaclisas-statusd enabled: true state: started - when: "'MegaRAID SAS' in raidmodel.stdout" + when: "'MegaRAID' in raidmodel.stdout" - meta: flush_handlers From b362fadc80a8cc5e297df1a128acd9ba71b20b1e Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 6 Jul 2021 16:22:45 +0200 Subject: [PATCH 042/182] typo (again) + not using trusted.gpg isn't restricted to debian 9+ --- evolinux-base/tasks/hardware.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 69f4da79..127988a9 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml 
@@ -116,9 +116,7 @@ id: "23B3D3B4" keyring: /etc/apt/trusted.gpg state: absent - when: - - _trusted_gpg_keyring.stat.present - - ansible_distribution_major_version is version('9', '>=') + when: _trusted_gpg_keyring.stat.exists - name: HWRaid GPG key is installed copy: From 73352f55d7189d18ca71e3e49ded1398fc23ce03 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Jul 2021 14:32:38 +0200 Subject: [PATCH 043/182] evolinux-base: add tags to hardawre tasks --- evolinux-base/tasks/hardware.yml | 45 +++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 127988a9..9f0c6da3 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -3,6 +3,8 @@ apt: name: pciutils state: present + tags: + - packages ## Broadcom NetXtreme II @@ -12,6 +14,8 @@ register: broadcom_netextreme_search failed_when: False changed_when: False + tags: + - packages # TODO: add the "non-free" part to the existing sources # instead of adding a new source @@ -22,6 +26,8 @@ tasks_from: basics.yml vars: apt_basics_components: "main contrib non-free" + tags: + - packages when: broadcom_netextreme_search.rc == 0 ## RAID @@ -36,11 +42,15 @@ register: raidmodel changed_when: "'FAILED' in raidmodel.stdout" failed_when: "'FAILED' in raidmodel.stdout" + tags: + - packages - name: Look for legacy apt keyring stat: path: /etc/apt/trusted.gpg register: _trusted_gpg_keyring + tags: + - packages - name: HPE Smart Storage Administrator (ssacli) is present block: @@ -50,6 +60,8 @@ keyring: /etc/apt/trusted.gpg state: absent when: _trusted_gpg_keyring.stat.exists + tags: + - packages - name: HPE GPG key is installed copy: 
@@ -59,14 +71,21 @@ mode: "0644" owner: root group: root + tags: + - packages - name: Add HPE repository apt_repository: repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free' state: present + tags: + - packages + - name: Install HPE Smart Storage Administrator (ssacli) apt: name: ssacli + tags: + - packages when: - "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - "'Adaptec Smart Storage PQI' in raidmodel.stdout" @@ -80,6 +99,8 @@ src: check_hpraid.cron.sh dest: /etc/cron.{{ evolinux_cron_checkhpraid_frequency | mandatory }}/check_hpraid mode: "0755" + tags: + - config when: "'Adaptec Smart Storage PQI' in raidmodel.stdout" - name: Install and configure cciss-vol-status (HP gen <10) @@ -88,12 +109,16 @@ apt: name: cciss-vol-status state: present + tags: + - packages - name: cciss-vol-statusd init script is present (HP gen <10) template: src: hardware/cciss-vol-statusd.j2 dest: /etc/init.d/cciss-vol-statusd mode: "0755" + tags: + - packages - name: Configure cciss-vol-statusd (HP gen <10) lineinfile: @@ -101,12 +126,17 @@ line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"' regexp: 'MAILTO=' create: yes + tags: + - config - name: Enable cciss-vol-status in systemd (HP gen <10) service: name: cciss-vol-statusd enabled: true state: restarted + tags: + - packages + - config when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - name: MegaRAID SAS package is present @@ -116,6 +146,8 @@ id: "23B3D3B4" keyring: /etc/apt/trusted.gpg state: absent + tags: + - packages when: _trusted_gpg_keyring.stat.exists - name: HWRaid GPG key is installed 
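Review bot: The `when:` that closes the HPE `block` (context lines at the end of the `@@ -59,14 +71,21 @@` hunk) is a two-item list, which Ansible evaluates as AND: both `'Hewlett-Packard Company Smart Array'` and `'Adaptec Smart Storage PQI'` must appear in raidmodel.stdout, while the per-task conditions later in the same file test each string on its own, so presumably OR was intended and the whole ssacli block is currently skipped on any single controller. This predates the commit, but since every task in the block is being touched here it is the natural moment to fix it: `when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout or 'Adaptec Smart Storage PQI' in raidmodel.stdout"`. The block's opening line is outside this hunk.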
@@ -126,12 +158,16 @@ mode: "0644" owner: root group: root + tags: + - packages when: ansible_distribution_major_version is version('9', '>=') - name: Add HW tool repository apt_repository: repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main' state: present + tags: + - packages - name: Install packages for DELL/LSI hardware apt: @@ -139,18 +175,25 @@ - megacli - megaclisas-status allow_unauthenticated: yes + tags: + - packages - name: Configure packages for DELL/LSI hardware template: src: hardware/megaclisas-statusd.j2 dest: /etc/default/megaclisas-statusd mode: "0755" + tags: + - config - name: Enable DELL/LSI hardware in systemd service: name: megaclisas-statusd enabled: true - state: started + state: restarted + tags: + - packages + - config when: "'MegaRAID' in raidmodel.stdout" - meta: flush_handlers From 32b5efa30e2a2e18b2f7b7a867ec9be27178faff Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Jul 2021 15:20:24 +0200 Subject: [PATCH 044/182] evocheck: upstream release 21.07 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 125 ++++++++++++++++++++++++------------- 2 files changed, 84 insertions(+), 42 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d6993a0d..a6170ca4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes incrementally at each release. * Use python3 modules for Debian 11 and later * Remove embedded GPG keys only if legacy keyring is present * elasticsearch: 7.x by default +* evocheck: upstream release 21.07 * evolinux-base: alert5 comes after the network * evolinux-base: force Debian version to buster for Evolix repository (temporary) * kibana: 7.x by default diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 7adf5757..02fa4a6b 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
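Review bot: The last hunk (`@@ -139,18 +175,25 @@`) changes the megaclisas-statusd service task from `state: started` to `state: restarted`, which is not covered by the commit title ("add tags") and makes the daemon restart and the task report changed on every play run. Prefer `state: started` here and a handler (`notify: restart megaclisas-statusd`) on the template task that writes /etc/default/megaclisas-statusd, so a restart happens only when the configuration actually changed. The cciss-vol-statusd task in hunk `@@ -101,12 +126,17 @@` already has the same always-restart pattern as pre-existing context.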
@@ -4,7 +4,8 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -readonly VERSION="20.12" +VERSION="21.07" +readonly VERSION # base functions @@ -12,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2021 Evolix , Romain Dessort , Benoit Série , Gregory Colpart , @@ -62,6 +63,8 @@ detect_os() { 8) DEBIAN_RELEASE="jessie";; 9) DEBIAN_RELEASE="stretch";; 10) DEBIAN_RELEASE="buster";; + 11) DEBIAN_RELEASE="bullseye";; + 12) DEBIAN_RELEASE="bookworm";; esac fi elif [ "$(uname -s)" = "OpenBSD" ]; then @@ -91,6 +94,12 @@ is_debian_stretch() { is_debian_buster() { test "${DEBIAN_RELEASE}" = "buster" } +is_debian_bullseye() { + test "${DEBIAN_RELEASE}" = "bullseye" +} +is_debian_bookworm() { + test "${DEBIAN_RELEASE}" = "bookworm" +} debian_release() { printf "%s" "${DEBIAN_RELEASE}" } @@ -109,7 +118,7 @@ is_pack_samba(){ } is_installed(){ for pkg in "$@"; do - dpkg -l "$pkg" 2>/dev/null | grep -q -E '^(i|h)i' || return 1 + dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 done } minifirewall_file() { @@ -147,7 +156,7 @@ check_lsbrelease(){ ## only the major version matters lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) rhs=$(cut -d "." -f 1 < /etc/debian_version) - test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})" else failed "IS_LSBRELEASE" "lsb_release is missing or not executable" fi @@ -165,7 +174,7 @@ check_dpkgwarning() { test -e /etc/apt/apt.conf \ && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" fi - elif is_debian_stretch || is_debian_buster; then + elif is_debian_stretch || is_debian_buster || is_debian_bullseye; then test -e /etc/apt/apt.conf.d/z-evolinux.conf \ || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" fi 
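Review bot: The release chain `is_debian_stretch || is_debian_buster || is_debian_bullseye` in check_dpkgwarning (last hunk on this line) is the same edit repeated in roughly thirty functions across this patch, while the new `is_debian_bookworm` helper from hunk `@@ -91,6 +94,12 @@` is never used, so the next release will need the same sweep again. A single predicate on the numeric major version that detect_os already switches on — e.g. `is_debian_ge() { test "${DEBIAN_MAJOR_PLACEHOLDER:-0}" -ge "$1"; }`, with the placeholder replaced by whatever variable detect_os reads — would turn each chain into `is_debian_ge 9`. detect_os's header and the variable it cases on are outside this hunk, so the exact name is not visible here.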
@@ -234,13 +243,13 @@ check_aptitudeonly() { fi } check_aptitude() { - if is_debian_jessie || is_debian_stretch || is_debian_buster; then + if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" fi } check_aptgetbak() { - if is_debian_jessie || is_debian_stretch || is_debian_buster; then - test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "missing dpkg-divert apt-get.bak" + if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then + test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)" fi } check_apticron() { @@ -276,7 +285,7 @@ check_mountfstab() { fi } check_listchangesconf() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_installed apt-listchanges; then failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9" fi @@ -307,7 +316,7 @@ check_tmoutprofile() { grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" } check_alert5boot() { - if is_debian_buster; then + if is_debian_buster || is_debian_bullseye; then grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing" systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" @@ -320,7 +329,7 @@ check_alert5boot() { fi } check_alert5minifw() { - if is_debian_buster; then + if is_debian_buster || is_debian_bullseye; then grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \ || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing" else 
@@ -357,7 +366,11 @@ check_nrpedisks() { test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" } check_nrpepid() { - if ! is_debian_squeeze; then + if is_debian_bullseye; then + { test -e /etc/nagios/nrpe.cfg \ + && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" + elif ! is_debian_squeeze; then { test -e /etc/nagios/nrpe.cfg \ && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" @@ -372,7 +385,7 @@ check_grsecprocs() { } check_apachemunin() { if test -e /etc/apache2/apache2.conf; then - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then { test -h /etc/apache2/mods-enabled/status.load \ && test -h /etc/munin/plugins/apache_accesses \ && test -h /etc/munin/plugins/apache_processes \ @@ -431,7 +444,7 @@ check_muninlogrotate() { } # Verification de l'activation de Squid dans le cas d'un pack mail check_squid() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then squidconffile="/etc/squid/evolinux-custom.conf" else squidconffile="/etc/squid*/squid.conf" @@ -473,7 +486,7 @@ check_log2mailrunning() { fi } check_log2mailapache() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then conf=/etc/log2mail/config/apache else conf=/etc/log2mail/config/default 
@@ -532,10 +545,10 @@ check_network_interfaces() { } # Verify if all if are in auto check_autoif() { - if is_debian_stretch || is_debian_buster; then - interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") else - interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ") + interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") fi for interface in $interfaces; do if ! grep -q "^auto $interface" /etc/network/interfaces; then @@ -681,6 +694,7 @@ check_backupuptodate() { backup_dir="/home/backup" if [ -d "${backup_dir}" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then + # shellcheck disable=SC2231 for file in ${backup_dir}/*; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" "$file") @@ -771,7 +785,7 @@ check_tune2fs_m5() { done } check_evolinuxsudogroup() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if grep -q "^evolinux-sudo:" /etc/group; then grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \ || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file" @@ -779,7 +793,7 @@ check_evolinuxsudogroup() { fi } check_userinadmgroup() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') for user in $users; do if ! groups "$user" | grep -q adm; then 
@@ -790,7 +804,7 @@ check_userinadmgroup() { fi } check_apache2evolinuxconf() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if test -d /etc/apache2; then { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ @@ -800,7 +814,7 @@ check_apache2evolinuxconf() { fi } check_backportsconf() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then grep -qsE "^[^#].*backports" /etc/apt/sources.list \ && failed "IS_BACKPORTSCONF" "backports can't be in main sources list" if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then @@ -810,7 +824,7 @@ check_backportsconf() { fi } check_bind9munin() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_installed bind9; then { test -L /etc/munin/plugins/bind9 \ && test -e /etc/munin/plugin-conf.d/bind9; @@ -819,7 +833,7 @@ check_bind9munin() { fi } check_bind9logrotate() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_installed bind9; then test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file" fi @@ -840,7 +854,7 @@ check_broadcomfirmware() { check_hardwareraidtool() { LSPCI_BIN=$(command -v lspci) if [ -x "${LSPCI_BIN}" ]; then - if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then + if ${LSPCI_BIN} | grep -q 'MegaRAID'; then # shellcheck disable=SC2015 is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" 
@@ -853,7 +867,7 @@ check_hardwareraidtool() { fi } check_log2mailsystemdunit() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then systemctl -q is-active log2mail.service \ || failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running" test -f /etc/systemd/system/log2mail.service \ @@ -869,7 +883,7 @@ check_listupgrade() { || failed "IS_LISTUPGRADE" "missing listupgrade script or not executable" } check_mariadbevolinuxconf() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_installed mariadb-server; then { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; @@ -945,6 +959,7 @@ check_elastic_backup() { fi } check_mariadbsystemdunit() { + # TODO: check if it is still needed for bullseye if is_debian_stretch || is_debian_buster; then if is_installed mariadb-server; then if systemctl -q is-active mariadb.service; then @@ -955,7 +970,7 @@ check_mariadbsystemdunit() { fi } check_mysqlmunin() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_installed mariadb-server; then for file in mysql_bytes mysql_queries mysql_slowqueries \ mysql_threads mysql_connections mysql_files_tables \ @@ -973,7 +988,7 @@ check_mysqlmunin() { fi } check_mysqlnrpe() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_installed mariadb-server; then nagios_file=~nagios/.my.cnf if ! test -f ${nagios_file}; then 
@@ -989,9 +1004,10 @@ check_mysqlnrpe() { fi } check_phpevolinuxconf() { - if is_debian_stretch || is_debian_buster; then - is_debian_stretch && phpVersion="7.0" - is_debian_buster && phpVersion="7.3" + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then + is_debian_stretch && phpVersion="7.0" + is_debian_buster && phpVersion="7.3" + is_debian_bullseye && phpVersion="7.4" if is_installed php; then { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \ && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini @@ -1000,7 +1016,7 @@ check_phpevolinuxconf() { fi } check_squidlogrotate() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_installed squid; then grep -q monthly /etc/logrotate.d/squid \ || failed "IS_SQUIDLOGROTATE" "missing squid logrotate file" @@ -1008,7 +1024,7 @@ check_squidlogrotate() { fi } check_squidevolinuxconf() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_installed squid; then { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ && test -f /etc/squid/evolinux-defaults.conf \ @@ -1044,7 +1060,7 @@ check_duplicate_fs_label() { fi } check_evolix_user() { - grep -q "evolix:" /etc/passwd \ + grep -q -E "^evolix:" /etc/passwd \ && failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install" } check_evoacme_cron() { @@ -1083,7 +1099,7 @@ check_apache_confenabled() { # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ # must be replaced by conf-available/ and config files symlinked # to conf-enabled/ - if is_debian_jessie || is_debian_stretch || is_debian_buster; then + if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then if [ -f /etc/apache2/apache2.conf ]; then test -d /etc/apache2/conf.d/ \ && failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" 
@@ -1095,7 +1111,7 @@ check_apache_confenabled() { check_meltdown_spectre() { # For Stretch, detection is easy as the kernel use # /sys/devices/system/cpu/vulnerabilities/ - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then for vuln in meltdown spectre_v1 spectre_v2; do test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ || failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln" @@ -1148,7 +1164,7 @@ check_usrsharescripts() { test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" } check_sshpermitrootno() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if grep -q "^PermitRoot" /etc/ssh/sshd_config; then grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no" @@ -1159,7 +1175,7 @@ check_sshpermitrootno() { fi } check_evomaintenanceusers() { - if is_debian_stretch || is_debian_buster; then + if is_debian_stretch || is_debian_buster || is_debian_bullseye; then users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') else if [ -f /etc/sudoers.d/evolinux ]; then 
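Review bot: In check_sshpermitrootno (hunk `@@ -1148,7 +1164,7 @@`) the second test, `grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config`, is unanchored and case-insensitive, so a commented `#PermitRootLogin no` line satisfies it while the effective directive is `PermitRootLogin yes`, and it never looks at drop-ins if the config uses `Include /etc/ssh/sshd_config.d/*.conf`. Anchor it, `grep -Eqi '^[[:space:]]*PermitRootLogin[[:space:]]+no' /etc/ssh/sshd_config`, or, when running as root, ask the daemon for its effective value with `sshd -T 2> /dev/null | grep -qi '^permitrootlogin no'`, which also resolves Include and Match blocks. The weakness is pre-existing; this hunk only extends the release condition to bullseye.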
@@ -1295,6 +1311,27 @@ check_nginx_letsencrypt_uptodate() { fi } +check_lxc_container_resolv_conf() { + if is_installed lxc; then + container_list=$(lxc-ls) + current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' ) + + for container in $container_list; do + if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then + + while read -r resolver; do + if ! grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf" + fi + done <<< "${current_resolvers}" + + else + failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}" + fi + done + fi +} + main() { # Default return code : 0 = no error RC=0 @@ -1421,6 +1458,7 @@ main() { test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate + test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf fi #----------------------------------------------------------- @@ -1528,10 +1566,13 @@ main() { exit ${RC} } +PROGNAME=$(basename "$0") # shellcheck disable=SC2034 -readonly PROGNAME=$(basename "$0") -# shellcheck disable=2124 -readonly ARGS=$@ +readonly PROGNAME + +# shellcheck disable=SC2124 +ARGS=$@ +readonly ARGS # Disable LANG* export LANG=C From bf49ec8df5d3bd9e15298fb9c6954d8c93bc5663 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 8 Jul 2021 15:10:35 +0200 Subject: [PATCH 045/182] mysql: script "mysql_connections" to display a compact list of connections --- CHANGELOG.md | 1 + mysql/files/mysql_connections.sh | 37 ++++++++++++++++++++++++++++++++ mysql/tasks/utils.yml | 9 ++++++++ 3 files changed, 47 insertions(+) create mode 100644 mysql/files/mysql_connections.sh 
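Review bot: In check_lxc_container_resolv_conf, `current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g')` also picks up commented lines and keeps the leading whitespace, and each value is then interpolated into a regex (`^nameserver\s+${resolver}`) where the dots of an IP match any character and `\s` is a GNU extension. Extract the field instead, `current_resolvers=$(awk '/^nameserver/ {print $2}' /etc/resolv.conf)`, and compare literally, `if ! awk '/^nameserver/ {print $2}' "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" | grep -Fxq -- "${resolver}"; then`. The `done <<< "${current_resolvers}"` here-string is a bashism; fine if the script's shebang is bash (not visible in this chunk), otherwise feed the loop with `printf '%s\n'` through a pipe or a temp file. The failure message also reads "miss-match beween" — "mismatch between".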
diff --git a/CHANGELOG.md b/CHANGELOG.md index a6170ca4..429879ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The **patch** part changes incrementally at each release. * certbot: add script for manual deploy hooks execution * listupgrade: crontab is configurable * mongodb: create munin plugins directory if missing +* mysql: script "mysql_connections" to display a compact list of connections * redis: instance service for Debian 11 ### Changed diff --git a/mysql/files/mysql_connections.sh b/mysql/files/mysql_connections.sh new file mode 100644 index 00000000..589a8c40 --- /dev/null +++ b/mysql/files/mysql_connections.sh @@ -0,0 +1,37 @@ +#!/bin/sh + +# Example: +# # mysql_compact_processes +# *************************** 1. row *************************** +# host_short: +# users: system user +# processes: 1 +# *************************** 2. row *************************** +# host_short: 31.170.X.Z +# users: repl +# processes: 1 +# *************************** 3. row *************************** +# host_short: sql00.evolix.net +# users: repl +# processes: 1 +# *************************** 4. row *************************** +# host_short: sql02.evolix.net +# users: repl +# processes: 1 +# *************************** 5. row *************************** +# host_short: localhost +# users: mysqladmin,percona +# processes: 2 +# *************************** 6. row *************************** +# host_short: prod10.evolix.net +# users: user1,user2 +# processes: 11 +# *************************** 7. row *************************** +# host_short: prod11.evolix.net +# users: user3,user4,user5 +# processes: 312 + + +set -e + +mysql -e "SELECT SUBSTRING_INDEX(host, ':', 1) AS host_short, GROUP_CONCAT(DISTINCT USER) AS users, COUNT(*) AS processes FROM information_schema.processlist GROUP BY host_short ORDER BY processes, host_short\G" diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index f1a9cb24..4ad22aa1 100644 --- a/mysql/tasks/utils.yml 
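Review bot: The usage example in the header of mysql/files/mysql_connections.sh names the command `mysql_compact_processes`, but utils.yml installs the file as `{{ _mysql_scripts_dir }}/mysql_connections`; change the example line to `# # mysql_connections`. `set -e` has no effect on a script whose only command is the final `mysql` call, so either drop it or add a one-line comment stating that the query is static and that credentials come from the invoking user's MySQL client configuration (presumably ~/.my.cnf — not visible here).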
+++ b/mysql/tasks/utils.yml @@ -199,3 +199,12 @@ force: no tags: - mysql + +- name: "Install mysql_connections" + copy: + src: mysql_connections.sh + dest: "{{ _mysql_scripts_dir }}/mysql_connections" + mode: "0755" + force: no + tags: + - mysql From 491407953c80f30379f5fbfc589ee8eb45845a10 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 8 Jul 2021 19:22:00 +0200 Subject: [PATCH 046/182] We want LDAP listen on ldapi:/// by default --- ldap/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ldap/defaults/main.yml b/ldap/defaults/main.yml index 29c51244..83760815 100644 --- a/ldap/defaults/main.yml +++ b/ldap/defaults/main.yml @@ -1,10 +1,10 @@ --- -ldap_listen: "ldap://127.0.0.1:389/" +ldap_listen: "ldap://127.0.0.1:389/ ldapi:///" ldap_hostname: "{{ ansible_hostname }}" ldap_domain: "{{ ansible_domain }}" ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}" ldap_admin_password: "" -ldap_nagios_password: "" \ No newline at end of file +ldap_nagios_password: "" From 139b342fbdc036c21f3a3dd43182bd0cc20c4c27 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 20 Jul 2021 17:19:57 +0200 Subject: [PATCH 047/182] certbot: silence letsencrypt deprecation warnings --- CHANGELOG.md | 2 + certbot/files/letsencrypt-auto | 80 ++++++++++++++------------------ certbot/tasks/install-legacy.yml | 1 + 3 files changed, 39 insertions(+), 44 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 429879ea..9150721c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes incrementally at each release. * Use python3 modules for Debian 11 and later * Remove embedded GPG keys only if legacy keyring is present +* certbot: silence letsencrypt deprecation warnings * elasticsearch: 7.x by default * evocheck: upstream release 21.07 * evolinux-base: alert5 comes after the network 
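Review bot: The new `ldap_listen` default adds `ldapi:///`, a unix-domain socket that every local account can connect to; whether an unprivileged local user can then bind or read depends on the slapd ACLs and on who may authenticate with SASL EXTERNAL, none of which is visible in this defaults change. A short comment above the variable, e.g. `# ldapi:/// is reachable by any local user; access is governed by the olcAccess rules and SASL EXTERNAL peer credentials`, would record that assumption for whoever copies this default into an inventory.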
@@ -35,6 +36,7 @@ The **patch** part changes incrementally at each release. * squid: improve default whitelist (more specific patterns) * squid: must be started in foreground mode for systemd * squid: remove obsolete variable on Squid 4 + ### Fixed * certbot: sync_remote excludes itself diff --git a/certbot/files/letsencrypt-auto b/certbot/files/letsencrypt-auto index 0e26e29a..5f6ace3d 100644 --- a/certbot/files/letsencrypt-auto +++ b/certbot/files/letsencrypt-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="1.9.0" +LE_AUTO_VERSION="1.14.0" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates @@ -497,7 +497,7 @@ Python36SclIsAvailable() { # Try to enable rh-python36 from SCL if it is necessary and possible. EnablePython36SCL() { - if "$EXISTS" python3.6 > /dev/null 2>/dev/null; then + if "$EXISTS" python3.6 > /dev/null 2> /dev/null; then return 0 fi if [ ! -f /opt/rh/rh-python36/enable ]; then @@ -799,15 +799,15 @@ BootstrapMageiaCommon() { # that function. If Bootstrap is set to a function that doesn't install any # packages BOOTSTRAP_VERSION is not set. if [ -f /etc/debian_version ]; then - Bootstrap() { - BootstrapMessage "Debian-based OSes" - BootstrapDebCommon - } - BOOTSTRAP_VERSION="BootstrapDebCommon $BOOTSTRAP_DEB_COMMON_VERSION" + DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif [ -f /etc/mageia-release ]; then # Mageia has both /etc/mageia-release and /etc/redhat-release DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif [ -f /etc/redhat-release ]; then + DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 # Run DeterminePythonVersion to decide on the basis of available Python versions # whether to use 2.x or 3.x on RedHat-like systems. # Then, revert LE_PYTHON to its previous state. 
@@ -815,7 +815,7 @@ elif [ -f /etc/redhat-release ]; then unset LE_PYTHON DeterminePythonVersion "NOCRASH" - RPM_DIST_NAME=`(. /etc/os-release 2>/dev/null && echo $ID) || echo "unknown"` + RPM_DIST_NAME=`(. /etc/os-release 2> /dev/null && echo $ID) || echo "unknown"` if [ "$PYVER" -eq 26 -a $(uname -m) != 'x86_64' ]; then # 32 bits CentOS 6 and affiliates are not supported anymore by certbot-auto. @@ -825,7 +825,7 @@ elif [ -f /etc/redhat-release ]; then # Set RPM_DIST_VERSION to VERSION_ID from /etc/os-release after splitting on # '.' characters (e.g. "8.0" becomes "8"). If the command exits with an # error, RPM_DIST_VERSION is set to "unknown". - RPM_DIST_VERSION=$( (. /etc/os-release 2>/dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown") + RPM_DIST_VERSION=$( (. /etc/os-release 2> /dev/null && echo "$VERSION_ID") | cut -d '.' -f1 || echo "unknown") # If RPM_DIST_VERSION is an empty string or it contains any nonnumeric # characters, the value is unexpected so we set RPM_DIST_VERSION to 0. @@ -840,12 +840,7 @@ elif [ -f /etc/redhat-release ]; then INTERACTIVE_BOOTSTRAP=1 fi - Bootstrap() { - BootstrapMessage "Legacy RedHat-based OSes that will use Python3" - BootstrapRpmPython3Legacy - } USE_PYTHON_3=1 - BOOTSTRAP_VERSION="BootstrapRpmPython3Legacy $BOOTSTRAP_RPM_PYTHON3_LEGACY_VERSION" # Try now to enable SCL rh-python36 for systems already bootstrapped # NB: EnablePython36SCL has been defined along with BootstrapRpmPython3Legacy in certbot-auto 
@@ -864,43 +859,38 @@ elif [ -f /etc/redhat-release ]; then fi if [ "$RPM_USE_PYTHON_3" = 1 ]; then - Bootstrap() { - BootstrapMessage "RedHat-based OSes that will use Python3" - BootstrapRpmPython3 - } USE_PYTHON_3=1 - BOOTSTRAP_VERSION="BootstrapRpmPython3 $BOOTSTRAP_RPM_PYTHON3_VERSION" - else - Bootstrap() { - BootstrapMessage "RedHat-based OSes" - BootstrapRpmCommon - } - BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION" fi fi LE_PYTHON="$prev_le_python" elif [ -f /etc/os-release ] && `grep -q openSUSE /etc/os-release` ; then DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif [ -f /etc/arch-release ]; then DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif [ -f /etc/manjaro-release ]; then DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif [ -f /etc/gentoo-release ]; then DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif uname | grep -iq FreeBSD ; then DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif uname | grep -iq Darwin ; then DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then - Bootstrap() { - ExperimentalBootstrap "Amazon Linux" BootstrapRpmCommon - } - BOOTSTRAP_VERSION="BootstrapRpmCommon $BOOTSTRAP_RPM_COMMON_VERSION" + DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 elif [ -f /etc/product ] && grep -q "Joyent Instance" /etc/product ; then DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 else DEPRECATED_OS=1 + NO_SELF_UPGRADE=1 fi # We handle this case after determining the normal bootstrap version to allow 
@@ -1122,15 +1112,17 @@ if [ "$1" = "--le-auto-phase2" ]; then if [ "$DEPRECATED_OS" = 1 ]; then # Phase 2 damage control mode for deprecated OSes. # In this situation, we bypass any bootstrap or certbot venv setup. - error "Your system is not supported by certbot-auto anymore." + # error "Your system is not supported by certbot-auto anymore." if [ ! -d "$VENV_PATH" ] && OldVenvExists; then VENV_BIN="$OLD_VENV_PATH/bin" fi if [ -f "$VENV_BIN/letsencrypt" -a "$INSTALL_ONLY" != 1 ]; then - error "Certbot will no longer receive updates." - error "Please visit https://certbot.eff.org/ to check for other alternatives." + # error "certbot-auto and its Certbot installation will no longer receive updates." + # error "You will not receive any bug fixes including those fixing server compatibility" + # error "or security problems." + # error "Please visit https://certbot.eff.org/ to check for other alternatives." "$VENV_BIN/letsencrypt" "$@" exit 0 else 
@@ -1497,18 +1489,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==1.9.0 \ - --hash=sha256:d5a804d32e471050921f7b39ed9859e2e9de02824176ed78f57266222036b53a \ - --hash=sha256:2ff9bf7d9af381c7efee22dec2dd6938d9d8fddcc9e11682b86e734164a30b57 -acme==1.9.0 \ - --hash=sha256:d8061b396a22b21782c9b23ff9a945b23e50fca2573909a42f845e11d5658ac5 \ - --hash=sha256:38a1630c98e144136c62eec4d2c545a1bdb1a3cd4eca82214be6b83a1f5a161f -certbot-apache==1.9.0 \ - --hash=sha256:09528a820d57e54984d490100644cd8a6603db97bf5776f86e95795ecfacf23d \ - --hash=sha256:f47fb3f4a9bd927f4812121a0beefe56b163475a28f4db34c64dc838688d9e9e -certbot-nginx==1.9.0 \ - --hash=sha256:bb2e3f7fe17f071f350a3efa48571b8ef40a8e4b6db9c6da72539206a20b70be \ - --hash=sha256:ab26a4f49d53b0e8bf0f903e58e2a840cda233fe1cbbc54c36ff17f973e57d65 +certbot==1.14.0 \ + --hash=sha256:67b4d26ceaea6c7f8325d0d45169e7a165a2cabc7122c84bc971ba068ca19cca \ + --hash=sha256:959ea90c6bb8dca38eab9772722cb940972ef6afcd5f15deef08b3c3636841eb +acme==1.14.0 \ + --hash=sha256:4f48c41261202f1a389ec2986b2580b58f53e0d5a1ae2463b34318d78b87fc66 \ + --hash=sha256:61daccfb0343628cbbca551a7fc4c82482113952c21db3fe0c585b7c98fa1c35 +certbot-apache==1.14.0 \ + --hash=sha256:b757038db23db707c44630fecb46e99172bd791f0db5a8e623c0842613c4d3d9 \ + --hash=sha256:887fe4a21af2de1e5c2c9428bacba6eb7c1219257bc70f1a1d8447c8a321adb0 +certbot-nginx==1.14.0 \ + --hash=sha256:8916a815437988d6c192df9f035bb7a176eab20eee0956677b335d0698d243fb \ + --hash=sha256:cc2a8a0de56d9bb6b2efbda6c80c647dad8db2bb90675cac03ade94bd5fc8597 UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/certbot/tasks/install-legacy.yml b/certbot/tasks/install-legacy.yml index e186c80d..d9dfb382 100644 --- a/certbot/tasks/install-legacy.yml +++ b/certbot/tasks/install-legacy.yml 
@@ -8,6 +8,7 @@ - include_role: name: evolix/remount-usr +# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto - name: Let's Encrypt script is present copy: src: letsencrypt-auto From c9f25f4638e85d021efcd9eb89ee1622dbfb8637 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 16 Aug 2021 13:47:33 +0200 Subject: [PATCH 048/182] bullseye-detect: this role is obsolete, Debian 11 has been fully released --- CHANGELOG.md | 1 + bullseye-detect/tasks/main.yml | 8 -------- 2 files changed, 1 insertion(+), 8 deletions(-) delete mode 100644 bullseye-detect/tasks/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 9150721c..dfe2a9f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -43,6 +43,7 @@ The **patch** part changes incrementally at each release. ### Removed +* bullseye-detect: this role is obsolete, Debian 11 has been fully released * php: remove php-gettext for 7.4 ### Security diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml deleted file mode 100644 index 6f97db0a..00000000 --- a/bullseye-detect/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -# Force facts until Debian 11 is released because Ansible is dumb -- set_fact: - ansible_distribution_major_version: 11 - ansible_distribution: "Debian" - ansible_distribution_release: "bullseye" - when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'" \ No newline at end of file From d186e21239bf87fbcb56399c4cd699349bfb9dd7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 16 Aug 2021 13:49:13 +0200 Subject: [PATCH 049/182] evoadmin-web: simpler PHP packages lists --- CHANGELOG.md | 1 + webapps/evoadmin-web/tasks/packages.yml | 13 +++---------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dfe2a9f4..8e07c764 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
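Review bot: The added comment records where letsencrypt-auto was copied from but not what was customized; since the other hunks of this commit comment out the upstream errors saying the installation "will no longer receive updates … including … security problems", a reader of this task gets no hint that the pinned 1.14.0 is frozen. Extend it to something like `# copied and customized from https://raw.githubusercontent.com/certbot/certbot/v1.14.0/letsencrypt-auto (deprecation errors silenced; the pinned certbot 1.14.0 receives no further updates)`.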
@@ -26,6 +26,7 @@ The **patch** part changes incrementally at each release. * Remove embedded GPG keys only if legacy keyring is present * certbot: silence letsencrypt deprecation warnings * elasticsearch: 7.x by default +* evoadmin-web: simpler PHP packages lists * evocheck: upstream release 21.07 * evolinux-base: alert5 comes after the network * evolinux-base: force Debian version to buster for Evolix repository (temporary) diff --git a/webapps/evoadmin-web/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml index 7044bd43..e78f6c7b 100644 --- a/webapps/evoadmin-web/tasks/packages.yml +++ b/webapps/evoadmin-web/tasks/packages.yml @@ -4,32 +4,25 @@ name: evolix/apt tasks_from: evolix_public.yml -- name: Install PHP packages (Debian 10 and later) - apt: - name: php-pear - state: present - when: ansible_distribution_major_version is version('10', '>=') - # /!\ Warning, this is a temporary hack - include_role: name: evolix/remount-usr # /!\ Warning, this is a temporary hack -- name: Install PHP packages from sid (Debian 10 and later) +- name: Install PHP packages from sid (Debian 10) apt: deb: '{{ item }}' state: present loop: - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb' - when: ansible_distribution_major_version is version('10', '>=') + when: ansible_distribution_major_version is version('10', '=') -- name: Install PHP packages (stretch) +- name: Install PHP packages apt: name: - php-pear - php-log state: present - when: ansible_distribution_release == "stretch" - name: Install PHP5 packages (jessie) apt: From 969a5bce7d34624dd529bbe526d02d12e38e6ff9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 16 Aug 2021 13:50:53 +0200 Subject: [PATCH 050/182] apt: remove workaround for Evolix public repositories with Debian 11 --- CHANGELOG.md | 1 + apt/templates/evolix_public.list.j2 | 5 ----- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e07c764..6ec39284 100644 
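Review bot: The Debian 10 branch still installs `php-log_1.12.9-2_all.deb` straight from `http://mirror.evolix.org/...` through `apt: deb:`, which fetches over plain HTTP and installs the package without any repository signature or checksum check, so a network-position attacker can substitute the archive. Narrowing the `when:` to `version('10', '=')` is fine, but since the task is kept, fetch the file with `get_url` and a pinned `checksum: sha256:...` (or serve it from the signed Evolix repository) before handing it to `apt: deb:`. The newly unconditional `Install PHP packages` task is correct for Debian 11 where `php-log` comes from the regular repository; a comment such as `# php-log is available in Debian's own repository from Debian 11 on` would make the split with the sid hack above it explicit.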
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes incrementally at each release. * Use python3 modules for Debian 11 and later * Remove embedded GPG keys only if legacy keyring is present +* apt: remove workaround for Evolix public repositories with Debian 11 * certbot: silence letsencrypt deprecation warnings * elasticsearch: 7.x by default * evoadmin-web: simpler PHP packages lists diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 25156cd0..06de99c0 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,8 +1,3 @@ # {{ ansible_managed }} -{% if ansible_distribution_release == 'bullseye' %} -# Force previous Debian version (temporary) -deb http://pub.evolix.net/ buster/ -{% else %} deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ -{% endif %} From ad457dd7ba315d8b47c6563ef9647307ee5594c4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 16 Aug 2021 14:12:31 +0200 Subject: [PATCH 051/182] apt: use the new security repository for Bullseye --- CHANGELOG.md | 1 + apt/templates/bullseye_basics.list.j2 | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ec39284..9ed5b8e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes incrementally at each release. * Use python3 modules for Debian 11 and later * Remove embedded GPG keys only if legacy keyring is present * apt: remove workaround for Evolix public repositories with Debian 11 +* apt: use the new security repository for Bullseye * certbot: silence letsencrypt deprecation warnings * elasticsearch: 7.x by default * evoadmin-web: simpler PHP packages lists diff --git a/apt/templates/bullseye_basics.list.j2 b/apt/templates/bullseye_basics.list.j2 index 5e0a0a53..94b0995d 100644 --- a/apt/templates/bullseye_basics.list.j2 +++ b/apt/templates/bullseye_basics.list.j2 
@@ -1,5 +1,5 @@ # {{ ansible_managed }} deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }} -deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} -deb http://security.debian.org/ bullseye-security {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} +deb https://deb.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }} \ No newline at end of file From ca7d8e973919283fc9bc4da6cf3a430b9f58ed92 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 17 Aug 2021 15:11:10 +0200 Subject: [PATCH 052/182] Add variable mysql_performance_schema and configuration in evolinux_custom template --- mysql/defaults/main.yml | 2 ++ mysql/templates/evolinux-custom.cnf.j2 | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 2986a869..80f526c6 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -48,6 +48,8 @@ mysql_evolinux_custom_file: zzz-evolinux-custom.cnf mysql_restart_if_needed: True +mysql_performance_schema: True + # replication variables: mysql_replication: false mysql_log_bin: null diff --git a/mysql/templates/evolinux-custom.cnf.j2 b/mysql/templates/evolinux-custom.cnf.j2 index 63d7ea2d..119943a1 100644 --- a/mysql/templates/evolinux-custom.cnf.j2 +++ b/mysql/templates/evolinux-custom.cnf.j2 @@ -39,3 +39,9 @@ lower_case_table_names = {{ mysql_lower_case_table_names }} innodb_log_file_size = {{ mysql_innodb_log_file_size }} {% endif %} read_only = {{ mysql_read_only }} +{% if mysql_performance_schema %} +performance_schema = ON +performance-schema-instrument='stage/%=ON' +performance-schema-consumer-events-stages-current=ON +performance-schema-consumer-events-stages-history=ON +{% endif %} From 066baf35384d18b1390f1b05a263b88dc59b4532 Mon Sep 17 00:00:00 2001 
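Review bot: `{% if mysql_performance_schema %}` tests Jinja truthiness, so an inventory value such as the string `"false"` or `"no"` still enables the whole block; the rest of this repository casts such flags with `| bool` (e.g. `when: evolinux_packages_diagnostic | bool`), so write `{% if mysql_performance_schema | bool %}`. Defaulting `mysql_performance_schema: True` also switches on `stage/%` instruments and the stages history consumers on every existing server at the next run, which has a memory and CPU cost and only takes effect after a restart since `performance_schema` is read at startup. That deserves a line next to the default, e.g. `# Enables performance_schema plus stage instrumentation; costs memory/CPU and needs a MySQL restart`, and a CHANGELOG entry, which this commit does not add.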
From: Jeremy Lecour Date: Tue, 17 Aug 2021 15:32:53 +0200 Subject: [PATCH 053/182] Revert "bullseye-detect: this role is obsolete, Debian 11 has been fully released" This reverts commit c9f25f4638e85d021efcd9eb89ee1622dbfb8637. --- CHANGELOG.md | 1 - bullseye-detect/tasks/main.yml | 8 ++++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 bullseye-detect/tasks/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ed5b8e0..930d2696 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -46,7 +46,6 @@ The **patch** part changes incrementally at each release. ### Removed -* bullseye-detect: this role is obsolete, Debian 11 has been fully released * php: remove php-gettext for 7.4 ### Security diff --git a/bullseye-detect/tasks/main.yml b/bullseye-detect/tasks/main.yml new file mode 100644 index 00000000..6f97db0a --- /dev/null +++ b/bullseye-detect/tasks/main.yml @@ -0,0 +1,8 @@ +--- + +# Force facts until Debian 11 is released because Ansible is dumb +- set_fact: + ansible_distribution_major_version: 11 + ansible_distribution: "Debian" + ansible_distribution_release: "bullseye" + when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'" \ No newline at end of file From 42189ba6136f53b25b279b02d1a236395f311347 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 17 Aug 2021 16:38:02 +0200 Subject: [PATCH 054/182] Configure php7.4 for evoadmin-web on bullseye --- webapps/evoadmin-web/tasks/web.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 7f95c96c..9778da4e 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml 
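Review bot: The re-added `when: "ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable'"` dereferences `ansible_lsb.codename` unconditionally, and on hosts without `lsb_release` installed `ansible_lsb` is typically an empty dict, so the conditional raises an error instead of evaluating to false and the play stops. Guard it: `when: ansible_lsb.codename is defined and (ansible_lsb.codename == 'bullseye' or ansible_lsb.release == 'testing/unstable')`. Since this revert restores a role the previous commit declared obsolete, the comment `# Force facts until Debian 11 is released because Ansible is dumb` no longer states a true reason; replace it with the actual one (presumably Ansible releases that do not yet map the bullseye release string to major version 11) so the role is not deleted again.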
@@ -27,6 +27,15 @@ notify: reload apache2 when: ansible_distribution_major_version is version('10', '=') +- name: "Set custom values for PHP config (Debian 11)" + ini_file: + dest: /etc/php/7.4/apache2/conf.d/zzz-evolinux-custom.ini + section: PHP + option: "disable_functions" + value: "shell-exec,system,passthru,putenv,popen" + notify: reload apache2 + when: ansible_distribution_major_version is version('11', '=') + - name: Install evoadmin VHost template: src: "{{ item }}" From 24481680084c08a267049e1040340ba0c4033bcd Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Tue, 17 Aug 2021 18:03:00 +0200 Subject: [PATCH 055/182] evolinux-base: Add swap column to htop and top --- evolinux-base/files/htoprc | 2 ++ evolinux-base/files/topdefaultrc | 15 +++++++++++++++ evolinux-base/tasks/htop.yml | 6 ++++++ evolinux-base/tasks/main.yml | 4 ++++ evolinux-base/tasks/top.yml | 7 +++++++ 5 files changed, 34 insertions(+) create mode 100644 evolinux-base/files/htoprc create mode 100644 evolinux-base/files/topdefaultrc create mode 100644 evolinux-base/tasks/htop.yml create mode 100644 evolinux-base/tasks/top.yml diff --git a/evolinux-base/files/htoprc b/evolinux-base/files/htoprc new file mode 100644 index 00000000..c3380903 --- /dev/null +++ b/evolinux-base/files/htoprc @@ -0,0 +1,2 @@ +# Force the SWAP column to the right of the CPU one +fields=0 48 17 18 38 39 40 119 2 46 47 49 1 diff --git a/evolinux-base/files/topdefaultrc b/evolinux-base/files/topdefaultrc new file mode 100644 index 00000000..b49be289 --- /dev/null +++ b/evolinux-base/files/topdefaultrc 
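Review bot: `disable_functions` takes PHP function names and `shell-exec` (hyphen) is not one; the function is `shell_exec`, so the new Debian 11 task leaves `shell_exec` callable while looking as if it disables it. The value should read `"shell_exec,system,passthru,putenv,popen"`. The Debian 10 task just above the hunk is not visible here; if it carries the same spelling it has the same gap. `exec` and `proc_open` are not in the list either — if evoadmin-web needs them, a short comment saying so would stop the next reviewer from flagging the omission.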
@@ -0,0 +1,15 @@ +top's Config File (Linux processes with windows) +Id:j, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0 +Def fieldscur=ķ&')*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz + winflags=193844, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0 + summclr=1, msgsclr=1, headclr=3, taskclr=1 +Job fieldscur=(Ļ@<)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz + winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0 + summclr=6, msgsclr=6, headclr=7, taskclr=6 +Mem fieldscur=?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz + winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0, double_up=0, combine_cpus=0 + summclr=3, msgsclr=3, headclr=2, taskclr=3 +Fixed_widest=0, Summ_mscale=1, Task_mscale=0, Zero_suppress=0 diff --git a/evolinux-base/tasks/htop.yml b/evolinux-base/tasks/htop.yml new file mode 100644 index 00000000..eeb59beb --- /dev/null +++ b/evolinux-base/tasks/htop.yml @@ -0,0 +1,6 @@ +--- +- name: Deploy htop configuration + copy: + src: htoprc + dest: /etc/htoprc + mode: "0644" diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 2da87162..b64badd6 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -129,3 +129,7 @@ include_role: name: evolix/generate-ldif when: evolinux_generateldif_include | bool + +- include: top.yml + +- include: htop.yml diff --git a/evolinux-base/tasks/top.yml b/evolinux-base/tasks/top.yml new file mode 100644 index 00000000..12eff20c --- /dev/null +++ b/evolinux-base/tasks/top.yml @@ -0,0 +1,7 @@ +--- +- name: Deploy top configuration file + copy: + # The config format is unredable; ATM it only add the SWAP column + src: htoprc + dest: /etc/topdefaultrc + mode: "0644" From bd92ff95c8c6381fddd78aa0965fd9389a34b452 Mon Sep 17 00:00:00 2001 
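Review bot: The new `top.yml` copies the wrong file: `src: htoprc` with `dest: /etc/topdefaultrc` installs htop's one-line `fields=...` configuration as top's system-wide rc, so `/etc/topdefaultrc` never receives the `topdefaultrc` content added in this same commit and top ignores or rejects the file. It should be `src: topdefaultrc`. The comment also has typos and would read better as `# The config format is unreadable; for now it only adds the SWAP column`.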
From: Eric Morino Date: Fri, 20 Aug 2021 11:32:16 +0200 Subject: [PATCH 056/182] use absolute path in evacme cron --- evoacme/files/evoacme.cron | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/evoacme/files/evoacme.cron b/evoacme/files/evoacme.cron index 4d849673..ea78f2c2 100755 --- a/evoacme/files/evoacme.cron +++ b/evoacme/files/evoacme.cron @@ -15,12 +15,12 @@ find "${CRT_DIR}" \ -maxdepth 1 \ -mindepth 1 \ -type d \ - ! -path "*accounts" \ - ! -path "*archive" \ - ! -path "*csr" \ - ! -path "*hooks" \ - ! -path "*keys" \ - ! -path "*live" \ - ! -path "*renewal" \ + ! -path "${CRT_DIR}/accounts" \ + ! -path "${CRT_DIR}/archive" \ + ! -path "${CRT_DIR}/csr" \ + ! -path "${CRT_DIR}/hooks" \ + ! -path "${CRT_DIR}/keys" \ + ! -path "${CRT_DIR}/live" \ + ! -path "${CRT_DIR}/renewal" \ -printf "%f\n" \ | xargs --max-args=1 --no-run-if-empty evoacme From 5a83a30a4c0149e4e0a8cb08381b4a7c3d6f8b8b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 24 Aug 2021 18:16:11 +0200 Subject: [PATCH 057/182] whitespace --- evolinux-base/tasks/hardware.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 9f0c6da3..7fa04a70 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -35,8 +35,8 @@ # HP gen <10: Hewlett-Packard Company Smart Array # HP gen >=10: Adaptec Smart Storage PQI - name: Detect if RAID is installed - shell: - cmd: "set -o pipefail && lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'" + shell: + cmd: "lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'" executable: /bin/bash check_mode: no register: raidmodel From 916138575a24c7b7e83badf8f3311705da8fc485 Mon Sep 17 00:00:00 2001 
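Review bot: Replacing the `*accounts` globs with `"${CRT_DIR}/accounts"` makes every exclusion depend on `CRT_DIR` having no trailing slash: with `CRT_DIR=/etc/letsencrypt/` the pattern becomes `/etc/letsencrypt//accounts` while find prints `/etc/letsencrypt/accounts`, `! -path` no longer matches, and `evoacme` is run on `accounts`, `live`, `renewal` and the other bookkeeping directories. Because the search is already `-mindepth 1 -maxdepth 1`, `! -name accounts`, `! -name archive`, … is exact and independent of how `CRT_DIR` is spelled. `CRT_DIR` is assigned above the hunk, outside this view.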
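Review bot: Despite the subject "whitespace", the hunk drops `set -o pipefail && ` from `cmd:`, so when `lspci` itself fails (not installed, no permission) the pipeline's status is grep's 1, which is exactly what "no RAID controller found" looks like, and the registered `raidmodel` would silently skip RAID tooling on a host that has a controller. If removing pipefail is intended, say so in the commit message; otherwise keep `cmd: "set -o pipefail && lspci -q | grep -e 'RAID bus controller' -e 'Serial Attached SCSI controller'"`, which the `executable: /bin/bash` line already supports. How `raidmodel` is consumed is outside the hunk.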
From: Eric Morino Date: Wed, 25 Aug 2021 11:48:10 +0200 Subject: [PATCH 058/182] Add generate dhparam and update variables for dovecot 2.3 --- dovecot/tasks/main.yml | 4 ++++ dovecot/templates/z-evolinux-defaults.conf.j2 | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index aa817086..7558afd5 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -10,6 +10,10 @@ tags: - dovecot +- name: Generate Diffie-Hellman parameters with the default size (4096 bits) + openssl_dhparam: + path: /etc/ssl/dhparams.pem + - name: disable pam auth replace: dest: /etc/dovecot/conf.d/10-auth.conf diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2 index 2c067b99..ab74ec0d 100644 --- a/dovecot/templates/z-evolinux-defaults.conf.j2 +++ b/dovecot/templates/z-evolinux-defaults.conf.j2 @@ -38,9 +38,9 @@ mail_max_userip_connections = 42 # SSL/TLS ssl = yes ssl_prefer_server_ciphers = yes -ssl_dh_parameters_length = 2048 +ssl_dh= Date: Wed, 25 Aug 2021 11:52:10 +0200 Subject: [PATCH 059/182] Add "may take several minutes" for task generate dhparam --- dovecot/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 7558afd5..efe0644e 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -10,7 +10,7 @@ tags: - dovecot -- name: Generate Diffie-Hellman parameters with the default size (4096 bits) +- name: Generate Diffie-Hellman parameters with the default size 4096 bits (may take several minutes) openssl_dhparam: path: /etc/ssl/dhparams.pem From 2c7380240cc5ef2a6e900db12bf1848f12407e2f Mon Sep 17 00:00:00 2001 
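Review bot: The new `openssl_dhparam` task carries no `tags: - dovecot`, unlike the task immediately above it, so a run limited with `--tags dovecot` never creates `/etc/ssl/dhparams.pem` while the template now points `ssl_dh` at it and Dovecot fails to start. Add `tags: - dovecot` to the task. The `openssl_dhparam` module also needs the Python `cryptography` or `pyOpenSSL` library on the target; whether the role installs it is not visible here, so confirm before relying on this task. The template hunk below is garbled on this page (`+ssl_dh=` is cut off), so its exact value cannot be reviewed.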
From: Jeremy Lecour Date: Wed, 25 Aug 2021 10:43:02 +0200 Subject: [PATCH 060/182] nagios-nrpe + evolinux-users: new checks for bkctld --- CHANGELOG.md | 1 + evolinux-users/templates/sudoers_jessie.j2 | 2 ++ evolinux-users/templates/sudoers_stretch.j2 | 2 ++ nagios-nrpe/templates/evolix.cfg.j2 | 3 +++ 4 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 930d2696..853cfbfd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ The **patch** part changes incrementally at each release. * listupgrade: crontab is configurable * mongodb: create munin plugins directory if missing * mysql: script "mysql_connections" to display a compact list of connections +* nagios-nrpe + evolinux-users: new checks for bkctld * redis: instance service for Debian 11 ### Changed diff --git a/evolinux-users/templates/sudoers_jessie.j2 b/evolinux-users/templates/sudoers_jessie.j2 index b82c67ac..c0703c49 100644 --- a/evolinux-users/templates/sudoers_jessie.j2 +++ b/evolinux-users/templates/sudoers_jessie.j2 @@ -7,6 +7,8 @@ nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats nagios ALL = NOPASSWD: /usr/sbin/bkctld check +nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails +nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt ADMINS ALL = (ALL:ALL) ALL diff --git a/evolinux-users/templates/sudoers_stretch.j2 b/evolinux-users/templates/sudoers_stretch.j2 index 539f871e..7874a19a 100644 --- a/evolinux-users/templates/sudoers_stretch.j2 +++ b/evolinux-users/templates/sudoers_stretch.j2 
@@ -6,6 +6,8 @@ nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats nagios ALL = NOPASSWD: /usr/sbin/bkctld check +nagios ALL = NOPASSWD: /usr/sbin/bkctld check-jails +nagios ALL = NOPASSWD: /usr/sbin/bkctld check-setup nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php70/rootfs/etc/php/7.0/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php73/rootfs/etc/php/7.3/fpm/pool.d/ diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 7306b9cb..148314ab 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -51,6 +51,9 @@ command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 54321 +command[check_bkctld_setup]=sudo /usr/sbin/bkctld check-setup +command[check_bkctld_jails]=sudo /usr/sbin/bkctld check-jails +# "check_bkctld" is here as backward compatibility, but is replaced by "check_bkctld_jails" command[check_bkctld]=sudo /usr/sbin/bkctld check command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023 From ecba57ad75a8fbe71913296595ee0a3218d78883 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 25 Aug 2021 17:57:38 +0200 Subject: [PATCH 061/182] evolinux-base: install molly-guard by default --- CHANGELOG.md | 1 + evolinux-base/tasks/packages.yml | 1 + 2 files changed, 2 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 853cfbfd..f14be146 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release. * Preliminary support for Debian 11 « Bullseye » * apache: new variable for mpm mode (+ updated default config accordingly) * certbot: add script for manual deploy hooks execution +* evolinux-base: install molly-guard by default * listupgrade: crontab is configurable * mongodb: create munin plugins directory if missing * mysql: script "mysql_connections" to display a compact list of connections diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 8df64abd..9d9a6d6a 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -34,6 +34,7 @@ - telnet - traceroute - man + - molly-guard when: evolinux_packages_diagnostic | bool - name: Install/Update hardware tools From 6c21c3b505b5719d2c1b2df1a4bbd71acbe13944 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 26 Aug 2021 09:51:09 +0200 Subject: [PATCH 062/182] Add configuration for listener stats write and read with correct right --- dovecot/templates/z-evolinux-defaults.conf.j2 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2 index ab74ec0d..74081a57 100644 --- a/dovecot/templates/z-evolinux-defaults.conf.j2 +++ b/dovecot/templates/z-evolinux-defaults.conf.j2 @@ -35,6 +35,21 @@ service login { } mail_max_userip_connections = 42 +# Configuration pour stats dovecot +service stats { + unix_listener stats-reader { + user = vmail + group = vmail + mode = 0660 + } + + unix_listener stats-writer { + user = vmail + group = vmail + mode = 0660 + } +} + # SSL/TLS ssl = yes ssl_prefer_server_ciphers = yes From 5e794cd2b6e26f6b18c38af7e2868a31ab20e850 Mon Sep 17 00:00:00 2001 
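Review bot: The `service stats` block hard-codes `user = vmail` / `group = vmail` on both listeners, and `# Configuration pour stats dovecot` is a French comment in an otherwise English template. If the role exposes the mail user as a variable (not visible in this hunk), use it here so a deployment with a different mail user does not hit `Permission denied` on `stats-writer`; either way, an English comment giving the reason is more useful, e.g. `# Dovecot 2.3 stats sockets: let the mail processes (running as vmail) read and write them`. `mode = 0660` is appropriate here: it avoids a world-writable socket while letting the mail processes connect.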
From: Gregory Colpart Date: Thu, 26 Aug 2021 11:42:02 +0200 Subject: [PATCH 063/182] commit whitespace --- evolinux-base/files/logs/logrotate.disabled/ldap | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/files/logs/logrotate.disabled/ldap b/evolinux-base/files/logs/logrotate.disabled/ldap index 59372a33..4be35fa8 100644 --- a/evolinux-base/files/logs/logrotate.disabled/ldap +++ b/evolinux-base/files/logs/logrotate.disabled/ldap @@ -2,8 +2,8 @@ weekly missingok rotate 3 - compress - notifempty + compress + notifempty create 640 root adm } From d2ef3fe27f6718b220768e22c85869315bb57d7e Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Fri, 27 Aug 2021 10:50:11 +0200 Subject: [PATCH 064/182] Fix syntax on task "plugins are installed for" --- rbenv/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rbenv/tasks/main.yml b/rbenv/tasks/main.yml index 08f8242e..de366e78 100644 --- a/rbenv/tasks/main.yml +++ b/rbenv/tasks/main.yml @@ -68,8 +68,7 @@ version: '{{ item.version }}' accept_hostkey: yes force: yes - loop: - - "{{ rbenv_plugins }}" + loop: "{{ rbenv_plugins }}" become_user: "{{ username }}" become: yes tags: From 74ab96d67fba699b334b6e90ffb1197dcc797c3f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 27 Aug 2021 11:01:26 +0200 Subject: [PATCH 065/182] loop syntax and whitespaces --- clamav/tasks/main.yml | 106 +++++++++++++-------------- evolinux-base/tasks/kernel.yml | 8 +- evolinux-base/tasks/system.yml | 8 +- java/tasks/oracle.yml | 6 +- kvm-host/tasks/ssh.yml | 6 +- lxc-solr/tasks/main.yml | 6 +- opendkim/tasks/main.yml | 4 +- postfix/tasks/packmail.yml | 44 +++++------ postgresql/tasks/munin.yml | 10 +-- postgresql/tasks/packages_jessie.yml | 6 +- redmine/tasks/config.yml | 6 +- vrrpd/tasks/main.yml | 12 +-- webapps/evoadmin-web/tasks/user.yml | 6 +- 13 files changed, 111 insertions(+), 117 deletions(-) 
diff --git a/clamav/tasks/main.yml b/clamav/tasks/main.yml index be9e5b00..6d1da3eb 100644 --- a/clamav/tasks/main.yml +++ b/clamav/tasks/main.yml 
@@ -6,48 +6,48 @@ value: "{{ item.value }}" vtype: "{{ item.type }}" loop: - - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' } - - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' } - - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' } - - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' } - - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' } - - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' } - - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' } - - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' } - - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' } - - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' } - - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' } - - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' } - - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' } - - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' } - - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' } - - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' } - - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' } - - { key: 
'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' } - - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' } - - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' } - - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' } - - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' } - - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' } - - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' } - - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' } - - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' } - - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' } - - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' } - - { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' } - - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' } - - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' } - - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' } - - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' } - - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' } + - { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' } + - { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' } + - { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' } + - { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 
'true' } + - { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' } + - { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' } + - { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' } + - { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' } + - { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' } + - { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/User', type: 'string', value: 'clamav' } + - { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' } + - { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' } + - { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' } + - { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' } + - { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' } + - { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' } + - { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' } + - { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' } + - { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' } + - { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' } + - { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' } + - { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' } + - { key: 
'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' } + - { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' } + - { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' } + - { key: 'clamav-daemon/AddGroups', type: 'string', value: '' } + - { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' } + - { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' } tags: - clamav 
@@ -58,17 +58,17 @@ value: "{{ item.value }}" vtype: "{{ item.type }}" loop: - - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' } - - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' } - - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' } - - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' } - - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' } - - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' } - - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' } - - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' } - - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' } - - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' } - - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' } + - { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' } + - { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' } + - { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' } + - { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' } + - { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' } + - { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' } + - { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' } + - { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' } + - { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' } tags: - clamav diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index b49968f1..6ddeb57f 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml 
@@ -8,8 +8,8 @@ state: present reload: yes loop: - - { name: kernel.panic_on_oops, value: 1 } - - { name: kernel.panic, value: 60 } + - { name: kernel.panic_on_oops, value: 1 } + - { name: kernel.panic, value: 60 } when: evolinux_kernel_reboot_after_panic | bool - name: Don't reboot after panic @@ -19,8 +19,8 @@ state: absent reload: yes loop: - - kernel.panic_on_oops - - kernel.panic + - kernel.panic_on_oops + - kernel.panic when: not evolinux_kernel_reboot_after_panic | bool - name: Disable net.ipv4.tcp_timestamps diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 554bb02a..486dc2e8 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -119,10 +119,10 @@ regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" loop: - - { regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1' } - - { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } - - { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } - - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } + - { regexp: '^17((\s*\*){4})', replace: '{{ 59|random(start=1) }}\1' } + - { regexp: '^25\s*6((\s*\*){3})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } + - { regexp: '^47\s*6((\s*\*){2}\s*7)', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } + - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } when: - is_cron_installed.rc == 0 - evolinux_system_cron_random | bool diff --git a/java/tasks/oracle.yml b/java/tasks/oracle.yml index c2ab5ebf..0b057695 100644 --- a/java/tasks/oracle.yml +++ b/java/tasks/oracle.yml 
@@ -14,9 +14,9 @@ state: directory mode: "0777" loop: - - /srv/java-package - - /srv/java-package/src - - /srv/java-package/tmp + - /srv/java-package + - /srv/java-package/src + - /srv/java-package/tmp tags: - java diff --git a/kvm-host/tasks/ssh.yml b/kvm-host/tasks/ssh.yml index fe71c287..c48722a3 100644 --- a/kvm-host/tasks/ssh.yml +++ b/kvm-host/tasks/ssh.yml @@ -34,8 +34,7 @@ special_time: "hourly" user: root job: "rsync -a --delete /etc/libvirt/qemu/ {{ hostvars[item]['ansible_hostname'] }}:/root/libvirt-{{ inventory_hostname }}/" - loop: - - "{{ groups['hypervisors'] }}" + loop: "{{ groups['hypervisors'] }}" when: item != inventory_hostname - name: Crontab for sync list of running vm @@ -45,6 +44,5 @@ special_time: "daily" user: root job: "virsh list --all | ssh {{ hostvars[item]['ansible_hostname'] }} 'cat >/root/libvirt-{{ inventory_hostname }}/virsh-list.txt'" - loop: - - "{{ groups['hypervisors'] }}" + loop: "{{ groups['hypervisors'] }}" when: item != inventory_hostname diff --git a/lxc-solr/tasks/main.yml b/lxc-solr/tasks/main.yml index 3fad863f..d629bbf6 100644 --- a/lxc-solr/tasks/main.yml +++ b/lxc-solr/tasks/main.yml @@ -8,9 +8,7 @@ path: "/var/lib/lxc/{{ item.name }}/rootfs" state: directory mode: '0755' - loop: - - "{{ lxc_containers }}" + loop: "{{ lxc_containers }}" - include: "solr.yml name={{item.name}} solr_version={{item.solr_version}} solr_port={{item.solr_port}}" - loop: - - "{{ lxc_containers }}" + loop: "{{ lxc_containers }}" diff --git a/opendkim/tasks/main.yml b/opendkim/tasks/main.yml index 1db961e2..94aa3dfd 100644 --- a/opendkim/tasks/main.yml +++ b/opendkim/tasks/main.yml @@ -39,8 +39,8 @@ group: opendkim mode: "0640" loop: - - 'KeyTable' - - 'SigningTable' + - 'KeyTable' + - 'SigningTable' changed_when: False tags: - opendkim diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 80f90232..90d424b2 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml 
@@ -38,17 +38,17 @@ dest: "/etc/postfix/{{ item }}" force: no loop: - - virtual - - client.access - - client.access_local - - header_kill - - header_kill_local - - recipient.access - - recipient.access_local - - sa-blacklist.access - - sender.access - - sender.access_local - - spamd.cidr + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr register: postfix_copy_filter tags: - postfix @@ -56,17 +56,17 @@ - name: postmap filter files command: "postmap /etc/postfix/{{ item }}" loop: - - virtual - - client.access - - client.access_local - - header_kill - - header_kill_local - - recipient.access - - recipient.access_local - - sa-blacklist.access - - sender.access - - sender.access_local - - spamd.cidr + - virtual + - client.access + - client.access_local + - header_kill + - header_kill_local + - recipient.access + - recipient.access_local + - sa-blacklist.access + - sender.access + - sender.access_local + - spamd.cidr when: postfix_copy_filter is changed tags: - postfix diff --git a/postgresql/tasks/munin.yml b/postgresql/tasks/munin.yml index 4e62ddf6..ed2cc883 100644 --- a/postgresql/tasks/munin.yml +++ b/postgresql/tasks/munin.yml @@ -15,11 +15,11 @@ src: '/usr/share/munin/plugins/{{item}}' dest: '/etc/munin/plugins/{{item}}' loop: - - postgres_bgwriter - - postgres_checkpoints - - postgres_connections_db - - postgres_users - - postgres_xlog + - postgres_bgwriter + - postgres_checkpoints + - postgres_connections_db + - postgres_users + - postgres_xlog notify: restart munin-node when: etc_munin_plugins.stat.exists and usr_share_munin_plugins.stat.exists diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index cf8f0879..b9f9b31b 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml 
@@ -12,6 +12,6 @@ apt: name: '{{item}}' loop: - - "postgresql-{{postgresql_version}}" - - ptop - - libdbd-pg-perl + - "postgresql-{{postgresql_version}}" + - ptop + - libdbd-pg-perl diff --git a/redmine/tasks/config.yml b/redmine/tasks/config.yml index d65f8172..e45bcea5 100644 --- a/redmine/tasks/config.yml +++ b/redmine/tasks/config.yml @@ -7,9 +7,9 @@ owner: "{{ redmine_user }}" group: "{{ redmine_user }}" loop: - - ".config" - - ".config/systemd" - - ".config/systemd/user" + - ".config" + - ".config/systemd" + - ".config/systemd/user" tags: - redmine diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml index 84d4f4ee..74dfa5c2 100644 --- a/vrrpd/tasks/main.yml +++ b/vrrpd/tasks/main.yml @@ -19,11 +19,11 @@ sysctl_set: yes state: present loop: - - { name: 'net.ipv4.conf.default.rp_filter', value: 0 } - - { name: 'net.ipv4.conf.eth0.rp_filter', value: 0 } - - { name: 'net.ipv4.conf.all.rp_filter', value: 0 } - - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 } - - { name: 'net.ipv4.conf.all.arp_announce', value: 2 } - - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 } + - { name: 'net.ipv4.conf.default.rp_filter', value: 0 } + - { name: 'net.ipv4.conf.eth0.rp_filter', value: 0 } + - { name: 'net.ipv4.conf.all.rp_filter', value: 0 } + - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 } + - { name: 'net.ipv4.conf.all.arp_announce', value: 2 } + - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 } tags: - vrrpd diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 68ac91de..bbad1b8f 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -38,10 +38,8 @@ regexp: "{{ item.regexp }}" state: present loop: - - line: 'evoadmin: root' - regexp: '^evoadmin:' - - line: 'www-evoadmin: root' - regexp: '^www-evoadmin:' + - { line: 'evoadmin: root', regexp: '^evoadmin:' } + - { line: 'www-evoadmin: root', regexp: '^www-evoadmin:' } notify: "newaliases" when: etc_aliases.stat.exists 
From 65750d2aa6199d06fe78a089aa9d5ce96c4289f7 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Mon, 30 Aug 2021 09:24:57 +0200
Subject: [PATCH 066/182] evomaintenance: extract a config.yyml tasks file
---
 CHANGELOG.md | 1 +
 evomaintenance/tasks/config.yml | 18 ++++++++++++++++++
 evomaintenance/tasks/install_vendor_debian.yml | 13 +------------
 evomaintenance/tasks/main.yml | 11 ++---------
 evomaintenance/tasks/minifirewall.yml | 3 +++
 5 files changed, 25 insertions(+), 21 deletions(-)
 create mode 100644 evomaintenance/tasks/config.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f14be146..31ef9b18 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ The **patch** part changes incrementally at each release.
 * certbot: silence letsencrypt deprecation warnings
 * elasticsearch: 7.x by default
 * evoadmin-web: simpler PHP packages lists
+* evomaintenance: extract a config.yyml tasks file
 * evocheck: upstream release 21.07
 * evolinux-base: alert5 comes after the network
 * evolinux-base: force Debian version to buster for Evolix repository (temporary)
diff --git a/evomaintenance/tasks/config.yml b/evomaintenance/tasks/config.yml
new file mode 100644
index 00000000..097e9770
--- /dev/null
+++ b/evomaintenance/tasks/config.yml
@@ -0,0 +1,18 @@
+---
+
+- assert:
+ that:
+ - evomaintenance_api_endpoint is not none
+ - evomaintenance_api_key is not none
+ msg: evomaintenance api variables must be set
+
+- name: Configuration is installed
+ template:
+ src: evomaintenance.j2
+ dest: /etc/evomaintenance.cf
+ owner: root
+ group: root
+ mode: "0600"
+ force: "{{ evomaintenance_force_config | bool }}"
+ tags:
+ - evomaintenance
diff --git a/evomaintenance/tasks/install_vendor_debian.yml b/evomaintenance/tasks/install_vendor_debian.yml
index 2faaac79..99448e3c 100644
--- a/evomaintenance/tasks/install_vendor_debian.yml
+++ b/evomaintenance/tasks/install_vendor_debian.yml
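Review bot: The `assert` in the new config.yml only rejects `none`, so an `evomaintenance_api_endpoint` or `evomaintenance_api_key` that is set to an empty string passes the check and is rendered into /etc/evomaintenance.cf; `- evomaintenance_api_key | default('', true) | length > 0` (and the same for the endpoint) would also reject empty and undefined values. The assert carries no `tags:` while the template task right below it is tagged `evomaintenance`, so a run restricted to `--tags evomaintenance` installs the configuration without validating the variables; giving the assert the same `tags:` list keeps the two together. A `name:` on the assert, e.g. `- name: evomaintenance API variables are set`, would also make a failure easier to spot in play output.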
@@ -46,15 +46,4 @@
 - { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
 - { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
 tags:
- - evomaintenance
-
-- name: Configuration is installed
- template:
- src: evomaintenance.j2
- dest: /etc/evomaintenance.cf
- owner: root
- group: root
- mode: "0600"
- force: "{{ evomaintenance_force_config | bool }}"
- tags:
- - evomaintenance
+ - evomaintenance
\ No newline at end of file
diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml
index 9826089b..0a4e5010 100644
--- a/evomaintenance/tasks/main.yml
+++ b/evomaintenance/tasks/main.yml
@@ -1,14 +1,5 @@
 ---
-- set_fact:
- minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
-
-- assert:
- that:
- - evomaintenance_api_endpoint is not none
- - evomaintenance_api_key is not none
- msg: evomaintenance api variables must be set
-
 - include: install_package_debian.yml
 when:
 - not (evomaintenance_install_vendor | bool)
@@ -19,6 +10,8 @@
 - evomaintenance_install_vendor | bool
 - ansible_distribution == "Debian"
+- include: config.yml
+
 - include: minifirewall.yml
 when:
 - evomaintenance_hook_db | bool
diff --git a/evomaintenance/tasks/minifirewall.yml b/evomaintenance/tasks/minifirewall.yml
index ad48e856..98dad15b 100644
--- a/evomaintenance/tasks/minifirewall.yml
+++ b/evomaintenance/tasks/minifirewall.yml
@@ -1,5 +1,8 @@
 ---
+- set_fact:
+ minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
+
 - name: Is minifirewall installed?
 stat:
 path: /etc/default/minifirewall
From 73f55a42fa58a54b3e4f098a45f426a983c0d873 Mon Sep 17 00:00:00 2001
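Review bot: Moving the assert out of main.yml changes when it runs: `- include: config.yml` is added after the install_package_debian.yml / install_vendor_debian.yml includes, so a run that fails on a missing `evomaintenance_api_endpoint` or `evomaintenance_api_key` now stops with the package or vendor scripts already installed and no /etc/evomaintenance.cf, whereas the removed top-of-file assert failed before anything was installed. If rendering the template does not depend on the package being present, `- include: config.yml` can move above the two install includes; otherwise keep the assert itself at the top of main.yml. The `set_fact` for `minifirewall_restart_handler_name` moves in the same commit into minifirewall.yml (the hunk below), which is only included `when: evomaintenance_hook_db | bool`; if anything outside that file reads the variable when the hook is disabled, which I cannot see from these hunks, it is now undefined there.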
From: Jeremy Lecour
Date: Mon, 30 Aug 2021 09:26:04 +0200
Subject: [PATCH 067/182] forgotten file
---
 evomaintenance/tasks/install_package_debian.yml | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/evomaintenance/tasks/install_package_debian.yml b/evomaintenance/tasks/install_package_debian.yml
index a5da77ea..ce9d90e7 100644
--- a/evomaintenance/tasks/install_package_debian.yml
+++ b/evomaintenance/tasks/install_package_debian.yml
@@ -12,15 +12,4 @@
 name: evomaintenance
 allow_unauthenticated: yes
 tags:
- - evomaintenance
-
-- name: Configuration is installed
- template:
- src: evomaintenance.j2
- dest: /etc/evomaintenance.cf
- owner: root
- group: root
- mode: "0600"
- force: "{{ evomaintenance_force_config | bool }}"
- tags:
- - evomaintenance
+ - evomaintenance
\ No newline at end of file
From e45ee59801f8c9f6a5e1057b05d28c7646d48d67 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Mon, 30 Aug 2021 14:05:15 +0200
Subject: [PATCH 068/182] mysql: script "mysql-queries-killer.sh" to kill MySQL queries
---
 CHANGELOG.md | 1 +
 mysql/files/mysql-queries-killer.sh | 168 ++++++++++++++++++++++++++++
 mysql/tasks/utils.yml | 9 ++
 3 files changed, 178 insertions(+)
 create mode 100644 mysql/files/mysql-queries-killer.sh
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31ef9b18..890631f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ The **patch** part changes incrementally at each release.
 * listupgrade: crontab is configurable
 * mongodb: create munin plugins directory if missing
 * mysql: script "mysql_connections" to display a compact list of connections
+* mysql: script "mysql-queries-killer.sh" to kill MySQL queries
 * nagios-nrpe + evolinux-users: new checks for bkctld
 * redis: instance service for Debian 11
diff --git a/mysql/files/mysql-queries-killer.sh b/mysql/files/mysql-queries-killer.sh
new file mode 100644
index 00000000..203d992e
--- /dev/null
+++ b/mysql/files/mysql-queries-killer.sh
@@ -0,0 +1,168 @@ +#!/bin/sh + +VERSION="21.07.1" + +show_version() { + cat <, + Jérémy Lecour + and others. + +mysql-queries-killer comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public Licence for details. +END +} + +show_help() { + cat <] --list [--time