Merge pull request '10.5.1' (#125) from unstable into stable

Reviewed-on: #125
Jérémy Lecour 2021-04-13 15:57:16 +02:00
commit 2f4b5b9448
6 changed files with 116 additions and 65 deletions


@ -20,6 +20,16 @@ The **patch** part changes incrementally at each release.
### Security
## [10.5.1] 2021-04-13
### Added
* haproxy: dedicated internal address/binding (without SSL)
### Changed
* etc-git: commit in /usr/share/scripts when there's an active repository
## [10.5.0] 2021-04-01
### Added


@ -1,57 +1,27 @@
---
- name: is /etc clean?
command: git status --porcelain
args:
chdir: /etc
changed_when: False
register: git_status
when: not ansible_check_mode
ignore_errors: yes
tags:
- etc-git
- commit-etc
- debug:
var: git_status
verbosity: 3
tags:
- etc-git
- commit-etc
- name: Is /etc a git repository
stat:
path: /etc/.git
register: _etc_git
- name: fetch current Git user.email
git_config:
name: user.email
repo: /etc
register: git_config_user_email
ignore_errors: yes
tags:
- etc-git
- commit-etc
- name: "set commit author"
set_fact:
commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
commit_email: '{% if git_config_user_email.config_value is not defined or not git_config_user_email.config_value %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' # noqa 204
tags:
- etc-git
- commit-etc
- name: "/etc modifications are committed"
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
args:
chdir: /etc
register: etc_commit_end_run
- include: do_commit.yml
vars:
git_folder: "/etc"
when:
- not ansible_check_mode
- git_status.stdout
ignore_errors: yes
tags:
- etc-git
- commit-etc
- _etc_git.stat.exists
- _etc_git.stat.isdir
- debug:
var: etc_commit_end_run
verbosity: 4
tags:
- etc-git
- commit-etc
- name: Is /usr/share/scripts a git repository
stat:
path: /usr/share/scripts/.git
register: _usr_share_scripts_git
- include: do_commit.yml
vars:
git_folder: "/usr/share/scripts"
when:
- _usr_share_scripts_git.stat.exists
- _usr_share_scripts_git.stat.isdir
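Review bot: The `stat` checks and the two `include: do_commit.yml` tasks carry no tags, while the other tasks shown in this file are tagged `etc-git` and `commit-etc` and the included file uses `etc-git` and `commit`. The page has lost its +/- markers, so this assumes the untagged tasks are the new side; if so, a run limited with `--tags commit-etc` would likely skip the commit entirely and pending changes in /etc would go unrecorded without any error. Consider adding `tags: [etc-git, commit-etc]` to the stat and include tasks, or noting the tag rename in the changelog. `include` is also deprecated in favour of `include_tasks` / `import_tasks`.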


@ -0,0 +1,64 @@
---
- name: "Remount /usr if needed"
include_role:
name: remount-usr
when: git_folder is match('/usr/.*')
- name: "is {{ git_folder }} clean?"
command: git status --porcelain
args:
chdir: "{{ git_folder }}"
changed_when: False
register: git_status
when: not ansible_check_mode
ignore_errors: yes
tags:
- etc-git
- commit
- debug:
var: git_status
verbosity: 3
tags:
- etc-git
- commit
- name: fetch current Git user.email
git_config:
name: user.email
repo: "{{ git_folder }}"
register: git_config_user_email
ignore_errors: yes
tags:
- etc-git
- commit
- name: "set commit author"
set_fact:
commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
commit_email: '{% if git_config_user_email.config_value is not defined or not git_config_user_email.config_value %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' # noqa 204
tags:
- etc-git
- commit
- name: "{{ git_folder }} modifications are committed"
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
args:
chdir: "{{ git_folder }}"
register: commit_end_run
when:
- not ansible_check_mode
- git_status.stdout
ignore_errors: yes
tags:
- etc-git
- commit
- debug:
var: commit_end_run
verbosity: 4
tags:
- etc-git
- commit
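Review bot: The commit task interpolates `commit_message`, `commit_author` and `commit_email` into a `shell:` string protected only by hand-written double quotes, so a double quote, `$` or backtick in any of them is interpreted by the shell, in a task that presumably runs as root. `commit_email` is read from the repository's own git config, and this file now also runs against /usr/share/scripts, which widens where those values can come from. Use the `quote` filter instead of literal quotes, e.g. `git commit -m {{ commit_message | mandatory | quote }} --author {{ (commit_author ~ ' <' ~ commit_email ~ '>') | quote }}`, or split `git add` and `git commit` into two `command:` tasks using `argv`. `ignore_errors: yes` on the same task also hides a failed commit, so the change history can lapse silently.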


@ -1,34 +1,36 @@
---
haproxy_ssl_dir: "/etc/haproxy/ssl/"
# backward compatibility with a previously used variable
haproxy_stats_enable: False
haproxy_stats_ssl: True
haproxy_stats_host: "*"
haproxy_stats_port: "8080"
haproxy_stats_path: "/"
haproxy_stats_bind_directive: "{{ haproxy_stats_host }}:{{ haproxy_stats_port }} {% if haproxy_stats_ssl %}ssl crt {{ haproxy_ssl_dir }}{% endif %}"
haproxy_stats_internal_url: "{% if haproxy_stats_ssl %}https:{% else %}http:{% endif %}//{% if haproxy_stats_host == '*' or haproxy_stats_host == '0.0.0.0' %}127.0.0.1{% else %}{{ haproxy_stats_host }}{% endif %}:{{ haproxy_stats_port }}{{ haproxy_stats_path }}"
haproxy_stats_internal_enable: True
haproxy_stats_internal_host: "127.0.0.1"
haproxy_stats_internal_port: "8081"
haproxy_stats_external_url: "{% if haproxy_stats_ssl %}https:{% else %}http:{% endif %}//{{ ansible_fqdn }}:{{ haproxy_stats_port }}{{ haproxy_stats_path }}"
haproxy_backports: "{{ haproxy_jessie_backports | default(false, true) }}"
haproxy_update_config: True
haproxy_force_config: True
haproxy_socket: /run/haproxy/admin.sock
haproxy_chroot: /var/lib/haproxy
haproxy_stats_access_ips: []
haproxy_stats_admin_ips: []
haproxy_stats_users: []
## use crypt(8) password encryption
# haproxy_stats_users:
# - { login: "", password: "" }
haproxy_backports: "{{ haproxy_jessie_backports | default(false, true) }}"
haproxy_update_config: True
haproxy_force_config: True
haproxy_socket: /run/haproxy/admin.sock
haproxy_chroot: /var/lib/haproxy
haproxy_maintenance_ips: []
haproxy_deny_ips: []
haproxy_ssl_dir: "/etc/haproxy/ssl/"
haproxy_stats_enable: False
haproxy_stats_bind: "*:8080 ssl crt /etc/haproxy/ssl/"
haproxy_backports_packages_stretch: haproxy libssl1.0.0
haproxy_backports_packages_buster: haproxy
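Review bot: The three `haproxy_stats_internal_*` defaults have no comment saying that this binding is served without TLS and is intended for local monitoring only. Because `haproxy_stats_internal_host` can be overridden, pointing it at a routable address would expose the stats page, and any `stats_users` credentials sent to it, in cleartext; the same concern applies to the new `bind` line in the haproxy template and to the munin URL. I would add above them `# plain-HTTP stats binding for local monitoring (munin); keep the host on a loopback address`. With `haproxy_stats_internal_enable: True` as the default, hosts that have stats enabled presumably gain the extra listener on upgrade, which is worth stating in the changelog entry.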


@ -45,6 +45,9 @@ userlist stats_users
listen stats
mode http
bind {{ haproxy_stats_bind_directive }}
{% if haproxy_stats_internal_enable %}
bind {{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }}
{% endif %}
acl stats_access_ips src -f /etc/haproxy/stats_access_ips
acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips
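Review bot: The added `bind` places the loopback listener in the same `listen stats` section, so the `stats_access_ips` / `stats_admin_ips` source ACLs below it also decide what a client connecting from 127.0.0.1 may do. The rules that consume those ACLs are outside the hunk, so it is worth confirming that loopback gets read access for munin but is not matched by `stats_admin_ips`, since any local process can reach this port. A template comment such as `# internal plain-HTTP bind for local monitoring; access is still governed by the ACLs below` would make that intent explicit.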


@ -1,2 +1,4 @@
[haproxy_*]
env.url {{ haproxy_stats_internal_url }};csv;norefresh
{% if haproxy_stats_internal_enable %}
env.url http://{{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }}/;csv;norefresh
{% endif %}
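Review bot: When `haproxy_stats_internal_enable` is false the rendered file keeps the `[haproxy_*]` section but contains no `env.url` at all, so the munin plugin would fall back to whatever its built-in default is and the graphs may stop without an obvious error. Either add an `{% else %}` branch pointing at the main stats binding, or skip deploying this plugin configuration in that case. The URL also hard-codes `/` as the path; if the stats URI is still taken from `haproxy_stats_path`, use `{{ haproxy_stats_path }}` here so an override does not break monitoring.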