Merge branch 'unstable' into stable
2f96151c70
113
CHANGELOG.md
|
@ -21,6 +21,111 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Security
|
||||
|
||||
## [24.02] 2024-02-08
|
||||
|
||||
### Added
|
||||
|
||||
* Support for PHP 8.3 with bookworm LXC containers
|
||||
* apt: add task file to install ELTS repository (default: False)
|
||||
* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation
|
||||
* check_free_space: added role
|
||||
* etc-git: add /var/chroot-bind/etc/bind repo
|
||||
* fail2ban: add script unban_ip
|
||||
* generateldif: new Services for check_pressure_{cpu,io,mem}
|
||||
* kvm-host: Automatically add an LVM filter when LVM is present
|
||||
* lxc-php: Allow one to install php83 on Bookworm container
|
||||
* minifirewall: Fix nagios check for old versions of minifirewall
|
||||
* mongodb: add gpg key for 7.0
|
||||
* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel
|
||||
* nagios-nrpe: new check_pressure_{cpu,io,mem}
|
||||
* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition
|
||||
* vrrpd: configure minifirewall
|
||||
* vrrpd: test if interface exists before deleting it
|
||||
* webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm
|
||||
* webapps/nextcloud: Add condition for archive tasks
|
||||
* webapps/nextcloud: Add condition for config tasks
|
||||
* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
|
||||
* webapps/nextcloud: Set ownership and permissions of data directory
|
||||
|
||||
### Changed
|
||||
|
||||
* add-vm.sh: allow VM name max length > 20
|
||||
* amavis: make ldap_suffix mandatory
|
||||
* apache : fix goaway pattern for bad bots
|
||||
* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name)
|
||||
* apache: use backward compatible Redirect directive
|
||||
* apt: Disable archive repository for Debian 8
|
||||
* apt: Use the GPG version of the key for Debian 8-9
|
||||
* bind: Update role for Buster, Bullseye and Bookworm support
|
||||
* dovecot: add variables for LDAP
|
||||
* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`)
|
||||
* evocheck: upstream release 24.01
|
||||
* evolinux-base: dump-server-state upstream release 23.11
|
||||
* evolinux-base: use separate default config file for rsyslog
|
||||
* kvmstats: use .capacity instead of .physical for disk size
|
||||
* ldap: make ldap_suffix mandatory
|
||||
* listupgrade : old-kernel-removal.sh upstream release 24.01
|
||||
* log2mail: move custom config in separate file
|
||||
* lxc: init /etc git repository in lxc container
|
||||
* mysql: disable performance schema for Debian 8
|
||||
* nagios: add dockerd check in nrpe check template
|
||||
* nagios: cleaning nrpe check template
|
||||
* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12
|
||||
* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11
|
||||
* redis: manage config template inside a block, to allow custom modifications outside
|
||||
* spamassassin: Use spamd starting with Bookworm
|
||||
* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8
|
||||
* unbound: Add config file to allow configuration reload on Debian 11 and lower
|
||||
* unbound: Add munin configuration & setup plugin
|
||||
* unbound: Big cleanup
|
||||
* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf`
|
||||
* unbound: Use root hints provided by debian package dns-root-data instead of downloading them
|
||||
* vrrpd: replace switch script with custom one (fix MAC issue, use `ip(8)`, shell cleanup…)
|
||||
* vrrpd: variable to force update the switch script (default: false)
|
||||
* webapps/nextcloud: Add Ceph volume to fstab
|
||||
* webapps/nextcloud: Set home directory's mode
|
||||
|
||||
### Fixed
|
||||
|
||||
* Add php-fpm82 to LDAP when relevant
|
||||
* Check stat.exists before stat.isdir
|
||||
* apache: fix MaxRequestsPerChild value to be sync with wiki.e.o
|
||||
* apt: use archive.debian.org with Stretch
|
||||
* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP)
|
||||
* dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »).
|
||||
* dovecot: fix missing default mails
|
||||
* dovecot: fix plugin dovecot1
|
||||
* evoadmin-web: Fix PHP version for Bookworm
|
||||
* evolinux-base: fix hardware.yml (wrong repo, missing update cache)
|
||||
* evolinux-base: start to install linux-image-cloud-amd64 with Buster
|
||||
* fail2ban: fix template marker
|
||||
* minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore.
|
||||
* nagios: fix default file to monitor for check_clamav_db
|
||||
* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode
|
||||
* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
|
||||
* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode)
|
||||
* nginx: keep indentation
|
||||
* nginx: take care of « already defined » and « not yet defined » server status suffix in check mode
|
||||
* php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository
|
||||
* php: drop apt_preferences(5) file for sury
|
||||
* postfix: remove dependency on evolinux_fqdn var
|
||||
* proftpd: set missing default listen IP for SFTP
|
||||
* roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL)
|
||||
* ssl: no not execute haproxy tasks and reload if haproxy is disabled
|
||||
* unbound: Add a apt cache validity to enforce an apt update if needed
|
||||
* webapps/nextcloud: added check that nextcloud uid is over 3000
|
||||
* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src
|
||||
* webapps/nextcloud: fix misplaced gid attribute
|
||||
* webapps/nextcloud: fix missing gid
|
||||
* webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice)
|
||||
* amavis: Add variables for generate "ldap_suffix"
|
||||
* proftpd: fix error when no SSH key is provided
|
||||
|
||||
### Removed
|
||||
|
||||
* evolinux-base: no need to remove update-evobackup-canary from sbin anymore
|
||||
* evolinux-base: no need to symlink backup-server-state to dump-server-state anymore
|
||||
|
||||
## [23.10] 2023-10-14
|
||||
|
||||
### Added
|
||||
|
@ -381,16 +486,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Added
|
||||
|
||||
* docker : Introduce new default settings + allow to change the docker data directory
|
||||
* docker : Introduce new variables to tweak daemon settings
|
||||
* docker: Introduce new default settings + allow to change the docker data directory
|
||||
* docker: Introduce new variables to tweak daemon settings
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck: upstream release 22.05
|
||||
* evocheck: Upstream release 22.05
|
||||
|
||||
### Removed
|
||||
|
||||
* docker : Removed Debian Jessie support
|
||||
* docker: Removed Debian Jessie support
|
||||
|
||||
## [22.05] 2022-05-10
|
||||
|
||||
|
|
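--- a/amavis/defaults/main.yml
+++ b/amavis/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+ldap_hostname: "{{ ansible_hostname }}"
+ldap_domain: "{{ ansible_domain }}"
+ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"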
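Review bot: The `ldap_suffix` default indexes `ldap_domain.split('.')[-2]`, which raises a template error on any host whose `ansible_domain` is empty or a single label (a bare hostname with no DNS domain gives `[''][-2]`), and it silently keeps only the last two labels for longer domains such as `example.co.uk`. Either guard it, e.g. an `ansible.builtin.assert` that `ldap_domain.split('.') | length >= 2` before the role's tasks, or derive the suffix from every label: `ldap_suffix: "dc={{ ldap_hostname }},{{ ldap_domain.split('.') | map('regex_replace', '^', 'dc=') | join(',') }}"`. Note that because this default always exists, the `| mandatory` added to the amavis template in this same commit can never trigger.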
|
|
@ -6,7 +6,7 @@
|
|||
- amavisd-new
|
||||
state: present
|
||||
tags:
|
||||
- amavis
|
||||
- amavis
|
||||
|
||||
- name: configure Amavis
|
||||
ansible.builtin.template:
|
||||
|
@ -15,7 +15,7 @@
|
|||
mode: "0644"
|
||||
notify: restart amavis
|
||||
tags:
|
||||
- amavis
|
||||
- amavis
|
||||
|
||||
- name: Install purge custom cron
|
||||
ansible.builtin.copy:
|
||||
|
@ -23,5 +23,5 @@
|
|||
dest: /etc/cron.daily/amavis_purge_virusmails
|
||||
mode: "0755"
|
||||
tags:
|
||||
- amavis
|
||||
- amavis_purge_cron
|
||||
- amavis
|
||||
- amavis_purge_cron
|
||||
|
|
|
@ -44,7 +44,7 @@ $max_servers = 2;
|
|||
$enable_ldap = 1;
|
||||
$default_ldap = {
|
||||
hostname => '127.0.0.1', tls => 0,
|
||||
base => '{{ ldap_suffix }}', scope => 'sub',
|
||||
base => '{{ ldap_suffix | mandatory }}', scope => 'sub',
|
||||
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
|
||||
};
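Review bot: `'{{ ldap_suffix | mandatory }}'` cannot fail here, because `amavis/defaults/main.yml` (added in this commit) always defines `ldap_suffix` from `ansible_hostname` and `ansible_domain`; `mandatory` only rejects an undefined variable, not a default that happens to be wrong for the site. If the intent is to make each deployment state the suffix explicitly, drop the default from the role and keep `mandatory`; if the intent is the auto-derived value, the filter is dead weight and a comment above `$default_ldap` saying where the value comes from would be more useful. The value is also interpolated into a single-quoted Perl string without escaping, which is fine for hostname-derived data but worth a `# must not contain a quote` note if the variable is ever user-supplied.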
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ MaxKeepAliveRequests 10
|
|||
StartServers 50
|
||||
MinSpareServers 20
|
||||
MaxSpareServers 30
|
||||
MaxRequestsPerChild 0
|
||||
MaxConnectionsPerChild 100
|
||||
</IfModule>
|
||||
|
||||
<IfModule mpm_worker_module>
|
||||
|
@ -20,7 +20,7 @@ MaxKeepAliveRequests 10
|
|||
ThreadLimit 64
|
||||
ThreadsPerChild 25
|
||||
MaxRequestWorkers 150
|
||||
MaxConnectionsPerChild 0
|
||||
MaxConnectionsPerChild 100
|
||||
</IfModule>
|
||||
|
||||
<IfModule mpm_itk_module>
|
||||
|
@ -40,28 +40,25 @@ MaxKeepAliveRequests 10
|
|||
</IfModule>
|
||||
</IfModule>
|
||||
|
||||
|
||||
<Directory /home/>
|
||||
AllowOverride None
|
||||
Require all granted
|
||||
# "Require not env XXX" is not supported :(
|
||||
Deny from env=GoAway
|
||||
</Directory>
|
||||
# Go away bad bots (define "bad bots" in zzz-evolinux-custom.conf)
|
||||
<If "reqenv('GoAway') -eq 1">
|
||||
Require all denied
|
||||
</If>
|
||||
|
||||
<DirectoryMatch "/\.git">
|
||||
# We don't want to let the client know a file exist on the server,
|
||||
# so we return 404 "Not found" instead of 403 "Forbidden".
|
||||
Redirect 404
|
||||
Redirect 404 "-"
|
||||
</DirectoryMatch>
|
||||
|
||||
# File names starting with
|
||||
<FilesMatch "^\.(git|env)">
|
||||
Redirect 404
|
||||
Redirect 404 "-"
|
||||
</FilesMatch>
|
||||
|
||||
# File names ending with
|
||||
<FilesMatch "\.(inc|bak)$">
|
||||
Redirect 404
|
||||
Redirect 404 "-"
|
||||
</FilesMatch>
|
||||
|
||||
<LocationMatch "^/evolinux_fpm_status-.*">
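Review bot: Dropping the whole `<Directory /home/>` block removes the `AllowOverride None` and `Require all granted` that applied to every site under /home, not only the `Deny from env=GoAway` rule this hunk is replacing. Whether /home stays reachable and whether `.htaccess` files under it start being honoured now depends on the other `<Directory>` sections in the server config (Debian's stock `<Directory />` is `AllowOverride None` with `Require all denied`), so this should be confirmed against the vhost templates; if they do not set it themselves, keep a stub `<Directory /home/>` / `AllowOverride None` / `</Directory>`. The `<If "reqenv('GoAway') -eq 1">` form is the correct mod_authz_core replacement for the mod_access_compat `Deny from env=`, and `Redirect 404 "-"` is the status-only syntax Apache 2.4 requires.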
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: present
|
||||
create: yes
|
||||
loop: "{{ apache_ipaddr_whitelist_present }}"
|
||||
notify: reload apache
|
||||
tags:
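Review bot: With `create: yes`, `lineinfile` will now create `/etc/apache2/ipaddr_whitelist.conf` when it is missing, but the task sets no `mode`, `owner` or `group`, so the permissions of the freshly created file are whatever the Ansible process umask yields. Add `mode: "0644"`, `owner: root` and `group: root` next to `create`, and write the boolean as `true` to match the role's other tasks. The task's header is outside the hunk.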
|
||||
|
|
|
@ -14,6 +14,7 @@ apt_install_backports: False
|
|||
apt_backports_components: "main"
|
||||
|
||||
apt_install_evolix_public: True
|
||||
apt_install_extended_lts: False
|
||||
|
||||
apt_clean_gandi_sourceslist: False
|
||||
|
||||
|
@ -28,4 +29,4 @@ apt_check_hold_cron_weekday: "*"
|
|||
apt_check_hold_cron_day: "*"
|
||||
apt_check_hold_cron_month: "*"
|
||||
|
||||
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
||||
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
Package: *
|
||||
Pin: release a=bookworm-backports
|
||||
Pin-Priority: 50
|
|
@ -1,3 +0,0 @@
|
|||
Package: *
|
||||
Pin: release a=bullseye-backports
|
||||
Pin-Priority: 50
|
|
@ -1,3 +0,0 @@
|
|||
Package: *
|
||||
Pin: release a=buster-backports
|
||||
Pin-Priority: 50
|
BIN
apt/files/freexian-archive-extended-lts.gpg
Binary file not shown.
|
@ -1,3 +0,0 @@
|
|||
Package: *
|
||||
Pin: release a=jessie-backports
|
||||
Pin-Priority: 50
|
|
@ -1,3 +0,0 @@
|
|||
Package: *
|
||||
Pin: release a=stretch-backports
|
||||
Pin-Priority: 50
|
|
@ -10,19 +10,9 @@
|
|||
tags:
|
||||
- apt
|
||||
|
||||
- name: Backports configuration
|
||||
ansible.builtin.copy:
|
||||
src: '{{ ansible_distribution_release }}_backports_preferences'
|
||||
dest: /etc/apt/preferences.d/0-backports-defaults
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_backports_config
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Apt update
|
||||
ansible.builtin.apt:
|
||||
update_cache: yes
|
||||
when: apt_backports_sources is changed or apt_backports_config is changed
|
||||
when: apt_backports_sources is changed
|
||||
tags:
|
||||
- apt
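Review bot: The `Backports configuration` task is removed (together with the `*_backports_preferences` files), but nothing cleans up `/etc/apt/preferences.d/0-backports-defaults` on hosts that already received it, so those keep `Pin-Priority: 50` while newly configured hosts get apt's own default priority for the backports suite — two different upgrade behaviours across the fleet. Add a cleanup task such as `ansible.builtin.file: { path: /etc/apt/preferences.d/0-backports-defaults, state: absent }`, registered so the `Apt update` task below still runs when it changes. The sibling oneline task file drops the same task and needs the same cleanup.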
|
||||
|
|
|
@ -17,16 +17,6 @@
|
|||
tags:
|
||||
- apt
|
||||
|
||||
- name: Backports configuration
|
||||
ansible.builtin.copy:
|
||||
src: '{{ ansible_distribution_release }}_backports_preferences'
|
||||
dest: /etc/apt/preferences.d/0-backports-defaults
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_backports_config
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Archived backport are accepted (jessie)
|
||||
ansible.builtin.lineinfile:
|
||||
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
|
||||
|
@ -42,4 +32,4 @@
|
|||
update_cache: yes
|
||||
tags:
|
||||
- apt
|
||||
when: apt_backports_list is changed or apt_backports_config is changed
|
||||
when: apt_backports_list is changed
|
||||
|
|
|
@ -24,10 +24,16 @@
|
|||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Set Evolix GPG key format to ASC
|
||||
set_fact:
|
||||
apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Add Evolix GPG key
|
||||
ansible.builtin.copy:
|
||||
src: pub_evolix.asc
|
||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
dest: "{{ apt_evolix_public_key }}"
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
|
|
|
@ -24,10 +24,26 @@
|
|||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Set Evolix GPG key format to GPG (Debian < 9)
|
||||
set_fact:
|
||||
apt_evolix_public_key: "pub_evolix.gpg"
|
||||
when:
|
||||
- ansible_distribution_major_version is version('9', '<')
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Set Evolix GPG key format to ASC (Debian >= 9)
|
||||
set_fact:
|
||||
apt_evolix_public_key: "pub_evolix.asc"
|
||||
when:
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Add Evolix GPG key
|
||||
ansible.builtin.copy:
|
||||
src: pub_evolix.asc
|
||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
src: "{{ apt_evolix_public_key }}"
|
||||
dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
|
|
37
apt/tasks/extended-lts.oneline.yml
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Add Evolix GPG key
|
||||
ansible.builtin.copy:
|
||||
src: "freexian-archive-extended-lts.gpg"
|
||||
dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: ELTS list is installed
|
||||
ansible.builtin.template:
|
||||
src: "{{ ansible_distribution_release }}_extended-lts.list.j2"
|
||||
dest: /etc/apt/sources.list.d/extended-lts.list
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_extended_lts
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Apt update
|
||||
ansible.builtin.apt:
|
||||
update_cache: yes
|
||||
tags:
|
||||
- apt
|
||||
when: apt_extended_lts is changed
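Review bot: The task named `Add Evolix GPG key` installs `freexian-archive-extended-lts.gpg`, not an Evolix key — the name is a copy-paste leftover and makes run logs misleading; rename it `Add Freexian ELTS GPG key`. The binary keyring is committed with nothing to check it against, so record the key's fingerprint in a comment above the task (the output of `gpg --show-keys --with-fingerprint` on the file) so that future replacements of the file can be verified against it. Minor style: `file:` and `mode: "755"` differ from the `ansible.builtin.` FQCN and zero-padded `"0644"` used by the neighbouring tasks.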
|
|
@ -80,6 +80,14 @@
|
|||
- apt_install_evolix_public | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: Install Extended-LTS repositories (Debian < 10)
|
||||
ansible.builtin.import_tasks: extended-lts.oneline.yml
|
||||
tags:
|
||||
- apt
|
||||
when:
|
||||
- apt_install_extended_lts | bool
|
||||
- ansible_distribution_major_version is version('10', '<')
|
||||
|
||||
- name: Clean GANDI sources
|
||||
ansible.builtin.file:
|
||||
path: '{{ item }}'
|
||||
|
@ -126,4 +134,4 @@
|
|||
upgrade: dist
|
||||
when: apt_upgrade | bool
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
|
|
@ -31,6 +31,11 @@
|
|||
tags:
|
||||
- apt
|
||||
|
||||
- name: Is system.sources present?
|
||||
ansible.builtin.stat:
|
||||
path: /etc/apt/sources.list.d/system.sources
|
||||
register: _system_sources
|
||||
|
||||
- name: Add signed-by when relevant for bookworm
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/apt/sources.list.d/system.sources
|
||||
|
@ -39,6 +44,12 @@
|
|||
state: present
|
||||
tags:
|
||||
- apt
|
||||
when: _system_sources.stat.exists or not ansible_check_mode
|
||||
|
||||
- name: Is security.sources present?
|
||||
ansible.builtin.stat:
|
||||
path: /etc/apt/sources.list.d/security.sources
|
||||
register: _security_sources
|
||||
|
||||
- name: Add signed-by when relevant for bookworm-security
|
||||
ansible.builtin.lineinfile:
|
||||
|
@ -48,3 +59,4 @@
|
|||
state: present
|
||||
tags:
|
||||
- apt
|
||||
when: _security_sources.stat.exists or not ansible_check_mode
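Review bot: The new `Is system.sources present?` stat task carries no `tags: - apt`, while the `Add signed-by when relevant for bookworm` task it feeds is tagged `apt` and evaluates `_system_sources.stat.exists` in its `when`; a run limited with `--tags apt` therefore skips the stat and fails on the undefined fact. Add `tags: - apt` to that task and to `Is security.sources present?`, which has the same gap. The `or not ansible_check_mode` clause otherwise reads correctly: in check mode the lineinfile is only attempted when the file really exists.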
|
||||
|
|
|
@ -3,6 +3,6 @@
|
|||
Types: deb
|
||||
URIs: http://mirror.evolix.org/debian
|
||||
Suites: bookworm bookworm-updates
|
||||
Components: {{ apt_basics_components | mandatory }}
|
||||
Components: {{ apt_basics_components | mandatory }}
|
||||
Enabled: yes
|
||||
Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
|
||||
|
|
|
@ -3,6 +3,6 @@
|
|||
Types: deb
|
||||
URIs: https://security.debian.org/debian-security
|
||||
Suites: bookworm-security
|
||||
Components: {{ apt_basics_components | mandatory }}
|
||||
Components: {{ apt_basics_components | mandatory }}
|
||||
Enabled: yes
|
||||
Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
|
||||
Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian bullseye-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian/ buster-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian buster-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
||||
deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
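Review bot: This template builds the key path as `{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}`, so it expects `apt_evolix_public_key` to be a bare file name, which is what the `Debian < 9` / `Debian >= 9` set_fact tasks in this commit provide; the other `Set Evolix GPG key format to ASC` task in the same commit sets the same fact to the full path `{{ apt_keyring_dir }}/pub_evolix.asc`. If that task file ever runs before this template is rendered on a host, `signed-by=` ends up with a doubled path and apt rejects the source. Pick one convention for the fact in both task files, or rename one of them (e.g. `apt_evolix_public_key_path` for the full-path variant).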
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
Types:deb
|
||||
Types: deb
|
||||
URIs: http://pub.evolix.org/evolix
|
||||
Suites: {{ ansible_distribution_release }}
|
||||
Components: main
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }}
|
||||
deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }}
|
||||
### Those repositories are unusable. Move to ELTS (manually).
|
||||
# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}
|
||||
# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }}
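Review bot: The comment `### Those repositories are unusable. Move to ELTS (manually).` is already out of date within this commit, which adds `apt_install_extended_lts` and `tasks/extended-lts.oneline.yml` to do exactly that; point readers at it, e.g. `### Jessie is no longer served by the mirrors; enable ELTS with apt_install_extended_lts: true (see tasks/extended-lts.oneline.yml).` With both `deb` lines commented out, a jessie host that does not enable ELTS is left with an empty basics list, which is presumably intended but worth saying in the same comment.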
|
||||
|
|
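--- a/apt/templates/jessie_extended-lts.list.j2
+++ b/apt/templates/jessie_extended-lts.list.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main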
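Review bot: On Debian 8 and 9 `apt_keyring_dir` resolves to `/etc/apt/trusted.gpg.d` (see the default in `apt/defaults/main.yml`), so the Freexian key copied there is trusted for every configured repository and the `signed-by=` attribute does not actually scope it to the ELTS suites. If the apt shipped on those releases honours `signed-by`, store this key under a non-trusted path such as `/usr/share/keyrings/` (the copy task in `extended-lts.oneline.yml` and this template would need to agree on it); if it does not, add a comment here stating that global trust is deliberate so the next reader does not re-check. The same applies to the stretch template below.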
|
|
@ -1,5 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian stretch {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://security.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}
|
||||
deb http://archive.debian.org/debian stretch {{ apt_basics_components | mandatory }}
|
||||
deb http://archive.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }}
|
||||
|
|
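--- a/apt/templates/stretch_extended-lts.list.j2
+++ b/apt/templates/stretch_extended-lts.list.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main
+deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main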
|
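--- a/autosysadmin/defaults/main.yml
+++ b/autosysadmin/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+
+general_scripts_dir: "/usr/share/scripts"
+autosysadmin_dir: "{{ general_scripts_dir }}/autosysadmin"
+
+# Default values for enabled checks
+repair_amavis: 'on'
+repair_disk: 'on'
+repair_elasticsearch: 'on'
+repair_http: 'on'
+repair_mysql: 'on'
+repair_opendkim: 'off'
+repair_php_fpm56: 'off'
+repair_php_fpm70: 'off'
+repair_php_fpm73: 'off'
+repair_php_fpm74: 'off'
+repair_php_fpm80: 'off'
+repair_php_fpm81: 'off'
+repair_php_fpm82: 'off'
+repair_php_fpm83: 'off'
+repair_redis: 'off'
+repair_tomcat_instance: 'off'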
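Review bot: The `repair_*` and `general_scripts_dir` defaults are unprefixed, and Ansible role defaults are visible play-wide, so any other role or inventory variable named `repair_disk` or `general_scripts_dir` silently overrides them (and vice versa). Since the role is new and nothing depends on these names yet, prefix them now — `autosysadmin_repair_disk: 'on'` and so on — as `autosysadmin_dir` already does. Keeping the `'on'`/`'off'` values quoted is correct: unquoted they would be read as YAML 1.1 booleans.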
|
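--- a/autosysadmin/files/logrotate_autosysadmin.conf
+++ b/autosysadmin/files/logrotate_autosysadmin.conf
@@ -0,0 +1,13 @@
+/var/log/autosysadmin.log {
+daily
+missingok
+rotate 365
+compress
+nodelaycompress
+notifempty
+dateext
+dateformat .%Y-%m-%d
+dateyesterday
+copytruncate
+create 0640 root adm
+}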
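Review bot: `copytruncate` and `create 0640 root adm` contradict each other: with `copytruncate` logrotate never recreates the file, so the `create` line is a no-op and the mode and owner of `/var/log/autosysadmin.log` remain whatever rsyslog chose. Since rsyslog is the only writer of that file (the `rsyslog_autosysadmin.conf` added in this commit routes `autosysadmin` messages to it), the usual Debian pattern is `create` plus `sharedscripts` and a `postrotate` that signals rsyslog the way `/etc/logrotate.d/rsyslog` does (`/usr/lib/rsyslog/rsyslog-rotate` on current releases), which also avoids the lines `copytruncate` can lose between the copy and the truncate.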
|
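--- a/autosysadmin/files/rsyslog_autosysadmin.conf
+++ b/autosysadmin/files/rsyslog_autosysadmin.conf
@@ -0,0 +1,3 @@
+$template autosysadmin, "/var/log/autosysadmin.log"
+if $programname contains 'autosysadmin' then ?autosysadmin
+& stop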
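Review bot: `if $programname contains 'autosysadmin'` is a substring match, so any program whose tag merely contains that word is diverted to this file and then dropped by `& stop` before it reaches the default logs; `startswith 'autosysadmin'` is the tighter test. That still matches what `functions.sh` in this commit emits, since it logs with `-t autosysadmin."$0"` — although `$0` there is the script's invocation path, so the resulting tag (something like `autosysadmin./usr/share/scripts/autosysadmin/repair_x.sh`, depending on how rsyslog trims it) is odd and would read better as `-t "autosysadmin.${SCRIPTNAME}"`. The `$template` / `?name` syntax is the legacy format; the RainerScript equivalent `if $programname startswith 'autosysadmin' then { action(type="omfile" file="/var/log/autosysadmin.log") stop }` works on rsyslog 7 and later.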
|
478
autosysadmin/files/scripts/functions.sh
|
@ -0,0 +1,478 @@
|
|||
#!/bin/bash
|
||||
|
||||
get_system() {
|
||||
uname -s
|
||||
}
|
||||
|
||||
get_fqdn() {
|
||||
if [ "$(get_system)" = "Linux" ]; then
|
||||
hostname --fqdn
|
||||
elif [ "$(get_system)" = "OpenBSD" ]; then
|
||||
hostname
|
||||
else
|
||||
log_error_exit "OS not detected!"
|
||||
fi
|
||||
}
|
||||
|
||||
get_complete_hostname() {
|
||||
REAL_HOSTNAME="$(get_fqdn)"
|
||||
if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
|
||||
echo "${HOSTNAME}"
|
||||
else
|
||||
echo "${HOSTNAME} (${REAL_HOSTNAME})"
|
||||
fi
|
||||
}
|
||||
|
||||
get_evomaintenance_mail() {
|
||||
email="$(grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2)"
|
||||
|
||||
if [[ -z "$email" ]]; then
|
||||
email='alert5@evolix.fr'
|
||||
fi
|
||||
|
||||
echo "${email}"
|
||||
}
|
||||
|
||||
arguments="${*}"
|
||||
|
||||
get_argument() {
|
||||
no_found=1
|
||||
for argument in ${arguments} ; do
|
||||
if [ "${argument}" = "${1}" ] ;
|
||||
then
|
||||
no_found=0
|
||||
fi
|
||||
done
|
||||
return ${no_found}
|
||||
}
|
||||
|
||||
internal_info() {
|
||||
INTERNAL_INFO="$(printf '%b\n%s' "${INTERNAL_INFO}" "$*")"
|
||||
}
|
||||
|
||||
log_action() {
|
||||
log "Action : $*"
|
||||
ACTIONS="$(printf '%s\n%s' "${ACTIONS}" "$*")"
|
||||
}
|
||||
|
||||
log() {
|
||||
INTERNAL_LOG="$(printf '%s\n%s %s %s %s' "${INTERNAL_LOG}" "$(date -Isec)" "$(hostname)" "$(basename "$0")" "$*")"
|
||||
printf '%s %s %s %s\n' "$(date -Isec)" "$(hostname)" "$(basename "$0")" "$*" | tee -a "${LOG_DIR}/autosysadmin.log"
|
||||
echo "$*" | /usr/bin/logger -p local0.notice -t autosysadmin."$0"
|
||||
}
|
||||
|
||||
log_error_exit() {
|
||||
log "ERROR : $*"
|
||||
AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: $*" --no-commit --no-mail
|
||||
exit 1
|
||||
}
|
||||
|
||||
log_check_php_fpm() {
|
||||
|
||||
# Extraire seulement les chiffres du nom du script exécuté
|
||||
# ./repair_php_fpm81.sh ==> 81
|
||||
PHP_VERSION="${0//[^0-9]/}"
|
||||
|
||||
PHP_PATH_POOL=$(find /var/lib/lxc/php"${PHP_VERSION}"/ -type d -name "pool.d")
|
||||
/usr/local/lib/nagios/plugins/check_phpfpm_multi "${PHP_PATH_POOL}" > "${LOG_DIR}/nrpe.txt"
|
||||
}
|
||||
|
||||
log_system_status() {
|
||||
DUMP_SERVER_STATE_BIN="$(command -v dump-server-state || command -v backup-server-state)"
|
||||
|
||||
if [ -z "${DUMP_SERVER_STATE_BIN}" ]; then
|
||||
log "Warning: dump-server-state is not present. No server state recorded...."
|
||||
fi
|
||||
|
||||
if [ -x "${DUMP_SERVER_STATE_BIN}" ]; then
|
||||
|
||||
# NOTE We don't want the logging to take too much time, so we kill it
|
||||
# if it take more than 20 seconds.
|
||||
timeout --signal 9 20 \
|
||||
"${DUMP_SERVER_STATE_BIN}" \
|
||||
--dump-dir="$LOG_DIR" \
|
||||
--df \
|
||||
--dmesg \
|
||||
--iptables \
|
||||
--lxc \
|
||||
--netcfg \
|
||||
--netstat \
|
||||
--uname \
|
||||
--processes \
|
||||
--systemctl \
|
||||
--uptime \
|
||||
--virsh \
|
||||
--disks \
|
||||
--mysql-processes \
|
||||
--no-apt-states \
|
||||
--no-apt-config \
|
||||
--no-dpkg-full \
|
||||
--no-dpkg-status \
|
||||
--no-mount \
|
||||
--no-packages \
|
||||
--no-sysctl \
|
||||
--no-etc
|
||||
|
||||
log "System status logged in ${LOG_DIR}"
|
||||
fi
|
||||
}
|
||||
|
||||
read_log_system_status(){
|
||||
files="df.txt dmesg.txt lxc-list.txt netstat-legacy.txt netstat-ss.txt pstree.txt ps.txt systemctl-failed-services.txt"
|
||||
echo -e "\n\n#### Détails de dump-server-state"
|
||||
for file in ${files} ; do
|
||||
echo -e "\n### cat ${LOG_DIR}/${file} :"
|
||||
tail -n 1000 "${LOG_DIR}"/"${file}"
|
||||
done
|
||||
}
|
||||
|
||||
ensure_no_active_users_or_exit() {
|
||||
if is_debug; then return; fi
|
||||
|
||||
# Is there any active user ?
|
||||
for user in $(LC_ALL=C who --users|awk '{print $1}'); do
|
||||
idle_time="$(LC_ALL=C who --users | grep "${user}" | awk '{ print $6}')"
|
||||
for sameusertime in $(LC_ALL=C who --users | grep "${user}" | awk '{ print $6}'); do
|
||||
if is_active_user "$sameusertime"; then
|
||||
hook_mail abort_active_users
|
||||
log_error_exit 'At least one user was recently active. That requires human intervention. Nothing to do here!'
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
is_active_user() {
|
||||
# Check if a user was active in the last 30 minutes
|
||||
idle_time="$1"
|
||||
|
||||
if [ "${idle_time}" = "old" ];
|
||||
then
|
||||
return 1
|
||||
elif [ "${idle_time}" = "." ];
|
||||
then
|
||||
return 0
|
||||
else
|
||||
hh="$(echo "${idle_time}" | awk -F':' '{print $1}')"
|
||||
mm="$(echo "${idle_time}" | awk -F':' '{print $2}')"
|
||||
idle_minutes="$(( 60 * "${hh}" + "${mm}" ))"
|
||||
if [ "${idle_minutes}" -ge 30 ];
|
||||
then
|
||||
return 1
|
||||
else
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
is_debug() {
|
||||
debug_file="/etc/evolinux/autosysadmin.debug"
|
||||
|
||||
if [ -e "${debug_file}" ]; then
|
||||
last_change=$(stat -c %Z "${debug_file}")
|
||||
limit_date=$(date --date "14400 seconds ago" +"%s")
|
||||
|
||||
if [ $(( last_change - limit_date )) -le "0" ]; then
|
||||
rm "${debug_file}"
|
||||
else
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
check_nrpe() {
|
||||
check="$1"
|
||||
list_command_nrpe=$( grep --exclude=*~ -E "\[${check}\]" -r /etc/nagios/ | grep -v '#command' )
|
||||
command_nrpe_primary=$( echo "${list_command_nrpe}" | grep "/etc/nagios/nrpe.d/evolix.cfg" | cut -d'=' -f2- )
|
||||
command_nrpe_secondary=$( echo "${list_command_nrpe}" | head -n1 | cut -d'=' -f2- )
|
||||
|
||||
if [ -z "${command_nrpe_primary}" ] && [ -z "${command_nrpe_secondary}" ]
|
||||
then
|
||||
return 1
|
||||
else
|
||||
if [ -n "${command_nrpe_primary}" ]
|
||||
then
|
||||
${command_nrpe_primary}
|
||||
else
|
||||
${command_nrpe_secondary}
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
acquire_lock_or_exit() {
|
||||
lockfile="$1"
|
||||
waittime="$2"
|
||||
|
||||
# si le temps d’attente n’est pas compréhensible par sleep(1), il vaut 0
|
||||
if ! echo "${waittime}" | grep -Eq '^[0-9]+[smhd]?$'
|
||||
then
|
||||
waittime=0
|
||||
fi
|
||||
|
||||
# si le temps d’attente est supérieur à 0 et si le lock existe, on attend
|
||||
if test "${waittime}" -gt 0 && test -f "${lockfile}"
|
||||
then
|
||||
sleep "${waittime}"
|
||||
fi
|
||||
|
||||
# si le lock existe, on s’arrête
|
||||
if test -f "${lockfile}"
|
||||
then
|
||||
log_error_exit "lock file ${lockfile} exists"
|
||||
fi
|
||||
touch "${lockfile}"
|
||||
}
|
||||
|
||||
is_too_soon() {
|
||||
if is_debug; then return; fi
|
||||
|
||||
witness="/tmp/autosysadmin_witness_$(basename "$0")"
|
||||
if test -f "${witness}"
|
||||
then
|
||||
compare="$(($(date +%s)-$(stat -c "%Y" "${witness}")))"
|
||||
if [ "${compare}" -lt 1800 ];
|
||||
then
|
||||
log_error_exit 'already executed less than 30 minutes ago'
|
||||
fi
|
||||
rm "${witness}"
|
||||
fi
|
||||
touch "${witness}"
|
||||
}
|
||||
|
||||
init_autosysadmin() {
|
||||
PATH="${PATH}":/usr/sbin:/sbin↩
|
||||
unset ACTIONS
|
||||
|
||||
SCRIPTNAME=$(basename "$0")
|
||||
PROGNAME=${SCRIPTNAME%.sh}
|
||||
|
||||
RUN_ID="$(date +"%Y-%m-%d_%H-%M")_${SCRIPTNAME}_$(openssl rand -hex 6)"
|
||||
LOG_DIR="/var/log/autosysadmin/${RUN_ID}"
|
||||
mkdir -p "${LOG_DIR}"
|
||||
|
||||
log "Autosysadmin : Script ${SCRIPTNAME} triggered"
|
||||
|
||||
# Detect operating system name, version and release↩
|
||||
detect_os
|
||||
}
|
||||
|
||||
load_conf() {
|
||||
# Load conf and enable script by default.
|
||||
# To disable script locally, set "$PROGNAME"=off in /etc/evolinux/autosysadmin.
|
||||
# To disable script globally, set "$PROGNAME"=off in the script, after load_conf() call.
|
||||
declare -g "$PROGNAME"=on # dynamic variable assignment ($PROGNAME == repair_*)
|
||||
|
||||
# Source configuration file
|
||||
# shellcheck source=../roles/deploy_autosysadmin/templates/autosysadmin.cfg.j2
|
||||
test -f /etc/evolinux/autosysadmin && source /etc/evolinux/autosysadmin
|
||||
}
|
||||
|
||||
detect_os() {
|
||||
# OS detection
|
||||
DEBIAN_RELEASE=""
|
||||
LSB_RELEASE_BIN="$(command -v lsb_release)"
|
||||
|
||||
if [ -e /etc/debian_version ]; then
|
||||
DEBIAN_VERSION="$(cut -d "." -f 1 < /etc/debian_version)"
|
||||
if [ -x "${LSB_RELEASE_BIN}" ]; then
|
||||
DEBIAN_RELEASE="$("${LSB_RELEASE_BIN}" --codename --short)"
|
||||
else
|
||||
case "${DEBIAN_VERSION}" in
|
||||
8) DEBIAN_RELEASE="jessie";;
|
||||
9) DEBIAN_RELEASE="stretch";;
|
||||
10) DEBIAN_RELEASE="buster";;
|
||||
11) DEBIAN_RELEASE="bullseye";;
|
||||
esac
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
is_debian_jessie() {
|
||||
test "${DEBIAN_RELEASE}" = "jessie"
|
||||
}
|
||||
is_debian_stretch() {
|
||||
test "${DEBIAN_RELEASE}" = "stretch"
|
||||
}
|
||||
is_debian_buster() {
|
||||
test "${DEBIAN_RELEASE}" = "buster"
|
||||
}
|
||||
is_debian_bullseye() {
|
||||
test "${DEBIAN_RELEASE}" = "bullseye"
|
||||
}
|
||||
|
||||
systemd_list_service_failed() {
|
||||
systemctl list-units --failed --no-legend --full --type=service "$1" |
|
||||
awk '{print $1}'
|
||||
}
|
||||
|
||||
systemd_list_units_enabled() {
|
||||
list_units_enabled=$(systemctl list-unit-files --state=enabled --no-legend | awk "/$1/{print \$1}")
|
||||
if [ -z "${list_units_enabled}" ]
|
||||
then
|
||||
return 1
|
||||
else
|
||||
echo "${list_units_enabled}"
|
||||
fi
|
||||
}
|
||||
|
||||
format_mail_success() {
|
||||
cat <<EOTEMPLATE
|
||||
From: AutoSysadmin Evolix <equipe+autosysadmin@evolix.net>
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 8bit
|
||||
X-Script: $(basename "$0")
|
||||
X-RunId: ${RUN_ID}
|
||||
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
|
||||
Cc: autosysadmin@evolix.fr
|
||||
Subject: [autosysadmin] Intervention sur ${HOSTNAME_TEXT}
|
||||
|
||||
Bonjour,
|
||||
|
||||
Une intervention automatique vient de se terminer.
|
||||
|
||||
Nom du serveur : ${HOSTNAME_TEXT}
|
||||
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
|
||||
|
||||
### Renseignements sur l'intervention
|
||||
|
||||
${ACTIONS}
|
||||
|
||||
### Réagir à cette intervention
|
||||
|
||||
Vous pouvez répondre à ce message (sur l'adresse mail equipe@evolix.net).
|
||||
En cas d'urgence, utilisez l'adresse maintenance@evolix.fr ou
|
||||
notre téléphone portable d'astreinte (04.26.99.99.26)
|
||||
|
||||
--
|
||||
Votre AutoSysadmin
|
||||
EOTEMPLATE
|
||||
}
|
||||
|
||||
format_mail_abort_active_users() {
|
||||
cat <<EOTEMPLATE
|
||||
From: AutoSysadmin Evolix <equipe+autosysadmin@evolix.net>
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 8bit
|
||||
X-Script: $(basename "$0")
|
||||
X-RunId: ${RUN_ID}
|
||||
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
|
||||
Cc: autosysadmin@evolix.fr
|
||||
Subject: [autosysadmin] Intervention interrompue sur ${HOSTNAME_TEXT}
|
||||
|
||||
Bonjour,
|
||||
|
||||
Une intervention automatique a été interrompue en raison
|
||||
d'un utilisateur actuellement actif sur le serveur.
|
||||
|
||||
Nom du serveur : ${HOSTNAME_TEXT}
|
||||
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
|
||||
|
||||
### Utilisateur(s) connecté(s)
|
||||
$(w)
|
||||
|
||||
--
|
||||
Votre AutoSysadmin
|
||||
EOTEMPLATE
|
||||
}
|
||||
|
||||
format_mail_internal_info() {
|
||||
cat <<EOTEMPLATE
|
||||
From: AutoSysadmin Evolix <equipe+autosysadmin@evolix.net>
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 8bit
|
||||
X-Script: $(basename "$0")
|
||||
X-RunId: ${RUN_ID}
|
||||
To: autosysadmin@evolix.fr
|
||||
Subject: [autosysadmin] Complements (interne) - Intervention sur ${HOSTNAME_TEXT}
|
||||
|
||||
Bonjour,
|
||||
|
||||
Une intervention automatique vient de se terminer.
|
||||
|
||||
Nom du serveur : ${HOSTNAME_TEXT}
|
||||
Heure d'intervention : $(LC_ALL=fr_FR.utf8 date)
|
||||
Script déclenché : $(basename "$0")
|
||||
|
||||
### Actions effectuées
|
||||
|
||||
${ACTIONS}
|
||||
|
||||
### Logs autosysadmin
|
||||
|
||||
${INTERNAL_LOG}
|
||||
|
||||
### Utilisateur(s) connecté(s)
|
||||
|
||||
$(w)
|
||||
|
||||
### Informations additionnelles données par le script $(basename "$0")
|
||||
|
||||
${INTERNAL_INFO}
|
||||
|
||||
--
|
||||
Votre AutoSysadmin
|
||||
EOTEMPLATE
|
||||
}
|
||||
|
||||
hook_mail() {
|
||||
if is_debug; then return; fi
|
||||
|
||||
HOSTNAME="${HOSTNAME:-"$(get_fqdn)"}"
|
||||
HOSTNAME_TEXT="$(get_complete_hostname)"
|
||||
EMAIL_CLIENT="$(get_evomaintenance_mail)"
|
||||
|
||||
MAIL_CONTENT="$(format_mail_"$1")"
|
||||
|
||||
SENDMAIL_BIN="$(command -v sendmail)"
|
||||
|
||||
if [ -z "${SENDMAIL_BIN}" ]; then
|
||||
log "No \`sendmail' command has been found, can't send mail."
|
||||
fi
|
||||
|
||||
if [ -x "${SENDMAIL_BIN}" ]; then
|
||||
echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.net"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
|
||||
# We need stable output for gcal, so we force some language environment variables
|
||||
export TZ=Europe/Paris
|
||||
export LANGUAGE=fr_FR.UTF-8
|
||||
|
||||
is_holiday() {
|
||||
# gcal mark today as a holiday by surrounding with < and > the day
|
||||
# of the month of that holiday line. For exemple if today is 2022-05-01 we'll
|
||||
# get among other lines:
|
||||
# Fête du Travail (FR) + Di, < 1>Mai 2022
|
||||
# Jour de la Victoire (FR) + Di, : 8:Mai 2022 = +7 jours
|
||||
gcal --cc-holidays=fr --holiday-list=short | grep -E '<[0-9 ]{2}>' --quiet
|
||||
}
|
||||
|
||||
is_weekend() {
|
||||
day_of_week=$(date +%u)
|
||||
if [ "$day_of_week" != 6 ] && [ "$day_of_week" != 7 ]; then
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
is_workday() {
|
||||
if is_holiday || is_weekend; then
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
is_worktime() {
|
||||
if ! is_workday; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
hour=$(date +%H)
|
||||
if [ "${hour}" -lt 9 ] || { [ "${hour}" -ge 12 ] && [ "${hour}" -lt 14 ] ; } || [ "${hour}" -ge 18 ]; then
|
||||
return 1
|
||||
fi
|
||||
}
|
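--- /dev/null
+++ b/autosysadmin/files/scripts/repair_amavis.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+# shellcheck source=./restart_amavis.sh
+source /usr/share/scripts/autosysadmin/restart_amavis.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_amavis:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Verify if check_nrpe are not OK
+check_nrpe "check_amavis" && log_error_exit 'check_amavis is OK, nothing to do here!'
+
+# Has it recently been run?
+get_argument "--no-delay" || is_too_soon
+
+lockfile="/run/lock/repair_amavis"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+restart_amavis
+
+hook_mail success
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail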
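Review bot: `trap 'cleanup' 0` is installed before `acquire_lock_or_exit "${lockfile}"`, so if a second invocation finds the lock already held and exits, its EXIT trap runs `rm -f "${lockfile}"` and deletes the lock that the still-running instance owns — assuming acquire_lock_or_exit exits on contention, which is defined in functions.sh outside this hunk and should be confirmed. Swap the two lines so the trap is only armed once the lock is ours: `acquire_lock_or_exit "${lockfile}"` followed by `trap 'cleanup' 0`, or make cleanup compare a stored PID before unlinking. The same ordering is repeated in every repair_*.sh added by this commit, so the fix belongs in all of them.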
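--- /dev/null
+++ b/autosysadmin/files/scripts/repair_disk.sh
@@ -0,0 +1,173 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_disk:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_disk"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+get_mountpoints() {
+# the $(...) get the check_disk1 command
+# the cut command selects the critical part of the check_disk1 output
+# the grep command extracts the mountpoints and available disk space
+# the last cut command selects the mountpoints
+$(grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg | cut -d'=' -f2-) -e | cut -d'|' -f1 | grep -Eo '/[[:graph:]]* [0-9]+ [A-Z][A-Z]' | cut -f1 -d' '
+}
+
+is_reserved-blocks() {
+fs_type="$(findmnt -n --output=fstype "$1")"
+if [ "${fs_type}" = "ext4" ];
+then
+device="$(findmnt -n --output=source "$1")"
+reserved_block_count="$(tune2fs -l "${device}" | grep 'Reserved block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
+block_count="$(tune2fs -l "${device}" | grep 'Block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')"
+percentage=$(awk "BEGIN { pc=100*${reserved_block_count}/${block_count}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
+
+log "Reserved blocks for $1 is curently at $percentage%"
+if [ "${percentage}" -gt "1" ]
+then
+log "Allowing tune2fs action to reduce the number of reserved blocks"
+return 0
+else
+log "Reserved blocks already at or bellow 1%, no automatic action possible"
+return 1
+fi
+else
+log "Filesystem for $1 partition is not ext4"
+
+return 1
+fi
+}
+
+change_reserved-blocks() {
+# We alwasy keep some reserved blocks to avoid missing some logs
+# https://gitea.evolix.org/evolix/autosysadmin/issues/22
+tune2fs -m 1 "$(findmnt -n --output=source "$1")"
+log_action "Reserved blocks for $1 changed to 1 percent"
+}
+
+is_tmp_to_delete() {
+size="$(find /var/log/ -type f -ctime +1 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
+if [ -n "${size}" ]
+then
+return 0
+else
+return 1
+fi
+}
+
+is_log_to_delete() {
+size="$(find /var/log/ -type f -mtime +365 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')"
+if [ -n "${size}" ]
+then
+return 0
+else
+return 1
+fi
+}
+
+clean_apt_cache() {
+for lxc in $(du -ax /var | sort -nr | head -n10 | grep -E '/var/lib/lxc/php[0-9]+/rootfs/var/cache$' | grep -Eo 'php[0-9]+')
+do
+lxc-attach --name "${lxc}" -- apt-get clean
+log_action '[lxc/'"${lxc}"'] Clean apt cache'
+done
+case "$(du -sx /var/* | sort -rn | sed 's/^[0-9]\+[[:space:]]\+//;q')" in
+'/var/cache')
+apt-get clean
+log_action 'Clean apt cache'
+;;
+esac
+}
+
+clean_amavis_virusmails() {
+if du --inodes /var/lib/* | sort -n | tail -n3 | grep -q 'virusmails$'
+then
+find /var/lib/amavis/virusmails/ -type f -atime +30 -delete
+log_action 'Clean /var/lib/amavis/virusmails'
+fi
+}
+
+for mountpoint in $(get_mountpoints)
+do
+case "${mountpoint}" in
+/var)
+#if is_log_to_delete
+#then
+# find /var/log/ -type f -mtime +365 -delete
+# log_action "$size Mo of disk space freed in /var"
+#fi
+if is_reserved-blocks /var
+then
+change_reserved-blocks /var
+clean_apt_cache
+clean_amavis_virusmails
+hook_mail success
+fi
+;;
+/tmp)
+#if is_tmp_to_delete
+#then
+# find /tmp/ -type f -ctime +1 -delete
+# log_action "$size Mo of disk space freed in /tmp"
+#fi
+if is_reserved-blocks /tmp
+then
+change_reserved-blocks /tmp
+hook_mail success
+fi
+;;
+/home)
+if is_reserved-blocks /home
+then
+change_reserved-blocks /home
+hook_mail success
+fi
+;;
+/srv)
+if is_reserved-blocks /srv
+then
+change_reserved-blocks /srv
+hook_mail success
+fi
+;;
+/filer)
+if is_reserved-blocks /filer
+then
+change_reserved-blocks /filer
+hook_mail success
+fi
+;;
+/)
+if is_reserved-blocks /
+then
+change_reserved-blocks /
+hook_mail success
+# Suggest remove old kernel ?
+fi
+;;
+*)
+# unknown
+log 'Unknown partition (or weird case) or nothing to do'
+;;
+esac
+done
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail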
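Review bot: In the `/var)` branch, `clean_apt_cache` and `clean_amavis_virusmails` are nested inside `if is_reserved-blocks /var`, so once the reserved blocks have been lowered to 1% (the state every host reaches after the first run) a critical /var gets no cleaning at all; the two cleaners should run unconditionally and the tune2fs step stay conditional, with `hook_mail success` sent once after both. Separately, `get_mountpoints` executes as root whatever `grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg` returns after the first `=`, and that grep is unanchored, so a commented-out or second matching line silently turns into a corrupt command line; anchoring it, `grep -E '^command\[check_disk1\]='`, makes the executed text unambiguous. Also note that `is_tmp_to_delete` scans /var/log rather than /tmp and its `[ -n "${size}" ]` test is always true because awk prints `0` when nothing matched — both functions are dead today, but worth correcting before the commented-out callers are re-enabled.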
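--- /dev/null
+++ b/autosysadmin/files/scripts/repair_elasticsearch.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_elasticsearch:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_elasticsearch"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+elasticsearch_is_enabled() {
+systemd_list_units_enabled "elasticsearch.service"
+
+}
+
+elasticsearch_restart() {
+if ! timeout 60 systemctl restart elasticsearch.service > /dev/null
+then
+log_error_exit 'failed to restart elasticsearch'
+fi
+}
+
+# Test functions
+test_elasticsearch_process_present() {
+pgrep -u elasticsearch > /dev/null
+}
+
+if elasticsearch_is_enabled
+then
+if ! test_elasticsearch_process_present
+then
+log_action "Redémarrage de elasticsearch"
+elasticsearch_restart
+hook_mail success
+else
+log_error_exit "Elasticsearch process alive. Aborting"
+fi
+else
+log_error_exit "Elasticsearch is not enabled. Aborting"
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail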
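Review bot: `hook_mail success` is sent right after `elasticsearch_restart` without re-checking that the service actually came up; a restart that systemctl accepted but that crashed a moment later is reported as a successful intervention. Reuse the existing probe before mailing: `test_elasticsearch_process_present || log_error_exit 'elasticsearch not running after restart'`. Note also that `pgrep -u elasticsearch` with no pattern treats any process owned by that user as the service, so a leftover helper process would make the script abort with "process alive" while the daemon is down; `pgrep -u elasticsearch -f org.elasticsearch` (or whatever the JVM command line is on these hosts) would be more precise.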
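--- /dev/null
+++ b/autosysadmin/files/scripts/repair_http.sh
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_http:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+
+http_detect_service() {
+# check whether nginx, apache or both are supposed to be running
+if is_debian_jessie; then
+find /etc/rc2.d/
+else
+systemctl list-unit-files --state=enabled
+fi | awk '/nginx/ { nginx = 1 } /apache2/ { apache2 = 1 } END { if (nginx && apache2) { print "both" } else if (nginx) { print "nginx" } else if (apache2) { print "apache2" } }'
+# The previous awk command looks for two patterns: "nginx"
+# and "apache2". If a line matches the patterns, a variable
+# "nginx" or "apache2" is set to 1 (true). The "END" checks
+# if one or both patterns has been found.
+}
+
+http_handle_apache() {
+# check syntax
+if ! apache2ctl -t > /dev/null 2> /dev/null
+then
+log_error_exit 'apache2 configuration syntax is not valid'
+fi
+
+# try restart
+if ! timeout 20 systemctl restart apache2.service > /dev/null 2> /dev/null
+then
+log_error_exit 'failed to restart apache2'
+fi
+
+log_action "Redémarrage de Apache"
+
+internal_info "#### grep $(LANG=en_US.UTF-8 date '+%b %d') /home/*/log/error.log /var/log/apache2/*error.log (avec filtrage)"
+ERROR_LOG=$(grep "$(LANG=en_US.UTF-8 date '+%b %d')" /home/*/log/error.log /var/log/apache2/*error.log | grep -v -e "Got error 'PHP message:" -e "No matching DirectoryIndex" -e "client denied by server configuration" -e "server certificate does NOT include an ID which matches the server name" )
+internal_info "$ERROR_LOG"
+
+}
+
+http_handle_nginx() {
+# check syntax
+if ! nginx -t > /dev/null 2> /dev/null
+then
+log_error_exit 'nginx configuration syntax is not valid'
+fi
+
+# try restart
+if ! timeout 20 systemctl restart nginx.service > /dev/null 2> /dev/null
+then
+log_error_exit 'failed to restart nginx'
+fi
+
+log_action "Redémarrage de Nginx"
+}
+
+http_handle_lxc_php() {
+# check whether containers are used for PHP and reboot them if so
+if systemd_list_units_enabled 'lxc'
+then
+for php in $(lxc-ls | grep 'php'); do
+lxc-stop -n "$php"
+lxc-start --daemon -n "$php"
+log_action "lxc-fpm - Redémarrage container ${php}"
+done
+
+fi
+}
+
+http_handle_fpm_php() {
+# check whether php-fpm is installed and restart it if so
+if enabled_units="$(systemd_list_units_enabled "php.*-fpm")"
+then
+systemctl restart "${enabled_units}"
+log_action 'php-fpm - Redémarrage de php-fpm'
+fi
+}
+
+case "$(http_detect_service)" in
+nginx)
+
+http_handle_nginx
+
+http_handle_lxc_php
+http_handle_fpm_php
+
+hook_mail success
+hook_mail internal_info
+;;
+
+apache2)
+
+http_handle_apache
+
+http_handle_lxc_php
+http_handle_fpm_php
+
+hook_mail success
+hook_mail internal_info
+;;
+
+both)
+
+http_handle_nginx
+http_handle_apache
+
+http_handle_lxc_php
+http_handle_fpm_php
+
+hook_mail success
+hook_mail internal_info
+;;
+
+*)
+# unknown
+log 'nothing to do'
+;;
+esac
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail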
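Review bot: In `http_handle_fpm_php`, `systemctl restart "${enabled_units}"` breaks as soon as more than one php-fpm unit is enabled: systemd_list_units_enabled prints one unit per line (its awk output is visible earlier in functions.sh in this commit), so the quoted expansion becomes a single newline-containing argument that systemctl rejects, the exit status is never checked, and `log_action` still records a restart that did not happen. Iterate and check each unit instead: `for unit in ${enabled_units}; do systemctl restart "${unit}" || log_error_exit "failed to restart ${unit}"; done`. The same unchecked-status pattern applies to `lxc-stop`/`lxc-start` in `http_handle_lxc_php`, whereas the apache and nginx handlers above it do check their restarts.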
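--- /dev/null
+++ b/autosysadmin/files/scripts/repair_mysql.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_mysql:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_mysql"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+
+mysql_is_enabled() {
+if is_debian_jessie
+then
+find /etc/rc2.d/ -name '*mysql*' > /dev/null
+else
+systemd_list_units_enabled "mysql.service"
+fi
+}
+
+mysql_restart() {
+if is_debian_jessie
+then
+if ! timeout 60 /etc/init.d/mysql restart > /dev/null
+then
+log_error_exit 'failed to restart mysql'
+fi
+else
+if ! timeout 60 systemctl restart mysql.service > /dev/null
+then
+log_error_exit 'failed to restart mysql'
+fi
+fi
+}
+
+# Test functions
+test_mysql_process_present() {
+pgrep -u mysql mysqld > /dev/null
+}
+
+if mysql_is_enabled
+then
+if ! test_mysql_process_present
+then
+log_action "Redémarrage de MySQL"
+mysql_restart
+hook_mail success
+else
+log_error_exit "mysqld process alive. Aborting"
+fi
+else
+log_error_exit "MySQL/MariaDB not enabled. Aborting"
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail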
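Review bot: The jessie branch of `mysql_is_enabled`, `find /etc/rc2.d/ -name '*mysql*' > /dev/null`, exits 0 whether or not anything matched, so on jessie the function is always true and the script goes on to `/etc/init.d/mysql restart` on hosts where MySQL is not enabled at all. Make the test depend on actual output: `find /etc/rc2.d/ -name '*mysql*' | grep -q .`. As in the other repair scripts, `hook_mail success` follows `mysql_restart` without confirming the daemon is back; `test_mysql_process_present || log_error_exit 'mysqld not running after restart'` before the mail would keep the notification honest.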
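--- /dev/null
+++ b/autosysadmin/files/scripts/repair_opendkim.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_opendkim:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_opendkim"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+log_system_status
+
+# Functions dedicated to this repair script
+
+opendkim_is_enabled() {
+systemd_list_units_enabled "opendkim.service"
+
+}
+
+opendkim_restart() {
+if ! timeout 60 systemctl restart opendkim.service > /dev/null
+then
+log_error_exit 'failed to restart opendkim'
+fi
+}
+
+opendkim_test_process_present() {
+pgrep -u opendkim > /dev/null
+}
+
+
+# Main logic
+
+if opendkim_is_enabled
+then
+if ! opendkim_test_process_present
+then
+log_action "Redémarrage de opendkim"
+opendkim_restart
+hook_mail success
+else
+log_error_exit "opendkim process alive. Aborting"
+fi
+else
+log_error_exit "opendkim is not enabled. Aborting"
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail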
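Review bot: `opendkim_test_process_present` uses `pgrep -u opendkim` with no process pattern, so any process running as that user counts as "opendkim alive" and the repair is aborted, while a genuinely down milter with a stray helper process left behind is never restarted; `pgrep -u opendkim -x opendkim` pins it to the daemon. After `opendkim_restart`, nothing re-checks the process before `hook_mail success`, so a restart that systemctl accepted but that died immediately is still mailed as a successful intervention — `opendkim_test_process_present || log_error_exit 'opendkim not running after restart'` before the mail closes that gap. The `log_system_status` call also runs before the enabled check, which adds a log directory for every run on hosts without opendkim; moving it inside the `if opendkim_is_enabled` branch keeps the logs to actual interventions.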
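--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm56.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm56:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+if lxc-ls | grep -q php56
+then
+lxc-stop -n php56
+lxc-start --daemon -n php56
+log_action "lxc-fpm - Redémarrage container php56"
+
+internal_info "#### tail /var/lib/lxc/php56/rootfs/var/log/php5-fpm.log"
+FPM_LOG=$(tail /var/lib/lxc/php56/rootfs/var/log/php5-fpm.log)
+internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+hook_mail success
+hook_mail internal_info
+
+else
+log 'Not possible :v'
+fi
+
+else
+log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail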
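Review bot: `FPM_LOG=$(tail /var/lib/lxc/php56/rootfs/var/log/php5-fpm.log)` reads a file that lives inside the container's root filesystem, but it does so as host root and from the host namespace, so a symlink planted there by a compromised or misbehaving container (e.g. pointing at /etc/shadow or a private key) is resolved against the host and its contents are mailed out in the internal report. Read it through the container, as repair_disk.sh already does for apt, `FPM_LOG=$(lxc-attach -n php56 -- tail /var/log/php5-fpm.log)`, or at minimum refuse symlinks and non-regular files with `[ -f "$f" ] && [ ! -L "$f" ]` before tailing. The same pattern is in each of the eight repair_php_fpm*.sh scripts added here.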
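--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm70.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm70:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+if lxc-ls | grep -q php70
+then
+lxc-stop -n php70
+lxc-start --daemon -n php70
+log_action "lxc-fpm - Redémarrage container php70"
+
+internal_info "#### tail /var/lib/lxc/php70/rootfs/var/log/php7.0-fpm.log"
+FPM_LOG=$(tail /var/lib/lxc/php70/rootfs/var/log/php7.0-fpm.log)
+internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+hook_mail success
+hook_mail internal_info
+
+else
+log 'Not possible :v'
+fi
+
+else
+log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail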
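Review bot: Neither `lxc-stop -n php70` nor `lxc-start --daemon -n php70` has its exit status checked, so if the container fails to come back the script still records `log_action "lxc-fpm - Redémarrage container php70"`, mails `hook_mail success`, and tells evomaintenance the run is done — the worst outcome for an unattended repair, since the outage is now marked as handled. Check the start and abort loudly: `lxc-start --daemon -n php70 || log_error_exit 'failed to start php70 container'`. The systemd-based scripts in this same commit (repair_http.sh, repair_mysql.sh) do check their restart and exit on failure, so this would bring the LXC scripts in line.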
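--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm73.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm73:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+if lxc-ls | grep -q php73
+then
+lxc-stop -n php73
+lxc-start --daemon -n php73
+log_action "lxc-fpm - Redémarrage container php73"
+
+internal_info "#### tail /var/lib/lxc/php73/rootfs/var/log/php7.3-fpm.log"
+FPM_LOG=$(tail /var/lib/lxc/php73/rootfs/var/log/php7.3-fpm.log)
+internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+hook_mail success
+hook_mail internal_info
+
+else
+log 'Not possible :v'
+fi
+
+else
+log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail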
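Review bot: This file is the third of eight byte-for-byte copies that differ only in the container name and the fpm log filename, which means every fix (lock ordering, exit-status checks, the log read) has to be applied eight times and will drift. Since init_autosysadmin already derives `PROGNAME` from the script name (see the functions.sh hunk earlier in this commit), the container can be derived the same way, `container="php${PROGNAME#repair_php_fpm}"`, and the restart logic moved into one shared `repair_php_fpm_container` function in functions.sh, leaving each versioned script as a two-line wrapper. The only per-version datum that cannot be derived is the log name (`php7.3-fpm.log` here versus `php5-fpm.log` for php56), which a small case statement or a glob such as `php*-fpm.log` would cover.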
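--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm74.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm74:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+if lxc-ls | grep -q php74
+then
+lxc-stop -n php74
+lxc-start --daemon -n php74
+log_action "lxc-fpm - Redémarrage container php74"
+
+internal_info "#### tail /var/lib/lxc/php74/rootfs/var/log/php7.4-fpm.log"
+FPM_LOG=$(tail /var/lib/lxc/php74/rootfs/var/log/php7.4-fpm.log)
+internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+hook_mail success
+hook_mail internal_info
+
+else
+log 'Not possible :v'
+fi
+
+else
+log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail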
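Review bot: `lockfile="/run/lock/repair_http"` deliberately shares the lock with repair_http.sh and the other php-fpm scripts, which is sensible for serialising web-stack restarts, but combined with `trap 'cleanup' 0` being armed before `acquire_lock_or_exit "${lockfile}" 15s` it means that when this script gives up after the 15s wait its EXIT trap deletes the lock repair_http.sh is still holding, and the next script in the cron sequence walks straight through. Arm the trap only after the lock is acquired, `acquire_lock_or_exit "${lockfile}" 15s` then `trap 'cleanup' 0`, assuming acquire_lock_or_exit exits on contention as its name suggests (it is defined outside this hunk). A comment above the lockfile line explaining why the shared name is intentional, e.g. `# shared with repair_http.sh: never restart php-fpm and the web server concurrently`, would also stop someone "fixing" it later.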
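--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm80.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm80:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+if lxc-ls | grep -q php80
+then
+lxc-stop -n php80
+lxc-start --daemon -n php80
+log_action "lxc-fpm - Redémarrage container php80"
+
+internal_info "#### tail /var/lib/lxc/php80/rootfs/var/log/php8.0-fpm.log"
+FPM_LOG=$(tail /var/lib/lxc/php80/rootfs/var/log/php8.0-fpm.log)
+internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+hook_mail success
+hook_mail internal_info
+
+else
+log 'Not possible :v'
+fi
+
+else
+log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail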
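Review bot: Both "nothing done" branches — `log 'Not possible :v'` when the php80 container is absent and `log 'Error, not a multi-php install'` — fall through to `evomaintenance.sh -m "$0: done"`, so a run that repaired nothing is still recorded as a completed intervention, and the first message gives an operator reading the log no idea what was impossible. The other scripts in this commit use log_error_exit for such aborts; doing the same here, `log_error_exit 'php80 container not found, nothing to do'` and `log_error_exit 'lxc not enabled, not a multi-php install'`, ends the run before the evomaintenance record. `lxc-ls | grep -q php80` is also a substring match; `grep -qx php80` restricts it to the exact container name.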
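--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm81.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm81:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+if lxc-ls | grep -q php81
+then
+lxc-stop -n php81
+lxc-start --daemon -n php81
+log_action "lxc-fpm - Redémarrage container php81"
+
+internal_info "#### tail /var/lib/lxc/php81/rootfs/var/log/php8.1-fpm.log"
+FPM_LOG=$(tail /var/lib/lxc/php81/rootfs/var/log/php8.1-fpm.log)
+internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+hook_mail success
+hook_mail internal_info
+
+else
+log 'Not possible :v'
+fi
+
+else
+log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail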
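Review bot: The `tail` of php8.1-fpm.log is taken after `lxc-stop`/`lxc-start`, so the ten lines that reach the internal mail are the fresh startup messages of the new php-fpm, not the error state that triggered the repair — the evidence an engineer needs to find the root cause is pushed out of the window by the restart itself. Capture the log before the restart (move the `internal_info "#### tail …"` and `FPM_LOG=$(tail …)` lines above `lxc-stop -n php81`), or capture both and label them. This matters for forensics: once the container is rebooted the pre-incident lines are only recoverable from the log file itself, if it has not rotated.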
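--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm82.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm82:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+if lxc-ls | grep -q php82
+then
+lxc-stop -n php82
+lxc-start --daemon -n php82
+log_action "lxc-fpm - Redémarrage container php82"
+
+internal_info "#### tail /var/lib/lxc/php82/rootfs/var/log/php8.2-fpm.log"
+FPM_LOG=$(tail /var/lib/lxc/php82/rootfs/var/log/php8.2-fpm.log)
+internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+hook_mail success
+hook_mail internal_info
+
+else
+log 'Not possible :v'
+fi
+
+else
+log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail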
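Review bot: `if systemd_list_units_enabled 'lxc'` passes its argument as an unanchored awk regex (see the helper's definition in the functions.sh hunk earlier in this commit), so any enabled unit whose name merely contains "lxc" — lxc-net.service, lxcfs.service — satisfies the "multi-php install" check even when the lxc service itself is disabled, after which `lxc-ls` may fail or list nothing and the script ends in the misleading `log 'Not possible :v'` branch. Anchor it to the unit you mean, `systemd_list_units_enabled '^lxc\.service'`, or test the container state directly with `lxc-info -n php82 -s`. The same loose pattern is used in repair_http.sh's `http_handle_lxc_php`.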
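--- /dev/null
+++ b/autosysadmin/files/scripts/repair_php_fpm83.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_php_fpm83:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_http"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}" 15s
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+log_check_php_fpm
+
+if systemd_list_units_enabled 'lxc'
+then
+
+if lxc-ls | grep -q php83
+then
+lxc-stop -n php83
+lxc-start --daemon -n php83
+log_action "lxc-fpm - Redémarrage container php83"
+
+internal_info "#### tail /var/lib/lxc/php83/rootfs/var/log/php8.3-fpm.log"
+FPM_LOG=$(tail /var/lib/lxc/php83/rootfs/var/log/php8.3-fpm.log)
+internal_info "$FPM_LOG" "$(read_log_system_status)"
+
+hook_mail success
+hook_mail internal_info
+
+else
+log 'Not possible :v'
+fi
+
+else
+log 'Error, not a multi-php install'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail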
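--- a/autosysadmin/files/scripts/repair_redis.sh
+++ b/autosysadmin/files/scripts/repair_redis.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_redis:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_redis"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+handle_redis() {
+for service in $(systemd_list_service_failed redis*)
+do
+# ne rien faire si le service est désactivé
+if ! systemctl is-enabled --quiet "${service}"
+then
+continue
+fi
+
+# ne rien faire si le service est actif
+if systemctl is-active --quiet "${service}"
+then
+continue
+fi
+
+if ! timeout 20 systemctl restart redis.service > /dev/null 2> /dev/null
+then
+log_error_exit "failed to restart redis ${service}"
+fi
+
+log_action "Redémarrer service ${service}"
+done
+}
+
+if ( systemd_list_units_enabled 'redis.*\.service$' ) > /dev/null
+then
+handle_redis
+hook_mail success
+else
+log 'Error: redis service is not enabled'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail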
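Review bot: `handle_redis` iterates over the failed `redis*` units but always restarts the fixed unit `redis.service`, so a failed `redis-sentinel.service` (if one is present) is logged as restarted without being touched, and the error message even names `${service}` as what was attempted. The restart should target the unit the loop is on: `if ! timeout 20 systemctl restart "${service}" > /dev/null 2> /dev/null`. The unquoted `redis*` argument on the `for` line is also subject to shell globbing against the current directory before it reaches `systemd_list_service_failed`; quote it as `'redis*'`, as the `if` line below already quotes its pattern.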
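--- a/autosysadmin/files/scripts/repair_template.sh
+++ b/autosysadmin/files/scripts/repair_template.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+# Comment this line to enable
+repair_template=off
+test "${repair_template:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_template"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+log_system_status
+
+# Functions dedicated to this repair script
+
+template_is_enabled() {
+systemd_list_units_enabled "template.service"
+
+}
+
+template_restart() {
+if ! timeout 60 systemctl restart template.service > /dev/null
+then
+log_error_exit 'failed to restart template'
+fi
+}
+
+template_test_process_present() {
+pgrep -u template > /dev/null
+}
+
+
+# Main logic
+
+if template_is_enabled
+then
+if ! template_test_process_present
+then
+log_action "Redémarrage de template"
+template_restart
+hook_mail success
+else
+log_error_exit "template process alive. Aborting"
+fi
+else
+log_error_exit "template is not enabled. Aborting"
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail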
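--- a/autosysadmin/files/scripts/repair_tomcat_instance.sh
+++ b/autosysadmin/files/scripts/repair_tomcat_instance.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_tomcat_instance:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_tomcat_instance"
+cleanup() {
+rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+
+repair_tomcat_instance_handle_tomcat() {
+
+if /bin/su - "${1}" -c "/bin/systemctl --quiet --user is-active tomcat.service" ; then
+if ! /bin/su - "${1}" -c "/usr/bin/timeout 20 /bin/systemctl --quiet --user restart tomcat.service"
+then
+log_error_exit "Echec de redémarrage instance tomcat utilisateur ${1}"
+else
+log_action "Redémarrage instance tomcat utilisateur ${1}"
+fi
+elif /bin/systemctl --quiet is-active "${1}".service ; then
+if ! /usr/bin/timeout 20 systemctl --quiet restart "${1}".service
+then
+log_error_exit "Echec de redémarrage instance tomcat ${1}"
+else
+log_action "Redémarrage instance tomcat ${1}"
+fi
+fi
+
+}
+
+for instance in $( /usr/local/lib/nagios/plugins/check_tomcat_instance.sh |grep CRITICAL |awk '{print $3}' |sed '1d') ;
+do
+repair_tomcat_instance_handle_tomcat "${instance}"
+done
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail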
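Review bot: `repair_tomcat_instance_handle_tomcat` does nothing, and logs nothing, when neither the user unit nor the system unit is active, so a CRITICAL instance whose unit is already dead leaves no trace in the action log; an `else log "tomcat instance ${1}: no active unit, skipped"` branch before the final `fi` closes that gap. The `${1}` value is the third column of check_tomcat_instance.sh output and goes straight into `su - "${1}"`, so it is worth rejecting anything that is not a plausible login name at the top of the function, e.g. `case "${1}" in ""|-*|*[!a-zA-Z0-9._-]*) log_error_exit "invalid instance name ${1}";; esac`. The `sed '1d'` on the `for` line drops the first CRITICAL line for a reason that is not stated; a comment such as `# first CRITICAL line is the plugin summary, not an instance` (if that is the intent) would help the next reader.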
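--- a/autosysadmin/files/scripts/restart_amavis.sh
+++ b/autosysadmin/files/scripts/restart_amavis.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+restart_amavis() {
+/etc/init.d/amavis stop 2>/dev/null
+/etc/init.d/clamav-freshclam stop 2>/dev/null
+/etc/init.d/clamav-daemon stop 2>/dev/null
+
+if systemctl is-enabled --quiet 'clamav-freshclam.service'
+then
+freshclam
+log_action "Mise à jour des définitions antivirus"
+fi
+
+if systemctl is-enabled --quiet 'clamav-daemon.service'
+then
+/etc/init.d/clamav-daemon start
+log_action "Redémarrage de clamav-daemon"
+else
+log 'Error, clamav not installed'
+fi
+
+if systemctl is-enabled --quiet 'clamav-freshclam.service'
+then
+/etc/init.d/clamav-freshclam start
+log_action "Redémarrage de clamav-freshclam"
+fi
+
+if systemctl is-enabled --quiet 'amavis.service'
+then
+/etc/init.d/amavis start
+log_action "Redémarrage de amavis"
+else
+log 'Error, amavis not installed'
+fi
+}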
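Review bot: `freshclam` on the line after the first `then` is the only long-running command in this file not wrapped in `timeout`, whereas every restart in the sibling repair scripts is; a stalled definition download keeps the caller's lock held and delays the clamav-daemon and amavis restarts that follow. `timeout 300 freshclam` (value to be tuned) bounds it. Each `/etc/init.d/... start` call and `freshclam` itself is followed by `log_action` regardless of exit status, so a failed start is recorded as a successful restart; testing each start and calling `log_error_exit` on failure would match the other scripts. `restart_amavis` uses `log_action` and `log` but this file sources nothing, so it presumably only works when sourced from a script that has already loaded functions.sh; a one-line comment stating that would save a reader from running it directly.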
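--- a/autosysadmin/handlers/main.yml
+++ b/autosysadmin/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Restart nagios-nrpe-server
+ansible.builtin.service:
+name: nagios-nrpe-server
+state: restarted
+
+- name: Restart nrpe
+ansible.builtin.service:
+name: nrpe
+state: restarted
+
+- name: Restart rsyslog
+ansible.builtin.service:
+name: rsyslog
+state: restarted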
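Review bot: `Restart nrpe` appears to be unused in this commit: the only NRPE-related task visible (nrpe.yml) notifies `Restart nagios-nrpe-server`, so on a host where the unit is named nrpe the notified handler fails and the spare one never runs. If both unit names must be supported, let the task notify a single handler whose `name:` comes from a variable, or use `listen:` on both handlers so one notification reaches whichever exists; otherwise drop the unused handler.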
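--- a/autosysadmin/tasks/autosysadmin_scripts.yml
+++ b/autosysadmin/tasks/autosysadmin_scripts.yml
@@ -0,0 +1,61 @@
+---
+- name: "Remount /usr if needed"
+ansible.builtin.import_role:
+name: remount-usr
+
+- name: Create autosysadmin directory
+ansible.builtin.file:
+path: "{{ autosysadmin_dir }}"
+state: directory
+owner: "root"
+group: "root"
+mode: "0750"
+tags:
+- autosysadmin
+
+- name: Copy scripts
+ansible.builtin.copy:
+src: "files/scripts/{{ item }}"
+dest: "{{ autosysadmin_dir }}/{{ item }}"
+owner: root
+group: root
+mode: "0750"
+loop:
+- "functions.sh"
+- "restart_amavis.sh"
+- "repair_amavis.sh"
+- "repair_disk.sh"
+- "repair_elasticsearch.sh"
+- "repair_http.sh"
+- "repair_mysql.sh"
+- "repair_php_fpm56.sh"
+- "repair_php_fpm70.sh"
+- "repair_php_fpm73.sh"
+- "repair_php_fpm74.sh"
+- "repair_php_fpm80.sh"
+- "repair_php_fpm81.sh"
+- "repair_php_fpm82.sh"
+- "repair_php_fpm83.sh"
+- "repair_tomcat_instance.sh"
+tags:
+- autosysadmin
+
+- name: Ensure /etc/evolinux folder exists
+ansible.builtin.file:
+path: "/etc/evolinux"
+state: directory
+owner: "root"
+group: "root"
+mode: "0700"
+tags:
+- autosysadmin
+
+- name: Copy the configuration file
+ansible.builtin.template:
+src: "autosysadmin.cf.j2"
+dest: "/etc/evolinux/autosysadmin"
+owner: root
+group: root
+mode: "0640"
+tags:
+- autosysadmin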
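Review bot: The `loop` of the Copy scripts task does not include `repair_redis.sh`, although this commit adds autosysadmin/files/scripts/repair_redis.sh and both autosysadmin.cfg.j2 and sudoers.j2 reference `{{ autosysadmin_dir }}/repair_redis.sh`; the NRPE command `repair_redis` will invoke a path that is never installed. The same applies to `repair_opendkim.sh`, which both templates list but no task copies (the script itself is not visible in this chunk). Add `- "repair_redis.sh"` (and `- "repair_opendkim.sh"` if that script exists under files/scripts) to the loop. The first task imports remount-usr without `tags`, so a run limited to `--tags autosysadmin` presumably skips the remount while the tagged tasks below still write under `{{ autosysadmin_dir }}`; giving the import the same tag keeps the two in step.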
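--- a/autosysadmin/tasks/dependencies.yml
+++ b/autosysadmin/tasks/dependencies.yml
@@ -0,0 +1,4 @@
+---
+- name: Install gcal
+ansible.builtin.apt:
+name: gcal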
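--- a/autosysadmin/tasks/logrotate.yml
+++ b/autosysadmin/tasks/logrotate.yml
@@ -0,0 +1,10 @@
+---
+- name: Copy logrotate configuration for autosysadmin
+ansible.builtin.copy:
+src: "files/logrotate_autosysadmin.conf"
+dest: "/etc/logrotate.d/autosysadmin"
+owner: root
+group: root
+mode: "0644"
+tags:
+- autosysadmin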
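--- a/autosysadmin/tasks/main.yml
+++ b/autosysadmin/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Install dependencies
+ansible.builtin.import_tasks: dependencies.yml
+tags:
+- autosysadmin
+
+- name: Install autosysadmin scripts
+ansible.builtin.import_tasks: autosysadmin_scripts.yml
+tags:
+- autosysadmin
+
+- name: Amend NRPE configuration
+ansible.builtin.import_tasks: nrpe.yml
+tags:
+- autosysadmin
+
+- name: Amend sudo configuration
+ansible.builtin.import_tasks: sudo.yml
+tags:
+- autosysadmin
+
+- name: Amend rsyslog configuration
+ansible.builtin.import_tasks: rsyslog.yml
+tags:
+- autosysadmin
+
+- name: Amend logrotate configuration
+ansible.builtin.import_tasks: logrotate.yml
+tags:
+- autosysadmin
+
+- name: Install last version of dump-server-state
+ansible.builtin.import_role:
+name: evolinux-base
+tasks_from: dump-server-state.yml
+tags:
+- autosysadmin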
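--- a/autosysadmin/tasks/nrpe.yml
+++ b/autosysadmin/tasks/nrpe.yml
@@ -0,0 +1,11 @@
+---
+- name: Custom configuration is present
+ansible.builtin.template:
+src: autosysadmin.cfg.j2
+dest: /etc/nagios/nrpe.d/autosysadmin.cfg
+group: nagios
+mode: "0640"
+force: true
+notify: Restart nagios-nrpe-server
+tags:
+- autosysadmin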
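Review bot: The template task sets `group: nagios` and `mode: "0640"` but no `owner`, so ownership of /etc/nagios/nrpe.d/autosysadmin.cfg is whatever account the play connects as; since this file defines the commands NRPE runs through sudo, pin it with `owner: root` so the nagios user keeps read access only. `force: true` is the template module's default and can be dropped.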
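--- a/autosysadmin/tasks/rsyslog.yml
+++ b/autosysadmin/tasks/rsyslog.yml
@@ -0,0 +1,11 @@
+---
+- name: Copy rsyslog configuration for autosysadmin
+ansible.builtin.copy:
+src: "files/rsyslog_autosysadmin.conf"
+dest: "/etc/rsyslog.d/autosysadmin.conf"
+owner: root
+group: root
+mode: "0644"
+notify: Restart rsyslog
+tags:
+- autosysadmin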
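--- a/autosysadmin/tasks/sudo.yml
+++ b/autosysadmin/tasks/sudo.yml
@@ -0,0 +1,9 @@
+---
+- name: Add autosysadmin sudoers file
+ansible.builtin.template:
+src: sudoers.j2
+dest: /etc/sudoers.d/autosysadmin
+mode: "0600"
+validate: "visudo -cf %s"
+tags:
+- autosysadmin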
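Review bot: The sudoers task sets `mode: "0600"` but neither `owner` nor `group`; sudo ignores drop-ins under /etc/sudoers.d that are not owned by uid 0, and the `validate` step checks syntax only, not ownership. Add `owner: root` and `group: root` so the file is loaded regardless of the account the play ran as. The usual mode for sudoers.d files is "0440"; 0600 works because sudo reads as root, but matching the convention makes the intent clear.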
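--- a/autosysadmin/templates/autosysadmin.cf.j2
+++ b/autosysadmin/templates/autosysadmin.cf.j2
@@ -0,0 +1,74 @@
+#
+# Ansible managed - DO NOT MODIFY, your changes will be **overwritten** !
+#
+# Update the hosts_vars/group_vars on the autosysadmin project
+# https://gitea.evolix.org/evolix/autosysadmin/src/branch/master
+#
+
+# Configuration for autosysadmin
+# Use this file to change configuration values defined in repair scripts
+# Ex : repair_http=off
+
+{% if repair_amavis == "off" %}
+repair_amavis=off
+{% endif %}
+
+{% if repair_disk == "off" %}
+repair_disk=off
+{% endif %}
+
+{% if repair_elasticsearch == "off" %}
+repair_elasticsearch=off
+{% endif %}
+
+{% if repair_http == "off" %}
+repair_http=off
+{% endif %}
+
+{% if repair_mysql == "off" %}
+repair_mysql=off
+{% endif %}
+
+{% if repair_opendkim == "off" %}
+repair_opendkim=off
+{% endif %}
+
+{% if repair_php_fpm56 == "off" %}
+repair_php_fpm56=off
+{% endif %}
+
+{% if repair_php_fpm70 == "off" %}
+repair_php_fpm70=off
+{% endif %}
+
+{% if repair_php_fpm73 == "off" %}
+repair_php_fpm73=off
+{% endif %}
+
+{% if repair_php_fpm74 == "off" %}
+repair_php_fpm74=off
+{% endif %}
+
+{% if repair_php_fpm80 == "off" %}
+repair_php_fpm80=off
+{% endif %}
+
+{% if repair_php_fpm81 == "off" %}
+repair_php_fpm81=off
+{% endif %}
+
+{% if repair_php_fpm82 == "off" %}
+repair_php_fpm82=off
+{% endif %}
+
+{% if repair_php_fpm83 == "off" %}
+repair_php_fpm83=off
+{% endif %}
+
+{% if repair_redis == "off" %}
+repair_redis=off
+{% endif %}
+
+{% if repair_tomcat_instance == "off" %}
+repair_tomcat_instance=off
+{% endif %}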
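Review bot: Each `{% if repair_x == "off" %}` compares with the literal string "off", so a host_vars entry written as unquoted YAML `repair_http: off` arrives as the boolean false, never matches, and the script is not disabled; and a variable that is not defined at all makes the template fail unless every repair_* has a default elsewhere (not visible in this chunk). A comparison that tolerates both forms, e.g. `{% if repair_http | default('on') | string | lower in ['off', 'false'] %}`, covers both cases. Separately, the template only ever emits `name=off` lines while each script defaults to off when its variable is unset (`"${repair_http:=off}"`), so unless `load_conf` pre-sets these to on, nothing in this file can enable a script; the header comment should say which side owns the default.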
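--- a/autosysadmin/templates/autosysadmin.cfg.j2
+++ b/autosysadmin/templates/autosysadmin.cfg.j2
@@ -0,0 +1,22 @@
+#
+# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
+#
+
+# Autosysadmin repair commands
+command[repair_amavis]=sudo {{ autosysadmin_dir }}/repair_amavis.sh
+command[repair_disk]=sudo {{ autosysadmin_dir }}/repair_disk.sh
+command[repair_elasticsearch]=sudo {{ autosysadmin_dir }}/repair_elasticsearch.sh
+command[repair_http]=sudo {{ autosysadmin_dir }}/repair_http.sh
+command[repair_mysql]=sudo {{ autosysadmin_dir }}/repair_mysql.sh
+command[repair_opendkim]=sudo {{ autosysadmin_dir }}/repair_opendkim.sh
+command[repair_php_fpm56]=sudo {{ autosysadmin_dir }}/repair_php_fpm56.sh
+command[repair_php_fpm70]=sudo {{ autosysadmin_dir }}/repair_php_fpm70.sh
+command[repair_php_fpm73]=sudo {{ autosysadmin_dir }}/repair_php_fpm73.sh
+command[repair_php_fpm74]=sudo {{ autosysadmin_dir }}/repair_php_fpm74.sh
+command[repair_php_fpm80]=sudo {{ autosysadmin_dir }}/repair_php_fpm80.sh
+command[repair_php_fpm81]=sudo {{ autosysadmin_dir }}/repair_php_fpm81.sh
+command[repair_php_fpm82]=sudo {{ autosysadmin_dir }}/repair_php_fpm82.sh
+command[repair_php_fpm83]=sudo {{ autosysadmin_dir }}/repair_php_fpm83.sh
+command[repair_redis]=sudo {{ autosysadmin_dir }}/repair_redis.sh
+command[repair_tomcat_instance]=sudo {{ autosysadmin_dir }}/repair_tomcat_instance.sh
+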
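--- a/autosysadmin/templates/sudoers.j2
+++ b/autosysadmin/templates/sudoers.j2
@@ -0,0 +1,21 @@
+#
+# Ansible managed - DO NOT MODIFY, your changes will be overwritten !
+#
+
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_amavis.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_disk.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_elasticsearch.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_http.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_mysql.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_opendkim.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm56.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm70.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm73.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm74.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm80.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm81.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm82.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm83.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_redis.sh
+nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_tomcat_instance.sh
+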
|
@ -10,4 +10,4 @@ Minimal configuration is in `tasks/main.yml`
|
|||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
||||
waening : sync chroot-bind.sh
|
||||
warning : sync chroot-bind.sh
|
||||
|
|
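--- a/bind/files/apparmor.usr.sbin.named
+++ b/bind/files/apparmor.usr.sbin.named
@@ -0,0 +1,5 @@
+/var/chroot-bind/etc/bind/** r,
+/var/chroot-bind/var/** rw,
+/var/chroot-bind/dev/** rw,
+/var/chroot-bind/run/** rw,
+/var/chroot-bind/usr/** r,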
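Review bot: `/var/chroot-bind/var/** rw,` grants write access to the whole var subtree of the chroot, including the copied lib and cache directories, which the profile template deleted in this commit limited separately (`/var/cache/bind/** lrw`, `/var/lib/bind/** rw`, the nzd lock with `rwk`). If named needs to link or lock files under the chroot cache (journal files, allow-new-zones), `rw` alone will still produce denials; narrower lines such as `/var/chroot-bind/var/cache/bind/** lrwk,` and `/var/chroot-bind/var/lib/bind/** rw,` keep the old granularity. A one-line header comment stating that these rules are for `-t /var/chroot-bind` deployments would also help, since tasks/main.yml appears to install the file whenever apparmor is present rather than only when the chroot is enabled.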
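--- a/bind/files/bind-reload-zone.sh
+++ b/bind/files/bind-reload-zone.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Script utilitaire pour tester et recharger facilement une zone dans Bind
+#
+
+usage() {
+echo "Usage: bind-reload-zone <DOMAIN>"
+echo " bind-reload-zone -h|--help"
+}
+
+if [ $# -ne 1 ] ; then
+usage
+exit 1
+fi
+
+while :; do
+case $1 in
+-h|--help)
+usage
+exit 0
+;;
+*)
+zone=$1
+break
+;;
+esac
+shift
+done
+
+if ! [ -f "/etc/bind/db.${zone}" ]; then
+>&2 echo "Error: zone for ${zone} not found."
+usage
+exit 1
+fi
+
+named-checkzone "${zone}" /etc/bind/db."${zone}" && rndc reload "${zone}"
+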
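Review bot: The `while :; do case $1 in ... esac; shift; done` loop is dead weight given the `[ $# -ne 1 ]` guard above it: with exactly one argument the `*)` branch always breaks on the first iteration and `shift` is never reached. `case "$1" in -h|--help) usage; exit 0;; esac` followed by `zone=$1` expresses the same thing without the loop. The missing-argument path prints usage on stdout while the zone-not-found path writes its error to stderr; sending usage to stderr in both error paths keeps them consistent for callers that capture output.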
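--- a/bind/files/bind-reload-zone_completion.sh
+++ b/bind/files/bind-reload-zone_completion.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+_bind_reload_zone_dynamic_completion() {
+local cur;
+cur=${COMP_WORDS[COMP_CWORD]};
+COMPREPLY=();
+COMPREPLY=( $( compgen -W '$(grep -v -h '"'"'//'"'"' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep -v arpa | awk '"'"'{gsub(/"/, "", $2); print $2}'"'"' | sort | uniq)' -- $cur ) );
+
+# reverse ipv4 :
+#grep -v -h '//' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep arpa | grep -v ip6 | awk '{gsub(/"/, "", $2); gsub(/.in-addr.arpa/, "", $2); print $2}' | sort | uniq | awk -F'.' '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1 }'
+
+# reveres ipv6 : je bloque sur l'inversion 4 par 4
+#grep -v -h '//' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep arpa | grep ip6 | awk '{gsub(/"/, "", $2); gsub(/.ip6.arpa/, "", $2); print $2}' | sort | uniq | awk -F'.' '{ for (i=NF; i>1; i--) { if ($i % 4 == 0) printf("%s.",$i); else printf("%s",$i); } print $1 }'
+
+}
+
+complete -F _bind_reload_zone_dynamic_completion bind-reload-zone
+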
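Review bot: The `grep -B1 "type master"` inside the `compgen -W` command only finds zones declared with the legacy keyword; BIND also accepts `type primary;` as the synonym, and such zones will not complete. `grep -B1 -E "type (master|primary)"` covers both spellings. The `$cur` at the end of the same line is unquoted and the surrounding `$( ... )` is word-split unquoted (shellcheck SC2207); `-- "$cur"` is the minimal fix, and the trailing semicolons on `local cur;` and `COMPREPLY=();` are noise.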
|
@ -3,12 +3,17 @@
|
|||
# Gregory Colpart <reg@debian.org>
|
||||
# chroot (or re-chroot) script for bind9
|
||||
|
||||
# tested on Debian Wheezy/Jessie/Stretch
|
||||
# tested on Debian Wheezy/Jessie/Stretch/Buster/Bullseye/Bookworm
|
||||
# Exec this script after `(apt-get|aptitude|apt) install bind9`
|
||||
# and after *each* bind9 upgrade
|
||||
|
||||
# When the script is finished, ensure you have
|
||||
# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9
|
||||
# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/named
|
||||
# (since Bullseye) or, until Buster, in /etc/default/bind9
|
||||
#
|
||||
# Since Bookmworm, one also needs to handle bind mount points
|
||||
# https://wiki.evolix.org/HowtoBind#bind-mount-%C3%A0-partir-de-bookworm-debian-12
|
||||
#
|
||||
# and /etc/init.d/bind9 (re)start
|
||||
#
|
||||
# for Jessie/systemd only:
|
||||
|
@ -22,8 +27,10 @@ mkdir -p /var/chroot-bind
|
|||
mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \
|
||||
/var/chroot-bind/lib /var/chroot-bind/usr/lib \
|
||||
/var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \
|
||||
/var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \
|
||||
/var/chroot-bind/run/named/
|
||||
/var/chroot-bind/var/log /var/chroot-bind/var/run/named \
|
||||
/var/chroot-bind/run/named /var/chroot-bind/usr/share/dns
|
||||
|
||||
chmod 750 /var/chroot-bind
|
||||
|
||||
# for conf
|
||||
if [ ! -h "/etc/bind" ]; then
|
||||
|
@ -31,6 +38,11 @@ if [ ! -h "/etc/bind" ]; then
|
|||
ln -s /var/chroot-bind/etc/bind/ /etc/bind
|
||||
fi
|
||||
|
||||
# for dns
|
||||
if [ -d "/usr/share/dns" ]; then
|
||||
cp -a /usr/share/dns/* /var/chroot-bind/usr/share/dns/
|
||||
fi
|
||||
|
||||
# for logs
|
||||
touch /var/chroot-bind/var/log/bind.log
|
||||
if [ ! -h "/var/log/bind.log" ]; then
|
||||
|
@ -58,11 +70,16 @@ fi
|
|||
#chmod 666 /var/chroot-bind/dev/{null,random}
|
||||
|
||||
# essential libs
|
||||
for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \
|
||||
/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do
|
||||
install -D $i /var/chroot-bind/${i##/}
|
||||
for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1`
|
||||
do install -D $i /var/chroot-bind/${i##/}
|
||||
done
|
||||
|
||||
if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then
|
||||
for i in /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so
|
||||
do install -D $i /var/chroot-bind/${i##/}
|
||||
done
|
||||
fi
|
||||
|
||||
# essential (hum, bash is required ??)
|
||||
#cp /bin/bash /var/chroot-bind/bin/
|
||||
cp /usr/sbin/named /var/chroot-bind/usr/sbin/
|
||||
|
|
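Review bot: The new guard `if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then` hands `ls` and the expanded glob to the `[` builtin instead of running ls, so the test fails with `unary operator expected` (or `too many arguments` when the glob matches several paths) and is always false; the libgost copy loop inside it never runs. Drop the brackets: `if ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so >/dev/null 2>&1; then`, or use the shell-native form `if compgen -G "/usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so" >/dev/null; then`. This hunk of chroot-bind.sh starts mid-file, so the unquoted `$i` in the surrounding `install -D $i` loops is pre-existing.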
|
@ -1,14 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Script utilitaire pour tester et recharger facilement un domaine dans Bind
|
||||
# Usage : reload-zone <DOMAINE>
|
||||
#
|
||||
# TODO:
|
||||
# - renommer le script (par ex bind-safe-reload)
|
||||
# - vérifier le serial
|
||||
# - ajouter un -h --help
|
||||
# - prendre en charge plusieurs zones (ou aucune)
|
||||
# - ajouter le script dans le role bind
|
||||
|
||||
named-checkzone "$1" /etc/bind/db."$1" && rndc reload "$1"
|
||||
|
|
@ -3,7 +3,6 @@
|
|||
ansible.builtin.systemd:
|
||||
daemon-reload: yes
|
||||
|
||||
|
||||
- name: restart apparmor
|
||||
ansible.builtin.systemd:
|
||||
name: apparmor
|
||||
|
|
|
@ -14,6 +14,8 @@ galaxy_info:
|
|||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
- bullseye
|
||||
- bookworm
|
||||
|
||||
galaxy_tags: []
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
|
|
|
@ -17,13 +17,13 @@
|
|||
register: check_apparmor
|
||||
|
||||
- name: configure apparmor
|
||||
ansible.builtin.template:
|
||||
src: apparmor.usr.sbin.named.j2
|
||||
dest: /etc/apparmor.d/usr.sbin.named
|
||||
owner: root
|
||||
group: root
|
||||
ansible.builtin.copy:
|
||||
src: apparmor.usr.sbin.named
|
||||
dest: /etc/apparmor.d/local/usr.sbin.named
|
||||
mode: "0644"
|
||||
owner: root
|
||||
force: true
|
||||
backup: yes
|
||||
notify: restart apparmor
|
||||
when: check_apparmor.rc == 0
|
||||
|
||||
|
@ -94,13 +94,67 @@
|
|||
- bind_chroot_set | bool
|
||||
- chrootbind_run.stdout | length > 0
|
||||
|
||||
- name: Modify OPTIONS in /etc/default/bind9 for chroot
|
||||
- name: Modify OPTIONS in /etc/default/bind9 for chroot (until Buster)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/default/bind9
|
||||
regexp: '^OPTIONS=.*'
|
||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
||||
notify: restart bind
|
||||
when: bind_chroot_set | bool
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('11', '<')
|
||||
|
||||
- name: Modify OPTIONS in /etc/default/named for chroot (since Bullseye)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/default/named
|
||||
regexp: '^OPTIONS=.*'
|
||||
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('11', '>=')
|
||||
|
||||
- name: Create mount target directory for chroot (since Bookworm)
|
||||
ansible.builtin.file:
|
||||
path: /var/chroot-bind/run/systemd/journal
|
||||
state: directory
|
||||
owner: bind
|
||||
group: bind
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: Create mount targets for chroot (since Bookworm)
|
||||
ansible.builtin.file:
|
||||
path: '{{ item }}'
|
||||
state: touch
|
||||
owner: bind
|
||||
group: bind
|
||||
loop:
|
||||
- /var/chroot-bind/run/systemd/journal/socket
|
||||
- /var/chroot-bind/run/systemd/journal/stdout
|
||||
- /var/chroot-bind/run/systemd/notify
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: Set up bind mount for chroot (since Bookworm)
|
||||
ansible.posix.mount:
|
||||
src: "{{ item }}"
|
||||
path: "/var/chroot-bind{{ item }}"
|
||||
opts: bind
|
||||
state: mounted
|
||||
fstype: none
|
||||
loop:
|
||||
- /run/systemd/journal/socket
|
||||
- /run/systemd/journal/stdout
|
||||
- /run/systemd/notify
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_chroot_set | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: logrotate for bind
|
||||
ansible.builtin.template:
|
||||
|
|
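Review bot: The three new Bookworm tasks hardcode `/var/chroot-bind` in `path:` (directory, touch and mount), while the two OPTIONS tasks in the same hunk use `{{ bind_chroot_path }}`; if that variable is ever set to another directory the mount points land outside the chroot named is started with. Use `path: "{{ bind_chroot_path }}/run/systemd/journal"` and `path: "{{ bind_chroot_path }}{{ item }}"`. `state: touch` in the mount-targets task also updates the timestamps on every run, so the play reports changed and the `notify: restart bind` fires each time; adding `modification_time: preserve` and `access_time: preserve` to that task makes it idempotent. In the earlier hunk of this file the apparmor copy task dropped the `group: root` that the replaced template task had, and its `backup: yes` should be `backup: true`.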
|
@ -1,97 +0,0 @@
|
|||
# vim:syntax=apparmor
|
||||
# Last Modified: Tue Mar 9 14:17:50 EST 2021
|
||||
#include <tunables/global>
|
||||
|
||||
/usr/sbin/named flags=(attach_disconnected) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
|
||||
capability net_bind_service,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_chroot,
|
||||
capability sys_resource,
|
||||
|
||||
# /etc/bind should be read-only for bind
|
||||
# /var/lib/bind is for dynamically updated zone (and journal) files.
|
||||
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
|
||||
# See /usr/share/doc/bind9/README.Debian.gz
|
||||
/etc/bind/** r,
|
||||
/var/lib/bind/** rw,
|
||||
/var/lib/bind/ rw,
|
||||
/var/cache/bind/** lrw,
|
||||
/var/cache/bind/ rw,
|
||||
|
||||
# Database file used by allow-new-zones
|
||||
/var/cache/bind/_default.nzd-lock rwk,
|
||||
|
||||
# gssapi
|
||||
/etc/krb5.keytab kr,
|
||||
/etc/bind/krb5.keytab kr,
|
||||
|
||||
# ssl
|
||||
/etc/ssl/openssl.cnf r,
|
||||
|
||||
# root hints from dns-data-root
|
||||
/usr/share/dns/root.* r,
|
||||
|
||||
# GeoIP data files for GeoIP ACLs
|
||||
/usr/share/GeoIP/** r,
|
||||
|
||||
# dnscvsutil package
|
||||
/var/lib/dnscvsutil/compiled/** rw,
|
||||
|
||||
# Allow changing worker thread names
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
|
||||
@{PROC}/net/if_inet6 r,
|
||||
@{PROC}/*/net/if_inet6 r,
|
||||
@{PROC}/sys/net/ipv4/ip_local_port_range r,
|
||||
/usr/sbin/named mr,
|
||||
/{,var/}run/named/named.pid w,
|
||||
/{,var/}run/named/session.key w,
|
||||
# support for resolvconf
|
||||
/{,var/}run/named/named.options r,
|
||||
|
||||
# some people like to put logs in /var/log/named/ instead of having
|
||||
# syslog do the heavy lifting.
|
||||
{{ bind_log_file }} rw,
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
{{ bind_query_file }} rw,
|
||||
{% endif %}
|
||||
|
||||
# gssapi
|
||||
/var/lib/sss/pubconf/krb5.include.d/** r,
|
||||
/var/lib/sss/pubconf/krb5.include.d/ r,
|
||||
/var/lib/sss/mc/initgroups r,
|
||||
/etc/gss/mech.d/ r,
|
||||
|
||||
# ldap
|
||||
/etc/ldap/ldap.conf r,
|
||||
/{,var/}run/slapd-*.socket rw,
|
||||
|
||||
# dynamic updates
|
||||
/var/tmp/DNS_* rw,
|
||||
|
||||
# dyndb backends
|
||||
/usr/lib/bind/*.so rm,
|
||||
|
||||
# Samba DLZ
|
||||
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
|
||||
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
|
||||
/var/lib/samba/bind-dns/dns.keytab rk,
|
||||
/var/lib/samba/bind-dns/named.conf r,
|
||||
/var/lib/samba/bind-dns/dns/** rwk,
|
||||
/var/lib/samba/private/dns.keytab rk,
|
||||
/var/lib/samba/private/named.conf r,
|
||||
/var/lib/samba/private/dns/** rwk,
|
||||
/etc/samba/smb.conf r,
|
||||
/dev/urandom rwmk,
|
||||
owner /var/tmp/krb5_* rwk,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.sbin.named>
|
||||
}
|
||||
|
|
@ -16,7 +16,7 @@ config_check() {
|
|||
${doveconf_bin} > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"
|
||||
${doveconf_bin} | grep -E "^[[:blank:]]*ssl_cert[^_]" | grep -q "letsencrypt"
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
|
|
|
@ -21,6 +21,8 @@
|
|||
|
||||
- ansible.builtin.include: acme-challenge.yml
|
||||
|
||||
# This is always going to mark a "change".
|
||||
# Couldn't figure out why !
|
||||
- name: Deploy hooks are present
|
||||
ansible.builtin.copy:
|
||||
src: hooks/deploy/
|
||||
|
|
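--- a/check_free_space/defaults/main.yml
+++ b/check_free_space/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+check_free_space_partitions:
+- "/home"
+- "/srv"
+check_free_space_max_percent: 70
+check_free_space_mailto: Null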
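Review bot: `check_free_space_mailto: Null` relies on the capitalised null literal; write `null` (the canonical form) or, if the consumer expects an address string, `""`, since a Jinja template that receives None renders it as the text `None`. A one-line comment stating that `check_free_space_max_percent` is the maximum allowed fill level would also help: the name reads as a maximum free percentage, while check_free_space.sh inverts the value (`max_percentage=$((100-$2))`).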
166
check_free_space/files/check_free_space.sh
Executable file
166
check_free_space/files/check_free_space.sh
Executable file
|
@ -0,0 +1,166 @@
|
|||
#!/bin/sh
|
||||
|
||||
# This script verifies if the specified partitions on a machine are filled
|
||||
# at more than x%.
|
||||
#
|
||||
# If so, it sends a mail to the admin of that machine, warning him/her
|
||||
# that mesures should be taken.
|
||||
#
|
||||
# Two outputs are provided to the recipient of the mail:
|
||||
# * some general infos with `df`
|
||||
# * a more indepth inspection with `duc`
|
||||
#
|
||||
# This script takes 3 (mandatory) arguments:
|
||||
# * a list of the partitions to check (space separated)
|
||||
# * the maximum allowed percentage
|
||||
# * the email template to use
|
||||
#
|
||||
# This script should be ran by cron @daily.
|
||||
#
|
||||
#
|
||||
# Copyright (C) 2016 Louis-Philippe Véronneau <lpveronneau@evolix.ca, Evolix <info@evolix.fr>
|
||||
#
|
||||
# This program is licensed under GPLv3 +
|
||||
|
||||
|
||||
# Check argument sanity
|
||||
|
||||
PID_FILE='/var/run/check_free_space.pid'
|
||||
|
||||
if test -f "$PID_FILE"
|
||||
then
|
||||
pid=$(cat "$PID_FILE")
|
||||
ps -p "$pid" > /dev/null
|
||||
if test $? -eq 0
|
||||
then
|
||||
echo "$0 already run !" >&2
|
||||
exit 1
|
||||
else
|
||||
rm $PID_FILE
|
||||
fi
|
||||
fi
|
||||
|
||||
echo $$ > $PID_FILE
|
||||
|
||||
if test -z "$1" || test -z "$2" || test -z "$3" # is non null
|
||||
then
|
||||
echo "Some arguments are missing. Please issue a partition list, a" \
|
||||
"maximum percentage and an email template."
|
||||
exit 1
|
||||
elif ! [ "$2" -le 100 -a "$2" -ge 0 ] # is a percentage
|
||||
then
|
||||
echo "Please enter a maximum percentage value between 0 and 100."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Argument processing
|
||||
|
||||
partition_list=$1
|
||||
max_percentage=$((100-$2))
|
||||
email_template=$3
|
||||
|
||||
HOSTNAME=$(hostname)
|
||||
debian_version=$(lsb_release -c)
|
||||
|
||||
check_disk='/usr/lib/nagios/plugins/check_disk'
|
||||
|
||||
test -f /etc/evomaintenance.cf && . /etc/evomaintenance.cf
|
||||
|
||||
|
||||
# Test what version of df we have
|
||||
|
||||
old_df=false
|
||||
|
||||
case "$debian_version" in
|
||||
*squeeze* ) old_df=true ;;
|
||||
*wheezy* ) old_df=true ;;
|
||||
esac
|
||||
|
||||
|
||||
# Check disk space
|
||||
|
||||
df_options="size,avail,pcent,itotal,iavail,ipcent"
|
||||
|
||||
for partition in $partition_list
|
||||
do
|
||||
if ! $check_disk -w $max_percentage% -W $max_percentage% $partition > /dev/null
|
||||
then
|
||||
# the 'newline' is a hack to make sed behave
|
||||
PARTITION_DATA="$PARTITION_DATA newline $partition newline"
|
||||
if [ $old_df ]
|
||||
then
|
||||
PARTITION_DATA="$PARTITION_DATA $(/bin/df -h $partition) newline"
|
||||
PARTITION_DATA="$PARTITION_DATA newline $(df -ih $partition) newlinenewline"
|
||||
else
|
||||
PARTITION_DATA="$PARTITION_DATA $(/bin/df -h --output=$df_options $partition) newline"
|
||||
fi
|
||||
full_partitions="$full_partitions $partition"
|
||||
partname=$(echo $partition|tr -s '/' '-')
|
||||
graph_list="$graph_list -a /home/duc${partname}.png"
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
# Exit if everything is OK
|
||||
|
||||
if test -z "$PARTITION_DATA"
|
||||
then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
|
||||
# If there is indeed a problem, get more infos with duc
|
||||
|
||||
/usr/bin/ionice -c3 /usr/bin/duc index -H -d /home/duc.idx -x $full_partitions -q
|
||||
|
||||
for partition in $full_partitions
|
||||
do
|
||||
duc_temp=$(/usr/bin/duc ls -d /home/duc.idx -Fg $partition)
|
||||
duc_temp=$(printf "$duc_temp" | sed -e "s@]@]newline@" | grep -v "lost+found")
|
||||
DUC_OUTPUT="$DUC_OUTPUT newline$partition newline$duc_temp"
|
||||
partname=$(echo $partition|tr -s '/' '-')
|
||||
duc graph -d /home/duc.idx -o /home/duc${partname}.png -l8 -s 1024 $partition
|
||||
done
|
||||
|
||||
|
||||
# Replace placeholders & send the mail !
|
||||
|
||||
PARTITION_DATA="$(echo "$PARTITION_DATA"|tr -d $'\n')" # make sed accept the input
|
||||
DUC_OUTPUT="$(echo "$DUC_OUTPUT"|tr -d $'\n')"
|
||||
|
||||
if [ $old_df ]
|
||||
then
|
||||
sed -e "s/__TO__/$EVOMAINTMAIL/" \
|
||||
-e "s/__HOSTNAME__/$HOSTNAME/" \
|
||||
-e "s@__PARTITION_DATA__@$PARTITION_DATA@" \
|
||||
-e "s@__DUC_OUTPUT__@$DUC_OUTPUT@" \
|
||||
-e "s/newline/\n/g" \
|
||||
-e "s/IUse%/IUse%\n/g" \
|
||||
-e "s/ Use%/ Use%\n/g" \
|
||||
-e "s@Filesystem \{12\}@@g" \
|
||||
-e "s@Mounted on\/dev\/[a-z]\{3\}[0-9]\+ \{13\}@@g" \
|
||||
-e "s@% \/[a-z]\+@%@g" \
|
||||
-e "s/__MAX_PERCENTAGE__/$max_percentage/" \
|
||||
-e "s/__FULLFROM__/$FULLFROM/" \
|
||||
-e "s/__FROM__/$FROM/" \
|
||||
-e "s/__URGENCYFROM__/$URGENCYFROM/" \
|
||||
-e "s/__URGENCYTEL__/$URGENCYTEL/" \
|
||||
$email_template | \
|
||||
/usr/bin/mutt -H - $graph_list
|
||||
else
|
||||
sed -e "s/__TO__/$EVOMAINTMAIL/" \
|
||||
-e "s/__HOSTNAME__/$HOSTNAME/" \
|
||||
-e "s@__PARTITION_DATA__@$PARTITION_DATA@" \
|
||||
-e "s@__DUC_OUTPUT__@$DUC_OUTPUT@" \
|
||||
-e "s/newline/\n/g" \
|
||||
-e "s/IUse%/IUse%\n/g" \
|
||||
-e "s/__MAX_PERCENTAGE__/$max_percentage/" \
|
||||
-e "s/__FULLFROM__/$FULLFROM/" \
|
||||
-e "s/__FROM__/$FROM/" \
|
||||
-e "s/__URGENCYFROM__/$URGENCYFROM/" \
|
||||
-e "s/__URGENCYTEL__/$URGENCYTEL/" \
|
||||
$email_template | \
|
||||
/usr/bin/mutt -H - $graph_list
|
||||
fi
|
||||
|
||||
rm -f $PID_FILE
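Review bot: `if [ $old_df ]` at the two branch points (the df loop and the sed block) is always true, because `old_df=false` expands to the non-empty string `false`; the `--output=$df_options` branch and the shorter sed pipeline are therefore dead code on every release, and the fix is an explicit comparison: `if [ "$old_df" = true ]`. Separately, `$PARTITION_DATA` and `$DUC_OUTPUT` are spliced unescaped into the replacement side of `sed`, and they carry entry names from `duc ls` of the checked partitions, so a top-level directory whose name contains `@`, `&` or `\` breaks the substitution or rewrites the mail body; building the mail with a heredoc, or feeding the data through a temporary file, avoids the sed quoting problem entirely. The index `/home/duc.idx` and the graphs `/home/duc*.png` are written by root into `/home` with the default umask; if that directory is world-readable (it usually is), the directory layout of every checked partition becomes visible to every local user, so a root-only location such as `/var/lib/check_free_space` created with mode 0700 would be safer. Finally, the PID file is written before the argument checks, and the `exit 1` paths do not remove it; a `trap 'rm -f "$PID_FILE"' EXIT` right after creating it keeps the stale-file handling simple.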
|
24
check_free_space/files/check_free_space.tpl
Normal file
24
check_free_space/files/check_free_space.tpl
Normal file
|
@ -0,0 +1,24 @@
|
|||
From: __FULLFROM__
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 8bit
|
||||
To: __TO__
|
||||
Subject: [WARNING] Espace disque faible sur __HOSTNAME__
|
||||
|
||||
Bonjour,
|
||||
|
||||
Ceci est un message automatique pour vous informer qu'il y a un
|
||||
souci d'espace disque sur votre serveur __HOSTNAME__
|
||||
|
||||
Voici les informations sur l'espace disque qui pose problème :
|
||||
__PARTITION_DATA__
|
||||
Détails sur les partitions problématiques :
|
||||
__DUC_OUTPUT__
|
||||
Un graphe par partition problématique est disponible en pièce jointe.
|
||||
|
||||
Nous vous recommandons d'effectuer du ménage pour maintenir
|
||||
chaque partition avec un minimum de __MAX_PERCENTAGE__% d'espace disque libre.
|
||||
|
||||
Cordialement,
|
||||
--
|
||||
__FULLFROM__
|
37
check_free_space/tasks/main.yml
Normal file
37
check_free_space/tasks/main.yml
Normal file
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
- ansible.builtin.include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: Copy check_free_space.sh script
|
||||
ansible.builtin.copy:
|
||||
src: files/check_free_space.sh
|
||||
dest: /usr/share/scripts/check_free_space
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
- name: Copy email template
|
||||
ansible.builtin.copy:
|
||||
src: files/check_free_space.tpl
|
||||
dest: /usr/share/scripts/check_free_space.tpl
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
# not using the cron_module for this since it is buggy
|
||||
- name: check_free_space.sh is run by cron
|
||||
ansible.builtin.template:
|
||||
src: templates/cron_check_free_space.j2
|
||||
dest: /etc/cron.d/check_free_space
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: false
|
||||
|
||||
- name: Duc and Mutt are installed
|
||||
ansible.builtin.apt:
|
||||
pkg:
|
||||
- mutt
|
||||
- duc
|
||||
state: present
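Review bot: The apt task at the end installs mutt and duc but not the package providing `/usr/lib/nagios/plugins/check_disk`, which the copied script runs for every partition, so on a host without the Nagios plugins the cron job fails on each run; add `monitoring-plugins-basic` to the `pkg` list (the package name on older Debian releases may differ, worth confirming). The cron file is deployed with `force: false`, so later changes to `check_free_space_partitions` or `check_free_space_max_percent` never reach a host that already has the file; if that is intended, a comment saying so above the task would help, otherwise drop `force: false`. Ordering the apt task before the cron task also removes the window where the schedule exists but its dependencies do not.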
|
||||
|
30
check_free_space/tasks/shell_script.yml
Normal file
30
check_free_space/tasks/shell_script.yml
Normal file
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: shell script
|
||||
copy:
|
||||
src: files/check_free_space.sh
|
||||
dest: /usr/share/scripts/check_free_space
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
- name: email template
|
||||
copy:
|
||||
src: files/check_free_space.tpl
|
||||
dest: /usr/share/scripts/check_free_space.tpl
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
# not using the cron_module for this since it is buggy
|
||||
- name: cron
|
||||
template:
|
||||
src: templates/cron_check_free_space.j2
|
||||
dest: /etc/cron.d/check_free_space
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: false
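Review bot: This file repeats the first three tasks of tasks/main.yml with short module names (`include_role`, `copy`, `template`) while main.yml uses FQCNs, and nothing visible in the role imports it, so the two copies will drift the first time one of them is edited. If it is meant as a separate entry point, import it from main.yml with `- ansible.builtin.import_tasks: shell_script.yml` and delete the duplicated tasks there; otherwise remove this file. Either way it should use the same `ansible.builtin.` prefixes as the rest of the role.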
|
4
check_free_space/templates/cron_check_free_space.j2
Normal file
4
check_free_space/templates/cron_check_free_space.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
{% if check_free_space_mailto and check_free_space_mailto != "" %}
|
||||
MAILTO={{ check_free_space_mailto }}
|
||||
{% endif %}
|
||||
30 4 * * 1 root /usr/share/scripts/check_free_space "{{ check_free_space_partitions | join(' ') }}" {{ check_free_space_max_percent }} /usr/share/scripts/check_free_space.tpl
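Review bot: The cron line runs the script weekly (Monday 04:30) while the header comment in check_free_space.sh says it "should be ran by cron @daily"; one of the two should be corrected so the next reader does not chase a phantom daily run. The partition list is interpolated into a double-quoted shell word, `"{{ check_free_space_partitions | join(' ') }}"`, so a mount point containing `"` or `$` would break the command; the values come from role vars rather than untrusted input, so a one-line comment stating that assumption is enough. `MAILTO` only affects cron's own delivery of the job's stdout/stderr, while the warning mail itself is sent by mutt inside the script; a comment such as `# MAILTO only receives the script's own output/errors, the report is sent by the script` would avoid the obvious confusion.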
|
|
@ -119,4 +119,4 @@
|
|||
cmd: "{{ docker_tls_path }}/shellpki.sh init"
|
||||
when:
|
||||
- docker_tls_enabled | bool
|
||||
- not tls_certs_stat.stat.isdir
|
||||
- not (tls_certs_stat.stat.exists and tls_certs_stat.stat.isdir)
|
||||
|
|
|
@ -1,4 +1,12 @@
|
|||
---
|
||||
|
||||
general_alert_email: "root@localhost"
|
||||
log2mail_alert_email: Null
|
||||
|
||||
dovecot_vmail_uid: 5000
|
||||
dovecot_vmail_gid: 5000
|
||||
|
||||
ldap_hostname: "{{ ansible_hostname }}"
|
||||
ldap_domain: "{{ ansible_domain }}"
|
||||
ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
|
||||
ldap_enabled: False
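Review bot: `ldap_suffix` is built from `ldap_domain.split('.')[-2]` and `[-1]`, which raises a Jinja error when `ansible_domain` is empty or a single label (the list then has fewer than two items) and silently drops labels for deeper domains (`example.co.uk` becomes `dc=co,dc=uk`). Because the value is only consumed under `ldap_enabled`, the cheapest fix is to build it from every label, `ldap_suffix: "dc={{ ldap_hostname }},{{ ldap_domain.split('.') | map('regex_replace', '^', 'dc=') | join(',') }}"`, or to leave it undefined and rely on the `| mandatory` the consumer already applies. Whether the hostname is really meant to be the first `dc=` component is a site convention; a comment above the default stating it would help.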
|
||||
|
|
24
dovecot/files/munin_plugin_dovecot1
Normal file → Executable file
24
dovecot/files/munin_plugin_dovecot1
Normal file → Executable file
|
@ -53,15 +53,17 @@ if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) {
|
|||
exit 0;
|
||||
}
|
||||
|
||||
if (-f "$logfile.0") {
|
||||
$rotlogfile = $logfile . ".0";
|
||||
} elsif (-f "$logfile.1") {
|
||||
$rotlogfile = $logfile . ".1";
|
||||
} elsif (-f "$logfile.01") {
|
||||
$rotlogfile = $logfile . ".01";
|
||||
} else {
|
||||
$rotlogfile = $logfile . ".0";
|
||||
}
|
||||
# Disable rotated log inpection because name is not deterministic across systems
|
||||
# and data loss is may 5 min
|
||||
#if (-f "$logfile.0") {
|
||||
# $rotlogfile = $logfile . ".0";
|
||||
#} elsif (-f "$logfile.1") {
|
||||
# $rotlogfile = $logfile . ".1";
|
||||
#} elsif (-f "$logfile.01") {
|
||||
# $rotlogfile = $logfile . ".01";
|
||||
#} else {
|
||||
# $rotlogfile = $logfile . ".0";
|
||||
#}
|
||||
|
||||
if ( $ARGV[0] and $ARGV[0] eq "config" ) {
|
||||
print "multigraph dovecot_connections\n";
|
||||
|
@ -179,7 +181,9 @@ if (!defined $pos) {
|
|||
|
||||
if ($startsize < $pos) {
|
||||
# Log rotated
|
||||
parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]);
|
||||
# Disable rotated log inpection because name is not deterministic across systems
|
||||
# and data loss is may 5 min
|
||||
#parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]);
|
||||
$pos = 0;
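Review bot: Commenting out the rotated-log handling leaves `$rotlogfile` declared but never assigned (assuming it is declared with `my` above this hunk), and the dead code will now be carried indefinitely; since the history is in git, deleting the block and the `parseDovecotfile ($rotlogfile, ...)` call is cleaner than commenting them out. The explanatory comment also has typos (`inpection`, `data loss is may 5 min`) and should state the trade-off plainly, e.g. `# Rotated logs are not parsed: their name is not deterministic across systems, so up to one polling interval (~5 min) of data is lost at rotation.`. The surrounding conditional starts and ends outside this hunk.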
|
||||
}
|
||||
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
---
|
||||
|
||||
- name: ensure packages are installed
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
|
@ -8,7 +10,7 @@
|
|||
- dovecot-managesieved
|
||||
state: present
|
||||
tags:
|
||||
- dovecot
|
||||
- dovecot
|
||||
|
||||
- name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes)
|
||||
community.crypto.openssl_dhparam:
|
||||
|
@ -21,7 +23,7 @@
|
|||
regexp: "[^#]!include auth-system.conf.ext"
|
||||
replace: "#!include auth-system.conf.ext"
|
||||
tags:
|
||||
- dovecot
|
||||
- dovecot
|
||||
|
||||
- name: update ldap auth
|
||||
ansible.builtin.lineinfile:
|
||||
|
@ -33,14 +35,15 @@
|
|||
- { key: 'hosts', value: '127.0.0.1' }
|
||||
- { key: 'auth_bind', value: 'yes' }
|
||||
- { key: 'ldap_version', value: 3 }
|
||||
- { key: 'base', value: "{{ ldap_suffix }}" }
|
||||
- { key: 'base', value: "{{ ldap_suffix | mandatory }}" }
|
||||
- { key: 'user_attrs', value: 'homeDirectory=home' }
|
||||
- { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' }
|
||||
- { key: 'pass_attrs', value: 'uid=user,userPassword=password' }
|
||||
when: ldap_suffix is defined
|
||||
- { key: 'iterate_filter', value: '(&(isActive=TRUE))' }
|
||||
when: ldap_enabled | bool | default(False)
|
||||
notify: reload dovecot
|
||||
tags:
|
||||
- dovecot
|
||||
- dovecot
|
||||
|
||||
- name: create vmail group
|
||||
ansible.builtin.group:
|
||||
|
@ -48,7 +51,7 @@
|
|||
gid: "{{ dovecot_vmail_gid }}"
|
||||
system: True
|
||||
tags:
|
||||
- dovecot
|
||||
- dovecot
|
||||
|
||||
- name: create vmail user
|
||||
ansible.builtin.user:
|
||||
|
@ -58,16 +61,16 @@
|
|||
shell: /bin/false
|
||||
system: True
|
||||
tags:
|
||||
- dovecot
|
||||
- dovecot
|
||||
|
||||
- name: deploy evolix config
|
||||
- name: deploy evolix config for Dovecot
|
||||
ansible.builtin.template:
|
||||
src: z-evolinux-defaults.conf.j2
|
||||
dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
|
||||
mode: "0644"
|
||||
notify: reload dovecot
|
||||
tags:
|
||||
- dovecot
|
||||
- dovecot
|
||||
|
||||
- name: deploy file for custom configuration
|
||||
ansible.builtin.template:
|
||||
|
@ -76,7 +79,7 @@
|
|||
mode: "0644"
|
||||
notify: reload dovecot
|
||||
tags:
|
||||
- dovecot
|
||||
- dovecot
|
||||
|
||||
- ansible.builtin.include: munin.yml
|
||||
tags:
|
||||
|
@ -86,7 +89,8 @@
|
|||
ansible.builtin.apt:
|
||||
name: log2mail
|
||||
state: present
|
||||
tags: dovecot
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
- name: dovecot is configured in log2mail
|
||||
ansible.builtin.blockinfile:
|
||||
|
@ -101,5 +105,6 @@
|
|||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||
template = /etc/log2mail/mail
|
||||
notify: restart log2mail
|
||||
tags: dovecot
|
||||
tags:
|
||||
- dovecot
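Review bot: `when: ldap_enabled | bool | default(False)` on the ldap auth task applies `bool` before `default`, so an undefined `ldap_enabled` fails template evaluation instead of falling back to false (as far as I can tell `bool` does not tolerate an undefined input); the order should be `when: ldap_enabled | default(False) | bool`. The new `ldap_enabled: False` default masks this, but a play that runs the task file without the role defaults still hits it. The same hunk keeps `hosts: 127.0.0.1` with `auth_bind: yes`, which sends each user's password to LDAP over a plain loopback bind; that is acceptable for a local slapd, and a comment saying the directory is assumed to be local would make the assumption explicit.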
|
||||
|
||||
|
|
|
@ -9,15 +9,18 @@
|
|||
- name: Munin plugins are present and configured
|
||||
block:
|
||||
|
||||
- name: Disable dovecot plugin
|
||||
- name: Disable Dovecot plugin
|
||||
ansible.builtin.file:
|
||||
path: /etc/munin/plugins/dovecot
|
||||
state: absent
|
||||
|
||||
- name: Remove dovecot plugin conf
|
||||
- name: Remove old Dovecot plugin conf
|
||||
ansible.builtin.file:
|
||||
path: /etc/munin/plugin-conf.d/dovecot
|
||||
path: "/etc/munin/plugin-conf.d/{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- dovecot
|
||||
- z-evolinux-dovecot
|
||||
|
||||
- name: "Remount /usr if needed"
|
||||
ansible.builtin.include_role:
|
||||
|
@ -46,8 +49,8 @@
|
|||
|
||||
- name: Copy Munin config
|
||||
ansible.builtin.copy:
|
||||
src: z-evolinux-dovecot.conf
|
||||
dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot
|
||||
src: munin_plugins.conf
|
||||
dest: /etc/munin/plugin-conf.d/zzz-dovecot
|
||||
mode: '0644'
|
||||
notify: restart munin-node
|
||||
|
||||
|
|
|
@ -24,14 +24,36 @@
|
|||
- ansible.builtin.include_role:
|
||||
name: evolix/remount-usr
|
||||
when:
|
||||
- _usr_share_scripts.stat.isdir
|
||||
- _usr_share_scripts.stat.exists and _usr_share_scripts.stat.isdir
|
||||
|
||||
- ansible.builtin.import_tasks: repository.yml
|
||||
vars:
|
||||
repository_path: "/usr/share/scripts"
|
||||
gitignore_items: []
|
||||
when:
|
||||
- _usr_share_scripts.stat.isdir
|
||||
- _usr_share_scripts.stat.exists and _usr_share_scripts.stat.isdir
|
||||
- ansible_distribution_major_version is version('10', '>=')
|
||||
tags:
|
||||
- etc-git
|
||||
- etc-git
|
||||
|
||||
|
||||
- name: verify /var/chroot-bind/ presence
|
||||
ansible.builtin.stat:
|
||||
path: /var/chroot-bind
|
||||
register: _var_chroot_bind
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
- name: /var/chroot-bind/etc/bind is a safe directory
|
||||
ansible.builtin.shell: git config --global --add safe.directory /var/chroot-bind/etc/bind
|
||||
|
||||
- ansible.builtin.import_tasks: repository.yml
|
||||
vars:
|
||||
repository_path: "/var/chroot-bind/etc/bind"
|
||||
gitignore_items: []
|
||||
when:
|
||||
- _var_chroot_bind.stat.exists and _var_chroot_bind.stat.isdir
|
||||
- ansible_distribution_major_version is version('8', '>=')
|
||||
tags:
|
||||
- etc-git
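Review bot: The new "safe directory" task runs `git config --global --add safe.directory /var/chroot-bind/etc/bind` unconditionally through `shell`, so it reports changed on every play, appends a duplicate `safe.directory` entry to root's ~/.gitconfig on each run, and executes even on hosts without /var/chroot-bind, while the repository task just below is guarded by `_var_chroot_bind.stat.exists`; it also lacks the `tags: etc-git` the neighbouring tasks carry. Splitting it into a read-only lookup and a guarded add makes it idempotent and keeps root's global git config from growing. The rewritten tasks are below; the rest of the hunk is unchanged.
```yaml
- name: Current git safe.directory entries
  ansible.builtin.command: git config --global --get-all safe.directory
  register: _git_safe_directories
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - etc-git

- name: /var/chroot-bind/etc/bind is a safe directory
  ansible.builtin.command: git config --global --add safe.directory /var/chroot-bind/etc/bind
  when:
    - _var_chroot_bind.stat.exists and _var_chroot_bind.stat.isdir
    - "'/var/chroot-bind/etc/bind' not in _git_safe_directories.stdout_lines"
  tags:
    - etc-git

# … unchanged: import of repository.yml for /var/chroot-bind/etc/bind …
```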
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="23.07"
|
||||
VERSION="24.01"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="23.07"
|
||||
VERSION="24.01"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
@ -68,6 +68,8 @@ detect_os() {
|
|||
10) DEBIAN_RELEASE="buster";;
|
||||
11) DEBIAN_RELEASE="bullseye";;
|
||||
12) DEBIAN_RELEASE="bookworm";;
|
||||
13) DEBIAN_RELEASE="trixie";;
|
||||
14) DEBIAN_RELEASE="forky";;
|
||||
esac
|
||||
fi
|
||||
fi
|
||||
|
@ -85,6 +87,12 @@ is_debian_bullseye() {
|
|||
is_debian_bookworm() {
|
||||
test "${DEBIAN_RELEASE}" = "bookworm"
|
||||
}
|
||||
is_debian_trixie() {
|
||||
test "${DEBIAN_RELEASE}" = "trixie"
|
||||
}
|
||||
is_debian_forky() {
|
||||
test "${DEBIAN_RELEASE}" = "forky"
|
||||
}
|
||||
|
||||
is_pack_web(){
|
||||
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
|
||||
|
@ -148,13 +156,13 @@ check_dpkgwarning() {
|
|||
# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option.
|
||||
check_postfix_mydestination() {
|
||||
# shellcheck disable=SC2016
|
||||
if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost([[:blank:]]|$)'; then
|
||||
failed "IS_POSTFIX_MYDESTINATION" "'localhost' s missing in Postfix mydestination option."
|
||||
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp 'localhost([[:blank:]]|$)'; then
|
||||
failed "IS_POSTFIX_MYDESTINATION" "'localhost' is missing in Postfix mydestination option."
|
||||
fi
|
||||
if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.localdomain'; then
|
||||
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost.localdomain'; then
|
||||
failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option."
|
||||
fi
|
||||
if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.\$mydomain'; then
|
||||
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost.$mydomain'; then
|
||||
failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option."
|
||||
fi
|
||||
}
|
||||
|
@ -193,6 +201,65 @@ check_debiansecurity() {
|
|||
apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
|
||||
test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository"
|
||||
}
|
||||
check_debiansecurity_lxc() {
|
||||
if is_installed lxc; then
|
||||
container_list=$(lxc-ls)
|
||||
for container in $container_list; do
|
||||
DEBIAN_LXC_VERSION=$(cut -d "." -f 1 < /var/lib/lxc/${container}/rootfs/etc/debian_version)
|
||||
if [ $DEBIAN_LXC_VERSION -ge 9 ]; then
|
||||
lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
|
||||
test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
check_backports_version() {
|
||||
# Look for enabled "Debian Backports" sources from the "Debian" origin
|
||||
apt-cache policy | grep "\bl=Debian Backports\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
|
||||
test $? -eq 1 || ( \
|
||||
apt-cache policy | grep "\bl=Debian Backports\b" | grep --quiet "\bn=${DEBIAN_RELEASE}-backports\b" && \
|
||||
test $? -eq 0 || failed "IS_BACKPORTS_VERSION" "Debian Backports enabled for another release than ${DEBIAN_RELEASE}" )
|
||||
}
|
||||
check_oldpub() {
|
||||
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch)
|
||||
apt-cache policy | grep --quiet pub.evolix.net
|
||||
test $? -eq 1 || failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled"
|
||||
}
|
||||
check_oldpub_lxc() {
|
||||
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Buster as Sury safeguard)
|
||||
if is_installed lxc; then
|
||||
container_list=$(lxc-ls)
|
||||
for container in $container_list; do
|
||||
lxc-attach --name $container apt-cache policy | grep --quiet pub.evolix.net
|
||||
test $? -eq 1 || failed "IS_OLDPUB_LXC" "Old pub.evolix.net repository is still enabled in container ${container}"
|
||||
done
|
||||
fi
|
||||
}
|
||||
check_newpub() {
|
||||
# Look for enabled pub.evolix.org sources
|
||||
apt-cache policy | grep "\bl=Evolix\b" | grep --quiet -v php
|
||||
test $? -eq 0 || failed "IS_NEWPUB" "New pub.evolix.org repository is missing"
|
||||
}
|
||||
check_sury() {
|
||||
# Look for enabled packages.sury.org sources
|
||||
apt-cache policy | grep --quiet packages.sury.org
|
||||
if [ $? -eq 0 ]; then
|
||||
apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
|
||||
test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing"
|
||||
fi
|
||||
}
|
||||
check_sury_lxc() {
|
||||
if is_installed lxc; then
|
||||
container_list=$(lxc-ls)
|
||||
for container in $container_list; do
|
||||
lxc-attach --name $container apt-cache policy | grep --quiet packages.sury.org
|
||||
if [ $? -eq 0 ]; then
|
||||
lxc-attach --name $container apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
|
||||
test $? -eq 0 || failed "IS_SURY_LXC" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing in container ${container}"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
check_aptitude() {
|
||||
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
|
||||
}
|
||||
|
@ -283,11 +350,20 @@ check_alert5minifw() {
|
|||
fi
|
||||
}
|
||||
check_minifw() {
|
||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*(all|0)\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
||||
|| failed "IS_MINIFW" "minifirewall seems not started"
|
||||
{
|
||||
if [ -f /etc/systemd/system/minifirewall.service ]; then
|
||||
systemctl is-active minifirewall > /dev/null 2>&1
|
||||
else
|
||||
if test -x /usr/share/scripts/minifirewall_status; then
|
||||
/usr/share/scripts/minifirewall_status > /dev/null 2>&1
|
||||
else
|
||||
/sbin/iptables -L -n 2> /dev/null | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
|
||||
fi
|
||||
fi
|
||||
} || failed "IS_MINIFW" "minifirewall seems not started"
|
||||
}
|
||||
check_minifw_includes() {
|
||||
if is_debian_bullseye; then
|
||||
if { ! is_debian_stretch && ! is_debian_buster ; }; then
|
||||
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall"; then
|
||||
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/"
|
||||
fi
|
||||
|
@ -314,13 +390,13 @@ check_nrpedisks() {
|
|||
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
|
||||
}
|
||||
check_nrpepid() {
|
||||
if { is_debian_bullseye || is_debian_bookworm ; }; then
|
||||
if { is_debian_stretch || is_debian_buster ; }; then
|
||||
{ test -e /etc/nagios/nrpe.cfg \
|
||||
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
|
||||
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
|
||||
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
|
||||
else
|
||||
{ test -e /etc/nagios/nrpe.cfg \
|
||||
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
|
||||
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
|
||||
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
|
||||
fi
|
||||
}
|
||||
|
@ -447,7 +523,11 @@ check_log2mailsquid() {
|
|||
check_bindchroot() {
|
||||
if is_installed bind9; then
|
||||
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
|
||||
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
|
||||
default_conf=/etc/default/named
|
||||
if is_debian_buster || is_debian_stretch; then
|
||||
default_conf=/etc/default/bind9
|
||||
fi
|
||||
if grep -q '^OPTIONS=".*-t' "${default_conf}" && grep -q '^OPTIONS=".*-u' "${default_conf}"; then
|
||||
md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ')
|
||||
md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ')
|
||||
if [ "$md5_original" != "$md5_chrooted" ]; then
|
||||
|
@ -525,7 +605,12 @@ check_evobackup_exclude_mount() {
|
|||
# If rsync is not limited by "one-file-system"
|
||||
# then we verify that every mount is excluded
|
||||
if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
|
||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||
# old releases of evobackups don't have version
|
||||
if grep -q "^VERSION=" "${evobackup_file}" && dpkg --compare-versions "$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}")" ge 22.12 ; then
|
||||
sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' "${evobackup_file}" > "${excludes_file}"
|
||||
else
|
||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||
fi
|
||||
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
|
||||
for mount in ${not_excluded}; do
|
||||
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
|
||||
|
@ -578,7 +663,7 @@ check_apacheipinallow() {
|
|||
check_muninapacheconf() {
|
||||
muninconf="/etc/apache2/conf-available/munin.conf"
|
||||
if is_installed apache2; then
|
||||
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \
|
||||
test -e $muninconf && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$muninconf" \
|
||||
&& failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled"
|
||||
fi
|
||||
}
|
||||
|
@ -587,17 +672,17 @@ check_phpmyadminapacheconf() {
|
|||
phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf"
|
||||
phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf"
|
||||
if is_installed apache2; then
|
||||
test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \
|
||||
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled"
|
||||
test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \
|
||||
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled"
|
||||
test -e $phpmyadminconf0 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$phpmyadminconf0" \
|
||||
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) should be commented or disabled"
|
||||
test -e $phpmyadminconf1 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$phpmyadminconf1" \
|
||||
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) should be commented or disabled"
|
||||
fi
|
||||
}
|
||||
# Verification si le système doit redémarrer suite màj kernel.
|
||||
check_kerneluptodate() {
|
||||
if is_installed linux-image*; then
|
||||
# shellcheck disable=SC2012
|
||||
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
|
||||
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot/*lin* | tail -n1 | awk '{print $6}')" +%s)
|
||||
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
|
||||
if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
|
||||
failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised"
|
||||
|
@ -664,6 +749,16 @@ check_etcgit() {
|
|||
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|
||||
|| failed "IS_ETCGIT" "/etc is not a git repository"
|
||||
}
|
||||
check_etcgit_lxc() {
|
||||
if is_installed lxc; then
|
||||
container_list=$(lxc-ls)
|
||||
for container in $container_list; do
|
||||
export GIT_DIR="/var/lib/lxc/${container}/rootfs/etc/.git" GIT_WORK_TREE="/var/lib/lxc/${container}/rootfs/etc"
|
||||
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|
||||
|| failed "IS_ETCGIT_LXC" "/etc is not a git repository in container ${container}"
|
||||
done
|
||||
fi
|
||||
}
|
||||
# Check if /etc/.git/ has read/write permissions for root only.
|
||||
check_gitperms() {
|
||||
GIT_DIR="/etc/.git"
|
||||
|
@ -673,6 +768,19 @@ check_gitperms() {
|
|||
[ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected"
|
||||
fi
|
||||
}
|
||||
check_gitperms_lxc() {
|
||||
if is_installed lxc; then
|
||||
container_list=$(lxc-ls)
|
||||
for container in $container_list; do
|
||||
GIT_DIR="/var/lib/lxc/${container}/rootfs/etc/.git"
|
||||
if test -d $GIT_DIR; then
|
||||
expected="700"
|
||||
actual=$(stat -c "%a" $GIT_DIR)
|
||||
[ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
# Check if no package has been upgraded since $limit.
|
||||
check_notupgraded() {
|
||||
last_upgrade=0
|
||||
|
@ -760,10 +868,6 @@ check_apache2evolinuxconf() {
|
|||
check_backportsconf() {
|
||||
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
|
||||
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
|
||||
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
|
||||
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|
||||
|| failed "IS_BACKPORTSCONF" "backports must have preferences"
|
||||
fi
|
||||
}
|
||||
check_bind9munin() {
|
||||
if is_installed bind9; then
|
||||
|
@ -777,12 +881,25 @@ check_bind9logrotate() {
|
|||
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
|
||||
fi
|
||||
}
|
||||
check_drbd_two_primaries() {
|
||||
if is_installed drbd-utils; then
|
||||
if command -v drbd-overview >/dev/null; then
|
||||
if drbd-overview 2>&1 | grep -q "Primary/Primary"; then
|
||||
failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!"
|
||||
fi
|
||||
elif command -v drbdadm >/dev/null; then
|
||||
if drbdadm role all 2>&1 | grep -q 'Primary/Primary'; then
|
||||
failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_broadcomfirmware() {
|
||||
LSPCI_BIN=$(command -v lspci)
|
||||
if [ -x "${LSPCI_BIN}" ]; then
|
||||
if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then
|
||||
{ is_installed firmware-bnx2 \
|
||||
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
|
||||
&& apt-cache policy | grep "\bl=Debian\b" | grep --quiet -v "\b,c=non-free\b"
|
||||
} || failed "IS_BROADCOMFIRMWARE" "missing non-free repository"
|
||||
fi
|
||||
else
|
||||
|
@ -958,6 +1075,7 @@ check_phpevolinuxconf() {
|
|||
is_debian_stretch && phpVersion="7.0"
|
||||
is_debian_buster && phpVersion="7.3"
|
||||
is_debian_bullseye && phpVersion="7.4"
|
||||
is_debian_bookworm && phpVersion="8.2"
|
||||
if is_installed php; then
|
||||
{ test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
|
||||
&& test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
|
||||
|
@ -1089,16 +1207,10 @@ check_usrsharescripts() {
|
|||
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
|
||||
}
|
||||
check_sshpermitrootno() {
|
||||
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
|
||||
if is_debian_stretch; then
|
||||
# Noop, we'll use the default $sshd_args
|
||||
:
|
||||
elif is_debian_buster; then
|
||||
# You could change the SSH port in /etc/evocheck.cf
|
||||
sshd_args="-C addr=,user=,host=,laddr=,lport=${SSH_PORT:-22}"
|
||||
if is_debian_buster; then
|
||||
sshd_args="${sshd_args},rdomain="
|
||||
else
|
||||
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
|
||||
# -T doesn't require the additional -C.
|
||||
sshd_args=
|
||||
fi
|
||||
# shellcheck disable=SC2086
|
||||
if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then
|
||||
|
@ -1219,7 +1331,7 @@ check_lxc_container_resolv_conf() {
|
|||
container_list=$(lxc-ls)
|
||||
current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
|
||||
|
||||
for container in $container_list; do
|
||||
for container in $container_list; do
|
||||
if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then
|
||||
|
||||
while read -r resolver; do
|
||||
|
@ -1265,6 +1377,34 @@ check_lxc_php_fpm_service_umask_set() {
|
|||
fi
|
||||
fi
|
||||
}
|
||||
# Check that LXC containers have the proper Debian version.
|
||||
check_lxc_php_bad_debian_version() {
|
||||
if is_installed lxc; then
|
||||
php_containers_list=$(lxc-ls --filter php)
|
||||
missing_umask=""
|
||||
for container in $php_containers_list; do
|
||||
if [ "$container" = "php56" ]; then
|
||||
grep --quiet 'VERSION_ID="8"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Jessie"
|
||||
elif [ "$container" = "php70" ]; then
|
||||
grep --quiet 'VERSION_ID="9"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Stretch"
|
||||
elif [ "$container" = "php73" ]; then
|
||||
grep --quiet 'VERSION_ID="10"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Buster"
|
||||
elif [ "$container" = "php74" ]; then
|
||||
grep --quiet 'VERSION_ID="11"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bullseye"
|
||||
elif [ "$container" = "php82" ]; then
|
||||
grep --quiet 'VERSION_ID="12"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bookworm"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
check_lxc_openssh() {
|
||||
if is_installed lxc; then
|
||||
container_list=$(lxc-ls)
|
||||
for container in $container_list; do
|
||||
test -e /var/lib/lxc/${container}/rootfs/usr/sbin/sshd && failed "IS_LXC_OPENSSH" "openssh-server should not be installed in container ${container}"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
download_versions() {
|
||||
local file
|
||||
|
@ -1418,6 +1558,13 @@ main() {
|
|||
test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
|
||||
test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
|
||||
test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
|
||||
test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc
|
||||
test "${IS_BACKPORTS_VERSION:=1}" = 1 && check_backports_version
|
||||
test "${IS_OLDPUB:=1}" = 1 && check_oldpub
|
||||
test "${IS_OLDPUB_LXC:=1}" = 1 && check_oldpub_lxc
|
||||
test "${IS_NEWPUB:=1}" = 1 && check_newpub
|
||||
test "${IS_SURY:=1}" = 1 && check_sury
|
||||
test "${IS_SURY_LXC:=1}" = 1 && check_sury_lxc
|
||||
test "${IS_APTITUDE:=1}" = 1 && check_aptitude
|
||||
test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
|
||||
test "${IS_USRRO:=1}" = 1 && check_usrro
|
||||
|
@ -1470,7 +1617,9 @@ main() {
|
|||
test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
|
||||
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
|
||||
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
|
||||
test "${IS_ETCGIT_LXC:=1}" = 1 && check_etcgit_lxc
|
||||
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
|
||||
test "${IS_GITPERMS_LXC:=1}" = 1 && check_gitperms_lxc
|
||||
test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
|
||||
test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
|
||||
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
|
||||
|
@ -1479,6 +1628,7 @@ main() {
|
|||
test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf
|
||||
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
|
||||
test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate
|
||||
test "${IS_DRBDTWOPRIMARIES:=1}" = 1 && check_drbd_two_primaries
|
||||
test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware
|
||||
test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool
|
||||
test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit
|
||||
|
@ -1511,6 +1661,8 @@ main() {
|
|||
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
|
||||
test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container
|
||||
test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set
|
||||
test "${IS_LXC_PHP_BAD_DEBIAN_VERSION:=1}" = 1 && check_lxc_php_bad_debian_version
|
||||
test "${IS_LXC_OPENSSH:=1}" = 1 && check_lxc_openssh
|
||||
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
|
||||
|
||||
if [ -f "${main_output_file}" ]; then
|
||||
|
@ -1526,7 +1678,7 @@ main() {
|
|||
}
|
||||
cleanup() {
|
||||
# Cleanup tmp files
|
||||
# shellcheck disable=SC2086,SC2317
|
||||
# shellcheck disable=SC2068,SC2317
|
||||
rm -f ${files_to_cleanup[@]}
|
||||
|
||||
log "$PROGNAME exit."
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="23.07"
|
||||
VERSION="24.01"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
|
|
@ -159,12 +159,10 @@ evolinux_root_disable_ssh: False
|
|||
# postfix
|
||||
|
||||
evolinux_postfix_include: True
|
||||
|
||||
evolinux_postfix_packages: True
|
||||
evolinux_mail_aliases_include: True
|
||||
evolinux_postfix_users_alias_root: True
|
||||
evolinux_postfix_mailer_alias_root: True
|
||||
evolinux_postfix_root_alias: True
|
||||
evolinux_postfix_purge_exim: True
|
||||
|
||||
# logs
|
||||
|
||||
|
@ -211,6 +209,10 @@ evolinux_munin_include: True
|
|||
|
||||
evolinux_nagios_nrpe_include: True
|
||||
|
||||
# check_free_space
|
||||
|
||||
evolinux_check_free_space_include: True
|
||||
|
||||
# fail2ban
|
||||
|
||||
evolinux_fail2ban_include: False
|
||||
|
@ -235,3 +237,6 @@ evolinux_motd_include: True
|
|||
|
||||
# Utils
|
||||
evolinux_utils_include: True
|
||||
|
||||
# Autosysadmin
|
||||
evolinux_autosysadmin_include: false
|
||||
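Review bot: The new `evolinux_autosysadmin_include: false` is written in lowercase while every other boolean in this defaults file (`evolinux_postfix_packages: True`, `evolinux_check_free_space_include: True`, …) uses capitalised `True`/`False`; both parse the same under Ansible, but the file now mixes two spellings. Pick one per file — `true`/`false` is the yamllint default and what the `evolinux_autosysadmin_include` line already uses — so either `evolinux_autosysadmin_include: False` here or a follow-up that lowercases the rest. The removed postfix line(s) in the first hunk cannot be told apart from the kept ones on this rendering, so nothing is said about them here.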
|
|
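--- /dev/null
+++ b/evolinux-base/files/cert.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Shortcut to show certificate content or enddate.
+#
+
+usage() {
+echo "Usage : cert [date] <CERT_PATH>"
+}
+
+if [ "$#" -eq 1 ]; then
+cert_path=$1
+if [ -f "${cert_path}" ]; then
+openssl x509 -noout -in "${cert_path}" -text
+else
+>&2 echo "Error, file ${cert_path} does not exist."
+fi
+
+elif [ "$#" -eq 2 ]; then
+if [ "$1" = "date" ]; then
+cert_path=$2
+if [ -f "${cert_path}" ]; then
+openssl x509 -noout -in "$cert_path" -enddate
+else
+>&2 echo "Error, file ${cert_path} does not exist."
+fi
+else
+>&2 echo "Error, two arguments provided but 'date' is only allowed as first."
+usage
+exit 1
+fi
+
+else
+>&2 echo "Error, more than two arguments provided."
+usage
+exit 1
+fi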
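Review bot: Running `cert` with no argument at all falls through to the final `else` and prints "more than two arguments provided", which is the wrong diagnosis for `$# -eq 0`; `>&2 echo "Error, expected one or two arguments, got $#."` covers both cases. The two "does not exist" branches print an error but then let the script finish with status 0, so a caller (or a cron wrapper) cannot tell a missing file from a successful dump; add `exit 1` after each of those two `>&2 echo` lines. The script is otherwise self-contained in this hunk, and the user-supplied path is only ever passed as a quoted `-in` argument, so no shell-interpretation issue is introduced.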
|
|
@ -3,7 +3,7 @@
|
|||
PROGNAME="dump-server-state"
|
||||
REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state"
|
||||
|
||||
VERSION="23.08"
|
||||
VERSION="23.11"
|
||||
readonly VERSION
|
||||
|
||||
dump_dir=
|
||||
|
@ -35,43 +35,44 @@ ${PROGNAME} is dumping information related to the state of the server.
|
|||
Usage: ${PROGNAME} --dump-dir=/path/to/dump/directory [OPTIONS]
|
||||
|
||||
Main options
|
||||
-d, --dump-dir path to the directory where data will be stored
|
||||
--backup-dir legacy option for dump directory
|
||||
-f, --force keep existing dump directory and its content
|
||||
-v, --verbose print details about each task
|
||||
-V, --version print version and exit
|
||||
-h, --help print this message and exit
|
||||
-d, --dump-dir path to the directory where data will be stored
|
||||
--backup-dir legacy option for dump directory
|
||||
-f, --force keep existing dump directory and its content
|
||||
-v, --verbose print details about each task
|
||||
-V, --version print version and exit
|
||||
-h, --help print this message and exit
|
||||
|
||||
Tasks options
|
||||
--all reset options to execute all tasks
|
||||
--none reset options to execute no task
|
||||
--[no-]etc copy of /etc (default: no)
|
||||
--[no-]dpkg-full copy of /var/lib/dpkg (default: no)
|
||||
--[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes)
|
||||
--[no-]apt-states copy of apt extended states (default: yes)
|
||||
--[no-]apt-config copy of apt configuration (default: yes)
|
||||
--[no-]packages copy of dpkg selections (default: yes)
|
||||
--[no-]processes copy of process list (default: yes)
|
||||
--[no-]uname copy of uname value (default: yes)
|
||||
--[no-]uptime copy of uptime value (default: yes)
|
||||
--[no-]netstat copy of netstat (default: yes)
|
||||
--[no-]netcfg copy of network configuration (default: yes)
|
||||
--[no-]iptables copy of iptables (default: yes)
|
||||
--[no-]sysctl copy of sysctl values (default: yes)
|
||||
--[no-]virsh copy of virsh list (default: yes)
|
||||
--[no-]lxc copy of lxc list (default: yes)
|
||||
--[no-]disks copy of MBR and partitions (default: yes)
|
||||
--[no-]mount copy of mount points (default: yes)
|
||||
--[no-]df copy of disk usage (default: yes)
|
||||
--[no-]dmesg copy of dmesg (default: yes)
|
||||
--[no-]mysql copy of mysql processes (default: yes)
|
||||
--[no-]systemctl copy of systemd services states (default: yes)
|
||||
--all reset options to execute all tasks
|
||||
--none reset options to execute no task
|
||||
--[no-]etc copy of /etc (default: no)
|
||||
--[no-]dpkg-full copy of /var/lib/dpkg (default: no)
|
||||
--[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes)
|
||||
--[no-]apt-states copy of apt extended states (default: yes)
|
||||
--[no-]apt-config copy of apt configuration (default: yes)
|
||||
--[no-]packages copy of dpkg selections (default: yes)
|
||||
--[no-]processes copy of process list (default: yes)
|
||||
--[no-]uname copy of uname value (default: yes)
|
||||
--[no-]uptime copy of uptime value (default: yes)
|
||||
--[no-]netstat copy of netstat (default: yes)
|
||||
--[no-]netcfg copy of network configuration (default: yes)
|
||||
--[no-]iptables copy of iptables (default: yes)
|
||||
--[no-]sysctl copy of sysctl values (default: yes)
|
||||
--[no-]virsh copy of virsh list (default: yes)
|
||||
--[no-]lxc copy of lxc list (default: yes)
|
||||
--[no-]disks copy of MBR and partitions (default: yes)
|
||||
--[no-]mount copy of mount points (default: yes)
|
||||
--[no-]df copy of disk usage (default: yes)
|
||||
--[no-]dmesg copy of dmesg (default: yes)
|
||||
--[no-]mysql-processes copy of mysql processes (default: yes)
|
||||
--[no-]mysql-summary copy of mysql summary (default: yes)
|
||||
--[no-]systemctl copy of systemd services states (default: yes)
|
||||
|
||||
Tasks options order matters. They are evaluated from left to right.
|
||||
Examples :
|
||||
* "[…] --none --uname" will do only the uname task
|
||||
* "[…] --all --no-etc" will do everything but the etc task
|
||||
* "[…] --etc --none --mysql" will do only the mysql task
|
||||
* "[…] --etc --none --mysql-summary" will do only the mysql task
|
||||
END
|
||||
}
|
||||
debug() {
|
||||
|
@ -741,6 +742,41 @@ task_mysql_processes() {
|
|||
fi
|
||||
}
|
||||
|
||||
task_mysql_summary() {
|
||||
debug "Task: MySQL summary"
|
||||
|
||||
mysqladmin_bin=$(command -v mysqladmin)
|
||||
pt_mysql_summary_bin=$(command -v pt-mysql-summary)
|
||||
|
||||
if [ -n "${mysqladmin_bin}" ] && [ -n "${pt_mysql_summary_bin}" ]; then
|
||||
# Look for local MySQL or MariaDB process
|
||||
if pgrep mysqld > /dev/null || pgrep mariadbd > /dev/null; then
|
||||
if ${mysqladmin_bin} ping > /dev/null 2>&1; then
|
||||
# important to set sleep to 0
|
||||
# because we don't want to block
|
||||
# even if we lose some insight.
|
||||
${pt_mysql_summary_bin} --sleep 0 > "${dump_dir}/mysql-summary.txt" 2> "${dump_dir}/mysql-summary.err"
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* pt-mysql-summary OK"
|
||||
else
|
||||
debug "* pt-mysql-summary ERROR"
|
||||
debug < "${dump_dir}/mysql-summary.err"
|
||||
rm "${dump_dir}/mysql-summary.err"
|
||||
rc=10
|
||||
fi
|
||||
else
|
||||
debug "* unable to ping with mysqladmin"
|
||||
fi
|
||||
else
|
||||
debug "* no mysqld or mariadbd process is running"
|
||||
fi
|
||||
else
|
||||
debug "* pt-mysql-summary not found"
|
||||
fi
|
||||
}
|
||||
|
||||
task_systemctl() {
|
||||
debug "Task: Systemd services"
|
||||
|
||||
|
@ -841,6 +877,9 @@ main() {
|
|||
if [ "${TASK_MYSQL_PROCESSES}" -eq 1 ]; then
|
||||
task_mysql_processes
|
||||
fi
|
||||
if [ "${TASK_MYSQL_SUMMARY}" -eq 1 ]; then
|
||||
task_mysql_summary
|
||||
fi
|
||||
if [ "${TASK_SYSTEMCTL}" -eq 1 ]; then
|
||||
task_systemctl
|
||||
fi
|
||||
|
@ -950,6 +989,7 @@ while :; do
|
|||
TASK_DF \
|
||||
TASK_DMESG \
|
||||
TASK_MYSQL_PROCESSES \
|
||||
TASK_MYSQL_SUMMARY \
|
||||
TASK_SYSTEMCTL
|
||||
do
|
||||
eval "${option}=1"
|
||||
|
@ -978,6 +1018,7 @@ while :; do
|
|||
TASK_DF \
|
||||
TASK_DMESG \
|
||||
TASK_MYSQL_PROCESSES \
|
||||
TASK_MYSQL_SUMMARY \
|
||||
TASK_SYSTEMCTL
|
||||
do
|
||||
eval "${option}=0"
|
||||
|
@ -1124,6 +1165,13 @@ while :; do
|
|||
TASK_MYSQL_PROCESSES=0
|
||||
;;
|
||||
|
||||
--mysql-summary)
|
||||
TASK_MYSQL_SUMMARY=1
|
||||
;;
|
||||
--no-mysql-summary)
|
||||
TASK_MYSQL_SUMMARY=0
|
||||
;;
|
||||
|
||||
--systemctl)
|
||||
TASK_SYSTEMCTL=1
|
||||
;;
|
||||
|
@ -1173,6 +1221,7 @@ done
|
|||
: "${TASK_DF:=1}"
|
||||
: "${TASK_DMESG:=1}"
|
||||
: "${TASK_MYSQL_PROCESSES:=1}"
|
||||
: "${TASK_MYSQL_SUMMARY:=1}"
|
||||
: "${TASK_SYSTEMCTL:=1}"
|
||||
|
||||
export LC_ALL=C
|
||||
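Review bot: In `task_mysql_summary` the outer `else` branch reports `"* pt-mysql-summary not found"`, but the guard on the `if` requires both `mysqladmin_bin` and `pt_mysql_summary_bin` to be non-empty, so the message is misleading when only `mysqladmin` is missing; `debug "* mysqladmin or pt-mysql-summary not found"` describes what was actually tested. The new usage example `"[…] --etc --none --mysql-summary" will do only the mysql task` should read "the mysql-summary task", since `--mysql` is no longer an option name in the list above it. One defender-side caveat, inferred rather than visible here: pt-mysql-summary reports server configuration, and if it echoes option-file contents the `mysql-summary.txt` written into `${dump_dir}` may carry credentials, so the dump directory's permissions are worth confirming before that file is collected elsewhere. The whole function is contained in this hunk.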
|
|
|
@ -1,122 +0,0 @@
|
|||
# Syslog for Pack Evolix serveur - Debian Squeeze
|
||||
|
||||
|
||||
#################
|
||||
#### MODULES ####
|
||||
#################
|
||||
|
||||
$ModLoad imuxsock # provides support for local system logging
|
||||
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
|
||||
#$ModLoad immark # provides --MARK-- message capability
|
||||
|
||||
# provides UDP syslog reception
|
||||
#$ModLoad imudp
|
||||
#$UDPServerRun 514
|
||||
|
||||
# provides TCP syslog reception
|
||||
#$ModLoad imtcp
|
||||
#$InputTCPServerRun 514
|
||||
|
||||
|
||||
###########################
|
||||
#### GLOBAL DIRECTIVES ####
|
||||
###########################
|
||||
|
||||
#
|
||||
# Use traditional timestamp format.
|
||||
# To enable high precision timestamps, comment out the following line.
|
||||
#
|
||||
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
|
||||
|
||||
#
|
||||
# Set the default permissions for all log files.
|
||||
#
|
||||
$FileOwner root
|
||||
$FileGroup adm
|
||||
$FileCreateMode 0640
|
||||
$DirCreateMode 0755
|
||||
$Umask 0022
|
||||
|
||||
#
|
||||
# Include all config files in /etc/rsyslog.d/
|
||||
#
|
||||
$IncludeConfig /etc/rsyslog.d/*.conf
|
||||
|
||||
|
||||
###############
|
||||
#### RULES ####
|
||||
###############
|
||||
|
||||
#
|
||||
# First some standard log files. Log by facility.
|
||||
#
|
||||
auth,authpriv.* /var/log/auth.log
|
||||
*.*;auth,authpriv.none;cron,mail,local4,local5.none -/var/log/syslog
|
||||
cron.* /var/log/cron.log
|
||||
daemon.* -/var/log/daemon.log
|
||||
kern.* -/var/log/kern.log
|
||||
lpr.* -/var/log/lpr.log
|
||||
mail.* -/var/log/mail.log
|
||||
user.* -/var/log/user.log
|
||||
uucp.* /var/log/uucp.log
|
||||
news.* /var/log/news.log
|
||||
|
||||
local4.* -/var/log/openldap.log
|
||||
local1.* /var/log/sympa.log
|
||||
local0.* /var/log/postgresql.log
|
||||
local7.* -/var/log/dhcp.log
|
||||
local5.* -/var/log/haproxy.log
|
||||
|
||||
|
||||
#
|
||||
# Logging for the mail system. Split it up so that
|
||||
# it is easy to write scripts to parse these files.
|
||||
#
|
||||
#mail.info -/var/log/mail.info
|
||||
#mail.warn -/var/log/mail.warn
|
||||
#mail.err /var/log/mail.err
|
||||
|
||||
#
|
||||
# Logging for INN news system.
|
||||
#
|
||||
#news.crit /var/log/news/news.crit
|
||||
#news.err /var/log/news/news.err
|
||||
#news.notice -/var/log/news/news.notice
|
||||
|
||||
#
|
||||
# Some "catch-all" log files.
|
||||
#
|
||||
#*.=debug;\
|
||||
# auth,authpriv.none;\
|
||||
# news.none;mail.none -/var/log/debug
|
||||
#*.=info;*.=notice;*.=warn;\
|
||||
# auth,authpriv.none;\
|
||||
# cron,daemon.none;\
|
||||
# mail,news.none -/var/log/messages
|
||||
|
||||
#
|
||||
# Emergencies are sent to everybody logged in.
|
||||
#
|
||||
*.emerg *
|
||||
|
||||
#
|
||||
# I like to have messages displayed on the console, but only on a virtual
|
||||
# console I usually leave idle.
|
||||
#
|
||||
#daemon,mail.*;\
|
||||
# news.=crit;news.=err;news.=notice;\
|
||||
# *.=debug;*.=info;\
|
||||
# *.=notice;*.=warn /dev/tty8
|
||||
|
||||
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
|
||||
# you must invoke `xconsole' with the `-file' option:
|
||||
#
|
||||
# $ xconsole -file /dev/xconsole [...]
|
||||
#
|
||||
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
|
||||
# busy site..
|
||||
#
|
||||
#daemon.*;mail.*;\
|
||||
# news.err;\
|
||||
# *.=debug;*.=info;\
|
||||
# *.=notice;*.=warn |/dev/xconsole
|
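--- /dev/null
+++ b/evolinux-base/files/logs/rsyslog.d/10-evolinux-default.conf
@@ -0,0 +1,13 @@
+# RSyslog for Pack Evolix serveur - Debian Bookworm
+
+daemon.* action(type="omfile" file="/var/log/daemon.log")
+lpr.* action(type="omfile" file="/var/log/lpr.log")
+news.* action(type="omfile" file="/var/log/news.log")
+uucp.* action(type="omfile" file="/var/log/uucp.log")
+
+local0.* action(type="omfile" file="/var/log/postgresql.log")
+local1.* action(type="omfile" file="/var/log/sympa.log")
+# To be explicit we specify “sync="off"” even though it's the default
+local4.* action(type="omfile" sync="off" file="/var/log/openldap.log")
+local5.* action(type="omfile" sync="off" file="/var/log/haproxy.log")
+local7.* action(type="omfile" file="/var/log/dhcp.log")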
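Review bot: The drop-in only adds per-facility file actions and never stops processing, whereas the deleted monolithic config excluded those facilities from the catch-all with `*.*;auth,authpriv.none;cron,mail,local4,local5.none -/var/log/syslog`; if the stock Debian `/etc/rsyslog.conf` catch-all rule stays in place, openldap, haproxy and the other facilities listed here will now be written twice (their own file and `/var/log/syslog`), which matters for log volume and retention on busy hosts. If the old exclusion is intended, follow each exclusive action with a continuation line `& stop` (e.g. after the `local5.*` action), or document in the header comment that duplication into syslog is now expected. The "To be explicit" comment applies to only two of the five `sync="off"` candidates; either apply it to every `omfile` action or drop it, so the file does not suggest the other actions are synchronous.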
|
@ -5,11 +5,4 @@
|
|||
force: True
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0750"
|
||||
|
||||
- name: symlink backup-server-state to dump-server-state
|
||||
ansible.builtin.file:
|
||||
src: /usr/local/sbin/dump-server-state
|
||||
dest: /usr/local/sbin/backup-server-state
|
||||
state: link
|
||||
force: true
|
||||
mode: "0750"
|
|
@ -6,11 +6,11 @@
|
|||
tags:
|
||||
- packages
|
||||
|
||||
- name: firmware-non-free components are installed (Debian 12+)
|
||||
- name: non-free-firmware components are installed (Debian 12+)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/apt/sources.list.d/system.sources
|
||||
regexp: '^(Components: ((?!\bfirmware-non-free\b).)*)$'
|
||||
replace: '\1 firmware-non-free'
|
||||
regexp: '^(Components: ((?!\bnon-free-firmware\b).)*)$'
|
||||
replace: '\1 non-free-firmware'
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
|
@ -48,6 +48,7 @@
|
|||
- firmware-linux-nonfree
|
||||
- intel-microcode
|
||||
state: present
|
||||
update_cache: True
|
||||
tags:
|
||||
- packages
|
||||
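Review bot: Correcting the component name to `non-free-firmware` fixes what is matched and appended, but hosts that were already provisioned with the previous wording will still carry a bogus `firmware-non-free` token on their `Components:` line in `/etc/apt/sources.list.d/system.sources`, and this task does not remove it; apt will keep complaining about a component that does not exist in the Debian 12 archive. A companion `ansible.builtin.replace` on the same file with `regexp: '\s*\bfirmware-non-free\b'` and `replace: ''`, run before this task and under the same `when`, would clean up those hosts. Which of the `apt` task's lines in the second hunk is the added one cannot be told from this rendering, so it is not reviewed here.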
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
- ansible_machine == "x86_64"
|
||||
- ansible_virtualization_role == "guest"
|
||||
- evolinux_kernel_cloud_auto | bool
|
||||
- ansible_distribution_major_version is version('10', '>=')
|
||||
|
||||
- name: "Remove non-Cloud kernel on virtual servers"
|
||||
ansible.builtin.apt:
|
||||
|
|
|
@ -17,18 +17,23 @@
|
|||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: log2mail config is present
|
||||
- name: log2mail evolinux config is absent from default config
|
||||
ansible.builtin.blockinfile:
|
||||
dest: /etc/log2mail/config/default
|
||||
owner: log2mail
|
||||
group: adm
|
||||
mode: "0640"
|
||||
marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE"
|
||||
block: |
|
||||
file = /var/log/syslog
|
||||
pattern = "Out of memory: Kill"
|
||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||
template = /etc/log2mail/mail
|
||||
state: absent
|
||||
notify: restart log2mail
|
||||
tags:
|
||||
- log2mail
|
||||
|
||||
- name: log2mail evolinux-defaults config is present
|
||||
ansible.builtin.template:
|
||||
src: log2mail/evolinux-defaults.j2
|
||||
dest: /etc/log2mail/config/evolinux-defaults
|
||||
owner: log2mail
|
||||
group: adm
|
||||
mode: "0640"
|
||||
force: yes
|
||||
notify: restart log2mail
|
||||
tags:
|
||||
- log2mail
|
||||
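Review bot: The new `log2mail evolinux-defaults config is present` task uses `force: yes`, an Ansible-era truthy value that yamllint flags and that this commit elsewhere writes as `true`/`True`; `force: true` keeps the new task consistent with the rest of the change. The removal of the managed block from `/etc/log2mail/config/default` and the move to a dedicated `evolinux-defaults` file look sound, but the template `log2mail/evolinux-defaults.j2` is not part of this view, so whether the `mailto` line still goes through the `mandatory` filter there cannot be confirmed from the hunk.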
|
|