From 679e170dce5b3b267a63157be9afe7c539ae9c39 Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Wed, 18 Oct 2023 15:09:36 +0200 Subject: [PATCH 001/151] evolinux-base: use separate default config file for rsyslog --- CHANGELOG.md | 1 + evolinux-base/files/logs/rsyslog.conf | 122 ------------------ .../logs/rsyslog.d/10-evolinux-default.conf | 13 ++ evolinux-base/tasks/logs.yml | 6 +- 4 files changed, 17 insertions(+), 125 deletions(-) delete mode 100644 evolinux-base/files/logs/rsyslog.conf create mode 100644 evolinux-base/files/logs/rsyslog.d/10-evolinux-default.conf diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a4c9e60..8ebb68f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -56,6 +56,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evolinux-base: use separate default config file for rsyslog * all: change syntax "become: [yes,no]" → "become: [true,false]" * all: change syntax "force: [yes,no]" → "force: [true,false]" * elasticsearch: improve networking configuration diff --git a/evolinux-base/files/logs/rsyslog.conf b/evolinux-base/files/logs/rsyslog.conf deleted file mode 100644 index 9c2a2d22..00000000 --- a/evolinux-base/files/logs/rsyslog.conf +++ /dev/null 
@@ -1,122 +0,0 @@ -# Syslog for Pack Evolix serveur - Debian Squeeze - - -################# -#### MODULES #### -################# - -$ModLoad imuxsock # provides support for local system logging -$ModLoad imklog # provides kernel logging support (previously done by rklogd) -#$ModLoad immark # provides --MARK-- message capability - -# provides UDP syslog reception -#$ModLoad imudp -#$UDPServerRun 514 - -# provides TCP syslog reception -#$ModLoad imtcp -#$InputTCPServerRun 514 - - -########################### -#### GLOBAL DIRECTIVES #### -########################### - -# -# Use traditional timestamp format. -# To enable high precision timestamps, comment out the following line. -# -$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat - -# -# Set the default permissions for all log files. -# -$FileOwner root -$FileGroup adm -$FileCreateMode 0640 -$DirCreateMode 0755 -$Umask 0022 - -# -# Include all config files in /etc/rsyslog.d/ -# -$IncludeConfig /etc/rsyslog.d/*.conf - - -############### -#### RULES #### -############### - -# -# First some standard log files. Log by facility. -# -auth,authpriv.* /var/log/auth.log -*.*;auth,authpriv.none;cron,mail,local4,local5.none -/var/log/syslog -cron.* /var/log/cron.log -daemon.* -/var/log/daemon.log -kern.* -/var/log/kern.log -lpr.* -/var/log/lpr.log -mail.* -/var/log/mail.log -user.* -/var/log/user.log -uucp.* /var/log/uucp.log -news.* /var/log/news.log - -local4.* -/var/log/openldap.log -local1.* /var/log/sympa.log -local0.* /var/log/postgresql.log -local7.* -/var/log/dhcp.log -local5.* -/var/log/haproxy.log - - -# -# Logging for the mail system. Split it up so that -# it is easy to write scripts to parse these files. -# -#mail.info -/var/log/mail.info -#mail.warn -/var/log/mail.warn -#mail.err /var/log/mail.err - -# -# Logging for INN news system. -# -#news.crit /var/log/news/news.crit -#news.err /var/log/news/news.err -#news.notice -/var/log/news/news.notice - -# -# Some "catch-all" log files. 
-# -#*.=debug;\ -# auth,authpriv.none;\ -# news.none;mail.none -/var/log/debug -#*.=info;*.=notice;*.=warn;\ -# auth,authpriv.none;\ -# cron,daemon.none;\ -# mail,news.none -/var/log/messages - -# -# Emergencies are sent to everybody logged in. -# -*.emerg * - -# -# I like to have messages displayed on the console, but only on a virtual -# console I usually leave idle. -# -#daemon,mail.*;\ -# news.=crit;news.=err;news.=notice;\ -# *.=debug;*.=info;\ -# *.=notice;*.=warn /dev/tty8 - -# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, -# you must invoke `xconsole' with the `-file' option: -# -# $ xconsole -file /dev/xconsole [...] -# -# NOTE: adjust the list below, or you'll go crazy if you have a reasonably -# busy site.. -# -#daemon.*;mail.*;\ -# news.err;\ -# *.=debug;*.=info;\ -# *.=notice;*.=warn |/dev/xconsole diff --git a/evolinux-base/files/logs/rsyslog.d/10-evolinux-default.conf b/evolinux-base/files/logs/rsyslog.d/10-evolinux-default.conf new file mode 100644 index 00000000..c072df40 --- /dev/null +++ b/evolinux-base/files/logs/rsyslog.d/10-evolinux-default.conf @@ -0,0 +1,13 @@ +# RSyslog for Pack Evolix serveur - Debian Bookworm + +daemon.* action(type="omfile" file="/var/log/daemon.log") +lpr.* action(type="omfile" file="/var/log/lpr.log") +news.* action(type="omfile" file="/var/log/news.log") +uucp.* action(type="omfile" file="/var/log/uucp.log") + +local0.* action(type="omfile" file="/var/log/postgresql.log") +local1.* action(type="omfile" file="/var/log/sympa.log") +# To be explicit we specify “sync="off"” even though it's the default +local4.* action(type="omfile" sync="off" file="/var/log/openldap.log") +local5.* action(type="omfile" sync="off" file="/var/log/haproxy.log") +local7.* action(type="omfile" file="/var/log/dhcp.log") diff --git a/evolinux-base/tasks/logs.yml b/evolinux-base/tasks/logs.yml index 75978711..46ada1d2 100644 --- a/evolinux-base/tasks/logs.yml +++ b/evolinux-base/tasks/logs.yml 
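Review bot: The `local4.*` and `local5.*` rules in the new file no longer come with the `cron,mail,local4,local5.none` exclusion that the deleted rsyslog.conf carried on its `/var/log/syslog` rule, so openldap and haproxy messages will presumably also land in the distribution's catch-all syslog file once the stock `/etc/rsyslog.conf` is in charge. If that duplication is unwanted, `& stop` after each of those actions (e.g. `local4.* action(type="omfile" sync="off" file="/var/log/openldap.log")` followed by `& stop`) discards the message before the later rules run, which relies on the stock file including `/etc/rsyslog.d/*.conf` ahead of its RULES section, as the deleted file did. The global settings the role used to pin (`$FileGroup adm`, `$FileCreateMode 0640`, `$Umask 0022`) are also gone, so the permissions of these log files now depend entirely on the packaged configuration; that deserves a line in the header, e.g. `# Relies on Debian's /etc/rsyslog.conf for the auth/syslog/kern/mail rules and the default log file permissions`. The `sync="off"` comment applies to only two of the eight actions; either put it on all of them or drop it.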
@@ -3,10 +3,10 @@ # TODO: voir comment faire des backups initiaux des fichiers # RSyslog -- name: Copy rsyslog.conf +- name: Copy rsyslog evolinux defaut conf ansible.builtin.copy: - src: logs/rsyslog.conf - dest: /etc/rsyslog.conf + src: logs/rsyslog.d/10-evolinux-default.conf + dest: /etc/rsyslog.d/10-evolinux-default.conf mode: "0644" notify: restart rsyslog when: evolinux_logs_rsyslog_conf | bool From ab30ea4cde9faace893ada2dcb7b9a5bea32931d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 18 Oct 2023 22:12:35 +0200 Subject: [PATCH 002/151] nginx: keep indentation --- nginx/tasks/main.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index 1284a6a1..57a036d4 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -20,18 +20,20 @@ - name: customize worker_connections ansible.builtin.lineinfile: dest: /etc/nginx/nginx.conf - regexp: '^(\s*worker_connections)\s+.+;' - line: ' worker_connections 1024;' + regexp: '^(\s*)(worker_connections)\s+.+;' + line: '\1worker_connections 1024;' insertafter: 'events \{' + backrefs: yes tags: - nginx - name: use epoll ansible.builtin.lineinfile: dest: /etc/nginx/nginx.conf - regexp: '^(\s*use)\s+.+;' - line: ' use epoll;' + regexp: '^(\s*)(use)\s+.+;' + line: '\1use epoll;' insertafter: 'events \{' + backrefs: yes tags: - nginx From 03c09dc092c6c8b7b386b1e13ee99c8d03f41924 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 23 Oct 2023 18:15:57 +0200 Subject: [PATCH 003/151] evoadmin-web: Fix PHP version for Bookworm --- webapps/evoadmin-web/tasks/web.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index fc266462..db4d8e74 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml 
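Review bot: The new task name has a typo, `Copy rsyslog evolinux defaut conf` → `Copy rsyslog evolinux default conf`. Beyond that, hosts provisioned with the previous version of this role keep the role-managed `/etc/rsyslog.conf`, which already had its own `daemon.*`, `local4.*`, `local5.*` … rules plus `$IncludeConfig /etc/rsyslog.d/*.conf`, so on those hosts the new drop-in presumably writes every one of these facilities twice until the old file is replaced. A companion task that restores the packaged rsyslog.conf on such hosts, or at least a CHANGELOG note describing the migration, would close that gap. The task list continues outside the hunk.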
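Review bot: Adding `backrefs: yes` changes what both tasks do when the directive is absent: with backrefs, `ansible.builtin.lineinfile` leaves the file unchanged when `regexp` matches nothing and `insertafter` is not consulted, so on an nginx.conf without a `use` line the "use epoll" task silently becomes a no-op instead of inserting the line (Debian's default nginx.conf appears to ship without a `use` directive; worth verifying). If insertion is still wanted, a second lineinfile task without backrefs, run only when the first reports no change, or a template for the `events` block is needed. For consistency with the `become`/`force` syntax change recorded in this series' CHANGELOG, write `backrefs: true`.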
@@ -36,9 +36,9 @@ notify: reload apache2 when: ansible_distribution_release == "bullseye" -- name: "Set custom values for PHP config (Debian 11)" +- name: "Set custom values for PHP config (Debian 12)" community.general.ini_file: - dest: /etc/php/8.1/apache2/conf.d/zzz-evolinux-custom.ini + dest: /etc/php/8.2/apache2/conf.d/zzz-evolinux-custom.ini section: PHP option: "disable_functions" value: "shell-exec,system,passthru,putenv,popen" From b05fa5a7796925c21ff756fb68699ad3ca18fba3 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 26 Oct 2023 15:12:44 +0200 Subject: [PATCH 004/151] Add php-fpm82 to LDAP when relevant --- generate-ldif/templates/generateldif.sh.j2 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index e306f075..7e35ff5a 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 @@ -685,6 +685,20 @@ ServiceVersion: PHP-FPM 8.1 (multiphp) EOT fi +if lxc-ls | grep -q php82 ; then + cat <> "${ldif_file}" + +dn: ServiceName=php-fpm82,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: php-fpm82 +ipServicePort: 443 +ServiceType: web +ServiceVersion: PHP-FPM 8.2 (multiphp) +EOT +fi + fi # END - LXC (multiphp) From 1259b88588aaf6c7015a53397b67c3b4fb211d74 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 26 Oct 2023 15:13:06 +0200 Subject: [PATCH 005/151] php83: preliminary work --- evolinux-users/templates/sudoers.j2 | 1 + generate-ldif/templates/generateldif.sh.j2 | 14 ++++++++++++++ lxc-php/defaults/main.yml | 2 ++ lxc-php/handlers/main.yml | 5 +++++ lxc-php/tasks/main.yml | 3 +++ nagios-nrpe/templates/evolix.cfg.j2 | 1 + php/handlers/main.yml | 5 +++++ 7 files changed, 31 insertions(+) diff --git a/evolinux-users/templates/sudoers.j2 b/evolinux-users/templates/sudoers.j2 index 60b5b782..0e8471bf 100644 --- a/evolinux-users/templates/sudoers.j2 
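Review bot: `lxc-ls | grep -q php82` on the new `if` line is a substring match, so it also fires for any container whose name merely contains `php82`; `lxc-ls -1 | grep -qx php82` checks for the exact name. The block is otherwise a verbatim copy of the 8.1 block above it with the version changed, so a small helper taking the version suffix would keep the next PHP release from needing another 14 pasted lines. The enclosing `# LXC (multiphp)` block starts outside the hunk.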
+++ b/evolinux-users/templates/sudoers.j2 @@ -15,6 +15,7 @@ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ +nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 7e35ff5a..75eedfb4 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 @@ -699,6 +699,20 @@ ServiceVersion: PHP-FPM 8.2 (multiphp) EOT fi +if lxc-ls | grep -q php83 ; then + cat <> "${ldif_file}" + +dn: ServiceName=php-fpm83,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: php-fpm83 +ipServicePort: 443 +ServiceType: web +ServiceVersion: PHP-FPM 8.3 (multiphp) +EOT +fi + fi # END - LXC (multiphp) diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index c0612f4e..7d5e6abf 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -22,6 +22,7 @@ lxc_php_container_releases: php80: "bullseye" php81: "bullseye" php82: "bookworm" + php83: "bookworm" lxc_php_services: php56: 'php5-fpm.service' 
@@ -31,6 +32,7 @@ lxc_php_services: php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' php82: 'php8.2-fpm.service' + php83: 'php8.3-fpm.service' apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}" diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index b703933b..c1f58f92 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml @@ -10,6 +10,11 @@ name: "{{ lxc_php_version }}" container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" +- name: Reload php83-fpm + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl reload php8.3-fpm" + - name: Reload php82-fpm community.general.lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index 035bfe15..c27aca4a 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml @@ -42,6 +42,9 @@ - ansible.builtin.import_tasks: "php82.yml" when: lxc_php_version == "php82" +- ansible.builtin.import_tasks: "php83.yml" + when: lxc_php_version == "php83" + - ansible.builtin.import_tasks: "umask.yml" - ansible.builtin.import_tasks: "misc.yml" diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index a7bcab7d..14b7f26a 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
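Review bot: The new `- ansible.builtin.import_tasks: "php83.yml"` references a file this commit does not add (the diffstat lists no `lxc-php/tasks/php83.yml`), and `import_tasks` is resolved statically when the play is parsed, so the missing file would presumably break loading of the whole role for every `lxc_php_version`, not just `php83`. Either add the task file in the same commit or use `ansible.builtin.include_tasks`, whose `when` guards the include itself. The task list continues outside the hunk.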
@@ -84,6 +84,7 @@ command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ +command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor command[check_raid_status]=/usr/lib/nagios/plugins/check_raid command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool diff --git a/php/handlers/main.yml b/php/handlers/main.yml index b333fe9b..d2b96b99 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -34,3 +34,8 @@ ansible.builtin.service: name: php8.2-fpm state: restarted + +- name: restart php8.3-fpm + ansible.builtin.service: + name: php8.3-fpm + state: restarted From 45436d77b1b411cb8d872d28c2bd19541acd3a13 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 26 Oct 2023 16:03:45 +0200 Subject: [PATCH 006/151] evocheck: upstream release 23.10 --- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 84 ++++++++++++++++++++++++------- evocheck/files/evocheck.wheezy.sh | 2 +- 3 files changed, 67 insertions(+), 21 deletions(-) diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 9cc1dcbb..fba55fd5 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.07" +VERSION="23.10" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 65a26a3e..89f17aba 100755 
--- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.07" +VERSION="23.10" readonly VERSION # base functions @@ -149,7 +149,7 @@ check_dpkgwarning() { check_postfix_mydestination() { # shellcheck disable=SC2016 if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost([[:blank:]]|$)'; then - failed "IS_POSTFIX_MYDESTINATION" "'localhost' s missing in Postfix mydestination option." + failed "IS_POSTFIX_MYDESTINATION" "'localhost' is missing in Postfix mydestination option." fi if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.localdomain'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option." @@ -193,6 +193,24 @@ check_debiansecurity() { apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository" } +check_oldpub() { + # Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch) + apt-cache policy | grep --quiet pub.evolix.net + test $? -eq 1 || failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled" +} +check_newpub() { + # Look for enabled pub.evolix.org sources + apt-cache policy | grep "\bl=Evolix\b" | grep --quiet -v php + test $? -eq 0 || failed "IS_NEWPUB" "New pub.evolix.org repository is missing" +} +check_sury() { + # Look for enabled packages.sury.org sources + apt-cache policy | grep --quiet packages.sury.org + if [ $? -eq 0 ]; then + apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet + test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing" + fi +} check_aptitude() { test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8" } 
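Review bot: The comment above the new `check_oldpub` body has a typo: `# Look for enabled pub.evolix.net sources (superseded by pub.evolix.org since Stretch)`. Style: the three new checks run a pipeline and then inspect `$?` on the next line (`test $? -eq 1 || failed …`), whereas `check_sshallowusers` in the same file chains the pipeline directly; `apt-cache policy | grep --quiet pub.evolix.net && failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled"` reads the same way and also avoids raising the alert when grep itself errors (exit status 2). The unescaped dots in `pub.evolix.net` and `packages.sury.org` are regex metacharacters; harmless here, but `grep -qF` would state the intent.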
@@ -231,15 +249,8 @@ check_customcrontab() { test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" } check_sshallowusers() { - if is_debian_bookworm; then - grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \ - || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*" - grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \ - && failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config" - else - grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ - || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" - fi + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" } check_diskperf() { perfFile="/root/disk-perf.txt" @@ -283,8 +294,17 @@ check_alert5minifw() { fi } check_minifw() { - /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*(all|0)\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ - || failed "IS_MINIFW" "minifirewall seems not started" + { + if [ -f /etc/systemd/system/minifirewall.service ]; then + systemctl is-active minifirewall > /dev/null 2>&1 + else + if test -x /usr/share/scripts/minifirewall_status; then + /usr/share/scripts/minifirewall_status > /dev/null 2>&1 + else + /sbin/iptables -L -n 2> /dev/null | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$" + fi + fi + } || failed "IS_MINIFW" "minifirewall seems not started" } check_minifw_includes() { if is_debian_bullseye; then 
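Review bot: The retained `grep -E -qir "(AllowUsers|AllowGroups)"` on the new line is unanchored, so a commented-out `#AllowUsers` line, or a stray `sshd_config.d/*.conf.bak` that sshd never reads when its Include pattern is `*.conf`, is enough to satisfy a check whose purpose is to confirm that an SSH allow-list is actually enforced. Anchoring to an active directive and restricting the drop-in directory to the files sshd loads tightens it: `grep -E -qis "^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf` (`-s` tolerates an empty directory, and `-r` is no longer needed). Whether the Include pattern is `*.conf` on every release this check runs on should be confirmed.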
@@ -447,7 +467,11 @@ check_log2mailsquid() { check_bindchroot() { if is_installed bind9; then if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then - if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then + default_conf=/etc/default/named + if is_debian_buster || is_debian_stretch; then + default_conf=/etc/default/bind9 + fi + if grep -q '^OPTIONS=".*-t' "${default_conf}" && grep -q '^OPTIONS=".*-u' "${default_conf}"; then md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') if [ "$md5_original" != "$md5_chrooted" ]; then @@ -525,7 +549,16 @@ check_evobackup_exclude_mount() { # If rsync is not limited by "one-file-system" # then we verify that every mount is excluded if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then - grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + # old releases of evobackups don't have version + if grep -q "^VERSION=" "${evobackup_file}"; then + evobackup_version=$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}") + # versions over 22.12 use a new syntax to exclude rsync files + if dpkg --compare-versions "$evobackup_version" ge 22.12 ; then + sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' > "${excludes_file}" + else + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + fi + fi not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") for mount in ${not_excluded}; do failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" 
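Review bot: The `sed -En '/RSYNC_EXCLUDES="/,/"/ …' > "${excludes_file}"` in the new `ge 22.12` branch is given no input file, so it reads the check's stdin instead of `${evobackup_file}` and leaves the excludes file empty (or blocks when stdin is a terminal). The legacy `grep -- "--exclude "` extraction has also moved inside the `if grep -q "^VERSION="` block, so the "old releases" the comment itself mentions never populate `${excludes_file}` at all; if that file is created empty earlier in the function, `grep -v -f` then passes every mount through and each one is reported as not excluded. The rewrite below passes the file to sed and falls back to the legacy extraction whenever no version is found or it is below 22.12. The function starts and ends outside the hunk.
```shell
    if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
        # old releases of evobackup have no VERSION line: treat them like pre-22.12
        evobackup_version=$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}")
        if [ -n "${evobackup_version}" ] && dpkg --compare-versions "${evobackup_version}" ge 22.12; then
            # versions over 22.12 use a new syntax to exclude rsync files
            sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' "${evobackup_file}" > "${excludes_file}"
        else
            grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
        fi
        # … unchanged: findmnt comparison and the failed() loop …
```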
@@ -760,10 +793,6 @@ check_apache2evolinuxconf() { check_backportsconf() { grep -qsE "^[^#].*backports" /etc/apt/sources.list \ && failed "IS_BACKPORTSCONF" "backports can't be in main sources list" - if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then - grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ - || failed "IS_BACKPORTSCONF" "backports must have preferences" - fi } check_bind9munin() { if is_installed bind9; then @@ -777,6 +806,19 @@ check_bind9logrotate() { test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file" fi } +check_drbd_two_primaries() { + if is_installed drbd-utils; then + if command -v drbd-overview >/dev/null; then + if drbd-overview 2>&1 | grep -q "Primary/Primary"; then + failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!" + fi + elif command -v drbdadm >/dev/null; then + if drbdadm status | grep Primary -A2 | grep peer | grep -q Primary; then + failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!" + fi + fi + fi +} check_broadcomfirmware() { LSPCI_BIN=$(command -v lspci) if [ -x "${LSPCI_BIN}" ]; then @@ -1418,6 +1460,9 @@ main() { test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity + test "${IS_OLDPUB:=1}" = 1 && check_oldpub + test "${IS_NEWPUB:=1}" = 1 && check_newpub + test "${IS_SURY:=1}" = 1 && check_sury test "${IS_APTITUDE:=1}" = 1 && check_aptitude test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak test "${IS_USRRO:=1}" = 1 && check_usrro 
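Review bot: Both `failed` messages in the new `check_drbd_two_primaries` misspell "resources": `Some DRBD resources have two primaries, you risk a split brain!`; since operators grep for these texts, it is worth fixing before the release ships. The `drbdadm status | grep Primary -A2 | grep peer | grep -q Primary` fallback assumes the peer's role is printed within two lines of the local role line; a comment stating that assumption, e.g. `# assumes drbdadm status prints the peer block within 2 lines of the local "Primary" line`, would help whoever has to adapt it to a newer drbd-utils output format.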
@@ -1479,6 +1524,7 @@ main() { test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate + test "${IS_DRBDTWOPRIMARIES:=1}" = 1 && check_drbd_two_primaries test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index 2df0e814..3bbcc1f1 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.07" +VERSION="23.10" readonly VERSION # base functions From 953ca015c5db78cbe3d51939e4190acdfaaa2ff3 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 26 Oct 2023 16:09:42 +0200 Subject: [PATCH 007/151] Changelog entries for latest changes --- CHANGELOG.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ebb68f9..12313297 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,10 +13,19 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* Preliminary work for php83 + ### Changed +* evolinux-base: use separate default config file for rsyslog +* evocheck: upstream release 23.10 + ### Fixed +* nginx: keep indentation +* evoadmin-web: Fix PHP version for Bookworm +* Add php-fpm82 to LDAP when relevant + ### Removed ### Security @@ -56,7 +65,6 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evolinux-base: use separate default config file for rsyslog * all: change syntax "become: [yes,no]" → "become: [true,false]" * all: change syntax "force: [yes,no]" → "force: [true,false]" * elasticsearch: improve networking configuration 
From 331f4e88757bd6c90c48096f373bbd78ee35f4dc Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 27 Oct 2023 14:33:12 +0200 Subject: [PATCH 008/151] Revert "php83: preliminary work" This reverts commit 1259b88588aaf6c7015a53397b67c3b4fb211d74. --- evolinux-users/templates/sudoers.j2 | 1 - generate-ldif/templates/generateldif.sh.j2 | 14 -------------- lxc-php/defaults/main.yml | 2 -- lxc-php/handlers/main.yml | 5 ----- lxc-php/tasks/main.yml | 3 --- nagios-nrpe/templates/evolix.cfg.j2 | 1 - php/handlers/main.yml | 5 ----- 7 files changed, 31 deletions(-) diff --git a/evolinux-users/templates/sudoers.j2 b/evolinux-users/templates/sudoers.j2 index 0e8471bf..60b5b782 100644 --- a/evolinux-users/templates/sudoers.j2 +++ b/evolinux-users/templates/sudoers.j2 @@ -15,7 +15,6 @@ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ -nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 75eedfb4..7e35ff5a 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 
@@ -699,20 +699,6 @@ ServiceVersion: PHP-FPM 8.2 (multiphp) EOT fi -if lxc-ls | grep -q php83 ; then - cat <> "${ldif_file}" - -dn: ServiceName=php-fpm83,${computer_dn} -NagiosEnabled: TRUE -ipServiceProtocol: tcp -objectClass: EvoService -ServiceName: php-fpm83 -ipServicePort: 443 -ServiceType: web -ServiceVersion: PHP-FPM 8.3 (multiphp) -EOT -fi - fi # END - LXC (multiphp) diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 7d5e6abf..c0612f4e 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -22,7 +22,6 @@ lxc_php_container_releases: php80: "bullseye" php81: "bullseye" php82: "bookworm" - php83: "bookworm" lxc_php_services: php56: 'php5-fpm.service' @@ -32,7 +31,6 @@ lxc_php_services: php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' php82: 'php8.2-fpm.service' - php83: 'php8.3-fpm.service' apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}" diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index c1f58f92..b703933b 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml @@ -10,11 +10,6 @@ name: "{{ lxc_php_version }}" container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" -- name: Reload php83-fpm - community.general.lxc_container: - name: "{{ lxc_php_version }}" - container_command: "systemctl reload php8.3-fpm" - - name: Reload php82-fpm community.general.lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index c27aca4a..035bfe15 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml 
@@ -42,9 +42,6 @@ - ansible.builtin.import_tasks: "php82.yml" when: lxc_php_version == "php82" -- ansible.builtin.import_tasks: "php83.yml" - when: lxc_php_version == "php83" - - ansible.builtin.import_tasks: "umask.yml" - ansible.builtin.import_tasks: "misc.yml" diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 14b7f26a..a7bcab7d 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -84,7 +84,6 @@ command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ -command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor command[check_raid_status]=/usr/lib/nagios/plugins/check_raid command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool diff --git a/php/handlers/main.yml b/php/handlers/main.yml index d2b96b99..b333fe9b 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -34,8 +34,3 @@ ansible.builtin.service: name: php8.2-fpm state: restarted - -- name: restart php8.3-fpm - ansible.builtin.service: - name: php8.3-fpm - state: restarted From 74a6b2ead1fbb7cd7519c83234949196992cddaa Mon Sep 17 00:00:00 2001 
From: Brice Waegeneire Date: Fri, 27 Oct 2023 15:02:28 +0200 Subject: [PATCH 009/151] nagios-nrpe: add check_sentinel --- CHANGELOG.md | 1 + nagios-nrpe/files/plugins/check_sentinel | 203 +++++++++++++++++++++++ nagios-nrpe/templates/evolix.cfg.j2 | 1 + 3 files changed, 205 insertions(+) create mode 100755 nagios-nrpe/files/plugins/check_sentinel diff --git a/CHANGELOG.md b/CHANGELOG.md index 12313297..b9293012 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * Preliminary work for php83 +* nagios-nrpe: add check_sentinel for monitoring Redis Sentinel ### Changed diff --git a/nagios-nrpe/files/plugins/check_sentinel b/nagios-nrpe/files/plugins/check_sentinel new file mode 100755 index 00000000..a76e45e7 --- /dev/null +++ b/nagios-nrpe/files/plugins/check_sentinel 
@@ -0,0 +1,203 @@ +#!/bin/sh +# +# Verify the health of Redis instances using Redis Sentinel. +# +# Exemple output: +# OK - 0 UNCHK / 0 CRIT / 0 WARN / 4 OK +# +# OK: Sentinels quorum reached / Active: 2 (quorum: 2) +# OK: '10.11.24.217:6379' is a 'master' of 'redis' +# OK: '10.11.24.227:6379' is a 'slave' of 'redis', in sync with '10.11.24.217' +# OK: '10.11.24.208:6379' is a 'slave' of 'redis', in sync with '10.11.24.217' + +set -u + +usage() { + echo "Usage:" + echo " $0 -c " + exit 1 +} + +sentinel_config_file= +while [ $# -gt 0 ]; do + case $1 in + -c) + sentinel_config_file="$2" + shift + shift + ;; + *) + echo "Invalid option: $1" + usage + ;; + esac +done +test -z "$sentinel_config_file" && usage + +# NRPE specific + +exit_code=0 +ok_count=0 +warn_count=0 +crit_count=0 +unchk_count=0 + +output=$(mktemp --tmpdir $(basename "$0").XXXXXXXX) + +ok() { + message=$1 + printf "OK: %s\n" "$message" >> "$output" + ok_count=$(( ok_count + 1)) +} + +warn() { + message=$1 + printf "WARN: %s\n" "$message" >> "$output" + warn_count=$(( warn_count + 1)) + [ "$exit_code" -lt 1 ] && exit_code=1 +} + +crit() { + message=$1 + printf "CRIT: %s\n" "$message" >> "$output" + crit_count=$(( crit_count + 1)) + [ "$exit_code" -lt 2 ] && exit_code=2 +} + +unchk() { + message=$1 + printf "UNCHK: %s\n" "$message" >> "$output" + unchk_count=$(( unchk_count + 1)) + [ "$exit_code" -lt 3 ] && exit_code=3 + exit 1 +} + +nrpe_output() { + case "$exit_code" in + 0) output_header="OK" ;; + 1) output_header="WARNING" ;; + 2) output_header="CRITICAL" ;; + *) output_header="UNCHK" ;; + esac + + printf "%s - %s UNCHK / %s CRIT / %s WARN / %s OK\n\n" \ + "${output_header}" "${unchk_count}" "${crit_count}" "${warn_count}" "${ok_count}" + + grep -E "^CRIT" "$output" + grep -E "^WARN" "$output" + grep -E "^UNCHK" "$output" + grep -E "^OK" "$output" + + rm -f "$output" + + exit "$exit_code" +} +trap nrpe_output EXIT + +# Redis specific + +test -r "$sentinel_config_file" || unchk "Can't read file 
'${sentinel_config_file}'" + +command -v redis-cli 1>/dev/null || unchk "Can't find executable 'redis-cli'" + +redis_cli_args='' +sentinel_port=$(awk '/^port/{print $2}' "${sentinel_config_file}") +! test -z "$sentinel_port" && redis_cli_args="${redis_cli_args} -p ${sentinel_port}" +sentinel_pass=$(awk '/^requirepass/{print $2}' "${sentinel_config_file}") +! test -z "$sentinel_pass" && redis_cli_args="${redis_cli_args} --pass ${sentinel_pass}" +alias _redis-cli="redis-cli ${redis_cli_args}" + +# List all masters names known by sentinel +redis_sentinel_masters() { + _redis-cli sentinel masters | + sed 'N;s/\n/=/' | + awk -F = '$1 ~ /^name$/ { print $2 }' +} + +# Verify redis sentinel master +check_master() { + master=$1 + input=$(_redis-cli sentinel master "$master" | sed 'N;s/\n/=/') + + for line in $input; do + case "$line" in + ip=*) ip=${line#ip=} ;; + port=*) port=${line#port=} ;; + flags=*) flags=${line#flags=} ;; + num-other-sentinels=*) num_sentinels=$(( ${line#num-other-sentinels=} + 1)) ;; + quorum=*) quorum=${line#quorum=} ;; + esac + done + + + if [ "$num_sentinels" -ge "$quorum" ]; then + ok "Sentinels quorum reached / Active: ${num_sentinels} (quorum: ${quorum})" + else + crit "No quorum of sentinels / Active: ${num_sentinels} (quorum: ${quorum})" + fi + + if echo "$flags" | grep -q master; then + ok "'${ip}:${port}' is a '${flags}' of '${master}'" + else + crit "'${ip}:${port}' is not a 'master' of '${master}'" + fi + + unset ip port flags status master_host +} + +check_slaves_output() { + name=$1 + flags=$2 + status=$3 + master_host=$4 + + if [ "$status" = ok ]; then + ok "'${name}' is a '${flags}' of '${master}', in sync with '${master_host}'" + else + crit "'${name}' is a '${flags}' of '${master}', not in sync" + fi +} + +# Verify redis slaves are in sync with their master +check_slaves() { + master=$1 + input=$(_redis-cli sentinel slaves "$master" | sed 'N;s/\n/=/') + + name= + flags= + status= + master_host= + for line in $input; do + case 
"$line" in + # "name" is the field begining a new record + name=*) + if [ -n "$name" ]; then + # output for all the slaves record, except the very last one + check_slaves_output "$name" "$flags" "$status" "$master_host" + unset name flags status master_host + fi + name=${line#name=} + ;; + flags=*) flags=${line#flags=} ;; + master-link-status=*) status=${line#master-link-status=} ;; + master-host=*) master_host=${line#master-host=} ;; + esac + done + # output for the last slave record in $input + check_slaves_output "$name" "$flags" "$status" "$master_host" + unset name flags status master_host +} + +if ! systemctl is-active --quiet redis-sentinel.service; then + unchk "'redis-sentinel' process isn't running" +else + masters=$(redis_sentinel_masters) + if [ -n "$masters" ]; then + for master in $masters; do + check_master "$master" + check_slaves "$master" + done + else + crit "No Redis master" + fi +fi diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index a7bcab7d..546b9bf0 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -75,6 +75,7 @@ command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 12 command[check_haproxy]=sudo {{ nagios_plugins_directory }}/check_haproxy_stats -s /run/haproxy/admin.sock -w 80 -c 90 --ignore-maint --ignore-nolb --ignore-drain command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall command[check_redis_instances]={{ nagios_plugins_directory }}/check_redis_instances +command[check_sentinel]=sudo {{ nagios_plugins_directory }}/check_sentinel -c /etc/redis/sentinel.conf command[check_hpraid]={{ nagios_plugins_directory }}/check_hpraid command[check_php-fpm]={{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm56]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php56/rootfs/etc/php5/fpm/pool.d/ From bc284f82487c91e4391693603a1de3bbf2674630 Mon Sep 17 00:00:00 2001 
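Review bot: In the `redis_cli_args` setup that follows the `command -v redis-cli` check, the `requirepass` value is appended as `--pass ${sentinel_pass}` and then baked into the `_redis-cli` alias, so every call places the Sentinel password in the process arguments, where any local user can read it while redis-cli runs; the NRPE command added in the same commit runs the plugin under sudo, presumably because the config file is not world-readable, so a secret that was root-only in the file becomes observable by unprivileged accounts. redis-cli reads the password from the `REDISCLI_AUTH` environment variable, so the exposure is avoided by replacing that line with `! test -z "$sentinel_pass" && export REDISCLI_AUTH="${sentinel_pass}"` and leaving `--pass` out of the alias. A smaller point in `unchk()`: it raises `exit_code` to 3 and then calls `exit 1`; the EXIT trap re-exits with `$exit_code`, so the plugin still returns UNKNOWN, but `exit "$exit_code"` would state that directly instead of looking like a WARNING.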
From: William Hirigoyen Date: Fri, 3 Nov 2023 10:48:28 +0100 Subject: [PATCH 010/151] add-vm.sh: allow VM name max length > 20 --- CHANGELOG.md | 1 + kvm-host/files/add-vm.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9293012..118c8290 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: use separate default config file for rsyslog * evocheck: upstream release 23.10 +* add-vm.sh: allow VM name max length > 20 ### Fixed diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index f945d401..6ded1103 100755 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -88,7 +88,7 @@ ${DIALOG} \ "memory" 2 1 "${defaultRAM}" 2 10 20 0 \ "volRoot" 3 1 "${disks[0]}-${defaultRootSize}" 3 10 20 0 \ "volHome" 4 1 "${disks[1]}-${defaultHomeSize}" 4 10 20 0 \ - "vmName" 5 1 "${defaultVmName}" 5 10 20 0 \ + "vmName" 5 1 "${defaultVmName}" 5 10 20 1024 \ 2> "${DIALOGOUT}" vCPU=$(sed 1'q;d' "${DIALOGOUT}") From c9c8ade55d79692fb0086460b0c6af57283f1f36 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 3 Nov 2023 18:03:35 +0100 Subject: [PATCH 011/151] nagios: fix default file to monitor for check_clamav_db --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 118c8290..6e0914eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nginx: keep indentation * evoadmin-web: Fix PHP version for Bookworm * Add php-fpm82 to LDAP when relevant +* nagios: fix default file to monitor for check_clamav_db ### Removed diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 546b9bf0..2d1837e1 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 
+++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -46,7 +46,7 @@ command[check_tomcat-ajp13]=/usr/lib/nagios/plugins/check_tcp -p 8009 command[check_proxy]=/usr/lib/nagios/plugins/check_http -H {{ nagios_nrpe_check_proxy_host }} command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v -command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/evolix.ndb +command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex From 41ec5b737b182f610caec53c42af5ff79e65cdbf Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 7 Nov 2023 17:46:29 +0100 Subject: [PATCH 012/151] nagios: rename var into and check systemd-timesyncd instead of ntpd in Debian 12 --- CHANGELOG.md | 1 + nagios-nrpe/defaults/main.yml | 7 ++++++- nagios-nrpe/tasks/main.yml | 7 +++++++ nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e0914eb..3f3561e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: use separate default config file for rsyslog * evocheck: upstream release 23.10 * add-vm.sh: allow VM name max length > 20 +* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 ### Fixed diff --git a/nagios-nrpe/defaults/main.yml b/nagios-nrpe/defaults/main.yml index 28b85d99..8ac9c3f4 100644 --- a/nagios-nrpe/defaults/main.yml 
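Review bot: `check_clamav_db` now points `check_file_age` at `/var/lib/clamav/daily.cld` only; freshclam stores the daily signatures as `daily.cvd` after a full download and as `daily.cld` once it has applied incremental diffs, so on a host that currently holds the `.cvd` form the check fails on a missing file rather than reporting the database age. If both forms occur on the managed hosts, the command needs to resolve whichever name exists before calling `check_file_age`; otherwise a comment on the line such as `# daily.cvd becomes daily.cld after the first incremental update` records why this name was chosen.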
+++ b/nagios-nrpe/defaults/main.yml @@ -6,7 +6,12 @@ nagios_nrpe_pgsql_passwd: PGSQL_PASSWD nagios_nrpe_amavis_from: "foobar@{{ ansible_domain }}" nagios_nrpe_default_ntp_server: "pool.ntp.org" nagios_nrpe_ntp_server: Null -nagios_nrpe_process_processes: [ cron rsyslogd ntpd munin-node ] + +# Use nagios_nrpe_processes to override +nagios_nrpe_processes_default_before_debian_12: [ cron rsyslogd ntpd munin-node ] +nagios_nrpe_processes_default: [ cron rsyslogd systemd-timesyn munin-node ] +# Built dynamically : +nagios_nrpe_processes: Null nagios_nrpe_force_update_allowed_hosts: False diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index 5d4c01aa..bf63a44a 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -1,4 +1,11 @@ --- + +- name: + ansible.builtin.set_fact: + nagios_nrpe_processes: "{{ nagios_nrpe_processes_default_before_debian_12 if ansible_distribution_major_version is version('12', '<') else nagios_nrpe_processes_default }}" + when: + nagios_nrpe_processes == None or nagios_nrpe_processes|length <= 0 + - name: base nrpe & plugins packages are installed ansible.builtin.apt: name: diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 2d1837e1..de495868 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
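Review bot: `nagios_nrpe_processes_default` in `nagios-nrpe/defaults/main.yml` lists `systemd-timesyn`, which is `systemd-timesyncd` cut to the kernel's 15-character process name; if that truncated form is what `check_process` matches on, a comment such as `# 15-char comm name of systemd-timesyncd` keeps the next reader from "correcting" it, and if it is not, the daemon will never match. The `set_fact` task added in `nagios-nrpe/tasks/main.yml` has an empty `- name:`; naming it, e.g. `- name: Set default list of processes to monitor`, makes it identifiable in play output. Both defaults are still written as a single bracketed string (`[ cron rsyslogd ... ]` is a one-element list), as the replaced line was; it works with the `join(' ')` in the template, but a real YAML list would make the intent clearer.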
@@ -66,7 +66,7 @@ command[check_amavis]={{ nagios_plugins_directory }}/check_amavis --server 127.0 command[check_spamd]={{ nagios_plugins_directory }}/check_spamd -H 127.0.0.1 command[check_nfsclient]=sudo -u www-data {{ nagios_plugins_directory }}/check_nfsclient command[check_evobackup]={{ nagios_plugins_directory }}/check_evobackup -command[check_process]={{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_process_processes | join(' ') }} +command[check_process]={{ nagios_plugins_directory }}/check_process {{ nagios_nrpe_processes | join(' ') }} command[check_drbd]={{ nagios_plugins_directory }}/check_drbd -d All -c StandAlone command[check_mongodb_connect]={{ nagios_plugins_directory }}/check_mongodb -H localhost -P27017 -A connect command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -n 0 From 009de62e2806bbdb83fe3e0985229f44ad7c1562 Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Thu, 9 Nov 2023 15:19:15 +0100 Subject: [PATCH 013/151] webapps/nextcloud Added var nextcloud_user_uid to enforce uid for nextcloud user --- CHANGELOG.md | 1 + webapps/nextcloud/defaults/main.yml | 1 + webapps/nextcloud/tasks/user.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3f3561e0..496b806b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Preliminary work for php83 * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel +* webapps/nextcloud Added var nextcloud_user_uid to enforce uid for nextcloud user ### Changed diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml index c6e0a316..72ce812d 100644 --- a/webapps/nextcloud/defaults/main.yml +++ b/webapps/nextcloud/defaults/main.yml 
@@ -5,6 +5,7 @@ nextcloud_releases_baseurl: "https://download.nextcloud.com/server/releases/" nextcloud_instance_name: "nextcloud" nextcloud_user: "{{ nextcloud_instance_name }}" +nextcloud_user_uid: 3000 nextcloud_domains: [] nextcloud_home: "/home/{{ nextcloud_user }}" diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index fdc5b7a6..f24f28c5 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -12,6 +12,7 @@ name: "{{ nextcloud_user | mandatory }}" group: "{{ nextcloud_user | mandatory }}" home: "{{ nextcloud_home | mandatory }}" + uid: "{{ nextcloud_user_uid | mandatory }}" shell: '/bin/bash' create_home: True state: present From aab3381887c45d63f4df2d75d6e76084360c725d Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Thu, 9 Nov 2023 15:59:45 +0100 Subject: [PATCH 014/151] webapps/nextcloud: fix missing gid --- CHANGELOG.md | 3 ++- webapps/nextcloud/tasks/user.yml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 496b806b..845631cb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Preliminary work for php83 * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel -* webapps/nextcloud Added var nextcloud_user_uid to enforce uid for nextcloud user +* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user ### Changed @@ -30,6 +30,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evoadmin-web: Fix PHP version for Bookworm * Add php-fpm82 to LDAP when relevant * nagios: fix default file to monitor for check_clamav_db +* webapps/nextcloud: fix missing gid ### Removed diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index f24f28c5..ab00f8ba 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml 
@@ -13,6 +13,7 @@ group: "{{ nextcloud_user | mandatory }}" home: "{{ nextcloud_home | mandatory }}" uid: "{{ nextcloud_user_uid | mandatory }}" + gid: "{{ nextcloud_user_uid | mandatory }}" shell: '/bin/bash' create_home: True state: present From 6ae9e04f273799f8f9b8d88b26b3afbf2422f07c Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Thu, 9 Nov 2023 16:48:17 +0100 Subject: [PATCH 015/151] webapps/nextcloud: fix misplaced gid attr and added check for nexctcloud uid --- CHANGELOG.md | 4 +++- webapps/nextcloud/tasks/user.yml | 7 ++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 845631cb..134c77c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,7 +30,9 @@ The **patch** part changes is incremented if multiple releases happen the same m * evoadmin-web: Fix PHP version for Bookworm * Add php-fpm82 to LDAP when relevant * nagios: fix default file to monitor for check_clamav_db -* webapps/nextcloud: fix missing gid +* webapps/nextcloud: fix missing gid +* webapps/nextcloud: fix misplaced gid attribute +* webapps/nextcloud: added check that nexctcloud uid is over 3000 ### Removed diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index ab00f8ba..c0ce5172 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -1,9 +1,15 @@ --- +- name: Check nextcloud user id is over 2999 + ansible.builtin.assert: + that: + - nextcloud_user_uid >= 3000 + - name: Create {{ nextcloud_user }} unix group ansible.builtin.group: name: "{{ nextcloud_user | mandatory }}" state: present + gid: "{{ nextcloud_user_uid | mandatory }}" tags: - nextcloud @@ -13,7 +19,6 @@ group: "{{ nextcloud_user | mandatory }}" home: "{{ nextcloud_home | mandatory }}" uid: "{{ nextcloud_user_uid | mandatory }}" - gid: "{{ nextcloud_user_uid | mandatory }}" shell: '/bin/bash' create_home: True state: present From c97e94bfe73de300363b1c57ff088c0971d4ded0 Mon Sep 17 00:00:00 2001 
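Review bot: The new `Check nextcloud user id is over 2999` assert carries no `tags`, while the group task right after it is tagged `nextcloud`; a run restricted with `--tags nextcloud` skips the assertion and still creates the group and user with whatever uid was supplied. Adding `tags: [nextcloud]` to the assert closes that gap. The expression `nextcloud_user_uid >= 3000` also assumes an integer; a value arriving as a string (for example from `-e` on the command line) would likely fail the comparison with a type error instead of the intended assertion message, so `nextcloud_user_uid | int >= 3000` is the more robust form.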
From: Jeremy Lecour Date: Fri, 10 Nov 2023 17:17:39 +0100 Subject: [PATCH 016/151] use ternary syntax for readability (subjective) --- evolinux-base/templates/log2mail/evolinux-defaults.j2 | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 evolinux-base/templates/log2mail/evolinux-defaults.j2 diff --git a/evolinux-base/templates/log2mail/evolinux-defaults.j2 b/evolinux-base/templates/log2mail/evolinux-defaults.j2 new file mode 100644 index 00000000..c030ed41 --- /dev/null +++ b/evolinux-base/templates/log2mail/evolinux-defaults.j2 @@ -0,0 +1,11 @@ +# {{ ansible_managed }} + +file = /var/log/syslog +pattern = "Out of memory: Kill" +mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} +template = /etc/log2mail/mail + +file = /var/log/syslog +pattern = "memory read error" +mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} +template = /etc/log2mail/mail \ No newline at end of file From b77845cc8cdb054606ade6295910e861b2e93b3a Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 13 Nov 2023 16:17:22 +0100 Subject: [PATCH 017/151] php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository --- CHANGELOG.md | 1 + php/tasks/sury_pre.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 134c77c0..47599bd7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evoadmin-web: Fix PHP version for Bookworm * Add php-fpm82 to LDAP when relevant * nagios: fix default file to monitor for check_clamav_db +* php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository * webapps/nextcloud: fix missing gid * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: added check that nexctcloud uid is over 3000 diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index d38efe13..a0640e4c 100644 --- a/php/tasks/sury_pre.yml 
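Review bot: In `mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}` (both occurrences) the filter binds tighter than `or`, so `mandatory` guards only `general_alert_email`, and whether an undefined `log2mail_alert_email` falls through to the fallback or aborts the template depends on how the undefined value is handled rather than on anything written here. `{{ log2mail_alert_email | default(general_alert_email, true) | mandatory }}` states the fallback explicitly and keeps the same empty-value behaviour as `or`.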
+++ b/php/tasks/sury_pre.yml @@ -24,7 +24,7 @@ - name: Setup pub.evolix.org repository - Add source list ansible.builtin.apt_repository: - repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php81 main" + repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php{{ php_version | replace('.', '')}} main" filename: evolix-php state: present when: From 4a6e6e6ba23fd598466c79b05ed0ce15f879539b Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 15 Nov 2023 09:43:10 +0100 Subject: [PATCH 018/151] ProFTPd: in SFTP vhost, enable SSH keys login, enable ed25549 host key --- CHANGELOG.md | 1 + proftpd/defaults/main.yml | 2 +- proftpd/templates/sftp.conf.j2 | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47599bd7..e03d4964 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 23.10 * add-vm.sh: allow VM name max length > 20 * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 +* ProFTPd: in SFTP vhost, enable SSH keys login, enable ed25549 host key ### Fixed diff --git a/proftpd/defaults/main.yml b/proftpd/defaults/main.yml index 25d60d5b..9473731e 100644 --- a/proftpd/defaults/main.yml +++ b/proftpd/defaults/main.yml @@ -12,7 +12,7 @@ proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem" proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key" proftpd_sftp_enable: False proftpd_sftp_override: False -proftpd_sftp_use_publickeys: False +proftpd_sftp_use_publickeys: True proftpd_sftp_port: 22222 proftpd_accounts: [] proftpd_accounts_final: [] diff --git a/proftpd/templates/sftp.conf.j2 b/proftpd/templates/sftp.conf.j2 index 457f638b..c0eaf171 100644 
--- a/proftpd/templates/sftp.conf.j2 +++ b/proftpd/templates/sftp.conf.j2 @@ -27,6 +27,7 @@ SFTPHostKey /etc/ssh/ssh_host_ecdsa_key SFTPHostKey /etc/ssh/ssh_host_rsa_key + SFTPHostKey /etc/ssh/ssh_host_ed25519_key RequireValidShell off From 1394052fd601e391ba7547b2230dfe52709d75cd Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 15 Nov 2023 10:53:22 +0100 Subject: [PATCH 019/151] ProFTPd: set missing default listen IP for SFTP, enable ed25525549 key only for Debian >= 11 --- CHANGELOG.md | 3 ++- proftpd/defaults/main.yml | 2 +- proftpd/templates/sftp.conf.j2 | 2 ++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e03d4964..5118693e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 23.10 * add-vm.sh: allow VM name max length > 20 * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 -* ProFTPd: in SFTP vhost, enable SSH keys login, enable ed25549 host key +* ProFTPd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 ### Fixed @@ -35,6 +35,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix missing gid * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: added check that nexctcloud uid is over 3000 +* ProFTPd: set missing default listen IP for SFTP ### Removed diff --git a/proftpd/defaults/main.yml b/proftpd/defaults/main.yml index 9473731e..0bcaa40f 100644 --- a/proftpd/defaults/main.yml +++ b/proftpd/defaults/main.yml @@ -1,7 +1,7 @@ --- proftpd_hostname: "{{ ansible_hostname }}" proftpd_fqdn: "{{ ansible_fqdn }}" -proftpd_default_address: [] +proftpd_default_address: ["0.0.0.0"] proftpd_ftp_enable: True proftpd_ftp_override: False proftpd_port: 21 
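Review bot: `proftpd_default_address: ["0.0.0.0"]` in `proftpd/defaults/main.yml` makes the daemon listen on every IPv4 interface by default, where the previous empty list presumably left the bind address unset in the rendered configuration; hosts that relied on the old default and expose the SFTP port (`proftpd_sftp_port`, 22222 by default) should be checked against their firewall rules before the role is re-applied. A comment on the line, e.g. `# all IPv4 interfaces; set explicit addresses to restrict exposure (IPv6 needs its own entry)`, would make the trade-off visible to whoever inherits the default.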
diff --git a/proftpd/templates/sftp.conf.j2 b/proftpd/templates/sftp.conf.j2 index c0eaf171..e70aa71c 100644 --- a/proftpd/templates/sftp.conf.j2 +++ b/proftpd/templates/sftp.conf.j2 @@ -27,7 +27,9 @@ SFTPHostKey /etc/ssh/ssh_host_ecdsa_key SFTPHostKey /etc/ssh/ssh_host_rsa_key + {% if ansible_distribution_major_version is version('11', '>=') %} SFTPHostKey /etc/ssh/ssh_host_ed25519_key + {% endif %} RequireValidShell off From b1a67d1a5ccec34aa0502964af16e297e2f839b3 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 16 Nov 2023 14:21:45 +0100 Subject: [PATCH 020/151] apache : fix goaway pattern for bad bots --- CHANGELOG.md | 1 + apache/files/evolinux-defaults.conf | 11 ++++------- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5118693e..0431abeb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * ProFTPd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 +* apache : fix goaway pattern for bad bots ### Fixed diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index 65c8c921..a66e2797 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -40,13 +40,10 @@ MaxKeepAliveRequests 10 - - - AllowOverride None - Require all granted - # "Require not env XXX" is not supported :( - Deny from env=GoAway - +# Go away bad bots (define "bad bots" in zzz-evolinux-custom.conf) + + Require all denied + # We don't want to let the client know a file exist on the server, From ac72c7ac317559b6113aed3ba75d2434ec9cfd0e Mon Sep 17 00:00:00 2001 
From: Gregory Colpart Date: Thu, 16 Nov 2023 14:43:22 +0100 Subject: [PATCH 021/151] apache: fix MaxRequestsPerChild value to be sync with wiki.e.o --- CHANGELOG.md | 1 + apache/files/evolinux-defaults.conf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0431abeb..68604257 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: added check that nexctcloud uid is over 3000 * ProFTPd: set missing default listen IP for SFTP +* apache: fix MaxRequestsPerChild value to be sync with wiki.e.o ### Removed diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index a66e2797..6a9c9240 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -10,7 +10,7 @@ MaxKeepAliveRequests 10 StartServers 50 MinSpareServers 20 MaxSpareServers 30 - MaxRequestsPerChild 0 + MaxRequestsPerChild 100 @@ -20,7 +20,7 @@ MaxKeepAliveRequests 10 ThreadLimit 64 ThreadsPerChild 25 MaxRequestWorkers 150 - MaxConnectionsPerChild 0 + MaxConnectionsPerChild 100 From 0578d5a3ec57696a0b82736219e047d4abf90aee Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 16 Nov 2023 14:45:07 +0100 Subject: [PATCH 022/151] apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) --- CHANGELOG.md | 1 + apache/files/evolinux-defaults.conf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68604257..cd7e74f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * ProFTPd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * apache : fix goaway pattern for bad bots +* apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) ### Fixed diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index 6a9c9240..73b7f136 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -10,7 +10,7 @@ MaxKeepAliveRequests 10 StartServers 50 MinSpareServers 20 MaxSpareServers 30 - MaxRequestsPerChild 100 + MaxConnectionsPerChild 100 From a5e4359d0e1e0027d72e5790ad94ffc630373000 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 17 Nov 2023 15:51:33 +0100 Subject: [PATCH 023/151] #73871 ssl: no not execute haproxy tasks and reload if haproxy is disabled --- CHANGELOG.md | 1 + ssl/tasks/main.yml | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd7e74f9..f1307a85 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,6 +39,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: added check that nexctcloud uid is over 3000 * ProFTPd: set missing default listen IP for SFTP * apache: fix MaxRequestsPerChild value to be sync with wiki.e.o +* ssl: no not execute haproxy tasks and reload if haproxy is disabled ### Removed diff --git a/ssl/tasks/main.yml b/ssl/tasks/main.yml index 01398dec..cc092c84 100644 --- a/ssl/tasks/main.yml +++ b/ssl/tasks/main.yml 
@@ -39,5 +39,12 @@ tags: - ssl +- name: Collect facts about system services + service_facts: + - ansible.builtin.include: haproxy.yml - when: haproxy_check.rc == 0 + when: + - haproxy_check.rc == 0 + - ansible_facts.services['haproxy.service']['state'] == "running" + - ansible_facts.services['haproxy.service']['status'] == "enabled" + From 642fbb1ea478bd604a3fc466c5da28fedd4efb8f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 20 Nov 2023 19:02:03 +0100 Subject: [PATCH 024/151] evolinux-base: dump-server-state upstream release 23.11 --- CHANGELOG.md | 9 +- evolinux-base/files/dump-server-state.sh | 111 ++++++++++++++++------- 2 files changed, 85 insertions(+), 35 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f1307a85..f652dade 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,13 +19,14 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evolinux-base: use separate default config file for rsyslog -* evocheck: upstream release 23.10 * add-vm.sh: allow VM name max length > 20 -* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 -* ProFTPd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) +* evocheck: upstream release 23.10 +* evolinux-base: dump-server-state upstream release 23.11 +* evolinux-base: use separate default config file for rsyslog +* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 +* proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 ### Fixed diff --git a/evolinux-base/files/dump-server-state.sh b/evolinux-base/files/dump-server-state.sh index 8ed50c7a..77e06bef 100644 --- a/evolinux-base/files/dump-server-state.sh 
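Review bot: The two new `when` conditions index `ansible_facts.services['haproxy.service']` directly; if `haproxy_check.rc == 0` holds but that key is absent (a differently named unit, or a host where `service_facts` reports names without the `.service` suffix), the include errors out on an undefined key instead of being skipped. Insert `- ansible_facts.services['haproxy.service'] is defined` before the two lookups. The new task also uses the short `service_facts:` module name while the neighbouring include uses the `ansible.builtin.` prefix; `ansible.builtin.service_facts:` keeps the file consistent.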
+++ b/evolinux-base/files/dump-server-state.sh @@ -3,7 +3,7 @@ PROGNAME="dump-server-state" REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state" -VERSION="23.08" +VERSION="23.11" readonly VERSION dump_dir= 
@@ -35,43 +35,44 @@ ${PROGNAME} is dumping information related to the state of the server. Usage: ${PROGNAME} --dump-dir=/path/to/dump/directory [OPTIONS] Main options - -d, --dump-dir path to the directory where data will be stored - --backup-dir legacy option for dump directory - -f, --force keep existing dump directory and its content - -v, --verbose print details about each task - -V, --version print version and exit - -h, --help print this message and exit + -d, --dump-dir path to the directory where data will be stored + --backup-dir legacy option for dump directory + -f, --force keep existing dump directory and its content + -v, --verbose print details about each task + -V, --version print version and exit + -h, --help print this message and exit Tasks options - --all reset options to execute all tasks - --none reset options to execute no task - --[no-]etc copy of /etc (default: no) - --[no-]dpkg-full copy of /var/lib/dpkg (default: no) - --[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes) - --[no-]apt-states copy of apt extended states (default: yes) - --[no-]apt-config copy of apt configuration (default: yes) - --[no-]packages copy of dpkg selections (default: yes) - --[no-]processes copy of process list (default: yes) - --[no-]uname copy of uname value (default: yes) - --[no-]uptime copy of uptime value (default: yes) - --[no-]netstat copy of netstat (default: yes) - --[no-]netcfg copy of network configuration (default: yes) - --[no-]iptables copy of iptables (default: yes) - --[no-]sysctl copy of sysctl values (default: yes) - --[no-]virsh copy of virsh list (default: yes) - --[no-]lxc copy of lxc list (default: yes) - --[no-]disks copy of MBR and partitions (default: yes) - --[no-]mount copy of mount points (default: yes) - --[no-]df copy of disk usage (default: yes) - --[no-]dmesg copy of dmesg (default: yes) - --[no-]mysql copy of mysql processes (default: yes) - --[no-]systemctl copy of systemd services states (default: yes) + --all reset 
options to execute all tasks + --none reset options to execute no task + --[no-]etc copy of /etc (default: no) + --[no-]dpkg-full copy of /var/lib/dpkg (default: no) + --[no-]dpkg-status copy of /var/lib/dpkg/status (default: yes) + --[no-]apt-states copy of apt extended states (default: yes) + --[no-]apt-config copy of apt configuration (default: yes) + --[no-]packages copy of dpkg selections (default: yes) + --[no-]processes copy of process list (default: yes) + --[no-]uname copy of uname value (default: yes) + --[no-]uptime copy of uptime value (default: yes) + --[no-]netstat copy of netstat (default: yes) + --[no-]netcfg copy of network configuration (default: yes) + --[no-]iptables copy of iptables (default: yes) + --[no-]sysctl copy of sysctl values (default: yes) + --[no-]virsh copy of virsh list (default: yes) + --[no-]lxc copy of lxc list (default: yes) + --[no-]disks copy of MBR and partitions (default: yes) + --[no-]mount copy of mount points (default: yes) + --[no-]df copy of disk usage (default: yes) + --[no-]dmesg copy of dmesg (default: yes) + --[no-]mysql-processes copy of mysql processes (default: yes) + --[no-]mysql-summary copy of mysql summary (default: yes) + --[no-]systemctl copy of systemd services states (default: yes) Tasks options order matters. They are evaluated from left to right. Examples : * "[…] --none --uname" will do only the uname task * "[…] --all --no-etc" will do everything but the etc task -* "[…] --etc --none --mysql" will do only the mysql task +* "[…] --etc --none --mysql-summary" will do only the mysql task END } debug() { 
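Review bot: The last example in the help text now reads `"[…] --etc --none --mysql-summary" will do only the mysql task`, but with the split into `--mysql-processes` and `--mysql-summary` there is no single "mysql task" any more; `will do only the mysql-summary task` matches the option it demonstrates. The rest of the hunk is column realignment plus the two new option lines and looks consistent with the new `TASK_MYSQL_SUMMARY` handling further down.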
@@ -741,6 +742,41 @@ task_mysql_processes() { fi } +task_mysql_summary() { + debug "Task: MySQL summary" + + mysqladmin_bin=$(command -v mysqladmin) + pt_mysql_summary_bin=$(command -v pt-mysql-summary) + + if [ -n "${mysqladmin_bin}" ] && [ -n "${pt_mysql_summary_bin}" ]; then + # Look for local MySQL or MariaDB process + if pgrep mysqld > /dev/null || pgrep mariadbd > /dev/null; then + if ${mysqladmin_bin} ping > /dev/null 2>&1; then + # important to set sleep to 0 + # because we don't want to block + # even if we lose some insight. + ${pt_mysql_summary_bin} --sleep 0 > "${dump_dir}/mysql-summary.txt" 2> "${dump_dir}/mysql-summary.err" + last_rc=$? + + if [ ${last_rc} -eq 0 ]; then + debug "* pt-mysql-summary OK" + else + debug "* pt-mysql-summary ERROR" + debug < "${dump_dir}/mysql-summary.err" + rm "${dump_dir}/mysql-summary.err" + rc=10 + fi + else + debug "* unable to ping with mysqladmin" + fi + else + debug "* no mysqld or mariadbd process is running" + fi + else + debug "* pt-mysql-summary not found" + fi +} + task_systemctl() { debug "Task: Systemd services" @@ -841,6 +877,9 @@ main() { if [ "${TASK_MYSQL_PROCESSES}" -eq 1 ]; then task_mysql_processes fi + if [ "${TASK_MYSQL_SUMMARY}" -eq 1 ]; then + task_mysql_summary + fi if [ "${TASK_SYSTEMCTL}" -eq 1 ]; then task_systemctl fi @@ -950,6 +989,7 @@ while :; do TASK_DF \ TASK_DMESG \ TASK_MYSQL_PROCESSES \ + TASK_MYSQL_SUMMARY \ TASK_SYSTEMCTL do eval "${option}=1" @@ -978,6 +1018,7 @@ while :; do TASK_DF \ TASK_DMESG \ TASK_MYSQL_PROCESSES \ + TASK_MYSQL_SUMMARY \ TASK_SYSTEMCTL do eval "${option}=0" @@ -1124,6 +1165,13 @@ while :; do TASK_MYSQL_PROCESSES=0 ;; + --mysql-summary) + TASK_MYSQL_SUMMARY=1 + ;; + --no-mysql-summary) + TASK_MYSQL_SUMMARY=0 + ;; + --systemctl) TASK_SYSTEMCTL=1 ;; @@ -1173,6 +1221,7 @@ done : "${TASK_DF:=1}" : "${TASK_DMESG:=1}" : "${TASK_MYSQL_PROCESSES:=1}" +: "${TASK_MYSQL_SUMMARY:=1}" : "${TASK_SYSTEMCTL:=1}" export LC_ALL=C 
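Review bot: The final `else` of `task_mysql_summary` prints `* pt-mysql-summary not found` although the condition it belongs to also fails when only `mysqladmin` is missing, so the debug output can point at the wrong binary; `debug "* mysqladmin or pt-mysql-summary not found"` covers both cases. On the success path `${dump_dir}/mysql-summary.err` is left behind (it is only removed in the error branch); if keeping pt-mysql-summary's warnings is intended, a one-line comment saying so would stop the next reader from "fixing" it, otherwise the `rm` belongs after the `if`. The other hunks on this line (dispatch in `main`, the `--all`/`--none` lists, option parsing and the `:=1` default) mirror the existing `TASK_MYSQL_PROCESSES` handling and look consistent.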
From 83c178f244d5695bc2c45f9d0f67e8d2bfc465ce Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 20 Nov 2023 19:02:48 +0100 Subject: [PATCH 025/151] log2mail: move custom config in separate file --- CHANGELOG.md | 1 + evolinux-base/tasks/log2mail.yml | 23 ++++++++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f652dade..6d18f120 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evocheck: upstream release 23.10 * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog +* log2mail: move custom config in separate file * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 9a1f3314..79e4f5e0 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -17,18 +17,23 @@ state: started enabled: yes -- name: log2mail config is present +- name: log2mail evolinux config is absent from default config ansible.builtin.blockinfile: dest: /etc/log2mail/config/default - owner: log2mail - group: adm - mode: "0640" marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE" - block: | - file = /var/log/syslog - pattern = "Out of memory: Kill" - mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} - template = /etc/log2mail/mail + state: absent + notify: restart log2mail + tags: + - log2mail + +- name: log2mail evolinux-defaults config is present + ansible.builtin.template: + src: log2mail/evolinux-defaults.j2 + dest: /etc/log2mail/config/evolinux-defaults + owner: log2mail + group: adm + mode: "0640" + force: yes notify: restart log2mail tags: - log2mail 
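Review bot: The new task renders `log2mail/evolinux-defaults.j2`, but the commit's diffstat lists only `CHANGELOG.md` and `tasks/log2mail.yml`, so unless that template already exists in the role the task fails at render time; the rules that the removed block carried (the `/var/log/syslog` file, the `Out of memory: Kill` pattern, the `mailto` with `mandatory` and the `template` path) need to live in it. A short comment on the `state: absent` task explaining that it only strips the ANSIBLE-marked block from `config/default` and that the rules now come from `config/evolinux-defaults` would make the migration self-explanatory.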
From 00fad357b5be3554e7dc85cd7f66db11fab5be36 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 20 Nov 2023 19:03:39 +0100 Subject: [PATCH 026/151] use ternary condition (more readable) --- nagios-nrpe/tasks/main.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index bf63a44a..2a89da52 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml @@ -2,9 +2,8 @@ - name: ansible.builtin.set_fact: - nagios_nrpe_processes: "{{ nagios_nrpe_processes_default_before_debian_12 if ansible_distribution_major_version is version('12', '<') else nagios_nrpe_processes_default }}" - when: - nagios_nrpe_processes == None or nagios_nrpe_processes|length <= 0 + nagios_nrpe_processes: "{{ ansible_distribution_major_version is version('12', '<') | ternary(nagios_nrpe_processes_default_before_debian_12, nagios_nrpe_processes_default) }}" + when: nagios_nrpe_processes == None or nagios_nrpe_processes | length <= 0 - name: base nrpe & plugins packages are installed ansible.builtin.apt: From 71ed4c4c8cee59bdeefb71f552ceceaeb4815b6e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 20 Nov 2023 19:03:50 +0100 Subject: [PATCH 027/151] shell syntax --- mysql/files/save_mysql_processlist.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql/files/save_mysql_processlist.sh b/mysql/files/save_mysql_processlist.sh index 95abc57d..e03036dd 100644 --- a/mysql/files/save_mysql_processlist.sh +++ b/mysql/files/save_mysql_processlist.sh @@ -7,7 +7,7 @@ processlist() { } DIR="/var/log/mysql-processlist" -TS=`date +%Y%m%d%H%M%S` +TS=$(date +%Y%m%d%H%M%S) FILE="${DIR}/${TS}" if [ ! -d "${DIR}" ]; then From f01e7453fbdccb33377c4a6a766e9c8888460acc Mon Sep 17 00:00:00 2001 
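Review bot: The `ternary` filter is applied to an unparenthesised `is version('12', '<')` test; Jinja appears to bind the filter to the test result here, which is what is wanted, but `(ansible_distribution_major_version is version('12', '<')) | ternary(nagios_nrpe_processes_default_before_debian_12, nagios_nrpe_processes_default)` makes that explicit and is the form the Ansible documentation uses. In the same task, `nagios_nrpe_processes == None` is a Python-style comparison; the Jinja idiom is `nagios_nrpe_processes is none`.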
From: Jeremy Lecour Date: Mon, 20 Nov 2023 19:13:51 +0100 Subject: [PATCH 028/151] no need to symlink backup-server-state to dump-server-state anymore --- CHANGELOG.md | 2 ++ evolinux-base/tasks/dump-server-state.yml | 9 +-------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d18f120..4ed9c403 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,6 +45,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed +* evolinux-base: no need to symlink backup-server-state to dump-server-state anymore + ### Security ## [23.10] 2023-10-14 diff --git a/evolinux-base/tasks/dump-server-state.yml b/evolinux-base/tasks/dump-server-state.yml index 65ff2f45..e3fd48a7 100644 --- a/evolinux-base/tasks/dump-server-state.yml +++ b/evolinux-base/tasks/dump-server-state.yml @@ -5,11 +5,4 @@ force: True owner: root group: root - mode: "0750" - -- name: symlink backup-server-state to dump-server-state - ansible.builtin.file: - src: /usr/local/sbin/dump-server-state - dest: /usr/local/sbin/backup-server-state - state: link - force: true + mode: "0750" \ No newline at end of file From 4cba25d8fc2ad9cc04d2eb7efebb68e6fd6b9b9d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 20 Nov 2023 19:15:39 +0100 Subject: [PATCH 029/151] evolinux-base: no need to remove update-evobackup-canary from sbin anymore --- CHANGELOG.md | 1 + evolinux-base/tasks/utils.yml | 6 ------ 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ed9c403..570eaff4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,6 +45,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Removed +* evolinux-base: no need to remove update-evobackup-canary from sbin anymore * evolinux-base: no need to symlink backup-server-state to dump-server-state anymore ### Security 
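Review bot: The rewritten last line `mode: "0750"` lost its trailing newline (`\ No newline at end of file`); restoring it keeps the file clean and avoids a spurious change on the next edit. Removing the task that created the symlink does not remove `/usr/local/sbin/backup-server-state` from hosts where earlier runs already created it; if the legacy name is meant to disappear, a `state: absent` task for that path is the counterpart, and if it is meant to stay, the commit message should say so.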
diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index a1c4d646..e3477d08 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -24,12 +24,6 @@ group: root mode: "0755" -# TODO: delete when this has been run once on all our servers -- name: update-evobackup-canary is removed from sbin - ansible.builtin.file: - path: /usr/local/sbin/update-evobackup-canary - state: absent - - name: Deploy htop configuration ansible.builtin.copy: src: htoprc From 8993242b2ce79a82daf94579ea3e34ecaf266227 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 30 Oct 2023 10:19:16 +0100 Subject: [PATCH 030/151] bind: /etc/default/bind9 has been renamed as /etc/default/named Since Bullseye (Debian 11) --- bind/README.md | 2 +- bind/files/chroot-bind.sh | 6 ++++-- bind/tasks/main.yml | 16 ++++++++++++++-- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/bind/README.md b/bind/README.md index 53f693a8..8d75b1e6 100644 --- a/bind/README.md +++ b/bind/README.md @@ -10,4 +10,4 @@ Minimal configuration is in `tasks/main.yml` The full list of variables (with default values) can be found in `defaults/main.yml`. -waening : sync chroot-bind.sh +warning : sync chroot-bind.sh diff --git a/bind/files/chroot-bind.sh b/bind/files/chroot-bind.sh index 08c665e8..5273e5a1 100644 --- a/bind/files/chroot-bind.sh +++ b/bind/files/chroot-bind.sh @@ -7,8 +7,10 @@ # Exec this script after `(apt-get|aptitude|apt) install bind9` # and after *each* bind9 upgrade -# When the script is finished, ensure you have -# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9 +# When the script is finished, ensure you have (since Bullseye) +# 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/named +### or (until Buster) +### 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9 # and /etc/init.d/bind9 (re)start # # for Jessie/systemd only: diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 1e20eee2..0e5c7fea 100644 
--- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -94,13 +94,25 @@ - bind_chroot_set | bool - chrootbind_run.stdout | length > 0 -- name: Modify OPTIONS in /etc/default/bind9 for chroot +- name: Modify OPTIONS in /etc/default/bind9 for chroot (until Buster) ansible.builtin.replace: dest: /etc/default/bind9 regexp: '^OPTIONS=.*' replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' notify: restart bind - when: bind_chroot_set | bool + when: + - bind_chroot_set | bool + - ansible_distribution_major_version is version('11', '<') + +- name: Modify OPTIONS in /etc/default/named for chroot (since Bullseye) + ansible.builtin.replace: + dest: /etc/default/named + regexp: '^OPTIONS=.*' + replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' + notify: restart bind + when: + - bind_chroot_set | bool + - ansible_distribution_major_version is version('11', '>=') - name: logrotate for bind ansible.builtin.template: From c71521acc3761ecdca103d1782dcb9ef98d7e7b8 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 9 Nov 2023 18:12:14 +0100 Subject: [PATCH 031/151] bind: Adapt chroot-bind for Buster --- bind/files/chroot-bind.sh | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/bind/files/chroot-bind.sh b/bind/files/chroot-bind.sh index 5273e5a1..c69651ba 100644 --- a/bind/files/chroot-bind.sh +++ b/bind/files/chroot-bind.sh @@ -3,7 +3,7 @@ # Gregory Colpart # chroot (or re-chroot) script for bind9 -# tested on Debian Wheezy/Jessie/Stretch +# tested on Debian Wheezy/Jessie/Stretch/Buster # Exec this script after `(apt-get|aptitude|apt) install bind9` # and after *each* bind9 upgrade 
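Review bot: The two `Modify OPTIONS` tasks are identical apart from `dest` and the version bound, so the regexp and the chroot replacement are now maintained twice; one task with `dest: "{{ (ansible_distribution_major_version is version('11', '>=')) | ternary('/etc/default/named', '/etc/default/bind9') }}"` keeps them in a single place. `ansible.builtin.replace` is a no-op when nothing matches `^OPTIONS=.*`, so on a host whose `/etc/default/named` ships without an OPTIONS line the chroot options would silently not be applied and bind would run unchrooted; if the packaged file is not guaranteed to contain that line, `lineinfile` with `regexp`/`line` is the safer primitive. The task list continues outside the hunk.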
@@ -24,8 +24,8 @@ mkdir -p /var/chroot-bind mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \ /var/chroot-bind/lib /var/chroot-bind/usr/lib \ /var/chroot-bind/usr/sbin /var/chroot-bind/var/cache/bind \ - /var/chroot-bind/var/log /var/chroot-bind/var/run/named/ \ - /var/chroot-bind/run/named/ + /var/chroot-bind/var/log /var/chroot-bind/var/run/named \ + /var/chroot-bind/run/named /var/chroot-bind/usr/share/dns # for conf if [ ! -h "/etc/bind" ]; then @@ -33,6 +33,11 @@ if [ ! -h "/etc/bind" ]; then ln -s /var/chroot-bind/etc/bind/ /etc/bind fi +# for dns +if [ -d "/usr/share/dns" ]; then + cp -a /usr/share/dns/* /var/chroot-bind/usr/share/dns/ +fi + # for logs touch /var/chroot-bind/var/log/bind.log if [ ! -h "/var/log/bind.log" ]; then @@ -60,11 +65,16 @@ fi #chmod 666 /var/chroot-bind/dev/{null,random} # essential libs -for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` \ - /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so ; do - install -D $i /var/chroot-bind/${i##/} +for i in `ldd $(which named) | grep -v linux-vdso.so.1 | cut -d">" -f2 | cut -d"(" -f1` + do install -D $i /var/chroot-bind/${i##/} done +if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then + for i in /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so + do install -D $i /var/chroot-bind/${i##/} + done +fi + # essential (hum, bash is required ??) #cp /bin/bash /var/chroot-bind/bin/ cp /usr/sbin/named /var/chroot-bind/usr/sbin/ From 7ad55027da4df9720bb48be311fc9a0afeb453d4 Mon Sep 17 00:00:00 2001 
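Review bot: The new guard `if [ ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so 1>/dev/null 2>&1 ]; then` invokes `test`, not `ls`: `[` receives `ls` and the (possibly unexpanded) glob as operands, fails with a usage error that the redirections hide, and the branch is never taken, so `libgost.so` is no longer copied into the chroot even where it exists. Dropping the brackets gives the intended check: `if ls /usr/lib/x86_64-linux-gnu/openssl-1.0.*/engines/libgost.so >/dev/null 2>&1; then`. The first two hunks on this line (the extra `usr/share/dns` directory and its `cp -a`) look fine; the `ldd` loop keeps the pre-existing unquoted `$i`.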
From: David Prevot Date: Thu, 9 Nov 2023 18:19:42 +0100 Subject: [PATCH 032/151] bind: Adapt apparmor rules as in https://wiki.debian.org/Bind9 --- bind/files/apparmor.usr.sbin.named | 5 ++ bind/tasks/main.yml | 10 +-- bind/templates/apparmor.usr.sbin.named.j2 | 97 ----------------------- 3 files changed, 10 insertions(+), 102 deletions(-) create mode 100644 bind/files/apparmor.usr.sbin.named delete mode 100644 bind/templates/apparmor.usr.sbin.named.j2 diff --git a/bind/files/apparmor.usr.sbin.named b/bind/files/apparmor.usr.sbin.named new file mode 100644 index 00000000..3ee197b0 --- /dev/null +++ b/bind/files/apparmor.usr.sbin.named @@ -0,0 +1,5 @@ +/var/chroot-bind/etc/bind/** r, +/var/chroot-bind/var/** rw, +/var/chroot-bind/dev/** rw, +/var/chroot-bind/run/** rw, +/var/chroot-bind/usr/** r, diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 0e5c7fea..45918760 100644 --- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -17,13 +17,13 @@ register: check_apparmor - name: configure apparmor - ansible.builtin.template: - src: apparmor.usr.sbin.named.j2 - dest: /etc/apparmor.d/usr.sbin.named - owner: root - group: root + ansible.builtin.copy: + src: apparmor.usr.sbin.named + dest: /etc/apparmor.d/local/usr.sbin.named mode: "0644" + owner: root force: true + backup: yes notify: restart apparmor when: check_apparmor.rc == 0 diff --git a/bind/templates/apparmor.usr.sbin.named.j2 b/bind/templates/apparmor.usr.sbin.named.j2 deleted file mode 100644 index d9f0be04..00000000 --- a/bind/templates/apparmor.usr.sbin.named.j2 +++ /dev/null 
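Review bot: The new fragment has no header saying that it is pulled in through the packaged `usr.sbin.named` profile's `local/` include and that each path must mirror what `chroot-bind.sh` creates; a first line such as `# Ansible-managed additions for bind running chrooted in /var/chroot-bind; keep in sync with chroot-bind.sh` would save the next maintainer the search the README's "sync chroot-bind.sh" warning hints at. `/var/chroot-bind/var/** rw` is broader than the split the removed template kept (`/var/lib/bind/** rw`, `/var/cache/bind/** lrw`, everything else read-only); if that is a deliberate simplification for the chroot's log and run directories, a second comment line stating it documents the trade-off.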
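Review bot: Moving the destination to `/etc/apparmor.d/local/usr.sbin.named` leaves the full custom profile that earlier runs wrote to `/etc/apparmor.d/usr.sbin.named` in place on already-managed hosts, including its rendered `bind_log_file` rules, and nothing in this commit restores the packaged profile there; those hosts would keep the old ruleset plus the new local additions, while fresh hosts get the Debian profile plus the additions. If that divergence is acceptable, a comment on the task should say so; otherwise a task reinstating the package's conffile belongs alongside. Whether the packaged profile on every supported release includes `local/usr.sbin.named` is not visible here and is worth a note too.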
@@ -1,97 +0,0 @@ -# vim:syntax=apparmor -# Last Modified: Tue Mar 9 14:17:50 EST 2021 -#include - -/usr/sbin/named flags=(attach_disconnected) { - #include - #include - - capability net_bind_service, - capability setgid, - capability setuid, - capability sys_chroot, - capability sys_resource, - - # /etc/bind should be read-only for bind - # /var/lib/bind is for dynamically updated zone (and journal) files. - # /var/cache/bind is for slave/stub data, since we're not the origin of it. - # See /usr/share/doc/bind9/README.Debian.gz - /etc/bind/** r, - /var/lib/bind/** rw, - /var/lib/bind/ rw, - /var/cache/bind/** lrw, - /var/cache/bind/ rw, - - # Database file used by allow-new-zones - /var/cache/bind/_default.nzd-lock rwk, - - # gssapi - /etc/krb5.keytab kr, - /etc/bind/krb5.keytab kr, - - # ssl - /etc/ssl/openssl.cnf r, - - # root hints from dns-data-root - /usr/share/dns/root.* r, - - # GeoIP data files for GeoIP ACLs - /usr/share/GeoIP/** r, - - # dnscvsutil package - /var/lib/dnscvsutil/compiled/** rw, - - # Allow changing worker thread names - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - @{PROC}/net/if_inet6 r, - @{PROC}/*/net/if_inet6 r, - @{PROC}/sys/net/ipv4/ip_local_port_range r, - /usr/sbin/named mr, - /{,var/}run/named/named.pid w, - /{,var/}run/named/session.key w, - # support for resolvconf - /{,var/}run/named/named.options r, - - # some people like to put logs in /var/log/named/ instead of having - # syslog do the heavy lifting. 
- {{ bind_log_file }} rw, -{% if bind_query_file_enabled | bool %} - {{ bind_query_file }} rw, -{% endif %} - - # gssapi - /var/lib/sss/pubconf/krb5.include.d/** r, - /var/lib/sss/pubconf/krb5.include.d/ r, - /var/lib/sss/mc/initgroups r, - /etc/gss/mech.d/ r, - - # ldap - /etc/ldap/ldap.conf r, - /{,var/}run/slapd-*.socket rw, - - # dynamic updates - /var/tmp/DNS_* rw, - - # dyndb backends - /usr/lib/bind/*.so rm, - - # Samba DLZ - /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm, - /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm, - /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm, - /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm, - /var/lib/samba/bind-dns/dns.keytab rk, - /var/lib/samba/bind-dns/named.conf r, - /var/lib/samba/bind-dns/dns/** rwk, - /var/lib/samba/private/dns.keytab rk, - /var/lib/samba/private/named.conf r, - /var/lib/samba/private/dns/** rwk, - /etc/samba/smb.conf r, - /dev/urandom rwmk, - owner /var/tmp/krb5_* rwk, - - # Site-specific additions and overrides. See local/README for details. - #include -} - From 9cedf84dae26e6fd951618eed3b2afc283fac028 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 13 Nov 2023 10:36:29 +0100 Subject: [PATCH 033/151] bind: Group accessibility for /var/chroot-bind --- bind/files/chroot-bind.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bind/files/chroot-bind.sh b/bind/files/chroot-bind.sh index c69651ba..cfcec28f 100644 --- a/bind/files/chroot-bind.sh +++ b/bind/files/chroot-bind.sh @@ -3,7 +3,7 @@ # Gregory Colpart # chroot (or re-chroot) script for bind9 -# tested on Debian Wheezy/Jessie/Stretch/Buster +# tested on Debian Wheezy/Jessie/Stretch/Buster/Bullseye # Exec this script after `(apt-get|aptitude|apt) install bind9` # and after *each* bind9 upgrade 
@@ -27,6 +27,8 @@ mkdir -p /var/chroot-bind/bin /var/chroot-bind/dev /var/chroot-bind/etc \ /var/chroot-bind/var/log /var/chroot-bind/var/run/named \ /var/chroot-bind/run/named /var/chroot-bind/usr/share/dns +chmod 750 /var/chroot-bind + # for conf if [ ! -h "/etc/bind" ]; then mv /etc/bind/ /var/chroot-bind/etc/ From 3bd87906cec584caacf73cbe2c2d8e768fc8b0f8 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 13 Nov 2023 17:59:48 +0100 Subject: [PATCH 034/151] bind: Adapt chroot-bind for Bookworm --- bind/files/chroot-bind.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/bind/files/chroot-bind.sh b/bind/files/chroot-bind.sh index cfcec28f..95852e61 100644 --- a/bind/files/chroot-bind.sh +++ b/bind/files/chroot-bind.sh @@ -3,14 +3,17 @@ # Gregory Colpart # chroot (or re-chroot) script for bind9 -# tested on Debian Wheezy/Jessie/Stretch/Buster/Bullseye +# tested on Debian Wheezy/Jessie/Stretch/Buster/Bullseye/Bookworm # Exec this script after `(apt-get|aptitude|apt) install bind9` # and after *each* bind9 upgrade -# When the script is finished, ensure you have (since Bullseye) +# When the script is finished, ensure you have # 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/named -### or (until Buster) -### 'OPTIONS="-u bind -t /var/chroot-bind"' in /etc/default/bind9 +# (since Bullseye) or, until Buster, in /etc/default/bind9 +# +# Since Bookmworm, one also needs to handle bind mount points +# https://wiki.evolix.org/HowtoBind#bind-mount-%C3%A0-partir-de-bookworm-debian-12 +# # and /etc/init.d/bind9 (re)start # # for Jessie/systemd only: From 33d22b26143532d46542d5156fe979fd5a734119 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 21 Nov 2023 10:48:54 +0100 Subject: [PATCH 035/151] bind: Bind mount for Bookworm --- bind/tasks/main.yml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml index 45918760..ea5b87c7 100644 
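Review bot: `chmod 750 /var/chroot-bind` only gives group access if the directory's group is the one bind runs as; the `mkdir -p` just above creates it as root:root and nothing in this hunk changes that, so unless ownership is set elsewhere the `-u bind` process would likely lose search permission on its own chroot root once the mode is tightened. Pairing the chmod with `chown root:bind /var/chroot-bind` (or whichever group the role expects) makes the intent explicit and keeps the tightening effective on re-runs.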
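Review bot: Typo in the new header comment: `Since Bookmworm` should read `Since Bookworm`. The rewritten paragraph now points at `/etc/default/named` for Bullseye and later but the following line still says `and /etc/init.d/bind9 (re)start`; if that script no longer exists on those releases, naming the systemd unit there would keep the instructions consistent — I cannot confirm the script's presence from this chunk.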
--- a/bind/tasks/main.yml +++ b/bind/tasks/main.yml @@ -114,6 +114,48 @@ - bind_chroot_set | bool - ansible_distribution_major_version is version('11', '>=') +- name: Create mount target directory for chroot (since Bookworm) + ansible.builtin.file: + path: /var/chroot-bind/run/systemd/journal + state: directory + owner: bind + group: bind + notify: restart bind + when: + - bind_chroot_set | bool + - ansible_distribution_major_version is version('12', '>=') + +- name: Create mount targets for chroot (since Bookworm) + ansible.builtin.file: + path: '{{ item }}' + state: touch + owner: bind + group: bind + loop: + - /var/chroot-bind/run/systemd/journal/socket + - /var/chroot-bind/run/systemd/journal/stdout + - /var/chroot-bind/run/systemd/notify + notify: restart bind + when: + - bind_chroot_set | bool + - ansible_distribution_major_version is version('12', '>=') + +- name: Set up bind mount for chroot (since Bookworm) + ansible.posix.mount: + src: "{{ item }}" + path: "/var/chroot-bind{{ item }}" + opts: bind + state: mounted + fstype: none + loop: + - /run/systemd/journal/socket + - /run/systemd/journal/stdout + - /run/systemd/notify + notify: restart bind + when: + - bind_chroot_set | bool + - ansible_distribution_major_version is version('12', '>=') + - name: logrotate for bind ansible.builtin.template: src: logrotate_bind.j2 From 96d15eb5aa2923cfe2a7d39ca4fe8dd4abb88d41 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 21 Nov 2023 11:35:42 +0100 Subject: [PATCH 036/151] Changelog entry for bind changes --- CHANGELOG.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 570eaff4..19a472e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
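Review bot: `state: touch` in `ansible.builtin.file` updates the timestamps on every run, so the "Create mount targets" task reports changed each time and its `notify: restart bind` restarts the daemon on every playbook run; adding `modification_time: preserve` and `access_time: preserve` to that task makes it idempotent once the files exist. The mount task persists fstab entries for sources under `/run`, a tmpfs recreated at boot; whether the journal sockets and `notify` exist before those mount units run is not verifiable here, so a comment recording how this was validated across a reboot would help the next reader.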
@@ -410,16 +410,17 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* docker : Introduce new default settings + allow to change the docker data directory -* docker : Introduce new variables to tweak daemon settings +* docker: Introduce new default settings + allow to change the docker data directory +* docker: Introduce new variables to tweak daemon settings ### Changed -* evocheck: upstream release 22.05 +* evocheck: Upstream release 22.05 +* bind: Update role for Buster, Bullseye and Bookworm support ### Removed -* docker : Removed Debian Jessie support +* docker: Removed Debian Jessie support ## [22.05] 2022-05-10 From 736ed26036e3df5eef133a6a3aeed6774c7e3327 Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Tue, 31 Oct 2023 17:44:55 +0100 Subject: [PATCH 037/151] lxc-php: Add variable 'lxc_php_container_name' --- lxc-php/defaults/main.yml | 1 + lxc-php/tasks/mail_opensmtpd.yml | 8 ++++---- lxc-php/tasks/mail_ssmtp.yml | 6 +++--- lxc-php/tasks/main.yml | 8 ++++---- lxc-php/tasks/misc.yml | 14 +++++++------- lxc-php/tasks/php73.yml | 6 +++--- 6 files changed, 22 insertions(+), 21 deletions(-) diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index c0612f4e..4f2562de 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -13,6 +13,7 @@ php_conf_mysql_socket_dir: /mysqld php_conf_mysql_default_socket: "{{ php_conf_mysql_socket_dir }}/mysqld.sock" lxc_php_version: Null +lxc_php_container_name: "php{{ lxc_php_version }}" lxc_php_container_releases: php56: "jessie" diff --git a/lxc-php/tasks/mail_opensmtpd.yml b/lxc-php/tasks/mail_opensmtpd.yml index 35d0e75b..f532e8e8 100644 --- a/lxc-php/tasks/mail_opensmtpd.yml +++ b/lxc-php/tasks/mail_opensmtpd.yml 
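Review bot: The new default `lxc_php_container_name: "php{{ lxc_php_version }}"` renames every existing container: the keys of `lxc_php_container_releases` (`php56`, …) and the lookups `lxc_php_container_releases[lxc_php_version]` in the task files show that `lxc_php_version` already carries the `php` prefix, so the default renders as `phpphp56` and the role would create a second container instead of managing the current one. Unless a wholesale rename is intended, the behaviour-preserving default is `lxc_php_container_name: "{{ lxc_php_version }}"`. The rename hunks on the following lines propagate whichever value this default yields.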
@@ -1,11 +1,11 @@ --- -- name: "{{ lxc_php_version }} - Install opensmtpd" +- name: "{{ lxc_php_container_name }} - Install opensmtpd" community.general.lxc_container: - name: "{{ lxc_php_version }}" + name: "{{ lxc_php_container_name }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y opensmtpd" -- name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" +- name: "{{ lxc_php_container_name }} - Configure opensmtpd (in the container)" ansible.builtin.template: src: smtpd.conf.j2 dest: "{{ lxc_rootfs }}/etc/smtpd.conf" @@ -14,7 +14,7 @@ when: lxc_php_container_releases[lxc_php_version] in ["jessie", "stretch", "buster"] -- name: "{{ lxc_php_version }} - Configure opensmtpd (in the container)" +- name: "{{ lxc_php_container_name }} - Configure opensmtpd (in the container)" ansible.builtin.template: src: smtpd.conf.bullseye.j2 dest: "{{ lxc_rootfs }}/etc/smtpd.conf" diff --git a/lxc-php/tasks/mail_ssmtp.yml b/lxc-php/tasks/mail_ssmtp.yml index 07b54118..62066b2e 100644 --- a/lxc-php/tasks/mail_ssmtp.yml +++ b/lxc-php/tasks/mail_ssmtp.yml @@ -1,11 +1,11 @@ --- -- name: "{{ lxc_php_version }} - Install ssmtp" +- name: "{{ lxc_php_container_name }} - Install ssmtp" community.general.lxc_container: - name: "{{ lxc_php_version }}" + name: "{{ lxc_php_container_name }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends --yes --force-yes ssmtp " -- name: "{{ lxc_php_version }} - Configure ssmtp" +- name: "{{ lxc_php_container_name }} - Configure ssmtp" ansible.builtin.template: src: ssmtp.conf.j2 dest: "{{ lxc_rootfs }}/etc/ssmtp/ssmtp.conf" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index 035bfe15..13622b9e 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml 
@@ -9,16 +9,16 @@ name: evolix/lxc vars: lxc_containers: - - { name: "{{ lxc_php_version }}", release: "{{ lxc_php_container_releases[lxc_php_version] }}" } + - { name: "{{ lxc_php_container_name }}", release: "{{ lxc_php_container_releases[lxc_php_version] }}" } when: lxc_php_version is defined - name: set LXC rootfs ansible.builtin.set_fact: - lxc_rootfs: "/var/lib/lxc/{{ lxc_php_version }}/rootfs" + lxc_rootfs: "/var/lib/lxc/{{ lxc_php_container_name }}/rootfs" -- name: "Update APT cache in container {{ lxc_php_version }}" +- name: "Update APT cache in container {{ lxc_php_container_name }}" community.general.lxc_container: - name: "{{ lxc_php_version }}" + name: "{{ lxc_php_container_name }}" container_command: "apt-get update" - ansible.builtin.import_tasks: "php56.yml" diff --git a/lxc-php/tasks/misc.yml b/lxc-php/tasks/misc.yml index 248aa8e2..7fc4575e 100644 --- a/lxc-php/tasks/misc.yml +++ b/lxc-php/tasks/misc.yml 
@@ -1,31 +1,31 @@ --- -- name: "{{ lxc_php_version }} - Configure timezone for the container" +- name: "{{ lxc_php_container_name }} - Configure timezone for the container" ansible.builtin.copy: remote_src: yes src: "/etc/timezone" dest: "{{ lxc_rootfs }}/etc/timezone" -- name: "{{ lxc_php_version }} - Ensure container's root directory is 755" +- name: "{{ lxc_php_container_name }} - Ensure container's root directory is 755" ansible.builtin.file: path: "{{ lxc_rootfs }}" state: directory mode: '0755' -- name: "{{ lxc_php_version }} - Configure mailname for the container" +- name: "{{ lxc_php_container_name }} - Configure mailname for the container" ansible.builtin.copy: content: "{{ evolinux_hostname }}.{{ evolinux_domain }}\n" dest: "{{ lxc_rootfs }}/etc/mailname" notify: "Restart opensmtpd" -- name: "{{ lxc_php_version }} - Install misc packages" +- name: "{{ lxc_php_container_name }} - Install misc packages" community.general.lxc_container: - name: "{{ lxc_php_version }}" + name: "{{ lxc_php_container_name }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y cron logrotate git zip unzip" -- name: "{{ lxc_php_version }} - Add MySQL socket to container default mounts" +- name: "{{ lxc_php_container_name }} - Add MySQL socket to container default mounts" community.general.lxc_container: - name: "{{ lxc_php_version }}" + name: "{{ lxc_php_container_name }}" container_config: - "lxc.mount.entry = /run/mysqld {{ php_conf_mysql_socket_dir | replace('/', '', 1) }} none bind,create=dir 0 0" when: diff --git a/lxc-php/tasks/php73.yml b/lxc-php/tasks/php73.yml index ade67b97..1335e8a1 100644 --- a/lxc-php/tasks/php73.yml +++ b/lxc-php/tasks/php73.yml 
@@ -1,11 +1,11 @@ --- -- name: "{{ lxc_php_version }} - Install PHP packages" +- name: "{{ lxc_php_container_name }} - Install PHP packages" community.general.lxc_container: - name: "{{ lxc_php_version }}" + name: "{{ lxc_php_container_name }}" container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-gettext php-curl php-ssh2 php-zip php-mbstring php-zip composer libphp-phpmailer" -- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" +- name: "{{ lxc_php_container_name }} - Copy evolinux PHP configuration" ansible.builtin.template: src: z-evolinux-defaults.ini.j2 dest: "{{ line_item }}" From 239065bf368c3ec930601e959753cf2f60968552 Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Tue, 21 Nov 2023 16:17:48 +0100 Subject: [PATCH 038/151] kvm-host: Fix regression on old Debian --- kvm-host/files/add-vm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kvm-host/files/add-vm.sh b/kvm-host/files/add-vm.sh index 6ded1103..2dbe0ff2 100755 --- a/kvm-host/files/add-vm.sh +++ b/kvm-host/files/add-vm.sh @@ -231,7 +231,7 @@ EOT if ! isDryRun; then sleep 5 - drbdadm status | tail -4 + ( drbdadm status || drbd-overview ) 2>/dev/null | tail -4 drbdDiskPath="/dev/drbd/by-res/${vmName}/0" if ! [ -b "${drbdDiskPath}" ]; then From 95aeb9a68e6ea43101b6012d29564d4a0a7dead6 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 22 Nov 2023 16:13:37 +0100 Subject: [PATCH 039/151] Fix bind changelog entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 19a472e0..d2fbc918 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
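Review bot: `( drbdadm status || drbd-overview ) 2>/dev/null` silences all stderr from both commands, not only the "command not found" the regression fix targets, so a real `drbdadm status` failure (for example an unconfigured resource) now prints nothing where it used to surface. Choosing on availability keeps the diagnostics: `if command -v drbdadm >/dev/null 2>&1; then drbdadm status; else drbd-overview; fi | tail -4`. The enclosing `if ! isDryRun` block continues outside the hunk.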
@@ -28,6 +28,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * log2mail: move custom config in separate file * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 +* bind: Update role for Buster, Bullseye and Bookworm support ### Fixed @@ -416,7 +417,6 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * evocheck: Upstream release 22.05 -* bind: Update role for Buster, Bullseye and Bookworm support ### Removed From 2c86660e5213a159f96896d42a24aa781e548be9 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 22 Nov 2023 17:06:39 +0100 Subject: [PATCH 040/151] evocheck: upstream release 23.11 --- CHANGELOG.md | 2 +- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 129 +++++++++++++++++++++++++++--- evocheck/files/evocheck.wheezy.sh | 2 +- 4 files changed, 120 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2fbc918..33a46223 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) -* evocheck: upstream release 23.10 +* evocheck: upstream release 23.11 * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog * log2mail: move custom config in separate file diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index fba55fd5..a1bc2535 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh 
@@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.10" +VERSION="23.11" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 89f17aba..64caaf25 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.10" +VERSION="23.11" readonly VERSION # base functions @@ -68,6 +68,8 @@ detect_os() { 10) DEBIAN_RELEASE="buster";; 11) DEBIAN_RELEASE="bullseye";; 12) DEBIAN_RELEASE="bookworm";; + 13) DEBIAN_RELEASE="trixie";; + 14) DEBIAN_RELEASE="forky";; esac fi fi @@ -85,6 +87,12 @@ is_debian_bullseye() { is_debian_bookworm() { test "${DEBIAN_RELEASE}" = "bookworm" } +is_debian_trixie() { + test "${DEBIAN_RELEASE}" = "trixie" +} +is_debian_forky() { + test "${DEBIAN_RELEASE}" = "forky" +} is_pack_web(){ test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh 
@@ -193,11 +201,30 @@ check_debiansecurity() { apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository" } +check_debiansecurity_lxc() { + if is_installed lxc; then + container_list=$(lxc-ls) + for container in $container_list; do + lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}" + done + fi +} check_oldpub() { # Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch) apt-cache policy | grep --quiet pub.evolix.net test $? -eq 1 || failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled" } +check_oldpub_lxc() { + # Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Buster as Sury safeguard) + if is_installed lxc; then + container_list=$(lxc-ls) + for container in $container_list; do + lxc-attach --name $container apt-cache policy | grep --quiet pub.evolix.net + test $? -eq 1 || failed "IS_OLDPUB_LXC" "Old pub.evolix.net repository is still enabled in container ${container}" + done + fi +} check_newpub() { # Look for enabled pub.evolix.org sources apt-cache policy | grep "\bl=Evolix\b" | grep --quiet -v php 
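Review bot: In check_debiansecurity_lxc, `lxc-attach` fails on a container that is not running, and because the grep chain then matches nothing the container is reported as missing the Debian-Security repository, a false positive rather than an "unreachable" result. Both new functions also expand `$container` unquoted. Iterating only running containers and quoting avoids both, e.g. `for container in $(lxc-ls -1 --running); do` with `lxc-attach --name "$container" -- apt-cache policy | ...`. check_oldpub_lxc gives the right verdict in that situation only because it expects a non-match, so it silently skips stopped containers for the same reason.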
@@ -208,7 +235,19 @@ check_sury() { apt-cache policy | grep --quiet packages.sury.org if [ $? -eq 0 ]; then apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet - test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing" + test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing" + fi +} +check_sury_lxc() { + if is_installed lxc; then + container_list=$(lxc-ls) + for container in $container_list; do + lxc-attach --name $container apt-cache policy | grep --quiet packages.sury.org + if [ $? -eq 0 ]; then + lxc-attach --name $container apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet + test $? -eq 0 || failed "IS_SURY_LXC" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing in container ${container}" + fi + done fi } check_aptitude() { @@ -249,8 +288,15 @@ check_customcrontab() { test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" } check_sshallowusers() { - grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ - || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" + if is_debian_bookworm; then + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*" + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \ + && failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config" + else + grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \ + || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" + fi } check_diskperf() { perfFile="/root/disk-perf.txt" 
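Review bot: The new Bookworm branch of check_sshallowusers keeps the unanchored, case-insensitive pattern, so a commented-out `#AllowUsers` line in any file under sshd_config.d satisfies the check, and conversely a comment that merely mentions AllowGroups in sshd_config now trips the new "directive present" failure. Anchoring the pattern to an uncommented directive, `grep -E -qir '^[[:space:]]*(AllowUsers|AllowGroups)'`, removes both false results; querying the effective configuration with `sshd -T` (which prints `allowusers`/`allowgroups` in lowercase) would be more authoritative still. The pre-existing branch has the same weakness, and since the commit rewrites both branches this is the place to fix it.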
@@ -307,7 +353,7 @@ check_minifw() { } || failed "IS_MINIFW" "minifirewall seems not started" } check_minifw_includes() { - if is_debian_bullseye; then + if { ! is_debian_stretch && ! is_debian_buster ; }; then if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall"; then failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/" fi @@ -334,13 +380,13 @@ check_nrpedisks() { test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" } check_nrpepid() { - if { is_debian_bullseye || is_debian_bookworm ; }; then + if { is_debian_stretch || is_debian_buster ; }; then { test -e /etc/nagios/nrpe.cfg \ - && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" else { test -e /etc/nagios/nrpe.cfg \ - && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg" fi } 
@@ -550,11 +596,11 @@ check_evobackup_exclude_mount() { # then we verify that every mount is excluded if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then # old releases of evobackups don't have version - if grep -q "^VERSION=" "${evobackup_file}"; then - evobackup_version=$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}") + if grep -q "^VERSION="23.11"; then + evobackup_version=$(sed -E -n 's/VERSION="23.11") # versions over 22.12 use a new syntax to exclude rsync files if dpkg --compare-versions "$evobackup_version" ge 22.12 ; then - sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' > "${excludes_file}" + sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' "${evobackup_file}" > "${excludes_file}" else grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" fi @@ -697,6 +743,16 @@ check_etcgit() { git rev-parse --is-inside-work-tree > /dev/null 2>&1 \ || failed "IS_ETCGIT" "/etc is not a git repository" } +check_etcgit_lxc() { + if is_installed lxc; then + container_list=$(lxc-ls) + for container in $container_list; do + export GIT_DIR="/var/lib/lxc/${container}/etc/.git" GIT_WORK_TREE="/var/lib/lxc/${container}/etc" + git rev-parse --is-inside-work-tree > /dev/null 2>&1 \ + || failed "IS_ETCGIT_LXC" "/etc is not a git repository in container ${container}" + done + fi +} # Check if /etc/.git/ has read/write permissions for root only. check_gitperms() { GIT_DIR="/etc/.git" 
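Review bot: check_etcgit_lxc exports GIT_DIR and GIT_WORK_TREE and never unsets them, so after the loop any later git invocation in the script that does not set its own GIT_DIR operates on the last container rather than the host, and because the export attribute sticks, later plain `GIT_DIR=...` assignments are exported to child processes too; whether a later check depends on that is not visible from this hunk. Passing the paths on the command line keeps the effect local: `git --git-dir="/var/lib/lxc/${container}/rootfs/etc/.git" --work-tree="/var/lib/lxc/${container}/rootfs/etc" rev-parse --is-inside-work-tree > /dev/null 2>&1 \`. A later patch in this series corrects the missing `rootfs` path component but leaves the export in place.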
@@ -706,6 +762,19 @@ check_gitperms() { [ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected" fi } +check_gitperms_lxc() { + if is_installed lxc; then + container_list=$(lxc-ls) + for container in $container_list; do + GIT_DIR="/var/lib/lxc/${container}/etc/.git" + if test -d $GIT_DIR; then + expected="700" + actual=$(stat -c "%a" $GIT_DIR) + [ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})" + fi + done + fi +} # Check if no package has been upgraded since $limit. check_notupgraded() { last_upgrade=0 @@ -1000,6 +1069,7 @@ check_phpevolinuxconf() { is_debian_stretch && phpVersion="7.0" is_debian_buster && phpVersion="7.3" is_debian_bullseye && phpVersion="7.4" + is_debian_bookworm && phpVersion="8.2" if is_installed php; then { test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \ && test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini" @@ -1261,7 +1331,7 @@ check_lxc_container_resolv_conf() { container_list=$(lxc-ls) current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' ) - for container in $container_list; do + for container in $container_list; do if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then while read -r resolver; do 
@@ -1307,6 +1377,34 @@ check_lxc_php_fpm_service_umask_set() { fi fi } +# Check that LXC containers have the proper Debian version. +check_lxc_php_bad_debian_version() { + if is_installed lxc; then + php_containers_list=$(lxc-ls --filter php) + missing_umask="" + for container in $php_containers_list; do + if [ "$container" = "php56" ]; then + grep --quiet 'VERSION_ID="8"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Jessie" + elif [ "$container" = "php70" ]; then + grep --quiet 'VERSION_ID="9"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Stretch" + elif [ "$container" = "php73" ]; then + grep --quiet 'VERSION_ID="10"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Buster" + elif [ "$container" = "php74" ]; then + grep --quiet 'VERSION_ID="11"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bullseye" + elif [ "$container" = "php82" ]; then + grep --quiet 'VERSION_ID="12"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bookworm" + fi + done + fi +} +check_lxc_openssh() { + if is_installed lxc; then + container_list=$(lxc-ls) + for container in $container_list; do + test -e /var/lib/lxc/${container}/rootfs/usr/sbin/sshd && failed "IS_LXC_OPENSSH" "openssh-server should not be installed in container ${container}" + done + fi +} download_versions() { local file 
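Review bot: check_lxc_php_bad_debian_version assigns `missing_umask=""` and never reads it, apparently a leftover from the check_lxc_php_fpm_service_umask_set function it was modelled on, and both new functions expand `${container}` unquoted inside file paths. The if/elif ladder repeats the same grep and failure message five times; a `case "$container"` mapping the container name to its expected VERSION_ID, followed by one `grep --quiet "VERSION_ID=\"${expected_id}\"" "/var/lib/lxc/${container}/rootfs/etc/os-release"`, would keep the table in one place and make adding php83 a one-line change. Note that `lxc-ls --filter php` is a regular expression, so any container whose name contains php is listed; that is harmless here only because unknown names fall through the ladder.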
@@ -1460,9 +1558,12 @@ main() { test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity + test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc test "${IS_OLDPUB:=1}" = 1 && check_oldpub + test "${IS_OLDPUB_LXC:=1}" = 1 && check_oldpub_lxc test "${IS_NEWPUB:=1}" = 1 && check_newpub test "${IS_SURY:=1}" = 1 && check_sury + test "${IS_SURY_LXC:=1}" = 1 && check_sury_lxc test "${IS_APTITUDE:=1}" = 1 && check_aptitude test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak test "${IS_USRRO:=1}" = 1 && check_usrro @@ -1515,7 +1616,9 @@ main() { test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate test "${IS_ETCGIT:=1}" = 1 && check_etcgit + test "${IS_ETCGIT_LXC:=1}" = 1 && check_etcgit_lxc test "${IS_GITPERMS:=1}" = 1 && check_gitperms + test "${IS_GITPERMS_LXC:=1}" = 1 && check_gitperms_lxc test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5 test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup @@ -1557,6 +1660,8 @@ main() { test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set + test "${IS_LXC_PHP_BAD_DEBIAN_VERSION:=1}" = 1 && check_lxc_php_bad_debian_version + test "${IS_LXC_OPENSSH:=1}" = 1 && check_lxc_openssh test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions if [ -f "${main_output_file}" ]; then diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index 3bbcc1f1..0b0dbd58 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.10" +VERSION="23.11" readonly VERSION # base functions 
From c93748487be6775cb2aa6d955ecfe96a34f8ba18 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 22 Nov 2023 17:27:39 +0100 Subject: [PATCH 041/151] evocheck: upstream release 23.11.1 --- CHANGELOG.md | 2 +- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 6 +++--- evocheck/files/evocheck.wheezy.sh | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 33a46223..00ea9ded 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) -* evocheck: upstream release 23.11 +* evocheck: upstream release 23.11.1 * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog * log2mail: move custom config in separate file diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index a1bc2535..6fd8062b 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.11" +VERSION="23.11.1" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 64caaf25..c057157a 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.11" +VERSION="23.11.1" readonly VERSION # base functions 
@@ -596,8 +596,8 @@ check_evobackup_exclude_mount() { # then we verify that every mount is excluded if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then # old releases of evobackups don't have version - if grep -q "^VERSION="23.11"; then - evobackup_version=$(sed -E -n 's/VERSION="23.11") + if grep -q "^VERSION=" "${evobackup_file}"; then + evobackup_version=$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}") # versions over 22.12 use a new syntax to exclude rsync files if dpkg --compare-versions "$evobackup_version" ge 22.12 ; then sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' "${evobackup_file}" > "${excludes_file}" diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index 0b0dbd58..8e114b73 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.11" +VERSION="23.11.1" readonly VERSION # base functions From 892067cf2bb1f41beb4227d11b169da12226bd35 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 23 Nov 2023 12:26:20 +0100 Subject: [PATCH 042/151] kvmstats: use .capacity instead of .physical for disk size --- CHANGELOG.md | 1 + kvm-host/files/kvmstats.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 00ea9ded..a1e1db28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * bind: Update role for Buster, Bullseye and Bookworm support +* kvmstats: use .capacity instead of .physical for disk size ### Fixed 
diff --git a/kvm-host/files/kvmstats.sh b/kvm-host/files/kvmstats.sh index 0258b322..d8e27b81 100755 --- a/kvm-host/files/kvmstats.sh +++ b/kvm-host/files/kvmstats.sh @@ -57,7 +57,7 @@ BEGIN { if (!mem) mem = $2 } -/block\.[0-9]+\.physical/ { +/block\.[0-9]+\.capacity/ { disksize += $2 } /state\.state/ { From cb03831ae8a307a6ce9ca8d5fdea9de416990aa8 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 23 Nov 2023 13:40:03 +0100 Subject: [PATCH 043/151] lxc-php: Fix lxc_php_container_name --- lxc-php/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 4f2562de..6b1e1b9c 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -13,7 +13,7 @@ php_conf_mysql_socket_dir: /mysqld php_conf_mysql_default_socket: "{{ php_conf_mysql_socket_dir }}/mysqld.sock" lxc_php_version: Null -lxc_php_container_name: "php{{ lxc_php_version }}" +lxc_php_container_name: "{{ lxc_php_version }}" lxc_php_container_releases: php56: "jessie" From 8f1fa57c372912bf304bcaf48c5c4a9d49328f26 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 23 Nov 2023 15:01:58 +0100 Subject: [PATCH 044/151] =?UTF-8?q?evocheck:=20report=20=E2=80=9CIS=5FETCG?= =?UTF-8?q?IT=5FLXC,=20IS=5FGITPERMS=5FLXC:=20fix=20path=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evocheck/files/evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index c057157a..793af266 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh 
@@ -747,7 +747,7 @@ check_etcgit_lxc() { if is_installed lxc; then container_list=$(lxc-ls) for container in $container_list; do - export GIT_DIR="/var/lib/lxc/${container}/etc/.git" GIT_WORK_TREE="/var/lib/lxc/${container}/etc" + export GIT_DIR="/var/lib/lxc/${container}/rootfs/etc/.git" GIT_WORK_TREE="/var/lib/lxc/${container}/rootfs/etc" git rev-parse --is-inside-work-tree > /dev/null 2>&1 \ || failed "IS_ETCGIT_LXC" "/etc is not a git repository in container ${container}" done @@ -766,7 +766,7 @@ check_gitperms_lxc() { if is_installed lxc; then container_list=$(lxc-ls) for container in $container_list; do - GIT_DIR="/var/lib/lxc/${container}/etc/.git" + GIT_DIR="/var/lib/lxc/${container}/rootfs/etc/.git" if test -d $GIT_DIR; then expected="700" actual=$(stat -c "%a" $GIT_DIR) From 69bc93ff6ed27ce85d8d3040165eb47ceb69c2ba Mon Sep 17 00:00:00 2001 From: David Prevot Date: Fri, 24 Nov 2023 11:23:29 +0100 Subject: [PATCH 045/151] lxc: Init /etc git repository in lxc container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Note: ugly loop, but “it works”… --- CHANGELOG.md | 1 + lxc/tasks/create-container.yml | 23 +++++++++++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1e1db28..a7a96271 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * bind: Update role for Buster, Bullseye and Bookworm support * kvmstats: use .capacity instead of .physical for disk size +* lxc: Init /etc git repository in lxc container ### Fixed diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml index 4d3851b6..45f7270b 100644 --- a/lxc/tasks/create-container.yml +++ b/lxc/tasks/create-container.yml 
@@ -58,13 +58,13 @@ name: "{{ name }}" state: started -- name: "Ensure /etc/profile.d exists in container" +- name: "Ensure /etc/profile.d exists in container {{ name }}" ansible.builtin.file: path: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d" mode: '0755' state: directory -- name: "Copy host /etc/profile.d/evolinux into container" +- name: "Copy host /etc/profile.d/evolinux into container {{ name }}" ansible.builtin.copy: src: "/etc/profile.d/evolinux.sh" remote_src: true @@ -75,3 +75,22 @@ community.general.lxc_container: name: "{{ name }}" container_command: "DEBIAN_FRONTEND=noninteractive apt-get purge -y openssh-server" + +- name: "Init /etc git repository in container {{ name }}" + ansible.builtin.include_role: + name: 'etc-git' + tasks_from: 'repository.yml' + apply: + vars: + gitignore_items: + - "aliases.db" + - "*.swp" + - "postfix/sa-blacklist.access" + - "postfix/*.db" + - "postfix/spamd.cidr" + - "evobackup/.keep-*" + - "letsencrypt/.certbot.lock" + become: yes + loop: ["/var/lib/lxc/{{ name }}/rootfs/etc/"] + loop_control: + loop_var: 'repository_path' From e5f5425f6dfc5a5852fb2a60ccb936a940f3720a Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 26 Oct 2023 15:13:06 +0200 Subject: [PATCH 046/151] lxc-php: Allow one to install php83 on Bookworm container --- CHANGELOG.md | 1 + evolinux-users/templates/sudoers.j2 | 1 + generate-ldif/templates/generateldif.sh.j2 | 14 +++ lxc-php/defaults/main.yml | 2 + lxc-php/handlers/main.yml | 5 + lxc-php/tasks/main.yml | 3 + lxc-php/tasks/php83.yml | 91 +++++++++++++++++++ lxc-php/templates/bookworm_basics.sources.j2 | 2 +- .../templates/bookworm_security.sources.j2 | 2 +- lxc-php/templates/evolix_sury.sources.j2 | 8 ++ lxc-php/templates/sury.sources.j2 | 4 +- nagios-nrpe/templates/evolix.cfg.j2 | 1 + php/handlers/main.yml | 5 + 13 files changed, 135 insertions(+), 4 deletions(-) create mode 100644 lxc-php/tasks/php83.yml create mode 100644 lxc-php/templates/evolix_sury.sources.j2 
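Review bot: The new include_role task uses `become: yes` while the neighbouring tasks in the same file spell booleans as `true` (`remote_src: true`), so the addition reintroduces the syntax the rest of the roles moved away from; `become: true` keeps it consistent. The single-element `loop` exists only to set `repository_path`, which the commit message itself calls ugly; since the include already carries an `apply: vars:` block, putting `repository_path: "/var/lib/lxc/{{ name }}/rootfs/etc/"` there and dropping `loop`/`loop_control` should be equivalent, assuming the etc-git tasks read the variable rather than the loop item. The gitignore list looks like a copy of the host-side defaults of the etc-git role; if that role exposes them as a variable, referencing it would stop the two lists drifting apart.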
diff --git a/CHANGELOG.md b/CHANGELOG.md index a7a96271..9b0e4f03 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Preliminary work for php83 * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user +* lxc-php: Allow one to install php83 on Bookworm container ### Changed diff --git a/evolinux-users/templates/sudoers.j2 b/evolinux-users/templates/sudoers.j2 index 60b5b782..0e8471bf 100644 --- a/evolinux-users/templates/sudoers.j2 +++ b/evolinux-users/templates/sudoers.j2 @@ -15,6 +15,7 @@ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ +nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ nagios ALL = NOPASSWD: /usr/sbin/megaclisas-status --nagios nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ipmi_sensor nagios ALL = NOPASSWD: /sbin/dmsetup status --noflush diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 7e35ff5a..75eedfb4 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 
@@ -699,6 +699,20 @@ ServiceVersion: PHP-FPM 8.2 (multiphp) EOT fi +if lxc-ls | grep -q php83 ; then + cat <> "${ldif_file}" + +dn: ServiceName=php-fpm83,${computer_dn} +NagiosEnabled: TRUE +ipServiceProtocol: tcp +objectClass: EvoService +ServiceName: php-fpm83 +ipServicePort: 443 +ServiceType: web +ServiceVersion: PHP-FPM 8.3 (multiphp) +EOT +fi + fi # END - LXC (multiphp) diff --git a/lxc-php/defaults/main.yml b/lxc-php/defaults/main.yml index 6b1e1b9c..561a11f3 100644 --- a/lxc-php/defaults/main.yml +++ b/lxc-php/defaults/main.yml @@ -23,6 +23,7 @@ lxc_php_container_releases: php80: "bullseye" php81: "bullseye" php82: "bookworm" + php83: "bookworm" lxc_php_services: php56: 'php5-fpm.service' @@ -32,6 +33,7 @@ lxc_php_services: php80: 'php8.0-fpm.service' php81: 'php8.1-fpm.service' php82: 'php8.2-fpm.service' + php83: 'php8.3-fpm.service' apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" apt_basics_components: "{{ (ansible_virtualization_role == 'host') | ternary('main contrib non-free', 'main') }}" diff --git a/lxc-php/handlers/main.yml b/lxc-php/handlers/main.yml index b703933b..c1f58f92 100644 --- a/lxc-php/handlers/main.yml +++ b/lxc-php/handlers/main.yml @@ -10,6 +10,11 @@ name: "{{ lxc_php_version }}" container_command: "systemctl restart {{ lxc_php_services[lxc_php_version] }}" +- name: Reload php83-fpm + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "systemctl reload php8.3-fpm" + - name: Reload php82-fpm community.general.lxc_container: name: "{{ lxc_php_version }}" diff --git a/lxc-php/tasks/main.yml b/lxc-php/tasks/main.yml index 13622b9e..770031fa 100644 --- a/lxc-php/tasks/main.yml +++ b/lxc-php/tasks/main.yml 
@@ -42,6 +42,9 @@ - ansible.builtin.import_tasks: "php82.yml" when: lxc_php_version == "php82" +- ansible.builtin.import_tasks: "php83.yml" + when: lxc_php_version == "php83" + - ansible.builtin.import_tasks: "umask.yml" - ansible.builtin.import_tasks: "misc.yml" diff --git a/lxc-php/tasks/php83.yml b/lxc-php/tasks/php83.yml new file mode 100644 index 00000000..80c33eb6 --- /dev/null +++ b/lxc-php/tasks/php83.yml 
@@ -0,0 +1,91 @@ +--- + +- name: set APT keyring + ansible.builtin.set_fact: + lxc_apt_keyring_dir: /etc/apt/trusted.gpg.d + +- name: "{{ lxc_php_version }} - Install dependency packages" + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y wget gnupg" + +- name: "{{ lxc_php_version }} - delete sources.list bookworm repository" + ansible.builtin.file: + path: "{{ lxc_rootfs }}/etc/apt/sources.list" + state: absent + +- name: "{{ lxc_php_version }} - system bookworm repository" + ansible.builtin.template: + src: bookworm_basics.sources.j2 + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/system.sources" + force: true + mode: "0644" + +- name: "{{ lxc_php_version }} - security bookworm repository" + ansible.builtin.template: + src: bookworm_security.sources.j2 + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/security.sources" + force: true + mode: "0644" + +- name: "{{ lxc_php_version }} - Add sury repo" + ansible.builtin.template: + src: sury.sources.j2 + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/sury.sources" + force: true + mode: "0644" + +- name: "{{ lxc_php_version }} - Add sury failsafe repo" + ansible.builtin.template: + src: evolix_sury.sources.j2 + dest: "{{ lxc_rootfs }}/etc/apt/sources.list.d/evolix_sury.sources" + force: true + mode: "0644" + +- name: "Ensure {{ lxc_rootfs }}{{ lxc_apt_keyring_dir }} directory exists" + file: + path: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + +- name: copy pub.evolix.org GPG key + ansible.builtin.copy: + src: pub_evolix.asc + dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/pub_evolix.asc" + mode: "0644" + owner: root + group: root + +- name: copy packages.sury.org GPG Key + ansible.builtin.copy: + src: sury.gpg + dest: "{{ lxc_rootfs }}{{ lxc_apt_keyring_dir }}/sury.gpg" + mode: "0644" + owner: root + group: root + +- name: "{{ lxc_php_version }} - Update APT cache" + 
community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt update" + +- name: "{{ lxc_php_version }} - Install PHP packages" + community.general.lxc_container: + name: "{{ lxc_php_version }}" + container_command: "DEBIAN_FRONTEND=noninteractive apt install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mysql php-pgsql php-sqlite3 php-curl php-zip php-mbstring php-xml php-zip composer libphp-phpmailer" + +- name: "{{ lxc_php_version }} - Copy evolinux PHP configuration" + ansible.builtin.template: + src: z-evolinux-defaults.ini.j2 + dest: "{{ line_item }}" + mode: "0644" + notify: "Reload {{ lxc_php_version }}-fpm" + loop: + - "{{ lxc_rootfs }}/etc/php/8.3/fpm/conf.d/z-evolinux-defaults.ini" + - "{{ lxc_rootfs }}/etc/php/8.3/cli/conf.d/z-evolinux-defaults.ini" + loop_control: + loop_var: line_item + +- ansible.builtin.include: "mail_opensmtpd.yml" diff --git a/lxc-php/templates/bookworm_basics.sources.j2 b/lxc-php/templates/bookworm_basics.sources.j2 index 948c4adf..8599143d 100644 --- a/lxc-php/templates/bookworm_basics.sources.j2 +++ b/lxc-php/templates/bookworm_basics.sources.j2 @@ -2,7 +2,7 @@ Types: deb URIs: http://mirror.evolix.org/debian -Suites: bookworm bookworm-updates +Suites: {{ lxc_php_container_releases[lxc_php_version] }} {{ lxc_php_container_releases[lxc_php_version] }}-updates Components: {{ apt_basics_components | mandatory }} Enabled: yes Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg diff --git a/lxc-php/templates/bookworm_security.sources.j2 b/lxc-php/templates/bookworm_security.sources.j2 index c98d5671..a3ccc581 100644 --- a/lxc-php/templates/bookworm_security.sources.j2 +++ b/lxc-php/templates/bookworm_security.sources.j2 
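Review bot: The new php83.yml pins `lxc_apt_keyring_dir` to `/etc/apt/trusted.gpg.d` and copies both sury.gpg and pub_evolix.asc there, so inside the container both keys are trusted for every repository and the `Signed-by:` lines in the .sources templates no longer restrict which key may sign which archive. For a Bookworm container `/etc/apt/keyrings` (or `/usr/share/keyrings`) is the place for third-party keys; setting `lxc_apt_keyring_dir: /etc/apt/keyrings` leaves the existing copy and template tasks unchanged while making the per-repository pinning effective. Two style points in the same file: the keyring directory task uses the bare `file:` module where every other task is `ansible.builtin.*`, and `ansible.builtin.include` is deprecated in favour of `ansible.builtin.include_tasks` (the older php tasks files may share this, which is not visible here).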
@@ -2,7 +2,7 @@ Types: deb URIs: https://security.debian.org/debian-security -Suites: bookworm-security +Suites: {{ lxc_php_container_releases[lxc_php_version] }}-security Components: {{ apt_basics_components | mandatory }} Enabled: yes Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg diff --git a/lxc-php/templates/evolix_sury.sources.j2 b/lxc-php/templates/evolix_sury.sources.j2 new file mode 100644 index 00000000..ee09a474 --- /dev/null +++ b/lxc-php/templates/evolix_sury.sources.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} + +Types:deb +URIs: http://pub.evolix.org/evolix +Suites: {{ lxc_php_container_releases[lxc_php_version] }}-{{ lxc_php_version }} +Components: main +Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc +Enabled: yes diff --git a/lxc-php/templates/sury.sources.j2 b/lxc-php/templates/sury.sources.j2 index 22725a58..2c17ef9d 100644 --- a/lxc-php/templates/sury.sources.j2 +++ b/lxc-php/templates/sury.sources.j2 @@ -2,7 +2,7 @@ Types: deb URIs: https://packages.sury.org/php/ -Suites: {{ ansible_distribution_release }} +Suites: {{ lxc_php_container_releases[lxc_php_version] }} Components: main Signed-by: {{ lxc_apt_keyring_dir }}/sury.gpg -Enabled: yes \ No newline at end of file +Enabled: yes diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index de495868..ecfd6f22 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
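Review bot: evolix_sury.sources.j2 writes `Signed-by: {{ apt_keyring_dir }}/pub_evolix.asc`, but php83.yml copies pub_evolix.asc into the container under `{{ lxc_apt_keyring_dir }}` (`/etc/apt/trusted.gpg.d`), and `apt_keyring_dir` is the host's directory, which per the defaults is `/etc/apt/keyrings` on a Bookworm host; on such hosts the Signed-by path does not exist inside the container and apt will presumably refuse the Evolix safeguard repository as unsigned. The sibling sury.sources.j2 already uses `lxc_apt_keyring_dir`, so the consistent line is `Signed-by: {{ lxc_apt_keyring_dir }}/pub_evolix.asc`. The `Types:deb` field also lacks the space that a later commit in this series adds to apt/templates/evolix_public.sources.j2; the deb822 parser appears to tolerate it, but the two templates should agree.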
@@ -85,6 +85,7 @@ command[check_php-fpm74]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php80/rootfs/etc/php/8.0/fpm/pool.d/ command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ +command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor command[check_raid_status]=/usr/lib/nagios/plugins/check_raid command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool diff --git a/php/handlers/main.yml b/php/handlers/main.yml index b333fe9b..d2b96b99 100644 --- a/php/handlers/main.yml +++ b/php/handlers/main.yml @@ -34,3 +34,8 @@ ansible.builtin.service: name: php8.2-fpm state: restarted + +- name: restart php8.3-fpm + ansible.builtin.service: + name: php8.3-fpm + state: restarted From f9125b8f3ff6727090bcfaf486361afebc41fd13 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 23 Nov 2023 21:12:50 +0100 Subject: [PATCH 047/151] whitespace --- apt/templates/evolix_public.sources.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt/templates/evolix_public.sources.j2 b/apt/templates/evolix_public.sources.j2 index defd1282..76bea737 100644 --- a/apt/templates/evolix_public.sources.j2 +++ b/apt/templates/evolix_public.sources.j2 @@ -1,6 +1,6 @@ # {{ ansible_managed }} -Types:deb +Types: deb URIs: http://pub.evolix.org/evolix Suites: {{ ansible_distribution_release }} Components: main From 9e3e20e3a893bb1a1814b4e6e2eca304b6999fcf Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 29 Nov 2023 09:22:31 +0100 Subject: [PATCH 048/151] evolinux-base: move htop/top config to different task file --- evolinux-base/tasks/system.yml | 13 +++++++++++++ evolinux-base/tasks/utils.yml | 11 ----------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 52766796..96a77a70 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -214,3 +214,16 @@ - grep_hotplug_eni.rc == 0 - ansible.builtin.meta: flush_handlers + +# Htop / top config + +- name: Deploy htop configuration + ansible.builtin.copy: + src: htoprc + dest: /etc/htoprc + mode: "0644" + +- name: Deploy top configuration file + ansible.builtin.file: + path: /etc/topdefaultrc + state: absent \ No newline at end of file diff --git a/evolinux-base/tasks/utils.yml b/evolinux-base/tasks/utils.yml index e3477d08..b9b76e3b 100644 --- a/evolinux-base/tasks/utils.yml +++ b/evolinux-base/tasks/utils.yml @@ -23,14 +23,3 @@ owner: root group: root mode: "0755" - -- name: Deploy htop configuration - ansible.builtin.copy: - src: htoprc - dest: /etc/htoprc - mode: "0644" - -- name: Deploy top configuration file - ansible.builtin.file: - path: /etc/topdefaultrc - state: absent From 81d97bb3fb6ef5aceb40849aa7572607362947a5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 29 Nov 2023 09:23:22 +0100 Subject: [PATCH 049/151] vrrpd: variable to force update the switch script (default: false) --- CHANGELOG.md | 7 +-- vrrpd/defaults/main.yml | 1 + vrrpd/files/vrrp_switch.sh | 87 ++++++++++++++++++++++++++++++++++++++ vrrpd/tasks/main.yml | 9 ++++ 4 files changed, 101 insertions(+), 3 deletions(-) create mode 100644 vrrpd/files/vrrp_switch.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b0e4f03..49437036 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
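Review bot: The task named `Deploy top configuration file` does the opposite of its name — `state: absent` removes `/etc/topdefaultrc` — and the move into `system.yml` was a good moment to fix that; `- name: Remove top configuration file` reads correctly. The moved block is also appended to `system.yml` without a final newline (`\ No newline at end of file`), which the removed copy in `utils.yml` did not have.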
@@ -23,15 +23,16 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) +* bind: Update role for Buster, Bullseye and Bookworm support * evocheck: upstream release 23.11.1 * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog +* kvmstats: use .capacity instead of .physical for disk size * log2mail: move custom config in separate file +* lxc: Init /etc git repository in lxc container * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 -* bind: Update role for Buster, Bullseye and Bookworm support -* kvmstats: use .capacity instead of .physical for disk size -* lxc: Init /etc git repository in lxc container +* vrrpd: variable to force update the switch script (default: false) ### Fixed diff --git a/vrrpd/defaults/main.yml b/vrrpd/defaults/main.yml index f5950a14..d5b5b3b4 100644 --- a/vrrpd/defaults/main.yml +++ b/vrrpd/defaults/main.yml @@ -1,4 +1,5 @@ --- +vrrp_force_update_switch_script: false vrrp_addresses: [] # - { diff --git a/vrrpd/files/vrrp_switch.sh b/vrrpd/files/vrrp_switch.sh new file mode 100644 index 00000000..8f260a8a --- /dev/null +++ b/vrrpd/files/vrrp_switch.sh 
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+set -u
+set -e
+
+# Input values
+STATE=$1
+VRID=$2
+VIRTUAL_IP=$3
+INTERFACE_NAME=$4
+LABEL=$5
+PRIORITY=$6
+ADVERT_INT=$7
+PREEMPT=$8
+OTHER=${9:-}
+
+LOG_DIR=/var/log/vrrpd/
+[ ! -d "${LOG_DIR}" ] && mkdir -p "${LOG_DIR}"
+LOG_FILE="${LOG_DIR}/state.${VRID}"
+
+STATE_DIR=/var/run/vrrpd/
+[ ! -d "${STATE_DIR}" ] && mkdir -p "${STATE_DIR}"
+STATE_FILE="${STATE_DIR}/vrrp-${LABEL}"
+
+# Log state change to file
+printf "%s %s %s %s %s %s %s %s : %s\n" \
+ "${STATE}" \
+ "${VIRTUAL_IP}" \
+ "${INTERFACE_NAME}" \
+ "${LABEL}" \
+ "${PRIORITY}" \
+ "${ADVERT_INT}" \
+ "${PREEMPT}" \
+ "${OTHER}" \
+ "$(date)" \
+ >> "${LOG_FILE}"
+
+# Replace information in state file
+{
+ echo "VRRP - ${LABEL}"
+ echo "Group ${VRID}"
+ echo "State is ${STATE}"
+ echo "Virtual IP address is ${VIRTUAL_IP}"
+} > "${STATE_FILE}"
+
+# Choose virtual interface name (limited in size)
+INTERFACE_PREFIX="vrrp_${VRID}_"
+INTERFACE_PREFIX_LEN=${#INTERFACE_PREFIX}
+INTERFACE_LEN=$(( ${#INTERFACE_PREFIX} + ${#INTERFACE_NAME} ))
+INTERFACE_MAX_LEN=15
+
+if [ ${INTERFACE_LEN} -gt ${INTERFACE_MAX_LEN} ]; then
+ INTERFACE_SUFFIX=$(echo "${INTERFACE_NAME}" | tail -c $(( INTERFACE_MAX_LEN + 1 - INTERFACE_PREFIX_LEN )))
+else
+ INTERFACE_SUFFIX="${INTERFACE_NAME}"
+fi
+VIRTUAL_INTERFACE_NAME="${INTERFACE_PREFIX}${INTERFACE_SUFFIX}"
+
+# Apply state
+case "${STATE}" in
+
+ "master" )
+ # Choose a MAC address
+ MAC_SUFFIX=$(printf %02x "${VRID}")
+ MAC="00:00:5e:00:01:${MAC_SUFFIX})"
+ # Create macvlan interface
+ ip link add link "${INTERFACE_NAME}" address "${MAC}" "${VIRTUAL_INTERFACE_NAME}" type macvlan
+ # Add IP to interface
+ ip address add "${VIRTUAL_IP}" dev "${VIRTUAL_INTERFACE_NAME}"
+ # Enable interface
+ ip link set dev "${VIRTUAL_INTERFACE_NAME}" up
+ ;;
+
+ "slave" )
+ # Delete interface
+ ip link delete "${VIRTUAL_INTERFACE_NAME}"
+ ;;
+
+ * )
+ # Error on unknown value for state
+ echo "Unknown state '${STATE}'" >&2
+ exit 1
+ ;;
+
+esac
+
+exit 0
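Review bot: The MAC address built in the `"master"` branch carries a stray closing parenthesis — `MAC="00:00:5e:00:01:${MAC_SUFFIX})"` yields a value such as `00:00:5e:00:01:01)`, which `ip link add ... address` rejects, so under `set -e` the script aborts before the macvlan interface exists and the node that just won the election never brings up the virtual IP; it should read `MAC="00:00:5e:00:01:${MAC_SUFFIX}"`. In the `"slave"` branch, `ip link delete` likewise aborts the script with a non-zero status when the interface is not present (presumably the case on a first transition to slave right after daemon start), so a guard such as `ip link show "${VIRTUAL_INTERFACE_NAME}" >/dev/null 2>&1 && ip link delete "${VIRTUAL_INTERFACE_NAME}"` keeps the exit status meaningful for vrrpd. A one-line header comment stating the expected positional arguments (state, vrid, virtual IP, interface, label, priority, advert interval, preempt) and that the script is invoked by vrrpd on every state change would help the next reader, since the `$1`..`$9` assignments are the only documentation.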
diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml index 605fb0fd..86390a2f 100644 --- a/vrrpd/tasks/main.yml +++ b/vrrpd/tasks/main.yml @@ -14,6 +14,15 @@ tags: - vrrpd +- name: install custom switch script + ansible.builtin.copy: + src: vrrp_switch.sh + dest: /etc/vrrpd/vrrp_switch + mode: "0700" + owner: "root" + group: "root" + force: "{{ vrrp_force_update_switch_script | bool | ternary('yes','no') }}" + - name: Adjust sysctl config (except rp_filter) ansible.posix.sysctl: name: "{{ item.name }}" From 06c47493e96f746a9e132d9bec496c1a9b174cb8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 29 Nov 2023 09:24:28 +0100 Subject: [PATCH 050/151] sort changelog --- CHANGELOG.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49437036..754d374d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,9 +14,9 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * Preliminary work for php83 +* lxc-php: Allow one to install php83 on Bookworm container * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user -* lxc-php: Allow one to install php83 on Bookworm container ### Changed 
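Review bot: The new `install custom switch script` task lacks the `tags: - vrrpd` that the neighbouring tasks carry (the context lines just above end one such `tags` block), so a run limited with `--tags vrrpd` skips deploying the script. `force` on `ansible.builtin.copy` is a boolean, so `force: "{{ vrrp_force_update_switch_script | bool }}"` expresses the same thing without the `ternary('yes','no')` round-trip through strings. Note the trade-off the `false` default buys: the task reports `ok` even when the file on disk differs from `files/vrrp_switch.sh`, so any later correction to the script is silently not deployed unless the variable is set — worth a comment next to the variable in `defaults/main.yml`.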
@@ -36,17 +36,17 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed -* nginx: keep indentation -* evoadmin-web: Fix PHP version for Bookworm * Add php-fpm82 to LDAP when relevant -* nagios: fix default file to monitor for check_clamav_db -* php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository -* webapps/nextcloud: fix missing gid -* webapps/nextcloud: fix misplaced gid attribute -* webapps/nextcloud: added check that nexctcloud uid is over 3000 -* ProFTPd: set missing default listen IP for SFTP * apache: fix MaxRequestsPerChild value to be sync with wiki.e.o +* evoadmin-web: Fix PHP version for Bookworm +* nagios: fix default file to monitor for check_clamav_db +* nginx: keep indentation +* php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository +* ProFTPd: set missing default listen IP for SFTP * ssl: no not execute haproxy tasks and reload if haproxy is disabled +* webapps/nextcloud: added check that nexctcloud uid is over 3000 +* webapps/nextcloud: fix misplaced gid attribute +* webapps/nextcloud: fix missing gid ### Removed From 83e61b25a52df3a4de4d43451e7bc6018b3f7822 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 29 Nov 2023 09:59:57 +0100 Subject: [PATCH 051/151] etc-git: add /var/chroot-bind/etc/bind repo --- CHANGELOG.md | 1 + etc-git/tasks/repositories.yml | 26 ++++++++++++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 754d374d..1726b6c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc-php: Allow one to install php83 on Bookworm container * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user +* etc-git: add /var/chroot-bind/etc/bind repo ### Changed 
diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 6c76d265..dd8031ae 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -24,7 +24,7 @@ - ansible.builtin.include_role: name: evolix/remount-usr when: - - _usr_share_scripts.stat.isdir + - _usr_share_scripts.stat.exists and _usr_share_scripts.stat.isdir - ansible.builtin.import_tasks: repository.yml vars: @@ -34,4 +34,26 @@ - _usr_share_scripts.stat.isdir - ansible_distribution_major_version is version('10', '>=') tags: - - etc-git \ No newline at end of file + - etc-git + + +- name: verify /var/chroot-bind/ presence + ansible.builtin.stat: + path: /var/chroot-bind + register: _var_chroot_bind + tags: + - etc-git + +- debug: + var: _var_chroot_bind.stat + +- ansible.builtin.import_tasks: repository.yml + vars: + repository_path: "/var/chroot-bind/etc/bind" + gitignore_items: [] + when: + - _var_chroot_bind.stat.exists and _var_chroot_bind.stat.isdir + - ansible_distribution_major_version is version('9', '>=') + tags: + - etc-git + From 1a74bef0bcaa0a040ae539b647f610cfdab409dd Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 29 Nov 2023 10:13:27 +0100 Subject: [PATCH 052/151] check stat.exists before stat.isdir --- CHANGELOG.md | 1 + docker-host/tasks/main.yml | 2 +- etc-git/tasks/repositories.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1726b6c8..fb6418cb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -48,6 +48,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: added check that nexctcloud uid is over 3000 * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid +* check stat.exists before stat.isdir ### Removed diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 556570f5..036c12ce 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml 
@@ -119,4 +119,4 @@ cmd: "{{ docker_tls_path }}/shellpki.sh init" when: - docker_tls_enabled | bool - - not tls_certs_stat.stat.isdir + - not (tls_certs_stat.stat. and tls_certs_stat.stat.isdir) diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index dd8031ae..aab2295e 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -31,7 +31,7 @@ repository_path: "/usr/share/scripts" gitignore_items: [] when: - - _usr_share_scripts.stat.isdir + - _usr_share_scripts.stat.exists and _usr_share_scripts.stat.isdir - ansible_distribution_major_version is version('10', '>=') tags: - etc-git From fba894cad955544eb431ee4af9da7462b2b93593 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 29 Nov 2023 10:49:07 +0100 Subject: [PATCH 053/151] etc-git: create /var/chroot-bind/etc/bind GIT repo also in jessie --- etc-git/tasks/repositories.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index aab2295e..c082c74d 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -53,7 +53,7 @@ gitignore_items: [] when: - _var_chroot_bind.stat.exists and _var_chroot_bind.stat.isdir - - ansible_distribution_major_version is version('9', '>=') + - ansible_distribution_major_version is version('8', '>=') tags: - etc-git From 0ca31b91fec461793f8166a938e2397904d17993 Mon Sep 17 00:00:00 2001 
From: Mathieu Trossevin Date: Thu, 30 Nov 2023 10:11:05 +0100 Subject: [PATCH 054/151] fix(certbot): Fix hook for dovecot (too strict) When we use a separate certificate for POP3 and IMAP there might be blank characters (almost certainly spaces but might as well be more lax) before `ssl_cert` which resulted in these lines not being detected and the hook not being played, forcing manual intervention. This commit fixes that problem by accepting blank characters before ssl_certs. (`\b` might be even better...) --- CHANGELOG.md | 1 + certbot/files/hooks/deploy/dovecot.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb6418cb..60fb6f2c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -49,6 +49,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid * check stat.exists before stat.isdir +* certbot: Fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) ### Removed diff --git a/certbot/files/hooks/deploy/dovecot.sh b/certbot/files/hooks/deploy/dovecot.sh index 56e5b5ae..1ed4ab5d 100644 --- a/certbot/files/hooks/deploy/dovecot.sh +++ b/certbot/files/hooks/deploy/dovecot.sh @@ -16,7 +16,7 @@ config_check() { ${doveconf_bin} > /dev/null 2>&1 } letsencrypt_used() { - ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt" + ${doveconf_bin} | grep -E "^[[:blank:]]*ssl_cert[^_]" | grep -q "letsencrypt" } main() { if daemon_found_and_running; then From 59afbb2e9a361353b0dccecc9590664d67367616 Mon Sep 17 00:00:00 2001 
From: David Prevot Date: Thu, 30 Nov 2023 15:30:22 +0100 Subject: [PATCH 055/151] =?UTF-8?q?apt:=C2=A0Stretch=20has=20been=20archiv?= =?UTF-8?q?ed?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apt/templates/bookworm_basics.sources.j2 | 2 +- apt/templates/bookworm_security.sources.j2 | 4 ++-- apt/templates/bullseye_basics.list.j2 | 2 +- apt/templates/buster_basics.list.j2 | 2 +- apt/templates/jessie_basics.list.j2 | 4 ++-- apt/templates/stretch_basics.list.j2 | 5 ++--- 6 files changed, 9 insertions(+), 10 deletions(-) diff --git a/apt/templates/bookworm_basics.sources.j2 b/apt/templates/bookworm_basics.sources.j2 index 948c4adf..747e2e53 100644 --- a/apt/templates/bookworm_basics.sources.j2 +++ b/apt/templates/bookworm_basics.sources.j2 @@ -3,6 +3,6 @@ Types: deb URIs: http://mirror.evolix.org/debian Suites: bookworm bookworm-updates -Components: {{ apt_basics_components | mandatory }} +Components: {{ apt_basics_components | mandatory }} Enabled: yes Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg diff --git a/apt/templates/bookworm_security.sources.j2 b/apt/templates/bookworm_security.sources.j2 index 07f1345b..b70fcec1 100644 --- a/apt/templates/bookworm_security.sources.j2 +++ b/apt/templates/bookworm_security.sources.j2 @@ -3,6 +3,6 @@ Types: deb URIs: https://security.debian.org/debian-security Suites: bookworm-security -Components: {{ apt_basics_components | mandatory }} +Components: {{ apt_basics_components | mandatory }} Enabled: yes -Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg \ No newline at end of file +Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg diff --git a/apt/templates/bullseye_basics.list.j2 b/apt/templates/bullseye_basics.list.j2 index 55f32b8d..d1820d0f 100644 --- a/apt/templates/bullseye_basics.list.j2 +++ b/apt/templates/bullseye_basics.list.j2 
@@ -1,5 +1,5 @@ # {{ ansible_managed }} deb http://mirror.evolix.org/debian bullseye {{ apt_basics_components | mandatory }} -deb http://mirror.evolix.org/debian/ bullseye-updates {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian bullseye-updates {{ apt_basics_components | mandatory }} deb http://security.debian.org/debian-security bullseye-security {{ apt_basics_components | mandatory }} diff --git a/apt/templates/buster_basics.list.j2 b/apt/templates/buster_basics.list.j2 index 58209ba0..b392ce58 100644 --- a/apt/templates/buster_basics.list.j2 +++ b/apt/templates/buster_basics.list.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }} -deb http://mirror.evolix.org/debian/ buster-updates {{ apt_basics_components | mandatory }} +deb http://mirror.evolix.org/debian buster-updates {{ apt_basics_components | mandatory }} deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }} diff --git a/apt/templates/jessie_basics.list.j2 b/apt/templates/jessie_basics.list.j2 index 467e7f30..fad381f8 100644 --- a/apt/templates/jessie_basics.list.j2 +++ b/apt/templates/jessie_basics.list.j2 @@ -1,4 +1,4 @@ # {{ ansible_managed }} -deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }} -deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }} +deb http://archive.org/debian jessie {{ apt_basics_components | mandatory }} +deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }} diff --git a/apt/templates/stretch_basics.list.j2 b/apt/templates/stretch_basics.list.j2 index 2f0bf99e..f679e354 100644 --- a/apt/templates/stretch_basics.list.j2 +++ b/apt/templates/stretch_basics.list.j2 
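Review bot: The jessie template's main line now points at `http://archive.org/debian`, which is the Internet Archive's host rather than Debian's; the security line directly below it and the stretch template in the next hunk use `archive.debian.org`, so this should read `deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }}`. As written, apt on a jessie host presumably fails to fetch a Release file for the main suite, and even if something were served at that host the archive signature check would reject it — fail-closed, but still a broken `apt update` on every jessie machine the role touches.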
@@ -1,5 +1,4 @@ # {{ ansible_managed }} -deb http://mirror.evolix.org/debian stretch {{ apt_basics_components | mandatory }} -deb http://mirror.evolix.org/debian/ stretch-updates {{ apt_basics_components | mandatory }} -deb http://security.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }} +deb http://archive.debian.org/debian stretch {{ apt_basics_components | mandatory }} +deb http://archive.debian.org/debian-security stretch/updates {{ apt_basics_components | mandatory }} From 4d9e1af40f172657a9f21963e89d26dd0015e6fa Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 30 Nov 2023 15:45:48 +0100 Subject: [PATCH 056/151] =?UTF-8?q?evolinux-base:=20Don=E2=80=99t=20try=20?= =?UTF-8?q?to=20install=20unavailable=20linux-image-cloud-amd64=20before?= =?UTF-8?q?=20Buster?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evolinux-base/tasks/kernel.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml index 231ec02f..148c72df 100644 --- a/evolinux-base/tasks/kernel.yml +++ b/evolinux-base/tasks/kernel.yml @@ -9,6 +9,7 @@ - ansible_machine == "x86_64" - ansible_virtualization_role == "guest" - evolinux_kernel_cloud_auto | bool + - ansible_distribution_major_version is version('10', '>=') - name: "Remove non-Cloud kernel on virtual servers" ansible.builtin.apt: From b8732dffafe9c27ced8ce3f2c30c743dc9f7e286 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 30 Nov 2023 15:58:31 +0100 Subject: [PATCH 057/151] Changelog for previous changes --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 60fb6f2c..b9152395 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -30,7 +30,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: use separate default config file for rsyslog * kvmstats: use .capacity instead of .physical for disk size * log2mail: move custom config in separate file -* lxc: Init /etc git repository in lxc container +* lxc: init /etc git repository in lxc container * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * vrrpd: variable to force update the switch script (default: false) @@ -49,7 +49,10 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid * check stat.exists before stat.isdir -* certbot: Fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) +* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) +* evolinux-base: start to install linux-image-cloud-amd64 with Buster +* apt: use archive.debian.org with Stretch + ### Removed From 066a66eb4bc9643f27fdfaff56b1f9cc79621a12 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 30 Nov 2023 16:45:08 +0100 Subject: [PATCH 058/151] [minor] drop extra line --- bind/handlers/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/bind/handlers/main.yml b/bind/handlers/main.yml index 5461579d..85eaa680 100644 --- a/bind/handlers/main.yml +++ b/bind/handlers/main.yml @@ -3,7 +3,6 @@ ansible.builtin.systemd: daemon-reload: yes - - name: restart apparmor ansible.builtin.systemd: name: apparmor From 9867dcb319ffa31c4e8498abaa416b9c9d9835a3 Mon Sep 17 00:00:00 2001 
From: William Hirigoyen Date: Thu, 30 Nov 2023 17:25:14 +0100 Subject: [PATCH 059/151] Retrait debug --- etc-git/tasks/repositories.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index c082c74d..58e1f939 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -44,9 +44,6 @@ tags: - etc-git -- debug: - var: _var_chroot_bind.stat - - ansible.builtin.import_tasks: repository.yml vars: repository_path: "/var/chroot-bind/etc/bind" From c861fe19743f993a5d4fb1d9a0f2b27ff3eccc13 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 30 Nov 2023 17:41:25 +0100 Subject: [PATCH 060/151] etc-git: add /var/chroot-bind/etc/bind to Git safe directories to avoid owner check by Git (bind owns the repo, not root) --- etc-git/tasks/repositories.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc-git/tasks/repositories.yml b/etc-git/tasks/repositories.yml index 58e1f939..7745183d 100644 --- a/etc-git/tasks/repositories.yml +++ b/etc-git/tasks/repositories.yml @@ -44,6 +44,9 @@ tags: - etc-git +- name: /var/chroot-bind/etc/bind is a safe directory + ansible.builtin.shell: git config --global --add safe.directory /var/chroot-bind/etc/bind + - ansible.builtin.import_tasks: repository.yml vars: repository_path: "/var/chroot-bind/etc/bind" From ae79f33e3a23a7567e82ceb976ba0d974417698a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 4 Dec 2023 11:38:09 +0100 Subject: [PATCH 061/151] fix: search/replace error --- docker-host/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 036c12ce..ec3781e7 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml 
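Review bot: `git config --global --add safe.directory /var/chroot-bind/etc/bind` run through `ansible.builtin.shell` is not idempotent: `--add` appends another `safe.directory` entry to root's global gitconfig on every play, the task always reports changed, and nothing sets `changed_when`. It also uses `shell` where no shell feature is needed and omits the `tags: - etc-git` that the surrounding tasks carry (see the context lines above). Scoping `safe.directory` to this exact path is the right call — the directive lifts Git's repository-ownership check only for that repository, since `bind` rather than `root` owns it — and it should never be widened to `*`. A guarded `command` pair keeps the task idempotent and tagged:

```yaml
- name: check whether /var/chroot-bind/etc/bind is already a Git safe directory
  ansible.builtin.command: git config --global --get-all safe.directory
  register: _git_safe_directories
  changed_when: false
  # git config exits 1 when the key has no value yet; only other codes are errors
  failed_when: _git_safe_directories.rc not in [0, 1]
  tags:
    - etc-git

- name: /var/chroot-bind/etc/bind is a safe directory
  ansible.builtin.command: git config --global --add safe.directory /var/chroot-bind/etc/bind
  when: "'/var/chroot-bind/etc/bind' not in _git_safe_directories.stdout_lines"
  tags:
    - etc-git
```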
@@ -119,4 +119,4 @@ cmd: "{{ docker_tls_path }}/shellpki.sh init" when: - docker_tls_enabled | bool - - not (tls_certs_stat.stat. and tls_certs_stat.stat.isdir) + - not (tls_certs_stat.stat.exists and tls_certs_stat.stat.isdir) From 57ce920d7fed724ff4607a26547149fa9200bcb7 Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Mon, 4 Dec 2023 18:46:48 +0100 Subject: [PATCH 062/151] scripts munin pour les stats sur les pools --- lxc-php/files/munin_php-fpm | 234 ++++++++++++++++++++++++++++++++++++ php/files/munin_php-fpm | 234 ++++++++++++++++++++++++++++++++++++ 2 files changed, 468 insertions(+) create mode 100755 lxc-php/files/munin_php-fpm create mode 100755 php/files/munin_php-fpm diff --git a/lxc-php/files/munin_php-fpm b/lxc-php/files/munin_php-fpm new file mode 100755 index 00000000..3647767d --- /dev/null +++ b/lxc-php/files/munin_php-fpm 
@@ -0,0 +1,234 @@ +#!/usr/bin/php + + 0, + 'memory' => 0, + 'cpu' => 0, + 'time' => 0 + ); + } + + //add values + $groups[$groupName]['count']++; + $groups[$groupName]['cpu'] += $cpu; + $groups[$groupName]['time'] += timeToSeconds($time); + $groups[$groupName]['memory'] += $ram / 1024; +} +foreach ($php_inactive_pools_list as $line) { + //split fields + $line = trim($line); + $groupName = $line; + //add group + if (!isset($groups[$groupName])) { + $groups[$groupName] = array( + 'count' => 0, + 'memory' => 0, + 'cpu' => 0, + 'time' => 0 + ); + } +} + +//check args +if(!isset($argv) || !isset($argv[0])) { + die("Error: No Plugin name provided\n"); +} + +$isConfig = isset($argv[1]) && $argv[1] == 'config'; + +//which plugin? +switch ($plugin_output) { +// ------------------------------------------------------ + case 'memory': +// ------------------------------------------------------ + $elements = array(); + foreach ($groups as $name=>$array) { + $ramMb = 0; + if($array['count'] !== 0){ + $ramMb = $array['memory'] / $array['count']; + } + $label = 'Pool ' . $name; + $elements[$name] = array( + 'label' => $label, + 'type' => 'GAUGE', + 'value' => $ramMb + ); + } + $config = array( + 'params' => array( + 'graph_title' => "$php_container PHP-FPM Average Process Memory", + 'graph_vlabel' => 'MB' + ), + 'elements' => $elements + ); + break; +// ------------------------------------------------------ + case 'cpu': +// ------------------------------------------------------ + $elements = array(); + foreach ($groups as $name=>$array) { + $cpu = $array['cpu']; + $label = 'Pool ' . 
$name; + $elements[$name] = array( + 'label' => $label, + 'type' => 'GAUGE', + 'value' => $cpu + ); + } + $config = array( + 'params' => array( + 'graph_title' => "$php_container PHP-FPM CPU", + 'graph_vlabel' => '%', + 'graph_scale' => 'no' + ), + 'elements' => $elements + ); + break; +// ------------------------------------------------------ + case 'count': +// ------------------------------------------------------ + $elements = array(); + foreach ($groups as $name=>$array) { + $label = 'Pool ' . $name; + $elements[$name] = array( + 'label' => $label, + 'type' => 'GAUGE', + 'value' => $array['count'] + ); + } + $config = array( + 'params' => array( + 'graph_title' => "$php_container PHP-FPM Processes", + 'graph_vlabel' => 'processes' + ), + 'elements' => $elements + ); + break; +// ------------------------------------------------------ + case 'time': +// ------------------------------------------------------ + $elements = array(); + foreach ($groups as $name=>$array) { + $time=0; + if( $array['count'] !== 0){ + $time = round($array['time'] / $array['count']); + } + $label = 'Pool ' . $name; + $elements[$name] = array( + 'label' => $label, + 'type' => 'GAUGE', + 'value' => $time + ); + } + $config = array( + 'params' => array( + 'graph_title' => "$php_container PHP-FPM Average Process Age", + 'graph_vlabel' => 'seconds', + 'graph_scale' => 'no' + ), + 'elements' => $elements + ); + break; +// ------------------------------------------------------ + default: + die("Error: Unrecognized Plugin output name $plugin_output\n"); +} + +//output +ksort($config['elements']); +if ($isConfig) { + //graph params + echo "graph_category $php_container PHP-FPM\n"; + foreach($config['params'] as $key=>$value) { + echo $key . ' ' . $value . "\n"; + } + + //element params + foreach($config['elements'] as $element=>$data) { + foreach ($data as $key=>$value) { + if ($key == 'value') continue; + echo $element . '.' . $key . ' ' . $value . 
"\n"; + } + } +} else { + //element values + foreach ($config['elements'] as $pool=>$element) { + echo $pool . '.value ' . $element['value'] . "\n"; + } +} + +//functions +function timeToSeconds ($time) { + $seconds = 0; + + //days + $parts = explode('-', $time); + if(count($parts) == 2) { + $seconds += $parts[0] * 86400; + $time = $parts[1]; + } + + //hours + $parts = explode(':', $time); + if(count($parts) == 3) { + $seconds += array_shift($parts) * 3600; + } + + //minutes/seconds + $seconds += $parts[0] * 60 + $parts[1]; + return $seconds; +} diff --git a/php/files/munin_php-fpm b/php/files/munin_php-fpm new file mode 100755 index 00000000..3647767d --- /dev/null +++ b/php/files/munin_php-fpm 
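Review bot: Munin field names are taken straight from the pool name (`$elements[$name]`, later printed as `$pool . '.value '` and `$element . '.' . $key`), but munin only accepts `[A-Za-z_][A-Za-z0-9_]*` as a field name, so a pool called e.g. `www-data` or `example.com` (constructed examples) emits lines the node will not accept; derive the key from a cleaned name, `$field = preg_replace('/[^A-Za-z0-9_]/', '_', $name);`, and keep the human-readable `'Pool ' . $name` as the label. `timeToSeconds()` also reads `$parts[1]` unconditionally, so a value without any `:` (whether the elapsed-time field can be bare seconds cannot be confirmed from here) raises an undefined-offset notice; guard it with `isset($parts[1])`. The leading `<?php` section of this hunk is not preserved in this rendering, so the data-collection part could not be reviewed, and the file is committed as an identical copy under `php/files/munin_php-fpm` (same blob `3647767d`), so any fix has to land in both places — keeping one source and symlinking or templating the other would avoid drift.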
@@ -0,0 +1,234 @@ +#!/usr/bin/php + + 0, + 'memory' => 0, + 'cpu' => 0, + 'time' => 0 + ); + } + + //add values + $groups[$groupName]['count']++; + $groups[$groupName]['cpu'] += $cpu; + $groups[$groupName]['time'] += timeToSeconds($time); + $groups[$groupName]['memory'] += $ram / 1024; +} +foreach ($php_inactive_pools_list as $line) { + //split fields + $line = trim($line); + $groupName = $line; + //add group + if (!isset($groups[$groupName])) { + $groups[$groupName] = array( + 'count' => 0, + 'memory' => 0, + 'cpu' => 0, + 'time' => 0 + ); + } +} + +//check args +if(!isset($argv) || !isset($argv[0])) { + die("Error: No Plugin name provided\n"); +} + +$isConfig = isset($argv[1]) && $argv[1] == 'config'; + +//which plugin? +switch ($plugin_output) { +// ------------------------------------------------------ + case 'memory': +// ------------------------------------------------------ + $elements = array(); + foreach ($groups as $name=>$array) { + $ramMb = 0; + if($array['count'] !== 0){ + $ramMb = $array['memory'] / $array['count']; + } + $label = 'Pool ' . $name; + $elements[$name] = array( + 'label' => $label, + 'type' => 'GAUGE', + 'value' => $ramMb + ); + } + $config = array( + 'params' => array( + 'graph_title' => "$php_container PHP-FPM Average Process Memory", + 'graph_vlabel' => 'MB' + ), + 'elements' => $elements + ); + break; +// ------------------------------------------------------ + case 'cpu': +// ------------------------------------------------------ + $elements = array(); + foreach ($groups as $name=>$array) { + $cpu = $array['cpu']; + $label = 'Pool ' . 
$name; + $elements[$name] = array( + 'label' => $label, + 'type' => 'GAUGE', + 'value' => $cpu + ); + } + $config = array( + 'params' => array( + 'graph_title' => "$php_container PHP-FPM CPU", + 'graph_vlabel' => '%', + 'graph_scale' => 'no' + ), + 'elements' => $elements + ); + break; +// ------------------------------------------------------ + case 'count': +// ------------------------------------------------------ + $elements = array(); + foreach ($groups as $name=>$array) { + $label = 'Pool ' . $name; + $elements[$name] = array( + 'label' => $label, + 'type' => 'GAUGE', + 'value' => $array['count'] + ); + } + $config = array( + 'params' => array( + 'graph_title' => "$php_container PHP-FPM Processes", + 'graph_vlabel' => 'processes' + ), + 'elements' => $elements + ); + break; +// ------------------------------------------------------ + case 'time': +// ------------------------------------------------------ + $elements = array(); + foreach ($groups as $name=>$array) { + $time=0; + if( $array['count'] !== 0){ + $time = round($array['time'] / $array['count']); + } + $label = 'Pool ' . $name; + $elements[$name] = array( + 'label' => $label, + 'type' => 'GAUGE', + 'value' => $time + ); + } + $config = array( + 'params' => array( + 'graph_title' => "$php_container PHP-FPM Average Process Age", + 'graph_vlabel' => 'seconds', + 'graph_scale' => 'no' + ), + 'elements' => $elements + ); + break; +// ------------------------------------------------------ + default: + die("Error: Unrecognized Plugin output name $plugin_output\n"); +} + +//output +ksort($config['elements']); +if ($isConfig) { + //graph params + echo "graph_category $php_container PHP-FPM\n"; + foreach($config['params'] as $key=>$value) { + echo $key . ' ' . $value . "\n"; + } + + //element params + foreach($config['elements'] as $element=>$data) { + foreach ($data as $key=>$value) { + if ($key == 'value') continue; + echo $element . '.' . $key . ' ' . $value . 
"\n"; + } + } +} else { + //element values + foreach ($config['elements'] as $pool=>$element) { + echo $pool . '.value ' . $element['value'] . "\n"; + } +} + +//functions +function timeToSeconds ($time) { + $seconds = 0; + + //days + $parts = explode('-', $time); + if(count($parts) == 2) { + $seconds += $parts[0] * 86400; + $time = $parts[1]; + } + + //hours + $parts = explode(':', $time); + if(count($parts) == 3) { + $seconds += array_shift($parts) * 3600; + } + + //minutes/seconds + $seconds += $parts[0] * 60 + $parts[1]; + return $seconds; +} From de949fd34876194c6ca14386cca9806d7df91773 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 5 Dec 2023 11:15:32 +0100 Subject: [PATCH 063/151] Fix timesyncd template --- timesyncd/templates/timesyncd.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/timesyncd/templates/timesyncd.conf.j2 b/timesyncd/templates/timesyncd.conf.j2 index 8aebc1be..f58f81ee 100644 --- a/timesyncd/templates/timesyncd.conf.j2 +++ b/timesyncd/templates/timesyncd.conf.j2 @@ -1,3 +1,3 @@ # {{ ansible_managed }} [Time] -NTP="{{ timesyncd_ntp_servers | join(' ') }}" +NTP={{ timesyncd_ntp_servers | join(' ') }} From 43aff50891942ec769fc1d722e900dc37cdcd756 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 7 Dec 2023 09:34:04 +0100 Subject: [PATCH 064/151] webapps/nextcloud: Ajouter volume dans fstab --- webapps/nextcloud/tasks/user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index c0ce5172..0d999479 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -46,4 +46,4 @@ src: "{{ nextcloud_data_uuid }}" fstype: ext4 opts: defaults,noexec,nosuid,nodev,relatime,lazytime - state: present + state: mounted From 31826b9ee509b478bf32e7b99cf4a12cec3dae33 Mon Sep 17 00:00:00 2001 
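Review bot: `timeToSeconds` reads `$parts[1]` unconditionally after the `explode(':', $time)` split, so an elapsed-time string with no colon produces an undefined-offset notice and is silently counted as 0 seconds; a guard before the minutes/seconds line, `if (count($parts) < 2) { return $seconds + (int) $parts[0]; }`, keeps the function total over its input. The arithmetic also relies on PHP's numeric-string coercion (`$parts[0] * 86400`), which under PHP 8 throws a TypeError for a fully non-numeric value, so a comment documenting the expected input, e.g. `// expects ps(1) etime format: [[dd-]hh:]mm:ss`, would help the next reader. The top of this script (the opening `<?php` and where `$plugin_output`, `$php_container` and the pool lists come from) is garbled on this page, so the ordering issue — `$argv` is validated only after all pool data has been aggregated — is noted without a proposed fix. The preceding file section appears to carry the same body, but its hunk starts before this view.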
From: Alexis Ben Miloud--Josselin Date: Thu, 7 Dec 2023 09:42:34 +0100 Subject: [PATCH 065/151] webapps/nextcloud: Set owner and mode once mounted --- webapps/nextcloud/tasks/user.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index 0d999479..a9682914 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -47,3 +47,10 @@ fstype: ext4 opts: defaults,noexec,nosuid,nodev,relatime,lazytime state: mounted + +- name: Set volume's root permissions and ownership + ansible.builtin.file: + path: "{{ nextcloud_data }}" + owner: "{{ nextcloud_user }}" + group: "{{ nextcloud_user }}" + mode: "0700" From c9e8b6c4e162fefe3a464d0f998027f459f8d937 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 7 Dec 2023 10:03:28 +0100 Subject: [PATCH 066/151] dovecot: Munin plugin conf path is now /etc/munin/plugin-conf.d/zzz-dovecot (instead of z-evolinux-dovecot) --- CHANGELOG.md | 1 + dovecot/tasks/munin.yml | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9152395..5695a6e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * vrrpd: variable to force update the switch script (default: false) +* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) ### Fixed diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml index 7227e991..8d0df9db 100644 --- a/dovecot/tasks/munin.yml +++ b/dovecot/tasks/munin.yml 
@@ -14,11 +14,16 @@ path: /etc/munin/plugins/dovecot state: absent - - name: Remove dovecot plugin conf + - name: Remove old dovecot plugin conf ansible.builtin.file: path: /etc/munin/plugin-conf.d/dovecot state: absent + - name: Remove old dovecot plugin conf + ansible.builtin.file: + path: /etc/munin/plugin-conf.d/z-evolinux-dovecot + state: absent + - name: "Remount /usr if needed" ansible.builtin.include_role: name: remount-usr @@ -47,7 +52,7 @@ - name: Copy Munin config ansible.builtin.copy: src: z-evolinux-dovecot.conf - dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot + dest: /etc/munin/plugin-conf.d/zzz-dovecot mode: '0644' notify: restart munin-node From 4d7de89ad4cfa90e6be094c1385677e6a213c192 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 7 Dec 2023 10:18:09 +0100 Subject: [PATCH 067/151] webapps/nextcloud: Add condition for config tasks And update CHANGELOG --- CHANGELOG.md | 3 +++ webapps/nextcloud/defaults/main.yml | 2 ++ webapps/nextcloud/tasks/main.yml | 1 + 3 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5695a6e7..a461c120 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * etc-git: add /var/chroot-bind/etc/bind repo +* webapps/nextcloud: Set ownership and permissions of data directory +* webapps/nextcloud: Add condition for config tasks ### Changed 
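Review bot: Both removal tasks in the first hunk now carry the identical name `Remove old dovecot plugin conf`, which makes play output and `--start-at-task` ambiguous; naming the new one after its path, `- name: Remove old dovecot plugin conf (z-evolinux-dovecot)`, keeps them distinguishable. In the second hunk the copy task still ships `src: z-evolinux-dovecot.conf` to `dest: /etc/munin/plugin-conf.d/zzz-dovecot`, so the source and destination names no longer match; that is harmless, but a one-line comment above the task explaining the `zzz-` prefix (presumably so it sorts after the packaged defaults) would save the next reader from assuming a mistake.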
@@ -35,6 +37,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * vrrpd: variable to force update the switch script (default: false) * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) +* webapps/nextcloud: Add Ceph volume to fstab ### Fixed diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml index 72ce812d..ca42901e 100644 --- a/webapps/nextcloud/defaults/main.yml +++ b/webapps/nextcloud/defaults/main.yml @@ -17,3 +17,5 @@ nextcloud_db_name: "{{ nextcloud_instance_name }}" nextcloud_admin_login: "admin" nextcloud_admin_password: "" + +nextcloud_do_config: True diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 02304334..5329646e 100644 --- a/webapps/nextcloud/tasks/main.yml +++ b/webapps/nextcloud/tasks/main.yml @@ -54,3 +54,4 @@ - ansible.builtin.include: mysql-user.yml - ansible.builtin.include: config.yml + when: nextcloud_do_config From cbc51c462a011c6e5727c64c3fb5749f0bb7d4c2 Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Thu, 7 Dec 2023 11:02:04 +0100 Subject: [PATCH 068/151] fix Add Ceph volume to fstab : missing UUID= in src --- CHANGELOG.md | 2 +- webapps/nextcloud/tasks/user.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a461c120..cf13de19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -56,7 +56,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) * evolinux-base: start to install linux-image-cloud-amd64 with Buster * apt: use archive.debian.org with Stretch - +* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src ### Removed 
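Review bot: `when: nextcloud_do_config` on the `config.yml` include evaluates the raw variable, so a value passed as the string `"False"` (for example via `-e`) is truthy and the config tasks still run; the rest of this repository tests booleans as `when: nextcloud_do_config | bool` (compare `apt_install_extended_lts | bool` further down this page). The new default `nextcloud_do_config: True` in `defaults/main.yml` has no comment saying what it controls; a line such as `# Set to False to skip the tasks in tasks/config.yml` above it would document the switch.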
diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index a9682914..020fce90 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -43,7 +43,7 @@ - name: Mount up Ceph volume by UUID ansible.posix.mount: path: "{{ nextcloud_data }}" - src: "{{ nextcloud_data_uuid }}" + src: "UUID={{ nextcloud_data_uuid }}" fstype: ext4 opts: defaults,noexec,nosuid,nodev,relatime,lazytime state: mounted From e32e1c54969222cedcef6e5933b6feffac882381 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 8 Dec 2023 16:13:41 +0100 Subject: [PATCH 069/151] Unbound: Big update & enhancements * Move configuration generated to /etc/unbound/unbound.conf.d/evolinux.conf so we don't override default config file * Make use of root hints provided by dns-root-data instead of downloading them * Add configuration to ensure that configuration reload work out of the box on Debian11 and old * Add required configuration in Unbound and munin to allow tge plugin to work * Make ansible-lint a bit more happy --- CHANGELOG.md | 5 ++ unbound/defaults/main.yml | 14 +++-- unbound/files/munin-plugin.conf | 5 ++ unbound/handlers/main.yml | 12 +++- unbound/tasks/main.yml | 75 +++++++++++++++++------ unbound/templates/evolinux-reload.conf.j2 | 7 +++ unbound/templates/evolinux.conf.j2 | 53 ++++++++++++++++ unbound/templates/unbound.conf.j2 | 45 -------------- 8 files changed, 144 insertions(+), 72 deletions(-) create mode 100644 unbound/files/munin-plugin.conf create mode 100644 unbound/templates/evolinux-reload.conf.j2 create mode 100644 unbound/templates/evolinux.conf.j2 delete mode 100644 unbound/templates/unbound.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index cf13de19..56b05cd2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -37,6 +37,11 @@ The **patch** part changes is incremented if multiple releases happen the same m * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * vrrpd: variable to force update the switch script (default: false) * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) +* unbound: Big cleanup +* unbound: Use root hints provided by debian package dns-root-data instead of downloading them +* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf` +* unbound: Add config file to allow configuration reload on Debian 11 and lower +* unbound: Add munin configuration & setup plugin * webapps/nextcloud: Add Ceph volume to fstab ### Fixed diff --git a/unbound/defaults/main.yml b/unbound/defaults/main.yml index 86f51822..0d7807c1 100644 --- a/unbound/defaults/main.yml +++ b/unbound/defaults/main.yml @@ -1,9 +1,11 @@ --- + unbound_interfaces: -- '127.0.0.1' -- '::1' + - '127.0.0.1' + - '::1' + unbound_acls: -- '0.0.0.0/0 refuse' -- '127.0.0.0/8 allow_snoop' -- '::0/0 refuse' -- '::1 allow_snoop' + - '0.0.0.0/0 refuse' + - '127.0.0.0/8 allow_snoop' + - '::0/0 refuse' + - '::1 allow_snoop' diff --git a/unbound/files/munin-plugin.conf b/unbound/files/munin-plugin.conf new file mode 100644 index 00000000..cf008d48 --- /dev/null +++ b/unbound/files/munin-plugin.conf @@ -0,0 +1,5 @@ +[unbound*] +user root +env.statefile /tmp/munin-unbound-state +env.unbound_conf /etc/unbound/unbound.conf +env.unbound_control /usr/sbin/unbound-control diff --git a/unbound/handlers/main.yml b/unbound/handlers/main.yml index 7c801751..fdb9a629 100644 --- a/unbound/handlers/main.yml +++ b/unbound/handlers/main.yml 
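Review bot: `env.statefile /tmp/munin-unbound-state` points a plugin that runs as `user root` at a fixed, predictable path in the shared, world-writable `/tmp`, which exposes it to the usual pre-creation and symlink problems of shared temporary directories; munin-node provides a per-plugin state directory for exactly this, so `env.statefile /var/lib/munin-node/plugin-state/root/unbound-state` (or leaving the variable unset if the plugin honours `MUNIN_PLUGSTATE`) avoids the shared directory. Whether `user root` is actually required depends on the permissions of the `/run/unbound.ctl` socket configured in `evolinux-reload.conf.j2`; if that socket is group-accessible, running the plugin as the munin user would be the smaller privilege, and a comment recording why root was chosen would help either way.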
@@ -1,5 +1,15 @@ --- -- name: reload unbound +- name: Restart unbound + ansible.builtin.service: + name: unbound + state: restarted + +- name: Reload unbound ansible.builtin.service: name: unbound state: reloaded + +- name: Restart munin-node + ansible.builtin.service: + name: munin-node + state: restarted diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml index 976c6386..6be337d3 100644 --- a/unbound/tasks/main.yml +++ b/unbound/tasks/main.yml 
@@ -1,38 +1,73 @@ --- - name: Install Unbound package ansible.builtin.apt: - name: unbound + name: + - unbound + - unbound-anchor + - dns-root-data state: present - when: ansible_distribution == "Debian" tags: - - unbound - -- name: Retrieve list of root DNS servers - ansible.builtin.get_url: - url: https://www.internic.net/domain/named.cache - dest: /etc/unbound/root.hints - force: true - mode: "0644" - notify: reload unbound - tags: - - unbound + - unbound - name: Copy Unbound config ansible.builtin.template: - src: unbound.conf.j2 - dest: /etc/unbound/unbound.conf + src: evolinux.conf.j2 + dest: /etc/unbound/unbound.conf.d/evolinux.conf owner: root group: root mode: "0644" - when: ansible_distribution == "Debian" - notify: reload unbound + notify: Reload unbound tags: - - unbound + - unbound + +- name: Copy Unbound config for reloading (Debian 11 and older) + ansible.builtin.template: + src: evolinux-reload.conf.j2 + dest: /etc/unbound/unbound.conf.d/evolinux-reload.conf + owner: root + group: root + mode: "0644" + when: + - ansible_distribution_major_version is version('11', '<=') + notify: Restart unbound + tags: + - unbound + +- name: Copy munin plugin config + ansible.builtin.copy: + src: munin-plugin.conf + dest: /etc/munin/plugin-conf.d/unbound + owner: root + group: root + mode: "0644" + tags: + - unbound + +- name: Enable unbound munin plugin + ansible.builtin.file: + src: /usr/share/munin/plugins/unbound_munin_ + dest: "/etc/munin/plugins/unbound_munin_{{ plugin_name }}" + state: link + loop: + - hits + - queue + - memory + - by_type + - by_class + - by_opcode + - by_rcode + - by_flags + - histogram + loop_control: + loop_var: plugin_name + notify: Restart munin-node + tags: + - unbound - name: Starting and enabling Unbound ansible.builtin.service: name: unbound - enabled: yes + enabled: true state: started tags: - - unbound + - unbound 
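Review bot: The `Copy munin plugin config` task has no `notify`, while the neighbouring `Enable unbound munin plugin` task notifies `Restart munin-node`; a change to `/etc/munin/plugin-conf.d/unbound` alone (for example the state file path) therefore never restarts munin-node, so the copy task should also carry `notify: Restart munin-node`. Both munin tasks write under `/etc/munin/` unconditionally; unless munin-node is guaranteed by an earlier role, they fail on a host without it, and a `when:` on a package or path check, or at least a comment stating the dependency, would make that assumption explicit. The reload template is installed only for Debian 11 and older, but `Reload unbound` is notified for every release; if Debian 12's packaged configuration already provides remote-control, a comment on the reload task saying so would explain why the two tasks are split.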
diff --git a/unbound/templates/evolinux-reload.conf.j2 b/unbound/templates/evolinux-reload.conf.j2 new file mode 100644 index 00000000..f2f395ae --- /dev/null +++ b/unbound/templates/evolinux-reload.conf.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +remote-control: + control-enable: yes + # by default the control interface is is 127.0.0.1 and ::1 and port 8953 + # it is possible to use a unix socket too + control-interface: /run/unbound.ctl diff --git a/unbound/templates/evolinux.conf.j2 b/unbound/templates/evolinux.conf.j2 new file mode 100644 index 00000000..339dfe45 --- /dev/null +++ b/unbound/templates/evolinux.conf.j2 
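Review bot: The comment has a doubled word, `the control interface is is 127.0.0.1`, which should read `is 127.0.0.1`. More importantly, enabling `remote-control` on the unix socket `/run/unbound.ctl` gives full `unbound-control` access (reload, flush, stats) to whatever can connect to that socket, and the template does not say which users that is meant to be; access is presumably governed by the socket's file permissions, so a comment such as `# access is governed by the socket's file permissions; intended for root and the munin plugin only` would record the intent and make the resulting mode something to verify after deployment.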
@@ -0,0 +1,53 @@ +server: + #interface: X.X.X.X + #interface: 127.0.0.1@5353 # listen on alternative port +{% for interface in unbound_interfaces %} + interface: {{ interface }} +{% endfor %} + +{% for acl in unbound_acls %} + access-control: {{ acl }} +{% endfor %} + + hide-identity: yes + hide-version: yes + + root-hints: "/usr/share/dns/root.hints" + + # Uncomment to enable DNSSEC validation. + #auto-trust-anchor-file: "/etc/unbound/root.key" + + # Enable extended stats for munin plugin + extended-statistics: yes + statistics-cumulative: no + statistics-interval: 0 + + + # Serve zones authoritatively from Unbound to resolver clients. + # Not for external service. + + #local-zone: "local." static + #local-data: "mycomputer.local. IN A 192.0.2.51" + #local-zone: "2.0.192.in-addr.arpa." static + #local-data-ptr: "192.0.2.51 mycomputer.local + # UDP EDNS reassembly buffer advertised to peers. Default 4096. + # May need lowering on broken networks with fragmentation/MTU issues, + # particularly if validating DNSSEC. + + #edns-buffer-size: 1480 + # Use TCP for "forward-zone" requests. Useful if you are making + # DNS requests over an SSH port forwarding. + #tcp-upstream: yes + + +# Use an upstream forwarder (recursive resolver) for specific zones. +# Example addresses given below are public resolvers valid as of 2014/03. +# +#forward-zone: +# name: "." # use for ALL queries +# forward-addr: 74.82.42.42 # he.net +# forward-addr: 2001:470:20::2 # he.net v6 +# forward-addr: 8.8.8.8 # google.com +# forward-addr: 2001:4860:4860::8888 # google.com v6 +# forward-addr: 208.67.222.222 # opendns.com +# forward-first: yes # try direct if forwarder fails diff --git a/unbound/templates/unbound.conf.j2 b/unbound/templates/unbound.conf.j2 deleted file mode 100644 index a97e725d..00000000 --- a/unbound/templates/unbound.conf.j2 +++ /dev/null 
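Review bot: The comment `# Uncomment to enable DNSSEC validation.` above the commented `auto-trust-anchor-file` no longer describes the situation: this file now lives in `/etc/unbound/unbound.conf.d/` next to the packaged snippets instead of replacing `unbound.conf`, and the same commit installs `unbound-anchor`, so validation is presumably already enabled by the distribution's own snippet and enabling it here as well would duplicate the directive. After confirming that on the target releases, replace the comment with one stating the source of truth, e.g. `# DNSSEC trust anchor is managed by the packaged unbound.conf.d snippet (unbound-anchor); do not enable it here too`. The `root-hints: "/usr/share/dns/root.hints"` line depends on the `dns-root-data` package installed by the task file; a short comment naming that package next to the directive would tie the two together.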
@@ -1,45 +0,0 @@ -server: - #interface: X.X.X.X - #interface: 127.0.0.1@5353 # listen on alternative port -{% for interface in unbound_interfaces %} - interface: {{ interface }} -{% endfor %} - #do-ip6: no - -{% for acl in unbound_acls %} - access-control: {{ acl }} -{% endfor %} - - hide-identity: yes - hide-version: yes - - root-hints: "/etc/unbound/root.hints" - # Uncomment to enable DNSSEC validation. - #auto-trust-anchor-file: "/etc/unbound/root.key" - # Serve zones authoritatively from Unbound to resolver clients. - # Not for external service. - - #local-zone: "local." static - #local-data: "mycomputer.local. IN A 192.0.2.51" - #local-zone: "2.0.192.in-addr.arpa." static - #local-data-ptr: "192.0.2.51 mycomputer.local - # UDP EDNS reassembly buffer advertised to peers. Default 4096. - # May need lowering on broken networks with fragmentation/MTU issues, - # particularly if validating DNSSEC. - - #edns-buffer-size: 1480 - # Use TCP for "forward-zone" requests. Useful if you are making - # DNS requests over an SSH port forwarding. - #tcp-upstream: yes - -# Use an upstream forwarder (recursive resolver) for specific zones. -# Example addresses given below are public resolvers valid as of 2014/03. -# -#forward-zone: -# name: "." # use for ALL queries -# forward-addr: 74.82.42.42 # he.net -# forward-addr: 2001:470:20::2 # he.net v6 -# forward-addr: 8.8.8.8 # google.com -# forward-addr: 2001:4860:4860::8888 # google.com v6 -# forward-addr: 208.67.222.222 # opendns.com -# forward-first: yes # try direct if forwarder fails From c90afcb4f4d67b6916baf05f9a16b38cc7a67c7b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 9 Dec 2023 10:00:30 +0100 Subject: [PATCH 070/151] apt: fix Jessie repository --- apt/templates/jessie_basics.list.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apt/templates/jessie_basics.list.j2 b/apt/templates/jessie_basics.list.j2 index fad381f8..a3b4aea8 100644 --- a/apt/templates/jessie_basics.list.j2 
+++ b/apt/templates/jessie_basics.list.j2 @@ -1,4 +1,4 @@ # {{ ansible_managed }} -deb http://archive.org/debian jessie {{ apt_basics_components | mandatory }} +deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }} deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }} From 66b69f1502d2b5f16dbee789b0f6ec1b061c5fa3 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Fri, 8 Dec 2023 10:11:45 +0100 Subject: [PATCH 071/151] remount-usr: do not try to remount /usr RW if /usr is not a mounted partition --- CHANGELOG.md | 1 + remount-usr/tasks/main.yml | 19 +++++++++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56b05cd2..cfd177ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * etc-git: add /var/chroot-bind/etc/bind repo * webapps/nextcloud: Set ownership and permissions of data directory * webapps/nextcloud: Add condition for config tasks +* remount-usr: do not try to remount /usr RW if /usr is not a mounted partition ### Changed diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml index eb5c0109..18dfe6ce 100644 --- a/remount-usr/tasks/main.yml +++ b/remount-usr/tasks/main.yml 
@@ -1,17 +1,28 @@ --- # findmnt returns 0 on hit, 1 on miss # If the return code is higher than 1, it's a blocking failure + +- name: "check if /usr is a mountpoint" + ansible.builtin.shell: "findmnt -n /usr &> /dev/null" + register: usr_mount_exists + failed_when: False + check_mode: False + changed_when: False + - name: "check if /usr is a read-only partition" ansible.builtin.command: cmd: 'findmnt /usr --noheadings --options ro' + register: usr_partition + when: usr_mount_exists.rc == 0 changed_when: False failed_when: usr_partition.rc > 1 - check_mode: no - register: usr_partition + check_mode: False - name: "mount /usr in rw" ansible.builtin.command: cmd: 'mount -o remount,rw /usr' - changed_when: False - when: usr_partition.rc == 0 + when: + - usr_mount_exists.rc == 0 + - usr_partition.rc == 0 notify: remount usr + changed_when: False From fb7218972feb0c7603f15794adefffac0f32f8e5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 9 Dec 2023 12:28:17 +0100 Subject: [PATCH 072/151] squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 --- CHANGELOG.md | 11 ++++++----- squid/README.md | 2 +- squid/tasks/main.yml | 6 +++--- squid/templates/squid.conf.j2 | 2 +- 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cfd177ec..e97ab46e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) * bind: Update role for Buster, Bullseye and Bookworm support +* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) * evocheck: upstream release 23.11.1 * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog 
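Review bot: `ansible.builtin.shell: "findmnt -n /usr &> /dev/null"` uses the bash-only `&>` redirection, but the shell module runs `/bin/sh`, which on Debian is dash; dash parses `cmd &> /dev/null` as `cmd &` followed by `> /dev/null`, so findmnt is backgrounded and the recorded `rc` is 0 whether or not `/usr` is a mountpoint, which defeats the new guard. Since `register` captures the output anyway there is no need for a redirection: `ansible.builtin.command: findmnt -n /usr` with the same `failed_when: False` yields the real exit status (or keep the shell module with `executable: /bin/bash`). The header comment (`findmnt returns 0 on hit, 1 on miss`) now applies to both findmnt tasks, so a one-line comment on the new task, `# rc 0 = /usr is a separate mount, 1 = not mounted`, keeps that readable.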
@@ -36,13 +37,13 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc: init /etc git repository in lxc container * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 -* vrrpd: variable to force update the switch script (default: false) -* dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) -* unbound: Big cleanup -* unbound: Use root hints provided by debian package dns-root-data instead of downloading them -* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf` +* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 * unbound: Add config file to allow configuration reload on Debian 11 and lower * unbound: Add munin configuration & setup plugin +* unbound: Big cleanup +* unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf` +* unbound: Use root hints provided by debian package dns-root-data instead of downloading them +* vrrpd: variable to force update the switch script (default: false) * webapps/nextcloud: Add Ceph volume to fstab ### Fixed diff --git a/squid/README.md b/squid/README.md index 8811a91f..aba25b4d 100644 --- a/squid/README.md +++ b/squid/README.md @@ -6,7 +6,7 @@ Installation and configuration of Squid Everything is in the `tasks/main.yml` file. -A blank file is created at `/etc/squid3/whitelist-custom.conf` to add addresses in the whitelist. +A blank file is created at `/etc/squid/whitelist-custom.conf` to add addresses in the whitelist. ## Available variables diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 2f0e94aa..965be04b 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml 
@@ -38,14 +38,14 @@ - name: "squid.conf is present (jessie)" ansible.builtin.template: src: squid.conf.j2 - dest: /etc/squid3/squid.conf + dest: /etc/squid/squid.conf notify: "restart squid3" when: ansible_distribution_release == "jessie" - name: "evolix whitelist is present (jessie)" ansible.builtin.copy: src: whitelist-evolinux.conf - dest: /etc/squid3/whitelist.conf + dest: /etc/squid/whitelist.conf force: false notify: "reload squid3" when: ansible_distribution_release == "jessie" @@ -135,7 +135,7 @@ - name: add some URL in whitelist (Debian 8) ansible.builtin.lineinfile: insertafter: EOF - dest: /etc/squid3/whitelist.conf + dest: /etc/squid/whitelist.conf line: "{{ item }}" state: present loop: '{{ squid_whitelist_items }}' diff --git a/squid/templates/squid.conf.j2 b/squid/templates/squid.conf.j2 index 108a3bc1..4c89a777 100644 --- a/squid/templates/squid.conf.j2 +++ b/squid/templates/squid.conf.j2 @@ -8,7 +8,7 @@ acl localhost src 127.0.0.0/32 acl INTERNE src {{ squid_address }}/32 127.0.0.0/8 acl Safe_ports port 80 # http acl SSL_ports port 443 563 -acl WHITELIST url_regex "/etc/squid3/whitelist.conf" +acl WHITELIST url_regex "/etc/squid/whitelist.conf" http_access deny !WHITELIST http_access allow INTERNE http_access deny all From ca5d9d52023aaa52796ae7df5005c3084edecb90 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 9 Dec 2023 13:52:08 +0100 Subject: [PATCH 073/151] mysql: use a boolean for read-only --- mysql/defaults/main.yml | 2 +- mysql/templates/evolinux-custom.cnf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index af43f495..871dd599 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -59,5 +59,5 @@ mysql_binlog_format: mixed mysql_server_id: null mysql_bind_address: null mysql_repl_password: '' -mysql_read_only: 0 +mysql_read_only: False 
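Review bot: The jessie tasks now write to `/etc/squid/` but still notify the `restart squid3` and `reload squid3` handlers, and the commit message itself says the directory only "seems to" have changed, so the service and handler names for jessie should be verified together with the path (the handlers are outside this diff). A short comment on the first jessie task recording which package and service name Debian 8 actually ships would save the next reader from re-investigating. The template hunk changes only the whitelist path; `acl localhost src 127.0.0.0/32` in its context lines is pre-existing and unrelated to this change.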
diff --git a/mysql/templates/evolinux-custom.cnf.j2 b/mysql/templates/evolinux-custom.cnf.j2 index 119943a1..cc66df94 100644 --- a/mysql/templates/evolinux-custom.cnf.j2 +++ b/mysql/templates/evolinux-custom.cnf.j2 @@ -38,7 +38,7 @@ lower_case_table_names = {{ mysql_lower_case_table_names }} {% if mysql_innodb_log_file_size %} innodb_log_file_size = {{ mysql_innodb_log_file_size }} {% endif %} -read_only = {{ mysql_read_only }} +read_only = {{ mysql_read_only | bool | ternary('1','0') }} {% if mysql_performance_schema %} performance_schema = ON performance-schema-instrument='stage/%=ON' From db6390220679a5f797688bc3d7609e07425d8445 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 11 Dec 2023 14:04:55 +0100 Subject: [PATCH 074/151] apt: use the GPG version of the key for Debian 8-9 --- CHANGELOG.md | 1 + apt/tasks/evolix_public.deb822.yml | 8 +++++++- apt/tasks/evolix_public.oneline.yml | 20 ++++++++++++++++++-- apt/templates/evolix_public.list.j2 | 2 +- 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e97ab46e..ec472e70 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) +* apt: use the GPG version of the key for Debian 8-9 * bind: Update role for Buster, Bullseye and Bookworm support * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) * evocheck: upstream release 23.11.1 diff --git a/apt/tasks/evolix_public.deb822.yml b/apt/tasks/evolix_public.deb822.yml index 0a91dddf..0e6639c3 100644 --- a/apt/tasks/evolix_public.deb822.yml +++ b/apt/tasks/evolix_public.deb822.yml 
@@ -24,10 +24,16 @@ owner: root group: root +- name: Set Evolix GPG key format to ASC + set_fact: + apt_evolix_public_key: "{{ apt_keyring_dir }}/pub_evolix.asc" + tags: + - apt + - name: Add Evolix GPG key ansible.builtin.copy: src: pub_evolix.asc - dest: "{{ apt_keyring_dir }}/pub_evolix.asc" + dest: "{{ apt_evolix_public_key }}" force: true mode: "0644" owner: root diff --git a/apt/tasks/evolix_public.oneline.yml b/apt/tasks/evolix_public.oneline.yml index 9501e595..165a7b93 100644 --- a/apt/tasks/evolix_public.oneline.yml +++ b/apt/tasks/evolix_public.oneline.yml @@ -24,10 +24,26 @@ owner: root group: root +- name: Set Evolix GPG key format to GPG (Debian < 9) + set_fact: + apt_evolix_public_key: "pub_evolix.gpg" + when: + - ansible_distribution_major_version is version('9', '<') + tags: + - apt + +- name: Set Evolix GPG key format to ASC (Debian >= 9) + set_fact: + apt_evolix_public_key: "pub_evolix.asc" + when: + - ansible_distribution_major_version is version('9', '>=') + tags: + - apt + - name: Add Evolix GPG key ansible.builtin.copy: - src: pub_evolix.asc - dest: "{{ apt_keyring_dir }}/pub_evolix.asc" + src: "{{ apt_evolix_public_key }}" + dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}" force: true mode: "0644" owner: root diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index e00899e7..7ed18708 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,3 @@ # {{ ansible_managed }} -deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main +deb [signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main From 6c0ca0239154eb311e91688281ea7b802f5330d2 Mon Sep 17 00:00:00 2001 
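Review bot: `apt_evolix_public_key` is given a different shape in the two task files: `evolix_public.deb822.yml` sets it to the full path `{{ apt_keyring_dir }}/pub_evolix.asc`, while `evolix_public.oneline.yml` sets it to the bare file name and both the copy `dest` and `evolix_public.list.j2` prepend `{{ apt_keyring_dir }}/` themselves, so anything that later reads the fact must know which file set it. Using the bare name in both (`apt_evolix_public_key: "pub_evolix.asc"` in the deb822 file, with `dest: "{{ apt_keyring_dir }}/{{ apt_evolix_public_key }}"` there too) removes the ambiguity. The Debian < 9 branch copies `src: pub_evolix.gpg`, which is not among the files this commit adds, so it presumably already exists in `apt/files/` and is worth confirming. Both new `set_fact:` tasks also use the short module name where the rest of the file uses the `ansible.builtin.` prefix.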
From: Jeremy Lecour Date: Mon, 11 Dec 2023 14:06:10 +0100 Subject: [PATCH 075/151] apt: add task file to install ELTS repository (default: False) --- CHANGELOG.md | 1 + apt/defaults/main.yml | 3 +- apt/files/freexian-archive-extended-lts.gpg | Bin 0 -> 1176 bytes apt/tasks/extended-lts.oneline.yml.yml | 37 ++++++++++++++++++++ apt/tasks/main.yml | 10 +++++- apt/templates/jessie_extended-lts.list.j2 | 4 +++ apt/templates/stretch_extended-lts.list.j2 | 4 +++ 7 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 apt/files/freexian-archive-extended-lts.gpg create mode 100644 apt/tasks/extended-lts.oneline.yml.yml create mode 100644 apt/templates/jessie_extended-lts.list.j2 create mode 100644 apt/templates/stretch_extended-lts.list.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index ec472e70..fd1a786c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added * Preliminary work for php83 +* apt: add task file to install ELTS repository (default: False) * lxc-php: Allow one to install php83 on Bookworm container * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user diff --git a/apt/defaults/main.yml b/apt/defaults/main.yml index 3720d893..772a8fb9 100644 --- a/apt/defaults/main.yml +++ b/apt/defaults/main.yml @@ -14,6 +14,7 @@ apt_install_backports: False apt_backports_components: "main" apt_install_evolix_public: True +apt_install_extended_lts: False apt_clean_gandi_sourceslist: False 
@@ -28,4 +29,4 @@ apt_check_hold_cron_weekday: "*" apt_check_hold_cron_day: "*" apt_check_hold_cron_month: "*" -apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" \ No newline at end of file +apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}" diff --git a/apt/files/freexian-archive-extended-lts.gpg b/apt/files/freexian-archive-extended-lts.gpg new file mode 100644 index 0000000000000000000000000000000000000000..819c10ff58554f8c923fbb5547b91033560220c0 GIT binary patch literal 1176 zcmV;J1ZVr10u2OP3>k+35CE!*la@dGSZvSDM8iRcInG1)P{N=(7x?10JSiF{TjyF* zFAc}dYTJ`V+M7ayLf+6i@+jA%ECWj>C8yGZ+mBWK0?b}8!#>P=;K#ZAFO$=p+=TcF zW=;Ht4Bjm|zRHR^K4En3i-iQ%tt*F^W%*%3W?zD!8VklE58+9^Tu7s zw)gj&Js}nWDE>vjUXR`B0p*FuvlOEpOQ14Ok~HV`sjB*UVvvh)QxF9kC^zQiSCw~# z+m$j0EzQFz(?uoImN!zqt#o-0_v0>C+fuyI^WMNdU+HLT8w}zu*fb>?0I7e+%BJb# ziF9-va~rCRwa3MiF*E=ShNvMe7QnYdc6=@h@Fej1rR$Ord?|(dGMx~51fXoI>G1zL zjIdu#sFLmFG+ro7WeSv#ZGpGU__Dk%gV@sP_jUL&cj=Cu7%Uw^Wp2tMINGLiW}ho} zy^-0Ybo@tYDin=mM}9Al!BhAJoHL;@nIk^9aAFYLL8R-NdGQ5r-`*Xx57z|~Yo-s` z4(HON9Ld$}g#=xf*wxIn8l%B5Z&QhsVd^xx6bT3jFQ`t&Oq3m1Nwf93e1g%ke2z@; zBVF1Z`8$GP-UR>=0RRECFGYBCWo~3;WFSmbQy@}haBp*IbZ>HbAUtzLGf za%E+BX<=?IV{dIfi2_sv69EVSJ^~v91q%rX2Lc8a2nh-c0t6NU0|5da0Rk6*79j+y zS$t1#Gl0EIE9=6ba}d*M1zlPN0%DsoJp~C7=>N6=3JDOPa}d*M1zlSHx)1=Sqq_^% z{^3z{pn8(R(G*1}I^7SxxB;rzrg9!F^RQLctKT5nFL6XebR-^i=d$`>Y>!T6 z*Zb)vOxWYF4K&2Ib?EvTd8E9SAj3<8pXnP9QF_2K{vZe}ZLsbJov+lN6NFr!Tu+Db zAuxc|+O2ByA@Iy<aEH7)nm=7P^Nw$m&L^B(--*Gg ztwF#Ik3?);3h+nmze3L#G+9aPqxT6LcQ0gyuYyaEWD>|6bHrGPvg*ast`y>Oa{rIa q@dG0}9Dw33F^}f!O`7ygKR7;u{v-iCt~UQnD=$vejsPKruP6Bwc_o(s literal 0 HcmV?d00001 diff --git a/apt/tasks/extended-lts.oneline.yml.yml b/apt/tasks/extended-lts.oneline.yml.yml new file mode 100644 index 00000000..09974684 --- /dev/null +++ b/apt/tasks/extended-lts.oneline.yml.yml 
@@ -0,0 +1,37 @@ +--- + +- name: "Ensure {{ apt_keyring_dir }} directory exists" + file: + path: "{{ apt_keyring_dir }}" + state: directory + mode: "755" + owner: root + group: root + +- name: Add Evolix GPG key + ansible.builtin.copy: + src: "freexian-archive-extended-lts.gpg" + dest: "{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg" + force: true + mode: "0644" + owner: root + group: root + tags: + - apt + +- name: ELTS list is installed + ansible.builtin.template: + src: "{{ ansible_distribution_release }}_extended-lts.list.j2" + dest: /etc/apt/sources.list.d/extended-lts.list + force: true + mode: "0640" + register: apt_extended_lts + tags: + - apt + +- name: Apt update + ansible.builtin.apt: + update_cache: yes + tags: + - apt + when: apt_extended_lts is changed diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index 4d357f8b..c20abe54 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -80,6 +80,14 @@ - apt_install_evolix_public | bool - ansible_distribution_major_version is version('12', '>=') +- name: Install Extended-LTS repositories (Debian < 10) + ansible.builtin.import_tasks: extended-lts.oneline.yml.yml + tags: + - apt + when: + - apt_install_extended_lts | bool + - ansible_distribution_major_version is version('10', '<') + - name: Clean GANDI sources ansible.builtin.file: path: '{{ item }}' @@ -126,4 +134,4 @@ upgrade: dist when: apt_upgrade | bool tags: - - apt \ No newline at end of file + - apt diff --git a/apt/templates/jessie_extended-lts.list.j2 b/apt/templates/jessie_extended-lts.list.j2 new file mode 100644 index 00000000..c20be4e7 --- /dev/null +++ b/apt/templates/jessie_extended-lts.list.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie main +deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts jessie-lts main 
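Review bot: the task that installs `freexian-archive-extended-lts.gpg` is still named `Add Evolix GPG key`, copied from `evolix_public.oneline.yml`, and nothing in the hunk records where the key was obtained; renaming it `Add Freexian Extended LTS GPG key` and adding a comment above it such as `# Freexian ELTS archive signing key, fingerprint <FINGERPRINT-TO-FILL>` lets the binary blob be checked against the publisher later. The new file is named `extended-lts.oneline.yml.yml` (doubled extension) and the `import_tasks` line in `apt/tasks/main.yml` repeats it, so both should be corrected together. `update_cache: yes` also departs from the `true`/`false` convention this series adopts elsewhere.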
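Review bot: the two `deb` lines in `jessie_extended-lts.list.j2` quote the option value, `signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"`, whereas `evolix_public.list.j2` in the same series writes `signed-by={{ apt_keyring_dir }}/{{ apt_evolix_public_key }}` unquoted. I am not certain apt's one-line parser strips the quotes; if it does not, the key path does not resolve and `apt update` fails on signature verification for this source. The unquoted form, `deb [signed-by={{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg] http://elts.evolix.org/extended-lts jessie main`, is consistent with the rest of the role. `stretch_extended-lts.list.j2` on the following line has the same pattern.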
diff --git a/apt/templates/stretch_extended-lts.list.j2 b/apt/templates/stretch_extended-lts.list.j2 new file mode 100644 index 00000000..374e571e --- /dev/null +++ b/apt/templates/stretch_extended-lts.list.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch main +deb [signed-by="{{ apt_keyring_dir }}/freexian-archive-extended-lts.gpg"] http://elts.evolix.org/extended-lts stretch-lts main From a920d2d4028eb8b7f50d0196f56705763e0ee328 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 11 Dec 2023 14:07:15 +0100 Subject: [PATCH 076/151] apt: Disable archive repository for Debian 8 --- CHANGELOG.md | 3 ++- apt/templates/jessie_basics.list.j2 | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fd1a786c..56c21f93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) -* apt: use the GPG version of the key for Debian 8-9 +* apt: Disable archive repository for Debian 8 +* apt: Use the GPG version of the key for Debian 8-9 * bind: Update role for Buster, Bullseye and Bookworm support * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) * evocheck: upstream release 23.11.1 diff --git a/apt/templates/jessie_basics.list.j2 b/apt/templates/jessie_basics.list.j2 index a3b4aea8..7d72bfbd 100644 --- a/apt/templates/jessie_basics.list.j2 +++ b/apt/templates/jessie_basics.list.j2 
@@ -1,4 +1,5 @@ # {{ ansible_managed }} -deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }} -deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }} +### Those repositories are unusable. Move to ELTS (manually). +# deb http://archive.debian.org/debian jessie {{ apt_basics_components | mandatory }} +# deb http://archive.debian.org/debian-security jessie/updates {{ apt_basics_components | mandatory }} From 26e3dc1be6391feabcad398931fadd2db8cea467 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 11 Dec 2023 18:19:38 +0100 Subject: [PATCH 077/151] apache: use backward compatible Redirect directive --- CHANGELOG.md | 1 + apache/files/evolinux-defaults.conf | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56c21f93..42aee7fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * add-vm.sh: allow VM name max length > 20 * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) +* apache: use backward compatible Redirect directive * apt: Disable archive repository for Debian 8 * apt: Use the GPG version of the key for Debian 8-9 * bind: Update role for Buster, Bullseye and Bookworm support diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index 73b7f136..c05f77f2 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -48,17 +48,17 @@ MaxKeepAliveRequests 10 # We don't want to let the client know a file exist on the server, # so we return 404 "Not found" instead of 403 "Forbidden". - Redirect 404 + Redirect 404 "-" # File names starting with - Redirect 404 + Redirect 404 "-" # File names ending with - Redirect 404 + Redirect 404 "-" From b0992bcaf905d012c1feaa76f5f4a02adb9748fe Mon Sep 17 00:00:00 2001 
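Review bot: the replacement comment `### Those repositories are unusable. Move to ELTS (manually).` leaves a Debian 8 host with no active package source and does not mention the `apt_install_extended_lts` switch added in the previous commit, which is the role's own way to do that move. Something like `### archive.debian.org repositories are unusable for jessie; set apt_install_extended_lts: True to switch to ELTS.` points the reader at the fix. Since a host rendered from this template receives no security updates until that is done, surfacing the state at run time (a debug or assert message in the apt tasks) would be more visible than a comment in the rendered file.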
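Review bot: the three `Redirect 404 "-"` lines carry no comment explaining the `"-"` argument, which reads like a typo to anyone used to `Redirect 404` on its own. The commit title says it is for backward compatibility, presumably with Apache releases that require the URL-path argument; a comment above the first occurrence, `# "-" is a dummy URL-path: older Apache releases reject "Redirect 404" without one`, would preserve that reasoning next to the directives. The enclosing container directives around these lines are not visible in this rendering.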
From: Jeremy Lecour Date: Mon, 11 Dec 2023 18:21:57 +0100 Subject: [PATCH 078/151] mysql: disable performance schema for Debian 8 --- CHANGELOG.md | 1 + mysql/tasks/config_jessie.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 42aee7fd..08b2ecb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,6 +39,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * kvmstats: use .capacity instead of .physical for disk size * log2mail: move custom config in separate file * lxc: init /etc git repository in lxc container +* mysql: disable performance schema for Debian 8 * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index 3d8c494d..364ee175 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -2,6 +2,7 @@ - ansible.builtin.set_fact: mysql_config_directory: /etc/mysql/conf.d + mysql_performance_schema: False - name: "Copy MySQL defaults config file (jessie)" ansible.builtin.copy: From 5f158e031b545bbaa48b1ca78f1aafd31be43123 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 11 Dec 2023 11:05:06 +0100 Subject: [PATCH 079/151] spamassin: Use spamd starting with Bookworm --- spamassasin/handlers/main.yml | 5 +++++ spamassasin/tasks/main.yml | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/spamassasin/handlers/main.yml b/spamassasin/handlers/main.yml index 78597a37..7dbc9c7f 100644 --- a/spamassasin/handlers/main.yml +++ b/spamassasin/handlers/main.yml 
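Review bot: `mysql_performance_schema: False` is set with `set_fact`, which takes precedence over role defaults, inventory and play vars, so on Debian 8 hosts any value an operator sets for this variable is silently overridden. If the override is deliberate (presumably the jessie MySQL build cannot run with performance_schema enabled), a comment on the line should say so, e.g. `# forced off on jessie: <reason>; overrides any user-provided value`. If it is only meant as a jessie default, a `when: mysql_performance_schema is not defined` guard on the task, or a vars file loaded for jessie, would be less surprising.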
@@ -3,3 +3,8 @@ ansible.builtin.service: name: spamassassin state: restarted + +- name: restart spamd + ansible.builtin.service: + name: spamd + state: restarted diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index 9f2889ca..fbcd6e5c 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -4,6 +4,16 @@ name: - spamassassin state: present + when: ansible_distribution_major_version is version('12', '<') + tags: + - spamassassin + +- name: install spamd + ansible.builtin.apt: + name: + - spamd + state: present + when: ansible_distribution_major_version is version('12', '>=') tags: - spamassassin @@ -13,6 +23,17 @@ dest: /etc/spamassassin/local_evolix.cf mode: "0644" notify: restart spamassassin + when: ansible_distribution_major_version is version('12', '<') + tags: + - spamassassin + +- name: configure spamd + ansible.builtin.copy: + src: spamassassin.cf + dest: /etc/spamassassin/local_evolix.cf + mode: "0644" + notify: restart spamd + when: ansible_distribution_major_version is version('12', '>=') tags: - spamassassin @@ -22,6 +43,7 @@ regexp: 'ENABLED=0' replace: 'ENABLED=1' notify: restart spamassassin + when: ansible_distribution_major_version is version('12', '<') tags: - spamassassin @@ -97,5 +119,15 @@ name: spamassassin state: started enabled: True + when: ansible_distribution_major_version is version('12', '<') + tags: + - spamassassin + +- name: ensure spamd is started and enabled + ansible.builtin.systemd: + name: spamd + state: started + enabled: True + when: ansible_distribution_major_version is version('12', '>=') tags: - spamassassin From 95610e16be9b3cbdf57603576eb40708979ca6fd Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 12 Dec 2023 17:11:45 +0100 Subject: [PATCH 080/151] bind: allow bullseye and bookworm --- bind/meta/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bind/meta/main.yml b/bind/meta/main.yml index 6cf180b1..533f4335 100644 --- a/bind/meta/main.yml +++ b/bind/meta/main.yml 
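Review bot: the added `spamd` tasks in `spamassasin/tasks/main.yml` (`install spamd`, `configure spamd`, `ensure spamd is started and enabled`) duplicate their spamassassin counterparts except for the unit name; `configure spamd` in particular copies the same `spamassassin.cf` to the same `/etc/spamassassin/local_evolix.cf` and differs only in `notify`. Deriving the unit name once, e.g. `spamassassin_service: "{{ 'spamd' if ansible_distribution_major_version is version('12', '>=') else 'spamassassin' }}"`, and using `name: "{{ spamassassin_service }}"` and `notify: "restart {{ spamassassin_service }}"` in single tasks keeps the version split in one place. The same applies to the pair of handlers in `spamassasin/handlers/main.yml`, which could collapse to one parameterised handler. The version guard added to the `ENABLED=0` replace task is fine as is, since that file presumably only exists for the spamassassin unit.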
@@ -14,6 +14,8 @@ galaxy_info: - jessie - stretch - buster + - bullseye + - bookworm galaxy_tags: [] # Be sure to remove the '[]' above if you add dependencies From 0c09763e87d5b47f5eb51b67135ae16bbc4f46c6 Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Thu, 14 Dec 2023 16:59:55 +0100 Subject: [PATCH 081/151] fix(minifirewall): Properly detect old minifirewall versions --- CHANGELOG.md | 1 + minifirewall/files/check_minifirewall | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 08b2ecb7..5ff2a0f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Set ownership and permissions of data directory * webapps/nextcloud: Add condition for config tasks * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition +* minifirewall: Fix nagios check for old versions of minifirewall ### Changed diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index fc034de4..565a912d 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -87,7 +87,7 @@ main() { append_details "configuration is up-to-date" summary_ok "minifirewall is started and configuration is up-to-date" else - if echo "${check_result}" | grep --quiet --regexp 'usage'; then + if echo "${check_result}" | grep --ignore-case --quiet --regexp 'usage'; then append_details "minifirewall is too old to check active configuration" else case "${check_rc}" in From 9e67db57e5e2693c11f337f5614c64269e1af888 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 18 Dec 2023 11:29:40 +0100 Subject: [PATCH 082/151] evolinux-base: fix hardware.yml (wrong repo, missing update cache) --- CHANGELOG.md | 1 + evolinux-base/tasks/hardware.yml | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) 
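Review bot: `grep --ignore-case --quiet --regexp 'usage'` matches the word anywhere in `${check_result}`, so any future minifirewall status output that happens to contain "usage" would be reported as "too old" instead of reaching the `case "${check_rc}"` branch below. If the old versions' help text starts with `Usage:`, anchoring the pattern, `grep --ignore-case --quiet --regexp '^usage'`, keeps the new case-insensitive match while limiting false positives; a comment naming the minifirewall version range whose output this detects would help the next reader. `main()` begins and ends outside the hunk.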
diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ff2a0f2..12239973 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -70,6 +70,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: start to install linux-image-cloud-amd64 with Buster * apt: use archive.debian.org with Stretch * webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src +* evolinux-base: fix hardware.yml (wrong repo, missing update cache) ### Removed diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 30badf70..b4280e09 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml @@ -6,11 +6,11 @@ tags: - packages -- name: firmware-non-free components are installed (Debian 12+) +- name: non-free-firmware components are installed (Debian 12+) ansible.builtin.replace: dest: /etc/apt/sources.list.d/system.sources - regexp: '^(Components: ((?!\bfirmware-non-free\b).)*)$' - replace: '\1 firmware-non-free' + regexp: '^(Components: ((?!\bnon-free-firmware\b).)*)$' + replace: '\1 non-free-firmware' when: - ansible_distribution_major_version is version('12', '>=') @@ -48,6 +48,7 @@ - firmware-linux-nonfree - intel-microcode state: present + update_cache: True tags: - packages From b4c9fcf6f7ff391125ead367ca8e80db2013c3c3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 18 Dec 2023 16:36:09 +0100 Subject: [PATCH 083/151] mongodb: add gpg key for 7.0 --- CHANGELOG.md | 1 + mongodb/files/server-7.0.asc | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 mongodb/files/server-7.0.asc diff --git a/CHANGELOG.md b/CHANGELOG.md index 12239973..bc0021c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * Preliminary work for php83 * apt: add task file to install ELTS repository (default: False) * lxc-php: Allow one to install php83 on Bookworm container +* mongodb: add gpg key for 7.0 * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * etc-git: add /var/chroot-bind/etc/bind repo diff --git a/mongodb/files/server-7.0.asc b/mongodb/files/server-7.0.asc new file mode 100644 index 00000000..7f4911ae --- /dev/null +++ b/mongodb/files/server-7.0.asc 
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBGPILWABEACqeWP/ktugdlWEyk7YTXo3n19+5Om4AlSdIyKv49vAlKtzCfMA +QkZq3mfvjXiKMuLnL2VeElAJQIYcPoqnHf6tJbdrNv4AX2uI1cTsvGW7YS/2WNwJ +C/+vBa4o+yA2CG/MVWZRbtOjkFF/W07yRFtNHAcgdmpIjdWgSnPQr9eIqLuWXIhy +H7EerKsba227Vd/HfvKnAy30Unlsdywy7wi1FupzGJck0TPoOVGmsSpSyIQu9A4Z +uC6TE/NcJHvaN0JuHwM+bQo9oWirGsZ1NCoVqSY8/sasdUc7T9r90MbUcH674YAR +8OKYVBzU0wch4VTFhfHZecKHQnZf+V4dmP9oXnu4fY0/0w3l4jaew7Ind7kPg3yN +hvgAkBK8yRAbSu1NOtHDNiRoHGEQFgct6trVOvCqHbN/VToLNtGk0rhKGOp8kuSF +OJ02PJPxF3/zHGP8n8khCjUJcrilYPqRghZC8ZWnCj6GJVg6WjwLi+hPwNMi8xK6 +cjKhRW3eCy5Wcn73PzVBX9f7fSeFDJec+IfS47eNkxunHAOUMXa2+D+1xSWgEfK0 +PClfyWPgLIXY2pGQ6v8l3A6P5gJv4o38/E1h1RTcO3H1Z6cgZLIORZHPyAj50SPQ +cjzftEcz56Pl/Cyw3eMYC3qlbABBgsdeb6KB6G5dkNxI4or3MgmxcwfnkwARAQAB +tDdNb25nb0RCIDcuMCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u +Z29kYi5jb20+iQI+BBMBAgAoBQJjyC1gAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE +FgIDAQIeAQIXgAAKCRAWDSa7F4W6OM+eD/sE7KbJyRNWyPCRTqqJXrXvyPqZtbFX +8sio0lQ8ghn4f7lmb7LnFroUsmBeWaYirM8O3b2+iQ9oj4GeR3gbRZsEhFXQfL54 +SfrmG9hrWWpJllgPP7Six+jrzcjvkf1TENqw4jRP+cJhuihH1Gfizo9ktwwoN9Yr +m7vgh+focEEmx8dysS38ApLxKlUEfTsE9bYsClgqyY1yrt3v4IpGbf66yfyBHNgY +sObR3sngDRVbap7PwNyREGsuAFfKr/Dr37HfrjY7nsn3vH7hbDpSBh+H7a0b/chS +mM60aaG4biWpvmSC7uxA/t0gz+NQuC4HL+qyNPUxvyIO+TwlaXfCI6ixazyrH+1t +F7Bj5mVsne7oeWjRrSz85jK3Tpn9tj3Fa7PCDA6auAlPK8Upbhuoajev4lIydNd2 +70yO0idm/FtpX5a8Ck7KSHDvEnXpN70imayoB4Fs2Kigi2BdZOOdib16o5F/9cx9 +piNa7HotHCLTfR6xRmelGEPWKspU1Sm7u2A5vWgjfSab99hiNQ89n+I7BcK1M3R1 +w/ckl6qBtcxz4Py+7jYIJL8BYz2tdreWbdzWzjv+XQ8ZgOaMxhL9gtlfyYqeGfnp +hYW8LV7a9pavxV2tLuVjMM+05ut/d38IkTV7OSJgisbSGcmycXIzxsipyXJVGMZt +MFw3quqJhQMRsA== +=gbRM +-----END PGP PUBLIC KEY BLOCK----- From 62c596046dac3fbe9b0bbd99f469be2445d87db4 Mon Sep 17 00:00:00 2001 
From: Mathieu Trossevin Date: Mon, 18 Dec 2023 16:50:04 +0100 Subject: [PATCH 084/151] Add role for automatically deploying autosysadmin --- CHANGELOG.md | 1 + autosysadmin/defaults/main.yml | 22 + .../files/logrotate_autosysadmin.conf | 13 + autosysadmin/files/rsyslog_autosysadmin.conf | 3 + autosysadmin/files/scripts/functions.sh | 478 ++++++++++++++++++ autosysadmin/files/scripts/repair_amavis.sh | 33 ++ autosysadmin/files/scripts/repair_disk.sh | 173 +++++++ .../files/scripts/repair_elasticsearch.sh | 57 +++ autosysadmin/files/scripts/repair_http.sh | 141 ++++++ autosysadmin/files/scripts/repair_mysql.sh | 71 +++ autosysadmin/files/scripts/repair_opendkim.sh | 61 +++ .../files/scripts/repair_php_fpm56.sh | 53 ++ .../files/scripts/repair_php_fpm70.sh | 53 ++ .../files/scripts/repair_php_fpm73.sh | 53 ++ .../files/scripts/repair_php_fpm74.sh | 53 ++ .../files/scripts/repair_php_fpm80.sh | 53 ++ .../files/scripts/repair_php_fpm81.sh | 53 ++ .../files/scripts/repair_php_fpm82.sh | 53 ++ .../files/scripts/repair_php_fpm83.sh | 53 ++ autosysadmin/files/scripts/repair_redis.sh | 58 +++ autosysadmin/files/scripts/repair_template.sh | 63 +++ .../files/scripts/repair_tomcat_instance.sh | 53 ++ autosysadmin/files/scripts/restart_amavis.sh | 35 ++ autosysadmin/handlers/main.yml | 16 + autosysadmin/tasks/autosysadmin_scripts.yml | 61 +++ autosysadmin/tasks/dependencies.yml | 4 + autosysadmin/tasks/logrotate.yml | 10 + autosysadmin/tasks/main.yml | 37 ++ autosysadmin/tasks/nrpe.yml | 11 + autosysadmin/tasks/rsyslog.yml | 11 + autosysadmin/tasks/sudo.yml | 9 + autosysadmin/templates/autosysadmin.cf.j2 | 74 +++ autosysadmin/templates/autosysadmin.cfg.j2 | 22 + autosysadmin/templates/sudoers.j2 | 21 + evolinux-base/defaults/main.yml | 3 + evolinux-base/tasks/main.yml | 5 + 36 files changed, 1970 insertions(+) create mode 100644 autosysadmin/defaults/main.yml create mode 100644 autosysadmin/files/logrotate_autosysadmin.conf create mode 100644 
autosysadmin/files/rsyslog_autosysadmin.conf create mode 100644 autosysadmin/files/scripts/functions.sh create mode 100644 autosysadmin/files/scripts/repair_amavis.sh create mode 100644 autosysadmin/files/scripts/repair_disk.sh create mode 100644 autosysadmin/files/scripts/repair_elasticsearch.sh create mode 100644 autosysadmin/files/scripts/repair_http.sh create mode 100644 autosysadmin/files/scripts/repair_mysql.sh create mode 100644 autosysadmin/files/scripts/repair_opendkim.sh create mode 100644 autosysadmin/files/scripts/repair_php_fpm56.sh create mode 100644 autosysadmin/files/scripts/repair_php_fpm70.sh create mode 100644 autosysadmin/files/scripts/repair_php_fpm73.sh create mode 100644 autosysadmin/files/scripts/repair_php_fpm74.sh create mode 100644 autosysadmin/files/scripts/repair_php_fpm80.sh create mode 100644 autosysadmin/files/scripts/repair_php_fpm81.sh create mode 100644 autosysadmin/files/scripts/repair_php_fpm82.sh create mode 100644 autosysadmin/files/scripts/repair_php_fpm83.sh create mode 100644 autosysadmin/files/scripts/repair_redis.sh create mode 100644 autosysadmin/files/scripts/repair_template.sh create mode 100644 autosysadmin/files/scripts/repair_tomcat_instance.sh create mode 100644 autosysadmin/files/scripts/restart_amavis.sh create mode 100644 autosysadmin/handlers/main.yml create mode 100644 autosysadmin/tasks/autosysadmin_scripts.yml create mode 100644 autosysadmin/tasks/dependencies.yml create mode 100644 autosysadmin/tasks/logrotate.yml create mode 100644 autosysadmin/tasks/main.yml create mode 100644 autosysadmin/tasks/nrpe.yml create mode 100644 autosysadmin/tasks/rsyslog.yml create mode 100644 autosysadmin/tasks/sudo.yml create mode 100644 autosysadmin/templates/autosysadmin.cf.j2 create mode 100644 autosysadmin/templates/autosysadmin.cfg.j2 create mode 100644 autosysadmin/templates/sudoers.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 12239973..54e4bc4d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -23,6 +23,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Add condition for config tasks * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition * minifirewall: Fix nagios check for old versions of minifirewall +* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation ### Changed diff --git a/autosysadmin/defaults/main.yml b/autosysadmin/defaults/main.yml new file mode 100644 index 00000000..56190633 --- /dev/null +++ b/autosysadmin/defaults/main.yml @@ -0,0 +1,22 @@ +--- + +general_scripts_dir: "/usr/share/scripts" +autosysadmin_dir: "{{ general_scripts_dir }}/autosysadmin" + +# Default values for enabled checks +repair_amavis: 'on' +repair_disk: 'on' +repair_elasticsearch: 'on' +repair_http: 'on' +repair_mysql: 'on' +repair_opendkim: 'off' +repair_php_fpm56: 'off' +repair_php_fpm70: 'off' +repair_php_fpm73: 'off' +repair_php_fpm74: 'off' +repair_php_fpm80: 'off' +repair_php_fpm81: 'off' +repair_php_fpm82: 'off' +repair_php_fpm83: 'off' +repair_redis: 'off' +repair_tomcat_instance: 'off' diff --git a/autosysadmin/files/logrotate_autosysadmin.conf b/autosysadmin/files/logrotate_autosysadmin.conf new file mode 100644 index 00000000..41606de5 --- /dev/null +++ b/autosysadmin/files/logrotate_autosysadmin.conf @@ -0,0 +1,13 @@ +/var/log/autosysadmin.log { + daily + missingok + rotate 365 + compress + nodelaycompress + notifempty + dateext + dateformat .%Y-%m-%d + dateyesterday + copytruncate + create 0640 root adm +} diff --git a/autosysadmin/files/rsyslog_autosysadmin.conf b/autosysadmin/files/rsyslog_autosysadmin.conf new file mode 100644 index 00000000..dd3c037f --- /dev/null +++ b/autosysadmin/files/rsyslog_autosysadmin.conf @@ -0,0 +1,3 @@ +$template autosysadmin, "/var/log/autosysadmin.log" +if $programname contains 'autosysadmin' then ?autosysadmin +& stop 
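Review bot: the variables in `autosysadmin/defaults/main.yml` (`general_scripts_dir`, `repair_*`) carry no role prefix, while Ansible role variables share one global namespace, so names such as `repair_disk` or `repair_mysql` are likely to collide with other roles or inventory data. An `autosysadmin_` prefix (e.g. `autosysadmin_repair_disk: 'on'`) would be safer; since the shell scripts read the unprefixed names from `/etc/evolinux/autosysadmin`, the mapping would then live in the template that renders that file. The quoting of `'on'`/`'off'` looks deliberate (unquoted `on`/`off` are YAML 1.1 booleans and the scripts compare the value with the string `off`), so a comment such as `# keep the quotes: unquoted on/off are parsed as booleans` would stop a later cleanup from breaking the scripts.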
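Review bot: `logrotate_autosysadmin.conf` combines `copytruncate` with `create 0640 root adm`; logrotate documents that `create` has no effect when `copytruncate` is used, because the original file is truncated in place and never recreated, so the `create` line is dead configuration. Either drop `create`, or drop `copytruncate` and reload rsyslog from a `postrotate` block so the new file is opened by the daemon with the intended ownership. The `rsyslog_autosysadmin.conf` hunk next to it routes `$programname contains 'autosysadmin'` to this file, so rsyslog, not the scripts, is the writer whose file handle matters here.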
diff --git a/autosysadmin/files/scripts/functions.sh b/autosysadmin/files/scripts/functions.sh new file mode 100644 index 00000000..95f1a901 --- /dev/null +++ b/autosysadmin/files/scripts/functions.sh 
@@ -0,0 +1,478 @@ +#!/bin/bash + +get_system() { + uname -s +} + +get_fqdn() { + if [ "$(get_system)" = "Linux" ]; then + hostname --fqdn + elif [ "$(get_system)" = "OpenBSD" ]; then + hostname + else + log_error_exit "OS not detected!" + fi +} + +get_complete_hostname() { + REAL_HOSTNAME="$(get_fqdn)" + if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then + echo "${HOSTNAME}" + else + echo "${HOSTNAME} (${REAL_HOSTNAME})" + fi +} + +get_evomaintenance_mail() { + email="$(grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2)" + + if [[ -z "$email" ]]; then + email='alert5@evolix.fr' + fi + + echo "${email}" +} + +arguments="${*}" + +get_argument() { + no_found=1 + for argument in ${arguments} ; do + if [ "${argument}" = "${1}" ] ; + then + no_found=0 + fi + done + return ${no_found} +} + +internal_info() { + INTERNAL_INFO="$(printf '%b\n%s' "${INTERNAL_INFO}" "$*")" +} + +log_action() { + log "Action : $*" + ACTIONS="$(printf '%s\n%s' "${ACTIONS}" "$*")" +} + +log() { + INTERNAL_LOG="$(printf '%s\n%s %s %s %s' "${INTERNAL_LOG}" "$(date -Isec)" "$(hostname)" "$(basename "$0")" "$*")" + printf '%s %s %s %s\n' "$(date -Isec)" "$(hostname)" "$(basename "$0")" "$*" | tee -a "${LOG_DIR}/autosysadmin.log" + echo "$*" | /usr/bin/logger -p local0.notice -t autosysadmin."$0" +} + +log_error_exit() { + log "ERROR : $*" + AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: $*" --no-commit --no-mail + exit 1 +} + +log_check_php_fpm() { + + # Extraire seulement les chiffres du nom du script exécuté + # ./repair_php_fpm81.sh ==> 81 + PHP_VERSION="${0//[^0-9]/}" + + PHP_PATH_POOL=$(find /var/lib/lxc/php"${PHP_VERSION}"/ -type d -name "pool.d") + /usr/local/lib/nagios/plugins/check_phpfpm_multi "${PHP_PATH_POOL}" > "${LOG_DIR}/nrpe.txt" +} + +log_system_status() { + DUMP_SERVER_STATE_BIN="$(command -v dump-server-state || command -v backup-server-state)" + + if [ -z "${DUMP_SERVER_STATE_BIN}" ]; then + log "Warning: dump-server-state is not present. 
No server state recorded...." + fi + + if [ -x "${DUMP_SERVER_STATE_BIN}" ]; then + + # NOTE We don't want the logging to take too much time, so we kill it + # if it take more than 20 seconds. + timeout --signal 9 20 \ + "${DUMP_SERVER_STATE_BIN}" \ + --dump-dir="$LOG_DIR" \ + --df \ + --dmesg \ + --iptables \ + --lxc \ + --netcfg \ + --netstat \ + --uname \ + --processes \ + --systemctl \ + --uptime \ + --virsh \ + --disks \ + --mysql-processes \ + --no-apt-states \ + --no-apt-config \ + --no-dpkg-full \ + --no-dpkg-status \ + --no-mount \ + --no-packages \ + --no-sysctl \ + --no-etc + + log "System status logged in ${LOG_DIR}" + fi +} + +read_log_system_status(){ + files="df.txt dmesg.txt lxc-list.txt netstat-legacy.txt netstat-ss.txt pstree.txt ps.txt systemctl-failed-services.txt" + echo -e "\n\n#### Détails de dump-server-state" + for file in ${files} ; do + echo -e "\n### cat ${LOG_DIR}/${file} :" + tail -n 1000 "${LOG_DIR}"/"${file}" + done +} + +ensure_no_active_users_or_exit() { + if is_debug; then return; fi + + # Is there any active user ? + for user in $(LC_ALL=C who --users|awk '{print $1}'); do + idle_time="$(LC_ALL=C who --users | grep "${user}" | awk '{ print $6}')" + for sameusertime in $(LC_ALL=C who --users | grep "${user}" | awk '{ print $6}'); do + if is_active_user "$sameusertime"; then + hook_mail abort_active_users + log_error_exit 'At least one user was recently active. That requires human intervention. Nothing to do here!' + fi + done + done +} + +is_active_user() { + # Check if a user was active in the last 30 minutes + idle_time="$1" + + if [ "${idle_time}" = "old" ]; + then + return 1 + elif [ "${idle_time}" = "." 
]; + then + return 0 + else + hh="$(echo "${idle_time}" | awk -F':' '{print $1}')" + mm="$(echo "${idle_time}" | awk -F':' '{print $2}')" + idle_minutes="$(( 60 * "${hh}" + "${mm}" ))" + if [ "${idle_minutes}" -ge 30 ]; + then + return 1 + else + return 0 + fi + fi +} + +is_debug() { + debug_file="/etc/evolinux/autosysadmin.debug" + + if [ -e "${debug_file}" ]; then + last_change=$(stat -c %Z "${debug_file}") + limit_date=$(date --date "14400 seconds ago" +"%s") + + if [ $(( last_change - limit_date )) -le "0" ]; then + rm "${debug_file}" + else + return 0 + fi + fi + + return 1 +} + +check_nrpe() { + check="$1" + list_command_nrpe=$( grep --exclude=*~ -E "\[${check}\]" -r /etc/nagios/ | grep -v '#command' ) + command_nrpe_primary=$( echo "${list_command_nrpe}" | grep "/etc/nagios/nrpe.d/evolix.cfg" | cut -d'=' -f2- ) + command_nrpe_secondary=$( echo "${list_command_nrpe}" | head -n1 | cut -d'=' -f2- ) + + if [ -z "${command_nrpe_primary}" ] && [ -z "${command_nrpe_secondary}" ] + then + return 1 + else + if [ -n "${command_nrpe_primary}" ] + then + ${command_nrpe_primary} + else + ${command_nrpe_secondary} + fi + fi +} + +acquire_lock_or_exit() { + lockfile="$1" + waittime="$2" + + # si le temps d’attente n’est pas compréhensible par sleep(1), il vaut 0 + if ! 
echo "${waittime}" | grep -Eq '^[0-9]+[smhd]?$' + then + waittime=0 + fi + + # si le temps d’attente est supérieur à 0 et si le lock existe, on attend + if test "${waittime}" -gt 0 && test -f "${lockfile}" + then + sleep "${waittime}" + fi + + # si le lock existe, on s’arrête + if test -f "${lockfile}" + then + log_error_exit "lock file ${lockfile} exists" + fi + touch "${lockfile}" +} + +is_too_soon() { + if is_debug; then return; fi + + witness="/tmp/autosysadmin_witness_$(basename "$0")" + if test -f "${witness}" + then + compare="$(($(date +%s)-$(stat -c "%Y" "${witness}")))" + if [ "${compare}" -lt 1800 ]; + then + log_error_exit 'already executed less than 30 minutes ago' + fi + rm "${witness}" + fi + touch "${witness}" +} + +init_autosysadmin() { + PATH="${PATH}":/usr/sbin:/sbin↩ + unset ACTIONS + + SCRIPTNAME=$(basename "$0") + PROGNAME=${SCRIPTNAME%.sh} + + RUN_ID="$(date +"%Y-%m-%d_%H-%M")_${SCRIPTNAME}_$(openssl rand -hex 6)" + LOG_DIR="/var/log/autosysadmin/${RUN_ID}" + mkdir -p "${LOG_DIR}" + + log "Autosysadmin : Script ${SCRIPTNAME} triggered" + + # Detect operating system name, version and release↩ + detect_os +} + +load_conf() { + # Load conf and enable script by default. + # To disable script locally, set "$PROGNAME"=off in /etc/evolinux/autosysadmin. + # To disable script globally, set "$PROGNAME"=off in the script, after load_conf() call. + declare -g "$PROGNAME"=on # dynamic variable assignment ($PROGNAME == repair_*) + + # Source configuration file + # shellcheck source=../roles/deploy_autosysadmin/templates/autosysadmin.cfg.j2 + test -f /etc/evolinux/autosysadmin && source /etc/evolinux/autosysadmin +} + +detect_os() { + # OS detection + DEBIAN_RELEASE="" + LSB_RELEASE_BIN="$(command -v lsb_release)" + + if [ -e /etc/debian_version ]; then + DEBIAN_VERSION="$(cut -d "." 
-f 1 < /etc/debian_version)" + if [ -x "${LSB_RELEASE_BIN}" ]; then + DEBIAN_RELEASE="$("${LSB_RELEASE_BIN}" --codename --short)" + else + case "${DEBIAN_VERSION}" in + 8) DEBIAN_RELEASE="jessie";; + 9) DEBIAN_RELEASE="stretch";; + 10) DEBIAN_RELEASE="buster";; + 11) DEBIAN_RELEASE="bullseye";; + esac + fi + fi +} + +is_debian_jessie() { + test "${DEBIAN_RELEASE}" = "jessie" +} +is_debian_stretch() { + test "${DEBIAN_RELEASE}" = "stretch" +} +is_debian_buster() { + test "${DEBIAN_RELEASE}" = "buster" +} +is_debian_bullseye() { + test "${DEBIAN_RELEASE}" = "bullseye" +} + +systemd_list_service_failed() { + systemctl list-units --failed --no-legend --full --type=service "$1" | + awk '{print $1}' +} + +systemd_list_units_enabled() { + list_units_enabled=$(systemctl list-unit-files --state=enabled --no-legend | awk "/$1/{print \$1}") + if [ -z "${list_units_enabled}" ] + then + return 1 + else + echo "${list_units_enabled}" + fi +} + +format_mail_success() { + cat < +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +X-Script: $(basename "$0") +X-RunId: ${RUN_ID} +To: ${EMAIL_CLIENT:-alert5@evolix.fr} +Cc: autosysadmin@evolix.fr +Subject: [autosysadmin] Intervention sur ${HOSTNAME_TEXT} + +Bonjour, + +Une intervention automatique vient de se terminer. + +Nom du serveur : ${HOSTNAME_TEXT} +Heure d'intervention : $(LC_ALL=fr_FR.utf8 date) + +### Renseignements sur l'intervention + +${ACTIONS} + +### Réagir à cette intervention + +Vous pouvez répondre à ce message (sur l'adresse mail equipe@evolix.net). 
+En cas d'urgence, utilisez l'adresse maintenance@evolix.fr ou +notre téléphone portable d'astreinte (04.26.99.99.26) + +-- +Votre AutoSysadmin +EOTEMPLATE +} + +format_mail_abort_active_users() { + cat < +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +X-Script: $(basename "$0") +X-RunId: ${RUN_ID} +To: ${EMAIL_CLIENT:-alert5@evolix.fr} +Cc: autosysadmin@evolix.fr +Subject: [autosysadmin] Intervention interrompue sur ${HOSTNAME_TEXT} + +Bonjour, + +Une intervention automatique a été interrompue en raison +d'un utilisateur actuellement actif sur le serveur. + +Nom du serveur : ${HOSTNAME_TEXT} +Heure d'intervention : $(LC_ALL=fr_FR.utf8 date) + +### Utilisateur(s) connecté(s) +$(w) + +-- +Votre AutoSysadmin +EOTEMPLATE +} + +format_mail_internal_info() { + cat < +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +X-Script: $(basename "$0") +X-RunId: ${RUN_ID} +To: autosysadmin@evolix.fr +Subject: [autosysadmin] Complements (interne) - Intervention sur ${HOSTNAME_TEXT} + +Bonjour, + +Une intervention automatique vient de se terminer. + +Nom du serveur : ${HOSTNAME_TEXT} +Heure d'intervention : $(LC_ALL=fr_FR.utf8 date) +Script déclenché : $(basename "$0") + +### Actions effectuées + +${ACTIONS} + +### Logs autosysadmin + +${INTERNAL_LOG} + +### Utilisateur(s) connecté(s) + +$(w) + +### Informations additionnelles données par le script $(basename "$0") + +${INTERNAL_INFO} + +-- +Votre AutoSysadmin +EOTEMPLATE +} + +hook_mail() { + if is_debug; then return; fi + + HOSTNAME="${HOSTNAME:-"$(get_fqdn)"}" + HOSTNAME_TEXT="$(get_complete_hostname)" + EMAIL_CLIENT="$(get_evomaintenance_mail)" + + MAIL_CONTENT="$(format_mail_"$1")" + + SENDMAIL_BIN="$(command -v sendmail)" + + if [ -z "${SENDMAIL_BIN}" ]; then + log "No \`sendmail' command has been found, can't send mail." 
+ fi + + if [ -x "${SENDMAIL_BIN}" ]; then + echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.net" + fi +} + + + +# We need stable output for gcal, so we force some language environment variables +export TZ=Europe/Paris +export LANGUAGE=fr_FR.UTF-8 + +is_holiday() { + # gcal mark today as a holiday by surrounding with < and > the day + # of the month of that holiday line. For exemple if today is 2022-05-01 we'll + # get among other lines: + # Fête du Travail (FR) + Di, < 1>Mai 2022 + # Jour de la Victoire (FR) + Di, : 8:Mai 2022 = +7 jours + gcal --cc-holidays=fr --holiday-list=short | grep -E '<[0-9 ]{2}>' --quiet +} + +is_weekend() { + day_of_week=$(date +%u) + if [ "$day_of_week" != 6 ] && [ "$day_of_week" != 7 ]; then + return 1 + fi +} + +is_workday() { + if is_holiday || is_weekend; then + return 1 + fi +} + +is_worktime() { + if ! is_workday; then + return 1 + fi + + hour=$(date +%H) + if [ "${hour}" -lt 9 ] || { [ "${hour}" -ge 12 ] && [ "${hour}" -lt 14 ] ; } || [ "${hour}" -ge 18 ]; then + return 1 + fi +} diff --git a/autosysadmin/files/scripts/repair_amavis.sh b/autosysadmin/files/scripts/repair_amavis.sh new file mode 100644 index 00000000..5139b927 --- /dev/null +++ b/autosysadmin/files/scripts/repair_amavis.sh 
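Review bot: `is_active_user` computes `idle_minutes="$(( 60 * "${hh}" + "${mm}" ))"` from fields cut out of the `who` idle column; bash treats a leading zero as octal, so values such as `08` or `09` abort the arithmetic with "value too great for base", leave `idle_minutes` empty, make the following `-ge 30` test fail and fall into the "active" branch, so `ensure_no_active_users_or_exit` aborts spuriously. Forcing base ten fixes it: `idle_minutes="$(( 60 * 10#${hh} + 10#${mm} ))"`. Separately, `acquire_lock_or_exit` checks `test -f "${lockfile}"` and then `touch`es it, which is not atomic, and `is_too_soon` keeps its witness under `/tmp`, where any local user can pre-create the file and block the repair; keeping the witness next to the lock under `/run/lock` and taking the lock with `mkdir` or `flock` would make both robust. `load_conf` sources `/etc/evolinux/autosysadmin` as shell code running as root, so that file's ownership and mode are part of the security boundary and deserve a comment at the `source` line.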
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+# shellcheck source=./restart_amavis.sh
+source /usr/share/scripts/autosysadmin/restart_amavis.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_amavis:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Verify if check_nrpe are not OK
+check_nrpe "check_amavis" && log_error_exit 'check_amavis is OK, nothing to do here!'
+
+# Has it recently been run?
+get_argument "--no-delay" || is_too_soon
+
+lockfile="/run/lock/repair_amavis"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+restart_amavis
+
+hook_mail success
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_disk.sh b/autosysadmin/files/scripts/repair_disk.sh
new file mode 100644
index 00000000..fc35438c
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_disk.sh
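Review bot: `trap 'cleanup' 0` is registered before `acquire_lock_or_exit "${lockfile}"`, so when the lock is already held by a running instance and acquire_lock_or_exit exits, the EXIT trap runs `rm -f "${lockfile}"` and deletes the other instance's lock (unless acquire_lock_or_exit handles that itself, which is not visible here). Registering the trap only after the lock has been obtained, `acquire_lock_or_exit "${lockfile}"` then `trap 'cleanup' 0`, or making cleanup remove the file only when this process created it, avoids that. The same ordering is repeated in repair_disk.sh, repair_elasticsearch.sh, repair_http.sh, repair_mysql.sh, repair_opendkim.sh, every repair_php_fpm*.sh, repair_redis.sh, repair_template.sh and repair_tomcat_instance.sh, so the fix belongs in all of them.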
@@ -0,0 +1,173 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_disk:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_disk" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +get_mountpoints() { + # the $(...) get the check_disk1 command + # the cut command selects the critical part of the check_disk1 output + # the grep command extracts the mountpoints and available disk space + # the last cut command selects the mountpoints + $(grep check_disk1 /etc/nagios/nrpe.d/evolix.cfg | cut -d'=' -f2-) -e | cut -d'|' -f1 | grep -Eo '/[[:graph:]]* [0-9]+ [A-Z][A-Z]' | cut -f1 -d' ' +} + +is_reserved-blocks() { + fs_type="$(findmnt -n --output=fstype "$1")" + if [ "${fs_type}" = "ext4" ]; + then + device="$(findmnt -n --output=source "$1")" + reserved_block_count="$(tune2fs -l "${device}" | grep 'Reserved block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')" + block_count="$(tune2fs -l "${device}" | grep 'Block count' | awk -F':' '{ gsub (" ", "", $0); print $2}')" + percentage=$(awk "BEGIN { pc=100*${reserved_block_count}/${block_count}; i=int(pc); print (pc-i<0.5)?i:i+1 }") + + log "Reserved blocks for $1 is curently at $percentage%" + if [ "${percentage}" -gt "1" ] + then + log "Allowing tune2fs action to reduce the number of reserved blocks" + return 0 + else + log "Reserved blocks already at or bellow 1%, no automatic action possible" + return 1 + fi + else + log "Filesystem for $1 partition is not ext4" + + return 1 + fi +} + +change_reserved-blocks() { + # We alwasy keep some reserved blocks to avoid missing some logs + # https://gitea.evolix.org/evolix/autosysadmin/issues/22 + tune2fs -m 1 "$(findmnt -n --output=source "$1")" 
+ log_action "Reserved blocks for $1 changed to 1 percent" +} + +is_tmp_to_delete() { + size="$(find /var/log/ -type f -ctime +1 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')" + if [ -n "${size}" ] + then + return 0 + else + return 1 + fi +} + +is_log_to_delete() { + size="$(find /var/log/ -type f -mtime +365 -exec du {} \+ | awk '{s+=$1}END{print s / 1024}')" + if [ -n "${size}" ] + then + return 0 + else + return 1 + fi +} + +clean_apt_cache() { + for lxc in $(du -ax /var | sort -nr | head -n10 | grep -E '/var/lib/lxc/php[0-9]+/rootfs/var/cache$' | grep -Eo 'php[0-9]+') + do + lxc-attach --name "${lxc}" -- apt-get clean + log_action '[lxc/'"${lxc}"'] Clean apt cache' + done + case "$(du -sx /var/* | sort -rn | sed 's/^[0-9]\+[[:space:]]\+//;q')" in + '/var/cache') + apt-get clean + log_action 'Clean apt cache' + ;; + esac +} + +clean_amavis_virusmails() { + if du --inodes /var/lib/* | sort -n | tail -n3 | grep -q 'virusmails$' + then + find /var/lib/amavis/virusmails/ -type f -atime +30 -delete + log_action 'Clean /var/lib/amavis/virusmails' + fi +} + +for mountpoint in $(get_mountpoints) +do + case "${mountpoint}" in + /var) + #if is_log_to_delete + #then + # find /var/log/ -type f -mtime +365 -delete + # log_action "$size Mo of disk space freed in /var" + #fi + if is_reserved-blocks /var + then + change_reserved-blocks /var + clean_apt_cache + clean_amavis_virusmails + hook_mail success + fi + ;; + /tmp) + #if is_tmp_to_delete + #then + # find /tmp/ -type f -ctime +1 -delete + # log_action "$size Mo of disk space freed in /tmp" + #fi + if is_reserved-blocks /tmp + then + change_reserved-blocks /tmp + hook_mail success + fi + ;; + /home) + if is_reserved-blocks /home + then + change_reserved-blocks /home + hook_mail success + fi + ;; + /srv) + if is_reserved-blocks /srv + then + change_reserved-blocks /srv + hook_mail success + fi + ;; + /filer) + if is_reserved-blocks /filer + then + change_reserved-blocks /filer + hook_mail success + fi + ;; + /) + if 
is_reserved-blocks / + then + change_reserved-blocks / + hook_mail success + # Suggest remove old kernel ? + fi + ;; + *) + # unknown + log 'Unknown partition (or weird case) or nothing to do' + ;; + esac +done + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_elasticsearch.sh b/autosysadmin/files/scripts/repair_elasticsearch.sh new file mode 100644 index 00000000..3b45c6e0 --- /dev/null +++ b/autosysadmin/files/scripts/repair_elasticsearch.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_elasticsearch:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_elasticsearch" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +elasticsearch_is_enabled() { + systemd_list_units_enabled "elasticsearch.service" + +} + +elasticsearch_restart() { + if ! timeout 60 systemctl restart elasticsearch.service > /dev/null + then + log_error_exit 'failed to restart elasticsearch' + fi +} + +# Test functions +test_elasticsearch_process_present() { + pgrep -u elasticsearch > /dev/null +} + +if elasticsearch_is_enabled +then + if ! test_elasticsearch_process_present + then + log_action "Redémarrage de elasticsearch" + elasticsearch_restart + hook_mail success + else + log_error_exit "Elasticsearch process alive. Aborting" + fi +else + log_error_exit "Elasticsearch is not enabled. Aborting" +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_http.sh b/autosysadmin/files/scripts/repair_http.sh new file mode 100644 index 00000000..b1642858 --- /dev/null 
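Review bot: In the `/var)` branch `clean_apt_cache` and `clean_amavis_virusmails` only run when `is_reserved-blocks /var` succeeds, so once the reserved blocks are already at 1% the script never frees anything on /var although those two cleanups do not depend on tune2fs; running them before the check (`clean_apt_cache; clean_amavis_virusmails; if is_reserved-blocks /var; then change_reserved-blocks /var; fi; hook_mail success`) keeps both paths useful. In `is_reserved-blocks`, if `tune2fs -l` fails, `reserved_block_count` and `block_count` are empty, the awk program degenerates to `100*/` and `[ "${percentage}" -gt "1" ]` errors out instead of returning 1; a guard such as `[ -n "${block_count}" ] && [ "${block_count}" -gt 0 ] || return 1` before the awk call covers that. `is_tmp_to_delete` scans `/var/log/` instead of `/tmp`, and both it and `is_log_to_delete` always return 0 because awk prints at least `0` so `[ -n "${size}" ]` is never false — harmless today because their callers are commented out, but they should be fixed or dropped. Typos in the log text: "curently", "bellow", "alwasy".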
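Review bot: `test_elasticsearch_process_present` runs `pgrep -u elasticsearch > /dev/null` with no process name, so any process owned by that account counts as the service being alive and the restart is skipped. repair_mysql.sh's `pgrep -u mysql mysqld` is the more precise form; `pgrep -u elasticsearch java > /dev/null`, or simply `systemctl is-active --quiet elasticsearch.service`, matches only the daemon. The same bare `pgrep -u` appears in repair_opendkim.sh (`opendkim_test_process_present`) and repair_template.sh. `elasticsearch_is_enabled` also carries a stray blank line before its closing brace.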
+++ b/autosysadmin/files/scripts/repair_http.sh 
@@ -0,0 +1,141 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_http:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status + +http_detect_service() { + # check whether nginx, apache or both are supposed to be running + if is_debian_jessie; then + find /etc/rc2.d/ + else + systemctl list-unit-files --state=enabled + fi | awk '/nginx/ { nginx = 1 } /apache2/ { apache2 = 1 } END { if (nginx && apache2) { print "both" } else if (nginx) { print "nginx" } else if (apache2) { print "apache2" } }' + # The previous awk command looks for two patterns: "nginx" + # and "apache2". If a line matches the patterns, a variable + # "nginx" or "apache2" is set to 1 (true). The "END" checks + # if one or both patterns has been found. +} + +http_handle_apache() { + # check syntax + if ! apache2ctl -t > /dev/null 2> /dev/null + then + log_error_exit 'apache2 configuration syntax is not valid' + fi + + # try restart + if ! 
timeout 20 systemctl restart apache2.service > /dev/null 2> /dev/null + then + log_error_exit 'failed to restart apache2' + fi + + log_action "Redémarrage de Apache" + + internal_info "#### grep $(LANG=en_US.UTF-8 date '+%b %d') /home/*/log/error.log /var/log/apache2/*error.log (avec filtrage)" + ERROR_LOG=$(grep "$(LANG=en_US.UTF-8 date '+%b %d')" /home/*/log/error.log /var/log/apache2/*error.log | grep -v -e "Got error 'PHP message:" -e "No matching DirectoryIndex" -e "client denied by server configuration" -e "server certificate does NOT include an ID which matches the server name" ) + internal_info "$ERROR_LOG" + +} + +http_handle_nginx() { + # check syntax + if ! nginx -t > /dev/null 2> /dev/null + then + log_error_exit 'nginx configuration syntax is not valid' + fi + + # try restart + if ! timeout 20 systemctl restart nginx.service > /dev/null 2> /dev/null + then + log_error_exit 'failed to restart nginx' + fi + + log_action "Redémarrage de Nginx" +} + +http_handle_lxc_php() { + # check whether containers are used for PHP and reboot them if so + if systemd_list_units_enabled 'lxc' + then + for php in $(lxc-ls | grep 'php'); do + lxc-stop -n "$php" + lxc-start --daemon -n "$php" + log_action "lxc-fpm - Redémarrage container ${php}" + done + + fi +} + +http_handle_fpm_php() { + # check whether php-fpm is installed and restart it if so + if enabled_units="$(systemd_list_units_enabled "php.*-fpm")" + then + systemctl restart "${enabled_units}" + log_action 'php-fpm - Redémarrage de php-fpm' + fi +} + +case "$(http_detect_service)" in +nginx) + + http_handle_nginx + + http_handle_lxc_php + http_handle_fpm_php + + hook_mail success + hook_mail internal_info + ;; + +apache2) + + http_handle_apache + + http_handle_lxc_php + http_handle_fpm_php + + hook_mail success + hook_mail internal_info + ;; + +both) + + http_handle_nginx + http_handle_apache + + http_handle_lxc_php + http_handle_fpm_php + + hook_mail success + hook_mail internal_info + ;; + +*) + # unknown + log 
'nothing to do' + ;; +esac + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_mysql.sh b/autosysadmin/files/scripts/repair_mysql.sh new file mode 100644 index 00000000..f80d5af7 --- /dev/null +++ b/autosysadmin/files/scripts/repair_mysql.sh @@ -0,0 +1,71 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_mysql:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_mysql" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status + +mysql_is_enabled() { + if is_debian_jessie + then + find /etc/rc2.d/ -name '*mysql*' > /dev/null + else + systemd_list_units_enabled "mysql.service" + fi +} + +mysql_restart() { + if is_debian_jessie + then + if ! timeout 60 /etc/init.d/mysql restart > /dev/null + then + log_error_exit 'failed to restart mysql' + fi + else + if ! timeout 60 systemctl restart mysql.service > /dev/null + then + log_error_exit 'failed to restart mysql' + fi + fi +} + +# Test functions +test_mysql_process_present() { + pgrep -u mysql mysqld > /dev/null +} + +if mysql_is_enabled +then + if ! test_mysql_process_present + then + log_action "Redémarrage de MySQL" + mysql_restart + hook_mail success + else + log_error_exit "mysqld process alive. Aborting" + fi +else + log_error_exit "MySQL/MariaDB not enabled. Aborting" +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_opendkim.sh b/autosysadmin/files/scripts/repair_opendkim.sh new file mode 100644 index 00000000..f7735028 --- /dev/null +++ b/autosysadmin/files/scripts/repair_opendkim.sh 
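Review bot: `http_handle_fpm_php` hands the whole output of `systemd_list_units_enabled "php.*-fpm"` to systemctl as one quoted argument, `systemctl restart "${enabled_units}"`, so if several php-fpm units are enabled on a multi-version host the restart presumably receives a single newline-containing unit name and fails; iterating, `for unit in ${enabled_units}; do systemctl restart "${unit}"; done`, is safe unless the helper is known to print at most one line. In `http_handle_apache` the globs in `grep ... /home/*/log/error.log /var/log/apache2/*error.log` stay literal when nothing matches, so grep prints a "No such file" error on hosts without per-vhost logs; `2>/dev/null` on that grep (or `shopt -s nullglob`) removes the noise. The `both)` branch restarts nginx before apache2 without saying why; a one-line comment on the intended order would help the next reader.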
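Review bot: `find /etc/rc2.d/ -name '*mysql*' > /dev/null` in `mysql_is_enabled` exits 0 whether or not anything matches (find's status only reflects errors), so on Debian jessie the function always reports MySQL as enabled and the script proceeds to restart it. Test the output instead: `find /etc/rc2.d/ -name '*mysql*' | grep -q .`. The non-jessie branch relies on the exit status of `systemd_list_units_enabled`, which is defined outside this hunk and presumably returns non-zero when nothing matches.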
@@ -0,0 +1,61 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_opendkim:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_opendkim" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +log_system_status + +# Functions dedicated to this repair script + +opendkim_is_enabled() { + systemd_list_units_enabled "opendkim.service" + +} + +opendkim_restart() { + if ! timeout 60 systemctl restart opendkim.service > /dev/null + then + log_error_exit 'failed to restart opendkim' + fi +} + +opendkim_test_process_present() { + pgrep -u opendkim > /dev/null +} + + +# Main logic + +if opendkim_is_enabled +then + if ! opendkim_test_process_present + then + log_action "Redémarrage de opendkim" + opendkim_restart + hook_mail success + else + log_error_exit "opendkim process alive. Aborting" + fi +else + log_error_exit "opendkim is not enabled. Aborting" +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_php_fpm56.sh b/autosysadmin/files/scripts/repair_php_fpm56.sh new file mode 100644 index 00000000..6c67e0b6 --- /dev/null +++ b/autosysadmin/files/scripts/repair_php_fpm56.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_php_fpm56:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" 15s + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status +log_check_php_fpm + +if systemd_list_units_enabled 'lxc' +then + + if lxc-ls | grep -q php56 + then + lxc-stop -n php56 + lxc-start --daemon -n php56 + log_action "lxc-fpm - Redémarrage container php56" + + internal_info "#### tail /var/lib/lxc/php56/rootfs/var/log/php5-fpm.log" + FPM_LOG=$(tail /var/lib/lxc/php56/rootfs/var/log/php5-fpm.log) + internal_info "$FPM_LOG" "$(read_log_system_status)" + + hook_mail success + hook_mail internal_info + + else + log 'Not possible :v' + fi + +else + log 'Error, not a multi-php install' +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_php_fpm70.sh b/autosysadmin/files/scripts/repair_php_fpm70.sh new file mode 100644 index 00000000..5bf8cab2 --- /dev/null +++ b/autosysadmin/files/scripts/repair_php_fpm70.sh 
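Review bot: `lockfile="/run/lock/repair_http"` here and in repair_php_fpm70/73/74/80/81/82/83.sh reuses repair_http.sh's lock name while every other script locks on its own name; if this is deliberate mutual exclusion between the PHP and web-server repairs it needs a comment, `# shared with repair_http.sh: never restart php-fpm and the web server concurrently`, and if it is a copy-paste leftover it should read `/run/lock/repair_php_fpm56`. Either way the `cleanup` trap removes the shared file on exit, whichever script created it. The eight scripts differ only in the version string (container name and fpm log path), so a single script taking the version as a parameter would keep them from drifting apart. `acquire_lock_or_exit "${lockfile}" 15s` passes a second argument that no other caller uses; a short comment on what it means would help.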
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_php_fpm70:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" 15s + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status +log_check_php_fpm + +if systemd_list_units_enabled 'lxc' +then + + if lxc-ls | grep -q php70 + then + lxc-stop -n php70 + lxc-start --daemon -n php70 + log_action "lxc-fpm - Redémarrage container php70" + + internal_info "#### tail /var/lib/lxc/php70/rootfs/var/log/php7.0-fpm.log" + FPM_LOG=$(tail /var/lib/lxc/php70/rootfs/var/log/php7.0-fpm.log) + internal_info "$FPM_LOG" "$(read_log_system_status)" + + hook_mail success + hook_mail internal_info + + else + log 'Not possible :v' + fi + +else + log 'Error, not a multi-php install' +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_php_fpm73.sh b/autosysadmin/files/scripts/repair_php_fpm73.sh new file mode 100644 index 00000000..6b2094fd --- /dev/null +++ b/autosysadmin/files/scripts/repair_php_fpm73.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_php_fpm73:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" 15s + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status +log_check_php_fpm + +if systemd_list_units_enabled 'lxc' +then + + if lxc-ls | grep -q php73 + then + lxc-stop -n php73 + lxc-start --daemon -n php73 + log_action "lxc-fpm - Redémarrage container php73" + + internal_info "#### tail /var/lib/lxc/php73/rootfs/var/log/php7.3-fpm.log" + FPM_LOG=$(tail /var/lib/lxc/php73/rootfs/var/log/php7.3-fpm.log) + internal_info "$FPM_LOG" "$(read_log_system_status)" + + hook_mail success + hook_mail internal_info + + else + log 'Not possible :v' + fi + +else + log 'Error, not a multi-php install' +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_php_fpm74.sh b/autosysadmin/files/scripts/repair_php_fpm74.sh new file mode 100644 index 00000000..dab16a8a --- /dev/null +++ b/autosysadmin/files/scripts/repair_php_fpm74.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_php_fpm74:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" 15s + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status +log_check_php_fpm + +if systemd_list_units_enabled 'lxc' +then + + if lxc-ls | grep -q php74 + then + lxc-stop -n php74 + lxc-start --daemon -n php74 + log_action "lxc-fpm - Redémarrage container php74" + + internal_info "#### tail /var/lib/lxc/php74/rootfs/var/log/php7.4-fpm.log" + FPM_LOG=$(tail /var/lib/lxc/php74/rootfs/var/log/php7.4-fpm.log) + internal_info "$FPM_LOG" "$(read_log_system_status)" + + hook_mail success + hook_mail internal_info + + else + log 'Not possible :v' + fi + +else + log 'Error, not a multi-php install' +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_php_fpm80.sh b/autosysadmin/files/scripts/repair_php_fpm80.sh new file mode 100644 index 00000000..35b9e36c --- /dev/null +++ b/autosysadmin/files/scripts/repair_php_fpm80.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_php_fpm80:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" 15s + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status +log_check_php_fpm + +if systemd_list_units_enabled 'lxc' +then + + if lxc-ls | grep -q php80 + then + lxc-stop -n php80 + lxc-start --daemon -n php80 + log_action "lxc-fpm - Redémarrage container php80" + + internal_info "#### tail /var/lib/lxc/php80/rootfs/var/log/php8.0-fpm.log" + FPM_LOG=$(tail /var/lib/lxc/php80/rootfs/var/log/php8.0-fpm.log) + internal_info "$FPM_LOG" "$(read_log_system_status)" + + hook_mail success + hook_mail internal_info + + else + log 'Not possible :v' + fi + +else + log 'Error, not a multi-php install' +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_php_fpm81.sh b/autosysadmin/files/scripts/repair_php_fpm81.sh new file mode 100644 index 00000000..e567f6aa --- /dev/null +++ b/autosysadmin/files/scripts/repair_php_fpm81.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_php_fpm81:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" 15s + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status +log_check_php_fpm + +if systemd_list_units_enabled 'lxc' +then + + if lxc-ls | grep -q php81 + then + lxc-stop -n php81 + lxc-start --daemon -n php81 + log_action "lxc-fpm - Redémarrage container php81" + + internal_info "#### tail /var/lib/lxc/php81/rootfs/var/log/php8.1-fpm.log" + FPM_LOG=$(tail /var/lib/lxc/php81/rootfs/var/log/php8.1-fpm.log) + internal_info "$FPM_LOG" "$(read_log_system_status)" + + hook_mail success + hook_mail internal_info + + else + log 'Not possible :v' + fi + +else + log 'Error, not a multi-php install' +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_php_fpm82.sh b/autosysadmin/files/scripts/repair_php_fpm82.sh new file mode 100644 index 00000000..295abbcd --- /dev/null +++ b/autosysadmin/files/scripts/repair_php_fpm82.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_php_fpm82:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" 15s + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status +log_check_php_fpm + +if systemd_list_units_enabled 'lxc' +then + + if lxc-ls | grep -q php82 + then + lxc-stop -n php82 + lxc-start --daemon -n php82 + log_action "lxc-fpm - Redémarrage container php82" + + internal_info "#### tail /var/lib/lxc/php82/rootfs/var/log/php8.2-fpm.log" + FPM_LOG=$(tail /var/lib/lxc/php82/rootfs/var/log/php8.2-fpm.log) + internal_info "$FPM_LOG" "$(read_log_system_status)" + + hook_mail success + hook_mail internal_info + + else + log 'Not possible :v' + fi + +else + log 'Error, not a multi-php install' +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_php_fpm83.sh b/autosysadmin/files/scripts/repair_php_fpm83.sh new file mode 100644 index 00000000..5344c2e4 --- /dev/null +++ b/autosysadmin/files/scripts/repair_php_fpm83.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +test "${repair_php_fpm83:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_http" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" 15s + +ensure_no_active_users_or_exit + +# The actual work starts below ! + +log_system_status +log_check_php_fpm + +if systemd_list_units_enabled 'lxc' +then + + if lxc-ls | grep -q php83 + then + lxc-stop -n php83 + lxc-start --daemon -n php83 + log_action "lxc-fpm - Redémarrage container php83" + + internal_info "#### tail /var/lib/lxc/php83/rootfs/var/log/php8.3-fpm.log" + FPM_LOG=$(tail /var/lib/lxc/php83/rootfs/var/log/php8.3-fpm.log) + internal_info "$FPM_LOG" "$(read_log_system_status)" + + hook_mail success + hook_mail internal_info + + else + log 'Not possible :v' + fi + +else + log 'Error, not a multi-php install' +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_redis.sh b/autosysadmin/files/scripts/repair_redis.sh new file mode 100644 index 00000000..be5cfd77 --- /dev/null +++ b/autosysadmin/files/scripts/repair_redis.sh 
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_redis:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_redis"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+handle_redis() {
+ for service in $(systemd_list_service_failed redis*)
+ do
+ # ne rien faire si le service est désactivé
+ if ! systemctl is-enabled --quiet "${service}"
+ then
+ continue
+ fi
+
+ # ne rien faire si le service est actif
+ if systemctl is-active --quiet "${service}"
+ then
+ continue
+ fi
+
+ if ! timeout 20 systemctl restart redis.service > /dev/null 2> /dev/null
+ then
+ log_error_exit "failed to restart redis ${service}"
+ fi
+
+ log_action "Redémarrer service ${service}"
+ done
+}
+
+if ( systemd_list_units_enabled 'redis.*\.service$' ) > /dev/null
+then
+ handle_redis
+ hook_mail success
+else
+ log 'Error: redis service is not enabled'
+fi
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/repair_template.sh b/autosysadmin/files/scripts/repair_template.sh
new file mode 100644
index 00000000..33db0aac
--- /dev/null
+++ b/autosysadmin/files/scripts/repair_template.sh
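Review bot: the restart inside `handle_redis` ignores the loop variable: `timeout 20 systemctl restart redis.service` should be `timeout 20 systemctl restart "${service}"`, otherwise a failed named instance is never restarted while the following `log_action` claims it was. `systemd_list_service_failed redis*` is an unquoted glob, so if a file matching `redis*` exists in the current directory the shell expands it before the helper sees it; write `'redis*'`. The `( … ) > /dev/null` subshell around `systemd_list_units_enabled` is unnecessary; `systemd_list_units_enabled 'redis.*\.service$' > /dev/null` has the same exit status.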
@@ -0,0 +1,63 @@ +#!/bin/bash + +# Source functions file +# shellcheck source=./functions.sh +source /usr/share/scripts/autosysadmin/functions.sh + +init_autosysadmin +load_conf + +# Comment this line to enable +repair_template=off +test "${repair_template:=off}" = off && log_error_exit 'Script disabled, nothing to do here!' + +# Has it recently been run? +is_too_soon + +lockfile="/run/lock/repair_template" +cleanup() { + rm -f "${lockfile}" +} +trap 'cleanup' 0 +acquire_lock_or_exit "${lockfile}" + +ensure_no_active_users_or_exit + +log_system_status + +# Functions dedicated to this repair script + +template_is_enabled() { + systemd_list_units_enabled "template.service" + +} + +template_restart() { + if ! timeout 60 systemctl restart template.service > /dev/null + then + log_error_exit 'failed to restart template' + fi +} + +template_test_process_present() { + pgrep -u template > /dev/null +} + + +# Main logic + +if template_is_enabled +then + if ! template_test_process_present + then + log_action "Redémarrage de template" + template_restart + hook_mail success + else + log_error_exit "template process alive. Aborting" + fi +else + log_error_exit "template is not enabled. Aborting" +fi + +AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail diff --git a/autosysadmin/files/scripts/repair_tomcat_instance.sh b/autosysadmin/files/scripts/repair_tomcat_instance.sh new file mode 100644 index 00000000..9bf9949c --- /dev/null +++ b/autosysadmin/files/scripts/repair_tomcat_instance.sh 
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Source functions file
+# shellcheck source=./functions.sh
+source /usr/share/scripts/autosysadmin/functions.sh
+
+init_autosysadmin
+load_conf
+
+test "${repair_tomcat_instance:=off}" = off && log_error_exit 'Script disabled, nothing to do here!'
+
+# Has it recently been run?
+is_too_soon
+
+lockfile="/run/lock/repair_tomcat_instance"
+cleanup() {
+ rm -f "${lockfile}"
+}
+trap 'cleanup' 0
+acquire_lock_or_exit "${lockfile}"
+
+ensure_no_active_users_or_exit
+
+# The actual work starts below !
+
+log_system_status
+
+repair_tomcat_instance_handle_tomcat() {
+
+ if /bin/su - "${1}" -c "/bin/systemctl --quiet --user is-active tomcat.service" ; then
+ if ! /bin/su - "${1}" -c "/usr/bin/timeout 20 /bin/systemctl --quiet --user restart tomcat.service"
+ then
+ log_error_exit "Echec de redémarrage instance tomcat utilisateur ${1}"
+ else
+ log_action "Redémarrage instance tomcat utilisateur ${1}"
+ fi
+ elif /bin/systemctl --quiet is-active "${1}".service ; then
+ if ! /usr/bin/timeout 20 systemctl --quiet restart "${1}".service
+ then
+ log_error_exit "Echec de redémarrage instance tomcat ${1}"
+ else
+ log_action "Redémarrage instance tomcat ${1}"
+ fi
+ fi
+
+}
+
+for instance in $( /usr/local/lib/nagios/plugins/check_tomcat_instance.sh |grep CRITICAL |awk '{print $3}' |sed '1d') ;
+do
+ repair_tomcat_instance_handle_tomcat "${instance}"
+done
+
+AUTOSYSADMIN=1 /usr/share/scripts/evomaintenance.sh -m "$0: done" --no-commit --no-mail
diff --git a/autosysadmin/files/scripts/restart_amavis.sh b/autosysadmin/files/scripts/restart_amavis.sh
new file mode 100644
index 00000000..ef8c255d
--- /dev/null
+++ b/autosysadmin/files/scripts/restart_amavis.sh
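Review bot: `repair_tomcat_instance_handle_tomcat` hands `${1}` straight to `/bin/su - "${1}"` and `systemctl restart "${1}".service`, and `${1}` comes from parsing `check_tomcat_instance.sh` output with `awk '{print $3}' | sed '1d'`, so any change in that plugin's output format silently turns into su/systemctl calls with arbitrary words. A sanity check at the top of the function, `[[ "${1}" =~ ^[A-Za-z0-9_.-]+$ ]] || { log "Skipping unexpected instance name ${1}"; return; }`, keeps a parsing slip from becoming a privileged command. When neither `is-active` test matches the function returns silently; an `else log "Instance ${1} not active, nothing to do"` branch would make the run log complete. The function body also has stray blank lines after the opening brace and before the closing one.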
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+restart_amavis() {
+ /etc/init.d/amavis stop 2>/dev/null
+ /etc/init.d/clamav-freshclam stop 2>/dev/null
+ /etc/init.d/clamav-daemon stop 2>/dev/null
+
+ if systemctl is-enabled --quiet 'clamav-freshclam.service'
+ then
+ freshclam
+ log_action "Mise à jour des définitions antivirus"
+ fi
+
+ if systemctl is-enabled --quiet 'clamav-daemon.service'
+ then
+ /etc/init.d/clamav-daemon start
+ log_action "Redémarrage de clamav-daemon"
+ else
+ log 'Error, clamav not installed'
+ fi
+
+ if systemctl is-enabled --quiet 'clamav-freshclam.service'
+ then
+ /etc/init.d/clamav-freshclam start
+ log_action "Redémarrage de clamav-freshclam"
+ fi
+
+ if systemctl is-enabled --quiet 'amavis.service'
+ then
+ /etc/init.d/amavis start
+ log_action "Redémarrage de amavis"
+ else
+ log 'Error, amavis not installed'
+ fi
+}
diff --git a/autosysadmin/handlers/main.yml b/autosysadmin/handlers/main.yml
new file mode 100644
index 00000000..2c0b1a7f
--- /dev/null
+++ b/autosysadmin/handlers/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Restart nagios-nrpe-server
+ ansible.builtin.service:
+ name: nagios-nrpe-server
+ state: restarted
+
+- name: Restart nrpe
+ ansible.builtin.service:
+ name: nrpe
+ state: restarted
+
+- name: Restart rsyslog
+ ansible.builtin.service:
+ name: rsyslog
+ state: restarted
diff --git a/autosysadmin/tasks/autosysadmin_scripts.yml b/autosysadmin/tasks/autosysadmin_scripts.yml
new file mode 100644
index 00000000..4ff1c5be
--- /dev/null
+++ b/autosysadmin/tasks/autosysadmin_scripts.yml
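Review bot: restart_amavis.sh is only ever sourced (repair_amavis.sh does `source .../restart_amavis.sh`) yet carries a `#!/bin/bash` shebang and calls `log_action` and `log`, which it neither defines nor sources, so running it directly fails at the first log call; a header comment such as `# Library sourced by repair_amavis.sh; expects functions.sh to be loaded first` (or dropping the shebang) makes the contract explicit. The function stops services through `/etc/init.d/*` scripts while deciding what to start with `systemctl is-enabled`; using `systemctl stop`/`systemctl start` throughout would be consistent and would surface failures that the `2>/dev/null` on the three stop lines currently hides.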
@@ -0,0 +1,61 @@ +--- +- name: "Remount /usr if needed" + ansible.builtin.import_role: + name: remount-usr + +- name: Create autosysadmin directory + ansible.builtin.file: + path: "{{ autosysadmin_dir }}" + state: directory + owner: "root" + group: "root" + mode: "0750" + tags: + - autosysadmin + +- name: Copy scripts + ansible.builtin.copy: + src: "files/scripts/{{ item }}" + dest: "{{ autosysadmin_dir }}/{{ item }}" + owner: root + group: root + mode: "0750" + loop: + - "functions.sh" + - "restart_amavis.sh" + - "repair_amavis.sh" + - "repair_disk.sh" + - "repair_elasticsearch.sh" + - "repair_http.sh" + - "repair_mysql.sh" + - "repair_php_fpm56.sh" + - "repair_php_fpm70.sh" + - "repair_php_fpm73.sh" + - "repair_php_fpm74.sh" + - "repair_php_fpm80.sh" + - "repair_php_fpm81.sh" + - "repair_php_fpm82.sh" + - "repair_php_fpm83.sh" + - "repair_tomcat_instance.sh" + tags: + - autosysadmin + +- name: Ensure /etc/evolinux folder exists + ansible.builtin.file: + path: "/etc/evolinux" + state: directory + owner: "root" + group: "root" + mode: "0700" + tags: + - autosysadmin + +- name: Copy the configuration file + ansible.builtin.template: + src: "autosysadmin.cf.j2" + dest: "/etc/evolinux/autosysadmin" + owner: root + group: root + mode: "0640" + tags: + - autosysadmin diff --git a/autosysadmin/tasks/dependencies.yml b/autosysadmin/tasks/dependencies.yml new file mode 100644 index 00000000..4f120944 --- /dev/null +++ b/autosysadmin/tasks/dependencies.yml @@ -0,0 +1,4 @@ +--- +- name: Install gcal + ansible.builtin.apt: + name: gcal diff --git a/autosysadmin/tasks/logrotate.yml b/autosysadmin/tasks/logrotate.yml new file mode 100644 index 00000000..d4fe7a5c --- /dev/null +++ b/autosysadmin/tasks/logrotate.yml @@ -0,0 +1,10 @@ +--- +- name: Copy logrotate configuration for autosysadmin + ansible.builtin.copy: + src: "files/logrotate_autosysadmin.conf" + dest: "/etc/logrotate.d/autosysadmin" + owner: root + group: root + mode: "0644" + tags: + - autosysadmin 
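Review bot: The 'Copy scripts' loop deploys fifteen scripts, but the NRPE template (autosysadmin.cfg.j2) and the sudoers template (sudoers.j2) later in this patch also reference `repair_opendkim.sh` and `repair_redis.sh`, which are never copied, so those two NRPE commands will fail and the corresponding NOPASSWD entries point at files that do not exist. Either add the two scripts to the loop or drop them from both templates; driving the loop, the NRPE commands and the sudoers lines from one list variable would stop the three from drifting again. `restart_amavis.sh` only defines a function, so it is presumably sourced by repair_amavis.sh rather than executed — a comment on that loop entry would save the next reader the guess.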
diff --git a/autosysadmin/tasks/main.yml b/autosysadmin/tasks/main.yml new file mode 100644 index 00000000..60204162 --- /dev/null +++ b/autosysadmin/tasks/main.yml @@ -0,0 +1,37 @@ +--- +- name: Install dependencies + ansible.builtin.import_tasks: dependencies.yml + tags: + - autosysadmin + +- name: Install autosysadmin scripts + ansible.builtin.import_tasks: autosysadmin_scripts.yml + tags: + - autosysadmin + +- name: Amend NRPE configuration + ansible.builtin.import_tasks: nrpe.yml + tags: + - autosysadmin + +- name: Amend sudo configuration + ansible.builtin.import_tasks: sudo.yml + tags: + - autosysadmin + +- name: Amend rsyslog configuration + ansible.builtin.import_tasks: rsyslog.yml + tags: + - autosysadmin + +- name: Amend logrotate configuration + ansible.builtin.import_tasks: logrotate.yml + tags: + - autosysadmin + +- name: Install last version of dump-server-state + ansible.builtin.import_role: + name: evolinux-base + tasks_from: dump-server-state.yml + tags: + - autosysadmin diff --git a/autosysadmin/tasks/nrpe.yml b/autosysadmin/tasks/nrpe.yml new file mode 100644 index 00000000..f6f5c78b --- /dev/null +++ b/autosysadmin/tasks/nrpe.yml @@ -0,0 +1,11 @@ +--- +- name: Custom configuration is present + ansible.builtin.template: + src: autosysadmin.cfg.j2 + dest: /etc/nagios/nrpe.d/autosysadmin.cfg + group: nagios + mode: "0640" + force: true + notify: Restart nagios-nrpe-server + tags: + - autosysadmin diff --git a/autosysadmin/tasks/rsyslog.yml b/autosysadmin/tasks/rsyslog.yml new file mode 100644 index 00000000..6f0702c5 --- /dev/null +++ b/autosysadmin/tasks/rsyslog.yml @@ -0,0 +1,11 @@ +--- +- name: Copy rsyslog configuration for autosysadmin + ansible.builtin.copy: + src: "files/rsyslog_autosysadmin.conf" + dest: "/etc/rsyslog.d/autosysadmin.conf" + owner: root + group: root + mode: "0644" + notify: Restart rsyslog + tags: + - autosysadmin 
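Review bot: 'Custom configuration is present' in nrpe.yml sets `group: nagios` and `mode: "0640"` but no `owner:`, unlike every other copy/template task in this role, which sets `owner: root`; the file is root-owned only because the play happens to run as root, so `owner: root` should be explicit. The task also notifies only `Restart nagios-nrpe-server`, while handlers/main.yml in this patch defines both that handler and `Restart nrpe`, so the `nrpe` handler appears unused here.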
diff --git a/autosysadmin/tasks/sudo.yml b/autosysadmin/tasks/sudo.yml new file mode 100644 index 00000000..24249ab7 --- /dev/null +++ b/autosysadmin/tasks/sudo.yml @@ -0,0 +1,9 @@ +--- +- name: Add autosysadmin sudoers file + ansible.builtin.template: + src: sudoers.j2 + dest: /etc/sudoers.d/autosysadmin + mode: "0600" + validate: "visudo -cf %s" + tags: + - autosysadmin diff --git a/autosysadmin/templates/autosysadmin.cf.j2 b/autosysadmin/templates/autosysadmin.cf.j2 new file mode 100644 index 00000000..0be506c2 --- /dev/null +++ b/autosysadmin/templates/autosysadmin.cf.j2 
@@ -0,0 +1,74 @@ +# +# Ansible managed - DO NOT MODIFY, your changes will be **overwritten** ! +# +# Update the hosts_vars/group_vars on the autosysadmin project +# https://gitea.evolix.org/evolix/autosysadmin/src/branch/master +# + +# Configuration for autosysadmin +# Use this file to change configuration values defined in repair scripts +# Ex : repair_http=off + +{% if repair_amavis == "off" %} +repair_amavis=off +{% endif %} + +{% if repair_disk == "off" %} +repair_disk=off +{% endif %} + +{% if repair_elasticsearch == "off" %} +repair_elasticsearch=off +{% endif %} + +{% if repair_http == "off" %} +repair_http=off +{% endif %} + +{% if repair_mysql == "off" %} +repair_mysql=off +{% endif %} + +{% if repair_opendkim == "off" %} +repair_opendkim=off +{% endif %} + +{% if repair_php_fpm56 == "off" %} +repair_php_fpm56=off +{% endif %} + +{% if repair_php_fpm70 == "off" %} +repair_php_fpm70=off +{% endif %} + +{% if repair_php_fpm73 == "off" %} +repair_php_fpm73=off +{% endif %} + +{% if repair_php_fpm74 == "off" %} +repair_php_fpm74=off +{% endif %} + +{% if repair_php_fpm80 == "off" %} +repair_php_fpm80=off +{% endif %} + +{% if repair_php_fpm81 == "off" %} +repair_php_fpm81=off +{% endif %} + +{% if repair_php_fpm82 == "off" %} +repair_php_fpm82=off +{% endif %} + +{% if repair_php_fpm83 == "off" %} +repair_php_fpm83=off +{% endif %} + +{% if repair_redis == "off" %} +repair_redis=off +{% endif %} + +{% if repair_tomcat_instance == "off" %} +repair_tomcat_instance=off +{% endif %} diff --git a/autosysadmin/templates/autosysadmin.cfg.j2 b/autosysadmin/templates/autosysadmin.cfg.j2 new file mode 100644 index 00000000..fa6fcfd2 --- /dev/null +++ b/autosysadmin/templates/autosysadmin.cfg.j2 
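Review bot: The template only ever writes `repair_X=off` lines; when a variable holds anything other than "off" nothing is emitted, so the generated file can never switch a repair on, and repair_tomcat_instance.sh in this same patch defaults its flag to off (`${repair_tomcat_instance:=off}`) before testing it. Unless load_conf in functions.sh (not in this patch) supplies an "on" default, every repair script stays disabled regardless of the inventory; emitting the value unconditionally, `repair_amavis={{ repair_amavis }}`, would make the file reflect what the inventory says. Each `{% if repair_X == "off" %}` also raises an undefined-variable error for a host that does not define the variable, unless the role's defaults (not in this chunk) declare all sixteen.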
@@ -0,0 +1,22 @@ +# +# Ansible managed - DO NOT MODIFY, your changes will be overwritten ! +# + +# Autosysadmin repair commands +command[repair_amavis]=sudo {{ autosysadmin_dir }}/repair_amavis.sh +command[repair_disk]=sudo {{ autosysadmin_dir }}/repair_disk.sh +command[repair_elasticsearch]=sudo {{ autosysadmin_dir }}/repair_elasticsearch.sh +command[repair_http]=sudo {{ autosysadmin_dir }}/repair_http.sh +command[repair_mysql]=sudo {{ autosysadmin_dir }}/repair_mysql.sh +command[repair_opendkim]=sudo {{ autosysadmin_dir }}/repair_opendkim.sh +command[repair_php_fpm56]=sudo {{ autosysadmin_dir }}/repair_php_fpm56.sh +command[repair_php_fpm70]=sudo {{ autosysadmin_dir }}/repair_php_fpm70.sh +command[repair_php_fpm73]=sudo {{ autosysadmin_dir }}/repair_php_fpm73.sh +command[repair_php_fpm74]=sudo {{ autosysadmin_dir }}/repair_php_fpm74.sh +command[repair_php_fpm80]=sudo {{ autosysadmin_dir }}/repair_php_fpm80.sh +command[repair_php_fpm81]=sudo {{ autosysadmin_dir }}/repair_php_fpm81.sh +command[repair_php_fpm82]=sudo {{ autosysadmin_dir }}/repair_php_fpm82.sh +command[repair_php_fpm83]=sudo {{ autosysadmin_dir }}/repair_php_fpm83.sh +command[repair_redis]=sudo {{ autosysadmin_dir }}/repair_redis.sh +command[repair_tomcat_instance]=sudo {{ autosysadmin_dir }}/repair_tomcat_instance.sh + diff --git a/autosysadmin/templates/sudoers.j2 b/autosysadmin/templates/sudoers.j2 new file mode 100644 index 00000000..0a458292 --- /dev/null +++ b/autosysadmin/templates/sudoers.j2 
@@ -0,0 +1,21 @@ +# +# Ansible managed - DO NOT MODIFY, your changes will be overwritten ! +# + +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_amavis.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_disk.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_elasticsearch.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_http.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_mysql.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_opendkim.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm56.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm70.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm73.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm74.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm80.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm81.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm82.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_php_fpm83.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_redis.sh +nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_tomcat_instance.sh + diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index f92fa90b..bf56d6de 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -235,3 +235,6 @@ evolinux_motd_include: True # Utils evolinux_utils_include: True + +# Autosysadmin +evolinux_autosysadmin_include: false diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index 582bcfe0..d482981a 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml @@ -127,6 +127,11 @@ name: evolix/nagios-nrpe when: evolinux_nagios_nrpe_include | bool +- name: Autosysadmin + ansible.builtin.include_role: + name: 'evolix/autosysadmin' + when: evolinux_autosysadmin_include | bool + - name: fail2ban ansible.builtin.include_role: name: evolix/fail2ban 
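Review bot: Each sudoers entry lets `nagios` run the script with any arguments; since none of the repair scripts take arguments, appending an empty string, e.g. `nagios ALL = NOPASSWD: {{ autosysadmin_dir }}/repair_amavis.sh ""`, restricts the rule to the argument-less invocation NRPE actually uses. The directory and scripts are deployed root:root 0750 in this patch, and that is what keeps these root NOPASSWD rules from pointing at files the nagios account could edit, so the mode should be treated as part of the rule and mentioned in the template header.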
From 70c2d2583757b053dca57c5f59c184bafcd0c349 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Mon, 18 Dec 2023 18:05:36 +0100 Subject: [PATCH 085/151] evolinux-base: Check for syntax error in cron.log --- evolinux-base/templates/log2mail/evolinux-defaults.j2 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/evolinux-base/templates/log2mail/evolinux-defaults.j2 b/evolinux-base/templates/log2mail/evolinux-defaults.j2 index c030ed41..e5e15d10 100644 --- a/evolinux-base/templates/log2mail/evolinux-defaults.j2 +++ b/evolinux-base/templates/log2mail/evolinux-defaults.j2 @@ -8,4 +8,9 @@ template = /etc/log2mail/mail file = /var/log/syslog pattern = "memory read error" mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} -template = /etc/log2mail/mail \ No newline at end of file +template = /etc/log2mail/mail + +file = /var/log/cron.log +pattern = "Syntax error" +mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} +template = /etc/log2mail/mail From d4ac4ef7a18689d5751e559bd26de06da19aa216 Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Mon, 18 Dec 2023 19:11:18 +0100 Subject: [PATCH 086/151] nagios: cleaning nrpe check template --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e82d13b..f2941791 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -44,6 +44,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * lxc: init /etc git repository in lxc container * mysql: disable performance schema for Debian 8 * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 +* nagios: cleaning nrpe check template * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 * unbound: Add config file to allow configuration reload on Debian 11 and lower diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index ecfd6f22..94e8a1de 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -48,7 +48,6 @@ command[check_redis]=/usr/lib/nagios/plugins/check_tcp -p 6379 command[check_clamd]=/usr/lib/nagios/plugins/check_clamd -H /var/run/clamav/clamd.ctl -v command[check_clamav_db]=/usr/lib/nagios/plugins/check_file_age -w 86400 -c 172800 -f /var/lib/clamav/daily.cld command[check_ssl]=/usr/lib/nagios/plugins/check_http -f follow -I 127.0.0.1 -S -p 443 -H ssl.evolix.net -C 15,5 -command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local command[check_elasticsearch]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /_cat/health?h=st -p 9200 -r 'red' --invert-regex command[check_memcached]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 11211 command[check_opendkim]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 8891 
@@ -59,6 +58,8 @@ command[check_bkctld]=sudo /usr/sbin/bkctld check command[check_postgrey]=/usr/lib/nagios/plugins/check_tcp -p10023 command[check_influxdb]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /health -p 8086 -r '"status":"pass"' command[check_dhcpd]=/usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60 +command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor +command[check_raid_status]=/usr/lib/nagios/plugins/check_raid # Local checks (not packaged) command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10 @@ -86,9 +87,8 @@ command[check_php-fpm80]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm81]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php81/rootfs/etc/php/8.1/fpm/pool.d/ command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php82/rootfs/etc/php/8.2/fpm/pool.d/ command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ -command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor -command[check_raid_status]=/usr/lib/nagios/plugins/check_raid command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool +command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates). # Beware! All checks must not take more than 10s! From 1eb5a47c711de5347dc7d994b3c20138defc2ec6 Mon Sep 17 00:00:00 2001 From: Tom David--Broglio Date: Mon, 18 Dec 2023 19:15:05 +0100 Subject: [PATCH 087/151] nagios: add dockerd check in nrpe check template --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2941791..12a49ee4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -45,6 +45,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * mysql: disable performance schema for Debian 8 * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * nagios: cleaning nrpe check template +* nagios: add dockerd check in nrpe check template * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 * unbound: Add config file to allow configuration reload on Debian 11 and lower diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 94e8a1de..66ecc51a 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -60,6 +60,7 @@ command[check_influxdb]=/usr/lib/nagios/plugins/check_http -I 127.0.0.1 -u /heal command[check_dhcpd]=/usr/lib/nagios/plugins/check_procs -c1:1 -C dhcpd -t 60 command[check_ipmi_sensors]=sudo /usr/lib/nagios/plugins/check_ipmi_sensor command[check_raid_status]=/usr/lib/nagios/plugins/check_raid +command[check_dockerd]=/usr/lib/nagios/plugins/check_tcp -H /var/run/docker.sock --escape -s "GET /_ping HTTP/1.1\nHost: http\n\n" -e OK # Local checks (not packaged) command[check_mem]={{ nagios_plugins_directory }}/check_mem -f -C -w 20 -c 10 From 4a1b94f55d72d67ffd7227ca80e499bcfa70a43a Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Tue, 19 Dec 2023 17:55:36 +0100 Subject: [PATCH 088/151] unbound: Add a apt cache validity to enforce an apt update if needed --- CHANGELOG.md | 1 + unbound/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12a49ee4..f9d8b5d5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
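Review bot: The new `check_dockerd` command talks to `/var/run/docker.sock` as the nagios user, and read/write access to that socket is equivalent to root on the host; nothing in this hunk shows how nagios obtains that access, so the check either fails or requires giving the NRPE account docker-group membership, which widens its privileges considerably and deserves a comment above the line. The request also uses bare `\n` line endings with `HTTP/1.1` and no `Connection: close`, so the daemon may keep the connection open and check_tcp can end up waiting on its timeout; `-s "GET /_ping HTTP/1.0\r\n\r\n"` is the form most servers answer and close immediately.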
@@ -75,6 +75,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apt: use archive.debian.org with Stretch * webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src * evolinux-base: fix hardware.yml (wrong repo, missing update cache) +* unbound: Add a apt cache validity to enforce an apt update if needed ### Removed diff --git a/unbound/tasks/main.yml b/unbound/tasks/main.yml index 6be337d3..acc24812 100644 --- a/unbound/tasks/main.yml +++ b/unbound/tasks/main.yml @@ -6,6 +6,7 @@ - unbound-anchor - dns-root-data state: present + cache_valid_time: 3600 tags: - unbound From 046f1411b3df49191b38e649eee9be0113cbcb1a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Dec 2023 15:27:07 +0100 Subject: [PATCH 089/151] vrrpd: test if interface exists before deleting it --- CHANGELOG.md | 1 + vrrpd/files/vrrp_switch.sh | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f9d8b5d5..f9b6a1da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition * minifirewall: Fix nagios check for old versions of minifirewall * autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation +* vrrpd: test if interface exists before deleting it ### Changed diff --git a/vrrpd/files/vrrp_switch.sh b/vrrpd/files/vrrp_switch.sh index 8f260a8a..1bacd859 100644 --- a/vrrpd/files/vrrp_switch.sh +++ b/vrrpd/files/vrrp_switch.sh @@ -72,8 +72,10 @@ case "${STATE}" in ;; "slave" ) - # Delete interface - ip link delete "${VIRTUAL_INTERFACE_NAME}" + # Delete interface if it exists + if ip link show "${VIRTUAL_INTERFACE_NAME}" >/dev/null 2>&1; then + ip link delete "${VIRTUAL_INTERFACE_NAME}" + fi ;; * ) From d93eb2495b331b9e4f8336cc0ed8a2fb64771456 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 20 Dec 2023 15:28:09 +0100 Subject: [PATCH 090/151] sort CHANGELOG --- CHANGELOG.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f9b6a1da..f60fe536 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,17 +15,17 @@ The **patch** part changes is incremented if multiple releases happen the same m * Preliminary work for php83 * apt: add task file to install ELTS repository (default: False) +* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation +* etc-git: add /var/chroot-bind/etc/bind repo * lxc-php: Allow one to install php83 on Bookworm container +* minifirewall: Fix nagios check for old versions of minifirewall * mongodb: add gpg key for 7.0 * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel -* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user -* etc-git: add /var/chroot-bind/etc/bind repo -* webapps/nextcloud: Set ownership and permissions of data directory -* webapps/nextcloud: Add condition for config tasks * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition -* minifirewall: Fix nagios check for old versions of minifirewall -* autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation * vrrpd: test if interface exists before deleting it +* webapps/nextcloud: Add condition for config tasks +* webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user +* webapps/nextcloud: Set ownership and permissions of data directory ### Changed 
@@ -44,9 +44,9 @@ The **patch** part changes is incremented if multiple releases happen the same m * log2mail: move custom config in separate file * lxc: init /etc git repository in lxc container * mysql: disable performance schema for Debian 8 -* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 -* nagios: cleaning nrpe check template * nagios: add dockerd check in nrpe check template +* nagios: cleaning nrpe check template +* nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 * unbound: Add config file to allow configuration reload on Debian 11 and lower 
@@ -60,23 +60,23 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed * Add php-fpm82 to LDAP when relevant +* check stat.exists before stat.isdir * apache: fix MaxRequestsPerChild value to be sync with wiki.e.o +* apt: use archive.debian.org with Stretch +* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) * evoadmin-web: Fix PHP version for Bookworm +* evolinux-base: fix hardware.yml (wrong repo, missing update cache) +* evolinux-base: start to install linux-image-cloud-amd64 with Buster * nagios: fix default file to monitor for check_clamav_db * nginx: keep indentation * php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository -* ProFTPd: set missing default listen IP for SFTP +* proftpd: set missing default listen IP for SFTP * ssl: no not execute haproxy tasks and reload if haproxy is disabled -* webapps/nextcloud: added check that nexctcloud uid is over 3000 +* unbound: Add a apt cache validity to enforce an apt update if needed +* webapps/nextcloud: added check that nextcloud uid is over 3000 +* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid -* check stat.exists before stat.isdir -* certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) -* evolinux-base: start to install linux-image-cloud-amd64 with Buster -* apt: use archive.debian.org with Stretch -* webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src -* evolinux-base: fix hardware.yml (wrong repo, missing update cache) -* unbound: Add a apt cache validity to enforce an apt update if needed ### Removed From c2de4b4cd185a8c0a6bc21b3a5ffb7ae1d2141d1 Mon Sep 17 00:00:00 2001 
From: Mathieu Trossevin Date: Fri, 22 Dec 2023 11:26:08 +0100 Subject: [PATCH 091/151] kvm-host: Add LVM filter when needed --- CHANGELOG.md | 1 + kvm-host/defaults/main.yml | 9 ++++++++- kvm-host/handlers/main.yml | 8 ++++++++ kvm-host/tasks/lvm.yml | 37 +++++++++++++++++++++++++++++++++++++ kvm-host/tasks/main.yml | 2 ++ 5 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 kvm-host/tasks/lvm.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index f60fe536..e435af05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Add condition for config tasks * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * webapps/nextcloud: Set ownership and permissions of data directory +* kvm-host: Automatically add an LVM filter when LVM is present ### Changed diff --git a/kvm-host/defaults/main.yml b/kvm-host/defaults/main.yml index 574c249f..9cbdd9a3 100644 --- a/kvm-host/defaults/main.yml +++ b/kvm-host/defaults/main.yml @@ -3,4 +3,11 @@ kvm_custom_libvirt_images_path: '' kvm_install_drbd: True kvm_scripts_dir: /usr/local/sbin -kvm_pair: null \ No newline at end of file +kvm_pair: null + +# A "r|.*/|" is always added in order to make this an allowlist +# Default = all sata/scsi disks + all nvme + all md (+partitions) +lvm_filter: + - '"a|^/dev/sd[a-zA-Z]+[0-9]*$|"' + - '"a|^/dev/nvme[0-9]+(n[0-9]+)?(p[0-9]+)?$|"' + - '"a|^/dev/md[0-9]+$|"' \ No newline at end of file diff --git a/kvm-host/handlers/main.yml b/kvm-host/handlers/main.yml index 5ca5295a..963105f9 100644 --- a/kvm-host/handlers/main.yml +++ b/kvm-host/handlers/main.yml @@ -3,3 +3,11 @@ ansible.builtin.service: name: munin-node state: restarted + +- name: Update initramfs + ansible.builtin.command: + argv: + - '/usr/sbin/update-initramfs' + - '-k' + - 'all' + - '-u' \ No newline at end of file 
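Review bot: The default `lvm_filter` allowlist (sd*, nvme*, md*) combined with the unconditional `"r|.*/|"` reject appended in lvm.yml hides every other block device from LVM, including `/dev/drbd*` and virtio `/dev/vd*`; on a host whose own VG lives on DRBD or a virtio disk the PV vanishes once the initramfs is rebuilt by the new handler, which can leave the host unbootable. If hiding guest-disk LVM signatures is the intent, that is a reasonable default for VM volumes, but the defaults file should say so and tell operators what to add when the host VG is elsewhere, e.g. `# Add '"a|^/dev/drbd[0-9]+$|"' when the host VG lives on DRBD`. The variable also lacks the `kvm_` prefix the rest of this file uses, so it can collide with a same-named variable from another role.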
diff --git a/kvm-host/tasks/lvm.yml b/kvm-host/tasks/lvm.yml new file mode 100644 index 00000000..41b12b2d --- /dev/null +++ b/kvm-host/tasks/lvm.yml @@ -0,0 +1,37 @@ +--- + +- name: 'Figure out if /etc/lvm/lvm.conf exists' + ansible.builtin.stat: + path: '/etc/lvm/lvm.conf' + follow: true + get_checksum: false + get_mime: false + get_attributes: false + ignore_errors: true + register: lvm_conf_stat + +- name: Add LVM filter + ansible.builtin.lineinfile: + path: '/etc/lvm/lvm.conf' + insertafter: '# Configuration option devices/filter.' + regexp: '^\s*(#\s*)?filter\s*=\s*\[.*\]' + line: " filter = [ {{ lvm_filter | list | join(', ') }}, \"r|.*/|\" ]" + state: present + firstmatch: true + notify: 'Update initramfs' + when: + - lvm_conf_stat is succeeded + - lvm_conf_stat.stat.exists | bool + +- name: Add LVM global_filter + ansible.builtin.lineinfile: + path: '/etc/lvm/lvm.conf' + insertafter: '# Configuration option devices/global_filter.' + regexp: '^\s*(#\s*)?global_filter\s*=\s*\[.*\]' + line: " global_filter = [ {{ lvm_filter | list | join(', ') }}, \"r|.*/|\" ]" + state: present + firstmatch: true + notify: 'Update initramfs' + when: + - lvm_conf_stat is succeeded + - lvm_conf_stat.stat.exists | bool diff --git a/kvm-host/tasks/main.yml b/kvm-host/tasks/main.yml index c6004b7b..7aa3bdc2 100644 --- a/kvm-host/tasks/main.yml +++ b/kvm-host/tasks/main.yml @@ -4,6 +4,8 @@ name: evolix/drbd when: kvm_install_drbd +- ansible.builtin.import_tasks: lvm.yml + ## TODO: check why it's disabled - ansible.builtin.include: ssh.yml From 9fb635b45f37b328b3bf93f7f03ce3c7f9a273d5 Mon Sep 17 00:00:00 2001 
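Review bot: The `regexp` in both lineinfile tasks, `'^\s*(#\s*)?filter\s*=\s*\[.*\]'`, also matches the commented documentation examples that the stock lvm.conf carries under `# Configuration option devices/filter.`, and lineinfile replaces the last line matching `regexp` (`firstmatch` only affects `insertafter`); if an operator has already set an active `filter = [...]` and a commented example follows it, the comment is rewritten while the real setting stays in force. Matching only active lines, `regexp: '^\s*filter\s*=\s*\['`, keeps the task idempotent against the real setting and otherwise inserts the new line after the header as intended. The same change applies to the 'Add LVM global_filter' task in this hunk.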
From: William Hirigoyen Date: Tue, 5 Dec 2023 11:50:24 +0100 Subject: [PATCH 092/151] webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (H)acked-By: David Prévot --- CHANGELOG.md | 4 +++- webapps/evoadmin-mail/tasks/main.yml | 17 +++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e435af05..b9e7297a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,16 +17,17 @@ The **patch** part changes is incremented if multiple releases happen the same m * apt: add task file to install ELTS repository (default: False) * autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation * etc-git: add /var/chroot-bind/etc/bind repo +* kvm-host: Automatically add an LVM filter when LVM is present * lxc-php: Allow one to install php83 on Bookworm container * minifirewall: Fix nagios check for old versions of minifirewall * mongodb: add gpg key for 7.0 * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition * vrrpd: test if interface exists before deleting it +* webapps/evoadmin-mail: package can be installed via public.evolix.org/evolix repo starting from Bookworm * webapps/nextcloud: Add condition for config tasks * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * webapps/nextcloud: Set ownership and permissions of data directory -* kvm-host: Automatically add an LVM filter when LVM is present ### Changed 
@@ -50,6 +51,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 +* spamassassin: Use spamd starting with Bookworm * unbound: Add config file to allow configuration reload on Debian 11 and lower * unbound: Add munin configuration & setup plugin * unbound: Big cleanup diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index a1018eca..1b2c9356 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -4,10 +4,27 @@ ansible.builtin.include_role: name: evolix/remount-usr +- name: Get evoadmin-mail package + ansible.builtin.get_url: + url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-1_all.deb + dest: /tmp/evoadmin-mail.deb + when: ansible_distribution_major_version is version('12', '<') + tags: + - evoadmin-mail + - name: Install evoadmin-mail package ansible.builtin.apt: deb: /tmp/evoadmin-mail.deb state: present + when: ansible_distribution_major_version is version('12', '<') + tags: + - evoadmin-mail + +- name: Install evoadmin-mail package + ansible.builtin.apt: + name: evoadmin-mail + state: present + when: ansible_distribution_major_version is version('12', '>=') tags: - evoadmin-mail From 1ac497282cb445ac8ac24d736aa832ac2303c6d6 Mon Sep 17 00:00:00 2001 
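Review bot: 'Get evoadmin-mail package' downloads a .deb to a fixed path in a world-writable directory, `/tmp/evoadmin-mail.deb`, with no `checksum:` and the next task installs it as root; TLS protects the transfer, but nothing pins the artifact, and a predictable /tmp path is the classic spot for a local user to pre-place a file. Adding `checksum: sha256:<SHA256_OF_DEB_PLACEHOLDER>` to get_url and writing into a root-owned directory (or a `tempfile` result) closes both gaps. The two tasks both named 'Install evoadmin-mail package' also make play output ambiguous; naming them by distribution (`… (< Bookworm)` / `… (>= Bookworm)`) helps.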
From: David Prevot Date: Fri, 22 Dec 2023 15:44:40 +0100 Subject: [PATCH 093/151] =?UTF-8?q?evoadmin-mail:=C2=A0use=20fixed=20versi?= =?UTF-8?q?on=20for=20Ansible?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 2 +- webapps/evoadmin-mail/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9e7297a..dd9c70f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,7 +24,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition * vrrpd: test if interface exists before deleting it -* webapps/evoadmin-mail: package can be installed via public.evolix.org/evolix repo starting from Bookworm +* webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm * webapps/nextcloud: Add condition for config tasks * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * webapps/nextcloud: Set ownership and permissions of data directory diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index 1b2c9356..a1dd361b 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -6,7 +6,7 @@ - name: Get evoadmin-mail package ansible.builtin.get_url: - url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-1_all.deb + url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-2_all.deb dest: /tmp/evoadmin-mail.deb when: ansible_distribution_major_version is version('12', '<') tags: From 41897f4c62e3e57c642725d07ce0b726e03b3129 Mon Sep 17 00:00:00 2001 
From: William Hirigoyen Date: Wed, 27 Dec 2023 15:01:56 +0100 Subject: [PATCH 094/151] bind: improve reload script --- bind/files/bind-reload-zone.sh | 37 +++++++++++++++++++++++ bind/files/bind-reload-zone_completion.sh | 18 +++++++++++ bind/files/reload-zone | 14 --------- 3 files changed, 55 insertions(+), 14 deletions(-) create mode 100755 bind/files/bind-reload-zone.sh create mode 100644 bind/files/bind-reload-zone_completion.sh delete mode 100755 bind/files/reload-zone diff --git a/bind/files/bind-reload-zone.sh b/bind/files/bind-reload-zone.sh new file mode 100755 index 00000000..550e5b64 --- /dev/null +++ b/bind/files/bind-reload-zone.sh @@ -0,0 +1,37 @@ +#!/bin/bash +# +# Script utilitaire pour tester et recharger facilement une zone dans Bind +# + +usage() { + echo "Usage: bind-reload-zone " + echo " bind-reload-zone -h|--help" +} + +if [ $# -ne 1 ] ; then + usage + exit 1 +fi + +while :; do + case $1 in + -h|--help) + usage + exit 0 + ;; + *) + zone=$1 + break + ;; + esac + shift +done + +if ! [ -f "/etc/bind/db.${zone}" ]; then + >&2 echo "Error: zone for ${zone} not found." + usage + exit 1 +fi + +named-checkzone "${zone}" /etc/bind/db."${zone}" && rndc reload "${zone}" + diff --git a/bind/files/bind-reload-zone_completion.sh b/bind/files/bind-reload-zone_completion.sh new file mode 100644 index 00000000..2e87b12c --- /dev/null +++ b/bind/files/bind-reload-zone_completion.sh 
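Review bot: The `while :; do case $1 in … esac; shift; done` loop is dead weight once `[ $# -ne 1 ]` has enforced exactly one argument — it runs at most one iteration and the `shift` never sees a second word; a plain `case "$1" in -h|--help) usage; exit 0 ;; *) zone=$1 ;; esac` says the same thing. The usage text `echo "Usage: bind-reload-zone "` appears to have lost its `<zone>` placeholder (possibly during extraction); worth checking in the repository. Since `${zone}` is spliced into `/etc/bind/db.${zone}`, rejecting values that are not a plain zone name before the `-f` test, e.g. `case "$zone" in */*|.*) usage; exit 1 ;; esac`, keeps the script from ever touching a file outside /etc/bind.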
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +_bind_reload_zone_dynamic_completion() { + local cur; + cur=${COMP_WORDS[COMP_CWORD]}; + COMPREPLY=(); + COMPREPLY=( $( compgen -W '$(grep -v -h '"'"'//'"'"' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep -v arpa | awk '"'"'{gsub(/"/, "", $2); print $2}'"'"' | sort | uniq)' -- $cur ) ); + + # reverse ipv4 : + #grep -v -h '//' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep arpa | grep -v ip6 | awk '{gsub(/"/, "", $2); gsub(/.in-addr.arpa/, "", $2); print $2}' | sort | uniq | awk -F'.' '{ for (i=NF; i>1; i--) printf("%s.",$i); print $1 }' + + # reveres ipv6 : je bloque sur l'inversion 4 par 4 + #grep -v -h '//' /etc/bind/named.conf* | grep -B1 "type master" | grep zone | grep arpa | grep ip6 | awk '{gsub(/"/, "", $2); gsub(/.ip6.arpa/, "", $2); print $2}' | sort | uniq | awk -F'.' '{ for (i=NF; i>1; i--) { if ($i % 4 == 0) printf("%s.",$i); else printf("%s",$i); } print $1 }' + +} + +complete -F _bind_reload_zone_dynamic_completion bind-reload-zone + diff --git a/bind/files/reload-zone b/bind/files/reload-zone deleted file mode 100755 index b9acc449..00000000 --- a/bind/files/reload-zone +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -# -# Script utilitaire pour tester et recharger facilement un domaine dans Bind -# Usage : reload-zone -# -# TODO: -# - renommer le script (par ex bind-safe-reload) -# - vérifier le serial -# - ajouter un -h --help -# - prendre en charge plusieurs zones (ou aucune) -# - ajouter le script dans le role bind - -named-checkzone "$1" /etc/bind/db."$1" && rndc reload "$1" - From 0a590b6679dd8d7367115561724629f56008e1c9 Mon Sep 17 00:00:00 2001 
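Review bot: `-- $cur` at the end of the `compgen` call is unquoted, so a partially typed zone containing glob characters or whitespace is expanded by the shell before `compgen` sees it; use `-- "$cur"`. The candidate list also relies on the `zone "..."` line sitting exactly one line above `type master` (`grep -B1 "type master"`), which is a layout assumption that silently yields nothing for zones written differently — worth a comment such as `# assumes 'zone "name" {' is the line directly above 'type master'`. The nested `'"'"'` quoting makes the pipeline hard to audit; moving it into a small `_bind_reload_zone_list_zones()` helper would make the quoting readable and let the commented-out reverse-zone variants reuse it.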
From: William Hirigoyen Date: Wed, 3 Jan 2024 11:29:20 +0100 Subject: [PATCH 095/151] nginx: fix multiple fails in check mode --- CHANGELOG.md | 2 ++ nginx/handlers/main.yml | 3 +++ nginx/tasks/ip_whitelist.yml | 2 ++ nginx/tasks/main.yml | 3 +++ nginx/tasks/munin_vhost.yml | 1 + nginx/tasks/server_status_read.yml | 4 +++- nginx/tasks/server_status_write.yml | 1 + 7 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd9c70f4..574a66bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -80,6 +80,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid +* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) +* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode ### Removed diff --git a/nginx/handlers/main.yml b/nginx/handlers/main.yml index bdd5f477..af2cabf0 100644 --- a/nginx/handlers/main.yml +++ b/nginx/handlers/main.yml @@ -3,13 +3,16 @@ ansible.builtin.service: name: nginx state: restarted + when: not ansible_check_mode - name: reload nginx ansible.builtin.service: name: nginx state: reloaded + when: not ansible_check_mode - name: restart munin ansible.builtin.service: name: munin-node state: restarted + when: not ansible_check_mode diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml index fc4fd2d2..6186b419 100644 --- a/nginx/tasks/ip_whitelist.yml +++ b/nginx/tasks/ip_whitelist.yml @@ -6,6 +6,7 @@ line: "allow {{ item }};" state: present loop: "{{ nginx_ipaddr_whitelist_present }}" + when: not ansible_check_mode notify: reload nginx tags: - nginx @@ -17,6 +18,7 @@ line: "allow {{ item }};" state: absent loop: "{{ nginx_ipaddr_whitelist_absent }}" + when: not ansible_check_mode notify: reload nginx tags: - nginx 
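Review bot: Guarding the `allow {{ item }};` `lineinfile` tasks with `when: not ansible_check_mode` means a `--check` run no longer reports drift in the nginx IP allow list, which is exactly the kind of change an operator wants to see before applying. `lineinfile` supports check mode natively, so the guard looks unnecessary here unless those tasks fail for another reason (e.g. the target file not existing yet in check mode), in which case that reason deserves a comment. The same applies to the `ansible.builtin.service` handlers, which also support check mode; if the real failure is elsewhere, narrowing the guard to the failing task keeps the whitelist visible in the dry run.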
diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index 57a036d4..5d2f56cf 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml @@ -24,6 +24,7 @@ line: '\1worker_connections 1024;' insertafter: 'events \{' backrefs: yes + when: not ansible_check_mode tags: - nginx @@ -34,6 +35,7 @@ line: '\1use epoll;' insertafter: 'events \{' backrefs: yes + when: not ansible_check_mode tags: - nginx @@ -145,6 +147,7 @@ name: nginx enabled: yes state: started + when: not ansible_check_mode tags: - nginx diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml index 98cc8672..eb08cd72 100644 --- a/nginx/tasks/munin_vhost.yml +++ b/nginx/tasks/munin_vhost.yml @@ -37,3 +37,4 @@ daemon_reload: yes enabled: yes state: started + when: not ansible_check_mode diff --git a/nginx/tasks/server_status_read.yml b/nginx/tasks/server_status_read.yml index d6cecbe3..b334a729 100644 --- a/nginx/tasks/server_status_read.yml +++ b/nginx/tasks/server_status_read.yml @@ -26,13 +26,15 @@ ansible.builtin.command: cmd: "tail -n 1 {{ nginx_serverstatus_suffix_file }}" changed_when: False - check_mode: no + when: not ansible_check_mode register: new_nginx_serverstatus_suffix - name: overwrite nginx_serverstatus_suffix ansible.builtin.set_fact: nginx_serverstatus_suffix: "{{ new_nginx_serverstatus_suffix.stdout }}" + when: not ansible_check_mode - ansible.builtin.debug: var: nginx_serverstatus_suffix verbosity: 1 + when: not ansible_check_mode diff --git a/nginx/tasks/server_status_write.yml b/nginx/tasks/server_status_write.yml index dbed56cb..08031635 100644 --- a/nginx/tasks/server_status_write.yml +++ b/nginx/tasks/server_status_write.yml @@ -17,4 +17,5 @@ dest: /etc/nginx/sites-available/evolinux-default.conf regexp: 'location /server-status-? {' replace: 'location /server-status-{{ nginx_serverstatus_suffix }} {' + when: not ansible_check_mode notify: reload nginx From e089796c4c21770c09c6facb1a456932eb85495b Mon Sep 17 00:00:00 2001 
From: David Prevot Date: Wed, 3 Jan 2024 17:46:15 +0100 Subject: [PATCH 096/151] evocheck: upstream release 24.01 --- CHANGELOG.md | 2 +- evocheck/files/evocheck.jessie.sh | 2 +- evocheck/files/evocheck.sh | 67 ++++++++++++++++--------------- evocheck/files/evocheck.wheezy.sh | 2 +- 4 files changed, 37 insertions(+), 36 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 574a66bc..e287b71f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,7 +39,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apt: Use the GPG version of the key for Debian 8-9 * bind: Update role for Buster, Bullseye and Bookworm support * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) -* evocheck: upstream release 23.11.1 +* evocheck: upstream release 24.01 * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog * kvmstats: use .capacity instead of .physical for disk size diff --git a/evocheck/files/evocheck.jessie.sh b/evocheck/files/evocheck.jessie.sh index 6fd8062b..585dd735 100755 --- a/evocheck/files/evocheck.jessie.sh +++ b/evocheck/files/evocheck.jessie.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.11.1" +VERSION="24.01" readonly VERSION # base functions diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 793af266..f125e713 100755 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.11.1" +VERSION="24.01" readonly VERSION # base functions 
@@ -156,13 +156,13 @@ check_dpkgwarning() { # Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option. check_postfix_mydestination() { # shellcheck disable=SC2016 - if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost([[:blank:]]|$)'; then + if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp 'localhost([[:blank:]]|$)'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost' is missing in Postfix mydestination option." fi - if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.localdomain'; then + if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost.localdomain'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option." fi - if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost\.\$mydomain'; then + if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost.$mydomain'; then failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option." fi } 
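Review bot: The first test still fails on a perfectly valid comma-separated value such as `mydestination = localhost, localhost.localdomain` because `'localhost([[:blank:]]|$)'` does not accept `,` after `localhost`; use `'localhost([[:blank:]]|,|$)'`. All three tests also run `grep mydestination /etc/postfix/main.cf` unanchored, so a commented-out `#mydestination = localhost ...` line satisfies them while Postfix ignores it; anchoring with `grep '^mydestination' /etc/postfix/main.cf` (or reading the effective value with `postconf -h mydestination`) checks what Postfix actually uses. The `--fixed-strings` switch is a welcome change, since `localhost.$mydomain` is meant literally here.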
@@ -205,11 +205,21 @@ check_debiansecurity_lxc() { if is_installed lxc; then container_list=$(lxc-ls) for container in $container_list; do - lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" - test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}" + DEBIAN_LXC_VERSION=$(cut -d "." -f 1 < /var/lib/lxc/${container}/rootfs/etc/debian_version) + if [ $DEBIAN_LXC_VERSION -ge 9 ]; then + lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}" + fi done fi } +check_backports_version() { + # Look for enabled "Debian Backports" sources from the "Debian" origin + apt-cache policy | grep "\bl=Debian Backports\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b" + test $? -eq 1 || ( \ + apt-cache policy | grep "\bl=Debian Backports\b" | grep --quiet "\bn=${DEBIAN_RELEASE}-backports\b" && \ + test $? -eq 0 || failed "IS_BACKPORTS_VERSION" "Debian Backports enabled for another release than ${DEBIAN_RELEASE}" ) +} check_oldpub() { # Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch) apt-cache policy | grep --quiet pub.evolix.net 
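Review bot: `check_backports_version` runs `failed` inside a `( ... )` subshell, so anything `failed` records in a shell variable (an overall exit status, for instance, if it does so as the rest of the script suggests) is lost when the subshell exits, and the inner `test $? -eq 0` after `&&` can never be false. The `DEBIAN_LXC_VERSION` change has a similar silent-skip problem: a testing/sid container's `debian_version` reads like `trixie/sid`, `cut -d "." -f 1` returns that string, `[ ... -ge 9 ]` errors out and the Debian-Security check is skipped without any message, so a numeric guard (`case "$DEBIAN_LXC_VERSION" in *[!0-9]*) ...;; esac`) or a `failed` on unparsable versions is needed. The rewrite below keeps the same checks in the current shell with plain `if`s.
```bash
check_backports_version() {
    # Only meaningful when a "Debian Backports" source from the "Debian" origin is enabled
    if apt-cache policy | grep "\bl=Debian Backports\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"; then
        # No subshell here, so whatever failed() records is kept
        if ! apt-cache policy | grep "\bl=Debian Backports\b" | grep --quiet "\bn=${DEBIAN_RELEASE}-backports\b"; then
            failed "IS_BACKPORTS_VERSION" "Debian Backports enabled for another release than ${DEBIAN_RELEASE}"
        fi
    fi
}
```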
@@ -596,14 +606,10 @@ check_evobackup_exclude_mount() { # then we verify that every mount is excluded if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then # old releases of evobackups don't have version - if grep -q "^VERSION=" "${evobackup_file}"; then - evobackup_version=$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}") - # versions over 22.12 use a new syntax to exclude rsync files - if dpkg --compare-versions "$evobackup_version" ge 22.12 ; then - sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' "${evobackup_file}" > "${excludes_file}" - else - grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" - fi + if grep -q "^VERSION=" "${evobackup_file}" && dpkg --compare-versions "$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}")" ge 22.12 ; then + sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' "${evobackup_file}" > "${excludes_file}" + else + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" fi not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") for mount in ${not_excluded}; do @@ -657,7 +663,7 @@ check_apacheipinallow() { check_muninapacheconf() { muninconf="/etc/apache2/conf-available/munin.conf" if is_installed apache2; then - test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \ + test -e $muninconf && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$muninconf" \ && failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled" fi } 
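Review bot: In `check_muninapacheconf` the long-option rewrite keeps the old regex `"^( |\t)*#"`, so blank lines are still counted as "active" configuration and a `munin.conf` containing only comments and empty lines is reported as enabled. `grep --invert-match --extended-regexp --quiet '^[[:space:]]*(#|$)' "$muninconf"` treats blank and comment lines alike and removes that false positive. The `check_evobackup_exclude_mount` simplification is behaviour-preserving as far as I can see (a `VERSION=` older than 22.12 still takes the `--exclude` branch), though the enclosing function starts and ends outside this hunk.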
@@ -666,17 +672,17 @@ check_phpmyadminapacheconf() { phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf" phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf" if is_installed apache2; then - test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \ - && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled" - test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \ - && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled" + test -e $phpmyadminconf0 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$phpmyadminconf0" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) should be commented or disabled" + test -e $phpmyadminconf1 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$phpmyadminconf1" \ + && failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) should be commented or disabled" fi } # Verification si le système doit redémarrer suite màj kernel. check_kerneluptodate() { if is_installed linux-image*; then # shellcheck disable=SC2012 - kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s) + kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot/*lin* | tail -n1 | awk '{print $6}')" +%s) last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised" @@ -770,7 +776,7 @@ check_gitperms_lxc() { if test -d $GIT_DIR; then expected="700" actual=$(stat -c "%a" $GIT_DIR) - [ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})" + [ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})" fi done fi 
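Review bot: `check_kerneluptodate` only keeps the date column (`awk '{print $6}'`) of `ls --full-time`, so `kernel_installed_at` is midnight of the install day; a kernel installed later on the same day the machine was rebooted is then older than `last_reboot_at` and the "reboot advised" warning is never raised. Keeping the time as well, `awk '{print $6" "$7}'`, gives `date -d` a full timestamp and closes that false negative. The narrowed `/boot/*lin*` glob is a good change, but it errors if nothing matches (no `nullglob`), which would surface as a `date` parsing failure rather than a clear message.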
@@ -882,7 +888,7 @@ check_drbd_two_primaries() { failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!" fi elif command -v drbdadm >/dev/null; then - if drbdadm status | grep Primary -A2 | grep peer | grep -q Primary; then + if drbdadm role all 2>&1 | grep -q 'Primary/Primary'; then failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!" fi fi @@ -893,7 +899,7 @@ check_broadcomfirmware() { if [ -x "${LSPCI_BIN}" ]; then if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then { is_installed firmware-bnx2 \ - && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; + && apt-cache policy | grep "\bl=Debian\b" | grep --quiet -v "\b,c=non-free\b" } || failed "IS_BROADCOMFIRMWARE" "missing non-free repository" fi else @@ -1201,16 +1207,10 @@ check_usrsharescripts() { test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected" } check_sshpermitrootno() { - sshd_args="-C addr=,user=,host=,laddr=,lport=0" - if is_debian_stretch; then - # Noop, we'll use the default $sshd_args - : - elif is_debian_buster; then + # You could change the SSH port in /etc/evocheck.cf + sshd_args="-C addr=,user=,host=,laddr=,lport=${SSH_PORT:-22}" + if is_debian_buster; then sshd_args="${sshd_args},rdomain=" - else - # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument - # -T doesn't require the additional -C. - sshd_args= fi # shellcheck disable=SC2086 if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then @@ -1559,6 +1559,7 @@ main() { test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc + test "${IS_BACKPORTS_VERSION:=1}" = 1 && check_backports_version test "${IS_OLDPUB:=1}" = 1 && check_oldpub test "${IS_OLDPUB_LXC:=1}" = 1 && check_oldpub_lxc test "${IS_NEWPUB:=1}" = 1 && check_newpub 
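Review bot: The new repository test in `check_broadcomfirmware` is inverted: `grep --quiet -v "\b,c=non-free\b"` succeeds as soon as any `l=Debian` line is not non-free, which is true on every host with a `main` source, so IS_BROADCOMFIRMWARE can no longer fail for a missing non-free repository. Drop the `-v` and match the component directly, e.g. `&& apt-cache policy | grep "\bo=Debian\b" | grep --quiet --extended-regexp "\bc=non-free(-firmware)?\b"`; the optional `-firmware` suffix accounts for Bookworm moving firmware packages to the `non-free-firmware` component, if I recall the release notes correctly. In `check_sshpermitrootno`, `-C ... lport=${SSH_PORT:-22}` is now passed on every release including Bullseye and later; the removed comment said `-C` was not required there, so a short note that it is harmless (or a quick check on a Bookworm host) would help the next reader.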
@@ -1677,7 +1678,7 @@ main() { } cleanup() { # Cleanup tmp files - # shellcheck disable=SC2086,SC2317 + # shellcheck disable=SC2068,SC2317 rm -f ${files_to_cleanup[@]} log "$PROGNAME exit." diff --git a/evocheck/files/evocheck.wheezy.sh b/evocheck/files/evocheck.wheezy.sh index 8e114b73..726a364f 100755 --- a/evocheck/files/evocheck.wheezy.sh +++ b/evocheck/files/evocheck.wheezy.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Linux (Debian) server # powered by Evolix -VERSION="23.11.1" +VERSION="24.01" readonly VERSION # base functions From f5d5e84cafb58b6a16b427b2e5a4b67c4c407655 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Tue, 9 Jan 2024 17:13:22 +0100 Subject: [PATCH 097/151] dovecot: fix plugin dovecot1 --- CHANGELOG.md | 1 + dovecot/defaults/main.yml | 2 ++ dovecot/files/munin_plugin_dovecot1 | 24 +++++++++++-------- ...olinux-dovecot.conf => munin_plugins.conf} | 0 dovecot/tasks/main.yml | 2 +- dovecot/tasks/munin.yml | 2 +- 6 files changed, 19 insertions(+), 12 deletions(-) mode change 100644 => 100755 dovecot/files/munin_plugin_dovecot1 rename dovecot/files/{z-evolinux-dovecot.conf => munin_plugins.conf} (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index e287b71f..c184cf59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -82,6 +82,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix missing gid * nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) * nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode +* dovecot: fix plugin dovecot1 ### Removed diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index 52e06bda..eb4e6aa1 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml @@ -1,4 +1,6 @@ --- +log2mail_alert_email: Null + dovecot_vmail_uid: 5000 dovecot_vmail_gid: 5000 
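Review bot: Switching the directive to `disable=SC2068` silences the "double quote array expansions" warning instead of fixing it; `rm -f ${files_to_cleanup[@]}` still word-splits and glob-expands every element, so a temporary path containing whitespace or a `*` would remove the wrong files. Quoting the expansion, `rm -f "${files_to_cleanup[@]}"`, makes the warning go away without any suppression and is equally correct when the array is empty. `cleanup` starts before this hunk, so I could not check how `files_to_cleanup` is populated.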
diff --git a/dovecot/files/munin_plugin_dovecot1 b/dovecot/files/munin_plugin_dovecot1 old mode 100644 new mode 100755 index 83f4d897..27139b73 --- a/dovecot/files/munin_plugin_dovecot1 +++ b/dovecot/files/munin_plugin_dovecot1 @@ -53,15 +53,17 @@ if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) { exit 0; } -if (-f "$logfile.0") { - $rotlogfile = $logfile . ".0"; -} elsif (-f "$logfile.1") { - $rotlogfile = $logfile . ".1"; -} elsif (-f "$logfile.01") { - $rotlogfile = $logfile . ".01"; -} else { - $rotlogfile = $logfile . ".0"; -} +# Disable rotated log inpection because name is not deterministic across systems +# and data loss is may 5 min +#if (-f "$logfile.0") { +# $rotlogfile = $logfile . ".0"; +#} elsif (-f "$logfile.1") { +# $rotlogfile = $logfile . ".1"; +#} elsif (-f "$logfile.01") { +# $rotlogfile = $logfile . ".01"; +#} else { +# $rotlogfile = $logfile . ".0"; +#} if ( $ARGV[0] and $ARGV[0] eq "config" ) { print "multigraph dovecot_connections\n"; @@ -179,7 +181,9 @@ if (!defined $pos) { if ($startsize < $pos) { # Log rotated - parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]); + # Disable rotated log inpection because name is not deterministic across systems + # and data loss is may 5 min + #parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]); $pos = 0; } diff --git a/dovecot/files/z-evolinux-dovecot.conf b/dovecot/files/munin_plugins.conf similarity index 100% rename from dovecot/files/z-evolinux-dovecot.conf rename to dovecot/files/munin_plugins.conf diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index adb81238..edb39164 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -60,7 +60,7 @@ tags: - dovecot -- name: deploy evolix config +- name: deploy evolix config for Dovecot ansible.builtin.template: src: z-evolinux-defaults.conf.j2 dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml index 8d0df9db..c86d8c72 100644 --- a/dovecot/tasks/munin.yml 
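Review bot: The two new comments, `# Disable rotated log inpection because name is not deterministic across systems` / `# and data loss is may 5 min`, carry a typo and read awkwardly; something like `# Skip the rotated log: its name is not deterministic across systems, so at most one polling interval (about 5 min) of data is lost at rotation` says the same thing clearly. With the assignments commented out, `$rotlogfile` is presumably still declared earlier in the file (outside this hunk) but never set, which `use warnings` will not flag but a reader will wonder about; either remove the declaration or note that it is intentionally unused. The `$pos = 0` reset that remains is what makes the plugin recover after rotation, and deserves a one-line comment saying so.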
+++ b/dovecot/tasks/munin.yml @@ -51,7 +51,7 @@ - name: Copy Munin config ansible.builtin.copy: - src: z-evolinux-dovecot.conf + src: munin_plugins.conf dest: /etc/munin/plugin-conf.d/zzz-dovecot mode: '0644' notify: restart munin-node From bf07ef74c38f320ca706b66d5fa66bb570f658a8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 11 Jan 2024 16:51:20 +0100 Subject: [PATCH 098/151] =?UTF-8?q?nginx:=20take=20care=20of=20=C2=AB=20al?= =?UTF-8?q?ready=20defined=20=C2=BB=20and=20=C2=AB=20not=20yet=20defined?= =?UTF-8?q?=20=C2=BB=20server=20status=20suffix=20in=20check=20mode?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 2 +- nginx/tasks/server_status_read.yml | 19 ++++++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c184cf59..bc4929fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -81,7 +81,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid * nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) -* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode +* nginx: take care of « already defined » and « not yet defined » server status suffix in check mode * dovecot: fix plugin dovecot1 ### Removed diff --git a/nginx/tasks/server_status_read.yml b/nginx/tasks/server_status_read.yml index b334a729..eddc3fe8 100644 --- a/nginx/tasks/server_status_read.yml +++ b/nginx/tasks/server_status_read.yml 
@@ -18,23 +18,28 @@ - name: generate random string for server-status suffix ansible.builtin.shell: - cmd: "apg -a 1 -M N -n 1 > {{ nginx_serverstatus_suffix_file }}" - args: + cmd: "apg -a 1 -M N -n 1 | tee {{ nginx_serverstatus_suffix_file }}" creates: "{{ nginx_serverstatus_suffix_file }}" + register: generated_nginx_serverstatus_suffix + +- name: check if nginx suffix file exists + ansible.builtin.stat: + path: "{{ nginx_serverstatus_suffix_file }}" + register: nginx_serverstatus_suffix_file_check - name: read nginx server status suffix ansible.builtin.command: cmd: "tail -n 1 {{ nginx_serverstatus_suffix_file }}" changed_when: False - when: not ansible_check_mode - register: new_nginx_serverstatus_suffix + check_mode: no + when: nginx_serverstatus_suffix_file_check.stat.exists + register: read_nginx_serverstatus_suffix +# If the file exists and the read value is not empty, then use it, otherwhise use the generated value - name: overwrite nginx_serverstatus_suffix ansible.builtin.set_fact: - nginx_serverstatus_suffix: "{{ new_nginx_serverstatus_suffix.stdout }}" - when: not ansible_check_mode + nginx_serverstatus_suffix: "{{ (nginx_serverstatus_suffix_file_check.stat.exists and (read_nginx_serverstatus_suffix.stdout | length > 0)) | ternary(read_nginx_serverstatus_suffix.stdout, generated_nginx_serverstatus_suffix.stdout) }}" - ansible.builtin.debug: var: nginx_serverstatus_suffix verbosity: 1 - when: not ansible_check_mode From c9df19e14613d516b4b962194a8381625d738453 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 11 Jan 2024 17:45:55 +0100 Subject: [PATCH 099/151] warning comment --- certbot/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/certbot/tasks/main.yml b/certbot/tasks/main.yml index 3dcb1334..a32aa630 100644 --- a/certbot/tasks/main.yml +++ b/certbot/tasks/main.yml 
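Review bot: `apg -a 1 -M N -n 1` restricts the suffix to digits as I read apg's mode flags, which for the default 8–10 character length is a fairly small keyspace for something that, if the `/server-status-<suffix>` location relies on it alone for access control, works as a secret URL. Widening the alphabet and length, and writing the file without relying on the ambient umask, is a one-line change: `cmd: "umask 077; apg -a 1 -M NCL -m 16 -x 20 -n 1 | tee {{ nginx_serverstatus_suffix_file }}"`. The `ternary` expression on the `set_fact` line evaluates both branches, so it depends on `generated_nginx_serverstatus_suffix.stdout` being present even when the `creates:` guard skipped the command — that holds for the command module, but a comment stating that assumption would help whoever next touches check-mode handling here.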
@@ -21,6 +21,8 @@ - ansible.builtin.include: acme-challenge.yml +# This is always going to mark a "change". +# Couldn't figure out why ! - name: Deploy hooks are present ansible.builtin.copy: src: hooks/deploy/ From bca5b9f28c879b482ed9ba67f8e9facb7def4085 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 11 Jan 2024 17:46:49 +0100 Subject: [PATCH 100/151] fail2ban: fix template marker --- CHANGELOG.md | 7 ++++--- fail2ban/tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bc4929fc..3a2a570a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,11 +67,15 @@ The **patch** part changes is incremented if multiple releases happen the same m * apache: fix MaxRequestsPerChild value to be sync with wiki.e.o * apt: use archive.debian.org with Stretch * certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) +* dovecot: fix plugin dovecot1 * evoadmin-web: Fix PHP version for Bookworm * evolinux-base: fix hardware.yml (wrong repo, missing update cache) * evolinux-base: start to install linux-image-cloud-amd64 with Buster +* fail2ban: fix template marker * nagios: fix default file to monitor for check_clamav_db +* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) * nginx: keep indentation +* nginx: take care of « already defined » and « not yet defined » server status suffix in check mode * php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository * proftpd: set missing default listen IP for SFTP * ssl: no not execute haproxy tasks and reload if haproxy is disabled 
@@ -80,9 +84,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid -* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) -* nginx: take care of « already defined » and « not yet defined » server status suffix in check mode -* dovecot: fix plugin dovecot1 ### Removed diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 1629a02a..1fbb573a 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -94,7 +94,7 @@ - name: "Extend dbpurgeage if recidive jail is enabled" ansible.builtin.blockinfile: dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage - marker: "# ANSIBLE MANAGED" + marker: "# {mark} ANSIBLE MANAGED" block: | [DEFAULT] dbpurgeage = {{ fail2ban_recidive_bantime }} From f3eb7a498125b1cbda0198018307070f97694e8a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 12 Jan 2024 11:39:01 +0100 Subject: [PATCH 101/151] listupgrade : old-kernel-removal.sh upstream release 24.01 --- CHANGELOG.md | 1 + listupgrade/files/old-kernel-autoremoval.sh | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a2a570a..62552eaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -43,6 +43,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog * kvmstats: use .capacity instead of .physical for disk size +* listupgrade : old-kernel-removal.sh upstream release 24.01 * log2mail: move custom config in separate file * lxc: init /etc git repository in lxc container * mysql: disable performance schema for Debian 8 
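Review bot: Hosts already configured with the broken marker have a `# ANSIBLE MANAGED` block in `/etc/fail2ban/fail2ban.d/recidive_dbpurgeage` that the new `# {mark} ANSIBLE MANAGED` marker will not recognise, so `blockinfile` appends a second `[DEFAULT]` / `dbpurgeage` block and the stale one stays behind. A one-off cleanup before this task keeps the file single-sourced, e.g. `ansible.builtin.lineinfile` with `regexp: '^# ANSIBLE MANAGED$'` and `state: absent` (plus removing the lines it used to wrap), or simply recreating the file once with `ansible.builtin.copy` when the old marker is detected. Worth a comment on the task either way, since the marker fix is otherwise invisible in the rendered file.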
diff --git a/listupgrade/files/old-kernel-autoremoval.sh b/listupgrade/files/old-kernel-autoremoval.sh index ce1c6002..6ad762e1 100644 --- a/listupgrade/files/old-kernel-autoremoval.sh +++ b/listupgrade/files/old-kernel-autoremoval.sh @@ -4,7 +4,7 @@ # fork by reg from /etc/kernel/postinst.d/apt-auto-removal script -VERSION="21.10" +VERSION="24.01" readonly VERSION PROGNAME=$(basename "$0") @@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2018-2024 Evolix , Gregory Colpart , Romain Dessort , Ludovic Poujol , @@ -105,7 +105,7 @@ main() { echo "BEFORE" dpkg -l | grep linux-image - dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep '^linux-image-[234]' | grep -v -E "(${kernels})" | xargs --no-run-if-empty ${APT} -o Dir::State::Lists="${listupgrade_state_dir}" -y purge + dpkg --get-selections | tr '\t' ' ' | cut -d" " -f1 | grep '^linux-image-[0-9]' | grep -v -E "(${kernels})" | xargs --no-run-if-empty ${APT} -o Dir::State::Lists="${listupgrade_state_dir}" -y purge echo " AFTER" From 72727a8332f1087eb27402967d484731f8480275 Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Fri, 12 Jan 2024 13:35:21 +0100 Subject: [PATCH 102/151] nagios-nrpe: check_phpfpm_multi expand globing of args --- nagios-nrpe/files/plugins/check_phpfpm_multi | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/nagios-nrpe/files/plugins/check_phpfpm_multi b/nagios-nrpe/files/plugins/check_phpfpm_multi index b02fc7e2..e21ecf87 100644 --- a/nagios-nrpe/files/plugins/check_phpfpm_multi +++ b/nagios-nrpe/files/plugins/check_phpfpm_multi 
@@ -19,14 +19,21 @@ nb_ok=0 nb_unchk=0 output="" -readonly POOL_FOLDER=${1:-$(detect_pool_dir)} +# We want globbing to be expanded here +# shellcheck disable=SC2206 +readonly POOL_FOLDER=( ${1:-$(detect_pool_dir)} ) -if [[ ! -d "$POOL_FOLDER" ]]; then - echo "CRITICAL - $POOL_FOLDER does not exists" +if [ "${#POOL_FOLDER[@]}" -gt 1 ]; then + echo "CRITICAL - '${POOL_FOLDER[*]}' contains more than one directories" + exit 2 +fi; + +if [[ ! -d "${POOL_FOLDER[0]}" ]]; then + echo "CRITICAL - ${POOL_FOLDER[0]} does not exists" exit 2 fi; -readonly POOL_FILES=$(find "$POOL_FOLDER" -name "*.conf") +readonly POOL_FILES=$(find "${POOL_FOLDER[0]}" -name "*.conf") for pool_file in $POOL_FILES; do From 422f007e9d3a3b3954afcbb8dfac4243139f3fca Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 17 Jan 2024 16:45:36 +0100 Subject: [PATCH 103/151] php: drop apt_preferences(5) file for sury MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It doesn’t work as expected, and all covered cases should already be available from http://pub.evolix.org/evolix/dists/ (if $release_name-phpXY is not available, $release should probably be fixed or the correct suite added to the repository). --- php/files/sury.preferences | 7 ------- php/tasks/sury_pre.yml | 9 --------- 2 files changed, 16 deletions(-) delete mode 100644 php/files/sury.preferences diff --git a/php/files/sury.preferences b/php/files/sury.preferences deleted file mode 100644 index adcc5918..00000000 --- a/php/files/sury.preferences +++ /dev/null @@ -1,7 +0,0 @@ -Package: php* libapache2-mod-php* libpcre2* libzip4* libgd* libpcre3* -Pin: origin packages.sury.org -Pin-Priority: 999 - -Package: * -Pin: origin packages.sury.org -Pin-Priority: 50 diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index a0640e4c..599f9425 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml 
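Review bot: `readonly POOL_FOLDER=( ${1:-$(detect_pool_dir)} )` gets its glob expansion through unquoted word splitting, so a single pool directory whose path contains whitespace is split into several array elements and the new `-gt 1` check reports "more than one directories" for a perfectly valid argument. Expanding the pattern explicitly avoids that: `mapfile -t POOL_FOLDER < <(compgen -G "${1:-$(detect_pool_dir)}")` followed by `readonly POOL_FOLDER`; `compgen -G` prints nothing when nothing matches, so the existing `! -d "${POOL_FOLDER[0]}"` branch still produces the CRITICAL. The two messages in the hunk read better as `contains more than one directory` and `does not exist`, but those are runtime strings that monitoring may already match on, so change them deliberately. The same splitting applies to `for pool_file in $POOL_FILES`, which predates this change.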
@@ -27,15 +27,6 @@ repo: "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }}-php{{ php_version | replace('.', '')}} main" filename: evolix-php state: present - when: - - ansible_distribution_release == "bullseye" - -- name: Setup deb.sury.org repository - Add preferences file - ansible.builtin.copy: - src: sury.preferences - dest: /etc/apt/preferences.d/z-sury - when: - - ansible_distribution_release != "bullseye" - name: Setup deb.sury.org repository - Add GPG key ansible.builtin.copy: From bceb3f5c27895a6766df767bd04876d188e8110d Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 17 Jan 2024 16:45:36 +0100 Subject: [PATCH 104/151] php: drop apt_preferences(5) file for sury (changelog) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62552eaa..d1ddf4ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -85,6 +85,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid +* php: drop apt_preferences(5) file for sury ### Removed From 531b633d991f345ffa62f6a26ddbbd54fa006918 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Wed, 17 Jan 2024 17:06:50 +0100 Subject: [PATCH 105/151] listupgrade: try and get rid of duplicate entries --- CHANGELOG.md | 1 + listupgrade/tasks/main.yml | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1ddf4ec..3d2caefe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -86,6 +86,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid * php: drop apt_preferences(5) file for sury +* listupgrade: try and get rid of duplicate entries ### Removed 
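Review bot: With `sury.preferences` gone, nothing in this role lowers the priority of packages.sury.org any more, while the "Add GPG key" task right below (and presumably the source task after it, outside the hunk) still enables that repository; at apt's default priority 500 the higher version wins, so any library sury ships newer than Debian can replace the Debian build on the next upgrade, not just `php*`. If the intent is that only pub.evolix.org is used from now on, the sury key/source tasks should go with the pin; if sury stays, a `Package: *` / `Pin-Priority: 50` stanza (even if the previous file did not behave as expected) or a comment explaining why unpinned is acceptable would document the trade-off. The commit message's reasoning is useful and belongs in the role's README or a comment here, where the next maintainer will look.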
diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index dec4881d..78c655e9 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -45,6 +45,19 @@ owner: root group: root +- name: Disable listupgrade cron with an extra ending space + ansible.builtin.cron: + name: "listupgrade.sh" + cron_file: "listupgrade" + user: root + job: "/usr/share/scripts/listupgrade.sh --cron " + minute: "{{ listupgrade_cron_minute }}" + hour: "{{ listupgrade_cron_hour }}" + weekday: "{{ listupgrade_cron_weekday }}" + day: "{{ listupgrade_cron_day }}" + month: "{{ listupgrade_cron_month }}" + state: "absent" + - name: Enable listupgrade cron ansible.builtin.cron: name: "listupgrade.sh" From f994e199467d1f84309ac58573e664f402c73253 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 18 Jan 2024 09:11:24 +0100 Subject: [PATCH 106/151] vrrpd: fix typo in switch script --- vrrpd/files/vrrp_switch.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vrrpd/files/vrrp_switch.sh b/vrrpd/files/vrrp_switch.sh index 1bacd859..8806a7fe 100644 --- a/vrrpd/files/vrrp_switch.sh +++ b/vrrpd/files/vrrp_switch.sh @@ -62,7 +62,7 @@ case "${STATE}" in "master" ) # Choose a MAC address MAC_SUFFIX=$(printf %02x "${VRID}") - MAC="00:00:5e:00:01:${MAC_SUFFIX})" + MAC="00:00:5e:00:01:${MAC_SUFFIX}" # Create macvlan interface ip link add link "${INTERFACE_NAME}" address "${MAC}" "${VIRTUAL_INTERFACE_NAME}" type macvlan # Add IP to interface From 51280c586a4423d103fe07e10143222d13e1d6ca Mon Sep 17 00:00:00 2001 
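Review bot: As far as I can tell `ansible.builtin.cron` identifies an entry by its `name` comment (`#Ansible: listupgrade.sh`) rather than by the `job` string, so the new `state: absent` task removes the correctly formed entry too, and the "Enable listupgrade cron" task right after re-creates it — every run would report two changes and briefly leave `/etc/cron.d/listupgrade` without the job. Removing the malformed line by its content instead targets only the entry with the trailing space and is idempotent; a `lineinfile` on the cron file does that.
```yaml
- name: Remove listupgrade cron entry with a trailing space
  ansible.builtin.lineinfile:
    path: /etc/cron.d/listupgrade
    regexp: 'listupgrade\.sh --cron $'
    state: absent
```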
From: Jeremy Lecour Date: Thu, 18 Jan 2024 10:00:38 +0100 Subject: [PATCH 107/151] redis: manage config template inside a block MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This allows to have a coherent block managed by Ansible and extra lines that won't be overwritten. Eg. : automatically added lines for replication, sentinel groups… --- CHANGELOG.md | 1 + redis/defaults/main.yml | 2 ++ redis/tasks/default-server.yml | 28 ++++++++++++++++++++++++---- redis/tasks/instance-server.yml | 27 +++++++++++++++++++++++---- 4 files changed, 50 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3d2caefe..5ba2914d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -51,6 +51,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios: cleaning nrpe check template * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 +* redis: manage config template inside a block, to allow custom modifications outside * squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 * spamassassin: Use spamd starting with Bookworm * unbound: Add config file to allow configuration reload on Debian 11 and lower diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml index b5547597..dc5a5d06 100644 --- a/redis/defaults/main.yml +++ b/redis/defaults/main.yml @@ -3,6 +3,8 @@ redis_systemd_name: redis-server redis_conf_dir_prefix: /etc/redis +redis_conf_marker_label: "ANSIBLE MANAGED CONFIGURATION" + redis_force_instance_port: False redis_port: 6379 diff --git a/redis/tasks/default-server.yml b/redis/tasks/default-server.yml index 89a664e6..89ba641e 100644 --- a/redis/tasks/default-server.yml +++ b/redis/tasks/default-server.yml 
@@ -1,12 +1,32 @@ --- -- name: Redis is configured. - ansible.builtin.template: - src: redis.conf.j2 - dest: "{{ redis_conf_dir }}/redis.conf" +- name: "Add begin marker if missing" + ansible.builtin.lineinfile: + path: "{{ redis_conf_dir }}/redis.conf" + line: "# BEGIN {{ redis_conf_marker_label }}" + insertbefore: BOF + create: yes + tags: + - redis + +- name: "Add end marker if missing" + ansible.builtin.lineinfile: + path: "{{ redis_conf_dir }}/redis.conf" + line: "# END {{ redis_conf_marker_label }}" + insertbefore: "Generated by CONFIG REWRITE" + create: yes + tags: + - redis + +- name: "Create config if missing" + ansible.builtin.blockinfile: + path: "{{ redis_conf_dir }}/redis.conf" + marker: "# {mark} {{ redis_conf_marker_label }}" + block: "{{ lookup('ansible.builtin.template', '../templates/redis.conf.j2') }}" mode: "0640" owner: redis group: redis + create: yes notify: "{{ redis_restart_handler_name }}" tags: - redis diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml index 42dc1876..b5f11053 100644 --- a/redis/tasks/instance-server.yml +++ b/redis/tasks/instance-server.yml 
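Review bot: The task name `Create config if missing` on the blockinfile task is misleading: blockinfile rewrites the managed block on every run (that is what makes the restart handler fire), so a name such as `Managed configuration block is up to date` describes it better. The end-marker anchor also differs between the two files of this commit (`insertbefore: "Generated by CONFIG REWRITE"` here, `"# Generated by CONFIG REWRITE"` in instance-server.yml); both regexes match the same line today, but pinning `insertbefore: '^# Generated by CONFIG REWRITE'` in both avoids drift. A comment above the first lineinfile would also help: on a host whose packaged redis.conf has no markers, the BEGIN marker lands at BOF and the END marker at EOF, so the whole packaged content is replaced by the template on the first run — presumably intended, since the template used to own the file, but surprising to a reader.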
@@ -118,14 +118,33 @@ tags: - redis +- name: "Add begin marker if missing" + ansible.builtin.lineinfile: + path: "{{ redis_conf_dir }}/redis.conf" + line: "# BEGIN {{ redis_conf_marker_label }}" + insertbefore: BOF + create: yes + tags: + - redis -- name: "Instance '{{ redis_instance_name }}' configuration file is present" - ansible.builtin.template: - src: redis.conf.j2 - dest: "{{ redis_conf_dir }}/redis.conf" +- name: "Add end marker if missing" + ansible.builtin.lineinfile: + path: "{{ redis_conf_dir }}/redis.conf" + line: "# END {{ redis_conf_marker_label }}" + insertbefore: "# Generated by CONFIG REWRITE" + create: yes + tags: + - redis + +- name: "Create config if missing" + ansible.builtin.blockinfile: + path: "{{ redis_conf_dir }}/redis.conf" + marker: "# {mark} {{ redis_conf_marker_label }}" + block: "{{ lookup('ansible.builtin.template', '../templates/redis.conf.j2') }}" mode: "0640" owner: redis-{{ redis_instance_name }} group: redis-{{ redis_instance_name }} + create: yes notify: "{{ redis_restart_handler_name }}" tags: - redis From 0c17e4d8fce1e0d9d71aa0d4d136302e295a1fa3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 18 Jan 2024 10:01:46 +0100 Subject: [PATCH 108/151] sort CHANGELOG --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ba2914d..982aef2a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -52,8 +52,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * nagios: rename var `nagios_nrpe_process_processes` into `nagios_nrpe_processes` and check systemd-timesyncd instead of ntpd in Debian 12 * proftpd: in SFTP vhost, enable SSH keys login, enable ed25549 host key for Debian >= 11 * redis: manage config template inside a block, to allow custom modifications outside -* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 * spamassassin: Use spamd starting with Bookworm +* squid: config directory seems to have changed from /etc/squid3 to /etc/squid in Debian 8 * unbound: Add config file to allow configuration reload on Debian 11 and lower * unbound: Add munin configuration & setup plugin * unbound: Big cleanup @@ -74,11 +74,13 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: fix hardware.yml (wrong repo, missing update cache) * evolinux-base: start to install linux-image-cloud-amd64 with Buster * fail2ban: fix template marker +* listupgrade: try and get rid of duplicate entries * nagios: fix default file to monitor for check_clamav_db * nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) * nginx: keep indentation * nginx: take care of « already defined » and « not yet defined » server status suffix in check mode * php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository +* php: drop apt_preferences(5) file for sury * proftpd: set missing default listen IP for SFTP * ssl: no not execute haproxy tasks and reload if haproxy is disabled * unbound: Add a apt cache validity to enforce an apt update if needed 
@@ -86,8 +88,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid -* php: drop apt_preferences(5) file for sury -* listupgrade: try and get rid of duplicate entries ### Removed From bc19912b71f4aaa724dc38fa5e1f5b932fa08f43 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 18 Jan 2024 09:58:16 +0100 Subject: [PATCH 109/151] Revert "listupgrade: try and get rid of duplicate entries" This reverts commit 531b633d991f345ffa62f6a26ddbbd54fa006918. --- CHANGELOG.md | 1 - listupgrade/tasks/main.yml | 13 ------------- 2 files changed, 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 982aef2a..d0e9e7a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -74,7 +74,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: fix hardware.yml (wrong repo, missing update cache) * evolinux-base: start to install linux-image-cloud-amd64 with Buster * fail2ban: fix template marker -* listupgrade: try and get rid of duplicate entries * nagios: fix default file to monitor for check_clamav_db * nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) * nginx: keep indentation diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 78c655e9..dec4881d 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml 
@@ -45,19 +45,6 @@ owner: root group: root -- name: Disable listupgrade cron with an extra ending space - ansible.builtin.cron: - name: "listupgrade.sh" - cron_file: "listupgrade" - user: root - job: "/usr/share/scripts/listupgrade.sh --cron " - minute: "{{ listupgrade_cron_minute }}" - hour: "{{ listupgrade_cron_hour }}" - weekday: "{{ listupgrade_cron_weekday }}" - day: "{{ listupgrade_cron_day }}" - month: "{{ listupgrade_cron_month }}" - state: "absent" - - name: Enable listupgrade cron ansible.builtin.cron: name: "listupgrade.sh" From aa2593f34cffd7b914823d49f71f0a589eeaf00b Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 18 Jan 2024 10:00:15 +0100 Subject: [PATCH 110/151] Revert "listupgrade: No removal (especially of the just installed cron_file) needed" This reverts commit 09f951de181ade87fceaf8409836d99a84cb1c66. --- listupgrade/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index dec4881d..1a48ac6e 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml @@ -58,6 +58,12 @@ month: "{{ listupgrade_cron_month }}" state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}" +- name: Remove old lisupgrade typo + ansible.builtin.cron: + name: "lisupgrade.sh" + cron_file: "listupgrade" + state: absent + - name: old-kernel-autoremoval script is present ansible.builtin.copy: src: old-kernel-autoremoval.sh From 30bd72614d334faef5f83af3443348030e7caa78 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 18 Apr 2023 09:47:03 +0200 Subject: [PATCH 111/151] listupgrade: Fix removal order --- listupgrade/tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml index 1a48ac6e..9261b3fa 100644 --- a/listupgrade/tasks/main.yml +++ b/listupgrade/tasks/main.yml 
@@ -45,6 +45,12 @@ owner: root group: root +- name: Remove old lisupgrade typo + ansible.builtin.cron: + name: "lisupgrade.sh" + cron_file: "listupgrade" + state: absent + - name: Enable listupgrade cron ansible.builtin.cron: name: "listupgrade.sh" @@ -58,12 +64,6 @@ month: "{{ listupgrade_cron_month }}" state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}" -- name: Remove old lisupgrade typo - ansible.builtin.cron: - name: "lisupgrade.sh" - cron_file: "listupgrade" - state: absent - - name: old-kernel-autoremoval script is present ansible.builtin.copy: src: old-kernel-autoremoval.sh From 9b67202acc0d7d0a3c93833fb7d41d5d5a6e4f12 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 23 Jan 2024 16:35:31 +0100 Subject: [PATCH 112/151] webapps/nextcloud: Add condition for archive tasks --- CHANGELOG.md | 1 + webapps/nextcloud/defaults/main.yml | 1 + webapps/nextcloud/tasks/main.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0e9e7a1..6c7fda46 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Add condition for config tasks * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * webapps/nextcloud: Set ownership and permissions of data directory +* webapps/nextcloud: Add condition for archive tasks ### Changed diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml index ca42901e..d9366933 100644 --- a/webapps/nextcloud/defaults/main.yml +++ b/webapps/nextcloud/defaults/main.yml @@ -18,4 +18,5 @@ nextcloud_db_name: "{{ nextcloud_instance_name }}" nextcloud_admin_login: "admin" nextcloud_admin_password: "" +nextcloud_get_archive: True nextcloud_do_config: True diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml index 5329646e..9bbab5b5 100644 --- a/webapps/nextcloud/tasks/main.yml 
+++ b/webapps/nextcloud/tasks/main.yml @@ -48,6 +48,7 @@ - ansible.builtin.include: user.yml - ansible.builtin.include: archive.yml + when: nextcloud_get_archive - ansible.builtin.include: apache-vhost.yml From 251416f3e8e013b7a7f4a040a21b939d11ed5057 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 23 Jan 2024 18:00:54 +0100 Subject: [PATCH 113/151] webapps/nextcloud: Set home directory's mode --- CHANGELOG.md | 1 + webapps/nextcloud/tasks/user.yml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c7fda46..58c62aef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,6 +62,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * unbound: Use root hints provided by debian package dns-root-data instead of downloading them * vrrpd: variable to force update the switch script (default: false) * webapps/nextcloud: Add Ceph volume to fstab +* webapps/nextcloud: Set home directory's mode ### Fixed diff --git a/webapps/nextcloud/tasks/user.yml b/webapps/nextcloud/tasks/user.yml index 020fce90..e9a398b9 100644 --- a/webapps/nextcloud/tasks/user.yml +++ b/webapps/nextcloud/tasks/user.yml @@ -26,6 +26,11 @@ tags: - nextcloud +- name: Set mode for home directory + ansible.builtin.file: + path: "{{ nextcloud_home }}" + mode: "0701" + - name: Create top-level directories ansible.builtin.file: dest: "{{ item }}" From 68d9d3c47ce5032b22ab210ddddda6062d435f81 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 24 Jan 2024 11:45:24 +0100 Subject: [PATCH 114/151] minifirewall: do not open publicly ports except 22222 --- CHANGELOG.md | 1 + minifirewall/defaults/main.yml | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58c62aef..f2b7ace8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
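Review bot: The new condition is `when: nextcloud_get_archive` while this repository coerces such switches elsewhere with `| bool` (e.g. `when: evolinux_check_free_space_include | bool` in evolinux-base later in this series), so an inventory value like `"false"` would be truthy here; use `when: nextcloud_get_archive | bool`. The enclosing task list starts and ends outside the hunk.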
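Review bot: The new "Set mode for home directory" task lacks the `tags: - nextcloud` carried by the neighbouring tasks (visible just above the hunk), so a run with `--tags nextcloud` skips it and the home directory keeps whatever mode it was created with. `mode: "0701"` also grants every local user traversal into `{{ nextcloud_home }}`; if the only consumer is the web server, `mode: "0750"` plus `group:` set to the web server's group is the least-privilege form, and if world-execute really is required a comment should say why. No `owner`/`group` is set either, which is fine if the user task above already did it, but worth a one-line comment.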
@@ -89,6 +89,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid +* minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore. ### Removed diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 18d7d5b3..edb849b9 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -34,9 +34,9 @@ minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] minifirewall_protected_ports_udp: [] -minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 22222] -minifirewall_public_ports_udp: [53] -minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143] +minifirewall_public_ports_tcp: [22222] +minifirewall_public_ports_udp: [] +minifirewall_semipublic_ports_tcp: [22, 80, 443] minifirewall_semipublic_ports_udp: [] minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: [] From cce7280cd0f49e98683c2b90fc15b8f58096429e Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 24 Jan 2024 15:24:42 +0100 Subject: [PATCH 115/151] fail2ban: add script unban_ip --- CHANGELOG.md | 1 + fail2ban/files/unban_ip.sh | 26 ++++++++++++++++++++++++++ fail2ban/tasks/main.yml | 9 +++++++++ 3 files changed, 36 insertions(+) create mode 100644 fail2ban/files/unban_ip.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index f2b7ace8..8de4ddd6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * webapps/nextcloud: Set ownership and permissions of data directory * webapps/nextcloud: Add condition for archive tasks +* fail2ban: add script unban_ip ### Changed 
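Review bot: Port 443 is not closed but moved from the public list to `minifirewall_semipublic_ports_tcp: [22, 80, 443]`, which the CHANGELOG entry in this commit (listing 443 among ports "not opened publicly") does not make clear; a reader would conclude HTTPS is off by default. This is also a breaking default for existing mail/DNS hosts that relied on 25, 53, 993 and 995 being public, so it belongs under "Changed" with an explicit upgrade note rather than under "Fixed". A short comment above the lists, e.g. `# Only the alternate SSH port is world-reachable by default; web ports are semi-public, mail/DNS must be opened per host`, would document the new policy in the defaults themselves.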
diff --git a/fail2ban/files/unban_ip.sh b/fail2ban/files/unban_ip.sh new file mode 100644 index 00000000..c13f2ecd --- /dev/null +++ b/fail2ban/files/unban_ip.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +function version_gt() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; } + +IP="$1" +if [ "$IP" == "" ]; then + echo + echo -e "\033${TERM_COLOR_LIGHT_RED}Usage: $FUNCNAME \033${TERM_COLOR_NORMAL}" + echo + cat <&1 | grep -v "$IP is not banned"; + else + iptables -D f2b-$JAIL -s $IP -j DROP 2>&1 | grep -v 'iptables: Bad rule' && sleep 5 || echo "$IP is not banned"; + fi +done + +exit 0 + diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 1fbb573a..182dbbd5 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -111,3 +111,12 @@ - ansible_distribution_release == "stretch" or ansible_distribution_release == "buster" tags: - fail2ban + +- name: Script unban_ip is installed + ansible.builtin.copy: + src: unban_ip.sh + dst: /usr/local/sbin/unban_ip + mode: '0700' + tags: + - fail2ban + From dae2a25f787f250c264d7e658af79f161170a67d Mon Sep 17 00:00:00 2001 
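Review bot: The usage message prints `Usage: $FUNCNAME`, but this is a script body rather than a function, so `FUNCNAME` is empty (and `TERM_COLOR_LIGHT_RED`/`TERM_COLOR_NORMAL` are never defined here); use `Usage: $0 <ip>`. `IP="$1"` is then passed unquoted and unvalidated to `iptables -D f2b-$JAIL -s $IP -j DROP` and to `grep -v "$IP is not banned"`, so a malformed argument only surfaces as an iptables error that the `grep -v` may hide; validate it first, e.g. `ipcalc -c "$IP" >/dev/null 2>&1 || { echo "invalid IP: $IP" >&2; exit 1; }`, and quote `"$IP"` everywhere. The heredoc after `cat` and the `for JAIL in …` loop header appear to have been lost in this rendering, so the jail enumeration itself could not be reviewed.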
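Review bot: The copy task uses `dst: /usr/local/sbin/unban_ip`, but `ansible.builtin.copy` has no `dst` parameter, so the play fails with "Unsupported parameters" on every host; it must be `dest: /usr/local/sbin/unban_ip`. Since the script is root-only (`mode: '0700'`), also pin `owner: root` and `group: root` so ownership does not depend on the connecting user.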
From: William Hirigoyen Date: Wed, 24 Jan 2024 17:25:20 +0100 Subject: [PATCH 116/151] check_free_space: add role; evolinux-base: install check_free_space by default --- CHANGELOG.md | 1 + check_free_space/defaults/main.yml | 6 + check_free_space/files/check_free_space.sh | 166 ++++++++++++++++++ check_free_space/files/check_free_space.tpl | 24 +++ check_free_space/tasks/main.yml | 37 ++++ check_free_space/tasks/shell_script.yml | 30 ++++ .../templates/cron_check_free_space.j2 | 4 + evolinux-base/defaults/main.yml | 4 + evolinux-base/tasks/main.yml | 5 + 9 files changed, 277 insertions(+) create mode 100644 check_free_space/defaults/main.yml create mode 100755 check_free_space/files/check_free_space.sh create mode 100644 check_free_space/files/check_free_space.tpl create mode 100644 check_free_space/tasks/main.yml create mode 100644 check_free_space/tasks/shell_script.yml create mode 100644 check_free_space/templates/cron_check_free_space.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 8de4ddd6..4a7d57a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -30,6 +30,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Set ownership and permissions of data directory * webapps/nextcloud: Add condition for archive tasks * fail2ban: add script unban_ip +* check_free_space: added role ### Changed diff --git a/check_free_space/defaults/main.yml b/check_free_space/defaults/main.yml new file mode 100644 index 00000000..c699ad91 --- /dev/null +++ b/check_free_space/defaults/main.yml @@ -0,0 +1,6 @@ +--- +check_free_space_partitions: + - "/home" + - "/srv" +check_free_space_max_percent: 70 +check_free_space_mailto: Null diff --git a/check_free_space/files/check_free_space.sh b/check_free_space/files/check_free_space.sh new file mode 100755 index 00000000..f1b89d8c --- /dev/null +++ b/check_free_space/files/check_free_space.sh 
@@ -0,0 +1,166 @@ +#!/bin/sh + +# This script verifies if the specified partitions on a machine are filled +# at more than x%. +# +# If so, it sends a mail to the admin of that machine, warning him/her +# that mesures should be taken. +# +# Two outputs are provided to the recipient of the mail: +# * some general infos with `df` +# * a more indepth inspection with `duc` +# +# This script takes 3 (mandatory) arguments: +# * a list of the partitions to check (space separated) +# * the maximum allowed percentage +# * the email template to use +# +# This script should be ran by cron @daily. +# +# +# Copyright (C) 2016 Louis-Philippe Véronneau +# +# This program is licensed under GPLv3 + + + +# Check argument sanity + +PID_FILE='/var/run/check_free_space.pid' + +if test -f "$PID_FILE" +then + pid=$(cat "$PID_FILE") + ps -p "$pid" > /dev/null + if test $? -eq 0 + then + echo "$0 already run !" >&2 + exit 1 + else + rm $PID_FILE + fi +fi + +echo $$ > $PID_FILE + +if test -z "$1" || test -z "$2" || test -z "$3" # is non null +then + echo "Some arguments are missing. Please issue a partition list, a" \ + "maximum percentage and an email template." + exit 1 +elif ! [ "$2" -le 100 -a "$2" -ge 0 ] # is a percentage +then + echo "Please enter a maximum percentage value between 0 and 100." + exit 1 +fi + +# Argument processing + +partition_list=$1 +max_percentage=$((100-$2)) +email_template=$3 + +HOSTNAME=$(hostname) +debian_version=$(lsb_release -c) + +check_disk='/usr/lib/nagios/plugins/check_disk' + +test -f /etc/evomaintenance.cf && . /etc/evomaintenance.cf + + +# Test what version of df we have + +old_df=false + +case "$debian_version" in + *squeeze* ) old_df=true ;; + *wheezy* ) old_df=true ;; +esac + + +# Check disk space + +df_options="size,avail,pcent,itotal,iavail,ipcent" + +for partition in $partition_list +do + if ! 
$check_disk -w $max_percentage% -W $max_percentage% $partition > /dev/null + then + # the 'newline' is a hack to make sed behave + PARTITION_DATA="$PARTITION_DATA newline $partition newline" + if [ $old_df ] + then + PARTITION_DATA="$PARTITION_DATA $(/bin/df -h $partition) newline" + PARTITION_DATA="$PARTITION_DATA newline $(df -ih $partition) newlinenewline" + else + PARTITION_DATA="$PARTITION_DATA $(/bin/df -h --output=$df_options $partition) newline" + fi + full_partitions="$full_partitions $partition" + partname=$(echo $partition|tr -s '/' '-') + graph_list="$graph_list -a /home/duc${partname}.png" + fi +done + + +# Exit if everything is OK + +if test -z "$PARTITION_DATA" +then + exit 0 +fi + + +# If there is indeed a problem, get more infos with duc + +/usr/bin/ionice -c3 /usr/bin/duc index -H -d /home/duc.idx -x $full_partitions -q + +for partition in $full_partitions +do + duc_temp=$(/usr/bin/duc ls -d /home/duc.idx -Fg $partition) + duc_temp=$(printf "$duc_temp" | sed -e "s@]@]newline@" | grep -v "lost+found") + DUC_OUTPUT="$DUC_OUTPUT newline$partition newline$duc_temp" + partname=$(echo $partition|tr -s '/' '-') + duc graph -d /home/duc.idx -o /home/duc${partname}.png -l8 -s 1024 $partition +done + + +# Replace placeholders & send the mail ! 
+ +PARTITION_DATA="$(echo "$PARTITION_DATA"|tr -d $'\n')" # make sed accept the input +DUC_OUTPUT="$(echo "$DUC_OUTPUT"|tr -d $'\n')" + +if [ $old_df ] +then + sed -e "s/__TO__/$EVOMAINTMAIL/" \ + -e "s/__HOSTNAME__/$HOSTNAME/" \ + -e "s@__PARTITION_DATA__@$PARTITION_DATA@" \ + -e "s@__DUC_OUTPUT__@$DUC_OUTPUT@" \ + -e "s/newline/\n/g" \ + -e "s/IUse%/IUse%\n/g" \ + -e "s/ Use%/ Use%\n/g" \ + -e "s@Filesystem \{12\}@@g" \ + -e "s@Mounted on\/dev\/[a-z]\{3\}[0-9]\+ \{13\}@@g" \ + -e "s@% \/[a-z]\+@%@g" \ + -e "s/__MAX_PERCENTAGE__/$max_percentage/" \ + -e "s/__FULLFROM__/$FULLFROM/" \ + -e "s/__FROM__/$FROM/" \ + -e "s/__URGENCYFROM__/$URGENCYFROM/" \ + -e "s/__URGENCYTEL__/$URGENCYTEL/" \ + $email_template | \ + /usr/bin/mutt -H - $graph_list +else + sed -e "s/__TO__/$EVOMAINTMAIL/" \ + -e "s/__HOSTNAME__/$HOSTNAME/" \ + -e "s@__PARTITION_DATA__@$PARTITION_DATA@" \ + -e "s@__DUC_OUTPUT__@$DUC_OUTPUT@" \ + -e "s/newline/\n/g" \ + -e "s/IUse%/IUse%\n/g" \ + -e "s/__MAX_PERCENTAGE__/$max_percentage/" \ + -e "s/__FULLFROM__/$FULLFROM/" \ + -e "s/__FROM__/$FROM/" \ + -e "s/__URGENCYFROM__/$URGENCYFROM/" \ + -e "s/__URGENCYTEL__/$URGENCYTEL/" \ + $email_template | \ + /usr/bin/mutt -H - $graph_list +fi + +rm -f $PID_FILE diff --git a/check_free_space/files/check_free_space.tpl b/check_free_space/files/check_free_space.tpl new file mode 100644 index 00000000..15ce5635 --- /dev/null +++ b/check_free_space/files/check_free_space.tpl 
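Review bot: `if [ $old_df ]` (used before the `df` calls and again before the `sed`) is always true: `old_df` holds the string `false` or `true`, and `[ non-empty-string ]` succeeds either way, so the `--output=` branch and the shorter sed are dead code on every release; write `if [ "$old_df" = true ]`. The PID file is also leaked on the common path: `echo $$ > $PID_FILE` runs before argument validation, and both the `exit 1` on bad arguments and the `exit 0` when no partition is full return without removing it, so the next run relies on `ps -p` of a possibly reused PID; replace the trailing `rm -f $PID_FILE` with `trap 'rm -f "$PID_FILE"' EXIT` placed right after the file is written. Minor: the header says the script "should be ran by cron @daily" while the cron template in this commit schedules it weekly (`30 4 * * 1`).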
@@ -0,0 +1,24 @@ +From: __FULLFROM__ +Content-Type: text/plain; charset=UTF-8 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +To: __TO__ +Subject: [WARNING] Espace disque faible sur __HOSTNAME__ + +Bonjour, + +Ceci est un message automatique pour vous informer qu'il y a un +souci d'espace disque sur votre serveur __HOSTNAME__ + +Voici les informations sur l'espace disque qui pose problème : +__PARTITION_DATA__ +Détails sur les partitions problématiques : +__DUC_OUTPUT__ +Un graphe par partition problématique est disponible en pièce jointe. + +Nous vous recommandons d'effectuer du ménage pour maintenir +chaque partition avec un minimum de __MAX_PERCENTAGE__% d'espace disque libre. + +Cordialement, +-- +__FULLFROM__ diff --git a/check_free_space/tasks/main.yml b/check_free_space/tasks/main.yml new file mode 100644 index 00000000..b2b4aa07 --- /dev/null +++ b/check_free_space/tasks/main.yml @@ -0,0 +1,37 @@ +--- +- ansible.builtin.include_role: + name: evolix/remount-usr + +- name: Copy check_free_space.sh script + ansible.builtin.copy: + src: files/check_free_space.sh + dest: /usr/share/scripts/check_free_space + owner: root + group: root + mode: "0750" + +- name: Copy email template + ansible.builtin.copy: + src: files/check_free_space.tpl + dest: /usr/share/scripts/check_free_space.tpl + owner: root + group: root + mode: "0644" + +# not using the cron_module for this since it is buggy +- name: check_free_space.sh is run by cron + ansible.builtin.template: + src: templates/cron_check_free_space.j2 + dest: /etc/cron.d/check_free_space + owner: root + group: root + mode: "0644" + force: false + +- name: Duc and Mutt are installed + ansible.builtin.apt: + pkg: + - mutt + - duc + state: present + diff --git a/check_free_space/tasks/shell_script.yml b/check_free_space/tasks/shell_script.yml new file mode 100644 index 00000000..716304a1 --- /dev/null +++ b/check_free_space/tasks/shell_script.yml 
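Review bot: The cron template is installed with `force: false`, so once a host has `/etc/cron.d/check_free_space`, later changes to `check_free_space_partitions`, `check_free_space_max_percent` or `check_free_space_mailto` never reach it; either drop `force: false` and let Ansible own the file, or add a comment above the task stating that the file is deliberately deployed once and must then be edited by hand. The "Duc and Mutt are installed" task also runs last; moving it before the cron task avoids a window where the job is scheduled while `duc`/`mutt` are absent (the script calls both unconditionally). `/usr/share/scripts` is assumed to exist as well — if this role is ever used standalone, an explicit `ansible.builtin.file: path: /usr/share/scripts, state: directory` task would make that safe.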
@@ -0,0 +1,30 @@ +--- + +- include_role: + name: evolix/remount-usr + +- name: shell script + copy: + src: files/check_free_space.sh + dest: /usr/share/scripts/check_free_space + owner: root + group: root + mode: "0750" + +- name: email template + copy: + src: files/check_free_space.tpl + dest: /usr/share/scripts/check_free_space.tpl + owner: root + group: root + mode: "0644" + +# not using the cron_module for this since it is buggy +- name: cron + template: + src: templates/cron_check_free_space.j2 + dest: /etc/cron.d/check_free_space + owner: root + group: root + mode: "0644" + force: false diff --git a/check_free_space/templates/cron_check_free_space.j2 b/check_free_space/templates/cron_check_free_space.j2 new file mode 100644 index 00000000..5017a67b --- /dev/null +++ b/check_free_space/templates/cron_check_free_space.j2 @@ -0,0 +1,4 @@ +{% if check_free_space_mailto and check_free_space_mailto != "" %} +MAILTO={{ check_free_space_mailto }} +{% endif %} +30 4 * * 1 root /usr/share/scripts/check_free_space "{{ check_free_space_partitions | join(' ') }}" {{ check_free_space_max_percent }} /usr/share/scripts/check_free_space.tpl diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index bf56d6de..7811ae89 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -211,6 +211,10 @@ evolinux_munin_include: True evolinux_nagios_nrpe_include: True +# check_free_space + +evolinux_check_free_space_include: True + # fail2ban evolinux_fail2ban_include: False diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index d482981a..b8f64844 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml 
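Review bot: `shell_script.yml` duplicates the first three tasks of `main.yml` (same script, template and cron destinations) but is never included from `main.yml`, and it uses the short module names `include_role`/`copy`/`template` where the rest of this commit uses `ansible.builtin.*`. It looks like a leftover from an earlier layout: either delete it, or make `main.yml` consist of `- ansible.builtin.import_tasks: shell_script.yml` plus the apt task so there is a single place to fix.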
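Review bot: The MAILTO guard `{% if check_free_space_mailto and check_free_space_mailto != "" %}` is redundant in its second clause, since both the default `Null` and an empty string already fail the first test; `{% if check_free_space_mailto %}` is enough. The schedule `30 4 * * 1` is weekly while the script header in this same commit promises `@daily`; align one with the other, and consider exposing the schedule as a variable (e.g. `check_free_space_cron_schedule`) so hosts can tune it without a local edit that `force: false` would then freeze.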
@@ -127,6 +127,11 @@ name: evolix/nagios-nrpe when: evolinux_nagios_nrpe_include | bool +- name: check_free_space + ansible.builtin.include_role: + name: evolix/check_free_space + when: evolinux_check_free_space_include | bool + - name: Autosysadmin ansible.builtin.include_role: name: 'evolix/autosysadmin' From b31aa53c810e0355ac044687b1e1b3ebe4f9c6da Mon Sep 17 00:00:00 2001 From: David Prevot Date: Thu, 25 Jan 2024 13:59:36 +0100 Subject: [PATCH 117/151] apt: Improve check mode --- apt/tasks/migrate-to-deb822.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/apt/tasks/migrate-to-deb822.yml b/apt/tasks/migrate-to-deb822.yml index e7339e8b..e79ddf82 100644 --- a/apt/tasks/migrate-to-deb822.yml +++ b/apt/tasks/migrate-to-deb822.yml @@ -31,6 +31,11 @@ tags: - apt +- name: Is system.sources present? + ansible.builtin.stat: + path: /etc/apt/sources.list.d/system.sources + register: _system_sources + - name: Add signed-by when relevant for bookworm ansible.builtin.lineinfile: dest: /etc/apt/sources.list.d/system.sources @@ -39,6 +44,12 @@ state: present tags: - apt + when: _system_sources.stat.exists or not ansible_check_mode + +- name: Is security.sources present? + ansible.builtin.stat: + path: /etc/apt/sources.list.d/security.sources + register: _security_sources - name: Add signed-by when relevant for bookworm-security ansible.builtin.lineinfile: @@ -48,3 +59,4 @@ state: present tags: - apt + when: _security_sources.stat.exists or not ansible_check_mode From d55b2b14bbab7e3955cce8abcb5bec26581a44d3 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 29 Jan 2024 09:44:57 +0100 Subject: [PATCH 118/151] evolinux-base: tfix --- evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 b/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 index 9d424a5b..8fbc2d84 100644 
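Review bot: The two new stat tasks ("Is system.sources present?", "Is security.sources present?") carry no `tags: - apt`, unlike every other task in this file, so a run limited with `--tags apt` skips them and the following `when: _system_sources.stat.exists or not ansible_check_mode` fails on an undefined variable. Add `tags: - apt` to both stat tasks. A one-line comment above each, saying the stat exists only so that check mode does not fail on a file the earlier migration task would have created, would also help the next reader understand why the condition is only relevant under `ansible_check_mode`.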
--- a/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 +++ b/evolinux-base/templates/hardware/hwraid.le-vert.net.sources.j2 @@ -4,5 +4,5 @@ Types: deb URIs: http://hwraid.le-vert.net/debian Suites: {{ ansible_distribution_release }} Components: main -Signed-by: {{ apt_keyring_dir }}/hwraid.le-vert.net.asc] +Signed-by: {{ apt_keyring_dir }}/hwraid.le-vert.net.asc Enabled: yes From 1924324c076714d6ce04f150c6683a15730706cd Mon Sep 17 00:00:00 2001 From: David Prevot Date: Mon, 29 Jan 2024 09:49:36 +0100 Subject: [PATCH 119/151] apt: No preferences needed for backports --- apt/files/bookworm_backports_preferences | 3 --- apt/files/bullseye_backports_preferences | 3 --- apt/files/buster_backports_preferences | 3 --- apt/files/jessie_backports_preferences | 3 --- apt/files/stretch_backports_preferences | 3 --- apt/tasks/backports.deb822.yml | 10 ---------- apt/tasks/backports.oneline.yml | 10 ---------- 7 files changed, 35 deletions(-) delete mode 100644 apt/files/bookworm_backports_preferences delete mode 100644 apt/files/bullseye_backports_preferences delete mode 100644 apt/files/buster_backports_preferences delete mode 100644 apt/files/jessie_backports_preferences delete mode 100644 apt/files/stretch_backports_preferences diff --git a/apt/files/bookworm_backports_preferences b/apt/files/bookworm_backports_preferences deleted file mode 100644 index eaf76d52..00000000 --- a/apt/files/bookworm_backports_preferences +++ /dev/null @@ -1,3 +0,0 @@ -Package: * -Pin: release a=bookworm-backports -Pin-Priority: 50 diff --git a/apt/files/bullseye_backports_preferences b/apt/files/bullseye_backports_preferences deleted file mode 100644 index 3a667c93..00000000 --- a/apt/files/bullseye_backports_preferences +++ /dev/null @@ -1,3 +0,0 @@ -Package: * -Pin: release a=bullseye-backports -Pin-Priority: 50 diff --git a/apt/files/buster_backports_preferences b/apt/files/buster_backports_preferences deleted file mode 100644 index 30fef48d..00000000 
--- a/apt/files/buster_backports_preferences +++ /dev/null @@ -1,3 +0,0 @@ -Package: * -Pin: release a=buster-backports -Pin-Priority: 50 diff --git a/apt/files/jessie_backports_preferences b/apt/files/jessie_backports_preferences deleted file mode 100644 index dd3cef12..00000000 --- a/apt/files/jessie_backports_preferences +++ /dev/null @@ -1,3 +0,0 @@ -Package: * -Pin: release a=jessie-backports -Pin-Priority: 50 diff --git a/apt/files/stretch_backports_preferences b/apt/files/stretch_backports_preferences deleted file mode 100644 index 6d5d03be..00000000 --- a/apt/files/stretch_backports_preferences +++ /dev/null @@ -1,3 +0,0 @@ -Package: * -Pin: release a=stretch-backports -Pin-Priority: 50 diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml index 0382892d..9b92aafd 100644 --- a/apt/tasks/backports.deb822.yml +++ b/apt/tasks/backports.deb822.yml @@ -10,16 +10,6 @@ tags: - apt -- name: Backports configuration - ansible.builtin.copy: - src: '{{ ansible_distribution_release }}_backports_preferences' - dest: /etc/apt/preferences.d/0-backports-defaults - force: true - mode: "0640" - register: apt_backports_config - tags: - - apt - - name: Apt update ansible.builtin.apt: update_cache: yes diff --git a/apt/tasks/backports.oneline.yml b/apt/tasks/backports.oneline.yml index 11de5c52..a235270e 100644 --- a/apt/tasks/backports.oneline.yml +++ b/apt/tasks/backports.oneline.yml @@ -17,16 +17,6 @@ tags: - apt -- name: Backports configuration - ansible.builtin.copy: - src: '{{ ansible_distribution_release }}_backports_preferences' - dest: /etc/apt/preferences.d/0-backports-defaults - force: true - mode: "0640" - register: apt_backports_config - tags: - - apt - - name: Archived backport are accepted (jessie) ansible.builtin.lineinfile: dest: '/etc/apt/apt.conf.d/99no-check-valid-until' From e14408cb05de34c79090227db73a707bb3aaefa7 Mon Sep 17 00:00:00 2001 
From: David Prevot Date: Mon, 29 Jan 2024 10:06:52 +0100 Subject: [PATCH 120/151] apt: follow up from previous commit --- apt/tasks/backports.deb822.yml | 2 +- apt/tasks/backports.oneline.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apt/tasks/backports.deb822.yml b/apt/tasks/backports.deb822.yml index 9b92aafd..db117d94 100644 --- a/apt/tasks/backports.deb822.yml +++ b/apt/tasks/backports.deb822.yml @@ -13,6 +13,6 @@ - name: Apt update ansible.builtin.apt: update_cache: yes - when: apt_backports_sources is changed or apt_backports_config is changed + when: apt_backports_sources is changed tags: - apt diff --git a/apt/tasks/backports.oneline.yml b/apt/tasks/backports.oneline.yml index a235270e..1630de19 100644 --- a/apt/tasks/backports.oneline.yml +++ b/apt/tasks/backports.oneline.yml @@ -32,4 +32,4 @@ update_cache: yes tags: - apt - when: apt_backports_list is changed or apt_backports_config is changed + when: apt_backports_list is changed From 393c1f4ff1dd7f6a963472e09e53fd46c3a431e2 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Mon, 29 Jan 2024 12:04:38 +0100 Subject: [PATCH 121/151] add missing LDAP conf iterate_filter to exclude disabled accounts in users list --- CHANGELOG.md | 1 + dovecot/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a7d57a3..d332ec7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
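Review bot: With the copy task gone, nothing removes the `/etc/apt/preferences.d/0-backports-defaults` that earlier runs deployed, so existing hosts keep `Pin-Priority: 50` while fresh hosts get backports at the archive's default priority (as far as I know 100, since the backports suites are flagged ButAutomaticUpgrades, meaning packages already installed from backports start following backports updates); the fleet diverges silently. Add a task such as `- name: Obsolete backports preferences are removed` / `ansible.builtin.file: path: /etc/apt/preferences.d/0-backports-defaults, state: absent` with `tags: - apt` to both backports task files. The change in upgrade semantics also deserves a CHANGELOG line, which neither this commit nor the previous one adds.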
@@ -92,6 +92,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid * minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore. +* dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »). ### Removed diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index edb39164..6c4e7608 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -37,6 +37,7 @@ - { key: 'user_attrs', value: 'homeDirectory=home' } - { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' } - { key: 'pass_attrs', value: 'uid=user,userPassword=password' } + - { key: 'iterate_filter', value: '(&(isActive=TRUE))' } when: ldap_suffix is defined notify: reload dovecot tags: From d67e2b122fb3cbaa9b8c08fd90601dcb92daf33c Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 31 Jan 2024 18:04:11 +0100 Subject: [PATCH 122/151] nagios-nrpe, generateldif: new check_pressure_{cpu,io,mem} --- CHANGELOG.md | 2 ++ generate-ldif/templates/generateldif.sh.j2 | 27 ++++++++++++++++++++++ nagios-nrpe/templates/evolix.cfg.j2 | 3 +++ 3 files changed, 32 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d332ec7d..4f6fe59a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,6 +31,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: Add condition for archive tasks * fail2ban: add script unban_ip * check_free_space: added role +* nagios-nrpe: new check_pressure_{cpu,io,mem} +* generateldif: new Services for check_pressure_{cpu,io,mem} ### Changed 
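Review bot: The added `iterate_filter` value `(&(isActive=TRUE))` wraps a single clause in an LDAP AND, which evaluates exactly like `(isActive=TRUE)`; the shorter form reads more clearly unless a second clause is planned. The condition is consistent with the `isActive=TRUE` test already present in `user_filter`, so the filter itself looks right. The task header and the `ldap_suffix` definition are outside this hunk.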
diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 75eedfb4..39fc30cf 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 @@ -14,6 +14,7 @@ get_pkg_version() { sed 's/[~+-].\+//' | sed 's/.\+://' | sed 's/p.*//' | cut -d'.' -f1,2 } +debianVersion=$(cut -d "." -f 1 < /etc/debian_version) clientNumber="{{ client_number | mandatory }}" monitoringMode="{{ monitoring_mode | mandatory }}" monitoringType="{{ monitoring_type | mandatory }}" @@ -763,6 +764,32 @@ ServiceVersion: Undefined EOT fi +# Check pressure +if [ "${debianVersion}" -ge 12 ]; then + cat <> "${ldif_file}" + +dn: ServiceName=pressure_cpu,${computer_dn} +objectClass: EvoService +NagiosEnabled: TRUE +ServiceName: pressure_cpu +ServiceType: pressure +ServiceVersion: Undefined + +dn: ServiceName=pressure_io,${computer_dn} +objectClass: EvoService +NagiosEnabled: TRUE +ServiceName: pressure_io +ServiceType: pressure +ServiceVersion: Undefined + +dn: ServiceName=pressure_mem,${computer_dn} +objectClass: EvoService +NagiosEnabled: TRUE +ServiceName: pressure_mem +ServiceType: pressure +ServiceVersion: Undefined +EOT +fi # test if we have a stdout if [ -t 1 ]; then diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 66ecc51a..1f39bcff 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
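Review bot: `[ "${debianVersion}" -ge 12 ]` in the second hunk assumes the first dot-separated field of `/etc/debian_version` is numeric, but on testing/unstable installs that file holds a codename (for example `trixie/sid`), so `cut` returns a non-number, `[` prints an "integer expression expected" error and the pressure services are silently skipped. A one-line normalisation right after the assignment in the first hunk avoids that: `case "${debianVersion}" in ''|*[!0-9]*) debianVersion=0 ;; esac`. Neither hunk shows the surrounding script structure, so the placement of `debianVersion` relative to other early-exit paths should be checked in the full file.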
@@ -90,6 +90,9 @@ command[check_php-fpm82]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi command[check_php-fpm83]=sudo {{ nagios_plugins_directory }}/check_phpfpm_multi /var/lib/lxc/php83/rootfs/etc/php/8.3/fpm/pool.d/ command[check_dhcp_pool]={{ nagios_plugins_directory }}/check_dhcp_pool command[check_ssl_local]={{ nagios_plugins_directory }}/check_ssl_local +command[check_pressure_cpu]=/usr/lib/nagios/plugins/check_pressure --cpu -w 100000 -c 500000 +command[check_pressure_mem]=/usr/lib/nagios/plugins/check_pressure --mem -w 100000 -c 500000 +command[check_pressure_io]=/usr/lib/nagios/plugins/check_pressure --io -w 100000 -c 500000 # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates). # Beware! All checks must not take more than 10s! From 4c9e4a30cc7903ba3a145e19fde962f24f52ff8c Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 1 Feb 2024 11:06:21 +0100 Subject: [PATCH 123/151] userlogrotate: Ensure we use a valid group name Use user's primary group when user's name is not an existing group. --- CHANGELOG.md | 1 + userlogrotate/files/userlogrotate | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f6fe59a..8a84db8d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,6 +67,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * vrrpd: variable to force update the switch script (default: false) * webapps/nextcloud: Add Ceph volume to fstab * webapps/nextcloud: Set home directory's mode +* userlogrotate: Use user's primary group when user's name is not an existing group ### Fixed diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index 2a76eaaf..da12a36c 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate 
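Review bot: The three new `check_pressure_*` commands hard-code `/usr/lib/nagios/plugins` while the neighbouring commands use `{{ nagios_plugins_directory }}`; if `check_pressure` is deployed by the role with the other plugins, the variable should be used so an overridden directory does not leave these checks pointing at a missing binary, e.g. `command[check_pressure_cpu]={{ nagios_plugins_directory }}/check_pressure --cpu -w 100000 -c 500000`. If the plugin is deliberately taken from the distribution package path, a comment above the three lines saying so would stop the next reader from "fixing" it.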
@@ -73,6 +73,9 @@ for path in ${SYSTEM_LOGS_SEARCH_PATHS[@]}; do for file in ${log_paths}; do user="$(user_for "${file}")" group="$(group_for "${file}")" + if ! getent group "${user}" > /dev/null 2> /dev/null; then + group="$(id -gn "${user}")" + fi rotate "${file}" "${group}":"${user}" delete_old "$(dirname "${file}")" done @@ -85,6 +88,9 @@ for path in ${APPLICATIVE_LOGS_SEARCH_PATHS[@]}; do for file in ${log_paths}; do user="$(user_for "${file}")" group="$(group_for "${file}")" + if ! getent group "${user}" > /dev/null 2> /dev/null; then + group="$(id -gn "${user}")" + fi rotate "${file}" "${group}":"${user}" delete_old "$(dirname "${file}")" done From 8741167a808b6b313b066b5dd28530b9e1515e87 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Thu, 1 Feb 2024 17:04:30 +0100 Subject: [PATCH 124/151] Revert last commit --- CHANGELOG.md | 1 - userlogrotate/files/userlogrotate | 6 ------ 2 files changed, 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a84db8d..4f6fe59a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,7 +67,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * vrrpd: variable to force update the switch script (default: false) * webapps/nextcloud: Add Ceph volume to fstab * webapps/nextcloud: Set home directory's mode -* userlogrotate: Use user's primary group when user's name is not an existing group ### Fixed diff --git a/userlogrotate/files/userlogrotate b/userlogrotate/files/userlogrotate index da12a36c..2a76eaaf 100644 --- a/userlogrotate/files/userlogrotate +++ b/userlogrotate/files/userlogrotate @@ -73,9 +73,6 @@ for path in ${SYSTEM_LOGS_SEARCH_PATHS[@]}; do for file in ${log_paths}; do user="$(user_for "${file}")" group="$(group_for "${file}")" - if ! getent group "${user}" > /dev/null 2> /dev/null; then - group="$(id -gn "${user}")" - fi rotate "${file}" "${group}":"${user}" delete_old "$(dirname "${file}")" done 
@@ -88,9 +85,6 @@ for path in ${APPLICATIVE_LOGS_SEARCH_PATHS[@]}; do for file in ${log_paths}; do user="$(user_for "${file}")" group="$(group_for "${file}")" - if ! getent group "${user}" > /dev/null 2> /dev/null; then - group="$(id -gn "${user}")" - fi rotate "${file}" "${group}":"${user}" delete_old "$(dirname "${file}")" done From de0a98d6933a9ab51f4a8c2bdc53579153f79db0 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 1 Feb 2024 16:42:45 +0100 Subject: [PATCH 125/151] dovecot: fix missing default mails --- CHANGELOG.md | 1 + dovecot/defaults/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f6fe59a..c2d5fb3f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -95,6 +95,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix missing gid * minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore. * dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »). +* dovecot: fix missing default mails ### Removed diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index eb4e6aa1..7959befc 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml @@ -1,5 +1,6 @@ --- +general_alert_email: "root@localhost" log2mail_alert_email: Null dovecot_vmail_uid: 5000 From 9f530d78db5b82d9a95d2a46e743cae8afb6d53f Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 1 Feb 2024 16:44:51 +0100 Subject: [PATCH 126/151] evolinux-base: addd cert.sh, a small readonly openssl wrapper (testing, not deployed yet) --- evolinux-base/files/cert.sh | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 evolinux-base/files/cert.sh 
diff --git a/evolinux-base/files/cert.sh b/evolinux-base/files/cert.sh new file mode 100644 index 00000000..2782ec15 --- /dev/null +++ b/evolinux-base/files/cert.sh @@ -0,0 +1,36 @@ +#!/bin/bash +# +# Shortcut to show certificate content or enddate. +# + +usage() { + echo "Usage : cert [date] " +} + +if [ "$#" -eq 1 ]; then + cert_path=$1 + if [ -f "${cert_path}" ]; then + openssl x509 -noout -in "${cert_path}" -text + else + >&2 echo "Error, file ${cert_path} does not exist." + fi + +elif [ "$#" -eq 2 ]; then + if [ "$1" = "date" ]; then + cert_path=$2 + if [ -f "${cert_path}" ]; then + openssl x509 -noout -in "$cert_path" -enddate + else + >&2 echo "Error, file ${cert_path} does not exist." + fi + else + >&2 echo "Error, two arguments provided but 'date' is only allowed as first." + usage + exit 1 + fi + +else + >&2 echo "Error, more than two arguments provided." + usage + exit 1 +fi From bc07010aa6d4972db6e7e3d35acf17ad9b731093 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 1 Feb 2024 16:49:24 +0100 Subject: [PATCH 127/151] webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice) --- CHANGELOG.md | 1 + webapps/evoadmin-mail/tasks/apache.yml | 1 + webapps/roundcube/tasks/main.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2d5fb3f..d1eed7a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
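Review bot: The final `else` branch is reached with zero arguments as well, yet its message says "more than two arguments provided", and both "file does not exist" branches print an error but let the script exit 0, which hides failures from any caller that checks the status. Changing the message to `>&2 echo "Error, expected one or two arguments."` and adding `exit 1` after each missing-file error makes the exit status match the output. The usage text `cert [date] ` also appears to omit the certificate path argument (unless it was lost in this copy of the patch); `echo "Usage : cert [date] CERT_FILE"` would document the actual contract.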
@@ -96,6 +96,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore. * dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »). * dovecot: fix missing default mails +* webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice) ### Removed diff --git a/webapps/evoadmin-mail/tasks/apache.yml b/webapps/evoadmin-mail/tasks/apache.yml index 26c2b53b..87eb3d2a 100644 --- a/webapps/evoadmin-mail/tasks/apache.yml +++ b/webapps/evoadmin-mail/tasks/apache.yml @@ -12,6 +12,7 @@ src: "/etc/apache2/sites-available/evoadminmail.conf" dest: "/etc/apache2/sites-enabled/evoadminmail.conf" state: link + force: true notify: reload apache2 when: evoadminmail_enable_vhost | bool tags: diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index 17422246..b25adedf 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -99,6 +99,7 @@ src: /etc/apache2/sites-available/roundcube.conf dest: /etc/apache2/sites-enabled/roundcube.conf state: link + force: true notify: reload apache2 when: roundcube_webserver == "apache" tags: From 554bbaa36fe62403aa9bb98b97eddcf3feee01b3 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Thu, 1 Feb 2024 16:53:00 +0100 Subject: [PATCH 128/151] roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL) --- CHANGELOG.md | 1 + webapps/roundcube/tasks/main.yml | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1eed7a8..4cc1f8ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
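Review bot: `force: true` on a `state: link` task makes `ansible.builtin.file` replace whatever currently sits at `sites-enabled/evoadminmail.conf`, including a regular file or a link to a different vhost, instead of failing; that is presumably the second-run failure the commit fixes, but it also means a hand-edited file at that path is discarded without notice. A short comment above the line, such as `# replace any pre-existing file/link so the task is idempotent`, records why the flag is there. The same applies to the identical hunk in `webapps/roundcube/tasks/main.yml`.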
@@ -97,6 +97,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »). * dovecot: fix missing default mails * webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice) +* roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL) ### Removed diff --git a/webapps/roundcube/tasks/main.yml b/webapps/roundcube/tasks/main.yml index b25adedf..a0fd25b9 100644 --- a/webapps/roundcube/tasks/main.yml +++ b/webapps/roundcube/tasks/main.yml @@ -58,7 +58,7 @@ tags: - roundcube -- name: configure roudcube imap port +- name: configure roundcube imap port ansible.builtin.lineinfile: dest: /etc/roundcube/config.inc.php regexp: "\\$config\\['default_port'\\]" @@ -67,6 +67,15 @@ tags: - roundcube +- name: configure roundcube smtp port + ansible.builtin.lineinfile: + dest: /etc/roundcube/config.inc.php + regexp: "\\$config\\['smtp_port'\\]" + insertafter: "\\$config\\['smtp_port'\\]" + line: "$config['smtp_port'] = 25;" + tags: + - roundcube + - name: configure managesieve plugin ansible.builtin.copy: src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist From 1f8738fbda5c8cdb6891c255e487a7a941e95c6a Mon Sep 17 00:00:00 2001 
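Review bot: `insertafter` uses the same pattern as `regexp`, which cannot help: when `regexp` matches, the line is replaced in place, and when it does not, `insertafter` cannot match either and `lineinfile` appends at end of file. Anchoring on the neighbouring setting instead, `insertafter: "\\$config\\['default_port'\\]"`, keeps the new `smtp_port` line next to the IMAP port setting managed by the previous task. Since this switches Roundcube to unencrypted SMTP on port 25, a comment stating that the configured `smtp_server` is expected to be local would document the assumption; the server setting is not visible in this hunk.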
From: William Hirigoyen Date: Wed, 24 Jan 2024 11:42:15 +0100 Subject: [PATCH 129/151] postfix: move postfix installation from evolinux-base to postfix role, plus some refactoring postfix: * Move common packages installation in common.yml * Replace ansible_fqdn by evolinux_fqdn, set postfix_slow_transport_include to false by default (only for packmails and packwebs) * Remove dependency on evolinux_fqdn var * Do not overwrite main.cf if it has been modified (except if postfix_force_main_cf) evolinux-base: * Move exim4 purge from evolinux-base to postfix role * Call postfix role call after nagios role (dependency) --- CHANGELOG.md | 3 ++ dovecot/defaults/main.yml | 1 - evolinux-base/defaults/main.yml | 4 +- evolinux-base/files/cert.sh | 1 + .../tasks/{postfix.yml => mail_aliases.yml} | 46 ------------------- evolinux-base/tasks/main.yml | 19 +++++++- postfix/defaults/main.yml | 6 ++- postfix/tasks/common.yml | 29 ++++++++++-- postfix/tasks/minimal.yml | 12 ++--- postfix/tasks/packmail-spam.yml | 6 +-- postfix/tasks/packmail.yml | 10 ++-- postfix/templates/packmail_main.cf.j2 | 2 +- postfix/vars/main.yml | 12 +++-- 13 files changed, 73 insertions(+), 78 deletions(-) rename evolinux-base/tasks/{postfix.yml => mail_aliases.yml} (52%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4cc1f8ec..c22a6afa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -97,6 +97,9 @@ The **patch** part changes is incremented if multiple releases happen the same m * dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »). * dovecot: fix missing default mails * webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice) +* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) +* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode +* postfix: remove dependency on evolinux_fqdn var * roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL) ### Removed diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index 7959befc..77bbfa05 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml @@ -2,6 +2,5 @@ general_alert_email: "root@localhost" log2mail_alert_email: Null - dovecot_vmail_uid: 5000 dovecot_vmail_gid: 5000 diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 7811ae89..97f5540e 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -159,12 +159,10 @@ evolinux_root_disable_ssh: False # postfix evolinux_postfix_include: True - -evolinux_postfix_packages: True +evolinux_mail_aliases_include: True evolinux_postfix_users_alias_root: True evolinux_postfix_mailer_alias_root: True evolinux_postfix_root_alias: True -evolinux_postfix_purge_exim: True # logs diff --git a/evolinux-base/files/cert.sh b/evolinux-base/files/cert.sh index 2782ec15..f43a9dad 100644 --- a/evolinux-base/files/cert.sh +++ b/evolinux-base/files/cert.sh @@ -34,3 +34,4 @@ else usage exit 1 fi + 
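Review bot: `evolinux_postfix_packages` and `evolinux_postfix_purge_exim` are removed from the public defaults, so inventories that set them (for example to keep exim) now have no effect and get no warning; the replacement knob lives in the postfix role as `postfix_purge_exim`. A comment at the removed location, `# exim purge is controlled by postfix_purge_exim in the postfix role`, plus a CHANGELOG line naming the renamed variables, would make the migration visible. The CHANGELOG hunk of this commit only mentions the `evolinux_fqdn` dependency.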
diff --git a/evolinux-base/tasks/postfix.yml b/evolinux-base/tasks/mail_aliases.yml similarity index 52% rename from evolinux-base/tasks/postfix.yml rename to evolinux-base/tasks/mail_aliases.yml index d9dba3e2..4007d415 100644 --- a/evolinux-base/tasks/postfix.yml +++ b/evolinux-base/tasks/mail_aliases.yml @@ -1,36 +1,5 @@ --- -- name: Postfix packages are installed - ansible.builtin.apt: - name: - - postfix - - mailgraph - state: present - tags: - - packages - - postfix - when: evolinux_postfix_packages | bool - -- name: configure postfix myhostname - ansible.builtin.lineinfile: - dest: /etc/postfix/main.cf - state: present - line: "myhostname = {{ evolinux_fqdn }}" - regexp: '^myhostname' - notify: reload postfix - tags: - - postfix - -- name: configure postfix mynetworks - ansible.builtin.lineinfile: - dest: /etc/postfix/main.cf - state: present - line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost localhost.$mydomain" - regexp: '^mydestination' - notify: reload postfix - tags: - - postfix - - name: fetch users list ansible.builtin.shell: cmd: "set -o pipefail && getent passwd | cut -d':' -f 1 | grep -v root" @@ -81,18 +50,3 @@ - ansible.builtin.meta: flush_handlers -- name: exim4 is absent - ansible.builtin.apt: - name: - - exim4 - - exim4-base - - exim4-config - - exim4-daemon-light - purge: yes - state: absent - tags: - - packages - - postfix - when: evolinux_postfix_purge_exim | bool - -- ansible.builtin.meta: flush_handlers diff --git a/evolinux-base/tasks/main.yml b/evolinux-base/tasks/main.yml index b8f64844..d27b69eb 100644 --- a/evolinux-base/tasks/main.yml +++ b/evolinux-base/tasks/main.yml 
@@ -81,9 +81,16 @@ ansible.builtin.import_tasks: root.yml when: evolinux_root_include | bool -- name: Postfix - ansible.builtin.import_tasks: postfix.yml +- name: Postfix role + ansible.builtin.include_role: + name: evolix/postfix when: evolinux_postfix_include | bool + tags: + - postfix + +- name: Configure /etc/aliases + ansible.builtin.import_tasks: mail_aliases.yml + when: evolinux_mail_aliases_include | bool - name: Logs management ansible.builtin.import_tasks: logs.yml @@ -132,6 +139,14 @@ name: evolix/check_free_space when: evolinux_check_free_space_include | bool +# postfix role must be after nagios-nrpe role +- name: Postfix role + ansible.builtin.include_role: + name: evolix/postfix + when: evolinux_postfix_include | bool + tags: + - postfix + - name: Autosysadmin ansible.builtin.include_role: name: 'evolix/autosysadmin' diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index 55ab72cd..4632d79b 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -1,5 +1,7 @@ --- -postfix_hostname: "{{ ansible_fqdn }}" +postfix_hostname: "{{ evolinux_hostname }}.{{ evolinux_domain }}" postfix_force_main_cf: False postfix_packmail: False -postfix_slow_transport_include: "{{ postfix_packmail }}" +postfix_slow_transport_include: False +postfix_purge_exim: True + diff --git a/postfix/tasks/common.yml b/postfix/tasks/common.yml index 29e6dd07..b2a09398 100644 --- a/postfix/tasks/common.yml +++ b/postfix/tasks/common.yml 
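Review bot: The `evolix/postfix` role is now included twice in `evolinux-base/tasks/main.yml`: the first hunk replaces the old `postfix.yml` import with an `include_role` at the original position, and the second hunk adds the same `include_role` (under the `# postfix role must be after nagios-nrpe role` comment) further down. Both run under `evolinux_postfix_include`, so the role executes twice per play; only one should remain, and given the commit message the first is the one to drop. If the first include goes, check that `mail_aliases.yml`, which stays at that position, does not need postfix already installed (its contents are outside this hunk).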
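Review bot: `postfix_hostname` now defaults to `{{ evolinux_hostname }}.{{ evolinux_domain }}`, so running the postfix role outside evolinux-base fails on an undefined variable where the previous `ansible_fqdn` default always resolved. A fallback keeps both uses working: `postfix_hostname: "{{ evolinux_hostname | default(ansible_hostname) }}.{{ evolinux_domain | default(ansible_domain) }}"`. `postfix_slow_transport_include` also changes from following `postfix_packmail` to a flat `False`, which is a behaviour change for packmail hosts; a comment such as `# enabled explicitly on packmail/packweb hosts` would record the new expectation.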
@@ -1,11 +1,32 @@ ---- -- name: check if main.cf is default +- name: Postfix packages are installed + ansible.builtin.apt: + name: + - postfix + - mailgraph + state: present + tags: + - postfix + +- name: exim4 is absent + ansible.builtin.apt: + name: + - exim4 + - exim4-base + - exim4-config + - exim4-daemon-light + purge: yes + state: absent + tags: + - postfix + when: postfix_purge_exim | bool + +- name: compute main.cf SHA1 checksum ansible.builtin.shell: - cmd: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -' + cmd: 'grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | sha1sum | cut -d " " -f1' changed_when: False check_mode: no - register: default_main_cf + register: main_cf_checksum tags: - postfix diff --git a/postfix/tasks/minimal.yml b/postfix/tasks/minimal.yml index 36327b3e..b7bd29d0 100644 --- a/postfix/tasks/minimal.yml +++ b/postfix/tasks/minimal.yml @@ -1,10 +1,8 @@ --- -- name: ensure packages are installed - ansible.builtin.apt: - name: postfix - state: present - tags: - - postfix + +- name: display checksums of known main.cf files + debug: + var: main_cf_known_checksums - name: create minimal main.cf ansible.builtin.template: @@ -15,6 +13,6 @@ mode: "0644" force: true notify: restart postfix - when: (postfix_force_main_cf | bool) or (postfix_maincf_md5_jessie in default_main_cf.stdout) or (postfix_maincf_md5_stretch in default_main_cf.stdout) + when: (postfix_force_main_cf | bool) or (main_cf_checksum.stdout in main_cf_known_checksums) tags: - postfix diff --git a/postfix/tasks/packmail-spam.yml b/postfix/tasks/packmail-spam.yml index 114be769..f90f8cae 100644 --- a/postfix/tasks/packmail-spam.yml +++ b/postfix/tasks/packmail-spam.yml @@ -1,8 +1,6 @@ --- -- name: "mount /usr in rw" - ansible.builtin.command: - cmd: 'mount -o remount,rw /usr' - changed_when: False +- ansible.builtin.include_role: + name: evolix/remount-usr tags: postfix - name: copy spam.sh script 
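Review bot: The hunk drops the `---` document marker at the top of `common.yml` while every other task file in the patch keeps it; restoring `---` as the first line keeps the files uniform. The new exim task uses `purge: yes` where the rest of this patch writes booleans as `true`/`false` (`force: true`), so `purge: true` would match. The checksum task now relies on the package task above it to guarantee that `/etc/postfix/main.cf` exists for the `grep`; a one-line comment stating that ordering dependency would protect it from being reordered.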
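Review bot: The new `display checksums of known main.cf files` task uses the short module name `debug:` while the surrounding tasks use fully qualified names, and it prints on every run of the role. `ansible.builtin.debug:` with `verbosity: 1` keeps the output for `-v` runs only and matches the FQCN style; the same task is added in `postfix/tasks/packmail.yml`. `minimal.yml` no longer installs the postfix package itself, so it now depends on `common.yml` having run first; a comment at the top noting that would help the next maintainer.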
diff --git a/postfix/tasks/packmail.yml b/postfix/tasks/packmail.yml index 6562e0d3..692024fa 100644 --- a/postfix/tasks/packmail.yml +++ b/postfix/tasks/packmail.yml @@ -1,11 +1,9 @@ --- -- name: ensure packages are installed +- name: Complementary packmail packages are installed ansible.builtin.apt: name: - - postfix - postfix-ldap - postfix-policyd-spf-python - - mailgraph state: present tags: - postfix @@ -24,6 +22,10 @@ enabled: yes state: started +- name: display checksums of known main.cf files + debug: + var: main_cf_known_checksums + - name: create packmail main.cf ansible.builtin.template: src: packmail_main.cf.j2 @@ -33,7 +35,7 @@ mode: "0644" force: true notify: restart postfix - when: (postfix_force_main_cf | bool) or (postfix_maincf_md5_jessie in default_main_cf.stdout) or (postfix_maincf_md5_stretch in default_main_cf.stdout) + when: (postfix_force_main_cf | bool) or (main_cf_checksum.stdout in main_cf_known_checksums) tags: - postfix diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 65c95866..4bcbb2dd 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -66,7 +66,7 @@ smtpd_banner = $myhostname ESMTP mail server # Indique le nom d'hote pleinement qualifie ou se trouve postfix [OBLIGATOIRE] #par defaut, = [retour de la commande Unix hostname] -myhostname = {{ ansible_fqdn }} +myhostname = {{ postfix_hostname }} # Variable indiquant le domaine dans lequel se trouve la machine #par defaut, = [partie domain de la variable $myhostname] diff --git a/postfix/vars/main.yml b/postfix/vars/main.yml index e8a773c9..8d612f2e 100644 --- a/postfix/vars/main.yml +++ b/postfix/vars/main.yml 
@@ -1,5 +1,9 @@ --- -## MD5 hash of default main.cf filter, obtained with this command : -# grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum - -postfix_maincf_md5_jessie: "5450c05d65878e99dad696c7c722e511" -postfix_maincf_md5_stretch: "30022953f1f61f002bfb72e163ecb27e" +# Output of default main.cf: +# grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | sha1sum | cut -d " " -f1 +main_cf_known_checksums: + - 72bd6999f053ea89b359e233cf252616ee6e2fbb # bookworm + - efd078215285ad520addee5b11af869717627b95 # bullseye + - c7d1e008120565927b213be1bf646fddfa949dc6 # buster + - 8b4de47321a9c003bf414a683c0d056b4469b325 # stretch + - f72feb50754830a7d8ae46f28e86d758881bcfc3 # jessie From 63745c26974e934c55a2ed8c9a4ece86016c171d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Feb 2024 08:21:15 +0100 Subject: [PATCH 130/151] apt: remove duplicate extension --- .../{extended-lts.oneline.yml.yml => extended-lts.oneline.yml} | 0 apt/tasks/main.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename apt/tasks/{extended-lts.oneline.yml.yml => extended-lts.oneline.yml} (100%) diff --git a/apt/tasks/extended-lts.oneline.yml.yml b/apt/tasks/extended-lts.oneline.yml similarity index 100% rename from apt/tasks/extended-lts.oneline.yml.yml rename to apt/tasks/extended-lts.oneline.yml diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index c20abe54..bc65d7b9 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml @@ -81,7 +81,7 @@ - ansible_distribution_major_version is version('12', '>=') - name: Install Extended-LTS repositories (Debian < 10) - ansible.builtin.import_tasks: extended-lts.oneline.yml.yml + ansible.builtin.import_tasks: extended-lts.oneline.yml tags: - apt when: From 112bc2133adddf80478f56fc9bfe7f8cc3ee2e54 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Tue, 6 Feb 2024 08:22:18 +0100 Subject: [PATCH 131/151] dovecot: combine similar tasks --- dovecot/tasks/munin.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/dovecot/tasks/munin.yml b/dovecot/tasks/munin.yml index c86d8c72..4c3daf4a 100644 --- a/dovecot/tasks/munin.yml +++ b/dovecot/tasks/munin.yml @@ -9,20 +9,18 @@ - name: Munin plugins are present and configured block: - - name: Disable dovecot plugin + - name: Disable Dovecot plugin ansible.builtin.file: path: /etc/munin/plugins/dovecot state: absent - - name: Remove old dovecot plugin conf + - name: Remove old Dovecot plugin conf ansible.builtin.file: - path: /etc/munin/plugin-conf.d/dovecot - state: absent - - - name: Remove old dovecot plugin conf - ansible.builtin.file: - path: /etc/munin/plugin-conf.d/z-evolinux-dovecot + path: "/etc/munin/plugin-conf.d/{{ item }}" state: absent + loop: + - dovecot + - z-evolinux-dovecot - name: "Remount /usr if needed" ansible.builtin.include_role: From 8dd9c64cbc20cd438e83f7ec7d5d7e96f3bd885f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Feb 2024 08:34:22 +0100 Subject: [PATCH 132/151] nagios-nrpe: multi-line list --- nagios-nrpe/defaults/main.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/nagios-nrpe/defaults/main.yml b/nagios-nrpe/defaults/main.yml index 8ac9c3f4..c8695bc8 100644 --- a/nagios-nrpe/defaults/main.yml +++ b/nagios-nrpe/defaults/main.yml 
@@ -8,8 +8,17 @@ nagios_nrpe_default_ntp_server: "pool.ntp.org" nagios_nrpe_ntp_server: Null # Use nagios_nrpe_processes to override -nagios_nrpe_processes_default_before_debian_12: [ cron rsyslogd ntpd munin-node ] -nagios_nrpe_processes_default: [ cron rsyslogd systemd-timesyn munin-node ] +nagios_nrpe_processes_default_before_debian_12: + - cron + - rsyslogd + - ntpd + - munin-node +nagios_nrpe_processes_default: + - cron + - rsyslogd + - systemd-timesyn + - munin-node + # Built dynamically : nagios_nrpe_processes: Null From ff233b65a6534445663d767cb92a7f1d08741fd7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Feb 2024 08:39:38 +0100 Subject: [PATCH 133/151] remove check-mode protection for handlers handlers are not supposed to be executed in check-mode since no change should happen in check-mode. If there is a corner case we should deal with it at the source, not at the handler level. --- filebeat/handlers/main.yml | 1 - nginx/handlers/main.yml | 3 --- 2 files changed, 4 deletions(-) diff --git a/filebeat/handlers/main.yml b/filebeat/handlers/main.yml index 8456ee33..c5f7001f 100644 --- a/filebeat/handlers/main.yml +++ b/filebeat/handlers/main.yml @@ -4,4 +4,3 @@ ansible.builtin.systemd: name: filebeat state: restarted - when: not ansible_check_mode diff --git a/nginx/handlers/main.yml b/nginx/handlers/main.yml index af2cabf0..bdd5f477 100644 --- a/nginx/handlers/main.yml +++ b/nginx/handlers/main.yml @@ -3,16 +3,13 @@ ansible.builtin.service: name: nginx state: restarted - when: not ansible_check_mode - name: reload nginx ansible.builtin.service: name: nginx state: reloaded - when: not ansible_check_mode - name: restart munin ansible.builtin.service: name: munin-node state: restarted - when: not ansible_check_mode From 12993a8d7cb85dd382d8c1aa40f6ca700cb7e1a5 Mon Sep 17 00:00:00 2001 
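Review bot: `systemd-timesyn` is kept as a list item in `nagios_nrpe_processes_default` with no explanation; it looks like the 15-character process name truncation of `systemd-timesyncd` that a process check would observe, but a reader will take it for a typo. A trailing comment, `- systemd-timesyn  # comm name of systemd-timesyncd, truncated to 15 chars`, would preserve the intent. If it is instead a typo, the previous single-string form hid it and the list form now exposes it.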
From: Jeremy Lecour Date: Tue, 6 Feb 2024 08:40:55 +0100 Subject: [PATCH 134/151] vrrpd: configure minifirewall --- CHANGELOG.md | 1 + vrrpd/defaults/main.yml | 5 ++++- vrrpd/handlers/main.yml | 15 +++++++++++++++ vrrpd/tasks/ip.yml | 39 +++++++++++++++++++++++++++++++++++++-- vrrpd/tasks/main.yml | 3 ++- 5 files changed, 59 insertions(+), 4 deletions(-) create mode 100644 vrrpd/handlers/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index c22a6afa..bd3a156e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * check_free_space: added role * nagios-nrpe: new check_pressure_{cpu,io,mem} * generateldif: new Services for check_pressure_{cpu,io,mem} +* vrrpd: configure minifirewall ### Changed diff --git a/vrrpd/defaults/main.yml b/vrrpd/defaults/main.yml index d5b5b3b4..1c7abb10 100644 --- a/vrrpd/defaults/main.yml +++ b/vrrpd/defaults/main.yml @@ -11,4 +11,7 @@ vrrp_addresses: [] # label: Null # use this name is syslog messages (helps when several vrid are running) # ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server # state: Null # 'started' or 'stopped' -# } \ No newline at end of file +# } + +minifirewall_restart_if_needed: True +minifirewall_restart_force: False diff --git a/vrrpd/handlers/main.yml b/vrrpd/handlers/main.yml new file mode 100644 index 00000000..63cfcd86 --- /dev/null +++ b/vrrpd/handlers/main.yml @@ -0,0 +1,15 @@ +--- + +- name: restart minifirewall + ansible.builtin.command: + cmd: /etc/init.d/minifirewall restart + register: minifirewall_init_restart + failed_when: + - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout" + - "'minifirewall started' not in minifirewall_init_restart.stdout" + +- name: restart minifirewall (noop) + ansible.builtin.meta: noop + register: minifirewall_init_restart + failed_when: False + changed_when: False 
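Review bot: `failed_when` is given as a list, and Ansible ANDs list conditions, so `restart minifirewall` fails only when neither success string appears in the output; that is probably the intent (either message counts as success), but it reads like two independent failure conditions. A comment such as `# fails only if neither success message was printed` makes it explicit. The `(noop)` handler registers `minifirewall_init_restart` on `ansible.builtin.meta`, which as far as I know does not produce a result; if later tasks read that variable after the noop path, they may find it undefined.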
diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index b46a8954..81c9f08f 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml @@ -18,5 +18,40 @@ enabled: yes state: "{{ vrrp_address.state }}" when: - - vrrp_systemd_unit is changed - - not ansible_check_mode \ No newline at end of file + - vrrp_systemd_unit is changed + - not ansible_check_mode + +- name: Check if a recent minifirewall is present + ansible.builtin.stat: + path: /etc/minifirewall.d/ + register: _minifirewall_dir + +- ansible.builtin.set_fact: + minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" + +- name: VRRP output is authorized in minifirewall + lineinfile: + path: /etc/minifirewall.d/vrrpd + line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}" + regexp: "# Allow VRRP output on {{ vrrp_address.interface }}$" + create: yes + mode: "0600" + owner: "root" + group: "root" + notify: "{{ minifirewall_restart_handler_name }}" + when: _minifirewall_dir.stat.exists + +- name: VRRP input is authorized in minifirewall + lineinfile: + path: /etc/minifirewall.d/vrrpd + line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}" + regexp: "# Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}" + create: yes + mode: "0600" + owner: "root" + group: "root" + loop: "{{ vrrp_address.peers | default([]) }}" + loop_control: + loop_var: peer + notify: "{{ minifirewall_restart_handler_name }}" + when: _minifirewall_dir.stat.exists diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml index 86390a2f..78b0ee3b 100644 --- a/vrrpd/tasks/main.yml +++ b/vrrpd/tasks/main.yml 
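Review bot: The `VRRP input is authorized` rule accepts every protocol from each peer to `224.0.0.0/8`, whereas the matching OUTPUT rule is limited to protocol 112; VRRP advertisements are sent to the single multicast address 224.0.0.18, so the INPUT rule can be tightened to `-s {{ peer }} -d 224.0.0.18/32 -p 112 -j ACCEPT` without losing functionality. Both new tasks use the short `lineinfile:` where the rest of the file uses `ansible.builtin.` prefixes. The `_minifirewall_dir` stat guard only checks that the directory exists, so on hosts without a minifirewall the rules are skipped with no message; a `debug` or comment noting that VRRP traffic must then be allowed by other means would help operators.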
@@ -1,4 +1,5 @@ --- + - name: Install Evolix public repositry ansible.builtin.include_role: name: evolix/apt @@ -71,4 +72,4 @@ ansible.builtin.include: ip.yml loop: "{{ vrrp_addresses }}" loop_control: - loop_var: "vrrp_address" \ No newline at end of file + loop_var: "vrrp_address" From ba827b79d96c85d40f126c8c0a210762e84c20c3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Feb 2024 08:41:58 +0100 Subject: [PATCH 135/151] sort CHANGELOG --- CHANGELOG.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd3a156e..6ec52a01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -16,24 +16,24 @@ The **patch** part changes is incremented if multiple releases happen the same m * Preliminary work for php83 * apt: add task file to install ELTS repository (default: False) * autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation +* check_free_space: added role * etc-git: add /var/chroot-bind/etc/bind repo +* fail2ban: add script unban_ip +* generateldif: new Services for check_pressure_{cpu,io,mem} * kvm-host: Automatically add an LVM filter when LVM is present * lxc-php: Allow one to install php83 on Bookworm container * minifirewall: Fix nagios check for old versions of minifirewall * mongodb: add gpg key for 7.0 * nagios-nrpe: add check_sentinel for monitoring Redis Sentinel +* nagios-nrpe: new check_pressure_{cpu,io,mem} * remount-usr: do not try to remount /usr RW if /usr is not a mounted partition +* vrrpd: configure minifirewall * vrrpd: test if interface exists before deleting it * webapps/evoadmin-mail: package installed via public.evolix.org/evolix repo starting with Bookworm +* webapps/nextcloud: Add condition for archive tasks * webapps/nextcloud: Add condition for config tasks * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user * webapps/nextcloud: Set ownership and permissions of data directory -* webapps/nextcloud: Add condition for archive tasks -* fail2ban: add script unban_ip -* check_free_space: added role -* nagios-nrpe: new check_pressure_{cpu,io,mem} -* generateldif: new Services for check_pressure_{cpu,io,mem} -* vrrpd: configure minifirewall ### Changed 
@@ -76,32 +76,32 @@ The **patch** part changes is incremented if multiple releases happen the same m * apache: fix MaxRequestsPerChild value to be sync with wiki.e.o * apt: use archive.debian.org with Stretch * certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) +* dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »). +* dovecot: fix missing default mails * dovecot: fix plugin dovecot1 * evoadmin-web: Fix PHP version for Bookworm * evolinux-base: fix hardware.yml (wrong repo, missing update cache) * evolinux-base: start to install linux-image-cloud-amd64 with Buster * fail2ban: fix template marker +* minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore. 
* nagios: fix default file to monitor for check_clamav_db +* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode +* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) * nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) * nginx: keep indentation * nginx: take care of « already defined » and « not yet defined » server status suffix in check mode * php: Bullseye/Sury > Honor the php_version asked in the pub.evolix.org repository * php: drop apt_preferences(5) file for sury +* postfix: remove dependency on evolinux_fqdn var * proftpd: set missing default listen IP for SFTP +* roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL) * ssl: no not execute haproxy tasks and reload if haproxy is disabled * unbound: Add a apt cache validity to enforce an apt update if needed * webapps/nextcloud: added check that nextcloud uid is over 3000 * webapps/nextcloud: fix Add Ceph volume to fstab : missing UUID= in src * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid -* minifirewall: ports 25, 53, 443, 993, 995 not opened publicly by default anymore, ports 20, 21, 110, 143 not opened semi-publicly by default anymore. -* dovecot: add missing LDAP conf iterate_filter to exclude disabled accounts in users list (caused « User no longer exists » errors in commands listing users like « doveadm user -u '*' » or « doveadm expunge -u "*" mailbox INBOX savedbefore 7d »). 
-* dovecot: fix missing default mails * webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice) -* nginx: fix mistake between "check_mode: no" and "when: not ansible_check_mode" (fail in check mode) -* nginx: add "when: not ansible_check_mode" in various tasks to prevent fail in check mode -* postfix: remove dependency on evolinux_fqdn var -* roundcube: set default SMTP port to 25 instead of 587, which failed because of missing SSL conf (local connexion does not need SSL) ### Removed From 8f865846055ea916ec45b525a83d44f268777597 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Feb 2024 08:44:48 +0100 Subject: [PATCH 136/151] nginx: different way of dealing with check-mode --- nginx/tasks/ip_whitelist.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml index 6186b419..537e4a66 100644 --- a/nginx/tasks/ip_whitelist.yml +++ b/nginx/tasks/ip_whitelist.yml @@ -5,8 +5,8 @@ dest: /etc/nginx/snippets/ipaddr_whitelist line: "allow {{ item }};" state: present + create: yes loop: "{{ nginx_ipaddr_whitelist_present }}" - when: not ansible_check_mode notify: reload nginx tags: - nginx @@ -18,7 +18,6 @@ line: "allow {{ item }};" state: absent loop: "{{ nginx_ipaddr_whitelist_absent }}" - when: not ansible_check_mode notify: reload nginx tags: - nginx From 2768b3146f1b1ba4d1af43b7b00fb70b3856381d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Feb 2024 08:46:20 +0100 Subject: [PATCH 137/151] nginx: simpler regex for settings --- nginx/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml index 5d2f56cf..e8009804 100644 --- a/nginx/tasks/main.yml +++ b/nginx/tasks/main.yml 
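Review bot: With `create: yes` now added to the "allow" task in nginx/tasks/ip_whitelist.yml, a missing `/etc/nginx/snippets/ipaddr_whitelist` is created with whatever mode the remote umask yields, and nothing pins its owner; since this file is an access-control input for nginx I would make its permissions explicit and reproducible with `mode: "0644"`, `owner: root`, `group: root` next to `create: yes`. Dropping `when: not ansible_check_mode` is fine here because lineinfile supports check mode itself.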
@@ -20,7 +20,7 @@ - name: customize worker_connections ansible.builtin.lineinfile: dest: /etc/nginx/nginx.conf - regexp: '^(\s*)(worker_connections)\s+.+;' + regexp: '^(\s*)worker_connections\s+.+;' line: '\1worker_connections 1024;' insertafter: 'events \{' backrefs: yes @@ -31,7 +31,7 @@ - name: use epoll ansible.builtin.lineinfile: dest: /etc/nginx/nginx.conf - regexp: '^(\s*)(use)\s+.+;' + regexp: '^(\s*)use\s+.+;' line: '\1use epoll;' insertafter: 'events \{' backrefs: yes From 5df27a4bc59533b2c0d98bd736e7b5080ac512d6 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Tue, 6 Feb 2024 10:29:52 +0100 Subject: [PATCH 138/151] Add variables for generate "ldap_suffix" in amavis role. --- CHANGELOG.md | 1 + amavis/defaults/main.yml | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 amavis/defaults/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ec52a01..fa5acba1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -102,6 +102,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid * webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice) +* amavis: Add variables for generate "ldap_suffix" ### Removed diff --git a/amavis/defaults/main.yml b/amavis/defaults/main.yml new file mode 100644 index 00000000..82f29666 --- /dev/null +++ b/amavis/defaults/main.yml @@ -0,0 +1,3 @@ +ldap_hostname: "{{ ansible_hostname }}" +ldap_domain: "{{ ansible_domain }}" +ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}" From 75650032d4256c28c7abf6def9f1f8c990d22a3f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Feb 2024 13:33:10 +0100 Subject: [PATCH 139/151] postfix: default to evolinux_fqdn --- postfix/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
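Review bot: In the new amavis/defaults/main.yml, `ldap_suffix` is built from `ldap_domain.split('.')[-2]` and `[-1]`, so on a host whose `ansible_domain` is empty or a single label the default itself raises a templating error, and on a domain with more than two labels the intermediate labels are silently dropped; neither case is documented. I would at least add a comment above the definition, e.g. `# Built from the last two labels of ansible_domain (dc=host,dc=example,dc=org); templating fails when the host has no or a single-label domain — override ldap_suffix explicitly in that case`, and consider whether the two-label assumption matches every LDAP tree this role targets, which the diff cannot tell.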
diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml index 4632d79b..53ae5360 100644 --- a/postfix/defaults/main.yml +++ b/postfix/defaults/main.yml @@ -1,5 +1,5 @@ --- -postfix_hostname: "{{ evolinux_hostname }}.{{ evolinux_domain }}" +postfix_hostname: "{{ evolinux_fqdn }}" postfix_force_main_cf: False postfix_packmail: False postfix_slow_transport_include: False From 47d7141a66e306244cc03f26c671dcafa01b9c81 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Feb 2024 13:59:28 +0100 Subject: [PATCH 140/151] evoadmin-mail: apt modules already knows how to download packages --- webapps/evoadmin-mail/tasks/main.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index a1dd361b..76b1b8f6 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -4,17 +4,9 @@ ansible.builtin.include_role: name: evolix/remount-usr -- name: Get evoadmin-mail package - ansible.builtin.get_url: - url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-2_all.deb - dest: /tmp/evoadmin-mail.deb - when: ansible_distribution_major_version is version('12', '<') - tags: - - evoadmin-mail - - name: Install evoadmin-mail package ansible.builtin.apt: - deb: /tmp/evoadmin-mail.deb + deb: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-2_all.deb state: present when: ansible_distribution_major_version is version('12', '<') tags: From 3bb29aa6bad0e3437df938ac6b7152170c3a95b5 Mon Sep 17 00:00:00 2001 From: William Hirigoyen Date: Wed, 7 Feb 2024 11:32:41 +0100 Subject: [PATCH 141/151] proftpd: fix error when no SSH key is provided --- CHANGELOG.md | 3 ++- proftpd/tasks/accounts.yml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa5acba1..952dd072 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
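Review bot: The new default `postfix_hostname: "{{ evolinux_fqdn }}"` reintroduces a hard dependency on `evolinux_fqdn` for the postfix role, while the CHANGELOG in this same series still lists "postfix: remove dependency on evolinux_fqdn var" under Fixed; one of the two should be updated so readers are not told the opposite of what the role does. If the postfix role is meant to be usable without evolinux-base having set that variable, a fallback such as `postfix_hostname: "{{ evolinux_fqdn | default(ansible_fqdn) }}"` would keep the old behaviour there; where that variable is defined is not visible in this diff.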
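Review bot: The "Install evoadmin-mail package" task now feeds a remote URL straight into `apt: deb:`, so the .deb is downloaded and handed to dpkg with no integrity check at all: a file installed this way sits outside the signed apt index, and TLS only authenticates the transport to pub.evolix.org, not the artifact. The removed `get_url` task did not verify anything either, but it was the natural place to pin a digest; I would restore it with a `checksum` and install the local file, as below, or install the package from the repository that the changelog says carries it. The expected digest has to be taken from the published package and is not available in this diff.

```yaml
- name: Get evoadmin-mail package
  ansible.builtin.get_url:
    url: https://pub.evolix.org/evolix/pool/main/e/evoadmin-mail/evoadmin-mail_1.0.9-2_all.deb
    dest: /tmp/evoadmin-mail.deb
    # pin the artifact: dpkg performs no signature check on a stand-alone .deb
    checksum: "sha256:<digest of the published evoadmin-mail_1.0.9-2_all.deb>"
  when: ansible_distribution_major_version is version('12', '<')
  tags:
    - evoadmin-mail

- name: Install evoadmin-mail package
  ansible.builtin.apt:
    deb: /tmp/evoadmin-mail.deb
    state: present
  # … unchanged: when / tags …
```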
@@ -102,7 +102,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * webapps/nextcloud: fix misplaced gid attribute * webapps/nextcloud: fix missing gid * webapps/roundcube & evoadminmail: make roles more idempotent (were failing when played twice) -* amavis: Add variables for generate "ldap_suffix" +* amavis: Add variables for generate "ldap_suffix" +* proftpd: fix error when no SSH key is provided ### Removed diff --git a/proftpd/tasks/accounts.yml b/proftpd/tasks/accounts.yml index 99b036c9..fc97b55b 100644 --- a/proftpd/tasks/accounts.yml +++ b/proftpd/tasks/accounts.yml @@ -73,5 +73,6 @@ when: - proftpd_sftp_enable | bool - proftpd_sftp_use_publickeys | bool + - _proftpd_account.sshkeys is defined tags: - proftpd From 8af6cdc4d6c1f188dc03dbad624b08dc23fce898 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Feb 2024 15:31:40 +0100 Subject: [PATCH 142/151] apache: create ip_whitelist file if missing --- apache/tasks/ip_whitelist.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index 5060f56e..bb7e8f46 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -5,6 +5,7 @@ dest: /etc/apache2/ipaddr_whitelist.conf line: "Require ip {{ item }}" state: present + create: yes loop: "{{ apache_ipaddr_whitelist_present }}" notify: reload apache tags: From ef2e65287ec5e1256544cfc6d53ac253236cd954 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Feb 2024 15:38:23 +0100 Subject: [PATCH 143/151] YAML header --- amavis/defaults/main.yml | 2 ++ dovecot/tasks/main.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/amavis/defaults/main.yml b/amavis/defaults/main.yml index 82f29666..c353a3ba 100644 --- a/amavis/defaults/main.yml +++ b/amavis/defaults/main.yml 
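Review bot: The added condition `_proftpd_account.sshkeys is defined` only guards against a missing key, so an account entry with `sshkeys: []` or `sshkeys: null` still satisfies it and the task runs with an empty or None value; the task whose `when` this extends starts outside the hunk, so I cannot see how it consumes the value, but `- _proftpd_account.sshkeys | default([]) | length > 0` would cover all three cases in one line. A short comment such as `# skip accounts that declare no SSH public key` would also make the intent visible.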
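Review bot: Adding `create: yes` to the `Require ip` task means `/etc/apache2/ipaddr_whitelist.conf` can now be created by lineinfile with the remote umask's mode and no explicit owner; for a file that defines who is allowed through Apache's access control I would pin `mode: "0644"`, `owner: root`, `group: root` alongside `create: yes` so the result does not depend on the environment the play runs in.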
@@ -1,3 +1,5 @@ +--- + ldap_hostname: "{{ ansible_hostname }}" ldap_domain: "{{ ansible_domain }}" ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}" diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 6c4e7608..d7fec0ff 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -1,3 +1,5 @@ +--- + - name: ensure packages are installed ansible.builtin.apt: name: From 4fb49dd6c90786ba3dd10e97e6fb368b1fc7f0ca Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Feb 2024 15:39:05 +0100 Subject: [PATCH 144/151] nginx: clarify intent regarding check mode --- nginx/tasks/munin_vhost.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nginx/tasks/munin_vhost.yml b/nginx/tasks/munin_vhost.yml index eb08cd72..2c9261f4 100644 --- a/nginx/tasks/munin_vhost.yml +++ b/nginx/tasks/munin_vhost.yml @@ -30,7 +30,10 @@ ansible.builtin.copy: src: systemd/spawn-fcgi-munin-graph.service dest: /etc/systemd/system/spawn-fcgi-munin-graph.service + force: yes +# WARN: there is no (apparent) way to check if the service exists +# so we disable this task in check mode. - name: Systemd unit for Munin-fcgi is started ansible.builtin.systemd: name: spawn-fcgi-munin-graph From d40177802476b9a1f58871eb3197c741eb130113 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Feb 2024 15:43:23 +0100 Subject: [PATCH 145/151] remount-usr: back to a simpler implementation --- remount-usr/tasks/main.yml | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/remount-usr/tasks/main.yml b/remount-usr/tasks/main.yml index 18dfe6ce..034a66f5 100644 --- a/remount-usr/tasks/main.yml +++ b/remount-usr/tasks/main.yml 
@@ -2,27 +2,17 @@ # findmnt returns 0 on hit, 1 on miss # If the return code is higher than 1, it's a blocking failure -- name: "check if /usr is a mountpoint" - ansible.builtin.shell: "findmnt -n /usr &> /dev/null" - register: usr_mount_exists - failed_when: False - check_mode: False - changed_when: False - - name: "check if /usr is a read-only partition" ansible.builtin.command: cmd: 'findmnt /usr --noheadings --options ro' - register: usr_partition - when: usr_mount_exists.rc == 0 changed_when: False failed_when: usr_partition.rc > 1 + register: usr_partition check_mode: False - name: "mount /usr in rw" ansible.builtin.command: - cmd: 'mount -o remount,rw /usr' - when: - - usr_mount_exists.rc == 0 - - usr_partition.rc == 0 + cmd: 'mount --options remount,rw /usr' + when: usr_partition.rc == 0 notify: remount usr changed_when: False From ae665ea1786cd5786cffe5587eb31e67d7f667f6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Feb 2024 16:01:37 +0100 Subject: [PATCH 146/151] spamassassin: optimize tasks --- spamassasin/tasks/main.yml | 44 +++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 24 deletions(-) diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index fbcd6e5c..0ee6f76a 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml 
@@ -1,51 +1,47 @@ --- -- name: install SpamAssasin - ansible.builtin.apt: - name: - - spamassassin - state: present + +- name: For Debian < 12 + set_fact: + spamassassin_restart_handler: restart spamassassin + spamassassin_package_name: spamassassin + tags: + - spamassassin when: ansible_distribution_major_version is version('12', '<') + +# the package is called "spamd" after Debian 12 +- name: For Debian >= 12 + set_fact: + spamassassin_restart_handler: restart spamd + spamassassin_package_name: spamd tags: - spamassassin + when: ansible_distribution_major_version is version('12', '>=') -- name: install spamd +- name: Install SpamAssassin ansible.builtin.apt: name: - - spamd + - "{{ spamassassin_package_name }}" state: present - when: ansible_distribution_major_version is version('12', '>=') tags: - spamassassin -- name: configure SpamAssasin +- name: Configure SpamAssassin ansible.builtin.copy: src: spamassassin.cf dest: /etc/spamassassin/local_evolix.cf mode: "0644" - notify: restart spamassassin - when: ansible_distribution_major_version is version('12', '<') + notify: "{{ spamassassin_restart_handler }}" tags: - spamassassin -- name: configure spamd - ansible.builtin.copy: - src: spamassassin.cf - dest: /etc/spamassassin/local_evolix.cf - mode: "0644" - notify: restart spamd - when: ansible_distribution_major_version is version('12', '>=') - tags: - - spamassassin - -- name: enable SpamAssasin +- name: Enable SpamAssassin ansible.builtin.replace: dest: /etc/default/spamassassin regexp: 'ENABLED=0' replace: 'ENABLED=1' - notify: restart spamassassin - when: ansible_distribution_major_version is version('12', '<') tags: - spamassassin + when: ansible_distribution_major_version is version('12', '<') - name: add amavis user to debian-spamd group ansible.builtin.user: From fe5a61289bc44581aac71ce8935bb16399a8fdfc Mon Sep 17 00:00:00 2001 
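Review bot: The "Enable SpamAssassin" task lost its `notify` in this rewrite: the old task notified `restart spamassassin` after flipping `ENABLED=0` to `ENABLED=1` in /etc/default/spamassassin, the new one only carries `tags` and `when`, so on Debian < 12 a freshly enabled service is not (re)started by the role. Re-adding `notify: "{{ spamassassin_restart_handler }}"` to that task restores the previous behaviour. As a matter of style, the two new `set_fact` tasks use the bare module name while every other task in the file uses the `ansible.builtin.` prefix; `ansible.builtin.set_fact` would keep the file consistent.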
From: Jeremy Lecour Date: Wed, 7 Feb 2024 16:12:32 +0100 Subject: [PATCH 147/151] whitespaces --- amavis/tasks/main.yml | 8 ++++---- dovecot/tasks/main.yml | 20 +++++++++++--------- ldap/tasks/nagios.yml | 2 +- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/amavis/tasks/main.yml b/amavis/tasks/main.yml index da46721e..e9f67b4d 100644 --- a/amavis/tasks/main.yml +++ b/amavis/tasks/main.yml @@ -6,7 +6,7 @@ - amavisd-new state: present tags: - - amavis + - amavis - name: configure Amavis ansible.builtin.template: @@ -15,7 +15,7 @@ mode: "0644" notify: restart amavis tags: - - amavis + - amavis - name: Install purge custom cron ansible.builtin.copy: @@ -23,5 +23,5 @@ dest: /etc/cron.daily/amavis_purge_virusmails mode: "0755" tags: - - amavis - - amavis_purge_cron + - amavis + - amavis_purge_cron diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index d7fec0ff..3260e80e 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -10,7 +10,7 @@ - dovecot-managesieved state: present tags: - - dovecot + - dovecot - name: Generate 4096 bits Diffie-Hellman parameters (may take several minutes) community.crypto.openssl_dhparam: @@ -23,7 +23,7 @@ regexp: "[^#]!include auth-system.conf.ext" replace: "#!include auth-system.conf.ext" tags: - - dovecot + - dovecot - name: update ldap auth ansible.builtin.lineinfile: @@ -43,7 +43,7 @@ when: ldap_suffix is defined notify: reload dovecot tags: - - dovecot + - dovecot - name: create vmail group ansible.builtin.group: @@ -51,7 +51,7 @@ gid: "{{ dovecot_vmail_gid }}" system: True tags: - - dovecot + - dovecot - name: create vmail user ansible.builtin.user: @@ -61,7 +61,7 @@ shell: /bin/false system: True tags: - - dovecot + - dovecot - name: deploy evolix config for Dovecot ansible.builtin.template: @@ -70,7 +70,7 @@ mode: "0644" notify: reload dovecot tags: - - dovecot + - dovecot - name: deploy file for custom configuration ansible.builtin.template: 
@@ -79,7 +79,7 @@ mode: "0644" notify: reload dovecot tags: - - dovecot + - dovecot - ansible.builtin.include: munin.yml tags: @@ -89,7 +89,8 @@ ansible.builtin.apt: name: log2mail state: present - tags: dovecot + tags: + - dovecot - name: dovecot is configured in log2mail ansible.builtin.blockinfile: @@ -104,5 +105,6 @@ mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} template = /etc/log2mail/mail notify: restart log2mail - tags: dovecot + tags: + - dovecot diff --git a/ldap/tasks/nagios.yml b/ldap/tasks/nagios.yml index 58120baa..183ba258 100644 --- a/ldap/tasks/nagios.yml +++ b/ldap/tasks/nagios.yml @@ -73,4 +73,4 @@ ansible.builtin.command: cmd: "slappasswd -s {{ ldap_nagios_password }}" register: ldap_nagios_password_ssha - changed_when: False \ No newline at end of file + changed_when: False From 0b859fd1a430de46305b53ddf1d30cc5f8618b89 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Feb 2024 16:14:29 +0100 Subject: [PATCH 148/151] dovecot: add variables for LDAP --- CHANGELOG.md | 1 + dovecot/defaults/main.yml | 6 ++++++ dovecot/tasks/main.yml | 4 ++-- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 952dd072..f4d899a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,6 +44,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * apt: Disable archive repository for Debian 8 * apt: Use the GPG version of the key for Debian 8-9 * bind: Update role for Buster, Bullseye and Bookworm support +* dovecot: add variables for LDAP * dovecot: Munin plugin conf path is now `/etc/munin/plugin-conf.d/zzz-dovecot` (instead of `z-evolinux-dovecot`) * evocheck: upstream release 24.01 * evolinux-base: dump-server-state upstream release 23.11 diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index 77bbfa05..e190adb6 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml 
@@ -2,5 +2,11 @@ general_alert_email: "root@localhost" log2mail_alert_email: Null + dovecot_vmail_uid: 5000 dovecot_vmail_gid: 5000 + +ldap_hostname: "{{ ansible_hostname }}" +ldap_domain: "{{ ansible_domain }}" +ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}" +ldap_enabled: False diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 3260e80e..8589a701 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -35,12 +35,12 @@ - { key: 'hosts', value: '127.0.0.1' } - { key: 'auth_bind', value: 'yes' } - { key: 'ldap_version', value: 3 } - - { key: 'base', value: "{{ ldap_suffix }}" } + - { key: 'base', value: "{{ ldap_suffix | mandatory }}" } - { key: 'user_attrs', value: 'homeDirectory=home' } - { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' } - { key: 'pass_attrs', value: 'uid=user,userPassword=password' } - { key: 'iterate_filter', value: '(&(isActive=TRUE))' } - when: ldap_suffix is defined + when: ldap_enabled | bool | default(False) notify: reload dovecot tags: - dovecot From 2e9b6c0680e33b7011adab1a629cabcd745e3ca4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 7 Feb 2024 16:15:32 +0100 Subject: [PATCH 149/151] amavis/ldap: make ldap_suffix mandatory --- CHANGELOG.md | 2 ++ amavis/templates/amavis.conf.j2 | 2 +- ldap/tasks/nagios.yml | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f4d899a6..c747fbc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * add-vm.sh: allow VM name max length > 20 +* amavis: make ldap_suffix mandatory * apache : fix goaway pattern for bad bots * apache : rename MaxRequestsPerChild to MaxConnectionsPerChild (new name) * apache: use backward compatible Redirect directive 
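Review bot: The new condition `when: ldap_enabled | bool | default(False)` applies the filters in the wrong order: `default` must be the first filter on a possibly undefined variable, otherwise `bool` is evaluated on the undefined value first and the `default` never gets a chance to apply. This is currently masked because dovecot/defaults/main.yml in the same commit sets `ldap_enabled: False`, but the line should read `when: ldap_enabled | default(False) | bool` so it also behaves when the role defaults are not loaded.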
@@ -50,6 +51,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: dump-server-state upstream release 23.11 * evolinux-base: use separate default config file for rsyslog * kvmstats: use .capacity instead of .physical for disk size +* ldap: make ldap_suffix mandatory * listupgrade : old-kernel-removal.sh upstream release 24.01 * log2mail: move custom config in separate file * lxc: init /etc git repository in lxc container diff --git a/amavis/templates/amavis.conf.j2 b/amavis/templates/amavis.conf.j2 index cbe597a2..8bc9bae8 100644 --- a/amavis/templates/amavis.conf.j2 +++ b/amavis/templates/amavis.conf.j2 @@ -44,7 +44,7 @@ $max_servers = 2; $enable_ldap = 1; $default_ldap = { hostname => '127.0.0.1', tls => 0, - base => '{{ ldap_suffix }}', scope => 'sub', + base => '{{ ldap_suffix | mandatory }}', scope => 'sub', query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))' }; diff --git a/ldap/tasks/nagios.yml b/ldap/tasks/nagios.yml index 183ba258..1fa17241 100644 --- a/ldap/tasks/nagios.yml +++ b/ldap/tasks/nagios.yml @@ -50,8 +50,8 @@ mode: "0640" loop: - { option: 'hostname', value: '127.0.0.1' } - - { option: 'base', value: "{{ ldap_suffix }}" } - - { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" } + - { option: 'base', value: "{{ ldap_suffix | mandatory }}" } + - { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix | mandatory }}" } - { option: 'pass', value: "{{ ldap_nagios_password }}" } when: not nagios_monitoring_plugins_path.stat.exists From eb3aac9d3ed0a4bb6ff8e6a617a3141f6a4520f0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 8 Feb 2024 08:33:49 +0100 Subject: [PATCH 150/151] update CHANGELOG --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c747fbc0..e27f9e71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
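Review bot: `{{ ldap_suffix | mandatory }}` in amavis.conf.j2 cannot fire as written, because amavis/defaults/main.yml (added earlier in this series) always defines `ldap_suffix` from `ansible_hostname`/`ansible_domain`; `mandatory` only rejects an undefined variable, so the template will silently use the derived suffix rather than force an explicit setting. If the goal of "make ldap_suffix mandatory" is to require operators to set it, the default has to go (or the derivation has to be opt-in); if the goal is only to fail early, a comment such as `{# ldap_suffix normally comes from the role defaults; mandatory only catches a missing variable #}` would stop the next reader from assuming it enforces explicit configuration. Whether the ldap role's own defaults define the variable is not visible here, so the same question applies to the ldap/tasks/nagios.yml change.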
@@ -13,7 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added -* Preliminary work for php83 +* Support for PHP 8.3 with bookworm LXC containers * apt: add task file to install ELTS repository (default: False) * autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation * check_free_space: added role @@ -68,6 +68,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * unbound: Big cleanup * unbound: Move generated config file to `/etc/unbound/unbound.conf.d/evolinux.conf` * unbound: Use root hints provided by debian package dns-root-data instead of downloading them +* vrrpd: replace switch script with custom one (fix MAC issue, use `ip(8)`, shell cleanup…) * vrrpd: variable to force update the switch script (default: false) * webapps/nextcloud: Add Ceph volume to fstab * webapps/nextcloud: Set home directory's mode @@ -75,7 +76,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Fixed * Add php-fpm82 to LDAP when relevant -* check stat.exists before stat.isdir +* Check stat.exists before stat.isdir * apache: fix MaxRequestsPerChild value to be sync with wiki.e.o * apt: use archive.debian.org with Stretch * certbot: fix hook for dovecot when more than one certificate is used (eg. different certificates for POP3 and IMAP) From d4fcc6f8f4159948145a1c3ed5e6b89031f7ae83 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 8 Feb 2024 09:27:08 +0100 Subject: [PATCH 151/151] Release 24.02 --- CHANGELOG.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e27f9e71..ba289fd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,6 +13,18 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [24.02] 2024-02-08 + +### Added + * Support for PHP 8.3 with bookworm LXC containers * apt: add task file to install ELTS repository (default: False) * autosysadmin: Add a role to automatically deploy autosysadmin on evolixisation @@ -114,8 +126,6 @@ The **patch** part changes is incremented if multiple releases happen the same m * evolinux-base: no need to remove update-evobackup-canary from sbin anymore * evolinux-base: no need to symlink backup-server-state to dump-server-state anymore -### Security - ## [23.10] 2023-10-14 ### Added