Merge branch 'unstable' into stable
commit
3029c9ee33
14
.Jenkinsfile
14
.Jenkinsfile
|
@ -6,6 +6,20 @@ pipeline {
|
||||||
}
|
}
|
||||||
|
|
||||||
stages {
|
stages {
|
||||||
|
stage('Anible Lint') {
|
||||||
|
agent {
|
||||||
|
docker {
|
||||||
|
image 'evolix/ansible-lint:latest'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
steps {
|
||||||
|
script {
|
||||||
|
sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir || : ; done'
|
||||||
|
recordIssues(tools: [ansibleLint()])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
stage('Build tagged docker image') {
|
stage('Build tagged docker image') {
|
||||||
when {
|
when {
|
||||||
buildingTag()
|
buildingTag()
|
||||||
|
|
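Review bot: The new lint stage runs in `evolix/ansible-lint:latest`, a mutable tag, so the code executed inside CI can change without any commit to this repository; pinning the image to a version tag or a digest (`image 'evolix/ansible-lint@sha256:<digest>'`, digest to be filled in) keeps the build reproducible and reviewable. In the `sh` step `$role_dir` is unquoted, so a role directory with whitespace in its name is split into several arguments; `ansible-lint -p "$role_dir"` avoids that. The `|| :` makes every lint failure non-fatal, which looks deliberate given `recordIssues`, but a one-line comment saying so would help the next reader. The stage name `'Anible Lint'` is presumably meant to read `Ansible Lint`. The `pipeline` block continues outside the hunk.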
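--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+"files.associations": {
+"*.yml": "ansible",
+"*.yaml": "ansible"
+},
+"yaml.format.enable": false
+}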
59
CHANGELOG.md
59
CHANGELOG.md
|
@ -8,6 +8,7 @@ The **major** part of the version is the year
|
||||||
The **minor** part changes is the month
|
The **minor** part changes is the month
|
||||||
The **patch** part changes is incremented if multiple releases happen the same month
|
The **patch** part changes is incremented if multiple releases happen the same month
|
||||||
|
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
@ -20,6 +21,63 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [23.03] 2023-03-16
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* apache: add task to enable mailgraph on default vhost and index.html
|
||||||
|
* apt: add move-apt-keyrings script/tasks
|
||||||
|
* apt: add tools to migrate sources to deb822 format
|
||||||
|
* fail2ban: add "Internal login failure" to Dovecot filter
|
||||||
|
* lxc: copy `/etc/profile.d/evolinux.sh` from host into container
|
||||||
|
* nagios-nrpe: add tasks/files for a wrapper
|
||||||
|
* nagios-nrpe: Print pool config path in check_phpfpm_multi output
|
||||||
|
* php: add `php_version` variable when sury is activated for each Debian version
|
||||||
|
* php: add a way to choose which version to install using sury repository
|
||||||
|
* postfix: Add task to enable mailgraph on packmail
|
||||||
|
* postgresql: configure max_connections
|
||||||
|
* userlogrotate: create dedicated role, separated from packweb-apache
|
||||||
|
* varnish: add `varnish_update_config` variable to disable configuration update
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* Use systemd module instead of command
|
||||||
|
* Removed all `warn: False` args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
|
||||||
|
* apt: Use pub.evolix.org instead of pub.evolix.net
|
||||||
|
* bind: refactor role
|
||||||
|
* elasticsearch: Disable garabge collector logging (JDK >= 9)
|
||||||
|
* evolinux-users: Update sudoers template to remove commands allowed without password
|
||||||
|
* listupgrade: upstream release 23.03.3
|
||||||
|
* kvmstats: use virsh domstats | awk to get guests informations
|
||||||
|
* nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …)
|
||||||
|
* openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change
|
||||||
|
* postfix: come back to default value of `notify_classes` for pack mails.
|
||||||
|
* userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
|
||||||
|
* webapps/nextcloud : Change default data directory to be outside web root
|
||||||
|
* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
|
||||||
|
* yarn: update apt key
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
* Proper jinja spacing
|
||||||
|
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
|
||||||
|
* docker-host: fix type in `daemon.json` and remove host configuration that is already in the systemd service by default
|
||||||
|
* evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
|
||||||
|
* haproxy: fix missing admin ACL in stats module access permissions
|
||||||
|
* openvpn: fix the client cipher configuration to match the server cipher configuration
|
||||||
|
* php: fix error introduced in #33503e4538 (`False` evaluated as a String instead of Boolean)
|
||||||
|
* php: install using Sury repositories on Bullseye
|
||||||
|
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
|
||||||
|
* postfix: avoid Amavis transport to be considered dead when restarted.
|
||||||
|
* postfix: remove unused `aliases_scope=sub` from virtual_aliases.cf (it generated warnings)
|
||||||
|
* userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped)
|
||||||
|
* userlogrotate: skip zipping if .gz log already exists (prevents interactive question)
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
* evolinux-base: subversion is not installed anymore
|
||||||
|
|
||||||
|
|
||||||
## [22.12] 2022-12-14
|
## [22.12] 2022-12-14
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
@ -34,6 +92,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* packweb-apache: enable `log_forensic` module
|
* packweb-apache: enable `log_forensic` module
|
||||||
* rabbitmq: add link in default page
|
* rabbitmq: add link in default page
|
||||||
* varnish: create special tmp directory for syntax validation
|
* varnish: create special tmp directory for syntax validation
|
||||||
|
* postfix: add localhost.$mydomain to mydestination
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
|
|
@ -3,34 +3,34 @@
|
||||||
- name: Launch new instance(s)
|
- name: Launch new instance(s)
|
||||||
ec2:
|
ec2:
|
||||||
state: present
|
state: present
|
||||||
aws_access_key: "{{aws_access_key}}"
|
aws_access_key: "{{ aws_access_key }}"
|
||||||
aws_secret_key: "{{aws_secret_key}}"
|
aws_secret_key: "{{ aws_secret_key }}"
|
||||||
region: "{{aws_region}}"
|
region: "{{ aws_region }}"
|
||||||
image: "{{ec2_base_ami}}"
|
image: "{{ ec2_base_ami }}"
|
||||||
instance_type: "{{ec2_instance_type}}"
|
instance_type: "{{ ec2_instance_type }}"
|
||||||
count: "{{ec2_instance_count}}"
|
count: "{{ ec2_instance_count }}"
|
||||||
assign_public_ip: "{{ec2_public_ip}}"
|
assign_public_ip: "{{ ec2_public_ip }}"
|
||||||
group: "{{ec2_security_group.name}}"
|
group: "{{ ec2_security_group.name }}"
|
||||||
key_name: "{{ec2_keyname}}"
|
key_name: "{{ ec2_keyname }}"
|
||||||
wait: yes
|
wait: yes
|
||||||
register: ec2
|
register: ec2
|
||||||
|
|
||||||
- name: Add newly created instance(s) to inventory
|
- name: Add newly created instance(s) to inventory
|
||||||
add_host:
|
add_host:
|
||||||
hostname: "{{item.public_dns_name}}"
|
hostname: "{{ item.public_dns_name }}"
|
||||||
groupname: launched-instances
|
groupname: launched-instances
|
||||||
ansible_user: admin
|
ansible_user: admin
|
||||||
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
|
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
|
||||||
loop: "{{ec2.instances}}"
|
loop: "{{ ec2.instances }}"
|
||||||
|
|
||||||
- debug:
|
- debug:
|
||||||
msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
|
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
|
||||||
loop: "{{ec2.instances}}"
|
loop: "{{ ec2.instances }}"
|
||||||
|
|
||||||
- name: Wait for SSH to come up on all instances (give up after 2m)
|
- name: Wait for SSH to come up on all instances (give up after 2m)
|
||||||
wait_for:
|
wait_for:
|
||||||
state: started
|
state: started
|
||||||
host: "{{item.public_dns_name}}"
|
host: "{{ item.public_dns_name }}"
|
||||||
port: 22
|
port: 22
|
||||||
timeout: 120
|
timeout: 120
|
||||||
loop: "{{ec2.instances}}"
|
loop: "{{ ec2.instances }}"
|
||||||
|
|
|
@ -68,3 +68,10 @@
|
||||||
insertafter: "[apache_*]"
|
insertafter: "[apache_*]"
|
||||||
create: no
|
create: no
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
|
|
||||||
|
- name: add mailgraph URL in index.html
|
||||||
|
lineinfile:
|
||||||
|
dest: /var/www/index.html
|
||||||
|
state: present
|
||||||
|
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
|
||||||
|
insertbefore: "</ul>"
|
||||||
|
|
|
@ -35,6 +35,15 @@
|
||||||
Include /etc/apache2/ipaddr_whitelist.conf
|
Include /etc/apache2/ipaddr_whitelist.conf
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
# Mailgraph configuration
|
||||||
|
Alias /mailgraph /usr/share/mailgraph
|
||||||
|
<Directory /usr/share/mailgraph>
|
||||||
|
DirectoryIndex mailgraph.cgi
|
||||||
|
Require all granted
|
||||||
|
Options +FollowSymLinks +ExecCGI
|
||||||
|
AddHandler cgi-script .cgi
|
||||||
|
</Directory>
|
||||||
|
|
||||||
CustomLog /var/log/apache2/access.log vhost_combined
|
CustomLog /var/log/apache2/access.log vhost_combined
|
||||||
ErrorLog /var/log/apache2/error.log
|
ErrorLog /var/log/apache2/error.log
|
||||||
LogLevel warn
|
LogLevel warn
|
||||||
|
@ -118,6 +127,15 @@
|
||||||
Include /etc/apache2/ipaddr_whitelist.conf
|
Include /etc/apache2/ipaddr_whitelist.conf
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
|
# Mailgraph configuration
|
||||||
|
Alias /mailgraph /usr/share/mailgraph
|
||||||
|
<Directory /usr/share/mailgraph>
|
||||||
|
DirectoryIndex mailgraph.cgi
|
||||||
|
Require all granted
|
||||||
|
Options +FollowSymLinks +ExecCGI
|
||||||
|
AddHandler cgi-script .cgi
|
||||||
|
</Directory>
|
||||||
|
|
||||||
# BEGIN phpMyAdmin section
|
# BEGIN phpMyAdmin section
|
||||||
# END phpMyAdmin section
|
# END phpMyAdmin section
|
||||||
|
|
||||||
|
|
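Review bot: Both added `<Directory /usr/share/mailgraph>` blocks use `Require all granted`, so the mailgraph CGI and its mail-traffic graphs are served to any client, while the blocks directly above them in both hunks pull in `/etc/apache2/ipaddr_whitelist.conf`. If the statistics are meant for administrators only, replace `Require all granted` with `Include /etc/apache2/ipaddr_whitelist.conf` in the two blocks (this assumes the whitelist file carries the `Require` directives, as its use in the neighbouring blocks suggests). `AddHandler cgi-script .cgi` together with `+ExecCGI` makes every `.cgi` file under that directory executable; wrapping the handler in a `<Files mailgraph.cgi>` block would limit it to the one script. The enclosing vhost starts and ends outside both hunks.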
96
apt/files/deb822-migration.py
Normal file
96
apt/files/deb822-migration.py
Normal file
|
@ -0,0 +1,96 @@
|
||||||
|
#!/bin/env python3
|
||||||
|
|
||||||
|
import re
|
||||||
|
import sys
|
||||||
|
import os
|
||||||
|
|
||||||
|
if len(sys.argv) > 1:
|
||||||
|
src_file = sys.argv[1]
|
||||||
|
else:
|
||||||
|
print("You must provide a source file as first argument", file=sys.stderr)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
if not os.access(src_file, os.R_OK):
|
||||||
|
print(src_file, "is not readable", file=sys.stderr)
|
||||||
|
sys.exit(2)
|
||||||
|
|
||||||
|
pattern = re.compile('^(?P<type>deb|deb-src) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
|
||||||
|
|
||||||
|
sources = {}
|
||||||
|
|
||||||
|
def split_options(raw):
|
||||||
|
table = str.maketrans({
|
||||||
|
"[": None,
|
||||||
|
"]": None
|
||||||
|
})
|
||||||
|
options = raw.translate(table).split(' ')
|
||||||
|
|
||||||
|
return options
|
||||||
|
|
||||||
|
with open(src_file,'r') as file:
|
||||||
|
for line in file:
|
||||||
|
matches = re.match(pattern, line)
|
||||||
|
if matches is not None:
|
||||||
|
# print(matches.groupdict())
|
||||||
|
uri = matches['uri']
|
||||||
|
|
||||||
|
options = {}
|
||||||
|
if matches.group('options'):
|
||||||
|
for option in split_options(matches['options']):
|
||||||
|
if "=" in option:
|
||||||
|
key, value = option.split("=")
|
||||||
|
options[key] = value
|
||||||
|
|
||||||
|
if uri in sources:
|
||||||
|
sources[uri]["Types"].add(matches["type"])
|
||||||
|
sources[uri]["URIs"] = matches["uri"]
|
||||||
|
sources[uri]["Suites"].add(matches["suite"])
|
||||||
|
sources[uri]["Components"].update(matches["components"].split(' '))
|
||||||
|
else:
|
||||||
|
source = {
|
||||||
|
"Types": {matches['type']},
|
||||||
|
"URIs": matches['uri'],
|
||||||
|
"Enabled": "yes",
|
||||||
|
}
|
||||||
|
|
||||||
|
if matches.group('suite'):
|
||||||
|
source["Suites"] = set(matches['suite'].split(' '))
|
||||||
|
|
||||||
|
if matches.group('components'):
|
||||||
|
source["Components"] = set(matches['components'].split(' '))
|
||||||
|
|
||||||
|
if "arch" in options:
|
||||||
|
if "Architectures" in source:
|
||||||
|
source["Architectures"].append(options["arch"])
|
||||||
|
else:
|
||||||
|
source["Architectures"] = {options["arch"]}
|
||||||
|
|
||||||
|
if "signed-by" in options:
|
||||||
|
if "Signed-by" in source:
|
||||||
|
source["Signed-by"].append(options["signed-by"])
|
||||||
|
else:
|
||||||
|
source["Signed-by"] = {options["signed-by"]}
|
||||||
|
|
||||||
|
if "lang" in options:
|
||||||
|
if "Languages" in source:
|
||||||
|
source["Languages"].append(options["lang"])
|
||||||
|
else:
|
||||||
|
source["Languages"] = {options["lang"]}
|
||||||
|
|
||||||
|
if "target" in options:
|
||||||
|
if "Targets" in source:
|
||||||
|
source["Targets"].append(options["target"])
|
||||||
|
else:
|
||||||
|
source["Targets"] = {options["target"]}
|
||||||
|
|
||||||
|
sources[uri] = source
|
||||||
|
|
||||||
|
for i, (uri, source) in enumerate(sources.items()):
|
||||||
|
if i > 0:
|
||||||
|
print("")
|
||||||
|
for key, value in source.items():
|
||||||
|
if isinstance(value, str):
|
||||||
|
print("{}: {}".format(key, value) )
|
||||||
|
else:
|
||||||
|
print("{}: {}".format(key, ' '.join(value)) )
|
||||||
|
i += 1
|
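Review bot: In the `if uri in sources:` branch the options parsed from the line are never applied, so when a second `deb`/`deb-src` line for an already seen URI carries a different `signed-by=` (or `arch=`), that restriction is dropped and its suite is folded into the first stanza. For a tool that rewrites APT trust configuration this should either merge the options as well or key `sources` on the URI together with its option set, so lines with different keyrings stay in separate stanzas. The same branch calls `matches["components"].split(' ')`, which raises when the optional `components` group did not match, and `sources[uri]["Components"]` is missing when the first line had none; `sources[uri].setdefault("Components", set()).update((matches["components"] or "").split())` covers both. `option.split("=")` also fails on a value that itself contains `=`, where `option.split("=", 1)` would not. Indentation is lost in this rendering, so the nesting of the option handling under `else:` is inferred from its use of `source`.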
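--- a/apt/files/deb822-migration.sh
+++ b/apt/files/deb822-migration.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+deb822_migrate_script=$(command -v deb822-migration.py)
+
+if [ -z "${deb822_migrate_script}" ]; then
+deb822_migrate_script="./deb822-migration.py"
+fi
+if [ ! -x "${deb822_migrate_script}" ]; then
+>&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
+exit 1
+fi
+
+dest_dir="/etc/apt/sources.list.d"
+rc=0
+
+migrate_file() {
+legacy_file=$1
+deb822_file=$2
+
+if [ -f "${legacy_file}" ]; then
+if [ -f "${deb822_file}" ]; then
+>&2 echo "ERROR: '${deb822_file}' already exists"
+rc=2
+else
+${deb822_migrate_script} "${legacy_file}" > "${deb822_file}"
+if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then
+mv "${legacy_file}" "${legacy_file}.bak"
+echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak"
+else
+>&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'"
+rc=2
+fi
+fi
+else
+>&2 echo "ERROR: '${legacy_file}' not found"
+rc=2
+fi
+}
+
+migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources"
+
+# shellcheck disable=SC2044
+for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
+deb822_file=$(basename "${legacy_file}" .list)
+migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources"
+done
+
+exit ${rc}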
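Review bot: In `migrate_file` the redirection `> "${deb822_file}"` creates the target before the converter runs, so the following `[ -f "${deb822_file}" ]` test is always true and a failed conversion leaves an empty or partial `.sources` file in `/etc/apt/sources.list.d`, which then blocks every later run with the "already exists" error. A converter run that exits 0 but prints nothing (no line matched its pattern) also renames the legacy file to `.bak`, leaving the host without that repository and its updates. Writing to a temporary file, requiring non-empty output and moving it into place only on success avoids both, as sketched below. Separately, the fallback `./deb822-migration.py` is resolved against the caller's working directory in a script that needs root privileges to write under `/etc/apt`; `"$(dirname "$0")/deb822-migration.py"` would tie it to the script's own location.

```shell
# … unchanged: checks that legacy_file exists and deb822_file does not …
tmp_file=$(mktemp "${deb822_file}.XXXXXX") || { rc=2; return; }
if "${deb822_migrate_script}" "${legacy_file}" > "${tmp_file}" && [ -s "${tmp_file}" ]; then
    chmod 644 "${tmp_file}"
    mv "${tmp_file}" "${deb822_file}"
    mv "${legacy_file}" "${legacy_file}.bak"
    echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak"
else
    rm -f "${tmp_file}"
    >&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'"
    rc=2
fi
```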
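--- a/apt/files/move-apt-keyrings.sh
+++ b/apt/files/move-apt-keyrings.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
+#
+# Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
+
+repository_pattern=$1
+key=$2
+
+found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/*.list")
+
+old_key_file="/etc/apt/trusted.gpg.d/${key}"
+new_key_file="/etc/apt/keyrings/${key}"
+
+for file in ${found_files}; do
+if ! grep --quiet "signed-by" "${file}"; then
+signed_by="signed-by=${new_key_file}"
+if grep --quiet "deb(-src)? \[" "${file}"; then
+sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
+else
+sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
+fi
+fi
+done
+
+if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
+mv "${old_key_file}" "${new_key_file}"
+fi
+if [ -f "${new_key_file}" ]; then
+chmod 644 "${new_key_file}"
+chown root: "${new_key_file}"
+fi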
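Review bot: The `found_files` assignment passes `"/etc/apt/sources.list.d/*.list"` to grep inside double quotes, so the shell never expands the glob and grep looks for a file literally named `*.list`; `found_files` stays empty and no `signed-by` is written, yet the key is still moved out of `/etc/apt/trusted.gpg.d/` further down. The affected repository would then fail signature verification and stop delivering updates; leaving the glob unquoted, or using `--include='*.list' /etc/apt/sources.list.d/`, fixes the lookup, and the move is safer when it is skipped while `found_files` is empty. `grep --quiet "deb(-src)? \["` lacks `--extended-regexp`, so the parentheses and `?` are matched literally and lines that already have an option block take the `else` branch, which prepends a second bracket group. The header example passes a regular expression as the key name, but `old_key_file` and `new_key_file` use `${key}` as a literal file name.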
87
apt/files/pub_evolix.asc
Normal file
87
apt/files/pub_evolix.asc
Normal file
|
@ -0,0 +1,87 @@
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBGOsRdcBEADDPJ8Tsqr5Z4crmQlNQM32hfufe7gTUrXo0cAL8clt92y1QX3N
|
||||||
|
YyMv0Re4+Ugo7JZd4jsF2Q1twJMxsX5rA12xDnHHcZRSc/E0DIYvPnfLzEHkwseN
|
||||||
|
OK4f9lI+xo06k+B3KQQKMeI/RjVaN6AiSply9ZGaZVeGGqd4es4PsU1VQMTWdclV
|
||||||
|
Bn54HBWUnL5dPStPMnNkt0bMQYIqc5733Yby3qMiUKcql2bl9TYBw8SaJXvClsLw
|
||||||
|
ERqit6FjljUOEeWtB4WZFpjhc/aqcxGcUTPHRrNTlNF0HCvk8JicEu4/lr99pwy7
|
||||||
|
7z6SRql++WGMSG06E4MBtUt+wWAmDDHNj3fdZPnoCaDFp7vxy/FEARB2aygTtu11
|
||||||
|
mLk4XOKheqU/WibWxoXRzyUCuclJ247Fh+YPxkYVG1dnDwpWGbYuRmzUapGLv4ma
|
||||||
|
dnKsQN0KhXzUqkSoybBgV208dGOP7BqdY6TVnyU0v/7XDeUqFEwnllRKMSYLilV3
|
||||||
|
huTifiCFTK45HACM/x2yckx8dyAuYg6cJaAR1yn1iaTexoyYPG9ZFifvMB6ranEm
|
||||||
|
vkmQq1e8/7xiNSQsh5F3Ybl5hh4GVLwsR6esfZsHG0Ve+CitsmcZgWnr0JJ2PZOk
|
||||||
|
+XHxMwo7Gb0/KVH9XGeoXk+eiNNW/kdcgBMkGkU3nWooVHDm7Dy54I5CzQARAQAB
|
||||||
|
tC9Fdm9saXggUHVibGljIFJlcG9zaXRvcnkgPGVxdWlwZStwdWJAZXZvbGl4LmZy
|
||||||
|
PokCVAQTAQoAPhYhBP+vfRvzUK1F+rMpCUaPWta4YwY9BQJjrEXXAhsDBQkHhM4A
|
||||||
|
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEEaPWta4YwY9V6oP/iYfZceiA1Sy
|
||||||
|
x9t/7CL3EReuvpdZtZYf2KklBfxEFtzkERV/KKMMpf8mKoGD6BA+ryUc7b4a8npq
|
||||||
|
yvKbSKDHGZW6gAbq8hneW71vRuNfPNqtfO98JbJO694nqX9sIYU2xQn0UIh0G6N7
|
||||||
|
D2bOcaicn8AgV/8cQZfgN9yRM4VhCoWZwhLqgROUqMYfDn3szamfkPcFiw10ToVt
|
||||||
|
c2PIFdqj2soKO9OrF5Ct/pztSGy1f+orDFiJ0AtRlqqRk9z18VB893qspfyd6y9N
|
||||||
|
q7IrQbYsiP+D8DcXYWZA1KURsI4LVQwsudNXokvGkYdnZitVgXI2lIaY7odDou5F
|
||||||
|
btZsCIEa45m7Vmvu0Wvtu/90EFbu9iwbOVrNpC7lLnfJpDObVXMiY1r0rQVuweEZ
|
||||||
|
ZbBcv1NUa3R0SPsPLPKf7L6dCx8gCpZjDVJLsgBeeSEV7XFQiYDbl8THasNTKCOa
|
||||||
|
C6v4h00mg0H6GhZvGMx+lcx8TzW6l3XXRoptHl4vkdE5usLFjy8/JWG3yJ7e2W3D
|
||||||
|
jVbPQ0UKJAnkGn1t+UJB1GP9O4annks0nPfcomjZzaDweIL8zSLPy5R9DGNgYLjp
|
||||||
|
5h/baLoNAOkaKssZrusq/P+BM2tdr3i/N6TK+dbrffz3hNgzSFFYVg51DspV7XWo
|
||||||
|
JKGqhqCgQpkms+NPJiKr4NDs6DdXn0IKuQINBGOsRdcBEAC9i5qcrYLTfeGrWPo3
|
||||||
|
Zok3jikNk181HC3HR7Wu8a5whCe/88GgJDY00sU2zZEF9hN/4Vtqq9FICVXUcs+F
|
||||||
|
5j+Gcb/sqAgwXuwk8LKuhbtR2cnz6I0GCsqNPuj+5uM7MXQlVWeIN5Z6zA/Jw++o
|
||||||
|
aENZHO6cnuep2KDNPUZzjmTHAa4+qXRL5cRXEOmMB1vtA8mm/43c7wicJ7MrZpba
|
||||||
|
mqzmiQPsQ2qfmCABfx8BwBgXCVON4sgtzCa+rYOPScsDtv0pv6uG+h/GJp4MdKBp
|
||||||
|
g3BfShQEAmOwwy3Pt2vo9Rw2s0uJJ9AM2O6tJ3x93YkUP5qj3Etr/eTcgVUiVvSs
|
||||||
|
h2Rrz2FLen3GMAcqUUDPViCy9nEWRAo7iWQgAKgr8WjeGerOmtsYPyjIQE47eX5M
|
||||||
|
Gomx0LVCGigYfkSAFIYzm5I+depmn1qTUyizfklvPr0bA/8Cs4zbqx6Pf6Rk5wvb
|
||||||
|
sJ4envk3dzQRNTH1Vt7Yoktyx1+VX0HFVEaPTQ3JlFORaHYwQQ97LaOZ0VmztE0A
|
||||||
|
5+CIFFdqp/0H7zGPol+LsPgqnzZZEQ2XFYPOy7/gB17zI2eWNWPAQmOdrUM/v12A
|
||||||
|
etnLEthZyALcjjBpJEVIHFnuaabYp+mdotycjDkBNSh+P+8H/UsMSrNVhheKQLB8
|
||||||
|
smzwFcSrAcnQbtiCjFWANTWyKQARAQABiQI8BBgBCgAmFiEE/699G/NQrUX6sykJ
|
||||||
|
Ro9a1rhjBj0FAmOsRdcCGwwFCQeEzgAACgkQRo9a1rhjBj0FZw//fNhJdx55ACvX
|
||||||
|
mpa8wz6eZOvzhr5GWSW5/Qie9nRjInPPI3bJ/jU0S/4ENqFBD9RSvY5F+0xCU67F
|
||||||
|
V2R3a3FFcB81HLIcUrkN0GH6fLcex0Js+grq/U117e2umdfGMKQG0UFJ+XonhtlT
|
||||||
|
foBcBjXPFr2NUaJB2SPo/RPQ3U+N3wMSm0ZbB/Xvxi5qMEb971dfObvsXTkQZvn7
|
||||||
|
b0TvccfHhyzs2IM8pZO3PamTwA5e16/2QqisRX4CeL0a/q3Yxfw4R8RPCrz/l0k5
|
||||||
|
FPdbdXaQuk5s+CiV+Nse7yFGoEoSlLpJM2BpueBsIg92joyOstZRm+tuCb5QefWI
|
||||||
|
7yFPfJU6xG1CMDqIGjXNU1tzSIoReGUBCNrE9UgzBQPPVD0jNM1WdW6HWSVR7jBb
|
||||||
|
+dvAeJNzQjJYlvKLQ383mAiVcwmCWBUp+R/kBPlLMGEpLlspti5fkmEc8xvtCaHc
|
||||||
|
fCLVWd0r2lUFUz+W53r8IXaRcxLtFinz7SHZPrlhaVwErdtlo+5X3kq39Mc4KCmF
|
||||||
|
bevT+qxlgzHXof+WGTYoc9IHkhDrvZ/TWeAUnBPvVn88dsBRtOC9f5wSCK4r9SfR
|
||||||
|
Dnf0lAsLWMpNtt812W8sA82RGXRUBwonZKa7YoGNKSa2vPJcUgmpIiHNtoLWpNa+
|
||||||
|
7pYGN7bV51zyQ1ERaLU5TBC9sPE70p25Ag0EY6xJaQEQAKsxFCb4Vxe8VuUEAKp/
|
||||||
|
RSRNGX/v9KqXVwbnf3kTYq9FMoplZBeqj4LQ22BqRzZ74ywoyfvHHtvkAtCbmrlc
|
||||||
|
8iLQEmicLug3Ibk97qm1lvvHnK9fqFOWh+Tx/omlaiSzEfAFbLEjNcplmq1ooqmX
|
||||||
|
fkI9zcefLZHtUFx6Clw3rwp79d/V5XJDM+2jwB47HfIhrW6jEubUuaXIHNR/GSSd
|
||||||
|
gTYuw55g9K97LhONX6ZvSBhjp4pOeUUbtFuG1fRkjPiObsB54fJ2R32yfm4jV53/
|
||||||
|
YgG/Ih/o97tKV+ishQIrr85SB3XiLFlGhQuu/0a/+/vfGVTbJOzrQrE+OCWt9Xm1
|
||||||
|
4b91MiVSSzXy6TGzPvpNXYR2PQZzVwvz7UctCikaE4gGB0lSH0LemDD0LZIZUwBL
|
||||||
|
1G9mlwFTkMYK0+iMyHFOKeAlUnSSpO6hFYr4GHOxAMGTjHqqEJZ3lBi9SBPc7AEK
|
||||||
|
3NcEp4etuiLOeaSBtqmUs+y7g8yMTrnyWPVxa0l5q4OUitbb2qvWYbaD3O22xYyj
|
||||||
|
9BlqzpG9uO6/d8HefDK8XMNCHlmwFoJj3HJlHJg7oN029vYsXEwBIhFyolAPzIvB
|
||||||
|
jpLKcebq9DJSObs1nHjAyVUpL4ZzRmujFcJYDYSixiqaWc/1aGTgUZQ/JDXcODiC
|
||||||
|
LgFu1vLTRf6hwKSb/vnZP5OtABEBAAGJBHIEGAEKACYWIQT/r30b81CtRfqzKQlG
|
||||||
|
j1rWuGMGPQUCY6xJaQIbAgUJA8JnAAJACRBGj1rWuGMGPcF0IAQZAQoAHRYhBA7H
|
||||||
|
BbTwXPF0hLMgRYefxhvnjx3ABQJjrElpAAoJEIefxhvnjx3ANpUQAIFLkLcx2z3M
|
||||||
|
jV0SgoAYertib9T/OOy/rsfeQjE6DFk6IArrHolZPA9g/PpTPuRwK165n5xw483q
|
||||||
|
BMyssUT9IK7SZxt0gbKpvZ0HFSCwSp5wdSJZymwB4AOcgRBU5rwC/9fFxYihgIym
|
||||||
|
Ig7TH9aWW4hDbEuGJDrKbhK+DpIL7lK3A5WUZk9ltGOpCcFctV3YnVgbMIwX5gO6
|
||||||
|
lZ5Zi6NHJEB3HauVZJ59NIPJ/f0xe5GMte/LXckyijs9ei4WOFOjstiW64EWkOBH
|
||||||
|
El0tj+LUxLznCP2szdXjkDN1P6/NDrY1Nid6/ECOfkh4xO/VHhkdSRAlhdP9FHiV
|
||||||
|
sy3KUUoPH5B805z1MyOI7UYUD/8CK0juIXcbw7isbVUmLf/VV8jEDmq3WWDj8YZp
|
||||||
|
IStn2AvQeo3VWGWUfkf3v7UthKandIUTIGc5isD+i6KvzzbggyyZWNtvb3/1wMrz
|
||||||
|
DUKGlFi/IjMhhElJ0oF3YGsBwz2V2UKP7pPIYo+f5zthc7SbmO9yxAQebEOc3prM
|
||||||
|
G/Br8JOZ90w1dy6CeIYxkM4YEhhG1K8CzD3ZTTI7vh8mwRc92A6HI2NFyxeYJCr0
|
||||||
|
IsUcFQpCyXMtcLRN75DGLIjIKdYrYJuwSiUgcH5FtgkuxMYfJEX9UX8rV7HAxUvs
|
||||||
|
UdIyHLl7k+khGlZa0/W6uCioFNiygnBEp7oP/iSj4Q2Xh5yKI6Jjw/IsfRcsiaac
|
||||||
|
lHc7uF0caYGMkqRNHiX17d5EtaidTbiqQii1W9slSPXmUuUcKfD1xUfLng7TbZVm
|
||||||
|
AdEbpHCT+q037cGCYFpHPMvw3OYhhGzYeh3+1oN9t3ZvyGlvAhkrtssDQB+gxX8r
|
||||||
|
adCpihziFLjm+6IvCLYHEh3gILVFbbhdYDDUduFFjf/snlJW7j8OVc7Cxa7FbPdf
|
||||||
|
SHLT9VESzf7oiwkP5/ijGmHiEQoJd9EWYkGGz+LZAXemBwe5ZnPPWVZvDEQRMe8v
|
||||||
|
2V8pa37vyReaK//O8xxGg3NzGTn9otwVr/4Ti9OxrSzmDWpd967oZ42IZSeSY2bz
|
||||||
|
kOaV8z4C8AIgIA7vWOS83Hncbrgf2nMCXmRjf0KTMm1P7Z0BQDWpxK9lP0nRpVAg
|
||||||
|
2T3/OjJ9KcAsTz02NFC3/kOUz//NcfDP747HsQB0sltIty140B7CfcWk0a0eKSad
|
||||||
|
OxGUehskjyKhO6v3dYF+8oR9p98Q8/Rh8r7evYy2mfhgJd7a9Cchn7612Y6k1SLf
|
||||||
|
nmPGYu3s0lf/k6GoHLfXXQIJDgWeua4ZBr6cgpGONLSvWBeCVaqnk8nhbNIiSBHk
|
||||||
|
jnrcX8xAtoPLgqg0+yi7rZ3NAauZcQE6UaNB+xjJxDOIpgVLUWtFyAG4MDeIh6GH
|
||||||
|
oA9QflpnDubMnCve
|
||||||
|
=ZCml
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -18,8 +18,8 @@
|
||||||
|
|
||||||
- name: Add Evolix GPG key
|
- name: Add Evolix GPG key
|
||||||
copy:
|
copy:
|
||||||
src: reg.asc
|
src: pub_evolix.asc
|
||||||
dest: "{{ apt_keyring_dir }}/reg.asc"
|
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||||
force: yes
|
force: yes
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: "hold packages (apt)"
|
- name: "hold packages (apt)"
|
||||||
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
|
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
|
||||||
args:
|
args:
|
||||||
|
@ -76,8 +79,8 @@
|
||||||
- name: Check if Cron is installed
|
- name: Check if Cron is installed
|
||||||
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||||
register: is_cron
|
register: is_cron
|
||||||
changed_when: false
|
changed_when: False
|
||||||
failed_when: false
|
failed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- apt
|
- apt
|
||||||
|
|
31
apt/tasks/migrate-to-deb822.yml
Normal file
31
apt/tasks/migrate-to-deb822.yml
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
- include_role:
|
||||||
|
name: evolix/remount-usr
|
||||||
|
|
||||||
|
- name: /usr/share/scripts exists
|
||||||
|
file:
|
||||||
|
dest: /usr/share/scripts
|
||||||
|
mode: "0700"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Migration scripts are installed
|
||||||
|
copy:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: "/usr/share/scripts/{{ item }}"
|
||||||
|
force: yes
|
||||||
|
mode: "0755"
|
||||||
|
loop:
|
||||||
|
- deb822-migration.py
|
||||||
|
- deb822-migration.sh
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: Exec migration script
|
||||||
|
command: /usr/share/scripts/deb822-migration.sh
|
||||||
|
ignore_errors: yes
|
||||||
|
tags:
|
||||||
|
- apt
|
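Review bot: The `Exec migration script` task runs with `ignore_errors: yes` and no `register`, so a run that fails part-way through rewriting the APT sources is reported as ignored and the play continues on a host whose repositories may be half migrated. `deb822-migration.sh` in this commit returns 2 both for "already exists" and for a failed conversion, so tolerating only the already-migrated case needs distinct return codes in the script plus a `failed_when` on the registered result here. The task also sets no `chdir`, while the shell script finds `deb822-migration.py` only through `PATH` or `./`; unless `/usr/share/scripts` is on the remote `PATH`, adding `args:` with `chdir: /usr/share/scripts` looks necessary for the script to start at all. There is no `changed_when`, so the task reports a change on every run.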
52
apt/tasks/move-apt-keyring.yml
Normal file
52
apt/tasks/move-apt-keyring.yml
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: New APT keyrings directory is present
|
||||||
|
file:
|
||||||
|
path: /etc/apt/keyrings
|
||||||
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: evolix/remount-usr
|
||||||
|
|
||||||
|
- name: /usr/share/scripts exists
|
||||||
|
file:
|
||||||
|
dest: /usr/share/scripts
|
||||||
|
mode: "0700"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
state: directory
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
|
||||||
|
- name: migration script is present
|
||||||
|
copy:
|
||||||
|
src: move-apt-keyrings.sh
|
||||||
|
dest: /usr/share/scripts/move-apt-keyrings.sh
|
||||||
|
mode: "0755"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Move repository signing key
|
||||||
|
command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
|
||||||
|
loop:
|
||||||
|
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
|
||||||
|
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
|
||||||
|
- { repository_pattern: "https://pub.evolix.org/evolix", key: "pub_evolix.asc" }
|
||||||
|
- { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
|
||||||
|
- { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
|
||||||
|
- { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
|
||||||
|
- { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
|
||||||
|
- { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
|
||||||
|
- { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
|
||||||
|
- { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
|
||||||
|
- { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
|
||||||
|
- { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
|
||||||
|
- { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
|
||||||
|
register: _cmd
|
||||||
|
|
||||||
|
- name: Debug command
|
||||||
|
debug:
|
||||||
|
var: _cmd
|
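Review bot: The loop entry for `repo.mongodb.org` passes `mongodb-server-[0-9\\.]+.asc` as `key`, but `move-apt-keyrings.sh` in this commit builds `/etc/apt/trusted.gpg.d/${key}` and `/etc/apt/keyrings/${key}` as literal paths, so the pattern can never match a key file and would be written verbatim into `signed-by=`. A repository pinned to a keyring path that does not exist fails verification, so this entry should name the actual file (one entry per installed MongoDB key) or the script should resolve the pattern to a file first. The `Move repository signing key` task has no `changed_when`, and the `Debug command` task prints the full `_cmd` result on every run; a real change test on the command and `verbosity: 1` on the debug task would keep normal runs quiet.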
|
@ -1,7 +1,3 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
{% if ansible_distribution_release == "bookworm" %}
|
deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main
|
||||||
deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/
|
|
||||||
{% else %}
|
|
||||||
deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/
|
|
||||||
{% endif %}
|
|
||||||
|
|
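Review bot: The new source line uses plain `http://pub.evolix.org/evolix` where an `https://` URI looks available. `signed-by` protects package integrity, but an unencrypted transport still lets anyone on the path see which packages the host fetches and serve stale but validly signed metadata; `move-apt-keyring.yml` in this commit lists an `https://pub.evolix.org/evolix` pattern, which suggests the host is reachable over TLS. If so, `deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] https://pub.evolix.org/evolix {{ ansible_distribution_release }} main` is the safer default.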
|
@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
|
||||||
bind_statistics_file: /var/run/named.stats
|
bind_statistics_file: /var/run/named.stats
|
||||||
bind_log_file: /var/log/bind.log
|
bind_log_file: /var/log/bind.log
|
||||||
bind_query_file: /var/log/bind_queries.log
|
bind_query_file: /var/log/bind_queries.log
|
||||||
|
bind_query_file_enabled: False
|
||||||
bind_cache_dir: /var/cache/bind
|
bind_cache_dir: /var/cache/bind
|
||||||
|
|
|
@ -1,19 +1,21 @@
|
||||||
---
|
---
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
command: systemctl daemon-reload
|
systemd:
|
||||||
|
daemon-reload: yes
|
||||||
|
|
||||||
|
|
||||||
- name: restart apparmor
|
- name: restart apparmor
|
||||||
service:
|
systemd:
|
||||||
name: apparmor
|
name: apparmor
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart bind
|
- name: restart bind
|
||||||
service:
|
systemd:
|
||||||
name: bind9
|
name: bind9
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart munin-node
|
- name: restart munin-node
|
||||||
service:
|
systemd:
|
||||||
name: munin-node
|
name: munin-node
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
|
11
bind/tasks/authoritative.yml
Normal file
11
bind/tasks/authoritative.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Set bind configuration for authoritative server
|
||||||
|
template:
|
||||||
|
src: named.conf.options_authoritative.j2
|
||||||
|
dest: /etc/bind/named.conf.options
|
||||||
|
owner: bind
|
||||||
|
group: bind
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
notify: restart bind
|
|
@ -8,15 +8,23 @@
|
||||||
bind_chroot_path: /var/chroot-bind
|
bind_chroot_path: /var/chroot-bind
|
||||||
when: bind_chroot_set | bool
|
when: bind_chroot_set | bool
|
||||||
|
|
||||||
|
- name: Check AppArmor
|
||||||
|
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: check_apparmor
|
||||||
|
|
||||||
- name: configure apparmor
|
- name: configure apparmor
|
||||||
template:
|
template:
|
||||||
src: apparmor.usr.sbin.named.j2
|
src: apparmor.usr.sbin.named.j2
|
||||||
dest: /etc/apparmor.d/usr.sbin.named
|
dest: /etc/apparmor.d/usr.sbin.named
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '0644'
|
mode: "0644"
|
||||||
force: yes
|
force: yes
|
||||||
notify: restart apparmor
|
notify: restart apparmor
|
||||||
|
when: check_apparmor.rc == 0
|
||||||
|
|
||||||
- name: package are installed
|
- name: package are installed
|
||||||
apt:
|
apt:
|
||||||
|
@ -25,39 +33,15 @@
|
||||||
- dnstop
|
- dnstop
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Set bind configuration for recursive server
|
- include: authoritative.yml
|
||||||
template:
|
|
||||||
src: named.conf.options_recursive.j2
|
|
||||||
dest: /etc/bind/named.conf.options
|
|
||||||
owner: bind
|
|
||||||
group: bind
|
|
||||||
mode: "0644"
|
|
||||||
force: yes
|
|
||||||
notify: restart bind
|
|
||||||
when: bind_recursive_server | bool
|
|
||||||
|
|
||||||
- name: enable zones.rfc1918 for recursive server
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/bind/named.conf.local
|
|
||||||
line: 'include "/etc/bind/zones.rfc1918";'
|
|
||||||
regexp: "zones.rfc1918"
|
|
||||||
notify: restart bind
|
|
||||||
when: bind_recursive_server | bool
|
|
||||||
|
|
||||||
- name: Set bind configuration for authoritative server
|
|
||||||
template:
|
|
||||||
src: named.conf.options_authoritative.j2
|
|
||||||
dest: /etc/bind/named.conf.options
|
|
||||||
owner: bind
|
|
||||||
group: bind
|
|
||||||
mode: "0644"
|
|
||||||
force: yes
|
|
||||||
notify: restart bind
|
|
||||||
when: bind_authoritative_server | bool
|
when: bind_authoritative_server | bool
|
||||||
|
|
||||||
- name: Create systemd service
|
- include: recursive.yml
|
||||||
|
when: bind_recursive_server | bool
|
||||||
|
|
||||||
|
- name: Create systemd service for Debian 8 (Jessie)
|
||||||
template:
|
template:
|
||||||
src: bind9.service.j2
|
src: bind9.service.jessie.j2
|
||||||
dest: "{{ bind_systemd_service_path }}"
|
dest: "{{ bind_systemd_service_path }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
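Review bot: The new `Check AppArmor` task in the first hunk runs `systemctl is-active apparmor || systemctl is-enabled apparmor` through `shell` with `failed_when: False`, so when AppArmor is neither active nor enabled, or when systemctl itself fails, `configure apparmor` is skipped with no trace in the play output and the named profile is not deployed. Before this change the profile was written unconditionally, so the skip should be visible: a follow-up `debug` task guarded by `when: check_apparmor.rc != 0` would do it. A comment above the check such as `# rc 0 when AppArmor is active or at least enabled; the profile is skipped otherwise` would document the intent. The last task of the second hunk (`Create systemd service for Debian 8 (Jessie)`) continues outside the hunk.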
|
@ -19,7 +19,7 @@
|
||||||
- bind9_rndc
|
- bind9_rndc
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when:
|
when:
|
||||||
- bind_authoritative_server
|
- bind_authoritative_server | bool
|
||||||
- munin_node_plugins_config.stat.exists
|
- munin_node_plugins_config.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- bind
|
- bind
|
||||||
|
@ -32,10 +32,10 @@
|
||||||
state: link
|
state: link
|
||||||
loop:
|
loop:
|
||||||
- bind9
|
- bind9
|
||||||
- bind9_rndc
|
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when:
|
when:
|
||||||
- bind_recursive_server
|
- bind_recursive_server | bool
|
||||||
|
- bind_query_file_enabled | bool
|
||||||
- munin_node_plugins_config.stat.exists
|
- munin_node_plugins_config.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- bind
|
- bind
|
||||||
|
|
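--- a/bind/tasks/recursive.yml
+++ b/bind/tasks/recursive.yml
@@ -0,0 +1,19 @@
+---
+
+
+- name: Set bind configuration for recursive server
+template:
+src: named.conf.options_recursive.j2
+dest: /etc/bind/named.conf.options
+owner: bind
+group: bind
+mode: "0644"
+force: yes
+notify: restart bind
+
+- name: enable zones.rfc1918 for recursive server
+lineinfile:
+dest: /etc/bind/named.conf.local
+line: 'include "/etc/bind/zones.rfc1918";'
+regexp: "zones.rfc1918"
+notify: restart bind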
|
@ -56,7 +56,9 @@
|
||||||
# some people like to put logs in /var/log/named/ instead of having
|
# some people like to put logs in /var/log/named/ instead of having
|
||||||
# syslog do the heavy lifting.
|
# syslog do the heavy lifting.
|
||||||
{{ bind_log_file }} rw,
|
{{ bind_log_file }} rw,
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
{{ bind_query_file }} rw,
|
{{ bind_query_file }} rw,
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# gssapi
|
# gssapi
|
||||||
/var/lib/sss/pubconf/krb5.include.d/** r,
|
/var/lib/sss/pubconf/krb5.include.d/** r,
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{% if bind_chroot_set %}
|
{% if bind_chroot_set | bool %}
|
||||||
{{ bind_chroot_path }}{{bind_log_file}} {
|
{{ bind_chroot_path }}{{ bind_log_file }} {
|
||||||
{% else %}
|
{% else %}
|
||||||
{{bind_log_file}} {
|
{{ bind_log_file }} {
|
||||||
{% endif %}
|
{% endif %}
|
||||||
weekly
|
weekly
|
||||||
missingok
|
missingok
|
||||||
|
|
|
@ -1,9 +1,17 @@
|
||||||
[bind*]
|
[bind*]
|
||||||
user root
|
user root
|
||||||
|
|
||||||
env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
|
{% if bind_query_file_enabled | bool %}
|
||||||
|
{% if bind_chroot_set | bool %}
|
||||||
|
env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
|
||||||
|
{% else %}
|
||||||
|
env.logfile {{ bind_query_file }}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if bind_authoritative_server %}
|
{% if bind_authoritative_server %}
|
||||||
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
|
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
env.MUNIN_PLUGSTATE /var/lib/munin
|
env.MUNIN_PLUGSTATE /var/lib/munin
|
||||||
timeout 120
|
timeout 120
|
||||||
|
|
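Review bot: The `env.querystats` block near the end of the hunk still tests `bind_authoritative_server` and `bind_chroot_set` without the `| bool` filter that the new `env.logfile` block applies. A value that arrives as a string (for instance an extra var set to `false` on the command line) is truthy in Jinja, so the two blocks can disagree about whether the chroot prefix is used and the plugin, which runs as `user root`, may read a different file than intended. Suggested: `{% if bind_authoritative_server | bool %}` and `{% if bind_chroot_set | bool %}{{ bind_chroot_path }}{% endif %}` on the querystats line.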
|
@ -1,7 +1,7 @@
|
||||||
acl "foo" {
|
// acl "foo" {
|
||||||
::ffff:192.0.2.21; 192.0.2.21;
|
// ::ffff:192.0.2.21; 192.0.2.21;
|
||||||
2001:db8::21;
|
// 2001:db8::21;
|
||||||
};
|
// };
|
||||||
|
|
||||||
options {
|
options {
|
||||||
directory "{{ bind_cache_dir }}";
|
directory "{{ bind_cache_dir }}";
|
||||||
|
@ -20,16 +20,20 @@ options {
|
||||||
|
|
||||||
logging {
|
logging {
|
||||||
category default { default_file; };
|
category default { default_file; };
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
category queries { query_logging; };
|
category queries { query_logging; };
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
channel default_file {
|
channel default_file {
|
||||||
file "{{ bind_log_file }}";
|
file "{{ bind_log_file }}";
|
||||||
severity info;
|
severity info;
|
||||||
};
|
};
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
channel query_logging {
|
channel query_logging {
|
||||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||||
print-category yes;
|
print-category yes;
|
||||||
print-severity yes;
|
print-severity yes;
|
||||||
print-time yes;
|
print-time yes;
|
||||||
};
|
};
|
||||||
|
{% endif %}
|
||||||
};
|
};
|
||||||
|
|
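Review bot: Commenting out the sample `acl "foo"` in the first hunk is only safe if nothing in the `options` block still refers to it, and lines 8–19 of the template are outside both hunks, so that cannot be confirmed here. If a statement there still names `foo`, named will presumably reject the configuration on restart; if the restriction was removed together with the ACL, the server accepts more clients than before. A comment next to the commented block would make the intent explicit, for example `// example ACL: uncomment and reference it from the options block to restrict access`.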
|
@ -9,16 +9,20 @@ options {
|
||||||
|
|
||||||
logging {
|
logging {
|
||||||
category default { default_file; };
|
category default { default_file; };
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
category queries { query_logging; };
|
category queries { query_logging; };
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
channel default_file {
|
channel default_file {
|
||||||
file "{{ bind_log_file }}";
|
file "{{ bind_log_file }}";
|
||||||
severity info;
|
severity info;
|
||||||
};
|
};
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
channel query_logging {
|
channel query_logging {
|
||||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||||
print-category yes;
|
print-category yes;
|
||||||
print-severity yes;
|
print-severity yes;
|
||||||
print-time yes;
|
print-time yes;
|
||||||
};
|
};
|
||||||
|
{% endif %}
|
||||||
};
|
};
|
||||||
|
|
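Review bot: With `bind_query_file_enabled` false this hunk drops both the `queries` category and the `query_logging` channel, which as far as the template shows leaves the server without any per-query log. That may be the right default for disk usage, but the query log is usually what an investigation of DNS abuse depends on, so the trade-off deserves a line in the template. Suggested comment above the first conditional: `{# query logging is optional; when disabled no per-query record is kept #}`. The same conditional is added to the other named.conf options template earlier in this commit.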
|
@ -13,7 +13,7 @@
|
||||||
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
|
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
|
||||||
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
|
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
|
||||||
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
|
||||||
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
|
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '200' }
|
||||||
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
|
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
|
||||||
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
|
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
# If docher_home sets to /home/, the partition should be mounted with exec option.
|
# If docher_home sets to /home/, the partition should be mounted with exec option.
|
||||||
docker_home: /var/lib/docker
|
docker_home: /var/lib/docker
|
||||||
docker_tmpdir: "{{docker_home}}/tmp"
|
docker_tmpdir: "{{ docker_home }}/tmp"
|
||||||
|
|
||||||
# Chose to use iptables instead of docker-proxy userland process
|
# Chose to use iptables instead of docker-proxy userland process
|
||||||
docker_conf_use_iptables: False
|
docker_conf_use_iptables: False
|
||||||
|
@ -22,7 +22,7 @@ docker_daemon_listening_ip: 0.0.0.0
|
||||||
|
|
||||||
# TLS
|
# TLS
|
||||||
docker_tls_enabled: False
|
docker_tls_enabled: False
|
||||||
docker_tls_path: "{{docker_home}}/tls"
|
docker_tls_path: "{{ docker_home }}/tls"
|
||||||
docker_tls_ca: ca/ca.pem
|
docker_tls_ca: ca/ca.pem
|
||||||
docker_tls_ca_key: ca/ca-key.pem
|
docker_tls_ca_key: ca/ca-key.pem
|
||||||
docker_tls_cert: server/cert.pem
|
docker_tls_cert: server/cert.pem
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
command: systemctl daemon-reload
|
systemd:
|
||||||
|
daemon-reload: yes
|
||||||
|
|
||||||
- name: restart docker
|
- name: restart docker
|
||||||
service:
|
service:
|
||||||
|
|
|
@ -1,40 +1,30 @@
|
||||||
{
|
{
|
||||||
"debug": false,
|
"debug": false
|
||||||
|
|
||||||
{# Docker data-dir (default to /var/lib/docker) #}
|
{# Docker data-dir (default to /var/lib/docker) #}
|
||||||
"data-root": "{{ docker_home }}",
|
,"data-root": "{{ docker_home }}"
|
||||||
|
|
||||||
{# Keep containers running while docker daemon downtime #}
|
{# Keep containers running while docker daemon downtime #}
|
||||||
"live-restore": {{ docker_conf_live_restore | to_json }},,
|
,"live-restore": {{ docker_conf_live_restore | to_json }}
|
||||||
|
|
||||||
{# Turn on user namespace remaping #}
|
{# Turn on user namespace remaping #}
|
||||||
"userns-remap": "default",
|
,"userns-remap": "default"
|
||||||
|
{% if docker_conf_use_iptables %}
|
||||||
{% if docker_conf_use_iptables %}
|
|
||||||
{# Use iptables instead of docker-proxy #}
|
{# Use iptables instead of docker-proxy #}
|
||||||
"userland-proxy": false,
|
,"userland-proxy": false
|
||||||
"iptables": true,
|
,"iptables": true
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{# Disable the possibility for containers processes to gain new privileges #}
|
{# Disable the possibility for containers processes to gain new privileges #}
|
||||||
"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }},
|
,"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }}
|
||||||
|
{% if docker_conf_disable_default_networking %}
|
||||||
{% if docker_conf_disable_default_networking %}
|
|
||||||
{# Disable all default network connectivity #}
|
{# Disable all default network connectivity #}
|
||||||
"bridge": "none",
|
,"bridge": "none"
|
||||||
"icc": false,
|
,"icc": false
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if docker_tls_enabled %}
|
||||||
{% if docker_tls_enabled %}
|
,"tls": true
|
||||||
"tls": true,
|
,"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}"
|
||||||
"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}",
|
,"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}"
|
||||||
"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}",
|
,"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}"
|
||||||
"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}",
|
{% endif %}
|
||||||
{% endif %}
|
{% if docker_remote_access_enabled %}
|
||||||
|
,"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
|
||||||
{% if docker_remote_access_enabled %}
|
{% endif %}
|
||||||
"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
|
|
||||||
{% else %}
|
|
||||||
"hosts": ["fd://"]
|
|
||||||
{% endif %}
|
|
||||||
}
|
}
|
||||||
|
|
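Review bot: The TLS block emits `"tls": true` with `tlscert`, `tlscacert` and `tlskey` but never `"tlsverify": true`, so the daemon presents a server certificate without requiring a client certificate. The `hosts` block that follows opens `tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}` whenever `docker_remote_access_enabled` is set, independent of `docker_tls_enabled`. With the role defaults shown elsewhere in this commit (`docker_tls_enabled: False`, listening IP `0.0.0.0`), enabling remote access alone would expose the Docker API, which is root-equivalent on the host, without authentication. Suggested: add `,"tlsverify": true` inside the TLS block and change the guard to `{% if docker_remote_access_enabled and docker_tls_enabled %}`.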
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: elasticsearch_additional_scripts_dir is search ("/usr")
|
when: elasticsearch_additional_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: "{{ elasticsearch_additional_scripts_dir }} exists"
|
- name: "{{ elasticsearch_additional_scripts_dir }} exists"
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -118,6 +118,17 @@
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
|
|
||||||
|
- name: Disable garbage collector logs (JDK >= 9)
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/elasticsearch/jvm.options
|
||||||
|
regexp: "Xlog:gc"
|
||||||
|
line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m"
|
||||||
|
owner: root
|
||||||
|
group: elasticsearch
|
||||||
|
mode: "0640"
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
|
||||||
- name: Configure cluster members
|
- name: Configure cluster members
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/elasticsearch/elasticsearch.yml
|
dest: /etc/elasticsearch/elasticsearch.yml
|
||||||
|
|
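Review bot: The new `Disable garbage collector logs (JDK >= 9)` task replaces whatever line matches `Xlog:gc` with a fixed commented string that points at `/opt/my-app/gc.log`, so the host's actual GC log setting disappears from `jvm.options` and the leftover comment names a path unrelated to Elasticsearch. Commenting the existing line in place keeps the original value recoverable and stays idempotent: `regexp: '^(9-:-Xlog:gc.*)$'`, `line: '#\1'`, `backrefs: yes`. The `owner`, `group` and `mode` arguments on this task also reset the permissions of the whole file, which is worth a comment if that is intended.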
|
@ -10,7 +10,7 @@
|
||||||
|
|
||||||
- name: "read the real datadir"
|
- name: "read the real datadir"
|
||||||
command: readlink -f /var/lib/elasticsearch
|
command: readlink -f /var/lib/elasticsearch
|
||||||
changed_when: false
|
changed_when: False
|
||||||
register: elasticsearch_current_real_datadir_test
|
register: elasticsearch_current_real_datadir_test
|
||||||
check_mode: no
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -17,3 +17,4 @@
|
||||||
group: root
|
group: root
|
||||||
mode: "0750"
|
mode: "0750"
|
||||||
when: is_cron_installed.rc == 0
|
when: is_cron_installed.rc == 0
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,6 @@ MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }}
|
||||||
# Compress logs
|
# Compress logs
|
||||||
find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \;
|
find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \;
|
||||||
find ${LOG_DIR} -type f -user ${USER} -name "*-????-??-??.log" -exec gzip --best {} \;
|
find ${LOG_DIR} -type f -user ${USER} -name "*-????-??-??.log" -exec gzip --best {} \;
|
||||||
find ${LOG_DIR} -type f -user ${USER} -name "*.log.??" -not -name "*.gz" -exec gzip --best {} \;
|
|
||||||
|
|
||||||
# Delete old logs
|
# Delete old logs
|
||||||
find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete
|
find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete
|
|
@ -2,14 +2,13 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: repository_path is search ("/usr")
|
when: repository_path is search("/usr")
|
||||||
|
|
||||||
- name: "{{ repository_path }} is versioned with git"
|
- name: "{{ repository_path }} is versioned with git"
|
||||||
command: "git init ."
|
command: "git init ."
|
||||||
args:
|
args:
|
||||||
chdir: "{{ repository_path }}"
|
chdir: "{{ repository_path }}"
|
||||||
creates: "{{ repository_path }}/.git/"
|
creates: "{{ repository_path }}/.git/"
|
||||||
warn: no
|
|
||||||
register: git_init
|
register: git_init
|
||||||
tags:
|
tags:
|
||||||
- etc-git
|
- etc-git
|
||||||
|
@ -54,7 +53,6 @@
|
||||||
command: "git log"
|
command: "git log"
|
||||||
args:
|
args:
|
||||||
chdir: "{{ repository_path }}"
|
chdir: "{{ repository_path }}"
|
||||||
warn: no
|
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
register: git_log
|
register: git_log
|
||||||
|
@ -66,7 +64,6 @@
|
||||||
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
|
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
|
||||||
args:
|
args:
|
||||||
chdir: "{{ repository_path }}"
|
chdir: "{{ repository_path }}"
|
||||||
warn: no
|
|
||||||
register: git_commit
|
register: git_commit
|
||||||
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
|
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
### File generated by Ansible ###
|
### File generated by Ansible ###
|
||||||
|
|
||||||
SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }}}
|
SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} }
|
||||||
ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }}}
|
ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }} }
|
||||||
CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }}}
|
CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }} }
|
||||||
CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }}}
|
CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }} }
|
||||||
HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"}
|
HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"}
|
||||||
LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }}}
|
LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }} }
|
||||||
SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }}}
|
SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }} }
|
||||||
|
|
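Review bot: The space added before the closing brace changes the rendered default: `${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} }` expands to the directory name followed by a space, because everything up to the `}` of a shell parameter expansion belongs to the default word. This applies to all six rewritten lines (`SSL_KEY_DIR`, `ACME_DIR`, `CSR_DIR`, `CRT_DIR`, `LOG_DIR`, `SSL_MINDAY`), so, assuming the file is sourced by a shell, keys, CSRs and certificates would be looked up or created under a path with a trailing space, and `SSL_MINDAY` would no longer be a clean integer. The unchanged `HOOKS_DIR` line shows a form that keeps the Jinja and shell braces apart without altering the value: `SSL_KEY_DIR=${SSL_KEY_DIR:-"{{ evoacme_ssl_key_dir }}"}`.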
|
@ -1,5 +1,3 @@
|
||||||
# Managed by Ansible
|
|
||||||
#
|
|
||||||
# Configuration for evocheck
|
# Configuration for evocheck
|
||||||
# Use this file to change configuration values defined in evocheck.sh
|
# Use this file to change configuration values defined in evocheck.sh
|
||||||
# Ex : IS_TMP_1777=0
|
# Ex : IS_TMP_1777=0
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Linux (Debian) server
|
# Script to verify compliance of a Linux (Debian) server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
VERSION="22.11"
|
VERSION="23.03.01"
|
||||||
readonly VERSION
|
readonly VERSION
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
|
158
evocheck/files/evocheck.sh
Normal file → Executable file
158
evocheck/files/evocheck.sh
Normal file → Executable file
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Linux (Debian) server
|
# Script to verify compliance of a Linux (Debian) server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
VERSION="22.11"
|
VERSION="23.03.01"
|
||||||
readonly VERSION
|
readonly VERSION
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
@ -100,6 +100,17 @@ is_installed(){
|
||||||
|
|
||||||
# logging
|
# logging
|
||||||
|
|
||||||
|
log() {
|
||||||
|
date=$(/bin/date +"${DATE_FORMAT}")
|
||||||
|
if [ "${1}" != '' ]; then
|
||||||
|
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
|
||||||
|
else
|
||||||
|
while read line; do
|
||||||
|
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
|
||||||
|
done < /dev/stdin
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
failed() {
|
failed() {
|
||||||
check_name=$1
|
check_name=$1
|
||||||
shift
|
shift
|
||||||
|
@ -113,6 +124,9 @@ failed() {
|
||||||
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
|
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Always log verbose
|
||||||
|
log "${check_name} FAILED! ${check_comments}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# check functions
|
# check functions
|
||||||
|
@ -131,6 +145,13 @@ check_dpkgwarning() {
|
||||||
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|
||||||
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
|
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
|
||||||
}
|
}
|
||||||
|
# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option.
|
||||||
|
check_localhost_in_postfix_mydestination() {
|
||||||
|
# shellcheck disable=SC2016
|
||||||
|
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp '(localhost[^\\.]|localhost.localdomain|localhost.$mydomain)'; then
|
||||||
|
failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then."
|
||||||
|
fi
|
||||||
|
}
|
||||||
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
|
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
|
||||||
check_nrpepostfix() {
|
check_nrpepostfix() {
|
||||||
if is_installed postfix; then
|
if is_installed postfix; then
|
||||||
|
@ -391,7 +412,7 @@ check_log2mailrunning() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_log2mailapache() {
|
check_log2mailapache() {
|
||||||
conf=/etc/log2mail/config/Apache
|
conf=/etc/log2mail/config/apache
|
||||||
if is_pack_web && is_installed log2mail; then
|
if is_pack_web && is_installed log2mail; then
|
||||||
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|
||||||
|| failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache"
|
|| failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache"
|
||||||
|
@ -463,18 +484,26 @@ check_evobackup() {
|
||||||
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
|
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
|
||||||
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
|
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
|
||||||
}
|
}
|
||||||
# Vérification de la mise en place de la purge pour fail2ban
|
# Vérification de la mise en place d'un cron de purge de la base SQLite de Fail2ban
|
||||||
check_purge_fail2ban() {
|
check_fail2ban_purge() {
|
||||||
if is_debian_stretch || is_debian_buster; then
|
if is_debian_stretch || is_debian_buster; then
|
||||||
if is_installed fail2ban; then
|
if is_installed fail2ban; then
|
||||||
test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron"
|
test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
# Vérification qu'il ne reste pas des jails nommées ssh non renommées en sshd
|
||||||
|
check_ssh_fail2ban_jail_renamed() {
|
||||||
|
if is_installed fail2ban && [ -f /etc/fail2ban/jail.local ]; then
|
||||||
|
if grep --quiet --fixed-strings "[ssh]" /etc/fail2ban/jail.local; then
|
||||||
|
failed "IS_SSH_FAIL2BAN_JAIL_RENAMED" "Jail ssh must be renamed sshd in fail2ban >= 0.9."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
|
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
|
||||||
check_evobackup_exclude_mount() {
|
check_evobackup_exclude_mount() {
|
||||||
excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX")
|
excludes_file=$(mktemp --tmpdir "evocheck.evobackup_exclude_mount.XXXXX")
|
||||||
files_to_cleanup="${files_to_cleanup} ${excludes_file}"
|
files_to_cleanup+=("${excludes_file}")
|
||||||
|
|
||||||
# shellcheck disable=SC2044
|
# shellcheck disable=SC2044
|
||||||
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
|
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
|
||||||
|
@ -643,7 +672,7 @@ check_notupgraded() {
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if $upgraded; then
|
if $upgraded; then
|
||||||
last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
|
last_upgrade=$(date +%s -d "$(zgrep --no-filename --no-messages upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
|
||||||
fi
|
fi
|
||||||
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
||||||
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
||||||
|
@ -841,11 +870,18 @@ check_redis_backup() {
|
||||||
# You could change the default path in /etc/evocheck.cf
|
# You could change the default path in /etc/evocheck.cf
|
||||||
# REDIS_BACKUP_PATH may contain space-separated paths, example:
|
# REDIS_BACKUP_PATH may contain space-separated paths, example:
|
||||||
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
|
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
|
||||||
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"}
|
# Old default path: /home/backup/dump.rdb
|
||||||
|
# New default path: /home/backup/redis/dump.rdb
|
||||||
|
if [ -z "${REDIS_BACKUP_PATH}" ]; then
|
||||||
|
if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then
|
||||||
|
failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)."
|
||||||
|
fi
|
||||||
|
else
|
||||||
for file in ${REDIS_BACKUP_PATH}; do
|
for file in ${REDIS_BACKUP_PATH}; do
|
||||||
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})"
|
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing."
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
check_elastic_backup() {
|
check_elastic_backup() {
|
||||||
if is_installed elasticsearch; then
|
if is_installed elasticsearch; then
|
||||||
|
@ -902,8 +938,8 @@ check_phpevolinuxconf() {
|
||||||
is_debian_buster && phpVersion="7.3"
|
is_debian_buster && phpVersion="7.3"
|
||||||
is_debian_bullseye && phpVersion="7.4"
|
is_debian_bullseye && phpVersion="7.4"
|
||||||
if is_installed php; then
|
if is_installed php; then
|
||||||
{ test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \
|
{ test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
|
||||||
&& test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini
|
&& test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
|
||||||
} || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config"
|
} || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -929,8 +965,8 @@ check_duplicate_fs_label() {
|
||||||
# Do it only if thereis blkid binary
|
# Do it only if thereis blkid binary
|
||||||
BLKID_BIN=$(command -v blkid)
|
BLKID_BIN=$(command -v blkid)
|
||||||
if [ -n "$BLKID_BIN" ]; then
|
if [ -n "$BLKID_BIN" ]; then
|
||||||
tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX")
|
tmpFile=$(mktemp --tmpdir "evocheck.duplicate_fs_label.XXXXX")
|
||||||
files_to_cleanup="${files_to_cleanup} ${tmpFile}"
|
files_to_cleanup+=("${tmpFile}")
|
||||||
|
|
||||||
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
||||||
for part in $parts; do
|
for part in $parts; do
|
||||||
|
@ -1097,8 +1133,8 @@ check_evobackup_incs() {
|
||||||
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
|
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
|
||||||
if [ -f "${bkctld_cron_file}" ]; then
|
if [ -f "${bkctld_cron_file}" ]; then
|
||||||
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
|
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
|
||||||
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
|
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "'bkctld inc' is missing in ${bkctld_cron_file}"
|
||||||
echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
|
echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "'check-incs.sh' is missing in ${bkctld_cron_file}"
|
||||||
else
|
else
|
||||||
failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing"
|
failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing"
|
||||||
fi
|
fi
|
||||||
|
@ -1129,7 +1165,7 @@ check_chrooted_binary_uptodate() {
|
||||||
for process_name in ${process_list}; do
|
for process_name in ${process_list}; do
|
||||||
# what is the binary path?
|
# what is the binary path?
|
||||||
original_bin=$(command -v "${process_name}")
|
original_bin=$(command -v "${process_name}")
|
||||||
for pid in $(pgrep ${process_name}); do
|
for pid in $(pgrep "${process_name}"); do
|
||||||
process_bin=$(realpath "/proc/${pid}/exe")
|
process_bin=$(realpath "/proc/${pid}/exe")
|
||||||
# Is the process chrooted?
|
# Is the process chrooted?
|
||||||
real_root=$(realpath "/proc/${pid}/root")
|
real_root=$(realpath "/proc/${pid}/root")
|
||||||
|
@ -1157,7 +1193,6 @@ check_nginx_letsencrypt_uptodate() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_lxc_container_resolv_conf() {
|
check_lxc_container_resolv_conf() {
|
||||||
if is_installed lxc; then
|
if is_installed lxc; then
|
||||||
container_list=$(lxc-ls)
|
container_list=$(lxc-ls)
|
||||||
|
@ -1178,6 +1213,38 @@ check_lxc_container_resolv_conf() {
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
# Check that there are containers if lxc is installed.
|
||||||
|
check_no_lxc_container() {
|
||||||
|
if is_installed lxc; then
|
||||||
|
containers_count=$(lxc-ls | wc -l)
|
||||||
|
if [ "$containers_count" -eq 0 ]; then
|
||||||
|
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no container. Consider removing it."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
# Check that in LXC containers, phpXX-fpm services have UMask set to 0007.
|
||||||
|
check_lxc_php_fpm_service_umask_set() {
|
||||||
|
if is_installed lxc; then
|
||||||
|
php_containers_list=$(lxc-ls --filter php)
|
||||||
|
missing_umask=""
|
||||||
|
for container in $php_containers_list; do
|
||||||
|
# Translate container name in service name
|
||||||
|
if [ "$container" = "php56" ]; then
|
||||||
|
service="php5-fpm"
|
||||||
|
else
|
||||||
|
service="${container:0:4}.${container:4}-fpm"
|
||||||
|
fi
|
||||||
|
umask=$(lxc-attach --name "${container}" -- systemctl show -p UMask "$service" | cut -d "=" -f2)
|
||||||
|
if [ "$umask" != "0007" ]; then
|
||||||
|
missing_umask="${missing_umask} ${container}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ -n "${missing_umask}" ]; then
|
||||||
|
failed "IS_LXC_PHP_FPM_SERVICE_UMASK_SET" "UMask is not set to 0007 in PHP-FPM services of theses containers : ${missing_umask}."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
download_versions() {
|
download_versions() {
|
||||||
local file
|
local file
|
||||||
file=${1:-}
|
file=${1:-}
|
||||||
|
@ -1280,8 +1347,8 @@ add_to_path() {
|
||||||
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
|
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
|
||||||
}
|
}
|
||||||
check_versions() {
|
check_versions() {
|
||||||
versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX")
|
versions_file=$(mktemp --tmpdir "evocheck.versions.XXXXX")
|
||||||
files_to_cleanup="${files_to_cleanup} ${versions_file}"
|
files_to_cleanup+=("${versions_file}")
|
||||||
|
|
||||||
download_versions "${versions_file}"
|
download_versions "${versions_file}"
|
||||||
add_to_path "/usr/share/scripts"
|
add_to_path "/usr/share/scripts"
|
||||||
|
@ -1308,8 +1375,8 @@ main() {
|
||||||
# Detect operating system name, version and release
|
# Detect operating system name, version and release
|
||||||
detect_os
|
detect_os
|
||||||
|
|
||||||
main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX")
|
main_output_file=$(mktemp --tmpdir "evocheck.main.XXXXX")
|
||||||
files_to_cleanup="${files_to_cleanup} ${main_output_file}"
|
files_to_cleanup+=("${main_output_file}")
|
||||||
|
|
||||||
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
|
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
|
||||||
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
|
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
|
||||||
|
@ -1322,6 +1389,7 @@ main() {
|
||||||
|
|
||||||
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
|
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
|
||||||
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
|
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
|
||||||
|
test "${IS_LOCALHOST_IN_POSTFIX_MYDESTINATION:=1}" = 1 && check_localhost_in_postfix_mydestination
|
||||||
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
|
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
|
||||||
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
|
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
|
||||||
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
|
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
|
||||||
|
@ -1367,6 +1435,8 @@ main() {
|
||||||
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
|
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
|
||||||
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
|
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
|
||||||
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
|
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
|
||||||
|
test "${IS_PURGE_FAIL2BAN:=1}" = 1 && check_fail2ban_purge
|
||||||
|
test "${IS_SSH_FAIL2BAN_JAIL_RENAMED:=1}" = 1 && check_ssh_fail2ban_jail_renamed
|
||||||
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
|
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
|
||||||
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
|
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
|
||||||
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
|
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
|
||||||
|
@ -1418,6 +1488,8 @@ main() {
|
||||||
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
|
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
|
||||||
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
|
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
|
||||||
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
|
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
|
||||||
|
test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container
|
||||||
|
test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set
|
||||||
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
|
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
|
||||||
|
|
||||||
if [ -f "${main_output_file}" ]; then
|
if [ -f "${main_output_file}" ]; then
|
||||||
|
@ -1431,9 +1503,12 @@ main() {
|
||||||
|
|
||||||
exit ${RC}
|
exit ${RC}
|
||||||
}
|
}
|
||||||
cleanup_temp_files() {
|
cleanup() {
|
||||||
# shellcheck disable=SC2086
|
# Cleanup tmp files
|
||||||
rm -f ${files_to_cleanup}
|
# shellcheck disable=SC2086,SC2317
|
||||||
|
rm -f ${files_to_cleanup[@]}
|
||||||
|
|
||||||
|
log "$PROGNAME exit."
|
||||||
}
|
}
|
||||||
|
|
||||||
PROGNAME=$(basename "$0")
|
PROGNAME=$(basename "$0")
|
||||||
|
@ -1444,17 +1519,23 @@ readonly PROGNAME
|
||||||
ARGS=$@
|
ARGS=$@
|
||||||
readonly ARGS
|
readonly ARGS
|
||||||
|
|
||||||
|
LOGFILE="/var/log/evocheck.log"
|
||||||
|
readonly LOGFILE
|
||||||
|
|
||||||
|
CONFIGFILE="/etc/evocheck.cf"
|
||||||
|
readonly CONFIGFILE
|
||||||
|
|
||||||
|
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
readonly DATEFORMAT
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
export LANG=C
|
export LANG=C
|
||||||
export LANGUAGE=C
|
export LANGUAGE=C
|
||||||
|
|
||||||
files_to_cleanup=""
|
|
||||||
# shellcheck disable=SC2064
|
|
||||||
trap cleanup_temp_files 0
|
|
||||||
|
|
||||||
# Source configuration file
|
# Source configuration file
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
|
||||||
|
|
||||||
# Parse options
|
# Parse options
|
||||||
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||||
|
@ -1502,5 +1583,24 @@ while :; do
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Keep this after "show_version(); exit 0" which is called by check_versions
|
||||||
|
# to avoid logging exit twice.
|
||||||
|
declare -a files_to_cleanup
|
||||||
|
files_to_cleanup=""
|
||||||
|
# shellcheck disable=SC2064
|
||||||
|
trap cleanup EXIT INT TERM
|
||||||
|
|
||||||
|
log '-----------------------------------------------'
|
||||||
|
log "Running $PROGNAME $VERSION..."
|
||||||
|
|
||||||
|
# Log config file content
|
||||||
|
if [ -f "${CONFIGFILE}" ]; then
|
||||||
|
log "Runtime configuration (${CONFIGFILE}):"
|
||||||
|
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
|
||||||
|
fi
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
main ${ARGS}
|
main ${ARGS}
|
||||||
|
|
||||||
|
log "End of $PROGNAME execution."
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Linux (Debian) server
|
# Script to verify compliance of a Linux (Debian) server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
VERSION="22.11"
|
VERSION="23.03.01"
|
||||||
readonly VERSION
|
readonly VERSION
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: evocheck_bin_dir is search ("/usr")
|
when: evocheck_bin_dir is search("/usr")
|
||||||
tags:
|
tags:
|
||||||
- evocheck
|
- evocheck
|
||||||
|
|
||||||
|
|
|
@ -23,13 +23,9 @@
|
||||||
|
|
||||||
- name: remount /home
|
- name: remount /home
|
||||||
command: mount -o remount /home
|
command: mount -o remount /home
|
||||||
args:
|
|
||||||
warn: no
|
|
||||||
|
|
||||||
- name: remount /var
|
- name: remount /var
|
||||||
command: mount -o remount /var
|
command: mount -o remount /var
|
||||||
args:
|
|
||||||
warn: no
|
|
||||||
|
|
||||||
|
|
||||||
- name: restart nginx
|
- name: restart nginx
|
||||||
|
|
|
@ -4,6 +4,12 @@
|
||||||
name: dbus
|
name: dbus
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: dbus is enabled and started
|
||||||
|
service:
|
||||||
|
name: dbus
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
|
||||||
- name: Set hostname "{{ evolinux_hostname }}"
|
- name: Set hostname "{{ evolinux_hostname }}"
|
||||||
hostname:
|
hostname:
|
||||||
name: "{{ evolinux_hostname }}"
|
name: "{{ evolinux_hostname }}"
|
||||||
|
|
|
@ -55,7 +55,6 @@
|
||||||
- mutt
|
- mutt
|
||||||
- tree
|
- tree
|
||||||
- git
|
- git
|
||||||
- subversion
|
|
||||||
- rsync
|
- rsync
|
||||||
- bc
|
- bc
|
||||||
- pinentry-curses
|
- pinentry-curses
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
Defaults umask=0077
|
Defaults umask=0077
|
||||||
|
|
||||||
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
|
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
|
||||||
User_Alias ADMINS = {{ user.name }}
|
User_Alias ADMINS = {{ user.name }}
|
||||||
|
|
||||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
Defaults umask=0077
|
Defaults umask=0077
|
||||||
|
|
||||||
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
|
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
|
||||||
|
|
||||||
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
|
||||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
[Definition]
|
[Definition]
|
||||||
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>,.*
|
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Internal login failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>,.*
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
|
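Review bot: The added `Internal login failure` alternative in `failregex` may match events that are not credential guessing. Dovecot appears to log that message when the login hand-off fails on the server side, which can happen after a successful authentication, so a backend fault could ban legitimate clients in bulk. It is worth confirming against real log samples before treating it like `Authentication failure`. If it stays, a comment above the pattern such as `# "Internal login failure" is server-side; watch for mass bans during backend outages` would record the trade-off, and a separate filter with a higher `maxretry` is the safer option if those lines turn out to be noisy.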
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
- name: Sqlite needed
|
- name: Sqlite needed
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
|
@ -6,10 +7,20 @@
|
||||||
|
|
||||||
- name: Register bantime from default config from package
|
- name: Register bantime from default config from package
|
||||||
shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1"
|
shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1"
|
||||||
register: default_dbpurgeage
|
register: dbpurgeage
|
||||||
changed_when: false
|
changed_when: False
|
||||||
check_mode: false
|
check_mode: false
|
||||||
|
|
||||||
|
- name:
|
||||||
|
set_fact:
|
||||||
|
dbpurgeage_default : "{{ dbpurgeage.stdout }}"
|
||||||
|
when: dbpurgeage.stdout | regex_search("^\\d+\w+$")
|
||||||
|
|
||||||
|
- name:
|
||||||
|
set_fact:
|
||||||
|
dbpurgeage_default : "{{ dbpurgeage.stdout }} second"
|
||||||
|
when: dbpurgeage.stdout | regex_search("^\\d+$")
|
||||||
|
|
||||||
- name: Add crontab
|
- name: Add crontab
|
||||||
template:
|
template:
|
||||||
src: fail2ban_dbpurge.j2
|
src: fail2ban_dbpurge.j2
|
||||||
|
|
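Review bot: The first `set_fact` guard, `regex_search("^\\d+\w+$")`, also matches a purely numeric value of two or more digits because `\w` includes digits, so both tasks run and the result is only right because the second overwrites the first. `when: dbpurgeage.stdout | regex_search("^\\d+[a-zA-Z]+$")` makes the two cases exclusive. If the grep returns nothing, neither condition holds and `dbpurgeage_default` is never set, which the cron template presumably then fails on; a fallback value or an explicit `fail` task would make that visible. Both tasks also have an empty `name:`; `name: Use dbpurgeage value with its unit suffix` and `name: Use dbpurgeage value in seconds` would do.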
|
@ -97,7 +97,7 @@
|
||||||
marker: "# ANSIBLE MANAGED"
|
marker: "# ANSIBLE MANAGED"
|
||||||
block: |
|
block: |
|
||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
dbpurgeage = {{ fail2ban_recidive_bantime}}
|
dbpurgeage = {{ fail2ban_recidive_bantime }}
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
create: yes
|
create: yes
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
# Juin - Decembre 2022 : #64088
|
# Juin - Decembre 2022 : #64088
|
||||||
# Purge pour Stretch et Buster
|
# Purge pour Stretch et Buster
|
||||||
|
|
||||||
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ bantime.stdout }} second') > datetime(timeofban, 'unixepoch');"
|
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');"
|
||||||
|
|
||||||
place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 )
|
place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 )
|
||||||
place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) )
|
place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) )
|
||||||
|
|
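Review bot: The interpolated `'-{{ dbpurgeage_default }}'` is used as an SQLite date modifier, and SQLite only accepts forms such as `-86400 second` or `-1 day`. A fail2ban-style abbreviation like `1d`, which the task file passes through unchanged when the value carries a suffix, would presumably make `datetime()` return NULL, so the `DELETE` matches nothing and the database silently stops being purged. Converting the suffix to seconds in the role before templating, or rejecting values that are not plain seconds, keeps the purge effective. The value also lands inside a quoted SQL string, so restricting it to digits plus a known unit is worth doing in the same step.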
|
@ -16,7 +16,7 @@ destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
|
||||||
|
|
||||||
# ACTIONS
|
# ACTIONS
|
||||||
banaction = iptables-multiport
|
banaction = iptables-multiport
|
||||||
action = %({{fail2ban_default_action}})s
|
action = %({{ fail2ban_default_action }})s
|
||||||
|
|
||||||
|
|
||||||
[sshd]
|
[sshd]
|
||||||
|
|
|
@ -84,8 +84,8 @@
|
||||||
command: grep logstash-input-beats /usr/share/logstash/Gemfile
|
command: grep logstash-input-beats /usr/share/logstash/Gemfile
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: logstash_plugin_installed
|
register: logstash_plugin_installed
|
||||||
failed_when: false
|
failed_when: False
|
||||||
changed_when: false
|
changed_when: False
|
||||||
when:
|
when:
|
||||||
- filebeat_logstash_plugin | bool
|
- filebeat_logstash_plugin | bool
|
||||||
- logstash_plugin.stat.exists
|
- logstash_plugin.stat.exists
|
||||||
|
|
|
@ -63,7 +63,7 @@ listen stats
|
||||||
acl stats_users http_auth(stats_users)
|
acl stats_users http_auth(stats_users)
|
||||||
stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
|
stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
|
||||||
{% else %}
|
{% else %}
|
||||||
stats http-request deny if !stats_access_ips
|
stats http-request deny if !stats_access_ips !stats_admin_ips
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
http-request set-log-level silent
|
http-request set-log-level silent
|
||||||
|
|
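Review bot: The new condition `if !stats_access_ips !stats_admin_ips` references an ACL named `stats_admin_ips` whose definition is not in this hunk. HAProxy rejects the configuration at load time when a rule names an undefined ACL, so the `acl stats_admin_ips …` line has to be emitted unconditionally, not only inside another `{% if %}` branch. The authenticated branch above still reads `if !stats_access_ips !stats_users`, so admin addresses bypass the deny in one branch but are still challenged in the other. If that asymmetry is intended, a comment such as `# admin IPs may read stats without being listed in stats_access_ips` would make it explicit. The `listen stats` block starts and ends outside the hunk.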
|
@ -25,7 +25,7 @@
|
||||||
|
|
||||||
- name: Install specific openjdk package
|
- name: Install specific openjdk package
|
||||||
apt:
|
apt:
|
||||||
name: "openjdk-{{ java_version}}-jre-headless"
|
name: "openjdk-{{ java_version }}-jre-headless"
|
||||||
default_release: "{{ java_apt_release }}"
|
default_release: "{{ java_apt_release }}"
|
||||||
state: present
|
state: present
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
echo $1 $2 is in $3 state > /var/run/keepalive.state
|
echo $1 $2 is in $3 state > /var/run/keepalive.state
|
||||||
|
chmod og+r /var/run/keepalive.state
|
||||||
|
|
|
@ -126,8 +126,6 @@
|
||||||
|
|
||||||
# - name: Get mount options for /usr partition
|
# - name: Get mount options for /usr partition
|
||||||
# shell: "mount | grep 'on /usr type'"
|
# shell: "mount | grep 'on /usr type'"
|
||||||
# args:
|
|
||||||
# warn: no
|
|
||||||
# register: mount
|
# register: mount
|
||||||
# changed_when: False
|
# changed_when: False
|
||||||
# failed_when: False
|
# failed_when: False
|
||||||
|
|
|
@ -42,25 +42,34 @@ error () {
|
||||||
main() {
|
main() {
|
||||||
for VM in $(virsh list --name --all | sed '/^$/d' | sort)
|
for VM in $(virsh list --name --all | sed '/^$/d' | sort)
|
||||||
do
|
do
|
||||||
echo "$VM"
|
printf '%s ' "${VM}"
|
||||||
|
virsh domstats "${VM}" | awk '
|
||||||
# cpu
|
BEGIN {
|
||||||
virsh vcpucount --current "$VM"
|
FS = "="
|
||||||
|
}
|
||||||
# mem
|
/vcpu\.current/ {
|
||||||
# libvirt stores memory in KiB, POW must be lowered by 1
|
vcpu = $2
|
||||||
virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
|
}
|
||||||
virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
|
/balloon\.current/ {
|
||||||
|
mem = $2
|
||||||
# disk
|
}
|
||||||
for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
|
/balloon\.maximum/ {
|
||||||
do
|
if (!mem)
|
||||||
virsh domblkinfo "$VM" "$BLK" 2>/dev/null
|
mem = $2
|
||||||
done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
|
}
|
||||||
|
/block\.[0-9]+\.physical/ {
|
||||||
# state
|
disksize += $2
|
||||||
virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
|
}
|
||||||
done | xargs -n5 | {
|
/state\.state/ {
|
||||||
|
if ($2 == 1)
|
||||||
|
running = "yes"
|
||||||
|
else
|
||||||
|
running = "no"
|
||||||
|
}
|
||||||
|
END {
|
||||||
|
print vcpu, mem / 1024 ^ 2, disksize / 1024 ^ 3, running
|
||||||
|
}'
|
||||||
|
done | {
|
||||||
echo vm vcpu ram disk running
|
echo vm vcpu ram disk running
|
||||||
awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
|
awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
|
||||||
test "$SHOW_AVAIL" && {
|
test "$SHOW_AVAIL" && {
|
||||||
|
@ -72,7 +81,19 @@ main() {
|
||||||
column -t
|
column -t
|
||||||
;;
|
;;
|
||||||
'html')
|
'html')
|
||||||
awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
|
awk '
|
||||||
|
BEGIN {
|
||||||
|
print "<html><body>\n<table>"
|
||||||
|
}
|
||||||
|
{
|
||||||
|
printf "<tr>"
|
||||||
|
for(i = 1; i <= NF; i++)
|
||||||
|
printf "<td>%s</td>", $i
|
||||||
|
print "</tr>"
|
||||||
|
}
|
||||||
|
END {
|
||||||
|
print "</table>\n</body></html>"
|
||||||
|
}'
|
||||||
;;
|
;;
|
||||||
'csv')
|
'csv')
|
||||||
tr ' ' ','
|
tr ' ' ','
|
||||||
|
|
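Review bot: In the new `virsh domstats` awk program, `vcpu` and `running` are only assigned when the matching stat line is present, so a domain whose output lacks one of them (possibly a shut-off VM) prints an empty field and the later columns shift left for the whitespace-split `awk` and `column` stages downstream. Initialising them in `BEGIN`, e.g. `FS = "="; vcpu = 0; running = "no"`, keeps every row at five fields. The `html` branch, only reformatted here, still writes `$i` into `<td>` without escaping; VM names come from libvirt, so encoding `&`, `<` and `>` before printing would be a cheap hardening. `main` continues past the visible hunks.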
|
@ -9,7 +9,7 @@
|
||||||
command: cat /root/.ssh/id_rsa.pub
|
command: cat /root/.ssh/id_rsa.pub
|
||||||
register: ssh_keys
|
register: ssh_keys
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: false
|
changed_when: False
|
||||||
|
|
||||||
- name: Print ssh public keys
|
- name: Print ssh public keys
|
||||||
debug:
|
debug:
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: remount-usr
|
name: remount-usr
|
||||||
when: kvm_scripts_dir is search ("/usr")
|
when: kvm_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: add-vm script is present
|
- name: add-vm script is present
|
||||||
copy:
|
copy:
|
||||||
|
|
|
@ -9,13 +9,13 @@
|
||||||
# - 60 : current release is not in the $r_releases list
|
# - 60 : current release is not in the $r_releases list
|
||||||
# - 70 : at least an upgradable package is not in the $r_packages list
|
# - 70 : at least an upgradable package is not in the $r_packages list
|
||||||
|
|
||||||
VERSION="21.06.3"
|
VERSION="23.03.3"
|
||||||
|
|
||||||
show_version() {
|
show_version() {
|
||||||
cat <<END
|
cat <<END
|
||||||
listupgrade.sh version ${VERSION}
|
listupgrade.sh version ${VERSION}
|
||||||
|
|
||||||
Copyright 2018-2021 Evolix <info@evolix.fr>,
|
Copyright 2018-2023 Evolix <info@evolix.fr>,
|
||||||
Gregory Colpart <reg@evolix.fr>,
|
Gregory Colpart <reg@evolix.fr>,
|
||||||
Romain Dessort <rdessort@evolix.fr>,
|
Romain Dessort <rdessort@evolix.fr>,
|
||||||
Ludovic Poujol <lpoujol@evolix.fr>,
|
Ludovic Poujol <lpoujol@evolix.fr>,
|
||||||
|
@ -84,6 +84,7 @@ Subject: Prochain creneau pour mise a jour de votre serveur ${hostname}
|
||||||
X-Debian-Release: ${local_release}
|
X-Debian-Release: ${local_release}
|
||||||
X-Packages: ${packagesParsable}
|
X-Packages: ${packagesParsable}
|
||||||
X-Date: ${date}
|
X-Date: ${date}
|
||||||
|
X-Listupgrade-Version: ${VERSION}
|
||||||
|
|
||||||
Bonjour,
|
Bonjour,
|
||||||
|
|
||||||
|
@ -100,15 +101,15 @@ semaine prochaine.
|
||||||
|
|
||||||
Voici la listes de packages qui seront mis à jour :
|
Voici la listes de packages qui seront mis à jour :
|
||||||
|
|
||||||
$(cat "${packages}" | sort | uniq)
|
$(sort -h "${packages}" | uniq)
|
||||||
|
|
||||||
Liste des packages dont la mise-à-jour a été manuellement suspendue :
|
Liste des packages dont la mise-à-jour a été manuellement suspendue :
|
||||||
|
|
||||||
$(cat "${packagesHold}" | sort | uniq)
|
$(sort -h "${packagesHold}" | uniq)
|
||||||
|
|
||||||
Liste des services qui seront redémarrés :
|
Liste des services qui seront redémarrés :
|
||||||
|
|
||||||
$(cat "${servicesToRestart}" | sort | uniq)
|
$(sort -h "${servicesToRestart}" | uniq)
|
||||||
|
|
||||||
N'hésitez pas à nous faire toute remarque sur ce créneau d'intervention le plus
|
N'hésitez pas à nous faire toute remarque sur ce créneau d'intervention le plus
|
||||||
tôt possible.
|
tôt possible.
|
||||||
|
@ -181,6 +182,28 @@ main() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local_release=$(cut -f 1 -d . </etc/debian_version)
|
local_release=$(cut -f 1 -d . </etc/debian_version)
|
||||||
|
# In case the version is a release name and not a number
|
||||||
|
case "${local_release}" in
|
||||||
|
*jessie*)
|
||||||
|
local_release=8
|
||||||
|
;;
|
||||||
|
*stretch*)
|
||||||
|
local_release=9
|
||||||
|
;;
|
||||||
|
*buster*)
|
||||||
|
local_release=10
|
||||||
|
;;
|
||||||
|
*bullseye*)
|
||||||
|
local_release=11
|
||||||
|
;;
|
||||||
|
*bookworm*)
|
||||||
|
local_release=12
|
||||||
|
;;
|
||||||
|
*trixie*)
|
||||||
|
local_release=13
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
|
||||||
if force_mode; then
|
if force_mode; then
|
||||||
if ! cron_mode; then
|
if ! cron_mode; then
|
||||||
|
|
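Review bot: The new `case "${local_release}"` mapping has no fallback arm, so a codename it does not list, or any other non-numeric content in /etc/debian_version, leaves `local_release` as a string. That string then goes into the `X-Debian-Release` header and presumably into the later check against the `$r_releases` list. A final `*[!0-9]*) local_release="unknown" ;;` arm, or an explicit error, would make that case deliberate. A short comment that the table must be extended with each new Debian codename would also help. `main` starts and ends outside the hunk.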
|
@ -47,7 +47,7 @@
|
||||||
|
|
||||||
- name: Enable listupgrade cron
|
- name: Enable listupgrade cron
|
||||||
cron:
|
cron:
|
||||||
name: "lisupgrade.sh"
|
name: "listupgrade.sh"
|
||||||
cron_file: "listupgrade"
|
cron_file: "listupgrade"
|
||||||
user: root
|
user: root
|
||||||
job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}"
|
job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}"
|
||||||
|
|
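Review bot: Correcting the misspelled `name` changes the identifier the `cron` module uses to find its own entry, so on hosts that were already configured the old entry stays in the `listupgrade` cron file and a second one is added next to it. The script would then run twice per schedule. A cleanup task for the old name, placed before this one, avoids the duplicate. The task continues outside the hunk.

```yaml
- name: Remove listupgrade cron entry registered under the misspelled name
  cron:
    name: "lisupgrade.sh"
    cron_file: "listupgrade"
    user: root
    state: absent
```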
|
@ -7,4 +7,5 @@
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
|
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
command: systemctl daemon-reload
|
systemd:
|
||||||
|
daemon-reload: yes
|
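Review bot: The new handler spells the option `daemon-reload: yes`, while the handler directly above it in this file uses `daemon_reload: yes`. The hyphenated form is only an alias of the documented parameter name. Writing `daemon_reload: yes` here as well keeps the file consistent and greppable. The first handler starts outside the hunk.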
|
@ -4,7 +4,7 @@
|
||||||
msg: Please configure var lxc_php_version
|
msg: Please configure var lxc_php_version
|
||||||
when: lxc_php_version is none
|
when: lxc_php_version is none
|
||||||
|
|
||||||
- name: "Update APT cache in container {{lxc_php_version}}"
|
- name: "Update APT cache in container {{ lxc_php_version }}"
|
||||||
lxc_container:
|
lxc_container:
|
||||||
name: "{{ lxc_php_version }}"
|
name: "{{ lxc_php_version }}"
|
||||||
container_command: "apt-get update"
|
container_command: "apt-get update"
|
||||||
|
|
|
@ -20,12 +20,12 @@
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
loop:
|
loop:
|
||||||
- "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
|
- "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
|
||||||
- "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php80/"
|
- "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main"
|
||||||
|
|
||||||
- name: copy pub.evolix.net GPG key
|
- name: copy pub.evolix.net GPG key
|
||||||
copy:
|
copy:
|
||||||
src: reg.asc
|
src: pub_evolix.asc
|
||||||
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
|
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
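Review bot: The second `loop` entry now points at `http://pub.evolix.org/evolix` with `signed-by=…/pub_evolix.asc`, but nothing here removes the previously deployed `reg.asc` from the container's keyring directory, so existing containers keep an unreferenced key file, and the task is still named `copy pub.evolix.net GPG key`. Renaming it to `copy pub.evolix.org GPG key` and adding a `file` task with `state: absent` for the old `reg.asc` path would tidy both. The repository is fetched over plain HTTP, so package integrity rests on the `signed-by` key; it is worth checking whether the mirror also serves HTTPS, as the sury entry above does. The php81 task file in the next section has the same three points.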
|
@ -20,12 +20,12 @@
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
loop:
|
loop:
|
||||||
- "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
|
- "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
|
||||||
- "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php81/"
|
- "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main"
|
||||||
|
|
||||||
- name: copy pub.evolix.net GPG key
|
- name: copy pub.evolix.net GPG key
|
||||||
copy:
|
copy:
|
||||||
src: reg.asc
|
src: pub_evolix.asc
|
||||||
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
|
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
{{ansible_fqdn}}
|
{{ ansible_fqdn }}
|
||||||
|
|
|
@ -39,4 +39,4 @@
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
|
|
||||||
- name: "Install Solr {{ solr_version }}"
|
- name: "Install Solr {{ solr_version }}"
|
||||||
command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{name}} -p {{ solr_port }}"
|
command: "lxc-attach -n {{ name }} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{ name }} -p {{ solr_port }}"
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: "Check if container {{ name }} exists"
|
- name: "Check if container {{ name }} exists"
|
||||||
command: "lxc-ls {{ name }}"
|
command: "lxc-ls {{ name }}"
|
||||||
changed_when: false
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: container_exists
|
register: container_exists
|
||||||
|
|
||||||
|
@ -56,3 +56,15 @@
|
||||||
lxc_container:
|
lxc_container:
|
||||||
name: "{{ name }}"
|
name: "{{ name }}"
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
|
- name: "Ensure /etc/profile.d exists in container"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d"
|
||||||
|
mode: '0755'
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: "Copy host /etc/profile.d/evolinux into container"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "/etc/profile.d/evolinux.sh"
|
||||||
|
remote_src: true
|
||||||
|
dest: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d/evolinux.sh"
|
||||||
|
|
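Review bot: The added `ansible.builtin.copy` task sets no `mode`, `owner` or `group`, so the permissions of `evolinux.sh` inside the container rootfs depend on module defaults and the umask in effect; the `file` task before it sets `mode` but no owner. Adding `mode: "0644"`, `owner: root` and `group: root` matches the other copy tasks in this commit. The copy also fails outright on a host that has no `/etc/profile.d/evolinux.sh`; a preceding `stat` with a `when:` guard would make the step optional, if that case can occur.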
|
@ -32,8 +32,8 @@
|
||||||
|
|
||||||
- name: Check if root has subuids
|
- name: Check if root has subuids
|
||||||
command: grep '^root:100000:10000$' /etc/subuid
|
command: grep '^root:100000:10000$' /etc/subuid
|
||||||
failed_when: false
|
failed_when: False
|
||||||
changed_when: false
|
changed_when: False
|
||||||
register: root_subuids
|
register: root_subuids
|
||||||
when: lxc_unprivilegied_containers | bool
|
when: lxc_unprivilegied_containers | bool
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@
|
||||||
|
|
||||||
- name: Get filesystem options
|
- name: Get filesystem options
|
||||||
command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS
|
command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS
|
||||||
changed_when: false
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: check_fs_options
|
register: check_fs_options
|
||||||
|
|
||||||
|
|
|
@ -29,7 +29,7 @@
|
||||||
# Description: Firewall designed for standalone server
|
# Description: Firewall designed for standalone server
|
||||||
### END INIT INFO
|
### END INIT INFO
|
||||||
|
|
||||||
VERSION="22.06"
|
VERSION="23.02"
|
||||||
|
|
||||||
NAME="minifirewall"
|
NAME="minifirewall"
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
|
@ -147,6 +147,9 @@ fi
|
||||||
# }
|
# }
|
||||||
## Beware that commands executed from included files are not modified by this trick.
|
## Beware that commands executed from included files are not modified by this trick.
|
||||||
|
|
||||||
|
remove_colors() {
|
||||||
|
sed -r 's/\x1B\[(;?[0-9]{1,3})+[mGK]//g'
|
||||||
|
}
|
||||||
syslog_info() {
|
syslog_info() {
|
||||||
if [ -x "${LOGGER_BIN}" ]; then
|
if [ -x "${LOGGER_BIN}" ]; then
|
||||||
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
|
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
|
||||||
|
@ -268,9 +271,9 @@ check_unpersisted_state() {
|
||||||
elif [ -z "${diff_bin}" ]; then
|
elif [ -z "${diff_bin}" ]; then
|
||||||
printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2
|
printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2
|
||||||
else
|
else
|
||||||
# store current state
|
# store current state (without colors)
|
||||||
mkdir -p "$(dirname "${STATE_FILE_CURRENT}")"
|
mkdir -p "$(dirname "${STATE_FILE_CURRENT}")"
|
||||||
status_without_numbers > "${STATE_FILE_CURRENT}"
|
status_without_numbers | remove_colors > "${STATE_FILE_CURRENT}"
|
||||||
|
|
||||||
# clean previous diff file
|
# clean previous diff file
|
||||||
rm -f "${STATE_FILE_DIFF}"
|
rm -f "${STATE_FILE_DIFF}"
|
||||||
|
@ -310,9 +313,9 @@ report_state_changes() {
|
||||||
check_unpersisted_state
|
check_unpersisted_state
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Then reset the known state
|
# Then reset the known state (without colors)
|
||||||
mkdir -p "$(dirname "${STATE_FILE_LATEST}")"
|
mkdir -p "$(dirname "${STATE_FILE_LATEST}")"
|
||||||
status_without_numbers > "${STATE_FILE_LATEST}"
|
status_without_numbers | remove_colors > "${STATE_FILE_LATEST}"
|
||||||
|
|
||||||
# But if there is a previous known state
|
# But if there is a previous known state
|
||||||
# let's compare with the new known state
|
# let's compare with the new known state
|
||||||
|
@ -920,8 +923,9 @@ stop() {
|
||||||
|
|
||||||
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
||||||
|
|
||||||
|
# Save previous state (without colors)
|
||||||
mkdir -p "$(dirname "${STATE_FILE_PREVIOUS}")"
|
mkdir -p "$(dirname "${STATE_FILE_PREVIOUS}")"
|
||||||
status_without_numbers > "${STATE_FILE_PREVIOUS}"
|
status_without_numbers | remove_colors > "${STATE_FILE_PREVIOUS}"
|
||||||
|
|
||||||
# Delete all rules
|
# Delete all rules
|
||||||
${IPT} -F INPUT
|
${IPT} -F INPUT
|
||||||
|
|
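Review bot: `remove_colors` only strips sequences that carry at least one numeric parameter, because `(;?[0-9]{1,3})+` requires a digit. A bare reset such as `ESC[m` or `ESC[K` would stay in the state files and show up as a spurious difference in the `diff` comparison, depending on how `RESET` and the colour variables are defined outside this hunk. `sed -r 's/\x1B\[[0-9;]*[mGK]//g'` covers the empty-parameter form as well. Filtering at the three write sites works, but if the escapes originate in `status_without_numbers` itself, stripping them there would keep future callers from forgetting the filter.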
|
@ -6,6 +6,8 @@
|
||||||
stat:
|
stat:
|
||||||
path: /etc/init.d/minifirewall
|
path: /etc/init.d/minifirewall
|
||||||
register: _minifirewall_check
|
register: _minifirewall_check
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
# Legacy versions of minifirewall don't define the VERSION variable
|
# Legacy versions of minifirewall don't define the VERSION variable
|
||||||
- name: Look for minifirewall version
|
- name: Look for minifirewall version
|
||||||
|
@ -14,6 +16,8 @@
|
||||||
changed_when: False
|
changed_when: False
|
||||||
check_mode: False
|
check_mode: False
|
||||||
register: _minifirewall_version_check
|
register: _minifirewall_version_check
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: Set install mode to legacy if needed
|
- name: Set install mode to legacy if needed
|
||||||
set_fact:
|
set_fact:
|
||||||
|
@ -24,21 +28,30 @@
|
||||||
- minifirewall_install_mode != 'modern'
|
- minifirewall_install_mode != 'modern'
|
||||||
- not (minifirewall_force_upgrade_script | bool)
|
- not (minifirewall_force_upgrade_script | bool)
|
||||||
- _minifirewall_version_check.rc == 1 # grep didn't find but the file exists
|
- _minifirewall_version_check.rc == 1 # grep didn't find but the file exists
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: Set install mode to modern if not legacy
|
- name: Set install mode to modern if not legacy
|
||||||
set_fact:
|
set_fact:
|
||||||
minifirewall_install_mode: modern
|
minifirewall_install_mode: modern
|
||||||
when: minifirewall_install_mode != 'legacy'
|
when: minifirewall_install_mode != 'legacy'
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: Debug install mode
|
- name: Debug install mode
|
||||||
debug:
|
debug:
|
||||||
var: minifirewall_install_mode
|
var: minifirewall_install_mode
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: 'Set minifirewall_restart_handler_name to "noop"'
|
- name: 'Set minifirewall_restart_handler_name to "noop"'
|
||||||
set_fact:
|
set_fact:
|
||||||
minifirewall_restart_handler_name: "restart minifirewall (noop)"
|
minifirewall_restart_handler_name: "restart minifirewall (noop)"
|
||||||
when: not (minifirewall_restart_if_needed | bool)
|
when:
|
||||||
|
- not (minifirewall_restart_if_needed | bool)
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: 'Set minifirewall_restart_handler_name to "legacy"'
|
- name: 'Set minifirewall_restart_handler_name to "legacy"'
|
||||||
set_fact:
|
set_fact:
|
||||||
|
@ -46,6 +59,8 @@
|
||||||
when:
|
when:
|
||||||
- minifirewall_restart_if_needed | bool
|
- minifirewall_restart_if_needed | bool
|
||||||
- minifirewall_install_mode == 'legacy'
|
- minifirewall_install_mode == 'legacy'
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: 'Set minifirewall_restart_handler_name to "modern"'
|
- name: 'Set minifirewall_restart_handler_name to "modern"'
|
||||||
set_fact:
|
set_fact:
|
||||||
|
@ -53,6 +68,8 @@
|
||||||
when:
|
when:
|
||||||
- minifirewall_restart_if_needed | bool
|
- minifirewall_restart_if_needed | bool
|
||||||
- minifirewall_install_mode != 'legacy'
|
- minifirewall_install_mode != 'legacy'
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
#######################################################################
|
#######################################################################
|
||||||
|
|
||||||
|
@ -62,54 +79,74 @@
|
||||||
when:
|
when:
|
||||||
- minifirewall_install_mode != 'legacy'
|
- minifirewall_install_mode != 'legacy'
|
||||||
- minifirewall_main_file is defined
|
- minifirewall_main_file is defined
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: Install tasks (modern mode)
|
- name: Install tasks (modern mode)
|
||||||
include: install.yml
|
import_tasks: install.yml
|
||||||
when: minifirewall_install_mode != 'legacy'
|
when: minifirewall_install_mode != 'legacy'
|
||||||
|
|
||||||
- name: Install tasks (legacy mode)
|
- name: Install tasks (legacy mode)
|
||||||
include: install.legacy.yml
|
import_tasks: install.legacy.yml
|
||||||
when: minifirewall_install_mode == 'legacy'
|
when: minifirewall_install_mode == 'legacy'
|
||||||
|
|
||||||
- name: Debug minifirewall_update_config
|
- name: Debug minifirewall_update_config
|
||||||
debug:
|
debug:
|
||||||
var: minifirewall_update_config | bool
|
var: minifirewall_update_config | bool
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: Config tasks (modern mode)
|
- name: Config tasks (modern mode)
|
||||||
include: config.yml
|
include_tasks: config.yml
|
||||||
when:
|
when:
|
||||||
- minifirewall_install_mode != 'legacy'
|
- minifirewall_install_mode != 'legacy'
|
||||||
- minifirewall_update_config | bool
|
- minifirewall_update_config | bool
|
||||||
|
tags:
|
||||||
|
- manage
|
||||||
|
|
||||||
- name: Config tasks (legacy mode)
|
- name: Config tasks (legacy mode)
|
||||||
include: config.legacy.yml
|
include_tasks: config.legacy.yml
|
||||||
|
args:
|
||||||
|
apply:
|
||||||
|
tags:
|
||||||
|
- manage
|
||||||
when:
|
when:
|
||||||
- minifirewall_install_mode == 'legacy'
|
- minifirewall_install_mode == 'legacy'
|
||||||
- minifirewall_update_config | bool
|
- minifirewall_update_config | bool
|
||||||
|
|
||||||
- name: Utils tasks
|
- name: Utils tasks
|
||||||
include: utils.yml
|
include_tasks: utils.yml
|
||||||
|
|
||||||
- name: NRPE tasks
|
- name: NRPE tasks
|
||||||
include: nrpe.yml
|
include_tasks: nrpe.yml
|
||||||
|
|
||||||
- name: Activation tasks
|
- name: Activation tasks
|
||||||
include: activate.yml
|
include_tasks: activate.yml
|
||||||
|
|
||||||
- name: Debug minifirewall_tail_included
|
- name: Debug minifirewall_tail_included
|
||||||
debug:
|
debug:
|
||||||
var: minifirewall_tail_included | bool
|
var: minifirewall_tail_included | bool
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: Tail tasks (modern mode)
|
- name: Tail tasks (modern mode)
|
||||||
include: tail.yml
|
include_tasks: tail.yml
|
||||||
|
args:
|
||||||
|
apply:
|
||||||
|
tags:
|
||||||
|
- manage
|
||||||
when:
|
when:
|
||||||
- minifirewall_install_mode != 'legacy'
|
- minifirewall_install_mode != 'legacy'
|
||||||
- minifirewall_tail_included | bool
|
- minifirewall_tail_included | bool
|
||||||
|
|
||||||
- name: Tail tasks (legacy mode)
|
- name: Tail tasks (legacy mode)
|
||||||
include: tail.legacy.yml
|
include_tasks: tail.legacy.yml
|
||||||
|
args:
|
||||||
|
apply:
|
||||||
|
tags:
|
||||||
|
- manage
|
||||||
when:
|
when:
|
||||||
- minifirewall_install_mode == 'legacy'
|
- minifirewall_install_mode == 'legacy'
|
||||||
- minifirewall_tail_included | bool
|
- minifirewall_tail_included | bool
|
||||||
|
@ -120,10 +157,14 @@
|
||||||
debug:
|
debug:
|
||||||
var: minifirewall_restart_force | bool
|
var: minifirewall_restart_force | bool
|
||||||
verbosity: 1
|
verbosity: 1
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: Force restart minifirewall (legacy)
|
- name: Force restart minifirewall (legacy)
|
||||||
command: /bin/true
|
command: /bin/true
|
||||||
notify: "restart minifirewall (legacy)"
|
notify: "restart minifirewall (legacy)"
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
when:
|
when:
|
||||||
- minifirewall_install_mode == 'legacy'
|
- minifirewall_install_mode == 'legacy'
|
||||||
- minifirewall_restart_force | bool
|
- minifirewall_restart_force | bool
|
||||||
|
@ -131,6 +172,8 @@
|
||||||
- name: Force restart minifirewall (modern)
|
- name: Force restart minifirewall (modern)
|
||||||
command: /bin/true
|
command: /bin/true
|
||||||
notify: "restart minifirewall (modern)"
|
notify: "restart minifirewall (modern)"
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
when:
|
when:
|
||||||
- minifirewall_install_mode != 'legacy'
|
- minifirewall_install_mode != 'legacy'
|
||||||
- minifirewall_restart_force | bool
|
- minifirewall_restart_force | bool
|
|
@ -20,8 +20,8 @@
|
||||||
|
|
||||||
- name: Add MongoDB GPG key
|
- name: Add MongoDB GPG key
|
||||||
copy:
|
copy:
|
||||||
src: "server-{{mongodb_version}}.asc"
|
src: "server-{{ mongodb_version }}.asc"
|
||||||
dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc"
|
dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
|
||||||
force: yes
|
force: yes
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -29,16 +29,16 @@
|
||||||
|
|
||||||
- name: Enable APT sources list
|
- name: Enable APT sources list
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"
|
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
|
||||||
state: present
|
state: present
|
||||||
filename: "mongodb-org-{{mongodb_version}}"
|
filename: "mongodb-org-{{ mongodb_version }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Disable unsigned APT sources list
|
- name: Disable unsigned APT sources list
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"
|
repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
|
||||||
state: absent
|
state: absent
|
||||||
filename: "mongodb-org-{{mongodb_version}}"
|
filename: "mongodb-org-{{ mongodb_version }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
- name: Add MongoDB GPG key
|
- name: Add MongoDB GPG key
|
||||||
copy:
|
copy:
|
||||||
src: "server-{{mongodb_version}}.asc"
|
src: "server-{{ mongodb_version }}.asc"
|
||||||
dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
|
dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
|
||||||
force: yes
|
force: yes
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
|
@ -25,14 +25,14 @@
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
|
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
|
||||||
state: present
|
state: present
|
||||||
filename: "mongodb-org-{{mongodb_version}}"
|
filename: "mongodb-org-{{ mongodb_version }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Disable unsigned APT sources list
|
- name: Disable unsigned APT sources list
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
|
repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
|
||||||
state: absent
|
state: absent
|
||||||
filename: "mongodb-org-{{mongodb_version}}"
|
filename: "mongodb-org-{{ mongodb_version }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
|
|
|
@ -14,8 +14,8 @@
|
||||||
|
|
||||||
- name: Add MongoDB GPG key
|
- name: Add MongoDB GPG key
|
||||||
copy:
|
copy:
|
||||||
src: "server-{{mongodb_version}}.asc"
|
src: "server-{{ mongodb_version }}.asc"
|
||||||
dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
|
dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{ mongodb_version }}.asc"
|
||||||
force: yes
|
force: yes
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
owner: root
|
owner: root
|
||||||
|
@ -23,16 +23,16 @@
|
||||||
|
|
||||||
- name: Enable APT sources list
|
- name: Enable APT sources list
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main"
|
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main"
|
||||||
state: present
|
state: present
|
||||||
filename: "mongodb-org-{{mongodb_version}}"
|
filename: "mongodb-org-{{ mongodb_version }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Disable APT sources list
|
- name: Disable APT sources list
|
||||||
apt_repository:
|
apt_repository:
|
||||||
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main"
|
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main"
|
||||||
state: absent
|
state: absent
|
||||||
filename: "mongodb-org-{{mongodb_version}}"
|
filename: "mongodb-org-{{ mongodb_version }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: _mysql_scripts_dir is search ("/usr")
|
when: _mysql_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: Scripts directory exists
|
- name: Scripts directory exists
|
||||||
file:
|
file:
|
||||||
|
@ -106,7 +106,7 @@
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
when: _mysql_scripts_dir is search ("/usr")
|
when: _mysql_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: mysqltuner is installed
|
- name: mysqltuner is installed
|
||||||
# copy:
|
# copy:
|
||||||
|
@ -132,7 +132,7 @@
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
when: _mysql_scripts_dir is search ("/usr")
|
when: _mysql_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: mysql-optimize.sh is installed
|
- name: mysql-optimize.sh is installed
|
||||||
copy:
|
copy:
|
||||||
|
@ -203,7 +203,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: _mysql_scripts_dir is search ("/usr")
|
when: _mysql_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: Install my-add.sh
|
- name: Install my-add.sh
|
||||||
copy:
|
copy:
|
||||||
|
|
|
@ -50,8 +50,10 @@ mysql_restart_if_needed: True
|
||||||
|
|
||||||
mysql_performance_schema: True
|
mysql_performance_schema: True
|
||||||
|
|
||||||
|
mysql_skip_enabled: False
|
||||||
|
|
||||||
# replication variables:
|
# replication variables:
|
||||||
mysql_replication: false
|
mysql_replication: False
|
||||||
mysql_log_bin: null
|
mysql_log_bin: null
|
||||||
mysql_binlog_format: mixed
|
mysql_binlog_format: mixed
|
||||||
mysql_server_id: null
|
mysql_server_id: null
|
||||||
|
|
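Review bot: `mysql_skip_enabled` is added with no comment, yet setting it to true starts the mysql_skip service added in this commit, which runs `SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;` for each replication error matching /etc/mysql_skip.conf. A line above it such as `# start mysql_skip.service: automatically skips replication errors listed in /etc/mysql_skip.conf` would make that consequence visible to whoever flips it. The same hunk recases `mysql_replication: false` to `False`; lowercase `true`/`false` is the form yamllint's `truthy` rule accepts, though `True` matches the neighbouring defaults.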
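--- a/mysql/files/mysql_skip.sh
+++ b/mysql/files/mysql_skip.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# File containing error messages to skip (one per line).
+error_messages="/etc/mysql_skip.conf"
+
+# Sleep interval between 2 check.
+sleep_interval="1"
+
+# Exit when Seconds_Behind_Master reached 0.
+exit_when_uptodate="false"
+
+# Options to pass to mysql.
+#mysql_opt="-P 3307"
+
+# File to log skipped queries to (leave empty for no logs).
+log_file="/var/log/mysql_skip.log"
+
+mysql_skip_error() {
+error="$1"
+
+error="$(date --iso-8601=seconds) Skiping: $error"
+printf "Skipping: $error\n"
+mysql $mysql_opt -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;'
+
+[ -n "$log_file" ] && echo "$error" >>"$log_file"
+}
+
+while true; do
+slave_status="$(mysql $mysql_opt -e 'SHOW SLAVE STATUS\G')"
+seconds_behind_master=$(echo "$slave_status" |grep 'Seconds_Behind_Master: ' |awk -F ' ' '{print $2}')
+last_SQL_error="$(echo "$slave_status" |grep 'Last_SQL_Error: ' |sed 's/^.\+Last_SQL_Error: //')"
+
+if [ "$seconds_behind_master" = "0" ]; then
+#printf 'Replication is up to date!\n'
+if [ "$exit_when_uptodate" = "true" ]; then
+exit 0
+fi
+
+elif [ -z "$last_SQL_error" ]; then
+sleep $sleep_interval
+
+elif echo "$last_SQL_error" |grep -q -f $error_messages; then
+mysql_skip_error "$last_SQL_error"
+
+fi
+sleep 1
+done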
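Review bot: The test `grep -q -f $error_messages` reads every line of /etc/mysql_skip.conf as a regular expression, so one empty line in that file matches any error and the loop then skips every failing replication event; the shipped template line `## Put your matched patern here ##` is likewise a pattern, not a comment. I would refuse to match when the file is empty or holds a blank line, and quote the path: `elif [ -s "$error_messages" ] && ! grep -q '^$' "$error_messages" && echo "$last_SQL_error" | grep -q -f "$error_messages"; then` (adding `-F` if the entries are meant as literal message fragments). In `mysql_skip_error`, `printf "Skipping: $error\n"` uses the SQL error text as the format string, so any `%` in it is interpreted; `printf 'Skipping: %s\n' "$error"` avoids that.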
|
@ -45,3 +45,5 @@
|
||||||
- include_tasks: log2mail.yml
|
- include_tasks: log2mail.yml
|
||||||
|
|
||||||
- include_tasks: utils.yml
|
- include_tasks: utils.yml
|
||||||
|
|
||||||
|
- include_tasks: mysql_skip.yml
|
||||||
|
|
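--- a/mysql/tasks/mysql_skip.yml
+++ b/mysql/tasks/mysql_skip.yml
@@ -0,0 +1,54 @@
+---
+
+- name: "Copy script mysql_skip.sh into /usr/local/bin/"
+copy:
+src: mysql_skip.sh
+dest: "/usr/local/bin/mysql_skip.sh"
+owner: root
+group: root
+mode: "0700"
+force: yes
+tags:
+- mysql_skip
+
+- name: "Copy config file for mysql_skip.sh"
+template:
+src: mysql_skip.conf.j2
+dest: "/etc/mysql_skip.conf"
+owner: root
+group: root
+mode: "0600"
+tags:
+- mysql_skip
+
+- name: "Create log file for mysql_skip.sh"
+file:
+path: "/var/log/mysql_skip.log"
+state: touch
+owner: root
+group: adm
+mode: "0640"
+tags:
+- mysql_skip
+
+- name: "Copy logrotate file for mysql_skip.sh"
+template:
+src: mysql_skip.logrotate.j2
+dest: "/etc/logrotate.d/mysql_skip"
+owner: root
+group: root
+mode: "0600"
+tags:
+- mysql_skip
+
+- name: "Copy mysql_skip.sh systemd unit"
+template:
+src: mysql_skip.systemd.j2
+dest: /etc/systemd/system/mysql_skip.service
+force: yes
+
+- name: "Start or stop systemd unit"
+systemd:
+name: mysql_skip
+daemon_reload: yes
+state: "{{ mysql_skip_enabled | bool | ternary('started', 'stopped') }}"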
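Review bot: The last two tasks are written differently from the four before them: "Copy mysql_skip.sh systemd unit" sets no `owner`, `group` or `mode`, so the unit file's permissions depend on the controller's defaults, and neither it nor "Start or stop systemd unit" carries `tags: mysql_skip`. I would add `owner: root`, `group: root` and `mode: "0644"` to the template task and the tag to both. The systemd task sets only `state`, not `enabled`, so with `mysql_skip_enabled` true the service is started now but, as far as this file shows, not enabled at boot.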
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: _mysql_scripts_dir is search ("/usr")
|
when: _mysql_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: Ensure scripts directory exists
|
- name: Ensure scripts directory exists
|
||||||
file:
|
file:
|
||||||
|
@ -96,7 +96,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: _mysql_scripts_dir is search ("/usr")
|
when: _mysql_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: Install mysqltuner
|
- name: Install mysqltuner
|
||||||
# copy:
|
# copy:
|
||||||
|
@ -132,7 +132,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: _mysql_scripts_dir is search ("/usr")
|
when: _mysql_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: Optimize script for MySQL
|
- name: Optimize script for MySQL
|
||||||
copy:
|
copy:
|
||||||
|
@ -196,7 +196,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: _mysql_scripts_dir is search ("/usr")
|
when: _mysql_scripts_dir is search("/usr")
|
||||||
|
|
||||||
- name: Install my-add.sh
|
- name: Install my-add.sh
|
||||||
copy:
|
copy:
|
||||||
|
|
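--- a/mysql/templates/mysql_skip.conf.j2
+++ b/mysql/templates/mysql_skip.conf.j2
@@ -0,0 +1 @@
+## Put your matched patern here ##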
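--- a/mysql/templates/mysql_skip.logrotate.j2
+++ b/mysql/templates/mysql_skip.logrotate.j2
@@ -0,0 +1,10 @@
+/var/log/mysql_skip.log {
+missingok
+notifempty
+monthly
+rotate 12
+compress
+create 640 root adm
+dateext
+dateformat -%Y%m%d%H
+}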
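--- a/mysql/templates/mysql_skip.systemd.j2
+++ b/mysql/templates/mysql_skip.systemd.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Script for skip define mysql replication errors
+
+[Service]
+ExecStart=/usr/local/bin/mysql_skip.sh
+Type=simple
+User=root
+Group=root
+PIDFile=/run/mysql_skip.pid
+ExecStop=/bin/kill -- $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target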
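Review bot: `PIDFile=/run/mysql_skip.pid` has no effect in this unit: it is `Type=simple`, and mysql_skip.sh as added in this commit never writes a PID file. `ExecStop=/bin/kill -- $MAINPID` combined with `KillMode=process` signals only the shell, so a `mysql` or `sleep` child started by the loop can outlive a stop. Dropping those three lines leaves systemd's default stop behaviour, which signals the whole control group. The service also runs as `User=root` with no sandboxing directives; whether a less privileged account could hold the MySQL credentials is not visible on this page.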
|
@ -1,4 +1,4 @@
|
||||||
# {{ansible_managed}}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
[mysqld]
|
[mysqld]
|
||||||
{% if mysql_log_bin %}
|
{% if mysql_log_bin %}
|
||||||
|
|
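--- a/nagios-nrpe/files/alerts_switch
+++ b/nagios-nrpe/files/alerts_switch
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# https://forge.evolix.org/projects/evolix-private/repository
+#
+# You should not alter this file.
+# If you need to, create and customize a copy.
+
+set -e
+
+readonly PROGNAME=$(basename $0)
+readonly PROGDIR=$(readlink -m $(dirname $0))
+readonly ARGS="$@"
+
+usage() {
+echo "$PROGNAME action prefix"
+}
+
+disable_alerts () {
+disabled_file="$1_disabled"
+enabled_file="$1_enabled"
+
+if [ -e "${enabled_file}" ]; then
+mv "${enabled_file}" "${disabled_file}"
+else
+touch "${disabled_file}"
+chmod 0644 "${disabled_file}"
+fi
+}
+
+enable_alerts () {
+disabled_file="$1_disabled"
+enabled_file="$1_enabled"
+
+if [ -e "${disabled_file}" ]; then
+mv "${disabled_file}" "${enabled_file}"
+else
+touch "${enabled_file}"
+chmod 0644 "${enabled_file}"
+fi
+}
+
+now () {
+date --iso-8601=seconds
+}
+
+log_disable () {
+echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
+}
+
+log_enable () {
+echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
+}
+
+main () {
+local action=$1
+local prefix=$2
+
+local base_dir="/var/lib/misc"
+mkdir -p "${base_dir}"
+
+local file_path="${base_dir}/${prefix}_alerts"
+local log_file="/var/log/${prefix}_alerts.log"
+
+case "$action" in
+enable)
+enable_alerts ${file_path}
+log_enable ${log_file}
+;;
+disable)
+disable_alerts ${file_path}
+log_disable ${log_file}
+;;
+help)
+usage
+;;
+*)
+>&2 echo "Unknown action '$action'"
+exit 1
+;;
+esac
+}
+
+main $ARGS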
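Review bot: `prefix` in `main` goes straight from the command line into `file_path` and `log_file`, and alerts_wrapper (added in this commit) runs this script through `sudo` with its check name, so a value containing `/` or `..` would have root `mv`, `touch`, `chmod` and append outside /var/lib/misc and /var/log. I would reject anything but a plain identifier in the `enable` and `disable` branches before the paths are used: `case "$prefix" in ''|*[!A-Za-z0-9_-]*) >&2 echo "Invalid prefix '$prefix'"; exit 1 ;; esac`. The quoting needs tightening as well: `readonly ARGS="$@"` followed by `main $ARGS`, the unquoted `${file_path}` and `${log_file}`, and `>> $1` all re-split on whitespace; calling `main "$@"` and quoting those expansions fixes that.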
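--- a/nagios-nrpe/files/alerts_wrapper
+++ b/nagios-nrpe/files/alerts_wrapper
@@ -0,0 +1,217 @@
+#!/bin/bash
+
+# https://forge.evolix.org/projects/evolix-private/repository
+#
+# You should not alter this file.
+# If you need to, create and customize a copy.
+
+VERSION="21.04"
+readonly VERSION
+
+# base functions
+
+show_version() {
+cat <<END
+alerts_wrapper version ${VERSION}
+
+Copyright 2018-2021 Evolix <info@evolix.fr>,
+Jérémy Lecour <jlecour@evolix.fr>
+and others.
+
+alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
+and you are welcome to redistribute it under certain conditions.
+See the GNU General Public License v3.0 for details.
+END
+}
+show_help() {
+cat <<END
+alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
+
+Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
+or alerts_wrapper --name=check_name command with optional arguments
+or alerts_wrapper check_name command with optional arguments
+
+Options
+--limit max age of the "check file" ;
+can be "1d" for 1 day, "5m" for 5 minutes…
+or more complex expressions like "1w2d10m42s"
+--name check name
+-h, --help print this message and exit
+-V, --version print version and exit
+END
+}
+
+time_in_seconds() {
+if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
+echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
+elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
+echo "${1} * 3600" | xargs expr
+else
+return 1
+fi
+}
+
+delay_from_alerts_disabled_file() {
+last_change=$(stat -c %Z "${alerts_disabled_file}")
+limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}")
+limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
+
+echo $(( last_change - limit_date ))
+}
+
+enable_check() {
+if [ "$(id -u)" -eq "0" ] ; then
+/usr/local/bin/alerts_switch enable "${check_name}"
+else
+sudo /usr/local/bin/alerts_switch enable "${check_name}"
+fi
+}
+
+main() {
+${check_command} > "${check_stdout}"
+check_rc=$?
+readonly check_rc
+
+delay=0
+
+if [ -e "${alerts_disabled_file}" ]; then
+delay=$(delay_from_alerts_disabled_file)
+
+if [ "${delay}" -le "0" ]; then
+enable_check
+fi
+fi
+
+if [ -e "${alerts_disabled_file}" ]; then
+formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c')
+readonly formatted_last_change
+
+echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
+if [ ${check_rc} = 0 ]; then
+# Nagios OK
+exit 0
+else
+# Nagios WARNING
+exit 1
+fi
+else
+cat "${check_stdout}"
+exit ${check_rc}
+fi
+}
+
+# Default: 1 day before re-enabling the check
+wrapper_limit_default="1d"
+readonly wrapper_limit_default
+
+if [[ "${1}" =~ -.* ]]; then
+# parse options
+# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
+while :; do
+case $1 in
+-h|-\?|--help)
+show_help
+exit 0
+;;
+-V|--version)
+show_version
+exit 0
+;;
+
+--limit)
+# with value separated by space
+if [ -n "$2" ]; then
+wrapper_limit=$2
+shift
+else
+printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
+exit 1
+fi
+;;
+--limit=?*)
+# with value speparated by =
+wrapper_limit=${1#*=}
+;;
+--limit=)
+# without value
+printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
+exit 1
+;;
+
+--name)
+# with value separated by space
+if [ -n "$2" ]; then
+check_name=$2
+shift
+else
+printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
+exit 1
+fi
+;;
+--name=?*)
+# with value speparated by =
+check_name=${1#*=}
+;;
+--name=)
+# without value
+printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
+exit 1
+;;
+
+--)
+# End of all options.
+shift
+break
+;;
+-?*)
+# ignore unknown options
+printf 'WARN: Unknown option : %s\n' "$1" >&2
+exit 1
+;;
+*)
+# Default case: If no more options then break out of the loop.
+break
+;;
+esac
+
+shift
+done
+# The rest is the command
+check_command="$*"
+else
+# no option is passed (backward compatibility with previous version)
+# treat the first argument as check_name and the rest as the command
+check_name="${1}"
+shift
+check_command="$*"
+fi
+
+# Default values or errors
+if [ -z "${wrapper_limit}" ]; then
+wrapper_limit="${wrapper_limit_default}"
+fi
+if [ -z "${check_name}" ]; then
+printf 'ERROR: You must specify a check name, with --name.\n' >&2
+exit 1
+fi
+if [ -z "${check_command}" ]; then
+printf 'ERROR: You must specify a command to execute.\n' >&2
+exit 1
+fi
+
+readonly check_name
+readonly check_command
+readonly wrapper_limit
+alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
+readonly alerts_disabled_file
+
+check_file="/var/lib/misc/${check_name}_alerts_disabled"
+readonly check_file
+
+check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
+readonly check_stdout
+
+# shellcheck disable=SC2064
+trap "rm ${check_stdout}" EXIT
+
+main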
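Review bot: The wrapped command is flattened to a string with `check_command="$*"` and run unquoted as `${check_command} > "${check_stdout}"`, so arguments that contained spaces are re-split and glob characters are expanded before the plugin sees them. Since this is a bash script, an array keeps the arguments intact: `check_command=("$@")` and `"${check_command[@]}" > "${check_stdout}"`, with the emptiness test changed to `[ "${#check_command[@]}" -eq 0 ]`. `check_name` is also used unvalidated in the `mktemp` template, the /var/lib/misc path and the `sudo` call to alerts_switch; restricting it to `[A-Za-z0-9_-]` keeps all three predictable. `check_file` is assigned but not used in this file.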
|
@ -59,9 +59,9 @@ delay_from_check_file() {
|
||||||
|
|
||||||
enable_check() {
|
enable_check() {
|
||||||
if [ "$(id -u)" -eq "0" ] ; then
|
if [ "$(id -u)" -eq "0" ] ; then
|
||||||
/usr/share/scripts/alerts_switch enable "${check_name}"
|
/usr/local/bin/alerts_switch enable "${check_name}"
|
||||||
else
|
else
|
||||||
sudo /usr/share/scripts/alerts_switch enable "${check_name}"
|
sudo /usr/local/bin/alerts_switch enable "${check_name}"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -56,20 +56,20 @@ for pool_file in $POOL_FILES; do
|
||||||
|
|
||||||
if [ "${ret}" -ge 2 ]; then
|
if [ "${ret}" -ge 2 ]; then
|
||||||
nb_crit=$((nb_crit + 1))
|
nb_crit=$((nb_crit + 1))
|
||||||
output="${output}${result}\n"
|
|
||||||
[ "${return}" -le 2 ] && return=2
|
[ "${return}" -le 2 ] && return=2
|
||||||
elif [ "${ret}" -ge 1 ]; then
|
elif [ "${ret}" -ge 1 ]; then
|
||||||
nb_warn=$((nb_warn + 1))
|
nb_warn=$((nb_warn + 1))
|
||||||
output="${output}${result}\n"
|
|
||||||
[ "${return}" -le 1 ] && return=1
|
[ "${return}" -le 1 ] && return=1
|
||||||
else
|
else
|
||||||
nb_ok=$((nb_ok + 1))
|
nb_ok=$((nb_ok + 1))
|
||||||
output="${output}$(echo "$result" | cut -d '|' -f1)\n"
|
|
||||||
[ "${return}" -le 0 ] && return=0
|
[ "${return}" -le 0 ] && return=0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
result_status=$(echo ${result} | awk -F' - ' '{ print $1}')
|
||||||
|
result_content=$(echo ${result} | awk -F' - ' '{ print $2}')
|
||||||
|
output="${output}${result_status} - ${pool_file} - ${result_content}\n"
|
||||||
|
|
||||||
done;
|
done
|
||||||
|
|
||||||
|
|
||||||
[ "${return}" -ge 0 ] && header="OK"
|
[ "${return}" -ge 0 ] && header="OK"
|
||||||
|
|
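Review bot: The new `result_status` and `result_content` lines split `${result}` with `awk -F' - '` and keep only `$1` and `$2`, so plugin output that itself contains ` - ` is cut at the second separator, and the unquoted `echo ${result}` collapses whitespace and expands glob characters. Parameter expansion keeps the whole remainder without a subshell: `result_status="${result%% - *}"` and `result_content="${result#* - }"`. The old OK branch stripped performance data with `cut -d '|' -f1` and the new code no longer does, which may be intended but is worth confirming. The enclosing `for pool_file` loop starts outside this hunk.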
|
@ -1,94 +1,190 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
# shellcheck disable=SC2207,SC2009,SC2076
|
||||||
|
|
||||||
# README
|
usage() {
|
||||||
#
|
cat << EOL
|
||||||
# Variable to adjust : is_master and vrrpd_processes.
|
Usage :
|
||||||
# vrrpd_processes is the number of vrrpd processes that should run on the server.
|
|
||||||
# is_master defines whether the vrrpd group should be master (1) or backup (0).
|
|
||||||
#
|
|
||||||
# If some instances have to be master and some other have to be backup,
|
|
||||||
# then the value of is_master is 2 and the states has to be precised in arguments.
|
|
||||||
# e.g. : ./check_vrrpd master backup master
|
|
||||||
# The order is defined by the output order of `ps auwx | grep vrrp`
|
|
||||||
|
|
||||||
RC=0
|
$0 --master X,Y --backup Z
|
||||||
IFS='
|
|
||||||
'
|
|
||||||
|
|
||||||
is_master=2 # 1 if master ; 0 if backup ; 2 if mixed master and backup, in this case, it has to be precised in arguments
|
-m|--master ID_MASTER # VRRP ID that should be master, separated by a comma ","
|
||||||
vrrpd_processes=3 # number of vrrpd processes that should be running
|
-b|--backup ID_BACKUP # VRRP ID that should be backup, separated by a comma ","
|
||||||
is_vrrpd_running=$(sudo /usr/lib/nagios//plugins/check_procs -C vrrpd -c $vrrpd_processes:$vrrpd_processes)
|
[--vrrpd] # Check for vrrpd daemon (default)
|
||||||
rc_is_vrrpd_running=$?
|
[--uvrrpd] # Check for uvrrpd daemon
|
||||||
IP_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $--NF}'; done))
|
EOL
|
||||||
INT_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $13}'; done))
|
}
|
||||||
ID_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $19}'; done))
|
|
||||||
|
|
||||||
if [[ $rc_is_vrrpd_running -ne 0 ]]; then
|
unset ID_master
|
||||||
echo $is_vrrpd_running instead of $vrrpd_processes
|
unset ID_backup
|
||||||
|
vrrpd_option="unset"
|
||||||
|
uvrrpd_option="unset"
|
||||||
|
unset critical_output
|
||||||
|
critical_state="unset"
|
||||||
|
unset warning_output
|
||||||
|
warning_state="unset"
|
||||||
|
unset ok_output
|
||||||
|
ok_state="unset"
|
||||||
|
exit_code=0
|
||||||
|
used_daemon="vrrpd"
|
||||||
|
IFS="
|
||||||
|
"
|
||||||
|
|
||||||
|
# If no argument then show usage
|
||||||
|
if [ "$#" -eq 0 ]; then
|
||||||
|
usage
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for i in $(seq 0 $((${#ID_vrrpd[*]}-1))); do
|
while :; do
|
||||||
ifconfig vrrp_${ID_vrrpd[$i]}_${INT_vrrpd[$i]} >/dev/null 2>&1
|
case $1 in
|
||||||
# If has interface
|
-h|-\?|--help) # Call a "usage" function to display a synopsis, then exit.
|
||||||
if [[ $? -eq 0 ]]; then
|
usage
|
||||||
# If has to be master : OK
|
exit
|
||||||
if [[ $is_master -eq 1 ]]; then
|
;;
|
||||||
echo OK - ${IP_vrrpd[$i]} exists and is master
|
-m|--master) # Takes an option argument, ensuring it has been specified.
|
||||||
# If has to be backup : KO
|
if [ -n "$2" ]; then
|
||||||
elif [[ $is_master -eq 0 ]]; then
|
ID_master=($(echo "$2" | tr "," "\n")) # Make an array with values separated by ","
|
||||||
echo CRITICAL - ${IP_vrrpd[$i]} exists whereas it should be backup
|
shift
|
||||||
RC=2
|
|
||||||
# We retrieve the state it should be from args
|
|
||||||
elif [[ $is_master -eq 2 ]]; then
|
|
||||||
arg=$(($i+1))
|
|
||||||
state=${!arg}
|
|
||||||
# If has to be master : OK
|
|
||||||
if [[ $state = master ]]; then
|
|
||||||
echo OK - ${IP_vrrpd[$i]} exists and is master
|
|
||||||
# If has to be backup : KO
|
|
||||||
elif [[ $state = backup ]]; then
|
|
||||||
echo CRITICAL - ${IP_vrrpd[$i]} exists whereas it should be backup
|
|
||||||
RC=2
|
|
||||||
else
|
else
|
||||||
echo "CRITICAL - The arguments have to be master or backup. Exiting"
|
printf 'ERROR: "--master" requires a non-empty option argument.\n' >&2
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
# Unknown
|
;;
|
||||||
|
-b|--backup) # Takes an option argument, ensuring it has been specified.
|
||||||
|
if [ -n "$2" ]; then
|
||||||
|
ID_backup=($(echo "$2" | tr "," "\n")) # Make an array with values separated by ","
|
||||||
|
shift
|
||||||
else
|
else
|
||||||
RC=3
|
printf 'ERROR: "--backup" requires a non-empty option argument.\n' >&2
|
||||||
fi
|
|
||||||
# If hasn't interface
|
|
||||||
elif [[ $? -ne 0 ]]; then
|
|
||||||
# If has to be master : KO
|
|
||||||
if [[ $is_master -eq 1 ]]; then
|
|
||||||
echo CRITICAL - ${IP_vrrpd[$i]} does not exist whereas it should be master
|
|
||||||
RC=2
|
|
||||||
# If has to be backup : OK
|
|
||||||
elif [[ $is_master -eq 0 ]]; then
|
|
||||||
echo OK - ${IP_vrrpd[$i]} is backup
|
|
||||||
# We retrieve the state it should be from args
|
|
||||||
elif [[ $is_master -eq 2 ]]; then
|
|
||||||
arg=$(($i+1))
|
|
||||||
state=${!arg}
|
|
||||||
# If has to be master : KO
|
|
||||||
if [[ $state = master ]]; then
|
|
||||||
echo CRITICAL - ${IP_vrrpd[$i]} does not exist whereas it should be master
|
|
||||||
RC=2
|
|
||||||
# If has to be backup : OK
|
|
||||||
elif [[ $state = backup ]]; then
|
|
||||||
echo OK - ${IP_vrrpd[$i]} is backup
|
|
||||||
else
|
|
||||||
echo "CRITICAL - The arguments have to be master or backup. Exiting"
|
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
# Unknown
|
;;
|
||||||
else
|
--vrrpd)
|
||||||
RC=3
|
used_daemon="vrrpd"
|
||||||
fi
|
vrrpd_option="set"
|
||||||
# Unknown
|
;;
|
||||||
else
|
--uvrrpd)
|
||||||
RC=3
|
used_daemon="uvrrpd"
|
||||||
fi
|
uvrrpd_option="set"
|
||||||
|
;;
|
||||||
|
-?*)
|
||||||
|
printf 'WARNING: Unknown option (ignored): %s\n' "$1" >&2
|
||||||
|
;;
|
||||||
|
*) # Default case: If no more options then break out of the loop.
|
||||||
|
break
|
||||||
|
esac
|
||||||
|
shift
|
||||||
done
|
done
|
||||||
exit $RC
|
|
||||||
|
# Make sure that each given ID is given once only
|
||||||
|
all_ID=("${ID_master[@]}" "${ID_backup[@]}")
|
||||||
|
uniqueNum=$(printf '%s\n' "${all_ID[@]}"|awk '!($0 in seen){seen[$0];c++} END {print c}')
|
||||||
|
if [ "$uniqueNum" != ${#all_ID[@]} ]; then
|
||||||
|
echo "ERROR : At least one VRRP ID is given multiple times"
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make sure --vrrpd and --uvrrpd are not both set
|
||||||
|
if [ $vrrpd_option = "set" ] && [ $uvrrpd_option = "set" ]; then
|
||||||
|
echo "ERROR : You cannot set both parameters --vrrpd and --uvrrpd"
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make sure no sysclt parameter "rp_filter" is set to 1
|
||||||
|
if grep -q 1 /proc/sys/net/ipv4/conf/*/rp_filter; then
|
||||||
|
critical_output="${critical_output}CRITICAL - rp_filter is set to 1 at least for one interface\n"
|
||||||
|
critical_state="set"
|
||||||
|
fi
|
||||||
|
|
||||||
|
vrrpd_processes_number=$((${#ID_master[@]}+${#ID_backup[@]})) # Number of vrrpd processes that should be running = length of arrays ID_master + ID_backup
|
||||||
|
regex_ipv4="((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])"
|
||||||
|
regex_ipv6="(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"
|
||||||
|
vrrpd_processes=$(ps auwx | grep "$used_daemon" | grep -v -e grep -e check)
|
||||||
|
ID_running_vrrpd=($(for i in ${vrrpd_processes}; do echo "$i" | grep -Eo -- "-v [0-9]+" | awk '{print $2}'; done))
|
||||||
|
|
||||||
|
# Check the number of running vrrpd processes in comparison to the number of ID given
|
||||||
|
if ! sudo /usr/lib/nagios/plugins/check_procs -C "$used_daemon" -c $vrrpd_processes_number:$vrrpd_processes_number >/dev/null; then
|
||||||
|
critical_output="${critical_output}CRITICAL : $vrrpd_processes_number VRRP ID are given but $(ps auwx | grep "$used_daemon" | grep -v -e grep -e check -c) $used_daemon processes are running\n"
|
||||||
|
if pgrep uvrrp >/dev/null && [ $uvrrpd_option = "unset" ]; then
|
||||||
|
critical_output="${critical_output}It seems that uvrrpd is running. Use parameter --uvrrpd\n"
|
||||||
|
fi
|
||||||
|
critical_state="set"
|
||||||
|
fi
|
||||||
|
|
||||||
|
IFS=" "
|
||||||
|
|
||||||
|
# For each ID_master, make sure a process exist
|
||||||
|
if [ ${#ID_master[@]} -ne 0 ]; then
|
||||||
|
for i in "${ID_master[@]}"; do
|
||||||
|
# If array contains the current ID, then a process exist, and we have to make sure the corresponding interface exists
|
||||||
|
if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then
|
||||||
|
vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i ")
|
||||||
|
INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}')
|
||||||
|
IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}")
|
||||||
|
if [ "$used_daemon" = "vrrpd" ]; then
|
||||||
|
int_name="vrrp_${i}_${INT_current_vrrpd}"
|
||||||
|
elif [ "$used_daemon" = "uvrrpd" ]; then
|
||||||
|
int_name="${INT_current_vrrpd}_${i}"
|
||||||
|
fi
|
||||||
|
if /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"; then
|
||||||
|
ok_output="${ok_output}OK - ID $i has a process and $IP_current_vrrpd is master\n"
|
||||||
|
ok_state="set"
|
||||||
|
else
|
||||||
|
warning_output="${warning_output}WARNING - The IP $IP_current_vrrpd for ID $i is backup while it should be master\n"
|
||||||
|
warning_state="set"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
critical_output="${critical_output}CRITICAL - No process is running for VRRP ID $i\n"
|
||||||
|
critical_state="set"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For each ID_backup, make sure a process exist
|
||||||
|
if [ ${#ID_backup[@]} -ne 0 ]; then
|
||||||
|
for i in "${ID_backup[@]}"; do
|
||||||
|
# If array contains the current ID, then a process exist, and we have to make sure the corresponding interface does not exist
|
||||||
|
if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then
|
||||||
|
vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i ")
|
||||||
|
INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}')
|
||||||
|
IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}")
|
||||||
|
if [ "$used_daemon" = "vrrpd" ]; then
|
||||||
|
int_name="vrrp_${i}_${INT_current_vrrpd}"
|
||||||
|
elif [ "$used_daemon" = "uvrrpd" ]; then
|
||||||
|
int_name="${INT_current_vrrpd}_${i}"
|
||||||
|
fi
|
||||||
|
if ! /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"; then
|
||||||
|
ok_output="${ok_output}OK - ID $i has a process and $IP_current_vrrpd is backup\n"
|
||||||
|
ok_state="set"
|
||||||
|
else
|
||||||
|
warning_output="${warning_output}WARNING - The IP $IP_current_vrrpd for ID $i is master while it should be backup\n"
|
||||||
|
warning_state="set"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
critical_output="${critical_output}CRITICAL - No process is running for VRRP ID $i\n"
|
||||||
|
critical_state="set"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make $exit_code the highest set
|
||||||
|
if [ "$critical_state" = "set" ]; then
|
||||||
|
exit_code=2
|
||||||
|
elif [ "$warning_state" = "set" ]; then
|
||||||
|
exit_code=1
|
||||||
|
elif [ "$ok_state" = "set" ]; then
|
||||||
|
exit_code=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Echo most critical output first, least last
|
||||||
|
if [ -n "$critical_output" ]; then
|
||||||
|
echo -e "$critical_output" | grep -v "^$"
|
||||||
|
fi
|
||||||
|
if [ -n "$warning_output" ]; then
|
||||||
|
echo -e "$warning_output" | grep -v "^$"
|
||||||
|
fi
|
||||||
|
if [ -n "$ok_output" ]; then
|
||||||
|
echo -e "$ok_output" | grep -v "^$"
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit $exit_code
|
||||||
|
|
|
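Review bot: The IDs taken from `--master`/`--backup` are never checked to be numeric before they are used as a regex in `grep -E -- "-v $i "` and as part of `int_name`, and the unquoted `ID_master=($(echo "$2" | tr "," "\n"))` also glob-expands them. If this plugin is ever given its arguments from the NRPE side, that is untrusted input, and a validation pass right after the option loop, as sketched below, would reject it early. Separately, `grep -q "$IP_current_vrrpd"` treats the address as a regex and matches every line when the extraction came back empty. `grep -qwF -- "$IP_current_vrrpd"` behind a non-empty test would be more exact.

```bash
# … unchanged: usage(), variable initialisation, option parsing loop …

# Reject anything that is not a plain decimal VRRP ID before it reaches grep or int_name
for id in "${ID_master[@]}" "${ID_backup[@]}"; do
    case "$id" in
        ''|*[!0-9]*)
            echo "ERROR : VRRP ID must be numeric: ${id}"
            exit 2
            ;;
    esac
done

# … unchanged: duplicate-ID check, daemon option check, process and interface checks …
```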
@ -58,7 +58,7 @@
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
when: nagios_plugins_directory is search ("/usr")
|
when: nagios_plugins_directory is search("/usr")
|
||||||
tags:
|
tags:
|
||||||
- nagios-nrpe
|
- nagios-nrpe
|
||||||
- nagios-plugins
|
- nagios-plugins
|
||||||
|
@ -83,3 +83,5 @@
|
||||||
notify: restart nagios-nrpe-server
|
notify: restart nagios-nrpe-server
|
||||||
tags:
|
tags:
|
||||||
- nagios-nrpe
|
- nagios-nrpe
|
||||||
|
|
||||||
|
- include_tasks: wrapper.yml
|
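--- a/nagios-nrpe/tasks/wrapper.yml
+++ b/nagios-nrpe/tasks/wrapper.yml
@@ -0,0 +1,42 @@
+---
+
+
+- name: "Remount /usr if needed"
+include_role:
+name: remount-usr
+
+- name: check if old script is present
+stat:
+path: /usr/share/scripts/alerts_switch
+register: old_alerts_switch
+
+- name: alerts_switch is at the right place
+command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
+args:
+creates: /usr/local/bin/alerts_switch
+when: old_alerts_switch.stat.exists
+
+- name: "copy alerts_switch"
+copy:
+src: alerts_switch
+dest: /usr/local/bin/alerts_switch
+owner: root
+group: root
+mode: "0750"
+force: yes
+
+- name: "symlink for backward compatibility"
+file:
+src: /usr/local/bin/alerts_switch
+dest: /usr/share/scripts/alerts_switch
+state: link
+when: old_alerts_switch.stat.exists
+
+- name: "copy alerts_wrapper"
+copy:
+src: alerts_wrapper
+dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
+owner: root
+group: staff
+mode: "0755"
+force: yes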
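Review bot: The "symlink for backward compatibility" task will fail on a host where `/usr/share/scripts/alerts_switch` is still a regular file and `/usr/local/bin/alerts_switch` already exists. In that case the `mv` is skipped by `creates:`, and the `file` module does not replace a regular file with a link unless forced. Adding `force: true` to that task covers it. The role is also included as `remount-usr` here, while the preceding hunk (the one that adds `include_tasks: wrapper.yml`) uses `evolix/remount-usr`; one spelling should be used for both.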
@ -3,7 +3,7 @@
|
||||||
shell: grep nameserver /etc/resolv.conf | awk '{ print $2 }'
|
shell: grep nameserver /etc/resolv.conf | awk '{ print $2 }'
|
||||||
register: grep_nameserver
|
register: grep_nameserver
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: false
|
changed_when: False
|
||||||
tags:
|
tags:
|
||||||
- nameserver
|
- nameserver
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
|
|
||||||
- name: list newrelic config files
|
- name: list newrelic config files
|
||||||
shell: "find /etc/php* -type f -name newrelic.ini"
|
shell: "find /etc/php* -type f -name newrelic.ini"
|
||||||
changed_when: false
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
register: find_newrelic_ini
|
register: find_newrelic_ini
|
||||||
|
|
||||||
|
|
|
@ -18,15 +18,11 @@
|
||||||
shell: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*"
|
shell: "chown --verbose www-data:munin /var/log/munin/munin-cgi-*"
|
||||||
register: command_result
|
register: command_result
|
||||||
changed_when: "'changed' in command_result.stdout"
|
changed_when: "'changed' in command_result.stdout"
|
||||||
args:
|
|
||||||
warn: no
|
|
||||||
|
|
||||||
- name: Mode for munin-cgi is set to 660
|
- name: Mode for munin-cgi is set to 660
|
||||||
shell: "chmod --verbose 660 /var/log/munin/munin-cgi-*"
|
shell: "chmod --verbose 660 /var/log/munin/munin-cgi-*"
|
||||||
register: command_result
|
register: command_result
|
||||||
changed_when: "'changed' in command_result.stdout"
|
changed_when: "'changed' in command_result.stdout"
|
||||||
args:
|
|
||||||
warn: no
|
|
||||||
|
|
||||||
- name: Systemd unit for Munin-fcgi is installed
|
- name: Systemd unit for Munin-fcgi is installed
|
||||||
copy:
|
copy:
|
||||||
|
|
|
@ -158,86 +158,63 @@ V1L7FROM6fKydeSLJbx17SNjVdQnq1OsyqSO0catAFNptMHBsN+tiCI29gpGegao
|
||||||
umV9cnND69aYvyPBgvdtmzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qS
|
umV9cnND69aYvyPBgvdtmzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qS
|
||||||
Wste9fUna0G4l/WMuaIzVkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4s
|
Wste9fUna0G4l/WMuaIzVkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4s
|
||||||
d0PWkVa18qSrOvyhI96gCzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQV
|
d0PWkVa18qSrOvyhI96gCzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQV
|
||||||
m5Tx4w2uF4/n3FBnABEBAAGJBEQEGAECAA8FAlwsRBECGwIFCQIKEgACKQkQFkaw
|
m5Tx4w2uF4/n3FBnABEBAAGJBFsEGAEIACYCGwIWIQRy7PRqVrStOckHu7cWRrAb
|
||||||
G4blAxDBXSAEGQECAAYFAlwsRBEACgkQI+cWZ4i2Ph6B0g//cPis3v2M6XvAbVoM
|
huUDEAUCY897hAUJDUbR8wIpwV0gBBkBAgAGBQJcLEQRAAoJECPnFmeItj4egdIP
|
||||||
3GIMXnsVj1WAHuwA/ja7UfZJ9+kV/PiMLkAbW0fBj0/y0O3Ry12VVQGXhC+Vo4j6
|
/3D4rN79jOl7wG1aDNxiDF57FY9VgB7sAP42u1H2SffpFfz4jC5AG1tHwY9P8tDt
|
||||||
C8qwFP4OXa6EsxHXuvWMIztBaX1Kav613aXBtxp6tTrud0FFUh4sDc1RREb3tMr6
|
0ctdlVUBl4QvlaOI+gvKsBT+Dl2uhLMR17r1jCM7QWl9Smr+td2lwbcaerU67ndB
|
||||||
y5cvFJgnrdWcX1gsl6ODcgWBGNc6ZX7H7j48hMR6KmNeZocW7p8W+BgDQJqXYwVN
|
RVIeLA3NUURG97TK+suXLxSYJ63VnF9YLJejg3IFgRjXOmV+x+4+PITEeipjXmaH
|
||||||
L15qOHzVAh0dWsFLE9gwBTmDCY03x9arxSNDGCXyxt6E77LbNVIoSRlEbkvi6j33
|
Fu6fFvgYA0Cal2MFTS9eajh81QIdHVrBSxPYMAU5gwmNN8fWq8UjQxgl8sbehO+y
|
||||||
nEbuERICYl6CltXQCyiVKjheJcLMjbgv5+bLCv2zfeJ/WyOmOGKpHRu+lBV1Gvli
|
2zVSKEkZRG5L4uo995xG7hESAmJegpbV0AsolSo4XiXCzI24L+fmywr9s33if1sj
|
||||||
RxUblVlmjWPhYPBZXGyjII16Tqr+ilREcZFW+STccbrVct75JWLbxwlEmix+W1Hw
|
pjhiqR0bvpQVdRr5YkcVG5VZZo1j4WDwWVxsoyCNek6q/opURHGRVvkk3HG61XLe
|
||||||
SRCR+KHx3Cur4ZPMOBlPsFilOOsNa7ROUB56t7zv21Ef3BeeaCd9c4kzNGN8d1ic
|
+SVi28cJRJosfltR8EkQkfih8dwrq+GTzDgZT7BYpTjrDWu0TlAeere879tRH9wX
|
||||||
EqSXoWWPqgST0LZPtZyqWZVnWrHChVHfrioxhSnw8O3wY1A2GSahiCSvvjvOeEoJ
|
nmgnfXOJMzRjfHdYnBKkl6Flj6oEk9C2T7WcqlmVZ1qxwoVR364qMYUp8PDt8GNQ
|
||||||
yU21ZMw6AVyHCh6v42oYadBfGgFwNo5OCMhNxNy/CcUrBSDqyLVTM5QlNsT75Ys7
|
NhkmoYgkr747znhKCclNtWTMOgFchwoer+NqGGnQXxoBcDaOTgjITcTcvwnFKwUg
|
||||||
kHHnc+Jk+xx4JpiyNCz5LzcPhlwpqnJQcjJdY1hDhK75Ormj/NfCMeZ8g1aVPX4x
|
6si1UzOUJTbE++WLO5Bx53PiZPsceCaYsjQs+S83D4ZcKapyUHIyXWNYQ4Su+Tq5
|
||||||
Eq8AMyZYhZ5/lmM+13Rdv8ZW6FK7HQ/+IAKzntxOjw0MzCXkksKdmIOZ2bLeOVI8
|
o/zXwjHmfINWlT1+MRKvADMmWIWef5ZjPtd0Xb/GVuhSCRAWRrAbhuUDEHSxD/9M
|
||||||
aSLaUmoT5CLuoia9g7iFHlYrSY+01riRrAaPtYx0x8onfyVxL9dlW/Fv5+qc1fF5
|
5il+6iZDsLMFQvsZJjRWnquPxRXBfyA3aiLJXsmMwWfSdEjS3JKq2hrOKVT3FgkN
|
||||||
FxdhyIgdqgzm82TnXHu/haUxYmUvNrbsmmNl5UTTOf+YQHMccKFdYfZ2rCBtbN2n
|
CHBxhPREIPEhlE7EsGmdYvvzceYeM8LuK4DVMIjjpsIlxyS+h3iQNamoITbwuZyc
|
||||||
iXG1tuz2+k83pozu4mJ1rOOLNAsQoY3yR6OODte1FyOgp7blwDhTIoQb8/UiJ7CM
|
Hgv9FGVOElrtntqPY6BZWBdK1ZVAT3Q4hf1+o2UZ6o5gcmu6rR5wlgsqdGc5XCev
|
||||||
BI3OPrfoXFAnhYoxeRSAN4UFu9/HIkqfaQgRPCZS1gNerWF6r6yz9AZWUZqjSJss
|
YVaJ7qQXvLhU0gzWyJ1p//d4DQUqrXW9+1bFg/gwPFn+ZBoO40/IovwoIdo1xX4p
|
||||||
jBqXCtK9bGbTYBZk+pw3H9Nd0RJ2WJ9qPqmlmUr1wdqct0ChsJx1xAT86QrssicJ
|
KgH47aXFRHB53LhNtve422XDEuQnBTwNucvxAA91TmFt1BDVy1VCEwlDaKMS4Tuw
|
||||||
/HFFmF45hlnGkHUBWLaVJt8YkLb/DqOIbVbwyCLQtJ80VQLEeupfmu5QNsTpntRY
|
xrBEBKwsuBqelJPEcDzzt+yvc3jPoVrNrC5zLpAF3VPCUCkf21tbqYroFy/UfQls
|
||||||
NKf8cr00uc8vSYXYFRxa5H5oRT1eoFEEjDDvokNnHXfT+Hya44IjYpzaqvAgeDp6
|
O26iJhfPxoLEGtuCYt+DrpnR/1DteKqtett+Z1nJ9JEZAxk8QjdcpdMa5kBtC1hd
|
||||||
sYlOdtWIv/V3s+trxACwTkRN7zw3lLTbT8PK9szK0fYZ5KHG1/AKH+mbZ6qNc/25
|
vb9f8ySSxv91RtzmyehIc7TBogwK+mydWMskTmNAl4ecGepfghPfA5JDW0NUm/Vv
|
||||||
PNbAFRtttLGuEIC3HJ12IAp2JdjioeD2OnWLu4ZeCT2CKKFsleZPrSyCrn3gyZPm
|
/DAylze+BXzXPBeMXDAsHOcf4A8QVht9jX5a03QpPcFcXUYFjtItrjeDyzlSBp3K
|
||||||
fYvv5h2JbQNO6uweOrZENWX5SU43OBoplbuKJZsMP6p6NahuGnIeJLlv509JYAf/
|
8B9ECMy2+ke0U0jupNWlFxxzR15e+rEi450ilL/wKm7Va5VhQuNlXToIZJdQg/3e
|
||||||
HN4ARyvvOpOJBFsEGAEIACYCGwIWIQRy7PRqVrStOckHu7cWRrAbhuUDEAUCYA3F
|
n2jb+0Wye2SNCdPjF8663z+VwaZDVaDXqnT72wEJv7kCDQRcN/VvARAAoEHIkyjF
|
||||||
QQUJB6PoMAIpwV0gBBkBAgAGBQJcLEQRAAoJECPnFmeItj4egdIP/3D4rN79jOl7
|
DsfoCxA/b2qNjz+l8OI2WhAMdqxReg7JN9R61qbetj9RYIcWswPSO84c0ioRUk+x
|
||||||
wG1aDNxiDF57FY9VgB7sAP42u1H2SffpFfz4jC5AG1tHwY9P8tDt0ctdlVUBl4Qv
|
JavEFh/6Lg00QKwJKPf0kd1Us6SfqklxGczOaWNLyiM7JthFRNMp0qVX6NjLqGoC
|
||||||
laOI+gvKsBT+Dl2uhLMR17r1jCM7QWl9Smr+td2lwbcaerU67ndBRVIeLA3NUURG
|
NO+d/+nNk6s2x4rLECj/EROmE3ZQQEo5nBXmPlhXpVem23rGfXEQvXDNqFmvqrP+
|
||||||
97TK+suXLxSYJ63VnF9YLJejg3IFgRjXOmV+x+4+PITEeipjXmaHFu6fFvgYA0Ca
|
Befn/+aDpo89QIm3sE8G0LfgcajIdSfgLH+NJTvOVAtXXVXJPK39Njr1aBzWTbWh
|
||||||
l2MFTS9eajh81QIdHVrBSxPYMAU5gwmNN8fWq8UjQxgl8sbehO+y2zVSKEkZRG5L
|
LS2bji7DwP7hshdh7DE2rS623vlzvkkrms8oKkiRpKATdhQ8CEx+mhTFKCj6GtNq
|
||||||
4uo995xG7hESAmJegpbV0AsolSo4XiXCzI24L+fmywr9s33if1sjpjhiqR0bvpQV
|
hwttCbf98N9GpiHD0has65YtgQQjk2pLR62rZf6czagRfKbFQzXjl2JxS/bsHVhT
|
||||||
dRr5YkcVG5VZZo1j4WDwWVxsoyCNek6q/opURHGRVvkk3HG61XLe+SVi28cJRJos
|
khyJFqgDcHCSXe7K8uGTAE2AkakGhGyDJYqGVSl0w5IAU8dqDQMc0IpsVMbFk4nX
|
||||||
fltR8EkQkfih8dwrq+GTzDgZT7BYpTjrDWu0TlAeere879tRH9wXnmgnfXOJMzRj
|
4GgOwixwrzrgCh0jRi+EwUHJYZHBAyzNCkr++D25R0gwNhPMjSKe8Ks6G3hH3XP/
|
||||||
fHdYnBKkl6Flj6oEk9C2T7WcqlmVZ1qxwoVR364qMYUp8PDt8GNQNhkmoYgkr747
|
ZVlceW/gPfxRixUTk/q7s3xPpPhLMREEpKS1aGcmYxEkrkVBDAzNYKdKP1MYwLn4
|
||||||
znhKCclNtWTMOgFchwoer+NqGGnQXxoBcDaOTgjITcTcvwnFKwUg6si1UzOUJTbE
|
lh4yNFXWlTClnDyI6UODTHwt8xDddtnT9u+U+xc6OJiYcCOstl+ovS9HmM/Kt9VT
|
||||||
++WLO5Bx53PiZPsceCaYsjQs+S83D4ZcKapyUHIyXWNYQ4Su+Tq5o/zXwjHmfINW
|
EX9cckEEL1IS+9esQMr4b5X02Y1q9Q2uEucAEQEAAYkEWwQYAQgAJgIbAhYhBHLs
|
||||||
lT1+MRKvADMmWIWef5ZjPtd0Xb/GVuhSCRAWRrAbhuUDEMTLEACyFHe0SPm4rMMA
|
9GpWtK05yQe7txZGsBuG5QMQBQJjz3uOBQkNOyCfAinBXSAEGQECAAYFAlw39W8A
|
||||||
E6dyadTJP8wRoI2epQciRqitIhANhmJ244WyqPWV3tDTgH/TaWPV7DerL6d2jOnw
|
CgkQT3dnk2lHW6p0eg/+K2JJu1RbTSLJPFYQhLcxX+5d2unkuNLIy3kArtZuB992
|
||||||
mdfT5JeXkWrGf5Gxwz619UFx/S4VpPOQf4eJb1Z9WaOdQ87A9+BwwO8d+2XROhMm
|
E2Fw00okPGtuPdSyk2ygh4DeYnwmabIWChi7LDp+YnqcI4GfMxNG6RsHs+A/77rL
|
||||||
iAetVo6jhvil0xR5t9HYg/uUSUu+tlHXlwPjdlYHUwUnt8HftoefWLXJj8ADHir1
|
BST3BB1sejZppmKCQZDSC2pvYaZBpS80UvftCZ9RFdY+kTC22Btn/5ekiQOfIqhU
|
||||||
slw7jjFR/INE2dWqk6Lx2Ala+3yHN7/vpfOYvY4EyTvIeyLSoVn0fzUrsIv3HQSR
|
H9CyGWS/YlGciomVIVn1hSPN8l4EpBCDtceRaephvzjQIZT3AxOfSlpwJviYjAOk
|
||||||
WogO3MykjkiMjNbhdH8CXbEiQ1MiFKsugyi0kY6HOIe3//+cZ4xXlQLsLRnV3xm9
|
SX4qWyIjC5Ke5kfEOldUuBN1JGAm45tKlrz/LD/+VOc2IWpbkOIAVSldUgpRyiIJ
|
||||||
e/xGOte4M8o05JaUCrcsCmubOnqUIaZmDF9bITHI7bhkxLkvXopoxx4UodiL4PPG
|
QAZ80trNxrJI7ncaID8lAa7pBptJiL0KorRjk3c6Y7p830Nwe0J5e5+W1RzN4wlR
|
||||||
OarAdRD2Y73eI7W6QhqZt8267tsLx4qe0q8/pCr7gX60E9hOSx2NszyS0FPME2CI
|
8+9uuRyP8Mcwz/Hz2jwMiv38Vk4tAOe4PYNZuDnpjZ28yCpF3UUgvzjarubFAcg2
|
||||||
4vxVR+GxS8gzp5hFQ8OUaSC9a6eb4YI66bDhkRog0GrMagX3JJI2172blRyp8Fe7
|
jd8SauCQFlmOfvT+1qIMSeLmWBOdlzJTUpJRcZqnkEE4WtiMSlxyWVFvUwOmKSGi
|
||||||
DAEUOb/xCcaKdv6waT+pqtrOaxDArDVRPVVqDlr1fY0lJis92ycBk4Gs8pAYiMEZ
|
8CLoGW1Ksh9thQ9zKhvVUiVoKn4Z79HXr4pX6rnp+mweJ2dEZtlqD7HxjVTlCHn9
|
||||||
lGUoh5MouBEPP7HtfZTMlsQm8J5hq3cJ+AxUPSbGTWUCql7hGpT4S97mpyATuLnW
|
fzClt/Nt0h721fJbS587AC/ZMgg5GV+GKu6Mij0sPAowUJVCIwN9uK/GHICZEAoM
|
||||||
qLZmBgDHhpHEmUQmONKSSpzSjjAS6LkCDQRcN/VvARAAoEHIkyjFDsfoCxA/b2qN
|
SngP8xzKnhU5FD38vwBvsqbKxTtICrv2NuwnQ0WBBQ58w5mv2RCMr2W6iegSKIAJ
|
||||||
jz+l8OI2WhAMdqxReg7JN9R61qbetj9RYIcWswPSO84c0ioRUk+xJavEFh/6Lg00
|
EBZGsBuG5QMQ0SIQAMFN0FlUSP5TiKrTFMj79TcCLDeAvk8+h7nNj/dlgDpRl4kp
|
||||||
QKwJKPf0kd1Us6SfqklxGczOaWNLyiM7JthFRNMp0qVX6NjLqGoCNO+d/+nNk6s2
|
r+XO/a0VTwK8XVszNA43FDuT0WORPG73LYlgJi5gdLeWoXaEnW1f+ZyR2uc8/UNu
|
||||||
x4rLECj/EROmE3ZQQEo5nBXmPlhXpVem23rGfXEQvXDNqFmvqrP+Befn/+aDpo89
|
8nwv2dPLefLbhrWpkQbcriOt5FHL61Z8CqYa67vm2Lkr1yD+y3XFAuB2j3hbB1pF
|
||||||
QIm3sE8G0LfgcajIdSfgLH+NJTvOVAtXXVXJPK39Njr1aBzWTbWhLS2bji7DwP7h
|
xmc3wvkY+ZMA3fMb+ZbAlV9ylNn4MWzK2Z1hzC0G33Ym6z8SbqljvTn0ABS8BI0g
|
||||||
shdh7DE2rS623vlzvkkrms8oKkiRpKATdhQ8CEx+mhTFKCj6GtNqhwttCbf98N9G
|
cJaPtSV7+rq+a/YOCBudSY1qBLCHGvpkByispqKjguS/95+37zcqEbTCTX9S5XmS
|
||||||
piHD0has65YtgQQjk2pLR62rZf6czagRfKbFQzXjl2JxS/bsHVhTkhyJFqgDcHCS
|
lsKFY08+6rq7yu8ptLkbg/RuXLzAvn6g56zFQlPeR+BIrKeCbWRu9hx4kSS6uN22
|
||||||
Xe7K8uGTAE2AkakGhGyDJYqGVSl0w5IAU8dqDQMc0IpsVMbFk4nX4GgOwixwrzrg
|
MgYgv7l9ohNTzRxnugHnnerdyElDge50AQeFR43bdHEhvyumPLjaJ2WbSHtxRkLw
|
||||||
Ch0jRi+EwUHJYZHBAyzNCkr++D25R0gwNhPMjSKe8Ks6G3hH3XP/ZVlceW/gPfxR
|
HcXOlx6lL/i2DJeLMaCshITV6TfvubVYG8djMUogWiXK0T74oocPSs00HDNs7OPy
|
||||||
ixUTk/q7s3xPpPhLMREEpKS1aGcmYxEkrkVBDAzNYKdKP1MYwLn4lh4yNFXWlTCl
|
9W44ZAFknGvoaTOEYxNgSI84yUf2304IhP+U9pYcRnJwJM4pOzcXZxPibrQf2Ex9
|
||||||
nDyI6UODTHwt8xDddtnT9u+U+xc6OJiYcCOstl+ovS9HmM/Kt9VTEX9cckEEL1IS
|
XZXRkb9jkfYMvs0XBnCTUnSl5WVVlNHo2oUC2/mwuc321M6ucf7uDwN6FdPQVlJh
|
||||||
+9esQMr4b5X02Y1q9Q2uEucAEQEAAYkEWwQYAQgAJgIbAhYhBHLs9GpWtK05yQe7
|
1qXVLvbNiyYug0lvwXsyfwu6IX+wl+kAP5NrRYuX8H+L0eauTGrRsld7OZ3H
|
||||||
txZGsBuG5QMQBQJgDcVSBQkHmDbjAinBXSAEGQECAAYFAlw39W8ACgkQT3dnk2lH
|
=e4wy
|
||||||
W6p0eg/+K2JJu1RbTSLJPFYQhLcxX+5d2unkuNLIy3kArtZuB992E2Fw00okPGtu
|
|
||||||
PdSyk2ygh4DeYnwmabIWChi7LDp+YnqcI4GfMxNG6RsHs+A/77rLBST3BB1sejZp
|
|
||||||
pmKCQZDSC2pvYaZBpS80UvftCZ9RFdY+kTC22Btn/5ekiQOfIqhUH9CyGWS/YlGc
|
|
||||||
iomVIVn1hSPN8l4EpBCDtceRaephvzjQIZT3AxOfSlpwJviYjAOkSX4qWyIjC5Ke
|
|
||||||
5kfEOldUuBN1JGAm45tKlrz/LD/+VOc2IWpbkOIAVSldUgpRyiIJQAZ80trNxrJI
|
|
||||||
7ncaID8lAa7pBptJiL0KorRjk3c6Y7p830Nwe0J5e5+W1RzN4wlR8+9uuRyP8Mcw
|
|
||||||
z/Hz2jwMiv38Vk4tAOe4PYNZuDnpjZ28yCpF3UUgvzjarubFAcg2jd8SauCQFlmO
|
|
||||||
fvT+1qIMSeLmWBOdlzJTUpJRcZqnkEE4WtiMSlxyWVFvUwOmKSGi8CLoGW1Ksh9t
|
|
||||||
hQ9zKhvVUiVoKn4Z79HXr4pX6rnp+mweJ2dEZtlqD7HxjVTlCHn9fzClt/Nt0h72
|
|
||||||
1fJbS587AC/ZMgg5GV+GKu6Mij0sPAowUJVCIwN9uK/GHICZEAoMSngP8xzKnhU5
|
|
||||||
FD38vwBvsqbKxTtICrv2NuwnQ0WBBQ58w5mv2RCMr2W6iegSKIAJEBZGsBuG5QMQ
|
|
||||||
U8oQAMjiPEOFmgRcuhvhlzXT53d/1b8sfG4MV9c45xKE65L+kPoSGzvNWYumB2Kw
|
|
||||||
Qzf8tWu+6PmOljj1Ofyilqm3bblOasHWgDGPTSOcBaVhl8nZrS3o2fzZy7aQKYE3
|
|
||||||
gQBZ6+jzhHQzrnQURpR+s/mdSO3+Gs+6kBmh9dkIQ8U1cfaAbZgy17BipPZkpwjr
|
|
||||||
ltTcDyJniQyEm7L6yV6MWt2TiFUA5IvyH+hTSKrLHnR7+lYDEo28wV8f8UcLrUpQ
|
|
||||||
joiCOWZeNCubaIxHHoGtCE+zkhSsuW9lGSX0rzQlmx1vclrYwyMKhlpDOqy8kzdI
|
|
||||||
Ws7VF3vCXRi6fWSA7apRtQQ7PbuZOOyYTaEkEuJ5CfWhFGy3eikiXilPk05ECZd3
|
|
||||||
/uMB1dmPFKT+MbUDCA/b8amfkNTLg+RFNX+5isMLkrJ+8k13ueTp/PToGMIkYsbR
|
|
||||||
+HRm0HmrdqGFPl7o+0xXUT4wGbQD8QfK81lzH1QQhsu+12OsFt+jQC3IDYiXOUBk
|
|
||||||
zgkwMlt8C0vU0i/EElpqx/0n19iHv7XvPn5q0MdNBS5pW+DOho0D+z+NM9MWpYUu
|
|
||||||
ymC/28jo8Olju+9DZuZwEUEbptmltcA8UQ5r4FHx4m3sfCmCs1QUeb8TPNL0x8OA
|
|
||||||
XnADXbxMgGYTNX7YvdUw3a8M73stqnN9M8lUXln7ulOCee2z
|
|
||||||
=IgpF
|
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -89,13 +89,13 @@
|
||||||
stat:
|
stat:
|
||||||
path: "/etc/default/minifirewall"
|
path: "/etc/default/minifirewall"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: false
|
changed_when: False
|
||||||
register: minifirewall_config
|
register: minifirewall_config
|
||||||
|
|
||||||
- name: Retrieve the default interface
|
- name: Retrieve the default interface
|
||||||
shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2"
|
shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: false
|
changed_when: False
|
||||||
register: minifirewall_int
|
register: minifirewall_int
|
||||||
when: minifirewall_config.stat.exists
|
when: minifirewall_config.stat.exists
|
||||||
|
|
||||||
|
@ -176,7 +176,7 @@
|
||||||
stat:
|
stat:
|
||||||
path: "/etc/nagios/nrpe.d/evolix.cfg"
|
path: "/etc/nagios/nrpe.d/evolix.cfg"
|
||||||
check_mode: no
|
check_mode: no
|
||||||
changed_when: false
|
changed_when: False
|
||||||
register: nrpe_evolix_config
|
register: nrpe_evolix_config
|
||||||
|
|
||||||
- name: Install NRPE check dependencies
|
- name: Install NRPE check dependencies
|
||||||
|
|
|
@ -132,7 +132,7 @@
|
||||||
|
|
||||||
- name: Configure NRPE OpenVPN check
|
- name: Configure NRPE OpenVPN check
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "/etc/nrpe.d/zzz_evolix.cfg"
|
dest: "/etc/nrpe.d/evolix.cfg"
|
||||||
regexp: '^command\[check_openvpn\]='
|
regexp: '^command\[check_openvpn\]='
|
||||||
line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
|
line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
|
||||||
create: yes
|
create: yes
|
||||||
|
|
|
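Review bot: This `lineinfile` task writes `{{ management_pwd }}` into the NRPE configuration with `create: yes` but no `mode`, `owner` or `group` in the visible lines. A newly created file therefore gets default umask permissions, and the OpenVPN management password may be readable by any local user. Consider adding `mode: "0640"` with `owner: root` and the NRPE daemon's group, plus `no_log: true` so the rendered line does not appear in Ansible output. The task may continue below the hunk, so check that these are not already set there.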
@ -9,5 +9,5 @@ nobind
|
||||||
persist-key
|
persist-key
|
||||||
persist-tun
|
persist-tun
|
||||||
|
|
||||||
cipher AES-256-CBC
|
cipher AES-256-GCM
|
||||||
|
|
||||||
|
|
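Review bot: The client now pins `cipher AES-256-GCM` with nothing in the file saying what that depends on. AEAD data-channel ciphers need OpenVPN 2.4 or later on both peers, and the matching server-side setting is not visible in this hunk. A comment above the directive such as `# AES-256-GCM (AEAD) requires OpenVPN >= 2.4 on client and server` would document the constraint. The file continues outside the hunk.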