
Merge pull request 'Release 10.0.0' (#100) from unstable into stable

stable
Jérémy Lecour 2 weeks ago
parent
commit
3a26f18201
100 changed files with 2311 additions and 747 deletions
  1. +1
    -0
      .gitignore
  2. +112
    -0
      CHANGELOG.md
  3. +3
    -4
      amavis/tasks/main.yml
  4. +1
    -1
      amazon-ec2/README
  5. +4
    -4
      amazon-ec2/amazon-ec2-evolinux.yml
  6. +7
    -3
      apache/files/save_apache_status.sh
  7. +13
    -15
      apache/tasks/main.yml
  8. +6
    -8
      apache/tasks/munin.yml
  9. +10
    -0
      apache/templates/evolinux-default.conf.j2
  10. +3
    -0
      apt/files/buster_backports_preferences
  11. +1
    -1
      apt/tasks/backports.yml
  12. +3
    -1
      apt/tasks/basics.yml
  13. +1
    -1
      apt/tasks/evolix_public.yml
  14. +28
    -8
      apt/tasks/hold_packages.yml
  15. +1
    -1
      apt/tasks/main.yml
  16. +3
    -1
      bind/defaults/main.yml
  17. +23
    -24
      bind/tasks/main.yml
  18. +21
    -4
      bind/tasks/munin.yml
  19. +5
    -1
      bind/templates/logrotate_bind.j2
  20. +0
    -10
      bind/templates/logrotate_bind_chroot.j2
  21. +5
    -2
      bind/templates/munin-env_bind9.j2
  22. +4
    -4
      bind/templates/named.conf.options_authoritative.j2
  23. +14
    -6
      bind/templates/named.conf.options_recursive.j2
  24. +3
    -0
      certbot/defaults/main.yml
  25. +11
    -0
      certbot/files/cron_jessie
  26. +44
    -0
      certbot/files/hooks/apache.sh
  27. +44
    -0
      certbot/files/hooks/dovecot.sh
  28. +75
    -0
      certbot/files/hooks/haproxy.sh
  29. +44
    -0
      certbot/files/hooks/nginx.sh
  30. +44
    -0
      certbot/files/hooks/postfix.sh
  31. +37
    -0
      certbot/files/hooks/z-commit-etc.sh
  32. +23
    -0
      certbot/handlers/main.yml
  33. +51
    -0
      certbot/tasks/acme-challenge.yml
  34. +6
    -0
      certbot/tasks/install-package.yml
  35. +35
    -0
      certbot/tasks/install-sources.yml
  36. +44
    -0
      certbot/tasks/main.yml
  37. +12
    -0
      certbot/templates/acme-challenge/apache.conf.j2
  38. +5
    -0
      certbot/templates/acme-challenge/nginx.conf.j2
  39. +1
    -1
      clamav/meta/main.yml
  40. +13
    -15
      clamav/tasks/main.yml
  41. +2
    -2
      docker-host/tasks/jessie_backports.yml
  42. +11
    -14
      docker-host/tasks/main.yml
  43. +13
    -14
      dovecot/tasks/main.yml
  44. +7
    -6
      dovecot/tasks/munin.yml
  45. +1
    -1
      drbd/tasks/nagios.yml
  46. +3
    -4
      drbd/tasks/packages.yml
  47. +1
    -1
      elasticsearch/README.md
  48. +1
    -1
      elasticsearch/defaults/main.yml
  49. +1
    -1
      elasticsearch/meta/main.yml
  50. +2
    -2
      elasticsearch/tasks/additional_scripts.yml
  51. +31
    -29
      elasticsearch/tasks/datadir.yml
  52. +7
    -0
      elasticsearch/tasks/logs.yml
  53. +21
    -20
      elasticsearch/tasks/plugin_head.yml
  54. +44
    -43
      elasticsearch/tasks/tmpdir.yml
  55. +2
    -2
      etc-git/README.md
  56. +4
    -2
      etc-git/tasks/commit.yml
  57. +29
    -71
      etc-git/tasks/main.yml
  58. +73
    -0
      etc-git/tasks/repository.yml
  59. +4
    -5
      evoacme/README.md
  60. +31
    -12
      evoacme/files/evoacme.sh
  61. +2
    -0
      evoacme/files/hooks/reload_apache
  62. +3
    -0
      evoacme/files/hooks/reload_dovecot
  63. +2
    -0
      evoacme/files/hooks/reload_nginx
  64. +3
    -0
      evoacme/files/hooks/reload_postfix
  65. +51
    -24
      evoacme/files/make-csr.sh
  66. +42
    -18
      evoacme/files/vhost-domains.sh
  67. +15
    -14
      evoacme/tasks/certbot.yml
  68. +1
    -1
      evoacme/tasks/main.yml
  69. +1
    -1
      evoacme/templates/nginx.conf.j2
  70. +23
    -0
      evobackup-client/README.md
  71. +15
    -0
      evobackup-client/defaults/main.yml
  72. +16
    -0
      evobackup-client/handlers/main.yml
  73. +57
    -0
      evobackup-client/tasks/jail.yml
  74. +26
    -0
      evobackup-client/tasks/main.yml
  75. +22
    -0
      evobackup-client/tasks/open_ssh_ports.yml
  76. +31
    -0
      evobackup-client/tasks/ssh_key.yml
  77. +16
    -0
      evobackup-client/tasks/upload_scripts.yml
  78. +11
    -0
      evobackup-client/tasks/verify_ssh.yml
  79. +305
    -0
      evobackup-client/templates/zzz_evobackup.default.sh.j2
  80. +1
    -1
      evocheck/README.md
  81. +325
    -167
      evocheck/files/evocheck.sh
  82. +8
    -0
      evocheck/tasks/cron.yml
  83. +2
    -2
      evocheck/tasks/install_local.yml
  84. +3
    -2
      evocheck/templates/crontab.j2
  85. +11
    -1
      evolinux-base/defaults/main.yml
  86. +3
    -0
      evolinux-base/files/deny.sh
  87. +19
    -0
      evolinux-base/files/hpePublicKey2048_key1.pub
  88. +18
    -18
      evolinux-base/tasks/default_www.yml
  89. +1
    -1
      evolinux-base/tasks/etc-evolinux.yml
  90. +11
    -0
      evolinux-base/tasks/fstab.yml
  91. +69
    -50
      evolinux-base/tasks/hardware.yml
  92. +6
    -0
      evolinux-base/tasks/logs.yml
  93. +19
    -12
      evolinux-base/tasks/main.yml
  94. +70
    -62
      evolinux-base/tasks/packages.yml
  95. +8
    -10
      evolinux-base/tasks/postfix.yml
  96. +7
    -1
      evolinux-base/tasks/root.yml
  97. +5
    -5
      evolinux-base/tasks/ssh.yml
  98. +28
    -10
      evolinux-base/tasks/system.yml
  99. +1
    -1
      evolinux-base/templates/hardware/cciss-vol-statusd.j2
  100. +5
    -1
      evolinux-base/templates/logs/zsyslog.j2

+ 1
- 0
.gitignore View File

@@ -1,3 +1,4 @@
.kitchen/
.kateproject.d
.vagrant/
*.swp

+ 112
- 0
CHANGELOG.md View File

@@ -16,8 +16,120 @@ The **patch** part changes incrementally at each release.

### Fixed

### Removed

### Security

## [10.0.0] - 2020-05-13

### Added
* apache: the default VHost doesn't redirect to https for ".well-known" paths
* apt: added buster backports prerferences
* apt: check if cron is installed before adding a cron job
* apt: remove jessie/buster sources from Gandi servers
* apt: verify that /etc/evolinux is present
* certbot : new role to install and configure certbot
* etc-git: add versioning for /usr/share/scripts on Debian 10+
* evoacme: upstream version 19.11
* evolinux-base: default value for "evolinux_ssh_group"
* evolinux-base: install /sbin/deny
* evolinux-base: install Evocheck (default: `True`)
* evolinux-base: on debian 10 and later, add noexec on /dev/shm
* evolinux-base: on debian 10 and later, add /usr/share/scripts in root's PATH
* evolinux-base: remove the chrony package
* evomaintenance: don't configure firewall for database if not necessary
* generate-ldif: support MariaDB 10.3
* haproxy: add a variable to keep the existing configuration
* java: add Java 11 as possible version to install
* listupgrade: install old-kernel-autoremoval script
* minifirewall: add a variable to force the check scripts update
* mongodb: mongodb: compatibility with Debian 10
* mysql-oracle: backport tasks from mysql role
* mysql: activate binary logs by specifying log_bin path
* mysql: specify a custom server_id
* networkd-to-ifconfig: add variables for configuration by variables
* packweb-apache: Deploy opcache.php to give some insights on PHP's opcache status
* php: variable to install the mysqlnd module instead of the default mysql module
* postgresql : variable to install PostGIS (default: `False`)
* redis: rewrite of the role (separate instances, better systemd units…)
* webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist
* webapps/evoadmin-web Overload templates if needed
* evolinux-base: install ssacli for HP Smart Array
* evobackup-client role to configure a machine for backups with bkctld(8)
* bind: enable query logging for recursive resolvers
* bind: enable logrotate for recursive resolvers
* bind: enable bind9 munin plugin for recursive resolvers

### Changed
* replace version_compare() with version()s
* removed some deprecations for Ansible 2.7
* apache: improve permissions in save_apache_status script
* apt: hold packages only if package is installed
* bind: the munin task was present, but not included
* bind: change name of logrotate file to bind9
* certbot: commit hook must be executed at the end
* elasticsearch: listen on local interface only by default
* evocheck: upstream version 20.04.4
* evocheck: cron jobs execute in verbose
* evolinux-base: use "evolinux_internal_group" for SSH authentication
* evolinux-base: Don't customize the logcheck recipient by default.
* evolinux-base: configure cciss-vol-statusd in the proper file
* evomaintenance: upstream release 0.6.3
* evomaintenance: Turn on API by default (instead of DB)
* evomaintenance: install PG dependencies only when needed
* listupgrade: update from upstream
* lxc: rely on lxc_container module instead of command module
* lxc: remove useless loop in apt execution
* lxc: update our default template to be compatible with Debian 10
* lxc-php: refactor tasks for better maintainability
* lxc-php: Use OpenSMTPD for Stretch/Buster containers, and ssmtp for Jessie containers
* lxc-solr: changed default Solr version to 8.4.1
* minifirewall: better alert5 activation
* minifirewall: no http filtering by default
* minifirewall: /bin/true command doesn't report "changed" anymore
* nagios-nrpe: update check_redis_instances (same as redis role)
* nagios-nrpe: change default haproxy socket path
* nagios-nrpe: check_mode per cpu dynamically
* nodejs: change default version to 12 (new LTS)
* packweb-apache: Do the install & conffigure phpContainer script (instead of evoadmin-web role)
* php: By default, allow 128M for OpCache (instead of 64M)
* php: Don't set a chroot for the default fpm pool
* php: Make sure the default pool we define can be fully functionnal witout debian's default pool file
* php: Change the default pool names to something more explicit (and same for the variables names)
* php: Add a task to remove Debian's default FPM pool file (off by default)
* php: Cleanup CLI Settings. Also, allow url fopen and don't disable functions (in CLI only)
* postgresql : changed logrotate config to 10 days (and fixed permissions)
* rbenv: changed default Ruby version to 2.7.0
* squid: Remove wait time when we turn off squid
* squid: compatibility wit Debian 10
* tomcat: package version derived from Debian version if missing
* varnish: remove custom ExecReload= script for Debian 10+

### Fixed
* etc-git: fix warnings ansible-lint
* evoadmin-web: Put the php config at the right place for Buster
* lxc: Don't stop the container if it already exists
* lxc: Fix container existance check to be able to run in check_mode
* lxc-php: Don't remove the default pool
* minifirewall: fix warnings ansible-lint
* nginx: fix munin fcgi not working (missing chmod 660 on logs)
* php: add missing handler for php7.3-fpm
* roundcube: fix typo for roundcube vhost
* tomcat: fix typo for default tomcat_version
* evolinux-base: Fix our zsyslog rotate config that doesn't work on Debian 10
* certbot: Properly evaluate when apache is installed
* evolinux-base: Don't make alert5.service executable as systemd will complain
* webapps/evoadmin-web: Set default evoadmin_mail_tpl_force to True to fix a regression where the mail template would not get updated because the file is created before the role is first run.
* minifirewall: Backport changes from minifirewall (properly open outgoing smtp(s))
* minifirewall: Properly detect alert5.sh to turn on firewall at boot
* packweb-apache: Add missing dependency to evoacme role
* php: Chose the debian version repo archive for packages.sury.org
* php: update surry_post.yml to match current latest PHP release
* packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available

### Removed
* clamav : do not install the zoo package anymore

## [9.10.1] - 2019-06-21

### Changed


+ 3
- 4
amavis/tasks/main.yml View File

@@ -1,11 +1,10 @@
---
- name: install Amavis
apt:
name: "{{ item }}"
name:
- postgrey
- amavisd-new
state: present
with_items:
- postgrey
- amavisd-new
tags:
- amavis



+ 1
- 1
amazon-ec2/README View File

@@ -52,7 +52,7 @@ In your main evolinux playbook put this play before Evolinux one:

tasks:
- include_role:
name: amazon-ec2
name: evolix/amazon-ec2
tasks_from: create-instance.yml
```



+ 4
- 4
amazon-ec2/amazon-ec2-evolinux.yml View File

@@ -10,10 +10,10 @@

tasks:
- include_role:
name: amazon-ec2
name: evolix/amazon-ec2
tasks_from: setup.yml
- include_role:
name: amazon-ec2
name: evolix/amazon-ec2
tasks_from: create-instance.yml

- name: Install Evolinux
@@ -52,11 +52,11 @@

post_tasks:
- include_role:
name: etc-git
name: evolix/etc-git
tasks_from: commit.yml
vars:
commit_message: "Ansible post-run Evolinux playbook"

- include_role:
name: evocheck
name: evolix/evocheck
tasks_from: exec.yml

+ 7
- 3
apache/files/save_apache_status.sh View File

@@ -7,11 +7,15 @@ URL="http://127.0.0.1/server-status"
TS=`date +%Y%m%d%H%M%S`
FILE="${DIR}/${TS}.html"

mkdir -p "${DIR}"

wget -q -O "${FILE}" "${URL}"
if [ ! -d "${DIR}" ]; then
mkdir -p "${DIR}"
chown root:adm "${DIR}"
chmod 750 "${DIR}"
fi

wget -q -U "save_apache_status" -O "${FILE}" "${URL}"
chmod 640 "${FILE}"
chown root:adm "${FILE}"

find "${DIR}" -type f -mtime +1 -delete
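Review bot: The status page is written to `${FILE}` by `wget` before its mode is tightened, so between the fetch and the `chmod 640` the file exists with the caller's umask (0644 on most hosts) and the server-status dump — client IPs and request URIs — is briefly world-readable; an `umask 027` at the top of the script closes that window and turns the later `chmod`/`chown` into a belt-and-braces step rather than the only protection. The `chmod`/`chown` pair is also applied even when `wget` fails, which leaves an empty timestamped file behind; `wget -q -U "save_apache_status" -O "${FILE}" "${URL}" || { rm -f "${FILE}"; exit 1; }` keeps the directory clean and surfaces the failure to cron. The `DIR`/`URL` assignments this hunk relies on are above the hunk and not visible here.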



+ 13
- 15
apache/tasks/main.yml View File

@@ -2,28 +2,26 @@

- name: packages are installed (Debian 9 or later)
apt:
name: '{{ item }}'
name:
- apache2
- libapache2-mpm-itk
- libapache2-mod-evasive
- apachetop
- libwww-perl
state: present
with_items:
- apache2
- libapache2-mpm-itk
- libapache2-mod-evasive
- apachetop
- libwww-perl
tags:
- apache
- packages
when: ansible_distribution_major_version | version_compare('9', '>=')
when: ansible_distribution_major_version is version('9', '>=')

- name: packages are installed (jessie)
apt:
name: '{{ item }}'
name:
- apache2-mpm-itk
- libapache2-mod-evasive
- apachetop
- libwww-perl
state: present
with_items:
- apache2-mpm-itk
- libapache2-mod-evasive
- apachetop
- libwww-perl
tags:
- apache
- packages
@@ -140,7 +138,7 @@
- apache

- include_role:
name: remount-usr
name: evolix/remount-usr
tags:
- apache



+ 6
- 8
apache/tasks/munin.yml View File

@@ -2,11 +2,10 @@

- name: "Install munin-node and core plugins packages"
apt:
name: "{{ item }}"
name:
- munin-node
- munin-plugins-core
state: present
with_items:
- munin-node
- munin-plugins-core
tags:
- apache
- munin
@@ -27,11 +26,10 @@

- name: "Install fcgi packages for Munin graphs"
apt:
name: "{{ item }}"
name:
- libapache2-mod-fcgid
- libcgi-fast-perl
state: present
with_items:
- libapache2-mod-fcgid
- libcgi-fast-perl
notify: reload apache
tags:
- apache


+ 10
- 0
apache/templates/evolinux-default.conf.j2 View File

@@ -43,6 +43,7 @@
RewriteEngine on
# Redirect to HTTPS, execpt for munin, because some plugins
# can't handle HTTPS! :(
RewriteCond %{REQUEST_URI} !^/.well-known.*$ [NC] [OR]
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
@@ -107,6 +108,15 @@
Require all denied
Include /etc/apache2/ipaddr_whitelist.conf
</Directory>
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
Options +ExecCGI
<IfModule mod_fcgid.c>
SetHandler fcgid-script
</IfModule>
Require all denied
Include /etc/apache2/ipaddr_whitelist.conf
</Location>

# BEGIN phpMyAdmin section
# END phpMyAdmin section
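Review bot: The new `.well-known` exception copies the existing `[NC] [OR]` form of the two lines below it, but RewriteCond takes a single flag bracket: as far as I recall mod_rewrite's argument parser stops after the third argument, so the trailing `[OR]` is silently discarded and the three negated conditions are ANDed — which is the only reading under which these exceptions work at all, since OR'ed negations would be true for every URI and redirect everything, ACME challenges included. Write the flags as they are actually evaluated and escape the dot: `RewriteCond %{REQUEST_URI} !^/\.well-known/ [NC]`, and do the same for the two lines that follow. After deploying, a plain-HTTP `curl -I /.well-known/acme-challenge/probe` is a cheap check that the exception really bypasses the permanent redirect.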


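--- a/apt/files/buster_backports_preferences
+++ b/apt/files/buster_backports_preferences
@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=buster-backports
+Pin-Priority: 50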
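Review bot: `Pin-Priority: 50` sits below the 100 threshold at which apt will replace an already-installed version, so a package deliberately installed with `-t buster-backports` is never moved to a newer backports build (including fixes) by a routine `apt upgrade`; Debian's own default for an archive flagged NotAutomatic/ButAutomaticUpgrades is 100, which does track those upgrades. If the stricter behaviour is intended, say so in the file so nobody assumes backports are kept current: `Explanation: backports are opt-in; at priority 50 (< 100) an installed backport is NOT auto-upgraded, re-run apt install -t buster-backports to update it`. Otherwise 100 is the safer value for hosts that actually use backports.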

+ 1
- 1
apt/tasks/backports.yml View File

@@ -40,6 +40,6 @@
- name: Apt update
apt:
update_cache: yes
when: apt_backports_list | changed or apt_backports_config | changed
when: apt_backports_list is changed or apt_backports_config is changed
tags:
- apt

+ 3
- 1
apt/tasks/basics.yml View File

@@ -16,7 +16,9 @@
state: absent
with_items:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-jessie.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-buster.list
- /etc/apt/sources.list.d/debian-update.list
when: apt_clean_gandi_sourceslist
tags:
@@ -25,6 +27,6 @@
- name: Apt update
apt:
update_cache: yes
when: apt_basic_list | changed
when: apt_basic_list is changed
tags:
- apt

+ 1
- 1
apt/tasks/evolix_public.yml View File

@@ -28,6 +28,6 @@
- name: Apt update
apt:
update_cache: yes
when: apt_evolix_public | changed
when: apt_evolix_public is changed
tags:
- apt

+ 28
- 8
apt/tasks/hold_packages.yml View File

@@ -1,10 +1,19 @@
---

- name: "hold packages (apt)"
shell: "(apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }}"
shell: "(dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
register: apt_mark
changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
with_items: "{{ apt_hold_packages }}"
changed_when: "item + ' set on hold.' in apt_mark.stdout"
failed_when: apt_mark.rc != 0 and not apt_mark.stdout == ''
loop: "{{ apt_hold_packages }}"
tags:
- apt

- name: "/etc/evolinux is present"
file:
dest: /etc/evolinux
mode: "0700"
state: directory
tags:
- apt

@@ -14,15 +23,16 @@
line: "{{ item }}"
create: True
state: present
with_items: "{{ apt_hold_packages }}"
loop: "{{ apt_hold_packages }}"
tags:
- apt

- name: "unhold packages (apt)"
shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
shell: "(dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }})"
register: apt_mark
changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
with_items: "{{ apt_unhold_packages }}"
changed_when: "'Canceled hold on' + item in apt_mark.stdout"
failed_when: apt_mark.rc != 0 and not apt_mark.stdout = ''
loop: "{{ apt_unhold_packages }}"
tags:
- apt

@@ -32,7 +42,7 @@
line: "{{ item }}"
create: True
state: absent
with_items: "{{ apt_unhold_packages }}"
loop: "{{ apt_unhold_packages }}"
tags:
- apt

@@ -55,6 +65,15 @@
tags:
- apt

- name: Check if Cron is installed
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron
changed_when: false
failed_when: false
check_mode: no
tags:
- apt

- name: Check for held packages (script)
cron:
cron_file: apt-hold-packages
@@ -67,5 +86,6 @@
day: "{{ apt_check_hold_cron_day }}"
month: "{{ apt_check_hold_cron_month }}"
state: "present"
when: is_cron.rc == 0
tags:
- apt
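Review bot: `failed_when: apt_mark.rc != 0 and not apt_mark.stdout = ''` in the unhold task uses a single `=`, which is not a Jinja comparison operator — the task fails with a template syntax error as soon as `apt_unhold_packages` is non-empty; the hold task above has the right form, so mirror it: `failed_when: apt_mark.rc != 0 and apt_mark.stdout != ''`. In the same task `changed_when: "'Canceled hold on' + item in apt_mark.stdout"` lacks the separating space: apt-mark prints `Canceled hold on <pkg>.`, so the concatenation never matches and the task always reports unchanged — use `"'Canceled hold on ' + item in apt_mark.stdout"`. Separately, `apt-mark showhold | grep --quiet {{ item }}` in both shell lines is a substring match, so holding `foo` is skipped when `foobar` is already on hold; `grep -qx -- "{{ item }}"` compares whole lines (and the quotes keep a stray character in a package name from reaching the shell).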

+ 1
- 1
apt/tasks/main.yml View File

@@ -4,7 +4,7 @@
fail:
msg: only compatible with Debian >= 8
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
- ansible_distribution != "Debian" or ansible_distribution_major_version is version('8', '<')
tags:
- apt



+ 3
- 1
bind/defaults/main.yml View File

@@ -2,8 +2,10 @@
bind_recursive_server: False
bind_authoritative_server: True
bind_chroot_set: True
bind_chroot_path: /var/chroot-bind
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
#bind_chroot_path: /var/chroot-bind
bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_statistics_file: /var/run/named.stats
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind

+ 23
- 24
bind/tasks/main.yml View File

@@ -1,10 +1,19 @@
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
- name: set chroot variables
set_fact:
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind
bind_statistics_file: /var/run/named.stats
bind_chroot_path: /var/chroot-bind
when: bind_chroot_set

- name: package are installed
apt:
name: '{{ item }}'
name:
- bind9
- dnstop
state: present
with_items:
- bind9
- dnstop

- name: Set bind configuration for recursive server
template:
@@ -49,23 +58,23 @@
- restart bind
when: ansible_distribution_release == "jessie"

- name: touch /var/log/bind.log if non chroot
- name: "touch {{ bind_log_file }} if non chroot"
file:
path: /var/log/bind.log
path: "{{ bind_log_file }}"
owner: bind
group: adm
mode: "0640"
state: touch
when: bind_chroot_set == False
when: not bind_chroot_set

- name: touch /var/log/bind_queries.log if non chroot
- name: "touch {{ bind_query_file }} if non chroot"
file:
path: /var/log/bind_queries.log
path: "{{ bind_query_file }}"
owner: bind
group: adm
mode: "0640"
state: touch
when: bind_authoritative_server and bind_chroot_set == False
when: not bind_chroot_set

- name: send chroot-bind.sh in /root
copy:
@@ -95,24 +104,14 @@
notify: restart bind
when: bind_chroot_set

- name: logrotate for non chroot bind
- name: logrotate for bind
template:
src: logrotate_bind
dest: /etc/logrotate.d/bind
src: logrotate_bind.j2
dest: /etc/logrotate.d/bind9
owner: root
group: root
mode: "0644"
force: yes
notify: restart bind
when: bind_chroot_set == False

- name: logrotate for chroot bind
template:
src: logrotate_bind_chroot.j2
dest: /etc/logrotate.d/bind
owner: root
group: root
mode: "0644"
force: yes
notify: restart bind
when: bind_chroot_set
- include: munin.yml
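Review bot: The logrotate stanza now lands in `/etc/logrotate.d/bind9`, but nothing removes the `/etc/logrotate.d/bind` this role wrote on hosts deployed before this release, so upgraded hosts end up with two files declaring the same log and logrotate complains about the duplicate entry and ignores one of the definitions. Add a task ahead of the template: `- name: legacy logrotate file is removed` / `file: { path: /etc/logrotate.d/bind, state: absent }`. Note also that both `touch` tasks now run on every non-chroot host whatever its role (the authoritative-only guard on the query log was dropped, consistent with query logging being enabled for recursive resolvers), and `state: touch` reports `changed` on every run; on Ansible 2.7+ `modification_time: preserve` and `access_time: preserve` keep the play idempotent. In the chroot case the files are created by chroot-bind.sh, which I can't see here.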

+ 21
- 4
bind/tasks/munin.yml View File

@@ -8,9 +8,8 @@
tags:
- bind
- munin
when: bind_authoritative_server

- name: Enable munin plugins
- name: Enable munin plugins for authoritative server
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
@@ -19,7 +18,25 @@
- bind9
- bind9_rndc
notify: restart munin-node
when: bind_authoritative_server and munin_node_plugins_config.stat.exists
when:
- bind_authoritative_server
- munin_node_plugins_config.stat.exists
tags:
- bind
- munin

- name: Enable munin plugins for recursive server
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
with_items:
- bind9
- bind9_rndc
notify: restart munin-node
when:
- bind_recursive_server
- munin_node_plugins_config.stat.exists
tags:
- bind
- munin
@@ -33,7 +50,7 @@
mode: "0644"
force: yes
notify: restart munin-node
when: bind_authoritative_server and munin_node_plugins_config.stat.exists
when: munin_node_plugins_config.stat.exists
tags:
- bind
- munin
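Review bot: `Enable munin plugins for authoritative server` and `Enable munin plugins for recursive server` are the same task (same src/dest/items/notify) behind different guards, which will drift the first time someone adds a plugin to one list and not the other; a single task with `when:` / `- bind_authoritative_server or bind_recursive_server` / `- munin_node_plugins_config.stat.exists` says it once. The `when: bind_authoritative_server` removed in the first hunk belongs to a task whose start is above this section, so I can't tell from here whether that task now runs unconditionally on hosts that are neither.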

bind/templates/logrotate_bind → bind/templates/logrotate_bind.j2 View File

@@ -1,4 +1,8 @@
/var/log/bind.log {
{% if bind_chroot_set %}
{{ bind_chroot_path }}{{bind_log_file}} {
{% else %}
{{bind_log_file}} {
{% endif %}
weekly
missingok
rotate 52

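--- a/bind/templates/logrotate_bind_chroot.j2
+++ b/bind/templates/logrotate_bind_chroot.j2
@@ -1,10 +0,0 @@
-{{ bind_chroot_path }}/var/log/bind.log {
-weekly
-missingok
-rotate 52
-create 640 bind bind
-sharedscripts
-postrotate
-rndc reload > /dev/null
-endscript
-}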

+ 5
- 2
bind/templates/munin-env_bind9.j2 View File

@@ -1,6 +1,9 @@
[bind*]
user root
env.logfile {{ bind_query_file }}
env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }}

env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
{% if bind_authoritative_server %}
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
{% endif %}
env.MUNIN_PLUGSTATE /var/lib/munin
timeout 120

+ 4
- 4
bind/templates/named.conf.options_authoritative.j2 View File

@@ -4,11 +4,11 @@ acl "foo" {
};

options {
directory "/var/cache/bind";
directory "{{ bind_cache_dir }}";
version "Bingo";
auth-nxdomain no;
masterfile-format text;
statistics-file "/var/run/named.stats";
statistics-file "{{ bind_statistics_file }}";

listen-on-v6 { any; };
listen-on { any; };
@@ -23,11 +23,11 @@ logging {
category queries { query_logging; };

channel default_file {
file "/var/log/bind.log";
file "{{ bind_log_file }}";
severity info;
};
channel query_logging {
file "/var/log/bind_queries.log" versions 2 size 128M;
file "{{ bind_query_file }}" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;


+ 14
- 6
bind/templates/named.conf.options_recursive.j2 View File

@@ -1,5 +1,5 @@
options {
directory "/var/cache/bind";
directory "{{ bind_cache_dir }}";
version "Bingo";
auth-nxdomain no;
listen-on-v6 { ::1; };
@@ -8,9 +8,17 @@ options {
};

logging {
category default { default_file; };
channel default_file {
file "/var/log/bind.log";
severity info;
};
category default { default_file; };
category queries { query_logging; };

channel default_file {
file "{{ bind_log_file }}";
severity info;
};
channel query_logging {
file "{{ bind_query_file }}" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
};
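Review bot: Enabling the `queries` category on a recursive resolver records every client's source address and looked-up names in `{{ bind_query_file }}`, which is personal data when the resolver serves other machines, and on a busy resolver query logging is also a measurable CPU and disk cost; the `versions 2 size 128M` clause bounds retention but nothing in the template says this is deliberate. A comment above the channel would help operators decide whether to keep it, e.g. `{# Query log (client IP + qname): privacy-relevant, capped by BIND itself at 2 x 128M, not by logrotate #}`. The role's touch task creates the file 0640 bind:adm in the non-chroot case, which is appropriate; in the chroot case the file comes from chroot-bind.sh, which I can't see here, so it is worth confirming it gets the same mode.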

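--- a/certbot/defaults/main.yml
+++ b/certbot/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+certbot_work_dir: /var/lib/letsencrypt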

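--- a/certbot/files/cron_jessie
+++ b/certbot/files/cron_jessie
@@ -0,0 +1,11 @@
+# /etc/cron.d/certbot: crontab entries for the certbot package
+#
+# Upstream recommends attempting renewal twice a day
+#
+# Eventually, this will be an opportunity to validate certificates
+# haven't been revoked, etc. Renewal will only occur if expiration
+# is within 30 days.
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew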
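Review bot: The renewal job passes `--no-self-update`, so the certbot-auto wrapper in `/usr/local/bin/certbot` (and the Python environment it bootstraps) never refreshes itself; that is a defensible choice for a script that would otherwise download and execute a new copy of itself as root twice a day, but it means the ACME client only changes when this role is re-run, and the header comment should say so, e.g. `# Self-update is disabled on purpose: the client is only upgraded by re-running the certbot Ansible role.`. The `test -x … &&` guard also turns a missing binary into a silent no-op rather than a cron error; if that is intended, note it on the same line.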

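--- a/certbot/files/hooks/apache.sh
+++ b/certbot/files/hooks/apache.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+error() {
+>&2 echo "${PROGNAME}: $1"
+exit 1
+}
+debug() {
+if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+>&2 echo "${PROGNAME}: $1"
+fi
+}
+daemon_found_and_running() {
+test -n "$(pidof apache2)" && test -n "${apache2ctl_bin}"
+}
+config_check() {
+${apache2ctl_bin} configtest > /dev/null 2>&1
+}
+letsencrypt_used() {
+grep -q -r -E "letsencrypt" /etc/apache2/
+}
+main() {
+if daemon_found_and_running; then
+if letsencrypt_used; then
+if config_check; then
+debug "Apache detected... reloading"
+systemctl reload apache2
+else
+error "Apache config is broken, you must fix it !"
+fi
+else
+debug "Apache doesn't use Let's Encrypt certificate. Skip."
+fi
+else
+debug "Apache is not running or missing. Skip."
+fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly apache2ctl_bin=$(command -v apache2ctl)
+
+main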
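Review bot: `letsencrypt_used` greps the whole of `/etc/apache2/`, so a disabled vhost in `sites-available`, a commented-out line or a `.dpkg-old` backup is enough to trigger a reload, whereas the nginx hook in the same change only looks at `sites-enabled`; `grep -q --dereference-recursive -E "letsencrypt" /etc/apache2/sites-enabled /etc/apache2/conf-enabled` matches the nginx hook and reflects what Apache actually loads. The script also has no header saying what it is; a two-line comment under the shebang — `# certbot deploy hook: run as root after a successful renewal, RENEWED_LINEAGE / RENEWED_DOMAINS in the environment; reloads Apache only when it serves a Let's Encrypt certificate` — would spare the next reader a trip to the role's tasks.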

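--- a/certbot/files/hooks/dovecot.sh
+++ b/certbot/files/hooks/dovecot.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+error() {
+>&2 echo "${PROGNAME}: $1"
+exit 1
+}
+debug() {
+if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+>&2 echo "${PROGNAME}: $1"
+fi
+}
+daemon_found_and_running() {
+test -n "$(pidof dovecot)" && test -n "${doveconf_bin}"
+}
+config_check() {
+${doveconf_bin} > /dev/null 2>&1
+}
+letsencrypt_used() {
+${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"
+}
+main() {
+if daemon_found_and_running; then
+if letsencrypt_used; then
+if config_check; then
+debug "Dovecot detected... reloading"
+systemctl reload dovecot
+else
+error "Dovecot config is broken, you must fix it !"
+fi
+else
+debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
+fi
+else
+debug "Dovecot is not running or missing. Skip."
+fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly doveconf_bin=$(command -v doveconf)
+
+main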
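Review bot: `config_check` is only reached after `letsencrypt_used` has already run `${doveconf_bin}` and grepped its output, so with a broken Dovecot configuration the script most likely takes the `doesn't use Let's Encrypt certificate` debug branch and exits 0 instead of the intended `config is broken` error; calling `config_check` before `letsencrypt_used` in `main` gives the error path a chance to fire, and capturing `doveconf` output once into a variable avoids dumping the configuration twice. A one-line header stating that this is a certbot deploy hook run as root after renewal would also help.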

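--- a/certbot/files/hooks/haproxy.sh
+++ b/certbot/files/hooks/haproxy.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+error() {
+>&2 echo "${PROGNAME}: $1"
+exit 1
+}
+debug() {
+if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+>&2 echo "${PROGNAME}: $1"
+fi
+}
+daemon_found_and_running() {
+test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
+}
+found_renewed_lineage() {
+test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
+}
+config_check() {
+${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1
+}
+concat_files() {
+# shellcheck disable=SC2174
+mkdir --mode=700 --parents "${haproxy_cert_dir}"
+chown root: "${haproxy_cert_dir}"
+
+debug "Concatenating certificate files to ${haproxy_cert_file}"
+cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
+chmod 600 "${haproxy_cert_file}"
+chown root: "${haproxy_cert_file}"
+}
+cert_and_key_mismatch() {
+haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
+haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
+
+test "${haproxy_cert_md5}" != "${haproxy_key_md5}"
+}
+main() {
+if [ -z "${RENEWED_LINEAGE}" ]; then
+error "This script must be called only by certbot!"
+fi
+
+if daemon_found_and_running; then
+if found_renewed_lineage; then
+haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
+failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
+
+concat_files
+
+if cert_and_key_mismatch; then
+mv "${haproxy_cert_file}" "${failed_cert_file}"
+error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
+fi
+
+if config_check; then
+debug "HAProxy detected... reloading"
+systemctl reload haproxy
+else
+error "HAProxy config is broken, you must fix it !"
+fi
+else
+error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
+fi
+else
+debug "HAProxy is not running or missing. Skip."
+fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly haproxy_bin=$(command -v haproxy)
+readonly haproxy_cert_dir="/etc/ssl/haproxy"
+
+main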
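Review bot: `cert_and_key_mismatch` compares RSA moduli (`openssl x509 -modulus` against `openssl rsa -modulus`), so for an ECDSA lineage `openssl rsa` fails, the two digests differ, and every renewal moves a perfectly valid bundle to `/root/*.failed.pem` and exits 1; comparing the public keys works for any key type. Separately, `concat_files` writes the private key into `${haproxy_cert_file}` under the inherited umask and only then `chmod 600`s it, so under a default 022 umask the key is briefly world-readable — an `umask 077` before the `cat` removes the window. The check is also better done on the renewed lineage before the previous bundle is overwritten, which makes `failed_cert_file` and the `mv` unnecessary.
```shell
concat_files() {
    # shellcheck disable=SC2174
    mkdir --mode=700 --parents "${haproxy_cert_dir}"
    chown root: "${haproxy_cert_dir}"

    debug "Concatenating certificate files to ${haproxy_cert_file}"
    # the bundle holds the private key: never let it exist with a permissive mode
    umask 077
    cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
    chmod 600 "${haproxy_cert_file}"
    chown root: "${haproxy_cert_file}"
}
cert_and_key_mismatch() {
    # compare public keys rather than RSA moduli so ECDSA lineages work too;
    # x509 reads the first (leaf) certificate of fullchain.pem
    cert_pub=$(openssl x509 -noout -pubkey -in "${RENEWED_LINEAGE}/fullchain.pem" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "${RENEWED_LINEAGE}/privkey.pem" | openssl sha256)

    test "${cert_pub}" != "${key_pub}"
}
# … unchanged: main() up to found_renewed_lineage …
            if cert_and_key_mismatch; then
                error "Key and cert in ${RENEWED_LINEAGE} don't match, nothing deployed"
            fi
            concat_files
# … unchanged: config_check and reload …
```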

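--- a/certbot/files/hooks/nginx.sh
+++ b/certbot/files/hooks/nginx.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+error() {
+>&2 echo "${PROGNAME}: $1"
+exit 1
+}
+debug() {
+if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+>&2 echo "${PROGNAME}: $1"
+fi
+}
+daemon_found_and_running() {
+test -n "$(pidof nginx)" && test -n "${nginx_bin}"
+}
+config_check() {
+${nginx_bin} -t > /dev/null 2>&1
+}
+letsencrypt_used() {
+grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled
+}
+main() {
+if daemon_found_and_running; then
+if letsencrypt_used; then
+if config_check; then
+debug "Nginx detected... reloading"
+systemctl reload nginx
+else
+error "Nginx config is broken, you must fix it !"
+fi
+else
+debug "Nginx doesn't use Let's Encrypt certificate. Skip."
+fi
+else
+debug "Nginx is not running or missing. Skip."
+fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly nginx_bin=$(command -v nginx)
+
+main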

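--- a/certbot/files/hooks/postfix.sh
+++ b/certbot/files/hooks/postfix.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+error() {
+>&2 echo "${PROGNAME}: $1"
+exit 1
+}
+debug() {
+if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+>&2 echo "${PROGNAME}: $1"
+fi
+}
+daemon_found_and_running() {
+test -n "$(pidof master)" && test -n "${postconf_bin}"
+}
+config_check() {
+${postconf_bin} > /dev/null 2>&1
+}
+letsencrypt_used() {
+${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"
+}
+main() {
+if daemon_found_and_running; then
+if letsencrypt_used; then
+if config_check; then
+debug "Postfix detected... reloading"
+systemctl reload postfix
+else
+error "Postfix config is broken, you must fix it !"
+fi
+else
+debug "Postfix doesn't use Let's Encrypt certificate. Skip."
+fi
+else
+debug "Postfix is not running or missing. Skip."
+fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly postconf_bin=$(command -v postconf)
+
+main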
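Review bot: `letsencrypt_used` only looks at `smtpd_tls_cert_file`, but on Debian 10 Postfix (3.4 and later) the certificate is commonly declared through `smtpd_tls_chain_files` instead, in which case the hook concludes Postfix doesn't use Let's Encrypt and never reloads it after a renewal; `${postconf_bin} | grep -E "^smtpd_tls_(cert_file|chain_files)" | grep -q "letsencrypt"` covers both forms. The order of checks also makes the `config is broken` branch hard to reach: `letsencrypt_used` already runs `postconf`, and when that fails the script most likely reports `doesn't use Let's Encrypt` at debug level and exits 0 — run `config_check` first. `pidof master` is not Postfix-specific either; `systemctl is-active --quiet postfix` is a tighter liveness test if every target host is systemd-based, which I can't confirm from here.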

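--- a/certbot/files/hooks/z-commit-etc.sh
+++ b/certbot/files/hooks/z-commit-etc.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+error() {
+>&2 echo "${PROGNAME}: $1"
+exit 1
+}
+debug() {
+if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+>&2 echo "${PROGNAME}: $1"
+fi
+}
+main() {
+export GIT_DIR="/etc/.git"
+export GIT_WORK_TREE="/etc"
+
+if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
+changed_lines=$(${git_bin} status --porcelain | wc -l | tr -d ' ')
+
+if [ "${changed_lines}" != "0" ]; then
+debug "Committing for ${RENEWED_DOMAINS}"
+${git_bin} add --all
+message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
+${git_bin} commit --message "${message}" --quiet
+else
+error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
+fi
+fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly git_bin=$(command -v git)
+readonly letsencrypt_dir=/etc/letsencrypt
+
+main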
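Review bot: When `/etc` has nothing to commit the hook exits 1 through `error`, so a successful renewal whose files are ignored by or outside `/etc/.git`, or one where another hook has already committed, is reported by certbot as a failed hook and turns every cron run into an e-mail; a clean tree is an expected state here and should be `debug "Nothing to commit for ${RENEWED_DOMAINS}"` with exit 0. `letsencrypt_dir` is assigned but never used — drop it. Note also that `git add --all` sweeps any unrelated uncommitted change under `/etc` into a commit labelled `[letsencrypt]`; that matches the existing etc-git behaviour, but a header comment saying so (`# commits the whole /etc work tree, not only /etc/letsencrypt`) keeps the history from being misread.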

+ 23
- 0
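--- a/certbot/handlers/main.yml
+++ b/certbot/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+
+- name: reload nginx
+service:
+name: nginx
+state: reloaded
+
+- name: reload apache
+service:
+name: apache2
+state: reloaded
+
+- name: reload haproxy
+service:
+name: haproxy
+state: reloaded
+
+- name: systemd daemon-reload
+systemd:
+daemon_reload: yes
+
+- name: install certbot-auto
+command: /usr/local/bin/certbot --install-only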
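Review bot: The `install certbot-auto` handler runs a freshly downloaded script that, as far as I recall, bootstraps itself at that point (installs OS packages and a Python environment from PyPI), so a handler is a surprising place for an internet-dependent install step with no timeout or failure handling; a comment such as `# certbot-auto self-bootstraps here: needs network access and may take minutes` would at least make that visible to whoever reads the play output. The `daemon_reload: yes` in the systemd handler is a YAML 1.1 truthy value; `daemon_reload: true` is the canonical spelling yamllint expects.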

+ 51
- 0
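--- a/certbot/tasks/acme-challenge.yml
+++ b/certbot/tasks/acme-challenge.yml
@@ -0,0 +1,51 @@
+---
+
+- name: Certbot work directory is present
+file:
+dest: "{{ certbot_work_dir }}"
+state: directory
+mode: "0755"
+
+- name: Check if Nginx is installed
+stat:
+path: /etc/nginx
+register: is_nginx
+
+- name: ACME challenge for Nginx is installed
+template:
+src: acme-challenge/nginx.conf.j2
+dest: /etc/nginx/snippets/letsencrypt.conf
+force: yes
+notify: reload nginx
+when: is_nginx.stat.exists
+
+- name: Check if Apache is installed
+stat:
+path: /usr/sbin/apachectl
+register: is_apache
+
+- name: ACME challenge for Apache
+block:
+- name: ACME challenge for Apache is installed
+template:
+src: acme-challenge/apache.conf.j2
+dest: /etc/apache2/conf-available/letsencrypt.conf
+force: yes
+notify: reload apache
+
+- name: ACME challenge for Apache is enabled
+command: "a2enconf letsencrypt"
+register: command_result
+changed_when: "'Enabling' in command_result.stderr"
+notify: reload apache
+when: is_apache.stat.exists
+
+- name: Check if HAProxy is installed
+stat:
+path: /etc/haproxy
+register: is_haproxy
+
+- name: ACME challenge for HAProxy is installed
+debug:
+msg: "ACME challenge configuration for HAProxy must be configured manually"
+when: is_haproxy.stat.exists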
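Review bot: The `ACME challenge for Apache is enabled` task keys `changed_when` on `command_result.stderr`, but Debian's a2enconf prints its "Enabling conf …" message on stdout as far as I recall, so the task would never report changed and never notify `reload apache` on first enablement, while still running a2enconf on every play. Make it idempotent on the filesystem instead of on output: add `args:` / `creates: /etc/apache2/conf-enabled/letsencrypt.conf` and, if the output check is kept, use `changed_when: "'Enabling' in command_result.stdout"`. The `force: yes` values on the two template tasks are YAML 1.1 truthy spellings; `force: true` is the canonical form.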

+ 6
- 0
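--- a/certbot/tasks/install-package.yml
+++ b/certbot/tasks/install-package.yml
@@ -0,0 +1,6 @@
+---
+
+- name: certbot package is installed
+apt:
+name: certbot
+state: latest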
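Review bot: `state: latest` makes every run of the role an upgrade of certbot, so a play can change the installed version as a side effect and is not reproducible between hosts; `state: present` is the usual choice for a role, leaving upgrades to the host's regular update mechanism. If an always-latest certbot is deliberate, a one-line comment above the task saying why would stop the next reviewer from flipping it back.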

+ 35
- 0
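--- a/certbot/tasks/install-sources.yml
+++ b/certbot/tasks/install-sources.yml
@@ -0,0 +1,35 @@
+---
+
+- name: certbot package is removed
+apt:
+name: certbot
+state: absent
+
+- include_role:
+name: evolix/remount-usr
+
+- name: Certbot script is downloaded
+get_url:
+url: https://dl.eff.org/certbot-auto
+dest: /usr/local/bin/certbot
+mode: '0755'
+owner: root
+group: root
+force: no
+notify: install certbot-auto
+
+- name: systemd artefacts are absent
+file:
+dest: "{{ item }}"
+state: absent
+loop:
+- /etc/systemd/system/certbot.service
+- /etc/systemd/system/certbot.service.d
+- /etc/systemd/system/certbot.timer
+notify: systemd daemon-reload
+
+- name: custom crontab is present
+copy:
+src: cron_jessie
+dest: /etc/cron.d/certbot
+force: yes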
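Review bot: The `Certbot script is downloaded` task fetches an executable that will run as root with no integrity check: `get_url` supports `checksum: "sha256:<EXPECTED_SHA256_OF_CERTBOT_AUTO>"` (placeholder — take the value from the upstream signature or a previously verified copy), which both pins what gets installed and turns a changed upstream file into a visible task failure rather than a silent new binary. `force: no` means the script is never refreshed by this role once present, which is fine if certbot-auto's own self-update is relied on, but that reliance deserves a comment above the task. The `loop`/`notify` pairing on `systemd artefacts are absent` is fine; `force: yes` on the crontab copy is the YAML 1.1 truthy spelling (`true`).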

+ 44
- 0
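--- a/certbot/tasks/main.yml
+++ b/certbot/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+
+- name: "System compatibility checks"
+assert:
+that:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version is version('8', '>=')
+msg: only compatible with Debian 9+
+
+- name: Install from sources on Debian 8
+include: install-sources.yml
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version is version('8', '=')
+
+- name: Install package on Debian 9+
+include: install-package.yml
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version is version('9', '>=')
+
+- include: acme-challenge.yml
+
+- name: Deploy hooks are present
+copy:
+src: hooks/
+dest: /etc/letsencrypt/renewal-hooks/deploy/
+mode: "0700"
+owner: root
+group: root
+
+- name: Move commit-etc.sh to z-commit-etc.sh if present
+command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
+args:
+removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
+creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
+
+- name: "certbot lock is ignored by Git"
+lineinfile:
+dest: /etc/.gitignore
+line: letsencrypt/.certbot.lock
+create: yes
+owner: root
+mode: "0600"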
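Review bot: The `System compatibility checks` assert accepts Debian 8 (`is version('8', '>=')`, and the next task installs from sources on exactly 8) while its `msg` says `only compatible with Debian 9+`, so a failing host gets a misleading message; change it to `msg: only compatible with Debian 8+`. In `Move commit-etc.sh to z-commit-etc.sh if present`, `creates` wins when both files exist (the hook was copied under its new name just above, and the old one is still there on an upgraded host), so the mv is skipped and both hooks stay active; an explicit `state: absent` on the old path after the copy would be the deterministic form. The hooks are copied with `mode: "0700"`, which is the right restriction for root-run deploy hooks; a comment saying so keeps it from being "relaxed" later.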

+ 12
- 0
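--- a/certbot/templates/acme-challenge/apache.conf.j2
+++ b/certbot/templates/acme-challenge/apache.conf.j2
@@ -0,0 +1,12 @@
+<IfModule jk_module>
+SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
+</IfModule>
+<IfModule proxy_module>
+ProxyPass /.well-known/acme-challenge/ !
+</IfModule>
+Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
+<Directory "/var/lib/letsencrypt/.well-known/acme-challenge">
+Options -Indexes
+Allow from all
+Require all granted
+</Directory>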
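Review bot: The `Alias` and `<Directory>` paths are hard-coded to `/var/lib/letsencrypt/.well-known/acme-challenge` while the sibling nginx template in this commit is driven by `{{ certbot_work_dir }}`; if that variable is ever set to something else, Apache hosts silently stop passing the HTTP-01 challenge. Template both occurrences on `{{ certbot_work_dir }}/.well-known/acme-challenge` so the two web servers agree. `Allow from all` is an Apache 2.2 directive that on 2.4 only parses when mod_access_compat is loaded; since `Require all granted` is already there, either drop it or wrap it in `<IfModule !mod_authz_core.c>` so the reload handler cannot fail on a host without the compat module. The `SetEnvIf` pattern `/.well-known/acme-challenge/*` is a regex in which `/*` means "zero or more slashes", which works only because the match is unanchored; `^/\.well-known/acme-challenge/` says what is meant.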

+ 5
- 0
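--- a/certbot/templates/acme-challenge/nginx.conf.j2
+++ b/certbot/templates/acme-challenge/nginx.conf.j2
@@ -0,0 +1,5 @@
+location ~ /.well-known/acme-challenge {
+alias {{ certbot_work_dir }}/;
+try_files $uri =404;
+allow all;
+}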
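Review bot: `alias` inside a regular-expression `location` is the combination the nginx documentation warns about: without captures in the regex, the request URI is not appended to the alias target, so as written a challenge request appears to resolve to `{{ certbot_work_dir }}/` itself rather than to the token file, and `try_files $uri` on top of an alias has its own long-standing quirks; unless this exact snippet has been verified to serve a token, the prefix form is the safe one: `location ^~ /.well-known/acme-challenge/ {` with `alias {{ certbot_work_dir }}/.well-known/acme-challenge/;`. That also aligns the directory with the Apache template in this commit, which points at `/var/lib/letsencrypt/.well-known/acme-challenge`. The current regex is unanchored and its `.` is unescaped, so it also matches URIs that merely contain the string.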

+ 1
- 1
clamav/meta/main.yml View File

@@ -1,3 +1,3 @@
---
dependencies:
- { role: amavis }
- { role: evolix/amavis }

+ 13
- 15
clamav/tasks/main.yml View File

@@ -74,22 +74,20 @@

- name: install ClamAV
apt:
name: "{{ item }}"
name:
- clamav-daemon
- clamav
- clamdscan
- clamav-freshclam
- arc
- arj
- pax
- bzip2
- cabextract
- rpm
- lzop
- razor
state: present
with_items:
- clamav-daemon
- clamav
- clamdscan
- clamav-freshclam
- arc
- arj
- zoo
- pax
- bzip2
- cabextract
- rpm
- lzop
- razor
tags:
- clamav
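Review bot: The package list loses `zoo` in the conversion from `with_items` to a `name:` list (the old list has it between `arj` and `pax`, the new one does not), and nothing in the task or commit says whether that is deliberate. If the package is being dropped on purpose (for instance because it is no longer available on the targeted Debian releases — I cannot confirm that from here), a comment such as `# zoo intentionally dropped: <reason>` above the list keeps the next reader from re-adding it; otherwise it should go back in. The enclosing `install ClamAV` task starts inside the hunk but the file continues beyond it.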



+ 2
- 2
docker-host/tasks/jessie_backports.yml View File

@@ -1,6 +1,6 @@
---
- include_role:
name: apt
name: evolix/apt
tasks_from: backports.yml
tags:
- packages
@@ -18,6 +18,6 @@
- name: update apt
apt:
update_cache: yes
when: docker_apt_preferences | changed
when: docker_apt_preferences is changed
tags:
- packages

+ 11
- 14
docker-host/tasks/main.yml View File

@@ -2,22 +2,20 @@
---
- name: Remove older docker packages
apt:
name: '{{ item }}'
name:
- docker
- docker-engine
- docker.io
state: absent
with_items:
- docker
- docker-engine
- docker.io

- name: Install source requirements
apt:
name: '{{ item }}'
name:
- apt-transport-https
- ca-certificates
- gnupg2
state: present
update_cache: yes
with_items:
- apt-transport-https
- ca-certificates
- gnupg2

- name: Add Docker repository
apt_repository:
@@ -36,11 +34,10 @@

- name: Install docker and python-docker
apt:
name: "{{ item }}"
name:
- docker-ce
- python-docker
update_cache: yes
with_items:
- docker-ce
- python-docker

- name: Copy Docker daemon configuration file
template:


+ 13
- 14
dovecot/tasks/main.yml View File

@@ -1,13 +1,12 @@
- name: ensure packages are installed
apt:
name: '{{ item }}'
name:
- dovecot-ldap
- dovecot-imapd
- dovecot-pop3d
- dovecot-sieve
- dovecot-managesieved
state: present
with_items:
- dovecot-ldap
- dovecot-imapd
- dovecot-pop3d
- dovecot-sieve
- dovecot-managesieved
tags:
- dovecot

@@ -26,13 +25,13 @@
regexp: "^#*{{ item.key }}"
state: present
with_items:
- { key: 'hosts', value: '127.0.0.1' }
- { key: 'auth_bind', value: 'yes' }
- { key: 'ldap_version', value: 3 }
- { key: 'base', value: "{{ ldap_suffix }}" }
- { key: 'user_attrs', value: 'homeDirectory=home' }
- { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' }
- { key: 'pass_attrs', value: 'uid=user,userPassword=password' }
- { key: 'hosts', value: '127.0.0.1' }
- { key: 'auth_bind', value: 'yes' }
- { key: 'ldap_version', value: 3 }
- { key: 'base', value: "{{ ldap_suffix }}" }
- { key: 'user_attrs', value: 'homeDirectory=home' }
- { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' }
- { key: 'pass_attrs', value: 'uid=user,userPassword=password' }
when: ldap_suffix is defined
notify: reload dovecot
tags:


+ 7
- 6
dovecot/tasks/munin.yml View File

@@ -6,12 +6,13 @@
check_mode: no
register: munin_node_plugins_config

- block:
- name: Install munin plugin
copy:
src: munin_plugin
dest: /etc/munin/plugins/dovecot
mode: "0755"
- name: Munin plugins are present and configured
block:
- name: Install munin plugin
copy:
src: munin_plugin
dest: /etc/munin/plugins/dovecot
mode: "0755"

# TODO : add in /etc/munin/plugin-conf.d/munin-node
# [dovecot]


+ 1
- 1
drbd/tasks/nagios.yml View File

@@ -9,7 +9,7 @@
- drbd

- include_role:
name: remount-usr
name: evolix/remount-usr
tags:
- drbd



+ 3
- 4
drbd/tasks/packages.yml View File

@@ -1,9 +1,8 @@
- name: Install dependency
apt:
name: "{{ item }}"
with_items:
- drbd-utils
- lvm2
name:
- drbd-utils
- lvm2
tags:
- drbd



+ 1
- 1
elasticsearch/README.md View File

@@ -27,7 +27,7 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
* `elasticsearch_jvm_xmx`: maximum heap size reserved for the JVM (default: `2g`).
* `elasticsearch_restart_on_upgrade`: restart the service after package upgrade (default: `true`)

By default, Elasticsearch will listen to the public interfaces (`_site_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host), so you will have to secure it, with firewall rules for example.
By default, Elasticsearch will listen to the local interface (`_local_` cf. https://www.elastic.co/guide/en/elasticsearch/reference/5.0/important-settings.html#network.host).

## Curator



+ 1
- 1
elasticsearch/defaults/main.yml View File

@@ -5,7 +5,7 @@ elasticsearch_cluster_name: Null
elasticsearch_cluster_members: Null
elasticsearch_minimum_master_nodes: Null
elasticsearch_node_name: "${HOSTNAME}"
elasticsearch_network_host: "[_site_, _local_]"
elasticsearch_network_host: "[_local_]"
elasticsearch_network_publish_host: Null
elasticsearch_http_publish_host: Null
elasticsearch_custom_datadir: Null


+ 1
- 1
elasticsearch/meta/main.yml View File

@@ -25,4 +25,4 @@ galaxy_info:
# alphanumeric characters. Maximum 20 tags per role.

dependencies:
- { role: java, alternative: 'openjdk', java_version: 8 }
- { role: evolix/java, alternative: 'openjdk' }
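Review bot: Besides the `evolix/` prefix, the dependency line drops `java_version: 8`, so the JDK installed for Elasticsearch now becomes whatever the java role defaults to; the commit does not say whether that default is known to be compatible with the Elasticsearch versions this role deploys. If the pin was removed on purpose (e.g. the java role now picks a suitable version per Debian release), a trailing comment like `# java version left to the java role's per-release default` would document it; if not, the pin should stay.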

+ 2
- 2
elasticsearch/tasks/additional_scripts.yml View File

@@ -1,8 +1,8 @@
---

- include_role:
name: remount-usr
when: elasticsearch_additional_scripts_dir | search ("/usr")
name: evolix/remount-usr
when: elasticsearch_additional_scripts_dir is search ("/usr")

- name: "{{ elasticsearch_additional_scripts_dir }} exists"
file:


+ 31
- 29
elasticsearch/tasks/datadir.yml View File

@@ -1,44 +1,46 @@
---

- block:
- name: "Is custom datadir present ?"
stat:
path: "{{ elasticsearch_custom_datadir }}"
register: elasticsearch_custom_datadir_test
check_mode: no
- name: Set real datadir value when customized
block:
- name: "Is custom datadir present ?"
stat:
path: "{{ elasticsearch_custom_datadir }}"
register: elasticsearch_custom_datadir_test
check_mode: no

- name: "read the real datadir"
command: readlink -f /var/lib/elasticsearch
changed_when: false
register: elasticsearch_current_real_datadir_test
check_mode: no
- name: "read the real datadir"
command: readlink -f /var/lib/elasticsearch
changed_when: false
register: elasticsearch_current_real_datadir_test
check_mode: no
tags:
- elasticsearch
when:
- elasticsearch_custom_datadir != ''
- elasticsearch_custom_datadir != None

- block:
- name: elasticsearch is stopped
service:
name: elasticsearch
state: stopped
- name: Datadir is moved to custom path
block:
- name: elasticsearch is stopped
service:
name: elasticsearch
state: stopped

- name: Move elasticsearch datadir to custom datadir
command: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }}
args:
creates: "{{ elasticsearch_custom_datadir }}"
- name: Move elasticsearch datadir to custom datadir
command: mv {{ elasticsearch_current_real_datadir_test.stdout }} {{ elasticsearch_custom_datadir }}
args:
creates: "{{ elasticsearch_custom_datadir }}"

- name: Symlink {{ elasticsearch_custom_datadir }} to /var/lib/elasticsearch
file:
src: "{{ elasticsearch_custom_datadir }}"
dest: '/var/lib/elasticsearch'
state: link
- name: Symlink {{ elasticsearch_custom_datadir }} to /var/lib/elasticsearch
file:
src: "{{ elasticsearch_custom_datadir }}"
dest: '/var/lib/elasticsearch'
state: link

- name: elasticsearch is started
service:
name: elasticsearch
state: started
- name: elasticsearch is started
service:
name: elasticsearch
state: started
tags:
- elasticsearch
when:


+ 7
- 0
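--- a/elasticsearch/tasks/logs.yml
+++ b/elasticsearch/tasks/logs.yml
@@ -1,5 +1,11 @@
 ---
 
+- name: Check if cron is installed
+shell: "dpkg -l cron 2> /dev/null | grep -q -E '^(i|h)i'"
+failed_when: False
+changed_when: False
+register: is_cron_installed
+
 - name: "log rotation script"
 template:
 src: rotate_elasticsearch_logs.j2
@@ -7,3 +13,4 @@
 owner: root
 group: root
 mode: "0750"
+when: is_cron_installed.rc == 0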
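Review bot: The new `Check if cron is installed` task has no `check_mode: no`, so in `--check` runs the shell command is skipped, `is_cron_installed` is registered without an `rc` key, and the `when: is_cron_installed.rc == 0` on the log-rotation template fails with an undefined attribute instead of skipping; add `check_mode: no` to the shell task (it only reads package state) or guard the condition with `is_cron_installed.rc is defined and is_cron_installed.rc == 0`. The same `dpkg -l … | grep` pipeline is added to etc-git/tasks/main.yml in this commit, where the rendering makes it hard to tell whether `check_mode: no` landed on the new task; a single `package_facts` call followed by `when: "'cron' in ansible_facts.packages"` would replace both copies without a `shell` pipeline.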

+ 21
- 20
elasticsearch/tasks/plugin_head.yml View File

@@ -8,28 +8,29 @@
system: yes
shell: /bin/false

- block:
- name: Head repository is checked-out
git:
repo: "https://github.com/mobz/elasticsearch-head.git"
dest: "{{ elasticsearch_plugin_head_clone_dir }}"
clone: yes
tags:
- packages
- name: Head plugin is installed
block:
- name: Head repository is checked-out
git:
repo: "https://github.com/mobz/elasticsearch-head.git"
dest: "{{ elasticsearch_plugin_head_clone_dir }}"
clone: yes
tags:
- packages

- name: Create tmpdir
file:
dest: "{{ elasticsearch_plugin_head_tmp_dir }}"
state: directory
- name: Create tmpdir
file:
dest: "{{ elasticsearch_plugin_head_tmp_dir }}"
state: directory

- name: NPM packages for head are installed
npm:
path: "{{ elasticsearch_plugin_head_clone_dir }}"
tags:
- packages
- npm
environment:
TMPDIR: "{{ elasticsearch_plugin_head_tmp_dir }}"
- name: NPM packages for head are installed
npm:
path: "{{ elasticsearch_plugin_head_clone_dir }}"
tags:
- packages
- npm
environment:
TMPDIR: "{{ elasticsearch_plugin_head_tmp_dir }}"
become_user: "{{ elasticsearch_plugin_head_owner }}"
become: yes



+ 44
- 43
elasticsearch/tasks/tmpdir.yml View File

@@ -7,50 +7,51 @@
changed_when: False
check_mode: no

- block:
- name: "Create {{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
file:
path: "{{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
owner: elasticsearch
group: elasticsearch
mode: "0755"
state: directory
tags:
- elasticsearch
- name: Tmpdir is moved to custom path
block:
- name: "Create {{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
file:
path: "{{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
owner: elasticsearch
group: elasticsearch
mode: "0755"
state: directory
tags:
- elasticsearch

- name: change JVM tmpdir (< 6.x)
lineinfile:
dest: /etc/elasticsearch/jvm.options
line: "-Djava.io.tmpdir={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
regexp: "^-Djava.io.tmpdir="
insertafter: "## JVM configuration"
notify:
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version | version_compare('6', '<')
- name: change JVM tmpdir (< 6.x)
lineinfile:
dest: /etc/elasticsearch/jvm.options
line: "-Djava.io.tmpdir={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
regexp: "^-Djava.io.tmpdir="
insertafter: "## JVM configuration"
notify:
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version is version('6', '<')

- name: check if ES_TMPDIR is available (>= 6.x)
lineinfile:
dest: /etc/default/elasticsearch
line: "ES_TMPDIR={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
regexp: "^ES_TMPDIR="
insertafter: "JAVA_HOME"
notify:
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version | version_compare('6', '>=')
- name: check if ES_TMPDIR is available (>= 6.x)
lineinfile:
dest: /etc/default/elasticsearch
line: "ES_TMPDIR={{ elasticsearch_custom_tmpdir or elasticsearch_default_tmpdir | mandatory }}"
regexp: "^ES_TMPDIR="
insertafter: "JAVA_HOME"
notify:
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version is version('6', '>=')

- name: change JVM tmpdir (>= 6.x)
lineinfile:
dest: /etc/elasticsearch/jvm.options
line: "-Djava.io.tmpdir=${ES_TMPDIR}"
regexp: "^-Djava.io.tmpdir="
insertafter: "## JVM configuration"
notify:
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version | version_compare('6', '>=')
- name: change JVM tmpdir (>= 6.x)
lineinfile:
dest: /etc/elasticsearch/jvm.options
line: "-Djava.io.tmpdir=${ES_TMPDIR}"
regexp: "^-Djava.io.tmpdir="
insertafter: "## JVM configuration"
notify:
- restart elasticsearch
tags:
- elasticsearch
when: elastic_stack_version is version('6', '>=')
when: (elasticsearch_custom_tmpdir != '' and elasticsearch_custom_tmpdir != None) or fstab_tmp_noexec.rc == 0

+ 2
- 2
etc-git/README.md View File

@@ -14,7 +14,7 @@ There is also an independant task that can be executed to commit changes made in

pre_tasks:
- include_role:
name: etc-git
name: evolix/etc-git
tasks_from: commit.yml
vars:
commit_message: "Ansible pre-run my splendid playbook"
@@ -24,7 +24,7 @@ There is also an independant task that can be executed to commit changes made in

post_tasks:
- include_role:
name: etc-git
name: evolix/etc-git
tasks_from: commit.yml
vars:
commit_message: "Ansible post-run my splendid playbook"


+ 4
- 2
etc-git/tasks/commit.yml View File

@@ -31,7 +31,7 @@
- name: "set commit author"
set_fact:
commit_author: '{% if ansible_env.SUDO_USER is not defined %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
commit_email: '{% if git_config_user_email.config_value is not defined or git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
commit_email: '{% if git_config_user_email.config_value is not defined or not git_config_user_email.config_value %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' # noqa 204
tags:
- etc-git
- commit-etc
@@ -41,7 +41,9 @@
args:
chdir: /etc
register: etc_commit_end_run
when: not ansible_check_mode and git_status.stdout != ""
when:
- not ansible_check_mode
- git_status.stdout
ignore_errors: yes
tags:
- etc-git


+ 29
- 71
etc-git/tasks/main.yml View File

@@ -7,80 +7,37 @@
tags:
- etc-git

- name: /etc is versioned with git
command: "git init ."
args:
chdir: /etc
creates: /etc/.git/
warn: no
register: git_init
tags:
- etc-git

- name: Git user.email is configured
git_config:
name: user.email
repo: /etc
scope: local
value: "root@{{ ansible_fqdn | default('localhost') }}"
tags:
- etc-git
- include: repository.yml
vars:
repository_path: "/etc"
gitignore_items:
- "aliases.db"
- "*.swp"
- "postfix/sa-blacklist.access"
- "postfix/*.db"
- "postfix/spamd.cidr"
- "evobackup/.keep-*"
- "letsencrypt/.certbot.lock"

- name: /etc/.git is restricted to root
file:
path: /etc/.git
owner: root
mode: "0700"
state: directory
tags:
- etc-git

- name: /etc/.gitignore is present
copy:
src: gitignore
dest: /etc/.gitignore
owner: root
mode: "0600"
force: no
tags:
- etc-git
- name: verify /usr/share/scripts presence
stat:
path: /usr/share/scripts
register: _usr_share_scripts

- name: Some entries MUST be in the /etc/.gitignore file
lineinfile:
dest: /etc/.gitignore
line: "{{ item }}"
with_items:
- "aliases.db"
- "*.swp"
- "postfix/sa-blacklist.access"
- "postfix/*.db"
- "postfix/spamd.cidr"
- "evobackup/.keep-*"
- "letsencrypt/.certbot.lock"
tags:
- etc-git
- include: repository.yml
vars:
repository_path: "/usr/share/scripts"
gitignore_items: []
when:
- _usr_share_scripts.stat.isdir
- ansible_distribution_major_version is version('10', '>=')

- name: does /etc/ have any commit?
command: "git log"
args:
chdir: /etc
warn: no
changed_when: False
- name: Check if cron is installed
shell: "dpkg -l cron 2> /dev/null | grep -q -E '^(i|h)i'"
failed_when: False
register: git_log
changed_when: False
check_mode: no
tags:
- etc-git

- name: initial commit is present?
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
args:
chdir: /etc
warn: no
register: git_commit
when: git_log.rc != 0 or (git_init is defined and git_init.changed)
tags:
- etc-git
register: is_cron_installed

- name: Optimize script is installed in monthly crontab
copy:
@@ -88,6 +45,7 @@
dest: /etc/cron.monthly/optimize-etc-git
mode: "0750"
force: no
when: is_cron_installed.rc == 0
tags:
- etc-git

@@ -96,7 +54,7 @@
src: etc-git-status.j2
dest: /etc/cron.d/etc-git-status
mode: "0644"
when: etc_git_monitor_status
when: is_cron_installed.rc == 0 and etc_git_monitor_status
tags:
- etc-git

@@ -104,6 +62,6 @@
file:
dest: /etc/cron.d/etc-git-status
state: absent
when: not etc_git_monitor_status
when: is_cron_installed.rc == 0 and not etc_git_monitor_status
tags:
- etc-git
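Review bot: The second `include: repository.yml` is gated on `_usr_share_scripts.stat.isdir`, but Ansible's `stat` only returns `isdir` when the path exists, so on a host without /usr/share/scripts the `when` errors out with an undefined attribute instead of skipping; add `- _usr_share_scripts.stat.exists` as the first condition, before `- _usr_share_scripts.stat.isdir`. The two includes register `git_init` and `git_log` under the same names, which is fine sequentially but worth a comment so nobody later reads `git_init` expecting the /etc result. The original "verify /usr/share/scripts presence" stat task also has no `check_mode: no`; it is read-only, so adding it would keep the include condition usable in `--check` runs.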

+ 73
- 0
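--- a/etc-git/tasks/repository.yml
+++ b/etc-git/tasks/repository.yml
@@ -0,0 +1,73 @@
+---
+
+- include_role:
+name: evolix/remount-usr
+when: repository_path is search ("/usr")
+
+- name: "{{ repository_path }} is versioned with git"
+command: "git init ."
+args:
+chdir: "{{ repository_path }}"
+creates: "{{ repository_path }}/.git/"
+warn: no
+register: git_init
+tags:
+- etc-git
+
+- name: Git user.email is configured
+git_config:
+name: user.email
+repo: "{{ repository_path }}"
+scope: local
+value: "root@{{ ansible_fqdn | default('localhost') }}"
+tags:
+- etc-git
+
+- name: "{{ repository_path }}/.git is restricted to root"
+file:
+path: "{{ repository_path }}/.git"
+owner: root
+mode: "0700"
+state: directory
+tags:
+- etc-git
+
+- name: "{{ repository_path }}/.gitignore is present"
+copy:
+src: gitignore
+dest: "{{ repository_path }}/.gitignore"
+owner: root
+mode: "0600"
+force: no
+tags:
+- etc-git
+
+- name: "Some entries MUST be in the {{ repository_path }}/.gitignore file"
+lineinfile:
+dest: "{{ repository_path }}/.gitignore"
+line: "{{ item }}"
+with_items: "{{ gitignore_items | default([]) }}"
+tags:
+- etc-git
+
+- name: "does {{ repository_path }}/ have any commit?"
+command: "git log"
+args:
+chdir: "{{ repository_path }}"
+warn: no
+changed_when: False
+failed_when: False
+register: git_log
+check_mode: no
+tags:
+- etc-git
+
+- name: initial commit is present?
+shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
+args:
+chdir: "{{ repository_path }}"
+warn: no
+register: git_commit
+when: git_log.rc != 0 or (git_init is defined and git_init.changed)
+tags:
+- etc-git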
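Review bot: repository.yml has no header stating its contract: it is driven entirely by `repository_path` (required, used unquoted in `chdir` and in every path) and `gitignore_items` (optional, defaulted to `[]` only on the lineinfile task), and main.yml now calls it twice with different values. Add a comment block at the top such as `# Included from main.yml. Expects: repository_path (required) and gitignore_items (optional list of .gitignore entries).` so the next caller does not have to reverse-engineer it. The `.git is restricted to root` task only chmods the top-level `.git` directory; 0700 there blocks traversal so the history (which will contain whatever secrets live under /etc) is unreadable by others, but a one-line comment saying the non-recursive mode is sufficient on purpose would preempt the question. The `git log` check relies on `failed_when: False` and `rc != 0` to mean "no commits yet", which also swallows other git failures; that is the intended fallback, but worth naming in a comment next to `failed_when`.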