Merge branch 'unstable' into stable

2017-09-19 00:44:50 +02:00 · 2017-09-19 00:44:50 +02:00 · 5bc0c597c7
parent 62189dbca8 7f9399964b
commit 5bc0c597c7
31 changed files with 318 additions and 223 deletions
--- a/etc-git/tasks/commit.yml
+++ b/etc-git/tasks/commit.yml
@ -24,12 +24,13 @@
  register: git_config_user_email
  ignore_errors: yes

- name: set commit author
+- name: "set commit author"
  set_fact:
-    etc_git_commit_options: "{ --author \"{{ ansible_env.SUDO_USER |default(\"root\")}} <{{ git_config_user_email.config_value |default(\"root@localhost\")}}>\""
+    commit_author: '{% if ansible_env.SUDO_USER == "" %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
+    commit_email:  '{% if git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'

- name: /etc modifications are committed
-  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}"
+- name: "/etc modifications are committed"
+  shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
  args:
    chdir: /etc
  register: etc_commit_end_run
--- a/evoacme/defaults/main.yml
+++ b/evoacme/defaults/main.yml
@ -6,7 +6,7 @@ evoacme_acme_dir: /var/lib/letsencrypt
 evoacme_csr_dir: /etc/ssl/requests
 evoacme_crt_dir: /etc/letsencrypt
 evoacme_log_dir: /var/log/evoacme
-evoacme_ssl_minday: 15
+evoacme_ssl_minday: 30
 evoacme_ssl_ct: 'FR'
 evoacme_ssl_state: 'France'
 evoacme_ssl_loc: 'Marseille'
--- a/evoacme/files/certbot.cron
+++ b/evoacme/files/certbot.cron
@ -1,17 +1,14 @@
 #!/bin/sh
+#
+# Run evoacme script on every configured cert
+#
+# Author: Victor Laborie <vlaborie@evolix.fr>
+# Licence: AGPLv3
+#

 [ -f /etc/default/evoacme ] && . /etc/default/evoacme
 [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
-[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'

-find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
-	evoacme $vhost
-done
-
-# Compatibility with older version of evoacme
-find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type f -name "*.crt" -exec basename {} .crt \; | while read vhost; do
-	[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf
-        [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf
-	rm ${CRT_DIR}/${vhost}.crt ${CRT_DIR}/${vhost}-chain.pem ${CRT_DIR}/${vhost}-fullchain.pem
-	evoacme $vhost
+find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
+	evoacme "$vhost"
 done
--- a/evoacme/files/evoacme.sh
+++ b/evoacme/files/evoacme.sh
@ -1,62 +1,84 @@
-#!/bin/bash
+#!/bin/sh
+#
+# evoacme is a shell script to manage Let's Encrypt certificate with
+# certbot tool but with a dedicated user (no-root) and from a csr
+#
+# Author: Victor Laborie <vlaborie@evolix.fr>
+# Licence: AGPLv3
+#

-[ -f /etc/default/evoacme ] && . /etc/default/evoacme
-[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
-[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
-[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
-[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
-[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
+usage() {
+	echo "Usage: $0 NAME"
+	echo ""
+	echo "NAME must be correspond to :"
+	echo "- a CSR in ${CSR_DIR}/NAME.csr"
+	echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
+	echo ""
+}

-vhost=$(basename $1 .conf)
-DATE=$(date "+%Y%m%d")
+mkconf_apache() {
+        [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
+        apache2ctl -t 2>/dev/null && service apache2 reload
+}

-SSL_EMAIL=$(grep emailAddress ${CRT_DIR}/openssl.cnf|cut -d'=' -f2|xargs)
-if [ -n "$SSL_EMAIL" ]; then
-    emailopt="--email $SSL_EMAIL"
-else
-    emailopt="--register-unsafely-without-email"
-fi
+mkconf_nginx() {
+        [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
+        nginx -t 2>/dev/null && service nginx reload
+}

-# Check master status for evoadmin-cluster
-if [ -f /home/${vhost}/state ]; then
-	grep -q "STATE=master" /home/${vhost}/state
-	[ $? -ne 0 ] && exit 0
-fi
+mkconf_haproxy() {
+	mkdir -p /etc/ssl/haproxy -m 700
+	cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem"
+	[ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem"
+	haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
+}

-if [ -h $CRT_DIR/${vhost}/live ]; then
-    crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}/live/cert.crt|sed -e "s/.*=//"`
-    date_crt=`date -ud "$crt_end_date" +"%s"`
-    date_today=`date +'%s'`
-    date_diff=$(( ( $date_crt - $date_today ) / (60*60*24) ))
-    [ $date_diff -ge $SSL_MINDAY ] && exit 0
-fi
-
-mkdir -pm 755 $CRT_DIR/${vhost} $CRT_DIR/${vhost}/${DATE}
-chown -R acme: $CRT_DIR/${vhost}
-sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}/${DATE}/cert.crt --fullchain-path=$CRT_DIR/${vhost}/${DATE}/fullchain.pem --chain-path=$CRT_DIR/${vhost}/${DATE}/chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util)
-
-if [ $? -eq 0 ]; then
-	ln -sf $CRT_DIR/${vhost}/${DATE} $CRT_DIR/${vhost}/live	
-	which apache2ctl>/dev/null
-	if [ $? -eq 0 ]; then
-		[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" /etc/apache2/ssl/${vhost}.conf
-		apache2ctl -t 2>/dev/null
-	        [ $? -eq 0 ] && service apache2 reload
-	fi
-	which nginx>/dev/null
-	if [ $? -eq 0 ]; then
-		[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf
-	        nginx -t 2>/dev/null
-	        [ $? -eq 0 ] && service nginx reload
-	fi
+main() {
+	[ -f /etc/default/evoacme ] && . /etc/default/evoacme
+	[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
+	[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
+	[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
+	[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
+	[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
+	[ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme'
 	
-	which haproxy>/dev/null
-	if [ $? -eq 0 ]; then
-		mkdir -p /etc/ssl/haproxy -m 700
-		cat $CRT_DIR/${vhost}/live/fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem
-		[ -f $DH_DIR/${vhost} ] && cat $DH_DIR/${vhost} >> /etc/ssl/haproxy/${vhost}.pem
-		haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null
-	        [ $? -eq 0 ] && service haproxy reload
+	[ "$#" -ne 1 ] && usage && exit 1
+
+	vhost=$(basename "$1" .conf)
+
+	# Check master status for evoadmin-cluster
+	if [ -f "/home/${vhost}/state" ]; then
+		grep -q "STATE=master" "/home/${vhost}/state" || exit 0
 	fi
-	exit 0
-fi
+
+	SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs)
+	if [ -n "$SSL_EMAIL" ]; then
+	    emailopt="-m $SSL_EMAIL"
+	else
+	    emailopt="--register-unsafely-without-email"
+	fi
+	DATE=$(date "+%Y%m%d")
+	
+	if [ -h "$CRT_DIR/${vhost}/live" ]; then
+	    crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//")
+	    date_crt=$(date -ud "$crt_end_date" +"%s")
+	    date_today=$(date +'%s')
+	    date_diff=$(((date_crt - date_today) / (60*60*24)))
+	    [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0
+	fi
+	rm -rf "$CRT_DIR/${vhost}/${DATE}"
+	mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
+	chown -R acme: "$CRT_DIR/${vhost}"
+	sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
+	if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then
+		rm -f "$CRT_DIR/${vhost}/live"
+		ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
+		which apache2ctl >/dev/null && mkconf_apache
+		which nginx >/dev/null && mkconf_nginx
+		which haproxy >/dev/null && mkconf_haproxy
+	else
+		rmdir "$CRT_DIR/${vhost}/${DATE}"
+	fi
+}
+
+main "$@"
--- a/evoacme/files/make-csr.sh
+++ b/evoacme/files/make-csr.sh
@ -1,114 +1,151 @@
-#!/bin/bash
+#!/bin/sh
+#
+# make-csr is a shell script designed to automatically generate a 
+# certificate signing request (CSR) from an Apache or a Nginx vhost
+#
+# Author: Victor Laborie <vlaborie@evolix.fr>
+# Licence: AGPLv3
+#

-[ -f /etc/default/evoacme ] && source /etc/default/evoacme
-[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
-[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
-[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
-
-shopt -s extglob
-
-vhost=$(basename $1 .conf)
-vhostfiles=$(ls -1 /etc/{nginx,apache2}/sites-enabled/${vhost}?(.conf) 2>/dev/null)
-
-if [ $(echo "${vhostfiles}"|wc -l) -lt 1 ]; then
-	echo "$vhost doesn't exist !"
-	exit 1
-fi
-
-for vhostfile in "${vhostfiles}"; do
-	break;
-done
-
-if [ -f $SSL_KEY_DIR/${vhost}.key ]; then
-	read -p "$vhost key already exist, overwrite it ? (y)" -n 1 -r
-	echo ""
-	if [[ ! $REPLY =~ ^[Yy]$ ]]; then
-		exit 1
+get_domains() {
+	echo "$vhostfile"|grep -q nginx
+	if [ "$?" -eq 0 ]; then
+		domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
 	fi
-	rm -f /etc/apache2/ssl/${vhost}.conf
-	rm -f /etc/nginx/ssl/${vhost}.conf
-fi
-
-SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
-openssl genrsa -out $SSL_KEY_DIR/${vhost}.key $SSL_KEY_SIZE
-chown root: $SSL_KEY_DIR/${vhost}.key
-chmod 600 $SSL_KEY_DIR/${vhost}.key
-
-nb=0
-
-echo $vhostfile |grep -q nginx
-if [ $? -eq 0 ]; then
-	domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq`
-fi
-
-echo $vhostfile |grep -q apache2
-if [ $? -eq 0 ]; then
-	domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
-fi
-
-valid_domains=''
-srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
-
-echo "Valid Domain(s) for $vhost :"
-for domain in $domains
-do
-	real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+")
-	for ip in $(echo $srv_ip|xargs -n1); do
-		if [ "${ip}" == "${real_ip}" ]; then
-                        valid_domains="$valid_domains $domain"
-	                nb=$(( nb  + 1 ))
-			echo "- $domain"
-		fi
-	done
-done
-
-if [ $nb -eq 0 ]; then
-        nb=`echo $domains|wc -l`
-	echo "No valid domains : $domains" >&2
-else
-        domains=$valid_domains
-fi
-
-mkdir -p $CSR_DIR -m 0755
-
-if [ $nb -eq 1 ]; then
-	openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -config <(cat /etc/letsencrypt/openssl.cnf <(printf "CN=$domains")) -out $CSR_DIR/${vhost}.csr
-elif [ $nb -gt 1 ]; then
-	san=''
-	for domain in $domains
-	do
-	        san="$san,DNS:$domain"
-	done
-	san=`echo $san|sed 's/,//'`
-	openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -reqexts SAN -config <(cat /etc/letsencrypt/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > $CSR_DIR/${vhost}.csr
-fi
-
-if [ -f $CSR_DIR/${vhost}.csr ]; then
-	chmod 644 $CSR_DIR/${vhost}.csr
-	mkdir -p $SELF_SIGNED_DIR -m 0755
-	openssl x509 -req -sha256 -days 365 -in $CSR_DIR/${vhost}.csr -signkey $SSL_KEY_DIR/${vhost}.key -out $SELF_SIGNED_DIR/${vhost}.pem
-	if [ -f $SELF_SIGNED_DIR/${vhost}.pem ]; then
-		chmod 644 $SELF_SIGNED_DIR/${vhost}.pem
+	
+	echo "$vhostfile" |grep -q apache2
+	if [ "$?" -eq 0 ]; then
+		domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
 	fi
-fi
+	valid_domains=""
+	nb=0
+	
+	echo "Valid(s) domain(s) in $vhost :"
+	for domain in $domains; do
+		real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
+		for ip in $(echo "$SRV_IP"|xargs -n1); do
+			if [ "${ip}" = "${real_ip}" ]; then
+	                        valid_domains="$valid_domains $domain"
+		                nb=$(( nb  + 1 ))
+				echo "* $domain -> $real_ip"
+			fi
+		done
+	done
+	
+	if [ "$nb" -eq 0 ]; then
+	        nb=$(echo "$domains"|wc -l)
+		echo "* No valid domain found"
+		echo "All following(s) domain(s) will be used for CSR creation :"
+		for domain in $domains; do
+			echo "* $domain"
+		done
+	else
+		domains="$valid_domains"
+	fi
+	domains=$(echo "$domains"|xargs -n1)
+}

-if [ -d /etc/apache2 ]; then
+make_key() {
+	openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
+	chown root: "$SSL_KEY_DIR/${vhost}.key"
+	chmod 600 "$SSL_KEY_DIR/${vhost}.key"
+}
+
+make_csr() {
+	domains="$1"
+	nb=$(echo "$domains"|wc -l)
+	config_file="/tmp/make-csr-${vhost}.conf"
+
+	mkdir -p "$CSR_DIR" -m 0755
+	
+	if [ "$nb" -eq 1 ]; then
+		cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
+CN=$domains
+EOF
+		openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
+	elif [ "$nb" -gt 1 ]; then
+		san=''
+		for domain in $domains
+		do
+		        san="$san,DNS:$domain"
+		done
+		san=$(echo "$san"|sed 's/,//')
+		cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
+[SAN]
+subjectAltName=$san
+EOF
+		openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
+	fi
+	
+	if [ -f "$CSR_DIR/${vhost}.csr" ]; then
+		chmod 644 "$CSR_DIR/${vhost}.csr"
+		mkdir -p "$SELF_SIGNED_DIR" -m 0755
+		openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
+		[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
+	fi
+}
+
+mkconf_apache() {
 	mkdir -p /etc/apache2/ssl
-	if [ ! -f /etc/apache2/ssl/${vhost}.conf ]; then
-		cat > /etc/apache2/ssl/${vhost}.conf <<EOF
+	if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
+		cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
 SSLEngine On
 SSLCertificateFile    $SELF_SIGNED_DIR/${vhost}.pem
 SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
 EOF
+	else
+		sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
 	fi
-fi
+}

-if [ -d /etc/nginx ]; then
+mkconf_nginx() {
 	mkdir -p /etc/nginx/ssl
-	if [ ! -f /etc/nginx/ssl/${vhost}.conf ]; then
-		cat > /etc/nginx/ssl/${vhost}.conf <<EOF
+	if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
+		cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
 ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
 ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
 EOF
+	else
+		sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
 	fi
-fi
+}
+
+main() {
+	if [ "$#" -ne 1 ]; then
+		echo "You need to provide one argument !" >&2
+		exit 1
+	fi
+	vhost=$(basename "$1" .conf)
+	local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
+
+	[ -f /etc/default/evoacme ] && . /etc/default/evoacme
+	[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
+	[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
+	[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
+	[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
+	SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
+	[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
+	
+	vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
+	
+	if [ ! -h "$vhostfile" ]; then
+		echo "$vhost is not a valid virtualhost !" >&2
+		exit 1
+	fi
+
+	if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
+		echo "$vhost key already exist, overwrite it ? (y)"
+		read REPLY
+		[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
+		rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
+		[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
+	fi
+
+	get_domains
+	make_key
+	make_csr "$domains"
+	which apache2ctl >/dev/null && mkconf_apache
+        which nginx >/dev/null && mkconf_nginx
+}
+
+main "$@"
--- a/evoacme/files/sudoers
+++ b/evoacme/files/sudoers
@ -1 +0,0 @@
-acme ALL=(ALL:ALL) NOPASSWD: /opt/certbot/certbot-auto
--- a/evoacme/tasks/scripts.yml
+++ b/evoacme/tasks/scripts.yml
@ -10,7 +10,7 @@
 - name: Copy make-csr.sh script
  copy:
    src: files/make-csr.sh
-    dest: /usr/local/bin/make-csr
+    dest: /usr/local/sbin/make-csr
    owner: root
    group: root
    mode: "0755"
@ -18,7 +18,15 @@
 - name: Copy evoacme script
  copy:
    src: files/evoacme.sh
-    dest: /usr/local/bin/evoacme
+    dest: /usr/local/sbin/evoacme
    owner: root
    group: root
    mode: "0755"
+
+- name: Delete scripts in old location
+  file:
+    path: "/usr/local/bin/{{ item }}"
+    state: absent
+  with_items:
+  - 'make-csr'
+  - 'evoacme'
--- a/evolinux-base/tasks/ssh.yml
+++ b/evolinux-base/tasks/ssh.yml
@ -1,7 +1,6 @@
 ---
-
- fail:
-    msg: You must provide at least 1 ssh trusted IP
+- debug:
+    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
  when: evolinux_ssh_password_auth_addresses == []

 - name: Security directives for Evolinux
@ -16,6 +15,7 @@
    insertafter: EOF
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
+  when: not evolinux_ssh_password_auth_addresses == []

 # - name: verify Match Address directive
 #   command: "grep 'Match Address' /etc/ssh/sshd_config"
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@ -6,7 +6,7 @@ minifirewall_checkout_path: "/tmp/minifirewall"
 minifirewall_int: "{{ ansible_default_ipv4.interface }}"
 minifirewall_ipv6: "on"
 minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
-minifirewall_trusted_ips: []
+minifirewall_trusted_ips: ["0.0.0.0/0"]
 minifirewall_privilegied_ips: []

 minifirewall_protected_ports_tcp: [22]
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@ -28,6 +28,9 @@
 - fail:
    msg: You must provide at least 1 trusted IP
  when: minifirewall_trusted_ips == []
+- debug:
+    msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!"
+  when: minifirewall_trusted_ips == ["0.0.0.0/0"]

 - name: Configure IP addresses
  blockinfile:
--- a/mysql/files/evolinux-defaults.cnf
+++ b/mysql/files/evolinux-defaults.cnf
@ -8,7 +8,8 @@ back_log = 100
 # Maximum d'erreurs avant de blacklister un hote
 max_connect_errors = 10
 # Loguer les requetes trop longues
-slow_query_log = /var/log/mysql/mysql-slow.log
+slow_query_log = 1
+slow_query_log_file = /var/log/mysql/mysql-slow.log
 long_query_time = 10

 ###### Tailles
@ -57,3 +58,5 @@ innodb_thread_concurrency = 16
 # charset utf8 par defaut
 character-set-server=utf8
 collation-server=utf8_general_ci
+# Patch MySQL 5.5.53
+secure-file-priv = ""
--- a/mysql/handlers/main.yml
+++ b/mysql/handlers/main.yml
@ -13,3 +13,7 @@
  service:
    name: mysql
    state: restarted
+
+- name: reload systemd
+  command: systemctl daemon-reload
+
--- a/mysql/tasks/config_jessie.yml
+++ b/mysql/tasks/config_jessie.yml
@ -1,5 +1,5 @@
 ---
- name: Copy MySQL defaults config file
+- name: "Copy MySQL defaults config file (jessie)"
  copy:
    src: evolinux-defaults.cnf
    dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf
@ -10,13 +10,13 @@
  tags:
    - mysql

- name: Copy MySQL custom config file
+- name: "Copy MySQL custom config file (jessie)"
  template:
    src: evolinux-custom.cnf.j2
    dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf
    owner: root
    group: root
-    mode: "0640"
+    mode: "0644"
    force: no
  tags:
    - mysql
--- a/mysql/tasks/config_stretch.yml
+++ b/mysql/tasks/config_stretch.yml
@ -1,5 +1,5 @@
 ---
- name: Copy MySQL defaults config file
+- name: "Copy MySQL defaults config file (Debian 9 or later)"
  copy:
    src: evolinux-defaults.cnf
    dest: /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf
@ -10,13 +10,25 @@
  tags:
    - mysql

- name: Copy MySQL custom config file
+- name: "Copy MySQL custom config file (Debian 9 or later)"
  template:
    src: evolinux-custom.cnf.j2
    dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf
    owner: root
    group: root
-    mode: "0640"
+    mode: "0644"
    force: no
  tags:
    - mysql
+
+- name: "Create a system config directory for systemd overrides (Debian 9 or later)"
+  file:
+    path: /etc/systemd/system/mariadb.service.d
+    state: directory
+
+- name: "Override MariaDB systemd unit (Debian 9 or later)"
+  template:
+    src: mariadb.systemd.j2
+    dest: /etc/systemd/system/mariadb.service.d/evolinux.conf
+    force: yes
+  notify: reload systemd
--- a/mysql/templates/mariadb.systemd.j2
+++ b/mysql/templates/mariadb.systemd.j2
@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+[Service]
+ProtectHome=false
--- a/nginx/files/apt/nginx_preferences
+++ b/nginx/files/apt/nginx_preferences
@ -1,3 +1,3 @@
-Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libssl1.0.0
+Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libnginx-mod-* libssl1.0.0
 Pin: release a=jessie-backports
 Pin-Priority: 999
--- a/nginx/tasks/main_minimal.yml
+++ b/nginx/tasks/main_minimal.yml
@ -24,7 +24,7 @@
 - name: Enable default vhost
  file:
    src: /etc/nginx/sites-available/evolinux-default.minimal.conf
-    dest: /etc/nginx/sites-enabled/default.conf
+    dest: /etc/nginx/sites-enabled/default
    state: link
  notify: reload nginx
  tags:
--- a/ntpd/defaults/main.yml
+++ b/ntpd/defaults/main.yml
@ -1,5 +1,4 @@
 ---
-ntpd_only_local: True
 ntpd_servers:
 - 'ntp.evolix.net'
 ntpd_acls:
--- a/ntpd/templates/ntp.conf.j2
+++ b/ntpd/templates/ntp.conf.j2
@ -2,11 +2,6 @@

 driftfile /var/lib/ntp/ntp.drift

-{% if ntpd_only_local is defined and ntpd_only_local %}
-# Only listen on 127.0.0.1 and ::1
-interface ignore wildcard
-
-{% endif %}
 # Enable this if you want statistics to be logged.
 #statsdir /var/log/ntpstats/

@ -23,7 +18,6 @@ filegen clockstats file clockstats type day enable
 # pool: <http://www.pool.ntp.org/join.html>

 #server pool.ntp.org
-
 {% for server in ntpd_servers %}
 server {{ server }}
 {% endfor %}
--- a/php/tasks/apache.yml
+++ b/php/tasks/apache.yml
@ -55,7 +55,8 @@
  copy:
    dest: "{{ php_apache_custom_file }}"
    content: |
-      # Put customized values here.
+      ; Put customized values here.
+      ; default_charset = "ISO-8859-1"
    force: no

 - name: "Set custom values for PHP to enable Symfony"
--- a/php/tasks/fpm.yml
+++ b/php/tasks/fpm.yml
@ -59,7 +59,7 @@
  copy:
    dest: "{{ phpini_fpm_custom_file }}"
    content: |
-      # Put customized values here.
+      ; Put customized values here.
    force: no

 - name: Set default PHP FPM values
@ -85,7 +85,8 @@
  copy:
    dest: "{{ php_fpm_custom_file }}"
    content: |
-      # Put customized values here.
+      ; Put customized values here.
+      ; default_charset = "ISO-8859-1"
    force: no

 - name: "Set custom values for PHP to enable Symfony"
--- a/php/tasks/php_jessie.yml
+++ b/php/tasks/php_jessie.yml
@ -50,7 +50,7 @@
  copy:
    dest: "{{ phpini_cli_custom_file }}"
    content: |
-      # Put customized values here.
+      ; Put customized values here.
    force: no

 - name: "Set custom values for PHP to enable Symfony (jessie)"
--- a/php/tasks/php_stretch.yml
+++ b/php/tasks/php_stretch.yml
@ -51,7 +51,8 @@
  copy:
    dest: "{{ phpini_cli_custom_file }}"
    content: |
-      # Put customized values here.
+      ; Put customized values here.
+      ; default_charset = "ISO-8859-1"
    force: no

 - name: "Set custom values for PHP to enable Symfony (Debian 9 or later)"
--- a/squid/tasks/logrotate.yml
+++ b/squid/tasks/logrotate.yml
@ -2,5 +2,5 @@
 - name: logrotate configuration
  template:
    src: logrotate.j2
-    dest: /etc/logrotate.d/{{ squid_daemoname }}
+    dest: /etc/logrotate.d/{{ squid_daemon_name }}
    force: no
--- a/squid/tasks/main.yml
+++ b/squid/tasks/main.yml
@ -7,12 +7,12 @@

 - name: "Set squid name (jessie)"
  set_fact:
-    squid_daemoname: squid3
+    squid_daemon_name: squid3
  when: ansible_distribution_release == "jessie"

 - name: "Set squid name (Debian 9 or later)"
  set_fact:
-    squid_daemoname: squid
+    squid_daemon_name: squid
  when: ansible_distribution_major_version | version_compare('9', '>=')

 - name: "Install Squid packages"
@ -20,7 +20,7 @@
    name: '{{ item }}'
    state: present
  with_items:
-  - "{{ squid_daemoname }}"
+  - "{{ squid_daemon_name }}"
  - squidclient

 - name: "Set alternative config file (Debian 9 or later)"
@ -40,6 +40,7 @@
  copy:
    src: whitelist-evolinux.conf
    dest: /etc/squid3/whitelist.conf
+    force: no
  notify: "reload squid3"
  when: ansible_distribution_release == "jessie"

@ -113,7 +114,17 @@
    force: no
  when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')

- name: add some URL in whitelist
+- name: add some URL in whitelist (Debian 8)
+  lineinfile:
+    insertafter: EOF
+    dest: /etc/squid3/whitelist.conf
+    line: "{{ item }}"
+    state: present
+  with_items: '{{ squid_whitelist_items }}'
+  notify: "reload squid3"
+  when: ansible_distribution_major_version == '8'
+
+- name: add some URL in whitelist (Debian 9 or later)
  lineinfile:
    insertafter: EOF
    dest: /etc/squid/evolinux-whitelist-custom.conf
--- a/squid/templates/log2mail.j2
+++ b/squid/templates/log2mail.j2
@ -1,4 +1,4 @@
-file = /var/log/{{ squid_daemoname }}/access.log
+file = /var/log/{{ squid_daemon_name }}/access.log
 pattern = "TCP_DENIED"
 mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
 template = /etc/log2mail/mail
--- a/squid/templates/logrotate.j2
+++ b/squid/templates/logrotate.j2
@ -1,4 +1,4 @@
-/var/log/{{ squid_daemoname }}/*.log {
+/var/log/{{ squid_daemon_name }}/*.log {
    monthly
    compress
    rotate 12
@ -6,6 +6,6 @@
    create 640 proxy adm
    sharedscripts
    postrotate
-        test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate
+        test ! -e /var/run/{{ squid_daemon_name }}.pid || /usr/sbin/{{ squid_daemon_name }} -k rotate
    endscript
 }
--- a/varnish/tasks/main.yml
+++ b/varnish/tasks/main.yml
@ -34,10 +34,10 @@
  tags:
  - varnish

- name: Modify Varnish configuration files
+- name: Override Varnish systemd unit
  template:
    src: varnish.conf.j2
-    dest: /etc/systemd/system/varnish.service.d/varnish.conf
+    dest: /etc/systemd/system/varnish.service.d/evolinux.conf
    force: yes
  notify: reload systemd
  tags:
--- a/varnish/templates/varnish.conf.j2
+++ b/varnish/templates/varnish.conf.j2
@ -1,7 +1,5 @@
 # {{ ansible_managed }}

 [Service]
-ExecStart=
 ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
-ExecReload=
 ExecReload=/etc/varnish/reload-vcl.sh
--- a/webapps/evoadmin-web/tasks/user.yml
+++ b/webapps/evoadmin-web/tasks/user.yml
@ -12,12 +12,24 @@
    name: www-evoadmin
    state: present

+- name: "Create www-evoadmin and add to group shadow (jessie)"
+  user:
+    name: www-evoadmin
+    groups: shadow
+    append: yes
+  when: ansible_distribution_release == "jessie"
+
+- name: "Create www-evoadmin (Debian 9 or later)"
+  user:
+    name: www-evoadmin
+  when: ansible_distribution_major_version | version_compare('9', '>=')
+
 - name: Install Git
  apt:
    name: git
    state: present

- name: Clone evoadmin repository
+- name: "Clone evoadmin repository (jessie)"
  git:
    repo: https://forge.evolix.org/evoadmin-web.git
    dest: "{{ evoadmin_document_root}}"
@ -27,7 +39,7 @@
  become_user: "{{ evoadmin_username }}"
  when: ansible_distribution_release == "jessie"

- name: Clone evoadmin repository
+- name: "Clone evoadmin repository (Debian 9 or later)"
  git:
    repo: https://forge.evolix.org/evoadmin-web.git
    dest: "{{ evoadmin_document_root}}"
@ -61,12 +73,6 @@
  with_items:
  - "{{ evoadmin_home_dir}}/www"

- name: Add www-evoadmin to group shadow
-  user:
-    name: www-evoadmin
-    groups: shadow
-    append: yes
-
 - name: Add evoadmin sudoers file
  template:
    src: sudoers.j2
--- a/webapps/evoadmin-web/tasks/web.yml
+++ b/webapps/evoadmin-web/tasks/web.yml
@ -46,9 +46,3 @@
    owner: evoadmin
    group: evoadmin
    force: no
-
- name: add www-evoadmin to shadow group
-  user:
-    name: www-evoadmin
-    groups: shadow
-    append: yes
				`@ -1 +0,0 @@`
				`acme ALL=(ALL:ALL) NOPASSWD: /opt/certbot/certbot-auto`