diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index e83d85c6..c11b453c 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -24,12 +24,13 @@ register: git_config_user_email ignore_errors: yes -- name: set commit author +- name: "set commit author" set_fact: - etc_git_commit_options: "{ --author \"{{ ansible_env.SUDO_USER |default(\"root\")}} <{{ git_config_user_email.config_value |default(\"root@localhost\")}}>\"" + commit_author: '{% if ansible_env.SUDO_USER == "" %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}' + commit_email: '{% if git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}' -- name: /etc modifications are committed - shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}" +- name: "/etc modifications are committed" + shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\"" args: chdir: /etc register: etc_commit_end_run diff --git a/evoacme/defaults/main.yml b/evoacme/defaults/main.yml index 0cdffca9..4194b5aa 100644 --- a/evoacme/defaults/main.yml +++ b/evoacme/defaults/main.yml @@ -6,7 +6,7 @@ evoacme_acme_dir: /var/lib/letsencrypt evoacme_csr_dir: /etc/ssl/requests evoacme_crt_dir: /etc/letsencrypt evoacme_log_dir: /var/log/evoacme -evoacme_ssl_minday: 15 +evoacme_ssl_minday: 30 evoacme_ssl_ct: 'FR' evoacme_ssl_state: 'France' evoacme_ssl_loc: 'Marseille' diff --git a/evoacme/files/certbot.cron b/evoacme/files/certbot.cron index 84a22241..a7c4eef2 100755 --- a/evoacme/files/certbot.cron +++ b/evoacme/files/certbot.cron 
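Review bot: The new `commit_author` fact fails when the play is not run through sudo: `ansible_env.SUDO_USER == ""` raises an undefined-variable error instead of falling back to root, whereas the removed line covered that case with `|default("root")`; `commit_email` has the same problem when the preceding `git config` lookup failed (it carries `ignore_errors: yes`) and `config_value` is absent. Jinja's two-argument default handles both the missing and the empty case: `commit_author: "{{ ansible_env.SUDO_USER | default('root', true) }}"` and `commit_email: "{{ git_config_user_email.config_value | default('root@localhost', true) }}"`. Both values are still spliced into a `shell:` command line, so keep them inside the double quotes as the new `git commit` task does.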
@@ -1,17 +1,14 @@ #!/bin/sh +# +# Run evoacme script on every configured cert +# +# Author: Victor Laborie +# Licence: AGPLv3 +# [ -f /etc/default/evoacme ] && . /etc/default/evoacme [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' -[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' -find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do - evoacme $vhost -done - -# Compatibility with older version of evoacme -find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type f -name "*.crt" -exec basename {} .crt \; | while read vhost; do - [ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf - [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf - rm ${CRT_DIR}/${vhost}.crt ${CRT_DIR}/${vhost}-chain.pem ${CRT_DIR}/${vhost}-fullchain.pem - evoacme $vhost +find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do + evoacme "$vhost" done diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index d0940944..ffbf22ac 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh 
@@ -1,62 +1,84 @@ -#!/bin/bash +#!/bin/sh +# +# evoacme is a shell script to manage Let's Encrypt certificate with +# certbot tool but with a dedicated user (no-root) and from a csr +# +# Author: Victor Laborie +# Licence: AGPLv3 +# -[ -f /etc/default/evoacme ] && . /etc/default/evoacme -[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' -[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' -[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' -[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' -[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' +usage() { + echo "Usage: $0 NAME" + echo "" + echo "NAME must be correspond to :" + echo "- a CSR in ${CSR_DIR}/NAME.csr" + echo "- a KEY in ${SSL_KEY_DIR}/NAME.key" + echo "" +} -vhost=$(basename $1 .conf) -DATE=$(date "+%Y%m%d") +mkconf_apache() { + [ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf" + apache2ctl -t 2>/dev/null && service apache2 reload +} -SSL_EMAIL=$(grep emailAddress ${CRT_DIR}/openssl.cnf|cut -d'=' -f2|xargs) -if [ -n "$SSL_EMAIL" ]; then - emailopt="--email $SSL_EMAIL" -else - emailopt="--register-unsafely-without-email" -fi +mkconf_nginx() { + [ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf" + nginx -t 2>/dev/null && service nginx reload +} -# Check master status for evoadmin-cluster -if [ -f /home/${vhost}/state ]; then - grep -q "STATE=master" /home/${vhost}/state - [ $? 
-ne 0 ] && exit 0 -fi +mkconf_haproxy() { + mkdir -p /etc/ssl/haproxy -m 700 + cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem" + [ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem" + haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload +} -if [ -h $CRT_DIR/${vhost}/live ]; then - crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}/live/cert.crt|sed -e "s/.*=//"` - date_crt=`date -ud "$crt_end_date" +"%s"` - date_today=`date +'%s'` - date_diff=$(( ( $date_crt - $date_today ) / (60*60*24) )) - [ $date_diff -ge $SSL_MINDAY ] && exit 0 -fi - -mkdir -pm 755 $CRT_DIR/${vhost} $CRT_DIR/${vhost}/${DATE} -chown -R acme: $CRT_DIR/${vhost} -sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}/${DATE}/cert.crt --fullchain-path=$CRT_DIR/${vhost}/${DATE}/fullchain.pem --chain-path=$CRT_DIR/${vhost}/${DATE}/chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util) - -if [ $? -eq 0 ]; then - ln -sf $CRT_DIR/${vhost}/${DATE} $CRT_DIR/${vhost}/live - which apache2ctl>/dev/null - if [ $? -eq 0 ]; then - [ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" /etc/apache2/ssl/${vhost}.conf - apache2ctl -t 2>/dev/null - [ $? -eq 0 ] && service apache2 reload - fi - which nginx>/dev/null - if [ $? -eq 0 ]; then - [ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf - nginx -t 2>/dev/null - [ $? -eq 0 ] && service nginx reload - fi +main() { + [ -f /etc/default/evoacme ] && . 
/etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + [ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam' + [ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme' - which haproxy>/dev/null - if [ $? -eq 0 ]; then - mkdir -p /etc/ssl/haproxy -m 700 - cat $CRT_DIR/${vhost}/live/fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem - [ -f $DH_DIR/${vhost} ] && cat $DH_DIR/${vhost} >> /etc/ssl/haproxy/${vhost}.pem - haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null - [ $? -eq 0 ] && service haproxy reload + [ "$#" -ne 1 ] && usage && exit 1 + + vhost=$(basename "$1" .conf) + + # Check master status for evoadmin-cluster + if [ -f "/home/${vhost}/state" ]; then + grep -q "STATE=master" "/home/${vhost}/state" || exit 0 fi - exit 0 -fi + + SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs) + if [ -n "$SSL_EMAIL" ]; then + emailopt="-m $SSL_EMAIL" + else + emailopt="--register-unsafely-without-email" + fi + DATE=$(date "+%Y%m%d") + + if [ -h "$CRT_DIR/${vhost}/live" ]; then + crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//") + date_crt=$(date -ud "$crt_end_date" +"%s") + date_today=$(date +'%s') + date_diff=$(((date_crt - date_today) / (60*60*24))) + [ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0 + fi + rm -rf "$CRT_DIR/${vhost}/${DATE}" + mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}" + chown -R acme: "$CRT_DIR/${vhost}" + sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util" + if [ -f 
"$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then + rm -f "$CRT_DIR/${vhost}/live" + ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live" + which apache2ctl >/dev/null && mkconf_apache + which nginx >/dev/null && mkconf_nginx + which haproxy >/dev/null && mkconf_haproxy + else + rmdir "$CRT_DIR/${vhost}/${DATE}" + fi +} + +main "$@" diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 5b2c9298..844847ab 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh 
@@ -1,114 +1,151 @@ -#!/bin/bash +#!/bin/sh +# +# make-csr is a shell script designed to automatically generate a +# certificate signing request (CSR) from an Apache or a Nginx vhost +# +# Author: Victor Laborie +# Licence: AGPLv3 +# -[ -f /etc/default/evoacme ] && source /etc/default/evoacme -[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' -[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' -[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' - -shopt -s extglob - -vhost=$(basename $1 .conf) -vhostfiles=$(ls -1 /etc/{nginx,apache2}/sites-enabled/${vhost}?(.conf) 2>/dev/null) - -if [ $(echo "${vhostfiles}"|wc -l) -lt 1 ]; then - echo "$vhost doesn't exist !" - exit 1 -fi - -for vhostfile in "${vhostfiles}"; do - break; -done - -if [ -f $SSL_KEY_DIR/${vhost}.key ]; then - read -p "$vhost key already exist, overwrite it ? (y)" -n 1 -r - echo "" - if [[ ! $REPLY =~ ^[Yy]$ ]]; then - exit 1 +get_domains() { + echo "$vhostfile"|grep -q nginx + if [ "$?" -eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq) fi - rm -f /etc/apache2/ssl/${vhost}.conf - rm -f /etc/nginx/ssl/${vhost}.conf -fi - -SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) -openssl genrsa -out $SSL_KEY_DIR/${vhost}.key $SSL_KEY_SIZE -chown root: $SSL_KEY_DIR/${vhost}.key -chmod 600 $SSL_KEY_DIR/${vhost}.key - -nb=0 - -echo $vhostfile |grep -q nginx -if [ $? -eq 0 ]; then - domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq` -fi - -echo $vhostfile |grep -q apache2 -if [ $? 
-eq 0 ]; then - domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq` -fi - -valid_domains='' -srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") - -echo "Valid Domain(s) for $vhost :" -for domain in $domains -do - real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+") - for ip in $(echo $srv_ip|xargs -n1); do - if [ "${ip}" == "${real_ip}" ]; then - valid_domains="$valid_domains $domain" - nb=$(( nb + 1 )) - echo "- $domain" - fi - done -done - -if [ $nb -eq 0 ]; then - nb=`echo $domains|wc -l` - echo "No valid domains : $domains" >&2 -else - domains=$valid_domains -fi - -mkdir -p $CSR_DIR -m 0755 - -if [ $nb -eq 1 ]; then - openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -config <(cat /etc/letsencrypt/openssl.cnf <(printf "CN=$domains")) -out $CSR_DIR/${vhost}.csr -elif [ $nb -gt 1 ]; then - san='' - for domain in $domains - do - san="$san,DNS:$domain" - done - san=`echo $san|sed 's/,//'` - openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -reqexts SAN -config <(cat /etc/letsencrypt/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > $CSR_DIR/${vhost}.csr -fi - -if [ -f $CSR_DIR/${vhost}.csr ]; then - chmod 644 $CSR_DIR/${vhost}.csr - mkdir -p $SELF_SIGNED_DIR -m 0755 - openssl x509 -req -sha256 -days 365 -in $CSR_DIR/${vhost}.csr -signkey $SSL_KEY_DIR/${vhost}.key -out $SELF_SIGNED_DIR/${vhost}.pem - if [ -f $SELF_SIGNED_DIR/${vhost}.pem ]; then - chmod 644 $SELF_SIGNED_DIR/${vhost}.pem + + echo "$vhostfile" |grep -q apache2 + if [ "$?" 
-eq 0 ]; then + domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq) fi -fi + valid_domains="" + nb=0 + + echo "Valid(s) domain(s) in $vhost :" + for domain in $domains; do + real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+") + for ip in $(echo "$SRV_IP"|xargs -n1); do + if [ "${ip}" = "${real_ip}" ]; then + valid_domains="$valid_domains $domain" + nb=$(( nb + 1 )) + echo "* $domain -> $real_ip" + fi + done + done + + if [ "$nb" -eq 0 ]; then + nb=$(echo "$domains"|wc -l) + echo "* No valid domain found" + echo "All following(s) domain(s) will be used for CSR creation :" + for domain in $domains; do + echo "* $domain" + done + else + domains="$valid_domains" + fi + domains=$(echo "$domains"|xargs -n1) +} -if [ -d /etc/apache2 ]; then +make_key() { + openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null + chown root: "$SSL_KEY_DIR/${vhost}.key" + chmod 600 "$SSL_KEY_DIR/${vhost}.key" +} + +make_csr() { + domains="$1" + nb=$(echo "$domains"|wc -l) + config_file="/tmp/make-csr-${vhost}.conf" + + mkdir -p "$CSR_DIR" -m 0755 + + if [ "$nb" -eq 1 ]; then + cat /etc/letsencrypt/openssl.cnf - > "$config_file" < "$config_file" < "$CSR_DIR/${vhost}.csr" + fi + + if [ -f "$CSR_DIR/${vhost}.csr" ]; then + chmod 644 "$CSR_DIR/${vhost}.csr" + mkdir -p "$SELF_SIGNED_DIR" -m 0755 + openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem" + [ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem" + fi +} + +mkconf_apache() { mkdir -p /etc/apache2/ssl - if [ ! 
-f /etc/apache2/ssl/${vhost}.conf ]; then - cat > /etc/apache2/ssl/${vhost}.conf < "/etc/apache2/ssl/${vhost}.conf" < /etc/nginx/ssl/${vhost}.conf < "/etc/nginx/ssl/${vhost}.conf" <&2 + exit 1 + fi + vhost=$(basename "$1" .conf) + local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+") + + [ -f /etc/default/evoacme ] && . /etc/default/evoacme + [ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private' + [ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests' + [ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt' + [ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed' + SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs) + [ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip" + + vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1) + + if [ ! -h "$vhostfile" ]; then + echo "$vhost is not a valid virtualhost !" >&2 + exit 1 + fi + + if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then + echo "$vhost key already exist, overwrite it ? (y)" + read REPLY + [ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0 + rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf" + [ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live" + fi + + get_domains + make_key + make_csr "$domains" + which apache2ctl >/dev/null && mkconf_apache + which nginx >/dev/null && mkconf_nginx +} + +main "$@" diff --git a/evoacme/files/sudoers b/evoacme/files/sudoers deleted file mode 100644 index 4a43bce3..00000000 --- a/evoacme/files/sudoers +++ /dev/null @@ -1 +0,0 @@ -acme ALL=(ALL:ALL) NOPASSWD: /opt/certbot/certbot-auto diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml index 930f1f25..01e61fdb 100644 --- a/evoacme/tasks/scripts.yml +++ b/evoacme/tasks/scripts.yml 
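Review bot: In `main`, `rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"` quotes both paths as a single argument, so neither old ssl config is removed on the overwrite path and the stale file silently survives; split them: `rm -f "/etc/apache2/ssl/${vhost}.conf" "/etc/nginx/ssl/${vhost}.conf"`. Separately, `make_csr` writes its temporary openssl config to the predictable path `/tmp/make-csr-${vhost}.conf` while running as root, which is the classic symlink race in a world-writable directory; use `config_file=$(mktemp)` and `trap 'rm -f "$config_file"' EXIT` instead (the heredoc bodies that fill this file are garbled in this rendering, so I could not check their content). `vhost` is taken from `$1` through `basename` only, so a value such as `..` is not rejected before it is used in `rm -f` and path construction; a `case "$vhost" in ''|.|..) exit 1;; esac` guard would close that.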
@@ -10,7 +10,7 @@ - name: Copy make-csr.sh script copy: src: files/make-csr.sh - dest: /usr/local/bin/make-csr + dest: /usr/local/sbin/make-csr owner: root group: root mode: "0755" @@ -18,7 +18,15 @@ - name: Copy evoacme script copy: src: files/evoacme.sh - dest: /usr/local/bin/evoacme + dest: /usr/local/sbin/evoacme owner: root group: root mode: "0755" + +- name: Delete scripts in old location + file: + path: "/usr/local/bin/{{ item }}" + state: absent + with_items: + - 'make-csr' + - 'evoacme' diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index c455cafb..2b7273b5 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -1,7 +1,6 @@ --- - -- fail: - msg: You must provide at least 1 ssh trusted IP +- debug: + msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!" when: evolinux_ssh_password_auth_addresses == [] - name: Security directives for Evolinux @@ -16,6 +15,7 @@ insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd + when: not evolinux_ssh_password_auth_addresses == [] # - name: verify Match Address directive # command: "grep 'Match Address' /etc/ssh/sshd_config" diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 94bd3cb4..69e1e8fe 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -6,7 +6,7 @@ minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_ipv6: "on" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" -minifirewall_trusted_ips: [] +minifirewall_trusted_ips: ["0.0.0.0/0"] minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 0d91945f..80acf5d0 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml 
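Review bot: Moving the scripts to `/usr/local/sbin` changes where callers must find them, and `certbot.cron` in this same commit invokes `evoacme` by bare name; if that cron file runs in a context whose PATH is cron's built-in default (`/usr/bin:/bin`) rather than the one set in `/etc/crontab`, the job will fail without any certificate being renewed. Calling it by full path in the cron script, `/usr/local/sbin/evoacme "$vhost"`, or setting PATH at the top of certbot.cron removes the dependency. The 'Delete scripts in old location' task is the right companion change; any other reference to `/usr/local/bin/evoacme` or `make-csr` (not visible in this diff) needs the same treatment.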
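Review bot: Replacing the `fail` with a `debug` message turns an empty `evolinux_ssh_password_auth_addresses` into a silent downgrade: the whole 'Security directives for Evolinux' task is now skipped by the added `when`, so a host provisioned with an empty list gets none of the directives in that block, not only the address-bound Match, and the only trace is one line of play output. The body of that task starts before this hunk, so I cannot tell how much of it is independent of the address list; if part of it is, split the task so the address-independent hardening still applies. The new condition also reads more naturally as `when: evolinux_ssh_password_auth_addresses != []`.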
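Review bot: Defaulting `minifirewall_trusted_ips` to `["0.0.0.0/0"]` means a playbook that forgets to set the variable now deploys a firewall that trusts every source, where before it stopped at the `fail` task in `tasks/config.yml`; a secure-by-default role should keep the empty default and make the operator opt into the wildcard. If the permissive default is intended, say so next to the line, e.g. `# trusts every source by default; override per host`, and make the companion warning in `tasks/config.yml` catch any list containing the wildcard rather than only the exact one-element list: `when: "'0.0.0.0/0' in minifirewall_trusted_ips"`.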
@@ -28,6 +28,9 @@ - fail: msg: You must provide at least 1 trusted IP when: minifirewall_trusted_ips == [] +- debug: + msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!" + when: minifirewall_trusted_ips == ["0.0.0.0/0"] - name: Configure IP addresses blockinfile: diff --git a/mysql/files/evolinux-defaults.cnf b/mysql/files/evolinux-defaults.cnf index 9e3f87d4..395ccac4 100644 --- a/mysql/files/evolinux-defaults.cnf +++ b/mysql/files/evolinux-defaults.cnf @@ -8,7 +8,8 @@ back_log = 100 # Maximum d'erreurs avant de blacklister un hote max_connect_errors = 10 # Loguer les requetes trop longues -slow_query_log = /var/log/mysql/mysql-slow.log +slow_query_log = 1 +slow_query_log_file = /var/log/mysql/mysql-slow.log long_query_time = 10 ###### Tailles @@ -57,3 +58,5 @@ innodb_thread_concurrency = 16 # charset utf8 par defaut character-set-server=utf8 collation-server=utf8_general_ci +# Patch MySQL 5.5.53 +secure-file-priv = "" diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 35d5b5bf..80375330 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml @@ -13,3 +13,7 @@ service: name: mysql state: restarted + +- name: reload systemd + command: systemctl daemon-reload + diff --git a/mysql/tasks/config_jessie.yml b/mysql/tasks/config_jessie.yml index fbd85f01..dcb83a61 100644 --- a/mysql/tasks/config_jessie.yml +++ b/mysql/tasks/config_jessie.yml @@ -1,5 +1,5 @@ --- -- name: Copy MySQL defaults config file +- name: "Copy MySQL defaults config file (jessie)" copy: src: evolinux-defaults.cnf dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf @@ -10,13 +10,13 @@ tags: - mysql -- name: Copy MySQL custom config file +- name: "Copy MySQL custom config file (jessie)" template: src: evolinux-custom.cnf.j2 dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf owner: root group: root - mode: "0640" + mode: "0644" force: no tags: - mysql 
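Review bot: `secure-file-priv = ""` in the second hunk does not merely restore pre-5.5.53 behaviour, it disables the restriction entirely: any account holding the FILE privilege can then `LOAD DATA INFILE` from, or `SELECT ... INTO OUTFILE` to, any path the mysqld user can reach. Pointing it at a dedicated directory keeps the old workflows and the boundary, e.g. `secure-file-priv = /var/lib/mysql-files` with that directory owned by the mysql user, and the comment should state what is being relaxed and why rather than `# Patch MySQL 5.5.53`.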
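Review bot: Loosening `mode` from `"0640"` to `"0644"` on `zzz-evolinux-custom.cnf` makes the rendered template world-readable, which is harmless only if `evolinux-custom.cnf.j2` (not in this diff) never carries credentials such as a `[client]` password. If it can, keep `mode: "0640"` with `group: mysql` instead; the same change appears in `mysql/tasks/config_stretch.yml`. A one-line comment above the task stating that the file holds no secrets would settle the question for the next reader.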
diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index a937c03d..22b2d312 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -1,5 +1,5 @@ --- -- name: Copy MySQL defaults config file +- name: "Copy MySQL defaults config file (Debian 9 or later)" copy: src: evolinux-defaults.cnf dest: /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf @@ -10,13 +10,25 @@ tags: - mysql -- name: Copy MySQL custom config file +- name: "Copy MySQL custom config file (Debian 9 or later)" template: src: evolinux-custom.cnf.j2 dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf owner: root group: root - mode: "0640" + mode: "0644" force: no tags: - mysql + +- name: "Create a system config directory for systemd overrides (Debian 9 or later)" + file: + path: /etc/systemd/system/mariadb.service.d + state: directory + +- name: "Override MariaDB systemd unit (Debian 9 or later)" + template: + src: mariadb.systemd.j2 + dest: /etc/systemd/system/mariadb.service.d/evolinux.conf + force: yes + notify: reload systemd diff --git a/mysql/templates/mariadb.systemd.j2 b/mysql/templates/mariadb.systemd.j2 new file mode 100644 index 00000000..44f1f6e8 --- /dev/null +++ b/mysql/templates/mariadb.systemd.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +[Service] +ProtectHome=false diff --git a/nginx/files/apt/nginx_preferences b/nginx/files/apt/nginx_preferences index 5ff68c38..e8f693bd 100644 --- a/nginx/files/apt/nginx_preferences +++ b/nginx/files/apt/nginx_preferences @@ -1,3 +1,3 @@ -Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libssl1.0.0 +Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libnginx-mod-* libssl1.0.0 Pin: release a=jessie-backports Pin-Priority: 999 diff --git a/nginx/tasks/main_minimal.yml b/nginx/tasks/main_minimal.yml index 1cded8ea..281aed7f 100644 
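Review bot: `ProtectHome=false` in the new drop-in removes a sandboxing directive from the MariaDB unit (upstream ships it enabled), giving mysqld read and write access to `/home`, `/root` and `/run/user`, and nothing in the template says what needs that. Add the reason as a comment, e.g. `# mariadb.service sets ProtectHome=true; relaxed so that <TODO: state the use case> works`, and if only one tree is needed prefer the narrower `ProtectHome=read-only` or a `ReadWritePaths=` entry for that path alone.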
--- a/nginx/tasks/main_minimal.yml +++ b/nginx/tasks/main_minimal.yml @@ -24,7 +24,7 @@ - name: Enable default vhost file: src: /etc/nginx/sites-available/evolinux-default.minimal.conf - dest: /etc/nginx/sites-enabled/default.conf + dest: /etc/nginx/sites-enabled/default state: link notify: reload nginx tags: diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index 380bd0e7..61a0846f 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -1,5 +1,4 @@ --- -ntpd_only_local: True ntpd_servers: - 'ntp.evolix.net' ntpd_acls: diff --git a/ntpd/templates/ntp.conf.j2 b/ntpd/templates/ntp.conf.j2 index 272bb43c..e57dad33 100644 --- a/ntpd/templates/ntp.conf.j2 +++ b/ntpd/templates/ntp.conf.j2 @@ -2,11 +2,6 @@ driftfile /var/lib/ntp/ntp.drift -{% if ntpd_only_local is defined and ntpd_only_local %} -# Only listen on 127.0.0.1 and ::1 -interface ignore wildcard - -{% endif %} # Enable this if you want statistics to be logged. #statsdir /var/log/ntpstats/ @@ -23,7 +18,6 @@ filegen clockstats file clockstats type day enable # pool: #server pool.ntp.org - {% for server in ntpd_servers %} server {{ server }} {% endfor %} diff --git a/php/tasks/apache.yml b/php/tasks/apache.yml index 32e79b4c..179eb1fc 100644 --- a/php/tasks/apache.yml +++ b/php/tasks/apache.yml @@ -55,7 +55,8 @@ copy: dest: "{{ php_apache_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. + ; default_charset = "ISO-8859-1" force: no - name: "Set custom values for PHP to enable Symfony" diff --git a/php/tasks/fpm.yml b/php/tasks/fpm.yml index b3971763..6c31ff5f 100644 --- a/php/tasks/fpm.yml +++ b/php/tasks/fpm.yml @@ -59,7 +59,7 @@ copy: dest: "{{ phpini_fpm_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. force: no - name: Set default PHP FPM values 
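Review bot: Renaming the link from `sites-enabled/default.conf` to `sites-enabled/default` leaves the old symlink in place on hosts provisioned with the previous version, so both links are active and nginx loads the same server block twice, which its config test is likely to reject. Pair it with a cleanup task as `evoacme/tasks/scripts.yml` does in this commit, e.g. `- name: Remove old default vhost link` / `file: { path: /etc/nginx/sites-enabled/default.conf, state: absent }` / `notify: reload nginx`.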
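Review bot: Dropping `ntpd_only_local` together with the `interface ignore wildcard` block in `templates/ntp.conf.j2` makes every deployment bind ntpd on all addresses, with no variable left to opt back into the loopback-only setup that was the default (`True`) before. Whether that is safe now rests entirely on the `ntpd_acls` values (only the key is visible here); they should still end in a `restrict default` line that refuses queries and modification from unknown peers, and the behaviour change belongs in the role's documentation. Keeping the variable with a `false` default would have been the backward-compatible path for hosts that relied on the old setting.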
@@ -85,7 +85,8 @@ copy: dest: "{{ php_fpm_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. + ; default_charset = "ISO-8859-1" force: no - name: "Set custom values for PHP to enable Symfony" diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 5f31671d..62e68aa8 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -50,7 +50,7 @@ copy: dest: "{{ phpini_cli_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. force: no - name: "Set custom values for PHP to enable Symfony (jessie)" diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index 3cb5cf60..d566ab23 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -51,7 +51,8 @@ copy: dest: "{{ phpini_cli_custom_file }}" content: | - # Put customized values here. + ; Put customized values here. + ; default_charset = "ISO-8859-1" force: no - name: "Set custom values for PHP to enable Symfony (Debian 9 or later)" diff --git a/squid/tasks/logrotate.yml b/squid/tasks/logrotate.yml index 8464d309..975c3a96 100644 --- a/squid/tasks/logrotate.yml +++ b/squid/tasks/logrotate.yml @@ -2,5 +2,5 @@ - name: logrotate configuration template: src: logrotate.j2 - dest: /etc/logrotate.d/{{ squid_daemoname }} + dest: /etc/logrotate.d/{{ squid_daemon_name }} force: no diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 542730bb..7c080b44 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -7,12 +7,12 @@ - name: "Set squid name (jessie)" set_fact: - squid_daemoname: squid3 + squid_daemon_name: squid3 when: ansible_distribution_release == "jessie" - name: "Set squid name (Debian 9 or later)" set_fact: - squid_daemoname: squid + squid_daemon_name: squid when: ansible_distribution_major_version | version_compare('9', '>=') - name: "Install Squid packages" 
@@ -20,7 +20,7 @@ name: '{{ item }}' state: present with_items: - - "{{ squid_daemoname }}" + - "{{ squid_daemon_name }}" - squidclient - name: "Set alternative config file (Debian 9 or later)" @@ -40,6 +40,7 @@ copy: src: whitelist-evolinux.conf dest: /etc/squid3/whitelist.conf + force: no notify: "reload squid3" when: ansible_distribution_release == "jessie" @@ -113,7 +114,17 @@ force: no when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=') -- name: add some URL in whitelist +- name: add some URL in whitelist (Debian 8) + lineinfile: + insertafter: EOF + dest: /etc/squid3/whitelist.conf + line: "{{ item }}" + state: present + with_items: '{{ squid_whitelist_items }}' + notify: "reload squid3" + when: ansible_distribution_major_version == '8' + +- name: add some URL in whitelist (Debian 9 or later) lineinfile: insertafter: EOF dest: /etc/squid/evolinux-whitelist-custom.conf diff --git a/squid/templates/log2mail.j2 b/squid/templates/log2mail.j2 index 7a025676..f01256c5 100644 --- a/squid/templates/log2mail.j2 +++ b/squid/templates/log2mail.j2 @@ -1,4 +1,4 @@ -file = /var/log/{{ squid_daemoname }}/access.log +file = /var/log/{{ squid_daemon_name }}/access.log pattern = "TCP_DENIED" mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} template = /etc/log2mail/mail diff --git a/squid/templates/logrotate.j2 b/squid/templates/logrotate.j2 index 118e837b..12597d7b 100644 --- a/squid/templates/logrotate.j2 +++ b/squid/templates/logrotate.j2 @@ -1,4 +1,4 @@ -/var/log/{{ squid_daemoname }}/*.log { +/var/log/{{ squid_daemon_name }}/*.log { monthly compress rotate 12 @@ -6,6 +6,6 @@ create 640 proxy adm sharedscripts postrotate - test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate + test ! -e /var/run/{{ squid_daemon_name }}.pid || /usr/sbin/{{ squid_daemon_name }} -k rotate endscript } 
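Review bot: The new 'add some URL in whitelist (Debian 8)' task selects the release with `ansible_distribution_major_version == '8'` while the neighbouring tasks in this file use `ansible_distribution_release == "jessie"` for the same condition; pick one form so the two whitelist tasks cannot drift apart, e.g. `when: ansible_distribution_release == "jessie"`. The `when` of the Debian-9 task lies outside the hunk, so I could not confirm the two are mutually exclusive.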
diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 798f7aec..ffd80889 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -34,10 +34,10 @@ tags: - varnish -- name: Modify Varnish configuration files +- name: Override Varnish systemd unit template: src: varnish.conf.j2 - dest: /etc/systemd/system/varnish.service.d/varnish.conf + dest: /etc/systemd/system/varnish.service.d/evolinux.conf force: yes notify: reload systemd tags: diff --git a/varnish/templates/varnish.conf.j2 b/varnish/templates/varnish.conf.j2 index a60462e2..275e8909 100644 --- a/varnish/templates/varnish.conf.j2 +++ b/varnish/templates/varnish.conf.j2 @@ -1,7 +1,5 @@ # {{ ansible_managed }} [Service] -ExecStart= ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} -ExecReload= ExecReload=/etc/varnish/reload-vcl.sh diff --git a/webapps/evoadmin-web/tasks/user.yml b/webapps/evoadmin-web/tasks/user.yml index 00d151ae..c5e5a35b 100644 --- a/webapps/evoadmin-web/tasks/user.yml +++ b/webapps/evoadmin-web/tasks/user.yml @@ -12,12 +12,24 @@ name: www-evoadmin state: present +- name: "Create www-evoadmin and add to group shadow (jessie)" + user: + name: www-evoadmin + groups: shadow + append: yes + when: ansible_distribution_release == "jessie" + +- name: "Create www-evoadmin (Debian 9 or later)" + user: + name: www-evoadmin + when: ansible_distribution_major_version | version_compare('9', '>=') + - name: Install Git apt: name: git state: present -- name: Clone evoadmin repository +- name: "Clone evoadmin repository (jessie)" git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root}}" 
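Review bot: Renaming the drop-in from `varnish.conf` to `evolinux.conf` leaves the old file in `/etc/systemd/system/varnish.service.d/` on hosts provisioned before this change, and systemd merges every drop-in in that directory, so after the next `daemon-reload` both override files apply. Add a task that removes the old name, e.g. `- name: Remove old Varnish override` / `file: { path: /etc/systemd/system/varnish.service.d/varnish.conf, state: absent }` / `notify: reload systemd`.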
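Review bot: Removing the empty `ExecStart=` and `ExecReload=` lines breaks the override for a non-oneshot unit: in a drop-in, a further `ExecStart=` is appended to the packaged one rather than replacing it, and systemd refuses to start a service with more than one ExecStart unless it is `Type=oneshot`. Keep the two reset lines immediately before the new values (`ExecStart=` then `ExecStart=/usr/sbin/varnishd ...`, `ExecReload=` then `ExecReload=/etc/varnish/reload-vcl.sh`). If they were dropped because the target unit is oneshot, a comment saying so would stop the next reader from putting them back.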
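Review bot: The jessie-only task puts the web server account `www-evoadmin` in group `shadow`, which grants the application read access to every password hash on the host; the hunk gives no reason, and the Debian-9 task deliberately omits it. Add a comment stating the dependency, e.g. `# jessie: evoadmin reads /etc/shadow for <TODO: confirm the reason>; not needed on Debian 9+`, so a later reviewer can judge whether it can go. The task just above (context `name: www-evoadmin` / `state: present`, its module key outside the hunk) appears to create the account already, so the two new tasks might fold into it with a conditional `groups:`.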
@@ -27,7 +39,7 @@ become_user: "{{ evoadmin_username }}" when: ansible_distribution_release == "jessie" -- name: Clone evoadmin repository +- name: "Clone evoadmin repository (Debian 9 or later)" git: repo: https://forge.evolix.org/evoadmin-web.git dest: "{{ evoadmin_document_root}}" @@ -61,12 +73,6 @@ with_items: - "{{ evoadmin_home_dir}}/www" -- name: Add www-evoadmin to group shadow - user: - name: www-evoadmin - groups: shadow - append: yes - - name: Add evoadmin sudoers file template: src: sudoers.j2 diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 75584a35..0944c2cd 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -46,9 +46,3 @@ owner: evoadmin group: evoadmin force: no - -- name: add www-evoadmin to shadow group - user: - name: www-evoadmin - groups: shadow - append: yes