Merge branch 'unstable' into stable
This commit is contained in:
commit
5bc0c597c7
|
@ -24,12 +24,13 @@
|
||||||
register: git_config_user_email
|
register: git_config_user_email
|
||||||
ignore_errors: yes
|
ignore_errors: yes
|
||||||
|
|
||||||
- name: set commit author
|
- name: "set commit author"
|
||||||
set_fact:
|
set_fact:
|
||||||
etc_git_commit_options: "{ --author \"{{ ansible_env.SUDO_USER |default(\"root\")}} <{{ git_config_user_email.config_value |default(\"root@localhost\")}}>\""
|
commit_author: '{% if ansible_env.SUDO_USER == "" %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
|
||||||
|
commit_email: '{% if git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
|
||||||
|
|
||||||
- name: /etc modifications are committed
|
- name: "/etc modifications are committed"
|
||||||
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}"
|
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
|
||||||
args:
|
args:
|
||||||
chdir: /etc
|
chdir: /etc
|
||||||
register: etc_commit_end_run
|
register: etc_commit_end_run
|
||||||
|
|
|
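Review bot: The new `commit_author` fact reads `ansible_env.SUDO_USER` directly, so a play that runs as root without sudo (no `SUDO_USER` in the environment) fails with an undefined-variable error where the removed `|default("root")` used to fall back; the test should be `{% if ansible_env.SUDO_USER is not defined or ansible_env.SUDO_USER == "" %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}`. The same concern applies to `commit_email`: `ignore_errors: yes` on the preceding `git_config` read lets the play continue on failure, and what `git_config_user_email.config_value` holds in that case is not visible here — please confirm it is defined. Both facts are then interpolated into the `shell` command line unescaped; passing them through the `quote` filter, e.g. `--author {{ (commit_author ~ ' <' ~ commit_email ~ '>') | quote }}`, keeps a stray quote in a user name or address from breaking the command.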
@ -6,7 +6,7 @@ evoacme_acme_dir: /var/lib/letsencrypt
|
||||||
evoacme_csr_dir: /etc/ssl/requests
|
evoacme_csr_dir: /etc/ssl/requests
|
||||||
evoacme_crt_dir: /etc/letsencrypt
|
evoacme_crt_dir: /etc/letsencrypt
|
||||||
evoacme_log_dir: /var/log/evoacme
|
evoacme_log_dir: /var/log/evoacme
|
||||||
evoacme_ssl_minday: 15
|
evoacme_ssl_minday: 30
|
||||||
evoacme_ssl_ct: 'FR'
|
evoacme_ssl_ct: 'FR'
|
||||||
evoacme_ssl_state: 'France'
|
evoacme_ssl_state: 'France'
|
||||||
evoacme_ssl_loc: 'Marseille'
|
evoacme_ssl_loc: 'Marseille'
|
||||||
|
|
|
@ -1,17 +1,14 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# Run evoacme script on every configured cert
|
||||||
|
#
|
||||||
|
# Author: Victor Laborie <vlaborie@evolix.fr>
|
||||||
|
# Licence: AGPLv3
|
||||||
|
#
|
||||||
|
|
||||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
|
||||||
|
|
||||||
find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
|
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
|
||||||
evoacme $vhost
|
evoacme "$vhost"
|
||||||
done
|
|
||||||
|
|
||||||
# Compatibility with older version of evoacme
|
|
||||||
find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type f -name "*.crt" -exec basename {} .crt \; | while read vhost; do
|
|
||||||
[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf
|
|
||||||
[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf
|
|
||||||
rm ${CRT_DIR}/${vhost}.crt ${CRT_DIR}/${vhost}-chain.pem ${CRT_DIR}/${vhost}-fullchain.pem
|
|
||||||
evoacme $vhost
|
|
||||||
done
|
done
|
||||||
|
|
|
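Review bot: The final loop reads `find` output with a bare `while read vhost`, which strips backslashes and surrounding whitespace from directory names; `while IFS= read -r vhost; do` is the safe spelling and matters because each name becomes a path under `${CRT_DIR}` inside `evoacme`. `! -path "*accounts"` excludes any directory whose name merely ends in `accounts`, not only the one presumably kept by certbot — `! -name accounts` says what is meant. `evoacme` is invoked by bare name while the tasks later in this commit move the scripts to `/usr/local/sbin`, so confirm the cron environment's PATH includes that directory or call it by absolute path.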
@ -1,62 +1,84 @@
|
||||||
#!/bin/bash
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# evoacme is a shell script to manage Let's Encrypt certificate with
|
||||||
|
# certbot tool but with a dedicated user (no-root) and from a csr
|
||||||
|
#
|
||||||
|
# Author: Victor Laborie <vlaborie@evolix.fr>
|
||||||
|
# Licence: AGPLv3
|
||||||
|
#
|
||||||
|
|
||||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
usage() {
|
||||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
echo "Usage: $0 NAME"
|
||||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
echo ""
|
||||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
echo "NAME must be correspond to :"
|
||||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
echo "- a CSR in ${CSR_DIR}/NAME.csr"
|
||||||
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
|
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
|
||||||
|
echo ""
|
||||||
|
}
|
||||||
|
|
||||||
vhost=$(basename $1 .conf)
|
mkconf_apache() {
|
||||||
DATE=$(date "+%Y%m%d")
|
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||||
|
apache2ctl -t 2>/dev/null && service apache2 reload
|
||||||
|
}
|
||||||
|
|
||||||
SSL_EMAIL=$(grep emailAddress ${CRT_DIR}/openssl.cnf|cut -d'=' -f2|xargs)
|
mkconf_nginx() {
|
||||||
if [ -n "$SSL_EMAIL" ]; then
|
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||||
emailopt="--email $SSL_EMAIL"
|
nginx -t 2>/dev/null && service nginx reload
|
||||||
else
|
}
|
||||||
emailopt="--register-unsafely-without-email"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check master status for evoadmin-cluster
|
mkconf_haproxy() {
|
||||||
if [ -f /home/${vhost}/state ]; then
|
mkdir -p /etc/ssl/haproxy -m 700
|
||||||
grep -q "STATE=master" /home/${vhost}/state
|
cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem"
|
||||||
[ $? -ne 0 ] && exit 0
|
[ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem"
|
||||||
fi
|
haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
|
||||||
|
}
|
||||||
|
|
||||||
if [ -h $CRT_DIR/${vhost}/live ]; then
|
main() {
|
||||||
crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}/live/cert.crt|sed -e "s/.*=//"`
|
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
date_crt=`date -ud "$crt_end_date" +"%s"`
|
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||||
date_today=`date +'%s'`
|
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||||
date_diff=$(( ( $date_crt - $date_today ) / (60*60*24) ))
|
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||||
[ $date_diff -ge $SSL_MINDAY ] && exit 0
|
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||||
fi
|
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
|
||||||
|
[ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme'
|
||||||
mkdir -pm 755 $CRT_DIR/${vhost} $CRT_DIR/${vhost}/${DATE}
|
|
||||||
chown -R acme: $CRT_DIR/${vhost}
|
|
||||||
sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}/${DATE}/cert.crt --fullchain-path=$CRT_DIR/${vhost}/${DATE}/fullchain.pem --chain-path=$CRT_DIR/${vhost}/${DATE}/chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util)
|
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
ln -sf $CRT_DIR/${vhost}/${DATE} $CRT_DIR/${vhost}/live
|
|
||||||
which apache2ctl>/dev/null
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" /etc/apache2/ssl/${vhost}.conf
|
|
||||||
apache2ctl -t 2>/dev/null
|
|
||||||
[ $? -eq 0 ] && service apache2 reload
|
|
||||||
fi
|
|
||||||
which nginx>/dev/null
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf
|
|
||||||
nginx -t 2>/dev/null
|
|
||||||
[ $? -eq 0 ] && service nginx reload
|
|
||||||
fi
|
|
||||||
|
|
||||||
which haproxy>/dev/null
|
[ "$#" -ne 1 ] && usage && exit 1
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
mkdir -p /etc/ssl/haproxy -m 700
|
vhost=$(basename "$1" .conf)
|
||||||
cat $CRT_DIR/${vhost}/live/fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem
|
|
||||||
[ -f $DH_DIR/${vhost} ] && cat $DH_DIR/${vhost} >> /etc/ssl/haproxy/${vhost}.pem
|
# Check master status for evoadmin-cluster
|
||||||
haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null
|
if [ -f "/home/${vhost}/state" ]; then
|
||||||
[ $? -eq 0 ] && service haproxy reload
|
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
|
||||||
fi
|
fi
|
||||||
exit 0
|
|
||||||
fi
|
SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs)
|
||||||
|
if [ -n "$SSL_EMAIL" ]; then
|
||||||
|
emailopt="-m $SSL_EMAIL"
|
||||||
|
else
|
||||||
|
emailopt="--register-unsafely-without-email"
|
||||||
|
fi
|
||||||
|
DATE=$(date "+%Y%m%d")
|
||||||
|
|
||||||
|
if [ -h "$CRT_DIR/${vhost}/live" ]; then
|
||||||
|
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//")
|
||||||
|
date_crt=$(date -ud "$crt_end_date" +"%s")
|
||||||
|
date_today=$(date +'%s')
|
||||||
|
date_diff=$(((date_crt - date_today) / (60*60*24)))
|
||||||
|
[ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0
|
||||||
|
fi
|
||||||
|
rm -rf "$CRT_DIR/${vhost}/${DATE}"
|
||||||
|
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
|
||||||
|
chown -R acme: "$CRT_DIR/${vhost}"
|
||||||
|
sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
|
||||||
|
if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then
|
||||||
|
rm -f "$CRT_DIR/${vhost}/live"
|
||||||
|
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
|
||||||
|
which apache2ctl >/dev/null && mkconf_apache
|
||||||
|
which nginx >/dev/null && mkconf_nginx
|
||||||
|
which haproxy >/dev/null && mkconf_haproxy
|
||||||
|
else
|
||||||
|
rmdir "$CRT_DIR/${vhost}/${DATE}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
main "$@"
|
||||||
|
|
|
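Review bot: The certbot call in `main` now passes `"$emailopt"` quoted, but when `SSL_EMAIL` is set the variable holds the two words `-m <address>`, so certbot receives them as one argument containing a space instead of an option and its value; either keep `$emailopt` unquoted as the old code did or make it a single word, `emailopt="--email=$SSL_EMAIL"`. `SSL_MINDAY` and `ACME_DIR` are read from `/etc/default/evoacme` but get no fallback next to the other defaults at the top of `main`, so a missing file leaves `[ "$date_diff" -ge "$SSL_MINDAY" ]` failing and the renewal running on every invocation; `[ -z "${SSL_MINDAY}" ] && SSL_MINDAY='30'` would match `evoacme_ssl_minday: 30` in this commit's role defaults. In `mkconf_haproxy` the concatenated certificate+key file is created with the caller's umask, so add `chmod 600 "/etc/ssl/haproxy/${vhost}.pem"` after the `cat` rather than relying on the directory mode alone to protect the private key.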
@ -1,114 +1,151 @@
|
||||||
#!/bin/bash
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# make-csr is a shell script designed to automatically generate a
|
||||||
|
# certificate signing request (CSR) from an Apache or a Nginx vhost
|
||||||
|
#
|
||||||
|
# Author: Victor Laborie <vlaborie@evolix.fr>
|
||||||
|
# Licence: AGPLv3
|
||||||
|
#
|
||||||
|
|
||||||
[ -f /etc/default/evoacme ] && source /etc/default/evoacme
|
get_domains() {
|
||||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
echo "$vhostfile"|grep -q nginx
|
||||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
if [ "$?" -eq 0 ]; then
|
||||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
|
||||||
|
|
||||||
shopt -s extglob
|
|
||||||
|
|
||||||
vhost=$(basename $1 .conf)
|
|
||||||
vhostfiles=$(ls -1 /etc/{nginx,apache2}/sites-enabled/${vhost}?(.conf) 2>/dev/null)
|
|
||||||
|
|
||||||
if [ $(echo "${vhostfiles}"|wc -l) -lt 1 ]; then
|
|
||||||
echo "$vhost doesn't exist !"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
for vhostfile in "${vhostfiles}"; do
|
|
||||||
break;
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -f $SSL_KEY_DIR/${vhost}.key ]; then
|
|
||||||
read -p "$vhost key already exist, overwrite it ? (y)" -n 1 -r
|
|
||||||
echo ""
|
|
||||||
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
|
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
rm -f /etc/apache2/ssl/${vhost}.conf
|
|
||||||
rm -f /etc/nginx/ssl/${vhost}.conf
|
echo "$vhostfile" |grep -q apache2
|
||||||
fi
|
if [ "$?" -eq 0 ]; then
|
||||||
|
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
|
||||||
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
|
||||||
openssl genrsa -out $SSL_KEY_DIR/${vhost}.key $SSL_KEY_SIZE
|
|
||||||
chown root: $SSL_KEY_DIR/${vhost}.key
|
|
||||||
chmod 600 $SSL_KEY_DIR/${vhost}.key
|
|
||||||
|
|
||||||
nb=0
|
|
||||||
|
|
||||||
echo $vhostfile |grep -q nginx
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq`
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo $vhostfile |grep -q apache2
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
|
|
||||||
fi
|
|
||||||
|
|
||||||
valid_domains=''
|
|
||||||
srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
|
||||||
|
|
||||||
echo "Valid Domain(s) for $vhost :"
|
|
||||||
for domain in $domains
|
|
||||||
do
|
|
||||||
real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+")
|
|
||||||
for ip in $(echo $srv_ip|xargs -n1); do
|
|
||||||
if [ "${ip}" == "${real_ip}" ]; then
|
|
||||||
valid_domains="$valid_domains $domain"
|
|
||||||
nb=$(( nb + 1 ))
|
|
||||||
echo "- $domain"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ $nb -eq 0 ]; then
|
|
||||||
nb=`echo $domains|wc -l`
|
|
||||||
echo "No valid domains : $domains" >&2
|
|
||||||
else
|
|
||||||
domains=$valid_domains
|
|
||||||
fi
|
|
||||||
|
|
||||||
mkdir -p $CSR_DIR -m 0755
|
|
||||||
|
|
||||||
if [ $nb -eq 1 ]; then
|
|
||||||
openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -config <(cat /etc/letsencrypt/openssl.cnf <(printf "CN=$domains")) -out $CSR_DIR/${vhost}.csr
|
|
||||||
elif [ $nb -gt 1 ]; then
|
|
||||||
san=''
|
|
||||||
for domain in $domains
|
|
||||||
do
|
|
||||||
san="$san,DNS:$domain"
|
|
||||||
done
|
|
||||||
san=`echo $san|sed 's/,//'`
|
|
||||||
openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -reqexts SAN -config <(cat /etc/letsencrypt/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > $CSR_DIR/${vhost}.csr
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f $CSR_DIR/${vhost}.csr ]; then
|
|
||||||
chmod 644 $CSR_DIR/${vhost}.csr
|
|
||||||
mkdir -p $SELF_SIGNED_DIR -m 0755
|
|
||||||
openssl x509 -req -sha256 -days 365 -in $CSR_DIR/${vhost}.csr -signkey $SSL_KEY_DIR/${vhost}.key -out $SELF_SIGNED_DIR/${vhost}.pem
|
|
||||||
if [ -f $SELF_SIGNED_DIR/${vhost}.pem ]; then
|
|
||||||
chmod 644 $SELF_SIGNED_DIR/${vhost}.pem
|
|
||||||
fi
|
fi
|
||||||
fi
|
valid_domains=""
|
||||||
|
nb=0
|
||||||
|
|
||||||
|
echo "Valid(s) domain(s) in $vhost :"
|
||||||
|
for domain in $domains; do
|
||||||
|
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||||
|
for ip in $(echo "$SRV_IP"|xargs -n1); do
|
||||||
|
if [ "${ip}" = "${real_ip}" ]; then
|
||||||
|
valid_domains="$valid_domains $domain"
|
||||||
|
nb=$(( nb + 1 ))
|
||||||
|
echo "* $domain -> $real_ip"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ "$nb" -eq 0 ]; then
|
||||||
|
nb=$(echo "$domains"|wc -l)
|
||||||
|
echo "* No valid domain found"
|
||||||
|
echo "All following(s) domain(s) will be used for CSR creation :"
|
||||||
|
for domain in $domains; do
|
||||||
|
echo "* $domain"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
domains="$valid_domains"
|
||||||
|
fi
|
||||||
|
domains=$(echo "$domains"|xargs -n1)
|
||||||
|
}
|
||||||
|
|
||||||
if [ -d /etc/apache2 ]; then
|
make_key() {
|
||||||
|
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
|
||||||
|
chown root: "$SSL_KEY_DIR/${vhost}.key"
|
||||||
|
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
|
||||||
|
}
|
||||||
|
|
||||||
|
make_csr() {
|
||||||
|
domains="$1"
|
||||||
|
nb=$(echo "$domains"|wc -l)
|
||||||
|
config_file="/tmp/make-csr-${vhost}.conf"
|
||||||
|
|
||||||
|
mkdir -p "$CSR_DIR" -m 0755
|
||||||
|
|
||||||
|
if [ "$nb" -eq 1 ]; then
|
||||||
|
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||||
|
CN=$domains
|
||||||
|
EOF
|
||||||
|
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
|
||||||
|
elif [ "$nb" -gt 1 ]; then
|
||||||
|
san=''
|
||||||
|
for domain in $domains
|
||||||
|
do
|
||||||
|
san="$san,DNS:$domain"
|
||||||
|
done
|
||||||
|
san=$(echo "$san"|sed 's/,//')
|
||||||
|
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||||
|
[SAN]
|
||||||
|
subjectAltName=$san
|
||||||
|
EOF
|
||||||
|
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
|
||||||
|
chmod 644 "$CSR_DIR/${vhost}.csr"
|
||||||
|
mkdir -p "$SELF_SIGNED_DIR" -m 0755
|
||||||
|
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||||
|
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
mkconf_apache() {
|
||||||
mkdir -p /etc/apache2/ssl
|
mkdir -p /etc/apache2/ssl
|
||||||
if [ ! -f /etc/apache2/ssl/${vhost}.conf ]; then
|
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
|
||||||
cat > /etc/apache2/ssl/${vhost}.conf <<EOF
|
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
|
||||||
SSLEngine On
|
SSLEngine On
|
||||||
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
|
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
|
||||||
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
|
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
|
||||||
EOF
|
EOF
|
||||||
|
else
|
||||||
|
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||||
fi
|
fi
|
||||||
fi
|
}
|
||||||
|
|
||||||
if [ -d /etc/nginx ]; then
|
mkconf_nginx() {
|
||||||
mkdir -p /etc/nginx/ssl
|
mkdir -p /etc/nginx/ssl
|
||||||
if [ ! -f /etc/nginx/ssl/${vhost}.conf ]; then
|
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
|
||||||
cat > /etc/nginx/ssl/${vhost}.conf <<EOF
|
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
|
||||||
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
|
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
|
||||||
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
|
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
|
||||||
EOF
|
EOF
|
||||||
|
else
|
||||||
|
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||||
fi
|
fi
|
||||||
fi
|
}
|
||||||
|
|
||||||
|
main() {
|
||||||
|
if [ "$#" -ne 1 ]; then
|
||||||
|
echo "You need to provide one argument !" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
vhost=$(basename "$1" .conf)
|
||||||
|
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||||
|
|
||||||
|
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||||
|
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||||
|
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||||
|
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||||
|
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||||
|
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
||||||
|
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
|
||||||
|
|
||||||
|
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
|
||||||
|
|
||||||
|
if [ ! -h "$vhostfile" ]; then
|
||||||
|
echo "$vhost is not a valid virtualhost !" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
|
||||||
|
echo "$vhost key already exist, overwrite it ? (y)"
|
||||||
|
read REPLY
|
||||||
|
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
|
||||||
|
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
|
||||||
|
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
|
||||||
|
fi
|
||||||
|
|
||||||
|
get_domains
|
||||||
|
make_key
|
||||||
|
make_csr "$domains"
|
||||||
|
which apache2ctl >/dev/null && mkconf_apache
|
||||||
|
which nginx >/dev/null && mkconf_nginx
|
||||||
|
}
|
||||||
|
|
||||||
|
main "$@"
|
||||||
|
|
|
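Review bot: `make_csr` writes its OpenSSL config to the predictable path `/tmp/make-csr-${vhost}.conf` with a plain `>` redirection while running as root in a world-writable directory, so a symlink pre-placed at that name makes root overwrite whatever it points to, and the file is never removed afterwards. Create it with `config_file=$(mktemp) || exit 1` followed by `trap 'rm -f "$config_file"' EXIT`, or write it under `$CSR_DIR`, which the script itself creates. Separately, in `main` the line `rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"` quotes both paths as one argument, so with `-f` it silently removes nothing; split it into `rm -f "/etc/apache2/ssl/${vhost}.conf" "/etc/nginx/ssl/${vhost}.conf"`. `make_key` also passes `"$SSL_KEY_SIZE"` to `openssl genrsa`, which is an empty argument when `default_bits` is absent from `/etc/letsencrypt/openssl.cnf` — a default or an explicit check there avoids an unexpected key size or a confusing failure.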
@ -1 +0,0 @@
|
||||||
acme ALL=(ALL:ALL) NOPASSWD: /opt/certbot/certbot-auto
|
|
|
@ -10,7 +10,7 @@
|
||||||
- name: Copy make-csr.sh script
|
- name: Copy make-csr.sh script
|
||||||
copy:
|
copy:
|
||||||
src: files/make-csr.sh
|
src: files/make-csr.sh
|
||||||
dest: /usr/local/bin/make-csr
|
dest: /usr/local/sbin/make-csr
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
@ -18,7 +18,15 @@
|
||||||
- name: Copy evoacme script
|
- name: Copy evoacme script
|
||||||
copy:
|
copy:
|
||||||
src: files/evoacme.sh
|
src: files/evoacme.sh
|
||||||
dest: /usr/local/bin/evoacme
|
dest: /usr/local/sbin/evoacme
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: Delete scripts in old location
|
||||||
|
file:
|
||||||
|
path: "/usr/local/bin/{{ item }}"
|
||||||
|
state: absent
|
||||||
|
with_items:
|
||||||
|
- 'make-csr'
|
||||||
|
- 'evoacme'
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
---
|
---
|
||||||
|
- debug:
|
||||||
- fail:
|
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
||||||
msg: You must provide at least 1 ssh trusted IP
|
|
||||||
when: evolinux_ssh_password_auth_addresses == []
|
when: evolinux_ssh_password_auth_addresses == []
|
||||||
|
|
||||||
- name: Security directives for Evolinux
|
- name: Security directives for Evolinux
|
||||||
|
@ -16,6 +15,7 @@
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
notify: reload sshd
|
notify: reload sshd
|
||||||
|
when: not evolinux_ssh_password_auth_addresses == []
|
||||||
|
|
||||||
# - name: verify Match Address directive
|
# - name: verify Match Address directive
|
||||||
# command: "grep 'Match Address' /etc/ssh/sshd_config"
|
# command: "grep 'Match Address' /etc/ssh/sshd_config"
|
||||||
|
|
|
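Review bot: The new `fail` guard only fires when `evolinux_ssh_password_auth_addresses` is exactly `[]`, and since the `when:` on the "Security directives for Evolinux" task is removed in the second hunk, other empty values such as `None` or `""` now reach the `lineinfile` unchecked — presumably producing a `Match Address` directive without addresses. A more robust condition is `when: (evolinux_ssh_password_auth_addresses | default([])) | length == 0`. The `msg:` value is an unquoted plain scalar; quoting it is consistent with the other messages in this commit.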
@ -6,7 +6,7 @@ minifirewall_checkout_path: "/tmp/minifirewall"
|
||||||
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
||||||
minifirewall_ipv6: "on"
|
minifirewall_ipv6: "on"
|
||||||
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
|
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
|
||||||
minifirewall_trusted_ips: []
|
minifirewall_trusted_ips: ["0.0.0.0/0"]
|
||||||
minifirewall_privilegied_ips: []
|
minifirewall_privilegied_ips: []
|
||||||
|
|
||||||
minifirewall_protected_ports_tcp: [22]
|
minifirewall_protected_ports_tcp: [22]
|
||||||
|
|
|
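Review bot: Changing the default of `minifirewall_trusted_ips` from `[]` to `["0.0.0.0/0"]` makes the role fail open: a host provisioned without an explicit value now trusts every source address, and the `fail` task that previously caught the empty list can no longer trigger from the defaults. A firewall role should keep the empty, failing default and require the operator to opt in; if an open default is really wanted, document it next to the key, e.g. `# "0.0.0.0/0" trusts every source address; set an explicit list in production`. The `debug` warning added in the task file does not change this, since it only prints.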
@ -28,6 +28,9 @@
|
||||||
- fail:
|
- fail:
|
||||||
msg: You must provide at least 1 trusted IP
|
msg: You must provide at least 1 trusted IP
|
||||||
when: minifirewall_trusted_ips == []
|
when: minifirewall_trusted_ips == []
|
||||||
|
- debug:
|
||||||
|
msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!"
|
||||||
|
when: minifirewall_trusted_ips == ["0.0.0.0/0"]
|
||||||
|
|
||||||
- name: Configure IP addresses
|
- name: Configure IP addresses
|
||||||
blockinfile:
|
blockinfile:
|
||||||
|
|
|
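Review bot: The new warning tests `minifirewall_trusted_ips == ["0.0.0.0/0"]`, an exact list comparison, so a list that also contains other networks passes silently although it is just as open; `when: '"0.0.0.0/0" in minifirewall_trusted_ips'` catches the membership case. A `debug` message is easy to miss in a long run — since the condition means the filter is ineffective, consider making it a `fail` that can be bypassed with an explicit variable, or at least a `pause`.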
@ -8,7 +8,8 @@ back_log = 100
|
||||||
# Maximum d'erreurs avant de blacklister un hote
|
# Maximum d'erreurs avant de blacklister un hote
|
||||||
max_connect_errors = 10
|
max_connect_errors = 10
|
||||||
# Loguer les requetes trop longues
|
# Loguer les requetes trop longues
|
||||||
slow_query_log = /var/log/mysql/mysql-slow.log
|
slow_query_log = 1
|
||||||
|
slow_query_log_file = /var/log/mysql/mysql-slow.log
|
||||||
long_query_time = 10
|
long_query_time = 10
|
||||||
|
|
||||||
###### Tailles
|
###### Tailles
|
||||||
|
@ -57,3 +58,5 @@ innodb_thread_concurrency = 16
|
||||||
# charset utf8 par defaut
|
# charset utf8 par defaut
|
||||||
character-set-server=utf8
|
character-set-server=utf8
|
||||||
collation-server=utf8_general_ci
|
collation-server=utf8_general_ci
|
||||||
|
# Patch MySQL 5.5.53
|
||||||
|
secure-file-priv = ""
|
||||||
|
|
|
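Review bot: `secure-file-priv = ""` under the new `# Patch MySQL 5.5.53` comment disables the restriction entirely, so any account holding the FILE privilege can `LOAD DATA INFILE` / `SELECT ... INTO OUTFILE` against every path the mysqld user can reach; the 5.5.53 change the comment refers to tightened that default, and an empty value is the least safe setting. Point it at a dedicated directory instead, e.g. `secure-file-priv = /var/lib/mysql-files`, and say in the comment why the restriction is relaxed so the next reader does not mistake it for a compatibility fix.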
@ -13,3 +13,7 @@
|
||||||
service:
|
service:
|
||||||
name: mysql
|
name: mysql
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: reload systemd
|
||||||
|
command: systemctl daemon-reload
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: Copy MySQL defaults config file
|
- name: "Copy MySQL defaults config file (jessie)"
|
||||||
copy:
|
copy:
|
||||||
src: evolinux-defaults.cnf
|
src: evolinux-defaults.cnf
|
||||||
dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf
|
dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf
|
||||||
|
@ -10,13 +10,13 @@
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
|
|
||||||
- name: Copy MySQL custom config file
|
- name: "Copy MySQL custom config file (jessie)"
|
||||||
template:
|
template:
|
||||||
src: evolinux-custom.cnf.j2
|
src: evolinux-custom.cnf.j2
|
||||||
dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf
|
dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0640"
|
mode: "0644"
|
||||||
force: no
|
force: no
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
|
|
|
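Review bot: `mode: "0640"` → `"0644"` on `zzz-evolinux-custom.cnf` widens the file to world-readable, and the same change appears in the Debian 9 task file further down; nothing in the commit explains why. If `evolinux-custom.cnf.j2` can carry anything sensitive (credentials or the like — the template is not visible here), keep `0640` with a `group:` the server runs as instead; please confirm the template's contents before merging.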
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: Copy MySQL defaults config file
|
- name: "Copy MySQL defaults config file (Debian 9 or later)"
|
||||||
copy:
|
copy:
|
||||||
src: evolinux-defaults.cnf
|
src: evolinux-defaults.cnf
|
||||||
dest: /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf
|
dest: /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf
|
||||||
|
@ -10,13 +10,25 @@
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
|
|
||||||
- name: Copy MySQL custom config file
|
- name: "Copy MySQL custom config file (Debian 9 or later)"
|
||||||
template:
|
template:
|
||||||
src: evolinux-custom.cnf.j2
|
src: evolinux-custom.cnf.j2
|
||||||
dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf
|
dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0640"
|
mode: "0644"
|
||||||
force: no
|
force: no
|
||||||
tags:
|
tags:
|
||||||
- mysql
|
- mysql
|
||||||
|
|
||||||
|
- name: "Create a system config directory for systemd overrides (Debian 9 or later)"
|
||||||
|
file:
|
||||||
|
path: /etc/systemd/system/mariadb.service.d
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: "Override MariaDB systemd unit (Debian 9 or later)"
|
||||||
|
template:
|
||||||
|
src: mariadb.systemd.j2
|
||||||
|
dest: /etc/systemd/system/mariadb.service.d/evolinux.conf
|
||||||
|
force: yes
|
||||||
|
notify: reload systemd
|
||||||
|
|
4
mysql/templates/mariadb.systemd.j2
Normal file
4
mysql/templates/mariadb.systemd.j2
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ProtectHome=false
|
|
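Review bot: `ProtectHome=false` in the new drop-in switches off the unit's home-directory sandboxing for MariaDB as a whole, and the template gives no reason. If the need is one directory (a datadir or import path under `/home`), `ReadWritePaths=` or `ReadOnlyPaths=` with that path keeps the rest of `/home` protected (presumably available on the systemd shipped with Debian 9); whichever is chosen, a comment such as `# ProtectHome disabled so mysqld can access <path>, see <ticket>` (placeholders) should document it. Note also that the `reload systemd` handler only runs `daemon-reload`, so the override takes effect at the next MariaDB restart, not when the task runs.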
@ -1,3 +1,3 @@
|
||||||
Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libssl1.0.0
|
Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libnginx-mod-* libssl1.0.0
|
||||||
Pin: release a=jessie-backports
|
Pin: release a=jessie-backports
|
||||||
Pin-Priority: 999
|
Pin-Priority: 999
|
||||||
|
|
|
@ -24,7 +24,7 @@
|
||||||
- name: Enable default vhost
|
- name: Enable default vhost
|
||||||
file:
|
file:
|
||||||
src: /etc/nginx/sites-available/evolinux-default.minimal.conf
|
src: /etc/nginx/sites-available/evolinux-default.minimal.conf
|
||||||
dest: /etc/nginx/sites-enabled/default.conf
|
dest: /etc/nginx/sites-enabled/default
|
||||||
state: link
|
state: link
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
tags:
|
tags:
|
||||||
|
|
|
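Review bot: Changing the link `dest` from `/etc/nginx/sites-enabled/default.conf` to `/etc/nginx/sites-enabled/default` does not remove the old link on hosts configured by the previous version, so after the upgrade both names point at `evolinux-default.minimal.conf` and nginx includes the same server block twice — the `reload nginx` handler then likely fails on a duplicate listen/default_server. Add a preceding task `file: path: /etc/nginx/sites-enabled/default.conf` with `state: absent` and the same `notify` so the rename is idempotent for existing installs.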
@ -1,5 +1,4 @@
|
||||||
---
|
---
|
||||||
ntpd_only_local: True
|
|
||||||
ntpd_servers:
|
ntpd_servers:
|
||||||
- 'ntp.evolix.net'
|
- 'ntp.evolix.net'
|
||||||
ntpd_acls:
|
ntpd_acls:
|
||||||
|
|
|
@ -2,11 +2,6 @@
|
||||||
|
|
||||||
driftfile /var/lib/ntp/ntp.drift
|
driftfile /var/lib/ntp/ntp.drift
|
||||||
|
|
||||||
{% if ntpd_only_local is defined and ntpd_only_local %}
|
|
||||||
# Only listen on 127.0.0.1 and ::1
|
|
||||||
interface ignore wildcard
|
|
||||||
|
|
||||||
{% endif %}
|
|
||||||
# Enable this if you want statistics to be logged.
|
# Enable this if you want statistics to be logged.
|
||||||
#statsdir /var/log/ntpstats/
|
#statsdir /var/log/ntpstats/
|
||||||
|
|
||||||
|
@ -23,7 +18,6 @@ filegen clockstats file clockstats type day enable
|
||||||
# pool: <http://www.pool.ntp.org/join.html>
|
# pool: <http://www.pool.ntp.org/join.html>
|
||||||
|
|
||||||
#server pool.ntp.org
|
#server pool.ntp.org
|
||||||
|
|
||||||
{% for server in ntpd_servers %}
|
{% for server in ntpd_servers %}
|
||||||
server {{ server }}
|
server {{ server }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
|
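Review bot: Removing the `ntpd_only_local` block drops `interface ignore wildcard`, so ntpd now binds every interface instead of only `127.0.0.1`/`::1`, with no replacement in the template; the matching default is deleted from `ntpd/defaults` in the same commit rather than set to `False`, so operators who relied on it have no knob left. An open ntpd is a known reflection/amplification vector, so the listening scope should stay restricted unless `ntpd_acls` actually renders `restrict` lines that deny by default (not visible here — please confirm), and a comment in the template should state that wider exposure is intended.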
@ -55,7 +55,8 @@
|
||||||
copy:
|
copy:
|
||||||
dest: "{{ php_apache_custom_file }}"
|
dest: "{{ php_apache_custom_file }}"
|
||||||
content: |
|
content: |
|
||||||
# Put customized values here.
|
; Put customized values here.
|
||||||
|
; default_charset = "ISO-8859-1"
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
- name: "Set custom values for PHP to enable Symfony"
|
- name: "Set custom values for PHP to enable Symfony"
|
||||||
|
|
|
@ -59,7 +59,7 @@
|
||||||
copy:
|
copy:
|
||||||
dest: "{{ phpini_fpm_custom_file }}"
|
dest: "{{ phpini_fpm_custom_file }}"
|
||||||
content: |
|
content: |
|
||||||
# Put customized values here.
|
; Put customized values here.
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
- name: Set default PHP FPM values
|
- name: Set default PHP FPM values
|
||||||
|
@ -85,7 +85,8 @@
|
||||||
copy:
|
copy:
|
||||||
dest: "{{ php_fpm_custom_file }}"
|
dest: "{{ php_fpm_custom_file }}"
|
||||||
content: |
|
content: |
|
||||||
# Put customized values here.
|
; Put customized values here.
|
||||||
|
; default_charset = "ISO-8859-1"
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
- name: "Set custom values for PHP to enable Symfony"
|
- name: "Set custom values for PHP to enable Symfony"
|
||||||
|
|
|
@ -50,7 +50,7 @@
|
||||||
copy:
|
copy:
|
||||||
dest: "{{ phpini_cli_custom_file }}"
|
dest: "{{ phpini_cli_custom_file }}"
|
||||||
content: |
|
content: |
|
||||||
# Put customized values here.
|
; Put customized values here.
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
- name: "Set custom values for PHP to enable Symfony (jessie)"
|
- name: "Set custom values for PHP to enable Symfony (jessie)"
|
||||||
|
|
|
@ -51,7 +51,8 @@
|
||||||
copy:
|
copy:
|
||||||
dest: "{{ phpini_cli_custom_file }}"
|
dest: "{{ phpini_cli_custom_file }}"
|
||||||
content: |
|
content: |
|
||||||
# Put customized values here.
|
; Put customized values here.
|
||||||
|
; default_charset = "ISO-8859-1"
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
- name: "Set custom values for PHP to enable Symfony (Debian 9 or later)"
|
- name: "Set custom values for PHP to enable Symfony (Debian 9 or later)"
|
||||||
|
|
|
@ -2,5 +2,5 @@
|
||||||
- name: logrotate configuration
|
- name: logrotate configuration
|
||||||
template:
|
template:
|
||||||
src: logrotate.j2
|
src: logrotate.j2
|
||||||
dest: /etc/logrotate.d/{{ squid_daemoname }}
|
dest: /etc/logrotate.d/{{ squid_daemon_name }}
|
||||||
force: no
|
force: no
|
||||||
|
|
|
@ -7,12 +7,12 @@
|
||||||
|
|
||||||
- name: "Set squid name (jessie)"
|
- name: "Set squid name (jessie)"
|
||||||
set_fact:
|
set_fact:
|
||||||
squid_daemoname: squid3
|
squid_daemon_name: squid3
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: "Set squid name (Debian 9 or later)"
|
- name: "Set squid name (Debian 9 or later)"
|
||||||
set_fact:
|
set_fact:
|
||||||
squid_daemoname: squid
|
squid_daemon_name: squid
|
||||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
- name: "Install Squid packages"
|
- name: "Install Squid packages"
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
name: '{{ item }}'
|
name: '{{ item }}'
|
||||||
state: present
|
state: present
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ squid_daemoname }}"
|
- "{{ squid_daemon_name }}"
|
||||||
- squidclient
|
- squidclient
|
||||||
|
|
||||||
- name: "Set alternative config file (Debian 9 or later)"
|
- name: "Set alternative config file (Debian 9 or later)"
|
||||||
|
@ -40,6 +40,7 @@
|
||||||
copy:
|
copy:
|
||||||
src: whitelist-evolinux.conf
|
src: whitelist-evolinux.conf
|
||||||
dest: /etc/squid3/whitelist.conf
|
dest: /etc/squid3/whitelist.conf
|
||||||
|
force: no
|
||||||
notify: "reload squid3"
|
notify: "reload squid3"
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
|
@ -113,7 +114,17 @@
|
||||||
force: no
|
force: no
|
||||||
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
- name: add some URL in whitelist
|
- name: add some URL in whitelist (Debian 8)
|
||||||
|
lineinfile:
|
||||||
|
insertafter: EOF
|
||||||
|
dest: /etc/squid3/whitelist.conf
|
||||||
|
line: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items: '{{ squid_whitelist_items }}'
|
||||||
|
notify: "reload squid3"
|
||||||
|
when: ansible_distribution_major_version == '8'
|
||||||
|
|
||||||
|
- name: add some URL in whitelist (Debian 9 or later)
|
||||||
lineinfile:
|
lineinfile:
|
||||||
insertafter: EOF
|
insertafter: EOF
|
||||||
dest: /etc/squid/evolinux-whitelist-custom.conf
|
dest: /etc/squid/evolinux-whitelist-custom.conf
|
||||||
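Review bot: Adding `force: no` to the `/etc/squid3/whitelist.conf` copy (hunk @ -40,6 +40,7) turns the shipped whitelist into a one-time seed: it stops the copy from clobbering the entries the `lineinfile` task appends to the same file, but it also means later edits to `whitelist-evolinux.conf` are no longer pushed to hosts that already have the file, so tightening the allowlist has to be done through `squid_whitelist_items` or by hand. Worth a comment on that line: `# force: no — seed only; the lineinfile task below manages additions, later changes to the source file are not propagated`. In the whitelist hunk (@ -113,7 +114,17) the new Debian 8 task selects the release with `when: ansible_distribution_major_version == '8'` while the rest of this file uses `ansible_distribution_release == "jessie"`; using one form keeps the conditions consistent and greppable.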
|
|
|
@ -1,4 +1,4 @@
|
||||||
file = /var/log/{{ squid_daemoname }}/access.log
|
file = /var/log/{{ squid_daemon_name }}/access.log
|
||||||
pattern = "TCP_DENIED"
|
pattern = "TCP_DENIED"
|
||||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||||
template = /etc/log2mail/mail
|
template = /etc/log2mail/mail
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/var/log/{{ squid_daemoname }}/*.log {
|
/var/log/{{ squid_daemon_name }}/*.log {
|
||||||
monthly
|
monthly
|
||||||
compress
|
compress
|
||||||
rotate 12
|
rotate 12
|
||||||
|
@ -6,6 +6,6 @@
|
||||||
create 640 proxy adm
|
create 640 proxy adm
|
||||||
sharedscripts
|
sharedscripts
|
||||||
postrotate
|
postrotate
|
||||||
test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate
|
test ! -e /var/run/{{ squid_daemon_name }}.pid || /usr/sbin/{{ squid_daemon_name }} -k rotate
|
||||||
endscript
|
endscript
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,10 +34,10 @@
|
||||||
tags:
|
tags:
|
||||||
- varnish
|
- varnish
|
||||||
|
|
||||||
- name: Modify Varnish configuration files
|
- name: Override Varnish systemd unit
|
||||||
template:
|
template:
|
||||||
src: varnish.conf.j2
|
src: varnish.conf.j2
|
||||||
dest: /etc/systemd/system/varnish.service.d/varnish.conf
|
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
||||||
force: yes
|
force: yes
|
||||||
notify: reload systemd
|
notify: reload systemd
|
||||||
tags:
|
tags:
|
||||||
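Review bot: Renaming the drop-in from `varnish.conf` to `evolinux.conf` leaves the old file in place on hosts already provisioned, and nothing in this hunk removes it. systemd parses drop-ins in lexicographic order, so if both files remain the stale `varnish.conf` is read after `evolinux.conf` and its `ExecStart=` takes precedence, silently undoing any later change to the template. A removal task next to this one closes that gap; the `tags:` list of the template task continues outside the hunk.
```yaml
# … unchanged: "Override Varnish systemd unit" template task …

- name: Remove obsolete Varnish systemd unit override
  file:
    path: /etc/systemd/system/varnish.service.d/varnish.conf
    state: absent
  notify: reload systemd
  tags:
    - varnish
```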
|
|
|
@ -1,7 +1,5 @@
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=
|
|
||||||
ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
|
ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
|
||||||
ExecReload=
|
|
||||||
ExecReload=/etc/varnish/reload-vcl.sh
|
ExecReload=/etc/varnish/reload-vcl.sh
|
||||||
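Review bot: Dropping the empty `ExecStart=` line means this drop-in now adds a second `ExecStart=` on top of the packaged `varnish.service` instead of replacing it; systemd only accepts several `ExecStart=` entries for `Type=oneshot` services and refuses to load the unit otherwise, so unless the base unit no longer defines one (not visible here) varnish will stop starting after this change. Keep the reset, `ExecStart=` on its own line immediately before the new value. The same reasoning applies to `ExecReload=`: without the empty line both the packaged reload command and `/etc/varnish/reload-vcl.sh` run on every reload.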
|
|
|
@ -12,12 +12,24 @@
|
||||||
name: www-evoadmin
|
name: www-evoadmin
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: "Create www-evoadmin and add to group shadow (jessie)"
|
||||||
|
user:
|
||||||
|
name: www-evoadmin
|
||||||
|
groups: shadow
|
||||||
|
append: yes
|
||||||
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
|
- name: "Create www-evoadmin (Debian 9 or later)"
|
||||||
|
user:
|
||||||
|
name: www-evoadmin
|
||||||
|
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||||
|
|
||||||
- name: Install Git
|
- name: Install Git
|
||||||
apt:
|
apt:
|
||||||
name: git
|
name: git
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Clone evoadmin repository
|
- name: "Clone evoadmin repository (jessie)"
|
||||||
git:
|
git:
|
||||||
repo: https://forge.evolix.org/evoadmin-web.git
|
repo: https://forge.evolix.org/evoadmin-web.git
|
||||||
dest: "{{ evoadmin_document_root}}"
|
dest: "{{ evoadmin_document_root}}"
|
||||||
|
@ -27,7 +39,7 @@
|
||||||
become_user: "{{ evoadmin_username }}"
|
become_user: "{{ evoadmin_username }}"
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: Clone evoadmin repository
|
- name: "Clone evoadmin repository (Debian 9 or later)"
|
||||||
git:
|
git:
|
||||||
repo: https://forge.evolix.org/evoadmin-web.git
|
repo: https://forge.evolix.org/evoadmin-web.git
|
||||||
dest: "{{ evoadmin_document_root}}"
|
dest: "{{ evoadmin_document_root}}"
|
||||||
|
@ -61,12 +73,6 @@
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ evoadmin_home_dir}}/www"
|
- "{{ evoadmin_home_dir}}/www"
|
||||||
|
|
||||||
- name: Add www-evoadmin to group shadow
|
|
||||||
user:
|
|
||||||
name: www-evoadmin
|
|
||||||
groups: shadow
|
|
||||||
append: yes
|
|
||||||
|
|
||||||
- name: Add evoadmin sudoers file
|
- name: Add evoadmin sudoers file
|
||||||
template:
|
template:
|
||||||
src: sudoers.j2
|
src: sudoers.j2
|
||||||
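Review bot: Restricting `groups: shadow` to jessie (hunk @ -12,12 +12,24) does not revoke it on Debian 9 or later hosts that were provisioned with the old unconditional task, because `user:` without `groups:` leaves existing supplementary groups untouched, and the task removed at @ -61,12 +73,6 is not replaced by anything that takes the group away. Membership of `shadow` lets www-evoadmin read the password hashes, so the privilege reduction is only effective on fresh installs. Either pass the intended full list on the Debian 9+ task (`groups: ''` with `append: no`, if www-evoadmin is expected to have no other supplementary groups) or document the gap above it: `# NOTE: does not remove www-evoadmin from shadow on hosts provisioned before this change`. The `git:` task that the first hunk ends in continues outside the hunk.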
|
|
|
@ -46,9 +46,3 @@
|
||||||
owner: evoadmin
|
owner: evoadmin
|
||||||
group: evoadmin
|
group: evoadmin
|
||||||
force: no
|
force: no
|
||||||
|
|
||||||
- name: add www-evoadmin to shadow group
|
|
||||||
user:
|
|
||||||
name: www-evoadmin
|
|
||||||
groups: shadow
|
|
||||||
append: yes
|
|
||||||
|
|