Merge branch 'unstable' into stable

This commit is contained in:
Jérémy Lecour 2018-11-14 17:15:38 +01:00 committed by Jérémy Lecour
commit 5cbad9911f
32 changed files with 391 additions and 68 deletions


@ -18,6 +18,31 @@ The **patch** part changes incrementally at each release.
### Security
## [9.5.0] - 2018-11-14
### Added
* apache: separate task to update IP whitelist
* evolinux-base: install man package
* evolinux-users: add newaliases handler
* evomaintenance: FROM domain is configurable
* fail2ban: separate task to update IP whitelist
* nginx: add tag for ips management
* nginx: separate task to update IP whitelist
* postfix: enable SSL/TLS client
* ssl: add an SSL role for certificates deployment
* haproxy: add vars for tls configuration
* mysql: logdir can be customized
### Changed
* evocheck: update script from upstream
* evomaintenance: update script from upstream
* mysql: restart service if systemd unit has been patched
### Fixed
* packweb-apache: mod-security config is already included elsewhere
* redis: for permissions on log and lib directories
* redis: fix shell for instance users
## [9.4.2] - 2018-10-12
### Added


@ -6,6 +6,8 @@ Install Apache
Everything is in the `tasks/main.yml` file for now.
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
## Available variables
Main variables are :


@ -10,26 +10,9 @@
force: no
tags:
- apache
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
with_items: "{{ apache_ipaddr_whitelist_present }}"
notify: reload apache
tags:
- apache
- name: remove IP addresses from private IP whitelist
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: absent
with_items: "{{ apache_ipaddr_whitelist_absent }}"
notify: reload apache
tags:
- apache
- name: Load IP whitelist task
include: ip_whitelist.yml
- name: include private IP whitelist for server-status
lineinfile:


@ -0,0 +1,23 @@
---
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
with_items: "{{ apache_ipaddr_whitelist_present }}"
notify: reload apache
tags:
- apache
- ips
- name: remove IP addresses from private IP whitelist
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: absent
with_items: "{{ apache_ipaddr_whitelist_absent }}"
notify: reload apache
tags:
- apache
- ips
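Review bot: Nothing validates the entries of `apache_ipaddr_whitelist_present` before they are written as `Require ip {{ item }}` into a file that, judging by the "include private IP whitelist for server-status" task in tasks/main.yml, gates access to server-status, so a typo or an over-broad value such as a `/0` network is applied and reloaded without any check. An `assert` task ahead of the two `lineinfile` tasks (`that: item | ipaddr` over both lists, using the `ipaddr` filter, which needs the netaddr Python library) would catch that. An address listed in both `_present` and `_absent` also ends up removed because the removal task runs last; a one-line comment above the second task would make that precedence explicit. The nginx copy of this file further down has the same two gaps.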


@ -5,7 +5,7 @@
# powered by Evolix
# Repository: https://gitlab.evolix.org/evolix/evocheck
# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03
# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd
# Disable LANG*
export LANG=C
@ -105,6 +105,10 @@ IS_EVOBACKUP=1
IS_DUPLICATE_FS_LABEL=1
IS_EVOMAINTENANCE_FW=1
IS_EVOLIX_USER=1
IS_EVOACME_CRON=1
IS_EVOACME_LIVELINKS=1
IS_APACHE_CONFENABLED=1
IS_MELTDOWN_SPECTRE=1
#Proper to OpenBSD
IS_SOFTDEP=1
@ -143,7 +147,7 @@ is_pack_samba(){
is_installed(){
for pkg in $*; do
dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1
dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1
done
}
@ -359,7 +363,7 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
if [ -f "$MINIFW_FILE" ]; then
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
if [ "$rulesNumber" -lt 4 ]; then
if [ "$rulesNumber" -lt 2 ]; then
echo 'IS_EVOMAINTENANCE_FW FAILED!'
fi
fi
@ -521,7 +525,9 @@ if [ -e /etc/debian_version ]; then
# Check if no package has been upgraded since $limit.
if [ "$IS_NOTUPGRADED" = 1 ]; then
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
if zgrep -hq upgrade /var/log/dpkg.log*; then
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
fi
if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
# Manual upgrade process
@ -530,8 +536,8 @@ if [ -e /etc/debian_version ]; then
# Regular process
limit=$(date +%s -d "now - 90 days")
fi
if [ -f /var/log/evolinux/00_prepare_system.log ]; then
install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
if [ -d /var/log/installer ]; then
install_date=$(stat -c %Z /var/log/installer)
else
install_date=0
fi
@ -769,6 +775,71 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_EVOLIX_USER" = 1 ]; then
getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!'
fi
if [ "$IS_EVOACME_CRON" = 1 ]; then
if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted
test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!'
# evoacme cron file should be present
test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!'
fi
fi
if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
if [ -x "$(which evoacme)" ]; then
# Sometimes evoacme is installed but no certificates has been generated
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
if [ $numberOfLinks -gt 0 ]; then
for live in /etc/letsencrypt/*/live; do
actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11)
actualCertDate=$(cut -d'/' -f5 <<< $actualLink)
liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9)
certDir=${liveDir%%/live}
lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1)
lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir)
if [[ "$actualCertDate" != "$lastCertDate" ]]; then
echo 'IS_EVOACME_LIVELINKS FAILED!'
break
fi
done
fi
fi
fi
if [ "$IS_APACHE_CONFENABLED" = 1 ]; then
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
# must be replaced by conf-available/ and config files symlinked
# to conf-enabled/
if is_debianversion jessie || is_debianversion stretch; then
if [ -f /etc/apache2/apache2.conf ]; then
test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!'
grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
echo 'IS_APACHE_CONFENABLED FAILED!'
fi
fi
fi
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
# For Stretch, detection is easy as the kernel use
# /sys/devices/system/cpu/vulnerabilities/
if is_debianversion stretch; then
for vuln in meltdown spectre_v1 spectre_v2; do
test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
done
# For Jessie this is quite complicated to verify and we need to use kernel config file
elif is_debianversion jessie; then
if grep -q BOOT_IMAGE= /proc/cmdline; then
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
kernelVer=${kernelPath##*/vmlinuz-}
kernelConfig="config-${kernelVer}"
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
if [ -f /boot/$kernelConfig ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
fi
fi
fi
fi
fi
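Review bot: The stretch branch of IS_MELTDOWN_SPECTRE only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, and that file is present on any kernel recent enough to report, including when its content is `Vulnerable`, so an unmitigated host passes the check. Reading the content is what is wanted: `grep -qE '^(Not affected|Mitigation)' "/sys/devices/system/cpu/vulnerabilities/$vuln" || echo 'IS_MELTDOWN_SPECTRE FAILED!'`. The jessie branch inspects build-time options in `/boot/config-*`, which shows the kernel was built with the mitigations but not whether they are active at runtime (boot parameters can disable them); that limit deserves a comment. In the IS_EVOACME_LIVELINKS hunk above, recovering the symlink target by piping `ls -lhad $live` through `cut` breaks on paths containing spaces and depends on the `ls` date layout; `readlink "$live"` returns the target directly.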


@ -1,6 +1,6 @@
---
### This is taken care of by the evolinux-todo role
### This is taken care of by the evolinux-todo role
# - name: /etc/evolinux exists
# file:
# dest: /etc/evolinux


@ -33,6 +33,7 @@
- curl
- telnet
- traceroute
- man
when: evolinux_packages_diagnostic
- name: Install/Update hardware tools


@ -3,3 +3,7 @@
service:
name: sshd
state: reloaded
- name: newaliases
command: newaliases
changed_when: False


@ -22,7 +22,8 @@ evomaintenance_pg_passwd: Null
evomaintenance_pg_db: Null
evomaintenance_pg_table: Null
evomaintenance_from: "evomaintenance@{{ evolinux_internal_fqdn }}"
evomaintenance_from_domain: "{{ evolinux_internal_fqdn }}"
evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
evomaintenance_urgency_from: mama.doe@example.com


@ -185,7 +185,7 @@ fi
SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"`
PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')"
echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet
echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST}
# send mail
MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@")


@ -6,6 +6,8 @@ Install Fail2ban.
Everything is in the `tasks/main.yml` file.
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
## Available variables
Main variables are :


@ -0,0 +1,10 @@
---
- name: Update ignoreips lists
ini_file:
dest: /etc/fail2ban/jail.local
section: "[DEFAULT]"
option: "ignoreips"
value: "{{ fail2ban_ignore_ips | join(' ') }}"
notify: restart fail2ban
tags:
- fail2ban
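Review bot: The `ini_file` task is unlikely to produce a setting fail2ban reads: the option fail2ban knows is `ignoreip` (no trailing s), and `ini_file` takes the bare section name, so `section: "[DEFAULT]"` writes a `[[DEFAULT]]` header instead of editing the existing `[DEFAULT]` section. Both were already present in tasks/main.yml before this move, but the effect is that the whitelist never takes effect and the listed addresses can still be banned; the fix is `section: DEFAULT` and `option: ignoreip`. Unlike the apache and nginx `ip_whitelist.yml` files added in this commit, this task is not tagged `ips`, so a `--tags ips` run skips it; adding `- ips` under `tags` keeps the three files consistent.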


@ -28,13 +28,8 @@
tags:
- fail2ban
- name: update ignoreips lists
ini_file:
dest: /etc/fail2ban/jail.local
section: "[DEFAULT]"
option: "ignoreips"
value: "{{ fail2ban_ignore_ips | join(' ') }}"
notify: restart fail2ban
- name: Include ignoredips update task
include: ip_whitelist.yml
when: fail2ban_force_update_ignore_ips
tags:
- fail2ban

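--- a/haproxy/vars/main.yml
+++ b/haproxy/vars/main.yml
@@ -0,0 +1,21 @@
+---
+haproxy_ssl_old: |
+# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => old profile
+tune.ssl.default-dh-param 1024
+ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
+ssl-default-bind-options no-tls-tickets
+ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
+ssl-default-server-options no-tls-tickets
+haproxy_ssl_intermediate: |
+# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => intermediate profile
+tune.ssl.default-dh-param 2048
+ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ssl-default-bind-options no-sslv3 no-tls-tickets
+ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ssl-default-server-options no-sslv3 no-tls-tickets
+haproxy_ssl_modern: |
+# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => modern profile
+ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets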
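Review bot: `haproxy_ssl_old` keeps `tune.ssl.default-dh-param 1024` and 3DES suites (`DES-CBC3-SHA`), which is the legacy-client profile and markedly weaker than the other two; a comment inside the block scalar stating that it is only to be selected when such clients are a hard requirement would keep it from being chosen casually. The three blocks are pasted from the Mozilla generator but record neither the generator version nor the date, so drift from upstream cannot be tracked; a line such as `# generated <YYYY-MM-DD> with server-side-tls <VERSION>` (placeholders to fill in) in each block fixes that. Because these live in `vars/main.yml` they take role-vars precedence and cannot be overridden from inventory; if operators are expected to tune the cipher policy, `defaults/main.yml` is the place.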


@ -41,7 +41,7 @@
stat:
path: /etc/nagios/nrpe.d/evolix.cfg
register: nrpe_evolix_cfg
- name: check_minifirewall is available for NRPE
lineinfile:
dest: /etc/nagios/nrpe.d/evolix.cfg


@ -13,6 +13,7 @@ mysql_replace_root_with_mysqladmin: True
mysql_custom_datadir: ''
mysql_custom_tmpdir: ''
mysql_custom_logdir: ''
mysql_thread_cache_size: '{{ ansible_processor_cores }}'
mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M'


@ -37,8 +37,9 @@
force: yes
register: mariadb_systemd_override
- name: reload systemd
- name: reload systemd and restart MariaDB
systemd:
name: mysql
daemon_reload: yes
notify: "{{ mysql_restart_handler_name }}"
when: mariadb_systemd_override.changed

mysql/tasks/logdir.yml Normal file

@ -0,0 +1,45 @@
---
- block:
- name: "Is {{ mysql_custom_logdir }} present ?"
stat:
path: "{{ mysql_custom_logdir }}"
check_mode: no
register: mysql_custom_logdir_test
- name: "read the real logdir"
command: readlink -f /var/log/mysql
changed_when: False
check_mode: no
register: mysql_current_real_logdir_test
tags:
- mysql
when: mysql_custom_logdir != ''
- block:
- name: MySQL is stopped
service:
name: mysql
state: stopped
- name: Move MySQL logdir to {{ mysql_custom_logdir }}
command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }}
args:
creates: "{{ mysql_custom_logdir }}"
- name: Symlink {{ mysql_custom_logdir }} to /var/log/mysql
file:
src: "{{ mysql_custom_logdir }}"
dest: '/var/log/mysql'
state: link
- name: MySQL is started
service:
name: mysql
state: started
tags:
- mysql
when:
- mysql_custom_logdir != ''
- mysql_custom_logdir != mysql_current_real_logdir_test.stdout
- not mysql_custom_logdir_test.stat.exists
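Review bot: `command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }}` interpolates both paths unquoted, so an empty readlink result (for example when `/var/log/mysql` does not exist) runs `mv` with a single argument and any path containing whitespace splits into several arguments; quoting as `command: mv "{{ mysql_current_real_logdir_test.stdout }}" "{{ mysql_custom_logdir }}"` and adding `mysql_current_real_logdir_test.stdout != ''` to the second block's `when` list closes both cases. On Debian the mysqld AppArmor profile, where it is enforced, confines log writes to `/var/log/mysql/`, and the new symlink points outside that path; if datadir.yml already carries a profile override for the data directory the same is needed here, which I cannot see from this hunk. The `creates: "{{ mysql_custom_logdir }}"` argument is what makes the move idempotent on re-runs and deserves a one-line comment.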


@ -23,6 +23,8 @@
- include: datadir.yml
- include: logdir.yml
- include: tmpdir.yml
- include: nrpe.yml


@ -12,6 +12,8 @@ The minimal mode is for servers without real web apps, and only access to munin
The regular mode is for full fledged web services with optimized defaults.
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
## Available variables
Main variables are :


@ -0,0 +1,23 @@
---
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/ipaddr_whitelist
line: "allow {{ item }};"
state: present
with_items: "{{ nginx_ipaddr_whitelist_present }}"
notify: reload nginx
tags:
- nginx
- ips
- name: remove IP addresses from private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/ipaddr_whitelist
line: "allow {{ item }};"
state: absent
with_items: "{{ nginx_ipaddr_whitelist_absent }}"
notify: reload nginx
tags:
- nginx
- ips


@ -49,26 +49,10 @@
notify: reload nginx
tags:
- nginx
- ips
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/ipaddr_whitelist
line: "allow {{ item }};"
state: present
with_items: "{{ nginx_ipaddr_whitelist_present }}"
notify: reload nginx
tags:
- nginx
- name: remove IP addresses from private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/ipaddr_whitelist
line: "allow {{ item }};"
state: absent
with_items: "{{ nginx_ipaddr_whitelist_absent }}"
notify: reload nginx
tags:
- nginx
- name: Include IP address whitelist task
include: ip_whitelist.yml
- name: Copy private_htpasswd
copy:


@ -18,7 +18,7 @@ SecUploadKeepFiles Off
# default action
SecDefaultAction "log,auditlog,deny,status:406,phase:2"
SecAuditEngine RelevantOnly
SecAuditEngine Off
#SecAuditLogRelevantStatus "^[45]"
# use only one log file
SecAuditLogType Serial
@ -39,10 +39,9 @@ SecTmpDir /tmp
# RULES
#########
# File name
SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
# Complete URI
SecRule REQUEST_URI "modsecuritytest2" "id:2"
SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
# Removed because it does not play well with apache-itk
# Can be removed when modsecurity 2.9.3 hits debian
# See https://github.com/SpiderLabs/ModSecurity/issues/712
SecRuleRemoveById "910000-910999"
</IfModule>
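Review bot: `SecAuditEngine Off` removes the audit log for requests the engine blocks, so a request denied by the `SecDefaultAction` above leaves only the error_log line and no record of the matched request, which is the evidence an incident responder needs. If the goal is to cut noise, the commented `SecAuditLogRelevantStatus "^[45]"` on the next line together with `SecAuditEngine RelevantOnly` limits the audit log to error responses while keeping the record for denied requests. A comment stating why the audit engine is disabled would let a later reader decide whether to re-enable it.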


@ -71,3 +71,9 @@
- include: fhs_retrictions.yml
when: packweb_fhs_retrictions
- name: Periodically cache ftp directory sizes for ftpadmin.sh
cron:
name: "ProFTPd directory size caching"
special_time: daily
job: "/usr/share/scripts/evoadmin/stats.sh"
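Review bot: The `cron` task sets no `user`, so the entry is installed for the account Ansible runs the task as, which for these roles is typically root, and `stats.sh` then runs daily with full privileges. If the script only needs to read the FTP directories, an explicit `user:` naming a less privileged account (or `user: root` when root really is required) records the choice instead of leaving it implicit. Whether the script needs root cannot be seen from this hunk.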


@ -13,6 +13,12 @@ recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
disable_vrfy_command = yes
# enable SSL/TLS client
smtp_tls_security_level = may
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
{% if postfix_slow_transport_include == True %}
# Slow transports configuration
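Review bot: At `smtp_tls_security_level = may` the client connection is opportunistic and unauthenticated, and `smtp_tls_mandatory_protocols` only applies at `encrypt` or stricter levels, so the line that actually governs here is `smtp_tls_protocols`; keeping the mandatory line is harmless, but a comment such as `# mandatory_* settings only take effect if security_level is raised to encrypt` would avoid the impression that it restricts anything. The block mixes `key = value` and `key=value` on adjacent lines while the surrounding file uses spaces around `=`. The same block is added to the second main.cf template further down.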


@ -389,11 +389,19 @@ strict_rfc821_envelopes = yes
# Section : Chiffrement
#######################
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 1
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
# SASL
smtpd_sasl_auth_enable = yes
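Review bot: On the new side `smtpd_tls_session_cache_database` appears twice in the same section, once in the added block and once after `smtpd_use_tls=yes`; if both survive, Postfix warns about the duplicate and the last value wins, so one of them should go. `smtpd_use_tls=yes` is the pre-2.3 parameter that `smtpd_tls_security_level = may` supersedes, and with both set the security_level form takes precedence, so the old line can be dropped to leave a single source of truth. The cert and key still point at the snakeoil self-signed pair, which is existing configuration, but worth a comment if the new ssl role in this commit is meant to supply a real certificate.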


@ -38,7 +38,7 @@
group:
name: "redis-{{ redis_instance_name }}"
state: present
system: True
system: True
tags:
- redis
@ -47,8 +47,8 @@
name: "redis-{{ redis_instance_name }}"
group: "redis-{{ redis_instance_name }}"
state: present
system: True
shell: '/bin/falase'
system: True
shell: '/bin/false'
tags:
- redis
@ -60,7 +60,9 @@
owner: "redis-{{ redis_instance_name }}"
group: "redis-{{ redis_instance_name }}"
with_items:
- "/var/lib/redis"
- "{{ redis_dbdir }}"
- "/var/log/redis"
- "{{ redis_logfile | dirname }}"
tags:
- redis
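Review bot: The `file` task now chowns `{{ redis_logfile | dirname }}` to `redis-{{ redis_instance_name }}`; when several instances log under the same parent directory (for example all under `/var/log/redis`), each run hands that shared directory to the last instance's user and the other instances lose write access to it. Restricting this item to the instance's own log file, or giving each instance its own directory, avoids that, and the same question applies to `{{ redis_dbdir }}` if instances share a parent. If `redis_logfile` may be empty (logging to stdout), `dirname` yields an empty path and the task fails, so that case needs a `when`. I cannot see the defaults for these variables from this hunk.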

ssl/README.md Normal file

@ -0,0 +1,9 @@
# ssl
Deploy SSL certificate, key, dhparams and concatenate them when needed (eg. with Haproxy).
## Available variables
* `ssl_cert`: name of SSL certificate which is going to be deployed
eg. `ssl_cert: "example.com"` deploy files/ssl/example.com.{pem|key|dhp}

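--- a/ssl/handlers/main.yml
+++ b/ssl/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload haproxy
+service:
+name: haproxy
+state: reloaded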

ssl/meta/main.yml Normal file

@ -0,0 +1,20 @@
galaxy_info:
author: Evolix
description: Deployment of SSL certificate, key and dhparams
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
license: GPLv2
min_ansible_version: 2.2
platforms:
- name: Debian
versions:
- jessie
- stretch
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.

ssl/tasks/haproxy.yml Normal file

@ -0,0 +1,33 @@
---
- name: Concatenate SSL certificate, key and dhparam
set_fact:
ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n"
with_fileglob:
- "ssl/{{ ssl_cert }}.pem"
- "ssl/{{ ssl_cert }}.key"
- "ssl/{{ ssl_cert }}.dhp"
tags:
- ssl
- name: Create haproxy ssl directory
file:
dest: /etc/haproxy/ssl
state: directory
mode: "0700"
tags:
- ssl
- name: Copy concatenated certificate and key
copy:
content: "{{ ssl_cat }}"
dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem"
mode: "0600"
notify: reload haproxy
tags:
- ssl
- name: Reset ssl_cat variable
set_fact:
ssl_cat: ""
tags:
- ssl
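Review bot: The `set_fact` task folds the private key from `ssl/{{ ssl_cert }}.key` into the `ssl_cat` fact and the following `copy` writes it from `content:`, so the key material shows up in verbose output, in `--diff` output and in any fact cache; both tasks need `no_log: true`, as does the `Copy SSL key` task in ssl/tasks/main.yml. The trailing `Reset ssl_cat variable` task clears the fact for later plays but does not undo that exposure. `with_fileglob` also skips a pattern that matches nothing, so a missing `.key` yields a concatenated file without the key and haproxy only fails at reload; a `stat`/`assert` on the three source files before concatenation, or `with_items` with `lookup('file', ...)` so that a missing file raises, would surface the error earlier.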

ssl/tasks/main.yml Normal file

@ -0,0 +1,39 @@
---
- name: Copy SSL certificate
copy:
src: "ssl/{{ ssl_cert }}.pem"
dest: "/etc/ssl/certs/{{ ssl_cert }}.pem"
mode: "0644"
register: ssl_copy_cert
tags:
- ssl
- name: Copy SSL key
copy:
src: "ssl/{{ ssl_cert }}.key"
dest: "/etc/ssl/private/{{ ssl_cert }}.key"
mode: "0600"
register: ssl_copy_key
tags:
- ssl
- name: Copy SSL dhparam
copy:
src: "ssl/{{ ssl_cert }}.dhp"
dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp"
mode: "0644"
register: ssl_copy_dhp
tags:
- ssl
- name: Check if Haproxy is installed
command: dpkg -l haproxy
register: haproxy_check
check_mode: False
changed_when: False
failed_when: False
tags:
- ssl
- include: haproxy.yml
when: haproxy_check.rc == 0
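Review bot: `dpkg -l haproxy` exits 0 whenever dpkg knows the package name, including after a remove that leaves the configuration behind, so `haproxy_check.rc == 0` can include haproxy.yml on a host where haproxy is no longer installed. The evocheck script in this same commit tests the status column instead (`dpkg -l $pkg | grep -q -E '^(i|h)i'`); `shell: dpkg -l haproxy | grep -q -E '^(i|h)i'` here would match that, or a `stat` of `/etc/haproxy` with `when: haproxy_dir.stat.exists`. The three `register:` results (`ssl_copy_cert`, `ssl_copy_key`, `ssl_copy_dhp`) are not consumed in this file; if nothing else reads them, a comment saying what they are for, or removing them, would help.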