From 6e6820805d914ef2186dd4262a7690aa3be2fcac Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 19 Oct 2018 10:31:45 +0200 Subject: [PATCH 01/29] nginx: add tag for ips management --- CHANGELOG.md | 1 + nginx/tasks/main_regular.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 27e6e8ae..0550b77e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added +nginx: add tag for ips management ### Changed diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 559bc5d1..3168529a 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -49,6 +49,7 @@ notify: reload nginx tags: - nginx + - ips - name: add IP addresses to private IP whitelist lineinfile: @@ -59,6 +60,7 @@ notify: reload nginx tags: - nginx + - ips - name: remove IP addresses from private IP whitelist lineinfile: @@ -69,6 +71,7 @@ notify: reload nginx tags: - nginx + - ips - name: Copy private_htpasswd copy: From 83e9f126697e7a754566fa671f3112f0eb40fba5 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 23 Oct 2018 11:38:52 +0200 Subject: [PATCH 02/29] evolinux-base: install man package --- CHANGELOG.md | 1 + evolinux-base/tasks/packages.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0550b77e..ac885f65 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added nginx: add tag for ips management +evolinux-base: install man package ### Changed diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 74b41667..e50045ed 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -33,6 +33,7 @@ - curl - telnet - traceroute + - man when: evolinux_packages_diagnostic - name: Install/Update hardware tools 
From 1871352fe8e4ac49582d4eb9f48ed59e1892ecde Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 31 Oct 2018 02:14:16 +0100 Subject: [PATCH 03/29] enable SSL/TLS client, cf https://wiki.evolix.org/HowtoPostfix#ssltls --- postfix/templates/evolinux_main.cf.j2 | 6 ++++++ postfix/templates/packmail_main.cf.j2 | 12 ++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/postfix/templates/evolinux_main.cf.j2 b/postfix/templates/evolinux_main.cf.j2 index e42a413f..b4499958 100644 --- a/postfix/templates/evolinux_main.cf.j2 +++ b/postfix/templates/evolinux_main.cf.j2 @@ -13,6 +13,12 @@ recipient_delimiter = + inet_interfaces = all inet_protocols = ipv4 disable_vrfy_command = yes +# enable SSL/TLS client +smtp_tls_security_level = may +smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtp_tls_protocols=!SSLv2,!SSLv3 +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_tls_loglevel = 1 {% if postfix_slow_transport_include == True %} # Slow transports configuration diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index 9f14ec50..bee7fe53 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -389,11 +389,19 @@ strict_rfc821_envelopes = yes # Section : Chiffrement ####################### +smtpd_tls_security_level = may +smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtpd_tls_protocols=!SSLv2,!SSLv3 +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtpd_tls_loglevel = 1 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + +smtp_tls_security_level = may +smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 +smtp_tls_protocols=!SSLv2,!SSLv3 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +smtp_tls_loglevel = 1 # SASL smtpd_sasl_auth_enable = yes 
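Review bot: `smtp_tls_mandatory_protocols=!SSLv2,!SSLv3` added in the evolinux_main.cf.j2 hunk has no effect at `smtp_tls_security_level = may`; Postfix consults the mandatory list only at `encrypt` or stricter levels, so only `smtp_tls_protocols` governs the opportunistic handshake configured here, and the same holds for the `smtpd_tls_mandatory_protocols`/`smtp_tls_mandatory_protocols` pairs added in packmail_main.cf.j2. That is harmless as a floor, but `may` also means a peer that does not offer STARTTLS gets plaintext silently, so `smtp_tls_loglevel = 1` is the only place an operator will see which deliveries were encrypted. The comment could say so: `# enable SSL/TLS client (opportunistic: the *_mandatory_* settings only apply at security_level encrypt or above)`. Excluding only SSLv2/SSLv3 still permits TLS 1.0 and 1.1; worth noting in the same comment as the knob to tighten later.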
From c03be65ed97b0f191ba7ff900472e65882c157a6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Nov 2018 10:13:11 +0100 Subject: [PATCH 04/29] evomaintenance: update script from upstream --- CHANGELOG.md | 1 + evomaintenance/files/evomaintenance.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac885f65..03498e41 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ nginx: add tag for ips management evolinux-base: install man package ### Changed +evomaintenance: update script from upstream ### Fixed diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh index 2e01c022..1d22d711 100644 --- a/evomaintenance/files/evomaintenance.sh +++ b/evomaintenance/files/evomaintenance.sh @@ -185,7 +185,7 @@ fi SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"` PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')" -echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet +echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} # send mail MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@") From 3d764549846f0a96d3019aad1739550930934fd1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Nov 2018 10:14:49 +0100 Subject: [PATCH 05/29] update CHANGELOG for postfix --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 03498e41..85f28058 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,8 +11,9 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added -nginx: add tag for ips management evolinux-base: install man package +nginx: add tag for ips management +postfix: enable SSL/TLS client ### Changed evomaintenance: update script from upstream From b776fc3da297c12c18a9b45369bc49f12dd66380 Mon Sep 17 00:00:00 2001 
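Review bot: Only `${TEXTE}` is escaped for SQL before being spliced into `PG_QUERY`; `${HOSTNAME}`, `${USER}`, `${IP}` and `${BEGIN_DATE}` are interpolated raw on the line just above the changed `psql` call, so a single quote in any of them breaks or alters the INSERT. Escape them the same way (`SQL_USER=$(echo "${USER}" | sed "s/'/''/g")` and so on) or pass them with `psql -v` and reference them as `:'user'` so psql does the quoting. Dropping `--quiet` means `psql` now prints `INSERT 0 1` on stdout for every maintenance entry; if the intent was to surface errors, those already go to stderr regardless of `--quiet`. Where `USER` and `IP` are derived is outside the hunk, so how much of their content is caller-controlled cannot be judged from here.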
From: Patrick Marchand Date: Mon, 29 Oct 2018 16:53:46 -0400 Subject: [PATCH 06/29] Make ip whitelist tasks more flexible Now the list of whitelisted ip addresses can be updated simply by including the specific tasks in an external playbook without polluting our role list. This change takes effect for nginx, apache and fail2ban. --- apache/tasks/auth.yml | 11 +++-------- apache/tasks/ip_whitelist.yml | 10 ++++++++++ fail2ban/tasks/ip_whitelist.yml | 10 ++++++++++ fail2ban/tasks/main.yml | 9 ++------- nginx/tasks/ip_whitelist.yml | 10 ++++++++++ nginx/tasks/main_regular.yml | 11 +++-------- 6 files changed, 38 insertions(+), 23 deletions(-) create mode 100644 apache/tasks/ip_whitelist.yml create mode 100644 fail2ban/tasks/ip_whitelist.yml create mode 100644 nginx/tasks/ip_whitelist.yml diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index 03598682..f024f9cb 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -10,14 +10,9 @@ force: no tags: - apache - -- name: add IP addresses to private IP whitelist - lineinfile: - dest: /etc/apache2/ipaddr_whitelist.conf - line: "Require ip {{ item }}" - state: present - with_items: "{{ apache_ipaddr_whitelist_present }}" - notify: reload apache + +- name: Load IP whitelist task + include: ip_whitelist.yml tags: - apache diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml new file mode 100644 index 00000000..c6dd0cc9 --- /dev/null +++ b/apache/tasks/ip_whitelist.yml @@ -0,0 +1,10 @@ +--- +- name: add IP addresses to private IP whitelist + lineinfile: + dest: /etc/apache2/ipaddr_whitelist.conf + line: "Require ip {{ item }}" + state: present + with_items: "{{ apache_ipaddr_whitelist_present }}" + notify: reload apache + tags: + - apache \ No newline at end of file diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml new file mode 100644 index 00000000..3bdd05f3 --- /dev/null +++ b/fail2ban/tasks/ip_whitelist.yml 
@@ -0,0 +1,10 @@ +--- +- name: Update ignoreips lists + ini_file: + dest: /etc/fail2ban/jail.local + section: "[DEFAULT]" + option: "ignoreips" + value: "{{ fail2ban_ignore_ips | join(' ') }}" + notify: restart fail2ban + tags: + - fail2ban diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index db6af2d4..f8b20694 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -28,13 +28,8 @@ tags: - fail2ban -- name: update ignoreips lists - ini_file: - dest: /etc/fail2ban/jail.local - section: "[DEFAULT]" - option: "ignoreips" - value: "{{ fail2ban_ignore_ips | join(' ') }}" - notify: restart fail2ban +- name: Include ignoredips update task + include: ip_whitelist.yml when: fail2ban_force_update_ignore_ips tags: - fail2ban diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml new file mode 100644 index 00000000..3b443f65 --- /dev/null +++ b/nginx/tasks/ip_whitelist.yml @@ -0,0 +1,10 @@ +--- +- name: add IP addresses to private IP whitelist + lineinfile: + dest: /etc/nginx/snippets/ipaddr_whitelist + line: "allow {{ item }};" + state: present + with_items: "{{ nginx_ipaddr_whitelist_present }}" + notify: reload nginx + tags + - nginx diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 3168529a..5aff5ae4 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -50,14 +50,9 @@ tags: - nginx - ips - -- name: add IP addresses to private IP whitelist - lineinfile: - dest: /etc/nginx/snippets/ipaddr_whitelist - line: "allow {{ item }};" - state: present - with_items: "{{ nginx_ipaddr_whitelist_present }}" - notify: reload nginx + +- name: Include IP address whitelist task + include: ip_whitelist.yml tags: - nginx - ips From 24ddc78a23e59c51ba6a4216c46cb36983e8051b Mon Sep 17 00:00:00 2001 
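Review bot: The `ini_file` task moved into fail2ban/tasks/ip_whitelist.yml writes `section: "[DEFAULT]"` and `option: "ignoreips"`, and neither matches what fail2ban reads. `ini_file` wraps the section name in brackets itself, so this yields a `[[DEFAULT]]` section, and fail2ban's option is `ignoreip` (singular); as written the whitelist is silently never applied and hosts meant to be exempt can still be banned. The fix is `section: DEFAULT` and `option: ignoreip`, and since this file is now the standalone entry point for whitelist updates the commit is the right moment to catch it. In the same commit, nginx/tasks/ip_whitelist.yml has `tags` without its colon, which will not parse.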
From: Jeremy Lecour Date: Fri, 2 Nov 2018 18:15:17 +0100 Subject: [PATCH 07/29] apache/nginx: IP adresses can also be removed --- apache/tasks/auth.yml | 12 ------------ apache/tasks/ip_whitelist.yml | 15 ++++++++++++++- nginx/tasks/ip_whitelist.yml | 15 ++++++++++++++- nginx/tasks/main_regular.yml | 16 +--------------- 4 files changed, 29 insertions(+), 29 deletions(-) diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml index f024f9cb..b785c704 100644 --- a/apache/tasks/auth.yml +++ b/apache/tasks/auth.yml @@ -13,18 +13,6 @@ - name: Load IP whitelist task include: ip_whitelist.yml - tags: - - apache - -- name: remove IP addresses from private IP whitelist - lineinfile: - dest: /etc/apache2/ipaddr_whitelist.conf - line: "Require ip {{ item }}" - state: absent - with_items: "{{ apache_ipaddr_whitelist_absent }}" - notify: reload apache - tags: - - apache - name: include private IP whitelist for server-status lineinfile: diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml index c6dd0cc9..ac2b6f87 100644 --- a/apache/tasks/ip_whitelist.yml +++ b/apache/tasks/ip_whitelist.yml @@ -1,4 +1,5 @@ --- + - name: add IP addresses to private IP whitelist lineinfile: dest: /etc/apache2/ipaddr_whitelist.conf @@ -7,4 +8,16 @@ with_items: "{{ apache_ipaddr_whitelist_present }}" notify: reload apache tags: - - apache \ No newline at end of file + - apache + - ips + +- name: remove IP addresses from private IP whitelist + lineinfile: + dest: /etc/apache2/ipaddr_whitelist.conf + line: "Require ip {{ item }}" + state: absent + with_items: "{{ apache_ipaddr_whitelist_absent }}" + notify: reload apache + tags: + - apache + - ips diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml index 3b443f65..10cdcc37 100644 --- a/nginx/tasks/ip_whitelist.yml +++ b/nginx/tasks/ip_whitelist.yml @@ -1,4 +1,5 @@ --- + - name: add IP addresses to private IP whitelist lineinfile: dest: /etc/nginx/snippets/ipaddr_whitelist 
@@ -6,5 +7,17 @@ state: present with_items: "{{ nginx_ipaddr_whitelist_present }}" notify: reload nginx - tags + tags: - nginx + - ips + +- name: remove IP addresses from private IP whitelist + lineinfile: + dest: /etc/nginx/snippets/ipaddr_whitelist + line: "allow {{ item }};" + state: absent + with_items: "{{ nginx_ipaddr_whitelist_absent }}" + notify: reload nginx + tags: + - nginx + - ips diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 5aff5ae4..f3c31d56 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -50,23 +50,9 @@ tags: - nginx - ips - + - name: Include IP address whitelist task include: ip_whitelist.yml - tags: - - nginx - - ips - -- name: remove IP addresses from private IP whitelist - lineinfile: - dest: /etc/nginx/snippets/ipaddr_whitelist - line: "allow {{ item }};" - state: absent - with_items: "{{ nginx_ipaddr_whitelist_absent }}" - notify: reload nginx - tags: - - nginx - - ips - name: Copy private_htpasswd copy: From 2f9348e3d1c27ea79fd7b84cc693e7e4047f0c63 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 2 Nov 2018 18:16:29 +0100 Subject: [PATCH 08/29] update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85f28058..27a28c6d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,8 +11,11 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added +apache: separate task to update IP whitelist evolinux-base: install man package +fail2ban: separate task to update IP whitelist nginx: add tag for ips management +nginx: separate task to update IP whitelist postfix: enable SSL/TLS client ### Changed From 06a0f0d9b7a116e328b8811126f3fa80add1e2d8 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Fri, 2 Nov 2018 18:18:22 +0100 Subject: [PATCH 09/29] apache/nginx/fail2ban: mention ip_whitelist.yml in README.md --- apache/README.md | 2 ++ fail2ban/README.md | 2 ++ nginx/README.md | 2 ++ 3 files changed, 6 insertions(+) diff --git a/apache/README.md b/apache/README.md index 40e17499..c6f6a91e 100644 --- a/apache/README.md +++ b/apache/README.md @@ -6,6 +6,8 @@ Install Apache Everything is in the `tasks/main.yml` file for now. +An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role. + ## Available variables Main variables are : diff --git a/fail2ban/README.md b/fail2ban/README.md index 99ab0ae3..3689aa48 100644 --- a/fail2ban/README.md +++ b/fail2ban/README.md @@ -6,6 +6,8 @@ Install Fail2ban. Everything is in the `tasks/main.yml` file. +An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role. + ## Available variables Main variables are : diff --git a/nginx/README.md b/nginx/README.md index 96d061ed..48a875ce 100644 --- a/nginx/README.md +++ b/nginx/README.md @@ -12,6 +12,8 @@ The minimal mode is for servers without real web apps, and only access to munin The regular mode is for full fledged web services with optimized defaults. +An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role. + ## Available variables Main variables are : From 4a411685ffcd322f440a910b192f201aaebe739f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Nov 2018 10:39:30 +0100 Subject: [PATCH 10/29] evomaintenance: FROM domain is configurable --- CHANGELOG.md | 1 + evomaintenance/defaults/main.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 27a28c6d..bb526f88 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added apache: separate task to update IP whitelist evolinux-base: install man package +evomaintenance: FROM domain is configurable fail2ban: separate task to update IP whitelist nginx: add tag for ips management nginx: separate task to update IP whitelist diff --git a/evomaintenance/defaults/main.yml b/evomaintenance/defaults/main.yml index 6ad55a9b..462f25a6 100644 --- a/evomaintenance/defaults/main.yml +++ b/evomaintenance/defaults/main.yml @@ -22,7 +22,8 @@ evomaintenance_pg_passwd: Null evomaintenance_pg_db: Null evomaintenance_pg_table: Null -evomaintenance_from: "evomaintenance@{{ evolinux_internal_fqdn }}" +evomaintenance_from_domain: "{{ evolinux_internal_fqdn }}" +evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}" evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>" evomaintenance_urgency_from: mama.doe@example.com From c6a504c6c5e564b35019ad1ddff911a2b6503afd Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 6 Nov 2018 16:15:42 +0100 Subject: [PATCH 11/29] Add an SSL role for certificates deployment --- CHANGELOG.md | 1 + ssl/README.md | 9 +++++++++ ssl/meta/main.yml | 20 ++++++++++++++++++++ ssl/tasks/haproxy.yml | 32 ++++++++++++++++++++++++++++++++ ssl/tasks/main.yml | 38 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 100 insertions(+) create mode 100644 ssl/README.md create mode 100644 ssl/meta/main.yml create mode 100644 ssl/tasks/haproxy.yml create mode 100644 ssl/tasks/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index bb526f88..13212732 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ fail2ban: separate task to update IP whitelist nginx: add tag for ips management nginx: separate task to update IP whitelist postfix: enable SSL/TLS client +ssl: add an SSL role for certificates deployment ### Changed evomaintenance: update script from upstream 
diff --git a/ssl/README.md b/ssl/README.md new file mode 100644 index 00000000..d7894047 --- /dev/null +++ b/ssl/README.md @@ -0,0 +1,9 @@ +# ssl + +Deploy SSL certificate, key, dhparams and concatenate them when needed (eg. with Haproxy). + +## Available variables + +* `ssl_cert`: name of SSL certificate which is going to be deployed + +eg. `ssl_cert: "example.com"` deploy files/ssl/example.com.{pem|key|dhp} diff --git a/ssl/meta/main.yml b/ssl/meta/main.yml new file mode 100644 index 00000000..11377af9 --- /dev/null +++ b/ssl/meta/main.yml @@ -0,0 +1,20 @@ +galaxy_info: + author: Evolix + description: Deployment of SSL certificate, key and dhparams + + issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues + + license: GPLv2 + + min_ansible_version: 2.2 + + platforms: + - name: Debian + versions: + - jessie + - stretch + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/ssl/tasks/haproxy.yml b/ssl/tasks/haproxy.yml new file mode 100644 index 00000000..4f99fa1d --- /dev/null +++ b/ssl/tasks/haproxy.yml @@ -0,0 +1,32 @@ +--- +- name: Concatenate SSL certificate, key and dhparam + set_fact: + ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n" + with_fileglob: + - "ssl/{{ ssl_cert }}.pem" + - "ssl/{{ ssl_cert }}.key" + - "ssl/{{ ssl_cert }}.dhp" + tags: + - ssl + +- name: Create haproxy ssl directory + file: + dest: /etc/haproxy/ssl + mode: "0700" + tags: + - ssl + +- name: Copy concatenated certificate and key + copy: + content: "{{ ssl_cat }}" + dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem" + mode: "0600" + notify: reload haproxy + tags: + - ssl + +- name: Reset ssl_cat variable + set_fact: + ssl_cat: "" + tags: + - ssl diff --git a/ssl/tasks/main.yml b/ssl/tasks/main.yml new file mode 100644 index 00000000..0ce74b86 --- /dev/null +++ b/ssl/tasks/main.yml 
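Review bot: The `set_fact` in ssl/tasks/haproxy.yml reads the private key with `lookup('file', …)` into `ssl_cat`, and neither that task nor the following `copy` with `content: "{{ ssl_cat }}"` sets `no_log: true`, so the key material appears in verbose task output, `--diff` output and any callback plugin or log aggregation; add `no_log: true` to both tasks. `notify: reload haproxy` is also unresolved within this role, which creates no handlers/main.yml and declares `dependencies: []` in meta/main.yml, so the play errors at notification time unless the haproxy role happens to be loaded in the same play; either add the handler here or document the dependency in README.md.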
@@ -0,0 +1,38 @@ +--- +- name: Copy SSL certificate + copy: + src: "ssl/{{ ssl_cert }}.pem" + dest: "/etc/ssl/certs/{{ ssl_cert }}.pem" + mode: "0644" + register: ssl_copy_cert + tags: + - ssl + +- name: Copy SSL key + copy: + src: "ssl/{{ ssl_cert }}.key" + dest: "/etc/ssl/private/{{ ssl_cert }}.key" + mode: "0600" + register: ssl_copy_key + tags: + - ssl + +- name: Copy SSL dhparam + copy: + src: "ssl/{{ ssl_cert }}.dhp" + dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp" + mode: "0644" + register: ssl_copy_dhp + tags: + - ssl + +- name: Check if Haproxy is installed + command: dpkg -l haproxy + register: haproxy_check + check_mode: False + changed_when: False + tags: + - ssl + +- include: haproxy.yml + when: haproxy_check.rc == 0 From 9ee245942d8ecb6bd48b9e963f2eed4d1f271420 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 6 Nov 2018 16:21:16 +0100 Subject: [PATCH 12/29] ssl: haproxy package check must no fail --- ssl/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/tasks/main.yml b/ssl/tasks/main.yml index 0ce74b86..a739f449 100644 --- a/ssl/tasks/main.yml +++ b/ssl/tasks/main.yml @@ -31,6 +31,7 @@ register: haproxy_check check_mode: False changed_when: False + failed_when: False tags: - ssl From df48a60684336f118c6d391f9616a3071a3d2f97 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 6 Nov 2018 13:38:07 +0100 Subject: [PATCH 13/29] evocheck: update script from upstream --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 83 +++++++++++++++++++++++++++++++++++--- 2 files changed, 78 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 13212732..933eb1b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ postfix: enable SSL/TLS client ssl: add an SSL role for certificates deployment ### Changed +evocheck: update script from upstream evomaintenance: update script from upstream ### Fixed diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 200f0471..a8be7eec 100644 
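Review bot: `command: dpkg -l haproxy` with `when: haproxy_check.rc == 0` does not test that haproxy is installed: `dpkg -l` exits 0 for any package it knows about, including one removed with its configuration left behind (`rc` state), so haproxy.yml can run and write under /etc/haproxy on a host where haproxy is absent. The evocheck script updated later in this same series checks `dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i'`; doing the same here, e.g. `shell: dpkg -l haproxy 2>/dev/null | grep -q -E '^(i|h)i'` (or `dpkg-query -W -f='${Status}' haproxy` and matching on `install ok installed`), gives the intended answer. The `failed_when: False` added in the follow-up commit is needed in either form, since a non-zero exit is the expected "not installed" result. The three `copy` tasks register `ssl_copy_cert`/`ssl_copy_key`/`ssl_copy_dhp` without using them in this file and notify nothing, so consumers of /etc/ssl are not reloaded after a renewal; presumably intentional, but worth a comment.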
--- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -5,7 +5,7 @@ # powered by Evolix # Repository: https://gitlab.evolix.org/evolix/evocheck -# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03 +# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd # Disable LANG* export LANG=C @@ -105,6 +105,10 @@ IS_EVOBACKUP=1 IS_DUPLICATE_FS_LABEL=1 IS_EVOMAINTENANCE_FW=1 IS_EVOLIX_USER=1 +IS_EVOACME_CRON=1 +IS_EVOACME_LIVELINKS=1 +IS_APACHE_CONFENABLED=1 +IS_MELTDOWN_SPECTRE=1 #Proper to OpenBSD IS_SOFTDEP=1 @@ -143,7 +147,7 @@ is_pack_samba(){ is_installed(){ for pkg in $*; do - dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1 + dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1 done } @@ -359,7 +363,7 @@ if [ -e /etc/debian_version ]; then if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then if [ -f "$MINIFW_FILE" ]; then rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") - if [ "$rulesNumber" -lt 4 ]; then + if [ "$rulesNumber" -lt 2 ]; then echo 'IS_EVOMAINTENANCE_FW FAILED!' fi fi @@ -521,7 +525,9 @@ if [ -e /etc/debian_version ]; then # Check if no package has been upgraded since $limit. if [ "$IS_NOTUPGRADED" = 1 ]; then - last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) + if zgrep -hq upgrade /var/log/dpkg.log*; then + last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) + fi if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ || grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then # Manual upgrade process 
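Review bot: In the `@@ -521,7 +525,9 @@` hunk, guarding the `last_upgrade=` assignment with `if zgrep -hq upgrade /var/log/dpkg.log*; then` leaves `last_upgrade` unset when no upgrade was ever logged, and the later comparison against `$limit` (outside the hunk) will then either fail with `[: integer expression expected` or silently skip the check, depending on how it is written. Initialising `last_upgrade=0` before the `if` keeps the "never upgraded" case reported as `IS_NOTUPGRADED FAILED!` rather than as a shell error; the enclosing `if [ "$IS_NOTUPGRADED" = 1 ]` block continues past the hunk. The command substitution passed to `date -d` remains unquoted, unchanged by this commit, and is where a malformed log line would surface.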
@@ -530,8 +536,8 @@ if [ -e /etc/debian_version ]; then
 # Regular process
 limit=$(date +%s -d "now - 90 days")
 fi
- if [ -f /var/log/evolinux/00_prepare_system.log ]; then
- install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
+ if [ -d /var/log/installer ]; then
+ install_date=$(stat -c %Z /var/log/installer)
 else
 install_date=0
 fi
@@ -769,6 +775,71 @@ if [ -e /etc/debian_version ]; then if [ "$IS_EVOLIX_USER" = 1 ]; then getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!' fi + + if [ "$IS_EVOACME_CRON" = 1 ]; then + if [ -f "/usr/local/sbin/evoacme" ]; then + # Old cron file, should be deleted + test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!' + # evoacme cron file should be present + test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!' + fi + fi + + if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then + if [ -x "$(which evoacme)" ]; then + # Sometimes evoacme is installed but no certificates has been generated + numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) + if [ $numberOfLinks -gt 0 ]; then + for live in /etc/letsencrypt/*/live; do + actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11) + actualCertDate=$(cut -d'/' -f5 <<< $actualLink) + liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9) + certDir=${liveDir%%/live} + lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1) + lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir) + if [[ "$actualCertDate" != "$lastCertDate" ]]; then + echo 'IS_EVOACME_LIVELINKS FAILED!' + break + fi + done + fi + fi + fi + + if [ "$IS_APACHE_CONFENABLED" = 1 ]; then + # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ + # must be replaced by conf-available/ and config files symlinked + # to conf-enabled/ + if is_debianversion jessie || is_debianversion stretch; then + if [ -f /etc/apache2/apache2.conf ]; then + test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!' + grep -q 'Include conf.d' /etc/apache2/apache2.conf && \ + echo 'IS_APACHE_CONFENABLED FAILED!' + fi + fi + fi + + if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then + # For Stretch, detection is easy as the kernel use + # /sys/devices/system/cpu/vulnerabilities/ + if is_debianversion stretch; then + for vuln in meltdown spectre_v1 spectre_v2; do + test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!' 
+ done + # For Jessie this is quite complicated to verify and we need to use kernel config file + elif is_debianversion jessie; then + if grep -q BOOT_IMAGE= /proc/cmdline; then + kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) + kernelVer=${kernelPath##*/vmlinuz-} + kernelConfig="config-${kernelVer}" + # Sometimes autodetection of kernel config file fail, so we test if the file really exists. + if [ -f /boot/$kernelConfig ]; then + grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!' + grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!' + fi + fi + fi + fi fi From cfb87a7b6519b6aad063e5c8158637177cb56b0a Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Tue, 13 Nov 2018 11:05:56 +0100 Subject: [PATCH 14/29] haproxy: add vars for tls configuration Permit simply include of TLS configuration, eg. in [global] : {{ haproxy_ssl_intermediate | indent(width=4) }} --- CHANGELOG.md | 1 + haproxy/vars/main.yml | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 haproxy/vars/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 933eb1b6..8172b893 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ nginx: add tag for ips management nginx: separate task to update IP whitelist postfix: enable SSL/TLS client ssl: add an SSL role for certificates deployment +haproxy: add vars for tls configuration ### Changed evocheck: update script from upstream diff --git a/haproxy/vars/main.yml b/haproxy/vars/main.yml new file mode 100644 index 00000000..83bcbe1c --- /dev/null +++ b/haproxy/vars/main.yml 
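Review bot: The `IS_MELTDOWN_SPECTRE` check for stretch only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, but a kernel that supports that directory creates the files regardless of mitigation state and reports the state inside them (`Vulnerable`, `Mitigation: …`, `Not affected`), so a host with mitigations disabled still passes. Read the content as well: keep the `test -f … || echo 'IS_MELTDOWN_SPECTRE FAILED!'` for kernels too old to expose the directory and add `grep -q '^Vulnerable' "/sys/devices/system/cpu/vulnerabilities/$vuln" && echo 'IS_MELTDOWN_SPECTRE FAILED!'`. The jessie branch greps `CONFIG_PAGE_TABLE_ISOLATION` and `CONFIG_RETPOLINE` from the build config, which shows the kernel was built with support rather than that it is active at runtime; a comment saying so would stop a reader over-trusting a pass. In `IS_EVOACME_LIVELINKS`, recovering a symlink target by parsing `ls -lhad` with `cut -d' ' -f 11` depends on the number of space-separated fields; `readlink -f "$live"` gives it directly, and the `[[ ]]` and `<<<` constructs assume bash while the rest of the hunk uses POSIX `[ ]`.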
@@ -0,0 +1,21 @@ +--- +haproxy_ssl_old: | + # TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => old profile + tune.ssl.default-dh-param 1024 + ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP + ssl-default-bind-options no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP + ssl-default-server-options no-tls-tickets 
+haproxy_ssl_intermediate: | + # TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => intermediate profile + tune.ssl.default-dh-param 2048 + ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + ssl-default-bind-options no-sslv3 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + ssl-default-server-options no-sslv3 no-tls-tickets +haproxy_ssl_modern: | + # TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => modern profile + ssl-default-bind-ciphers 
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets From 9f2727f55f1246baedd0580dbf42bbf27f08c6ae Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Fri, 2 Nov 2018 17:31:22 -0400 Subject: [PATCH 15/29] Removes modsecurity audit log and rules 910* and 901* --- packweb-apache/files/evolinux-modsec.conf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/packweb-apache/files/evolinux-modsec.conf b/packweb-apache/files/evolinux-modsec.conf index d78c0d9f..d78a715d 100644 --- a/packweb-apache/files/evolinux-modsec.conf +++ b/packweb-apache/files/evolinux-modsec.conf @@ -18,7 +18,7 @@ SecUploadKeepFiles Off # default action SecDefaultAction "log,auditlog,deny,status:406,phase:2" -SecAuditEngine RelevantOnly +SecAuditEngine Off #SecAuditLogRelevantStatus "^[45]" # use only one log file SecAuditLogType Serial @@ -45,4 +45,13 @@ SecRule REQUEST_FILENAME "modsecuritytest1" "id:1" SecRule REQUEST_URI "modsecuritytest2" "id:2" SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3" +Include /usr/share/modsecurity-crs/owasp-crs.load + +# Removed because it does not play well with apache-itk +SecRuleRemoveById "901000-901999" + +# Removed because IP reputation based blocking is hard to predict +# and reason about +SecRuleRemoveById "910000-910999" + 
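Review bot: The `haproxy_ssl_old` snippet sets `tune.ssl.default-dh-param 1024`, sets no `no-sslv3`, and keeps 3DES (`DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) and `SEED` in both cipher lists, and `haproxy_ssl_intermediate` keeps 3DES too, so anyone who pastes a snippet into `[global]` as the commit message suggests inherits 1024-bit DH and 64-bit block ciphers without being told; `intermediate` also still allows TLS 1.0/1.1. These are the Mozilla generator's profiles of the time, so they are not wrong as a transcription, but the file should say which profile is the recommended default and what the weaker ones give up, e.g. a leading comment `# haproxy_ssl_intermediate is the default; haproxy_ssl_old enables 1024-bit DH and 3DES for legacy clients only`. Because they live in vars/main.yml they take precedence over inventory, which is fine for constants but means a site cannot override a list without editing the role; worth stating in the haproxy README.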
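Review bot: `SecAuditEngine Off` in the first evolinux-modsec.conf hunk disables the audit log entirely, while `SecDefaultAction "log,auditlog,deny,status:406,phase:2"` on the line above still requests `auditlog` for every match; with the engine off that keyword is a no-op and only the one-line error-log entries remain, so after a block there is no request body, headers or matched-rule detail left to triage a false positive or investigate an incident. If volume was the problem, `SecAuditEngine RelevantOnly` together with the commented-out `SecAuditLogRelevantStatus "^[45]"` logs only blocked or errored transactions. If turning it off is deliberate, say so next to the directive, e.g. `# audit log disabled on purpose; blocked requests are only visible in the Apache error log`. The second hunk correctly places the `SecRuleRemoveById` lines after the CRS `Include`, which is required for the removals to take effect.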
From a1973ebbb3ebbfcbea1a46c52a67bd242864c718 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 7 Nov 2018 17:45:02 +0100 Subject: [PATCH 16/29] We misunsderstood how modsecurity used the init rules They do not modify files and are necessary for the core rules to function. --- packweb-apache/files/evolinux-modsec.conf | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/packweb-apache/files/evolinux-modsec.conf b/packweb-apache/files/evolinux-modsec.conf index d78a715d..fcb4ba19 100644 --- a/packweb-apache/files/evolinux-modsec.conf +++ b/packweb-apache/files/evolinux-modsec.conf @@ -39,19 +39,12 @@ SecTmpDir /tmp # RULES ######### -# File name -SecRule REQUEST_FILENAME "modsecuritytest1" "id:1" -# Complete URI -SecRule REQUEST_URI "modsecuritytest2" "id:2" -SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3" - Include /usr/share/modsecurity-crs/owasp-crs.load -# Removed because it does not play well with apache-itk -SecRuleRemoveById "901000-901999" -# Removed because IP reputation based blocking is hard to predict -# and reason about +# Removed because it does not play well with apache-itk +# Can be removed when modsecurity 2.9.3 hits debian +# See https://github.com/SpiderLabs/ModSecurity/issues/712 SecRuleRemoveById "910000-910999" From 9198c1e2c04651f314c989af44c965ab6af798af Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Tue, 13 Nov 2018 16:56:31 -0500 Subject: [PATCH 17/29] ansible-lint does not like trailing whitespace --- evolinux-base/tasks/etc-evolinux.yml | 2 +- minifirewall/tasks/nrpe.yml | 2 +- redis/tasks/instances.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/evolinux-base/tasks/etc-evolinux.yml b/evolinux-base/tasks/etc-evolinux.yml index d6562e68..fddc82a8 100644 --- a/evolinux-base/tasks/etc-evolinux.yml +++ b/evolinux-base/tasks/etc-evolinux.yml 
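Review bot: The comment kept above `SecRuleRemoveById "910000-910999"` now gives the apache-itk incompatibility and the ModSecurity 2.9.3 / issue 712 reference as the reason, whereas the previous version of the file attributed this same removal to IP-reputation blocking being hard to predict; a reader can no longer tell whether the 910 rules are dropped for a policy reason, a bug, or both. State both if both apply, e.g. `# 910xxx (IP reputation) removed: hard to reason about, and does not work with apache-itk before ModSecurity 2.9.3 (issue 712)`, or drop the reason that no longer holds. Whether issue 712 concerns the 910 rules or the 901 initialisation rules restored by this commit is not verifiable from the diff.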
@@ -1,6 +1,6 @@ --- -### This is taken care of by the evolinux-todo role +### This is taken care of by the evolinux-todo role # - name: /etc/evolinux exists # file: # dest: /etc/evolinux diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml index 3893e5c9..20629ad0 100644 --- a/minifirewall/tasks/nrpe.yml +++ b/minifirewall/tasks/nrpe.yml @@ -41,7 +41,7 @@ stat: path: /etc/nagios/nrpe.d/evolix.cfg register: nrpe_evolix_cfg - + - name: check_minifirewall is available for NRPE lineinfile: dest: /etc/nagios/nrpe.d/evolix.cfg diff --git a/redis/tasks/instances.yml b/redis/tasks/instances.yml index 151f47b4..983fda06 100644 --- a/redis/tasks/instances.yml +++ b/redis/tasks/instances.yml @@ -38,7 +38,7 @@ group: name: "redis-{{ redis_instance_name }}" state: present - system: True + system: True tags: - redis @@ -47,7 +47,7 @@ name: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" state: present - system: True + system: True shell: '/bin/falase' tags: - redis From 3eadd7d54472ebc3f763c0e38e18aacd12a05485 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Fri, 9 Nov 2018 18:56:55 +0100 Subject: [PATCH 18/29] Rajout d'un cron a packweb pour ftpd The cronjob that maintains file size caches for ftpadmin is not present in the packweb, which leads to things like spinon-www0 listing all directories as being 0 octets big. --- packweb-apache/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index b24c9ae6..230fb41a 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -71,3 +71,9 @@ - include: fhs_retrictions.yml when: packweb_fhs_retrictions + +- name: Periodically cache ftp directory sizes for ftpadmin.sh + cron: + name: "ProFTPd directory size caching" + special_time: daily + job: "/usr/share/scripts/evoadmin/stats.sh" From a4fde275460fd10ea3bbc8b3d8567bdfc0faf1d1 Mon Sep 17 00:00:00 2001 
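Review bot: The new cron task in `packweb-apache/tasks/main.yml` has no `user:` parameter, so the entry lands in the crontab of the account Ansible runs this play as (root under `become`), and `/usr/share/scripts/evoadmin/stats.sh` then walks FTP user directories with root privileges every day. I cannot tell from the hunk whether the script needs to write somewhere only root can, but if it only needs read access to those directories a dedicated `user:` would limit the impact of a bug in it. Either way the intent should be recorded, e.g. `# runs as root: stats.sh refreshes the ftpadmin size cache` above `- name: Periodically cache ftp directory sizes for ftpadmin.sh`.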
From: Victor LABORIE Date: Wed, 14 Nov 2018 15:20:03 +0100 Subject: [PATCH 19/29] ssl: add missing state parameter --- ssl/tasks/haproxy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/tasks/haproxy.yml b/ssl/tasks/haproxy.yml index 4f99fa1d..2ba30ac9 100644 --- a/ssl/tasks/haproxy.yml +++ b/ssl/tasks/haproxy.yml @@ -12,6 +12,7 @@ - name: Create haproxy ssl directory file: dest: /etc/haproxy/ssl + state: directory mode: "0700" tags: - ssl From c60f30b106c498341542ade92ebe73f290ec2f14 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Nov 2018 15:33:43 +0100 Subject: [PATCH 20/29] redis: fix permissions for multiples instances --- redis/tasks/instances.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/redis/tasks/instances.yml b/redis/tasks/instances.yml index 983fda06..924649e6 100644 --- a/redis/tasks/instances.yml +++ b/redis/tasks/instances.yml @@ -60,7 +60,9 @@ owner: "redis-{{ redis_instance_name }}" group: "redis-{{ redis_instance_name }}" with_items: + - "/var/lib/redis" - "{{ redis_dbdir }}" + - "/var/log/redis" - "{{ redis_logfile | dirname }}" tags: - redis From e89da9146b3aa60c57373e20333c3f6d63bc988b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Nov 2018 15:34:03 +0100 Subject: [PATCH 21/29] redis: fix shell for redis users --- redis/tasks/instances.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/redis/tasks/instances.yml b/redis/tasks/instances.yml index 924649e6..02fe4892 100644 --- a/redis/tasks/instances.yml +++ b/redis/tasks/instances.yml @@ -48,7 +48,7 @@ group: "redis-{{ redis_instance_name }}" state: present system: True - shell: '/bin/falase' + shell: '/bin/false' tags: - redis From 3425711ecf440b024d15e7495e397a226be6a65b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Nov 2018 15:35:11 +0100 Subject: [PATCH 22/29] redis: update CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8172b893..47611945 100644 
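Review bot: Adding `/var/lib/redis` and `/var/log/redis` to the `with_items` list in `redis/tasks/instances.yml` applies the per-instance `owner: "redis-{{ redis_instance_name }}"` and `group:` to directories shared by every instance, so after the play runs the last instance configured owns the parent of all instances' data and log directories. Because the owner of a directory can rename or unlink any entry in it, one instance's user can then remove or replace a sibling instance's `{{ redis_dbdir }}` or log directory, which undermines the per-instance user separation this task is building. I would keep the shared parents in a separate task owned by root with a traversable mode and leave only `{{ redis_dbdir }}` and `{{ redis_logfile | dirname }}` in this loop; the task's `state`/`mode` lines are above the hunk, so I cannot see what mode the shared parents currently receive.

```yaml
- name: shared redis parent directories are owned by root
  file:
    dest: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  with_items:
    - "/var/lib/redis"
    - "/var/log/redis"
  tags:
    - redis
# … unchanged: per-instance task, with only "{{ redis_dbdir }}" and "{{ redis_logfile | dirname }}" in its with_items …
```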
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,8 @@ evocheck: update script from upstream evomaintenance: update script from upstream ### Fixed +* redis: for permissions on log and lib directories +* redis: fix shell for instance users ### Security From f5f1e885f7b6e558de91033b2de2f8e9ace7f6b1 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 14 Nov 2018 15:39:13 +0100 Subject: [PATCH 23/29] ssl: add handler for haproxy reload --- ssl/handlers/main.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ssl/handlers/main.yml diff --git a/ssl/handlers/main.yml b/ssl/handlers/main.yml new file mode 100644 index 00000000..3393e45a --- /dev/null +++ b/ssl/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload haproxy + service: + name: haproxy + state: reloaded From 6b769f5d77dfa78f5197c4bd28beb4eb1f1a6fdb Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Nov 2018 16:10:38 +0100 Subject: [PATCH 24/29] mysql: restart MySQL if systemd unit has changed --- mysql/tasks/config_stretch.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mysql/tasks/config_stretch.yml b/mysql/tasks/config_stretch.yml index e7ce1772..0725ee1f 100644 --- a/mysql/tasks/config_stretch.yml +++ b/mysql/tasks/config_stretch.yml @@ -37,8 +37,9 @@ force: yes register: mariadb_systemd_override -- name: reload systemd +- name: reload systemd and restart MariaDB systemd: name: mysql daemon_reload: yes + notify: "{{ mysql_restart_handler_name }}" when: mariadb_systemd_override.changed From bd1b1a777503f1cb810bedd234bea0c0bb29ddfa Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Nov 2018 16:11:42 +0100 Subject: [PATCH 25/29] update CHANGELOG --- CHANGELOG.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47611945..072bfcd6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
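Review bot: `notify: "{{ mysql_restart_handler_name }}"` is attached to the `systemd:` daemon-reload task in `mysql/tasks/config_stretch.yml`, so the restart handler only fires if that task itself reports `changed`; if the systemd module with only `daemon_reload: yes` reports unchanged in some Ansible versions (I cannot confirm that from here), MariaDB keeps running with the old unit after the override was rewritten. The change that actually requires the restart is the one that registers `mariadb_systemd_override` (its task starts above the hunk), so moving the `notify:` line there, or adding `changed_when: mariadb_systemd_override.changed` to this task, removes the dependency on the module's change reporting. A short comment such as `# the override was rewritten: systemd must re-read it and the service must be restarted` would also explain why a reload task carries a restart notification.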
@@ -11,19 +11,20 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added -apache: separate task to update IP whitelist -evolinux-base: install man package -evomaintenance: FROM domain is configurable -fail2ban: separate task to update IP whitelist -nginx: add tag for ips management -nginx: separate task to update IP whitelist -postfix: enable SSL/TLS client -ssl: add an SSL role for certificates deployment -haproxy: add vars for tls configuration +* apache: separate task to update IP whitelist +* evolinux-base: install man package +* evomaintenance: FROM domain is configurable +* fail2ban: separate task to update IP whitelist +* nginx: add tag for ips management +* nginx: separate task to update IP whitelist +* postfix: enable SSL/TLS client +* ssl: add an SSL role for certificates deployment +* haproxy: add vars for tls configuration ### Changed -evocheck: update script from upstream -evomaintenance: update script from upstream +* evocheck: update script from upstream +* evomaintenance: update script from upstream +* mysql: restart service if systemd unit has been patched ### Fixed * redis: for permissions on log and lib directories From 5056f93283e26bfd91b74e284679e4c219aeba8e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Nov 2018 16:13:02 +0100 Subject: [PATCH 26/29] mysql: logdir can be customized --- CHANGELOG.md | 1 + mysql/defaults/main.yml | 1 + mysql/tasks/logdir.yml | 45 +++++++++++++++++++++++++++++++++++++++++ mysql/tasks/main.yml | 2 ++ 4 files changed, 49 insertions(+) create mode 100644 mysql/tasks/logdir.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 072bfcd6..3019d2ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ The **patch** part changes incrementally at each release. * postfix: enable SSL/TLS client * ssl: add an SSL role for certificates deployment * haproxy: add vars for tls configuration +* mysql: logdir can be customized ### Changed * evocheck: update script from upstream 
diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 52bf8b07..c2cfa4b0 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -13,6 +13,7 @@ mysql_replace_root_with_mysqladmin: True mysql_custom_datadir: '' mysql_custom_tmpdir: '' +mysql_custom_logdir: '' mysql_thread_cache_size: '{{ ansible_processor_cores }}' mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M' diff --git a/mysql/tasks/logdir.yml b/mysql/tasks/logdir.yml new file mode 100644 index 00000000..a1b3a8d8 --- /dev/null +++ b/mysql/tasks/logdir.yml @@ -0,0 +1,45 @@ +--- + +- block: + - name: "Is {{ mysql_custom_logdir }} present ?" + stat: + path: "{{ mysql_custom_logdir }}" + check_mode: no + register: mysql_custom_logdir_test + + - name: "read the real logdir" + command: readlink -f /var/log/mysql + changed_when: False + check_mode: no + register: mysql_current_real_logdir_test + tags: + - mysql + when: mysql_custom_logdir != '' + +- block: + - name: MySQL is stopped + service: + name: mysql + state: stopped + + - name: Move MySQL logdir to {{ mysql_custom_logdir }} + command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }} + args: + creates: "{{ mysql_custom_logdir }}" + + - name: Symlink {{ mysql_custom_logdir }} to /var/log/mysql + file: + src: "{{ mysql_custom_logdir }}" + dest: '/var/log/mysql' + state: link + + - name: MySQL is started + service: + name: mysql + state: started + tags: + - mysql + when: + - mysql_custom_logdir != '' + - mysql_custom_logdir != mysql_current_real_logdir_test.stdout + - not mysql_custom_logdir_test.stat.exists diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml index 9f9c07f4..8e14c8de 100644 --- a/mysql/tasks/main.yml +++ b/mysql/tasks/main.yml @@ -23,6 +23,8 @@ - include: datadir.yml +- include: logdir.yml + - include: tmpdir.yml - include: nrpe.yml From 2f8cad3c7c5b83c0004729f76a4b427fba661fe5 Mon Sep 17 00:00:00 2001 
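Review bot: In `mysql/tasks/logdir.yml` the move `command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }}` interpolates both paths unquoted, so a value containing whitespace splits into several arguments and a value beginning with `-` is read by `mv` as an option; `command: mv {{ mysql_current_real_logdir_test.stdout | quote }} {{ mysql_custom_logdir | quote }}` is the usual guard for the `command` module. When the custom directory already exists, the second block is skipped by its `not mysql_custom_logdir_test.stat.exists` condition and MySQL silently keeps logging to the old location; a `debug:` or `fail:` task for that case, or at least a comment like `# an existing logdir is left untouched and the old logs are not moved`, would make that visible. Note also that if `mv` fails (for example because the parent of `{{ mysql_custom_logdir }}` does not exist) the block stops before `MySQL is started`, leaving the service down; a `rescue:` section that starts the service again, or creating the parent directory first, would avoid that. The same structure presumably exists in `datadir.yml` and `tmpdir.yml`, which I cannot see here.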
From: Jeremy Lecour Date: Wed, 14 Nov 2018 17:04:03 +0100 Subject: [PATCH 27/29] packweb-apache: mod-security config is already included elsewhere --- CHANGELOG.md | 1 + packweb-apache/files/evolinux-modsec.conf | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3019d2ec..70889e3d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,6 +28,7 @@ The **patch** part changes incrementally at each release. * mysql: restart service if systemd unit has been patched ### Fixed +* packweb-apache: mod-security config is already included elsewhere * redis: for permissions on log and lib directories * redis: fix shell for instance users diff --git a/packweb-apache/files/evolinux-modsec.conf b/packweb-apache/files/evolinux-modsec.conf index fcb4ba19..4cc0c777 100644 --- a/packweb-apache/files/evolinux-modsec.conf +++ b/packweb-apache/files/evolinux-modsec.conf @@ -39,9 +39,6 @@ SecTmpDir /tmp # RULES ######### -Include /usr/share/modsecurity-crs/owasp-crs.load - - # Removed because it does not play well with apache-itk # Can be removed when modsecurity 2.9.3 hits debian # See https://github.com/SpiderLabs/ModSecurity/issues/712 From b3f9932c4d0b2d3421401dd1becb4d3291c50184 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Nov 2018 17:04:51 +0100 Subject: [PATCH 28/29] evolinux-users: add newaliases handler --- CHANGELOG.md | 1 + evolinux-users/handlers/main.yml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70889e3d..bf1b3e04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * apache: separate task to update IP whitelist * evolinux-base: install man package +* evolinux-users: add newaliases handler * evomaintenance: FROM domain is configurable * fail2ban: separate task to update IP whitelist * nginx: add tag for ips management 
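Review bot: With `Include /usr/share/modsecurity-crs/owasp-crs.load` removed from `evolinux-modsec.conf`, the remaining `SecRuleRemoveById "910000-910999"` only takes effect if Apache processes this file after whichever configuration now loads the CRS; as far as I know `SecRuleRemoveById` for IDs that are not yet defined is ignored without an error, so the wrong include order would leave the 910 (IP reputation) rules active again with nothing in the logs to show it. The commit message says the config is included elsewhere but not where, so it is worth verifying the include order once and recording it, e.g. `# CRS is loaded by <path of the other config file>, which Apache reads before this file; SecRuleRemoveById below depends on that order`.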
diff --git a/evolinux-users/handlers/main.yml b/evolinux-users/handlers/main.yml index 290a2c8c..a94909a5 100644 --- a/evolinux-users/handlers/main.yml +++ b/evolinux-users/handlers/main.yml @@ -3,3 +3,7 @@ service: name: sshd state: reloaded + +- name: newaliases + command: newaliases + changed_when: False From d5e34a58d29ef81c2900489dbf5f32c1648e4c20 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 14 Nov 2018 17:15:25 +0100 Subject: [PATCH 29/29] Release 9.5.0 --- CHANGELOG.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf1b3e04..bb77041b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,16 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +### Added + +### Changed + +### Fixed + +### Security + +## [9.5.0] - 2018-11-14 + ### Added * apache: separate task to update IP whitelist * evolinux-base: install man package @@ -33,8 +43,6 @@ The **patch** part changes incrementally at each release. * redis: for permissions on log and lib directories * redis: fix shell for instance users -### Security - ## [9.4.2] - 2018-10-12 ### Added