Merge branch 'unstable' into stable
This commit is contained in:
commit
5cbad9911f
25
CHANGELOG.md
25
CHANGELOG.md
|
@ -18,6 +18,31 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [9.5.0] - 2018-11-14
|
||||||
|
|
||||||
|
### Added
|
||||||
|
* apache: separate task to update IP whitelist
|
||||||
|
* evolinux-base: install man package
|
||||||
|
* evolinux-users: add newaliases handler
|
||||||
|
* evomaintenance: FROM domain is configurable
|
||||||
|
* fail2ban: separate task to update IP whitelist
|
||||||
|
* nginx: add tag for ips management
|
||||||
|
* nginx: separate task to update IP whitelist
|
||||||
|
* postfix: enable SSL/TLS client
|
||||||
|
* ssl: add an SSL role for certificates deployment
|
||||||
|
* haproxy: add vars for tls configuration
|
||||||
|
* mysql: logdir can be customized
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
* evocheck: update script from upstream
|
||||||
|
* evomaintenance: update script from upstream
|
||||||
|
* mysql: restart service if systemd unit has been patched
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
* packweb-apache: mod-security config is already included elsewhere
|
||||||
|
* redis: for permissions on log and lib directories
|
||||||
|
* redis: fix shell for instance users
|
||||||
|
|
||||||
## [9.4.2] - 2018-10-12
|
## [9.4.2] - 2018-10-12
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
|
@ -6,6 +6,8 @@ Install Apache
|
||||||
|
|
||||||
Everything is in the `tasks/main.yml` file for now.
|
Everything is in the `tasks/main.yml` file for now.
|
||||||
|
|
||||||
|
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
|
||||||
|
|
||||||
## Available variables
|
## Available variables
|
||||||
|
|
||||||
Main variables are :
|
Main variables are :
|
||||||
|
|
|
@ -11,25 +11,8 @@
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
- name: add IP addresses to private IP whitelist
|
- name: Load IP whitelist task
|
||||||
lineinfile:
|
include: ip_whitelist.yml
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
|
||||||
line: "Require ip {{ item }}"
|
|
||||||
state: present
|
|
||||||
with_items: "{{ apache_ipaddr_whitelist_present }}"
|
|
||||||
notify: reload apache
|
|
||||||
tags:
|
|
||||||
- apache
|
|
||||||
|
|
||||||
- name: remove IP addresses from private IP whitelist
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
|
||||||
line: "Require ip {{ item }}"
|
|
||||||
state: absent
|
|
||||||
with_items: "{{ apache_ipaddr_whitelist_absent }}"
|
|
||||||
notify: reload apache
|
|
||||||
tags:
|
|
||||||
- apache
|
|
||||||
|
|
||||||
- name: include private IP whitelist for server-status
|
- name: include private IP whitelist for server-status
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
|
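Review bot: The new `- name: Load IP whitelist task` / `include: ip_whitelist.yml` task carries no `tags:`, while the tasks it replaces were tagged `apache`; if this `include` is evaluated dynamically (plain `include` is dynamic in later Ansible releases), a run limited with `--tags apache` or `--tags ips` skips the include itself and never reaches the tagged tasks inside `ip_whitelist.yml`. Adding `tags: [apache, ips]` to the include task preserves the previous tag behaviour whether the include is static or dynamic. The same applies to the `Include IP address whitelist task` added in nginx/tasks/main.yml further down. The enclosing task list starts outside the hunk.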
23
apache/tasks/ip_whitelist.yml
Normal file
23
apache/tasks/ip_whitelist.yml
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: add IP addresses to private IP whitelist
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
|
line: "Require ip {{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items: "{{ apache_ipaddr_whitelist_present }}"
|
||||||
|
notify: reload apache
|
||||||
|
tags:
|
||||||
|
- apache
|
||||||
|
- ips
|
||||||
|
|
||||||
|
- name: remove IP addresses from private IP whitelist
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
|
line: "Require ip {{ item }}"
|
||||||
|
state: absent
|
||||||
|
with_items: "{{ apache_ipaddr_whitelist_absent }}"
|
||||||
|
notify: reload apache
|
||||||
|
tags:
|
||||||
|
- apache
|
||||||
|
- ips
|
|
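Review bot: Each item of `apache_ipaddr_whitelist_present` is written verbatim into `Require ip {{ item }}` with no validation, so a typo or a non-address value lands in /etc/apache2/ipaddr_whitelist.conf and only surfaces when the `reload apache` handler fails, leaving the previous configuration running. A guard ahead of the lineinfile tasks fails the play early with a clear message instead, e.g. `- assert: { that: "item | ipaddr", msg: "invalid address in whitelist" }` with `with_items: "{{ apache_ipaddr_whitelist_present }}"` (the `ipaddr` filter needs netaddr on the controller). The `allow {{ item }};` tasks in nginx/tasks/ip_whitelist.yml have the same gap.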
@ -5,7 +5,7 @@
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
# Repository: https://gitlab.evolix.org/evolix/evocheck
|
# Repository: https://gitlab.evolix.org/evolix/evocheck
|
||||||
# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03
|
# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
export LANG=C
|
export LANG=C
|
||||||
|
@ -105,6 +105,10 @@ IS_EVOBACKUP=1
|
||||||
IS_DUPLICATE_FS_LABEL=1
|
IS_DUPLICATE_FS_LABEL=1
|
||||||
IS_EVOMAINTENANCE_FW=1
|
IS_EVOMAINTENANCE_FW=1
|
||||||
IS_EVOLIX_USER=1
|
IS_EVOLIX_USER=1
|
||||||
|
IS_EVOACME_CRON=1
|
||||||
|
IS_EVOACME_LIVELINKS=1
|
||||||
|
IS_APACHE_CONFENABLED=1
|
||||||
|
IS_MELTDOWN_SPECTRE=1
|
||||||
|
|
||||||
#Proper to OpenBSD
|
#Proper to OpenBSD
|
||||||
IS_SOFTDEP=1
|
IS_SOFTDEP=1
|
||||||
|
@ -143,7 +147,7 @@ is_pack_samba(){
|
||||||
|
|
||||||
is_installed(){
|
is_installed(){
|
||||||
for pkg in $*; do
|
for pkg in $*; do
|
||||||
dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1
|
dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -359,7 +363,7 @@ if [ -e /etc/debian_version ]; then
|
||||||
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
|
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
|
||||||
if [ -f "$MINIFW_FILE" ]; then
|
if [ -f "$MINIFW_FILE" ]; then
|
||||||
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
|
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
|
||||||
if [ "$rulesNumber" -lt 4 ]; then
|
if [ "$rulesNumber" -lt 2 ]; then
|
||||||
echo 'IS_EVOMAINTENANCE_FW FAILED!'
|
echo 'IS_EVOMAINTENANCE_FW FAILED!'
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -521,7 +525,9 @@ if [ -e /etc/debian_version ]; then
|
||||||
|
|
||||||
# Check if no package has been upgraded since $limit.
|
# Check if no package has been upgraded since $limit.
|
||||||
if [ "$IS_NOTUPGRADED" = 1 ]; then
|
if [ "$IS_NOTUPGRADED" = 1 ]; then
|
||||||
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
|
if zgrep -hq upgrade /var/log/dpkg.log*; then
|
||||||
|
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
|
||||||
|
fi
|
||||||
if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
||||||
|| grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
|| grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
||||||
# Manual upgrade process
|
# Manual upgrade process
|
||||||
|
@ -530,8 +536,8 @@ if [ -e /etc/debian_version ]; then
|
||||||
# Regular process
|
# Regular process
|
||||||
limit=$(date +%s -d "now - 90 days")
|
limit=$(date +%s -d "now - 90 days")
|
||||||
fi
|
fi
|
||||||
if [ -f /var/log/evolinux/00_prepare_system.log ]; then
|
if [ -d /var/log/installer ]; then
|
||||||
install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
|
install_date=$(stat -c %Z /var/log/installer)
|
||||||
else
|
else
|
||||||
install_date=0
|
install_date=0
|
||||||
fi
|
fi
|
||||||
|
@ -769,6 +775,71 @@ if [ -e /etc/debian_version ]; then
|
||||||
if [ "$IS_EVOLIX_USER" = 1 ]; then
|
if [ "$IS_EVOLIX_USER" = 1 ]; then
|
||||||
getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!'
|
getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$IS_EVOACME_CRON" = 1 ]; then
|
||||||
|
if [ -f "/usr/local/sbin/evoacme" ]; then
|
||||||
|
# Old cron file, should be deleted
|
||||||
|
test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!'
|
||||||
|
# evoacme cron file should be present
|
||||||
|
test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
|
||||||
|
if [ -x "$(which evoacme)" ]; then
|
||||||
|
# Sometimes evoacme is installed but no certificates has been generated
|
||||||
|
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
|
||||||
|
if [ $numberOfLinks -gt 0 ]; then
|
||||||
|
for live in /etc/letsencrypt/*/live; do
|
||||||
|
actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11)
|
||||||
|
actualCertDate=$(cut -d'/' -f5 <<< $actualLink)
|
||||||
|
liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9)
|
||||||
|
certDir=${liveDir%%/live}
|
||||||
|
lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1)
|
||||||
|
lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir)
|
||||||
|
if [[ "$actualCertDate" != "$lastCertDate" ]]; then
|
||||||
|
echo 'IS_EVOACME_LIVELINKS FAILED!'
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$IS_APACHE_CONFENABLED" = 1 ]; then
|
||||||
|
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
|
||||||
|
# must be replaced by conf-available/ and config files symlinked
|
||||||
|
# to conf-enabled/
|
||||||
|
if is_debianversion jessie || is_debianversion stretch; then
|
||||||
|
if [ -f /etc/apache2/apache2.conf ]; then
|
||||||
|
test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!'
|
||||||
|
grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
|
||||||
|
echo 'IS_APACHE_CONFENABLED FAILED!'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
|
||||||
|
# For Stretch, detection is easy as the kernel use
|
||||||
|
# /sys/devices/system/cpu/vulnerabilities/
|
||||||
|
if is_debianversion stretch; then
|
||||||
|
for vuln in meltdown spectre_v1 spectre_v2; do
|
||||||
|
test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||||
|
done
|
||||||
|
# For Jessie this is quite complicated to verify and we need to use kernel config file
|
||||||
|
elif is_debianversion jessie; then
|
||||||
|
if grep -q BOOT_IMAGE= /proc/cmdline; then
|
||||||
|
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
|
||||||
|
kernelVer=${kernelPath##*/vmlinuz-}
|
||||||
|
kernelConfig="config-${kernelVer}"
|
||||||
|
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
|
||||||
|
if [ -f /boot/$kernelConfig ]; then
|
||||||
|
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||||
|
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
|
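Review bot: The new IS_MELTDOWN_SPECTRE check on stretch only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, but a kernel that exposes those files can still report `Vulnerable` in them (for instance when mitigations are disabled at boot), so the check passes on an unmitigated host; reading the content tells the two apart, `grep -q '^Vulnerable' /sys/devices/system/cpu/vulnerabilities/$vuln && echo 'IS_MELTDOWN_SPECTRE FAILED!'` next to the existence test. On jessie, when `/boot/$kernelConfig` is not found the branch prints nothing, which reads as a pass, and `kernelVer=$(uname -r)` would avoid parsing `BOOT_IMAGE=` out of /proc/cmdline altogether. In IS_EVOACME_LIVELINKS, `actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11)` recovers the symlink target from `ls` columns, which depends on the listing layout; `actualLink=$(readlink "$live")` and `liveDir=$live` yield the same values without that dependency. The enclosing `if [ -e /etc/debian_version ]` block starts outside the hunk.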
@ -33,6 +33,7 @@
|
||||||
- curl
|
- curl
|
||||||
- telnet
|
- telnet
|
||||||
- traceroute
|
- traceroute
|
||||||
|
- man
|
||||||
when: evolinux_packages_diagnostic
|
when: evolinux_packages_diagnostic
|
||||||
|
|
||||||
- name: Install/Update hardware tools
|
- name: Install/Update hardware tools
|
||||||
|
|
|
@ -3,3 +3,7 @@
|
||||||
service:
|
service:
|
||||||
name: sshd
|
name: sshd
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
|
- name: newaliases
|
||||||
|
command: newaliases
|
||||||
|
changed_when: False
|
||||||
|
|
|
@ -22,7 +22,8 @@ evomaintenance_pg_passwd: Null
|
||||||
evomaintenance_pg_db: Null
|
evomaintenance_pg_db: Null
|
||||||
evomaintenance_pg_table: Null
|
evomaintenance_pg_table: Null
|
||||||
|
|
||||||
evomaintenance_from: "evomaintenance@{{ evolinux_internal_fqdn }}"
|
evomaintenance_from_domain: "{{ evolinux_internal_fqdn }}"
|
||||||
|
evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
|
||||||
evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
|
evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
|
||||||
|
|
||||||
evomaintenance_urgency_from: mama.doe@example.com
|
evomaintenance_urgency_from: mama.doe@example.com
|
||||||
|
|
|
@ -185,7 +185,7 @@ fi
|
||||||
SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"`
|
SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"`
|
||||||
|
|
||||||
PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')"
|
PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')"
|
||||||
echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet
|
echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST}
|
||||||
|
|
||||||
# send mail
|
# send mail
|
||||||
MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@")
|
MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@")
|
||||||
|
|
|
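Review bot: `PG_QUERY` on the context line interpolates `${HOSTNAME}`, `${USER}`, `${IP}` and `${BEGIN_DATE}` directly into the INSERT while only `${TEXTE}` goes through `sed "s/'/''/g"`; if any of those values can contain a quote (their sources are outside this hunk), the statement breaks or becomes injectable. Escaping them with the same `sed` step, or passing them as psql variables (`psql -v ip="${IP}"` and `:'ip'` in the query), makes all the inputs go through one path. With `--quiet` removed, psql's `INSERT 0 1` acknowledgement now reaches stdout, which matters if this script's output is captured or mailed; that is presumably the intent of the change, but worth a comment.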
@ -6,6 +6,8 @@ Install Fail2ban.
|
||||||
|
|
||||||
Everything is in the `tasks/main.yml` file.
|
Everything is in the `tasks/main.yml` file.
|
||||||
|
|
||||||
|
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
|
||||||
|
|
||||||
## Available variables
|
## Available variables
|
||||||
|
|
||||||
Main variables are :
|
Main variables are :
|
||||||
|
|
10
fail2ban/tasks/ip_whitelist.yml
Normal file
10
fail2ban/tasks/ip_whitelist.yml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
- name: Update ignoreips lists
|
||||||
|
ini_file:
|
||||||
|
dest: /etc/fail2ban/jail.local
|
||||||
|
section: "[DEFAULT]"
|
||||||
|
option: "ignoreips"
|
||||||
|
value: "{{ fail2ban_ignore_ips | join(' ') }}"
|
||||||
|
notify: restart fail2ban
|
||||||
|
tags:
|
||||||
|
- fail2ban
|
|
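Review bot: `option: "ignoreips"` does not match the fail2ban jail option, which is `ignoreip` (singular) in jail.conf's `[DEFAULT]`; an `ignoreips` key is written to jail.local but not read, so the addresses in `fail2ban_ignore_ips` would not actually be exempted from banning. The key was carried over from the task removed in fail2ban/tasks/main.yml, so the defect is pre-existing rather than introduced here; if it is renamed, existing jail.local files also need the stale line cleaned up, e.g. a second `ini_file` task with `option: "ignoreips"` and `state: absent`. Verify against the fail2ban version deployed before changing it.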
@ -28,13 +28,8 @@
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
||||||
- name: update ignoreips lists
|
- name: Include ignoredips update task
|
||||||
ini_file:
|
include: ip_whitelist.yml
|
||||||
dest: /etc/fail2ban/jail.local
|
|
||||||
section: "[DEFAULT]"
|
|
||||||
option: "ignoreips"
|
|
||||||
value: "{{ fail2ban_ignore_ips | join(' ') }}"
|
|
||||||
notify: restart fail2ban
|
|
||||||
when: fail2ban_force_update_ignore_ips
|
when: fail2ban_force_update_ignore_ips
|
||||||
tags:
|
tags:
|
||||||
- fail2ban
|
- fail2ban
|
||||||
|
|
21
haproxy/vars/main.yml
Normal file
21
haproxy/vars/main.yml
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
haproxy_ssl_old: |
|
||||||
|
# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => old profile
|
||||||
|
tune.ssl.default-dh-param 1024
|
||||||
|
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
|
||||||
|
ssl-default-bind-options no-tls-tickets
|
||||||
|
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
|
||||||
|
ssl-default-server-options no-tls-tickets
|
||||||
|
haproxy_ssl_intermediate: |
|
||||||
|
# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => intermediate profile
|
||||||
|
tune.ssl.default-dh-param 2048
|
||||||
|
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||||
|
ssl-default-bind-options no-sslv3 no-tls-tickets
|
||||||
|
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
||||||
|
ssl-default-server-options no-sslv3 no-tls-tickets
|
||||||
|
haproxy_ssl_modern: |
|
||||||
|
# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => modern profile
|
||||||
|
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||||
|
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||||
|
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||||
|
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
|
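Review bot: These three profiles live in `vars/main.yml`, whose precedence is above inventory and play variables, so an operator cannot adjust a cipher list or the `tune.ssl.default-dh-param` value without editing the role; `defaults/main.yml` is the usual home for tunables like this. `haproxy_ssl_old` enables 1024-bit DH parameters and 3DES suites (`DES-CBC3-SHA`), which are below current recommendations, so a comment stating that it exists only for legacy-client compatibility would help whoever picks it, e.g. `# old profile: 1024-bit DH and 3DES kept for legacy clients only; prefer haproxy_ssl_intermediate`. Nothing in this file shows where a profile is selected, so the selection mechanism is presumably elsewhere in the role.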
@ -13,6 +13,7 @@ mysql_replace_root_with_mysqladmin: True
|
||||||
|
|
||||||
mysql_custom_datadir: ''
|
mysql_custom_datadir: ''
|
||||||
mysql_custom_tmpdir: ''
|
mysql_custom_tmpdir: ''
|
||||||
|
mysql_custom_logdir: ''
|
||||||
|
|
||||||
mysql_thread_cache_size: '{{ ansible_processor_cores }}'
|
mysql_thread_cache_size: '{{ ansible_processor_cores }}'
|
||||||
mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M'
|
mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M'
|
||||||
|
|
|
@ -37,8 +37,9 @@
|
||||||
force: yes
|
force: yes
|
||||||
register: mariadb_systemd_override
|
register: mariadb_systemd_override
|
||||||
|
|
||||||
- name: reload systemd
|
- name: reload systemd and restart MariaDB
|
||||||
systemd:
|
systemd:
|
||||||
name: mysql
|
name: mysql
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
||||||
|
notify: "{{ mysql_restart_handler_name }}"
|
||||||
when: mariadb_systemd_override.changed
|
when: mariadb_systemd_override.changed
|
||||||
|
|
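Review bot: `notify: "{{ mysql_restart_handler_name }}"` on the `reload systemd and restart MariaDB` task only fires if that task reports changed, and a `systemd:` call with just `name` and `daemon_reload: yes` and no `state` may report ok, in which case the restart never happens even though the unit override changed; worth verifying against the Ansible version in use. Moving the `notify` to the task that writes the override (the one registered as `mariadb_systemd_override`, which begins outside this hunk) ties the restart to the actual change and keeps `when: mariadb_systemd_override.changed` as is. Adding `changed_when: mariadb_systemd_override.changed` to this task is the smaller alternative.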
45
mysql/tasks/logdir.yml
Normal file
45
mysql/tasks/logdir.yml
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: "Is {{ mysql_custom_logdir }} present ?"
|
||||||
|
stat:
|
||||||
|
path: "{{ mysql_custom_logdir }}"
|
||||||
|
check_mode: no
|
||||||
|
register: mysql_custom_logdir_test
|
||||||
|
|
||||||
|
- name: "read the real logdir"
|
||||||
|
command: readlink -f /var/log/mysql
|
||||||
|
changed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: mysql_current_real_logdir_test
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
when: mysql_custom_logdir != ''
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: MySQL is stopped
|
||||||
|
service:
|
||||||
|
name: mysql
|
||||||
|
state: stopped
|
||||||
|
|
||||||
|
- name: Move MySQL logdir to {{ mysql_custom_logdir }}
|
||||||
|
command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }}
|
||||||
|
args:
|
||||||
|
creates: "{{ mysql_custom_logdir }}"
|
||||||
|
|
||||||
|
- name: Symlink {{ mysql_custom_logdir }} to /var/log/mysql
|
||||||
|
file:
|
||||||
|
src: "{{ mysql_custom_logdir }}"
|
||||||
|
dest: '/var/log/mysql'
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- name: MySQL is started
|
||||||
|
service:
|
||||||
|
name: mysql
|
||||||
|
state: started
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
when:
|
||||||
|
- mysql_custom_logdir != ''
|
||||||
|
- mysql_custom_logdir != mysql_current_real_logdir_test.stdout
|
||||||
|
- not mysql_custom_logdir_test.stat.exists
|
|
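Review bot: `command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }}` passes both paths unquoted, so a value containing whitespace is split into extra arguments; `command: mv "{{ mysql_current_real_logdir_test.stdout }}" "{{ mysql_custom_logdir }}"` keeps each path as one argument. The second block stops MySQL, moves the directory and relinks it with no comment on why the three `when` conditions make this a one-shot migration (custom dir set, differs from the resolved current dir, and does not yet exist), which is the kind of thing the next maintainer needs before touching the `creates:` guard. A block-level comment such as `# One-shot migration of the log directory: runs only while the target does not exist yet; MySQL is stopped for the duration of the move` would cover it.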
@ -23,6 +23,8 @@
|
||||||
|
|
||||||
- include: datadir.yml
|
- include: datadir.yml
|
||||||
|
|
||||||
|
- include: logdir.yml
|
||||||
|
|
||||||
- include: tmpdir.yml
|
- include: tmpdir.yml
|
||||||
|
|
||||||
- include: nrpe.yml
|
- include: nrpe.yml
|
||||||
|
|
|
@ -12,6 +12,8 @@ The minimal mode is for servers without real web apps, and only access to munin
|
||||||
|
|
||||||
The regular mode is for full fledged web services with optimized defaults.
|
The regular mode is for full fledged web services with optimized defaults.
|
||||||
|
|
||||||
|
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
|
||||||
|
|
||||||
## Available variables
|
## Available variables
|
||||||
|
|
||||||
Main variables are :
|
Main variables are :
|
||||||
|
|
23
nginx/tasks/ip_whitelist.yml
Normal file
23
nginx/tasks/ip_whitelist.yml
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: add IP addresses to private IP whitelist
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||||
|
line: "allow {{ item }};"
|
||||||
|
state: present
|
||||||
|
with_items: "{{ nginx_ipaddr_whitelist_present }}"
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
- ips
|
||||||
|
|
||||||
|
- name: remove IP addresses from private IP whitelist
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||||
|
line: "allow {{ item }};"
|
||||||
|
state: absent
|
||||||
|
with_items: "{{ nginx_ipaddr_whitelist_absent }}"
|
||||||
|
notify: reload nginx
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
- ips
|
|
@ -49,26 +49,10 @@
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
tags:
|
tags:
|
||||||
- nginx
|
- nginx
|
||||||
|
- ips
|
||||||
|
|
||||||
- name: add IP addresses to private IP whitelist
|
- name: Include IP address whitelist task
|
||||||
lineinfile:
|
include: ip_whitelist.yml
|
||||||
dest: /etc/nginx/snippets/ipaddr_whitelist
|
|
||||||
line: "allow {{ item }};"
|
|
||||||
state: present
|
|
||||||
with_items: "{{ nginx_ipaddr_whitelist_present }}"
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: remove IP addresses from private IP whitelist
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/nginx/snippets/ipaddr_whitelist
|
|
||||||
line: "allow {{ item }};"
|
|
||||||
state: absent
|
|
||||||
with_items: "{{ nginx_ipaddr_whitelist_absent }}"
|
|
||||||
notify: reload nginx
|
|
||||||
tags:
|
|
||||||
- nginx
|
|
||||||
|
|
||||||
- name: Copy private_htpasswd
|
- name: Copy private_htpasswd
|
||||||
copy:
|
copy:
|
||||||
|
|
|
@ -18,7 +18,7 @@ SecUploadKeepFiles Off
|
||||||
# default action
|
# default action
|
||||||
SecDefaultAction "log,auditlog,deny,status:406,phase:2"
|
SecDefaultAction "log,auditlog,deny,status:406,phase:2"
|
||||||
|
|
||||||
SecAuditEngine RelevantOnly
|
SecAuditEngine Off
|
||||||
#SecAuditLogRelevantStatus "^[45]"
|
#SecAuditLogRelevantStatus "^[45]"
|
||||||
# use only one log file
|
# use only one log file
|
||||||
SecAuditLogType Serial
|
SecAuditLogType Serial
|
||||||
|
@ -39,10 +39,9 @@ SecTmpDir /tmp
|
||||||
# RULES
|
# RULES
|
||||||
#########
|
#########
|
||||||
|
|
||||||
# File name
|
# Removed because it does not play well with apache-itk
|
||||||
SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
|
# Can be removed when modsecurity 2.9.3 hits debian
|
||||||
# Complete URI
|
# See https://github.com/SpiderLabs/ModSecurity/issues/712
|
||||||
SecRule REQUEST_URI "modsecuritytest2" "id:2"
|
SecRuleRemoveById "910000-910999"
|
||||||
SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
|
|
||||||
|
|
||||||
</IfModule>
|
</IfModule>
|
||||||
|
|
|
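Review bot: `SecAuditEngine Off` removes the audit record of blocked requests while the context line `SecDefaultAction "log,auditlog,deny,status:406,phase:2"` still asks for `auditlog`, now a no-op, so the only remaining trace of a denied request is the error-log line produced by `log`. The rule removal below got an explanatory comment; the audit change deserves the same, e.g. `# Audit log disabled: <reason / ticket>` above the directive, so nobody hunts for a missing audit log during an incident or re-enables it without knowing why it was turned off. If the motivation is the same apache-itk problem cited for the rule removal, saying so in that comment is enough.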
@ -71,3 +71,9 @@
|
||||||
|
|
||||||
- include: fhs_retrictions.yml
|
- include: fhs_retrictions.yml
|
||||||
when: packweb_fhs_retrictions
|
when: packweb_fhs_retrictions
|
||||||
|
|
||||||
|
- name: Periodically cache ftp directory sizes for ftpadmin.sh
|
||||||
|
cron:
|
||||||
|
name: "ProFTPd directory size caching"
|
||||||
|
special_time: daily
|
||||||
|
job: "/usr/share/scripts/evoadmin/stats.sh"
|
||||||
|
|
|
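Review bot: The `ProFTPd directory size caching` cron entry sets no `user:`, so it is installed in root's crontab and `/usr/share/scripts/evoadmin/stats.sh` runs daily as root; if the script only needs read access to the FTP directories, naming a less privileged account (`user: "<unprivileged account>"`) limits the blast radius of a bug in it. Nothing here ensures the script exists on the host, so a missing file yields a daily cron error mail rather than a failed play; a `stat` + `assert` before the `cron` task, or placing this task after whatever deploys the script, surfaces that at deploy time. The surrounding include list starts outside the hunk.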
@ -13,6 +13,12 @@ recipient_delimiter = +
|
||||||
inet_interfaces = all
|
inet_interfaces = all
|
||||||
inet_protocols = ipv4
|
inet_protocols = ipv4
|
||||||
disable_vrfy_command = yes
|
disable_vrfy_command = yes
|
||||||
|
# enable SSL/TLS client
|
||||||
|
smtp_tls_security_level = may
|
||||||
|
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||||
|
smtp_tls_protocols=!SSLv2,!SSLv3
|
||||||
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
smtp_tls_loglevel = 1
|
||||||
|
|
||||||
{% if postfix_slow_transport_include == True %}
|
{% if postfix_slow_transport_include == True %}
|
||||||
# Slow transports configuration
|
# Slow transports configuration
|
||||||
|
|
|
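Review bot: `smtp_tls_security_level = may` gives opportunistic, unauthenticated TLS: no `smtp_tls_CAfile`/`smtp_tls_CApath` is set and `may` performs no certificate verification, so this protects outbound mail against passive observation only. That is the usual choice for a mail client, but a one-line comment next to `# enable SSL/TLS client`, e.g. `# opportunistic only: no peer verification, falls back to plaintext`, stops a reader from assuming delivery is authenticated. The `_protocols=!SSLv2,!SSLv3` lines leave TLS 1.0 and 1.1 enabled; if that is intentional for interoperability it is worth stating. The same settings are added to the full main.cf template in the next section, where `smtpd_tls_security_level = may` replaces `smtpd_use_tls=yes`.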
@ -389,11 +389,19 @@ strict_rfc821_envelopes = yes
|
||||||
# Section : Chiffrement
|
# Section : Chiffrement
|
||||||
#######################
|
#######################
|
||||||
|
|
||||||
|
smtpd_tls_security_level = may
|
||||||
|
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||||
|
smtpd_tls_protocols=!SSLv2,!SSLv3
|
||||||
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||||
|
smtpd_tls_loglevel = 1
|
||||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
smtpd_use_tls=yes
|
|
||||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
smtp_tls_security_level = may
|
||||||
|
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||||
|
smtp_tls_protocols=!SSLv2,!SSLv3
|
||||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
smtp_tls_loglevel = 1
|
||||||
|
|
||||||
# SASL
|
# SASL
|
||||||
smtpd_sasl_auth_enable = yes
|
smtpd_sasl_auth_enable = yes
|
||||||
|
|
|
@ -48,7 +48,7 @@
|
||||||
group: "redis-{{ redis_instance_name }}"
|
group: "redis-{{ redis_instance_name }}"
|
||||||
state: present
|
state: present
|
||||||
system: True
|
system: True
|
||||||
shell: '/bin/falase'
|
shell: '/bin/false'
|
||||||
tags:
|
tags:
|
||||||
- redis
|
- redis
|
||||||
|
|
||||||
|
@ -60,7 +60,9 @@
|
||||||
owner: "redis-{{ redis_instance_name }}"
|
owner: "redis-{{ redis_instance_name }}"
|
||||||
group: "redis-{{ redis_instance_name }}"
|
group: "redis-{{ redis_instance_name }}"
|
||||||
with_items:
|
with_items:
|
||||||
|
- "/var/lib/redis"
|
||||||
- "{{ redis_dbdir }}"
|
- "{{ redis_dbdir }}"
|
||||||
|
- "/var/log/redis"
|
||||||
- "{{ redis_logfile | dirname }}"
|
- "{{ redis_logfile | dirname }}"
|
||||||
tags:
|
tags:
|
||||||
- redis
|
- redis
|
||||||
|
|
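Review bot: Adding `/var/lib/redis` and `/var/log/redis` to `with_items` of a task that sets `owner`/`group` to `redis-{{ redis_instance_name }}` chowns the shared parent directories to the instance user; if this role is applied once per instance (the per-instance names suggest it), each run re-owns those shared directories to the last instance, which is non-idempotent across instances and gives that instance's user ownership of every sibling's parent directory. Keeping the shared parents on a common owner with group- or mode-based access, and limiting the per-instance ownership to `{{ redis_dbdir }}` and `{{ redis_logfile | dirname }}`, avoids the flip-flop. The task header and its `mode` are outside the hunk, so the resulting permissions are not visible here.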
9
ssl/README.md
Normal file
9
ssl/README.md
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
# ssl
|
||||||
|
|
||||||
|
Deploy SSL certificate, key, dhparams and concatenate them when needed (eg. with Haproxy).
|
||||||
|
|
||||||
|
## Available variables
|
||||||
|
|
||||||
|
* `ssl_cert`: name of SSL certificate which is going to be deployed
|
||||||
|
|
||||||
|
eg. `ssl_cert: "example.com"` deploy files/ssl/example.com.{pem|key|dhp}
|
5
ssl/handlers/main.yml
Normal file
5
ssl/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: reload haproxy
|
||||||
|
service:
|
||||||
|
name: haproxy
|
||||||
|
state: reloaded
|
20
ssl/meta/main.yml
Normal file
20
ssl/meta/main.yml
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
galaxy_info:
|
||||||
|
author: Evolix
|
||||||
|
description: Deployment of SSL certificate, key and dhparams
|
||||||
|
|
||||||
|
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
|
||||||
|
|
||||||
|
license: GPLv2
|
||||||
|
|
||||||
|
min_ansible_version: 2.2
|
||||||
|
|
||||||
|
platforms:
|
||||||
|
- name: Debian
|
||||||
|
versions:
|
||||||
|
- jessie
|
||||||
|
- stretch
|
||||||
|
|
||||||
|
dependencies: []
|
||||||
|
# List your role dependencies here, one per line.
|
||||||
|
# Be sure to remove the '[]' above if you add dependencies
|
||||||
|
# to this list.
|
33
ssl/tasks/haproxy.yml
Normal file
33
ssl/tasks/haproxy.yml
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
---
|
||||||
|
- name: Concatenate SSL certificate, key and dhparam
|
||||||
|
set_fact:
|
||||||
|
ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n"
|
||||||
|
with_fileglob:
|
||||||
|
- "ssl/{{ ssl_cert }}.pem"
|
||||||
|
- "ssl/{{ ssl_cert }}.key"
|
||||||
|
- "ssl/{{ ssl_cert }}.dhp"
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
|
||||||
|
- name: Create haproxy ssl directory
|
||||||
|
file:
|
||||||
|
dest: /etc/haproxy/ssl
|
||||||
|
state: directory
|
||||||
|
mode: "0700"
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
|
||||||
|
- name: Copy concatenated certificate and key
|
||||||
|
copy:
|
||||||
|
content: "{{ ssl_cat }}"
|
||||||
|
dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem"
|
||||||
|
mode: "0600"
|
||||||
|
notify: reload haproxy
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
|
||||||
|
- name: Reset ssl_cat variable
|
||||||
|
set_fact:
|
||||||
|
ssl_cat: ""
|
||||||
|
tags:
|
||||||
|
- ssl
|
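Review bot: `ssl_cat` accumulates the private key through `lookup('file', item)` and is then written with `copy: content:`, and neither the `set_fact` nor the `copy` task carries `no_log: True`, so the key material shows up in verbose (`-v`) output, `--diff` output and any callback or log collector. Add `no_log: True` to the `Concatenate SSL certificate, key and dhparam` and `Copy concatenated certificate and key` tasks. `with_fileglob` silently skips a pattern that matches nothing, so a missing `ssl/{{ ssl_cert }}.key` produces a pem without a key that only fails when haproxy reloads; `with_items` over the three names with the same `lookup('file', ...)` errors at the lookup instead.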
39
ssl/tasks/main.yml
Normal file
39
ssl/tasks/main.yml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
---
|
||||||
|
- name: Copy SSL certificate
|
||||||
|
copy:
|
||||||
|
src: "ssl/{{ ssl_cert }}.pem"
|
||||||
|
dest: "/etc/ssl/certs/{{ ssl_cert }}.pem"
|
||||||
|
mode: "0644"
|
||||||
|
register: ssl_copy_cert
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
|
||||||
|
- name: Copy SSL key
|
||||||
|
copy:
|
||||||
|
src: "ssl/{{ ssl_cert }}.key"
|
||||||
|
dest: "/etc/ssl/private/{{ ssl_cert }}.key"
|
||||||
|
mode: "0600"
|
||||||
|
register: ssl_copy_key
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
|
||||||
|
- name: Copy SSL dhparam
|
||||||
|
copy:
|
||||||
|
src: "ssl/{{ ssl_cert }}.dhp"
|
||||||
|
dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp"
|
||||||
|
mode: "0644"
|
||||||
|
register: ssl_copy_dhp
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
|
||||||
|
- name: Check if Haproxy is installed
|
||||||
|
command: dpkg -l haproxy
|
||||||
|
register: haproxy_check
|
||||||
|
check_mode: False
|
||||||
|
changed_when: False
|
||||||
|
failed_when: False
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
|
||||||
|
- include: haproxy.yml
|
||||||
|
when: haproxy_check.rc == 0
|
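Review bot: `command: dpkg -l haproxy` with `when: haproxy_check.rc == 0` treats any package known to dpkg as installed, and `dpkg -l` exits 0 for a package that was removed but still has config files (status `rc`), so `haproxy.yml` would run and write into /etc/haproxy/ssl on such a host; the evocheck script in this same commit handles this with `dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i'`, and the same filter here (as a `shell:` task) keeps the two consistent. The `Copy SSL key` task copies `ssl/{{ ssl_cert }}.key` without `no_log: True`, so a `--diff` run prints the key. `ssl_copy_cert`, `ssl_copy_key` and `ssl_copy_dhp` are registered but not used in this file or in haproxy.yml; if nothing else consumes them they can be dropped.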