Merge branch 'unstable' into stable
commit
5cbad9911f
25
CHANGELOG.md
25
CHANGELOG.md
|
@ -18,6 +18,31 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Security
|
||||
|
||||
## [9.5.0] - 2018-11-14
|
||||
|
||||
### Added
|
||||
* apache: separate task to update IP whitelist
|
||||
* evolinux-base: install man package
|
||||
* evolinux-users: add newaliases handler
|
||||
* evomaintenance: FROM domain is configurable
|
||||
* fail2ban: separate task to update IP whitelist
|
||||
* nginx: add tag for ips management
|
||||
* nginx: separate task to update IP whitelist
|
||||
* postfix: enable SSL/TLS client
|
||||
* ssl: add an SSL role for certificates deployment
|
||||
* haproxy: add vars for tls configuration
|
||||
* mysql: logdir can be customized
|
||||
|
||||
### Changed
|
||||
* evocheck: update script from upstream
|
||||
* evomaintenance: update script from upstream
|
||||
* mysql: restart service if systemd unit has been patched
|
||||
|
||||
### Fixed
|
||||
* packweb-apache: mod-security config is already included elsewhere
|
||||
* redis: for permissions on log and lib directories
|
||||
* redis: fix shell for instance users
|
||||
|
||||
## [9.4.2] - 2018-10-12
|
||||
|
||||
### Added
|
||||
|
|
|
@ -6,6 +6,8 @@ Install Apache
|
|||
|
||||
Everything is in the `tasks/main.yml` file for now.
|
||||
|
||||
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
|
||||
|
||||
## Available variables
|
||||
|
||||
Main variables are :
|
||||
|
|
|
@ -11,25 +11,8 @@
|
|||
tags:
|
||||
- apache
|
||||
|
||||
- name: add IP addresses to private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: present
|
||||
with_items: "{{ apache_ipaddr_whitelist_present }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: remove IP addresses from private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: absent
|
||||
with_items: "{{ apache_ipaddr_whitelist_absent }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
- name: Load IP whitelist task
|
||||
include: ip_whitelist.yml
|
||||
|
||||
- name: include private IP whitelist for server-status
|
||||
lineinfile:
|
||||
|
|
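Review bot: The new `- name: Load IP whitelist task` / `include: ip_whitelist.yml` carries no `tags`, while the tasks it loads are tagged `apache` and `ips`. Whether `ansible-playbook --tags ips` ever reaches those tasks depends on how this Ansible version evaluates the bare `include` (a static include propagates tags to its children, a dynamic one needs the tag on the include line itself), so the standalone-update path the README advertises is only guaranteed if the include is tagged too: `tags: [apache, ips]`. The nginx include added in this commit has the same gap. A one-line comment such as `# tagged so that --tags ips loads the whitelist tasks whether the include is static or dynamic` would record why the tag is duplicated.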
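--- a/apache/tasks/ip_whitelist.yml
+++ b/apache/tasks/ip_whitelist.yml
@@ -0,0 +1,23 @@
+---
+
+- name: add IP addresses to private IP whitelist
+lineinfile:
+dest: /etc/apache2/ipaddr_whitelist.conf
+line: "Require ip {{ item }}"
+state: present
+with_items: "{{ apache_ipaddr_whitelist_present }}"
+notify: reload apache
+tags:
+- apache
+- ips
+
+- name: remove IP addresses from private IP whitelist
+lineinfile:
+dest: /etc/apache2/ipaddr_whitelist.conf
+line: "Require ip {{ item }}"
+state: absent
+with_items: "{{ apache_ipaddr_whitelist_absent }}"
+notify: reload apache
+tags:
+- apache
+- ips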
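Review bot: Both `lineinfile` tasks write `Require ip {{ item }}` without checking that `item` is an address or CIDR; an empty string or a mistyped entry in `apache_ipaddr_whitelist_present` produces a `Require ip` line that Apache rejects when `reload apache` fires, and a value containing a newline would append an arbitrary directive to the whitelist file. The lists come from inventory, so this guards against operator error rather than an attacker, but a check before the loops is cheap: `- assert: { that: "(apache_ipaddr_whitelist_present + apache_ipaddr_whitelist_absent) | ipaddr | length == (apache_ipaddr_whitelist_present + apache_ipaddr_whitelist_absent) | length" }` (the `ipaddr` filter drops invalid entries and needs python-netaddr on the controller). The tasks also rely on `/etc/apache2/ipaddr_whitelist.conf` already existing with sane ownership, presumably created earlier in the role; a comment stating that assumption would help whoever runs this file standalone.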
@ -5,7 +5,7 @@
|
|||
# powered by Evolix
|
||||
|
||||
# Repository: https://gitlab.evolix.org/evolix/evocheck
|
||||
# Commit: d5a02b343f2e8e9a0b6fcd10b6b5a5d1e8c9af03
|
||||
# Commit: 956877442a3f43243fed89c491d9bdddd1ac77cd
|
||||
|
||||
# Disable LANG*
|
||||
export LANG=C
|
||||
|
@ -105,6 +105,10 @@ IS_EVOBACKUP=1
|
|||
IS_DUPLICATE_FS_LABEL=1
|
||||
IS_EVOMAINTENANCE_FW=1
|
||||
IS_EVOLIX_USER=1
|
||||
IS_EVOACME_CRON=1
|
||||
IS_EVOACME_LIVELINKS=1
|
||||
IS_APACHE_CONFENABLED=1
|
||||
IS_MELTDOWN_SPECTRE=1
|
||||
|
||||
#Proper to OpenBSD
|
||||
IS_SOFTDEP=1
|
||||
|
@ -143,7 +147,7 @@ is_pack_samba(){
|
|||
|
||||
is_installed(){
|
||||
for pkg in $*; do
|
||||
dpkg -l $pkg 2>/dev/null |grep -q -E '^(i|h)i' || return 1
|
||||
dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -359,7 +363,7 @@ if [ -e /etc/debian_version ]; then
|
|||
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
|
||||
if [ -f "$MINIFW_FILE" ]; then
|
||||
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
|
||||
if [ "$rulesNumber" -lt 4 ]; then
|
||||
if [ "$rulesNumber" -lt 2 ]; then
|
||||
echo 'IS_EVOMAINTENANCE_FW FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
@ -521,7 +525,9 @@ if [ -e /etc/debian_version ]; then
|
|||
|
||||
# Check if no package has been upgraded since $limit.
|
||||
if [ "$IS_NOTUPGRADED" = 1 ]; then
|
||||
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
|
||||
if zgrep -hq upgrade /var/log/dpkg.log*; then
|
||||
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
|
||||
fi
|
||||
if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
||||
|| grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
||||
# Manual upgrade process
|
||||
|
@ -530,8 +536,8 @@ if [ -e /etc/debian_version ]; then
|
|||
# Regular process
|
||||
limit=$(date +%s -d "now - 90 days")
|
||||
fi
|
||||
if [ -f /var/log/evolinux/00_prepare_system.log ]; then
|
||||
install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
|
||||
if [ -d /var/log/installer ]; then
|
||||
install_date=$(stat -c %Z /var/log/installer)
|
||||
else
|
||||
install_date=0
|
||||
fi
|
||||
|
@ -769,6 +775,71 @@ if [ -e /etc/debian_version ]; then
|
|||
if [ "$IS_EVOLIX_USER" = 1 ]; then
|
||||
getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOACME_CRON" = 1 ]; then
|
||||
if [ -f "/usr/local/sbin/evoacme" ]; then
|
||||
# Old cron file, should be deleted
|
||||
test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!'
|
||||
# evoacme cron file should be present
|
||||
test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
|
||||
if [ -x "$(which evoacme)" ]; then
|
||||
# Sometimes evoacme is installed but no certificates has been generated
|
||||
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
|
||||
if [ $numberOfLinks -gt 0 ]; then
|
||||
for live in /etc/letsencrypt/*/live; do
|
||||
actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11)
|
||||
actualCertDate=$(cut -d'/' -f5 <<< $actualLink)
|
||||
liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9)
|
||||
certDir=${liveDir%%/live}
|
||||
lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1)
|
||||
lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir)
|
||||
if [[ "$actualCertDate" != "$lastCertDate" ]]; then
|
||||
echo 'IS_EVOACME_LIVELINKS FAILED!'
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_APACHE_CONFENABLED" = 1 ]; then
|
||||
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
|
||||
# must be replaced by conf-available/ and config files symlinked
|
||||
# to conf-enabled/
|
||||
if is_debianversion jessie || is_debianversion stretch; then
|
||||
if [ -f /etc/apache2/apache2.conf ]; then
|
||||
test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!'
|
||||
grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
|
||||
echo 'IS_APACHE_CONFENABLED FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
|
||||
# For Stretch, detection is easy as the kernel use
|
||||
# /sys/devices/system/cpu/vulnerabilities/
|
||||
if is_debianversion stretch; then
|
||||
for vuln in meltdown spectre_v1 spectre_v2; do
|
||||
test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
done
|
||||
# For Jessie this is quite complicated to verify and we need to use kernel config file
|
||||
elif is_debianversion jessie; then
|
||||
if grep -q BOOT_IMAGE= /proc/cmdline; then
|
||||
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
|
||||
kernelVer=${kernelPath##*/vmlinuz-}
|
||||
kernelConfig="config-${kernelVer}"
|
||||
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
|
||||
if [ -f /boot/$kernelConfig ]; then
|
||||
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
|
|
|
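Review bot: In the IS_MELTDOWN_SPECTRE branch for Stretch, the loop only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, which proves the running kernel is new enough to report a status, not that a mitigation is active; a kernel booted with `nopti`/`nospectre_v2`, or a CPU without the needed microcode, reports `Vulnerable` in that file and still passes. Test the content as well: `f=/sys/devices/system/cpu/vulnerabilities/$vuln` followed by `{ test -f "$f" && ! grep -q '^Vulnerable' "$f"; } || echo 'IS_MELTDOWN_SPECTRE FAILED!'`. The Jessie branch has the same limitation in a different form, since `CONFIG_PAGE_TABLE_ISOLATION`/`CONFIG_RETPOLINE` in the build config prove compile-time support only, which is worth a comment on the `elif is_debianversion jessie` line rather than a code change. This file is a copy of upstream evocheck (see the `# Commit:` marker at its top), so the fix should be carried upstream rather than patched locally.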
@ -33,6 +33,7 @@
|
|||
- curl
|
||||
- telnet
|
||||
- traceroute
|
||||
- man
|
||||
when: evolinux_packages_diagnostic
|
||||
|
||||
- name: Install/Update hardware tools
|
||||
|
|
|
@ -3,3 +3,7 @@
|
|||
service:
|
||||
name: sshd
|
||||
state: reloaded
|
||||
|
||||
- name: newaliases
|
||||
command: newaliases
|
||||
changed_when: False
|
||||
|
|
|
@ -22,7 +22,8 @@ evomaintenance_pg_passwd: Null
|
|||
evomaintenance_pg_db: Null
|
||||
evomaintenance_pg_table: Null
|
||||
|
||||
evomaintenance_from: "evomaintenance@{{ evolinux_internal_fqdn }}"
|
||||
evomaintenance_from_domain: "{{ evolinux_internal_fqdn }}"
|
||||
evomaintenance_from: "evomaintenance@{{ evomaintenance_from_domain }}"
|
||||
evomaintenance_full_from: "Evomaintenance <{{ evomaintenance_from }}>"
|
||||
|
||||
evomaintenance_urgency_from: mama.doe@example.com
|
||||
|
|
|
@ -185,7 +185,7 @@ fi
|
|||
SQL_TEXTE=`echo "${TEXTE}" | sed "s/'/''/g"`
|
||||
|
||||
PG_QUERY="INSERT INTO evomaint(hostname,userid,ipaddress,begin_date,end_date,details) VALUES ('${HOSTNAME}','${USER}','${IP}','${BEGIN_DATE}',now(),'${SQL_TEXTE}')"
|
||||
echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST} --quiet
|
||||
echo "${PG_QUERY}" | psql ${PGDB} ${PGTABLE} -h ${PGHOST}
|
||||
|
||||
# send mail
|
||||
MAIL_TEXTE=$(echo "${TEXTE}" | sed -e "s@/@\\\\\/@g ; s@&@\\\\&@")
|
||||
|
|
|
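Review bot: The `PG_QUERY` line still interpolates `${HOSTNAME}`, `${USER}` and `${IP}` into the SQL unescaped; only `${TEXTE}` gets the `'` doubling via `SQL_TEXTE` on the line above. Where those three come from is outside the hunk (presumably the calling session and `SSH_CLIENT`), so the exposure is limited to people who can already run the script, but the same treatment costs one line each, e.g. `SQL_USER=$(echo "${USER}" | sed "s/'/''/g")`, or pass them with `psql -v` and reference them as `:'user'` so psql does the quoting. Dropping `--quiet` is fine, but psql's notices now land in whatever the caller captures, which matters if this output is mailed. `psql ${PGDB} ${PGTABLE}` also passes `PGTABLE` where psql expects a user name; if that is intentional the variable name misleads, if not it is a bug that predates this hunk. The script is synced from upstream per the changelog, so this belongs upstream as well.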
@ -6,6 +6,8 @@ Install Fail2ban.
|
|||
|
||||
Everything is in the `tasks/main.yml` file.
|
||||
|
||||
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
|
||||
|
||||
## Available variables
|
||||
|
||||
Main variables are :
|
||||
|
|
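--- a/fail2ban/tasks/ip_whitelist.yml
+++ b/fail2ban/tasks/ip_whitelist.yml
@@ -0,0 +1,10 @@
+---
+- name: Update ignoreips lists
+ini_file:
+dest: /etc/fail2ban/jail.local
+section: "[DEFAULT]"
+option: "ignoreips"
+value: "{{ fail2ban_ignore_ips | join(' ') }}"
+notify: restart fail2ban
+tags:
+- fail2ban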
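Review bot: The `ini_file` task sets `section: "[DEFAULT]"` and `option: "ignoreips"`. From what `ini_file` does with the section name (it writes and matches `[<section>]` itself), the brackets in the value make it look for a `[[DEFAULT]]` header, and fail2ban's option is spelled `ignoreip`, so unless the role's `jail.local` template deliberately contains that form, the whitelist lands in a section fail2ban does not read and is silently ignored, and the listed hosts still get banned. This is moved rather than new code, but it is the whole purpose of the standalone task file, so confirm on a host with `grep -n 'DEFAULT' /etc/fail2ban/jail.local` and `fail2ban-client get sshd ignoreip`. The likely fix is `section: DEFAULT` and `option: ignoreip`.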
@ -28,13 +28,8 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: update ignoreips lists
|
||||
ini_file:
|
||||
dest: /etc/fail2ban/jail.local
|
||||
section: "[DEFAULT]"
|
||||
option: "ignoreips"
|
||||
value: "{{ fail2ban_ignore_ips | join(' ') }}"
|
||||
notify: restart fail2ban
|
||||
- name: Include ignoredips update task
|
||||
include: ip_whitelist.yml
|
||||
when: fail2ban_force_update_ignore_ips
|
||||
tags:
|
||||
- fail2ban
|
||||
|
|
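--- a/haproxy/vars/main.yml
+++ b/haproxy/vars/main.yml
@@ -0,0 +1,21 @@
+---
+haproxy_ssl_old: |
+# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => old profile
+tune.ssl.default-dh-param 1024
+ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
+ssl-default-bind-options no-tls-tickets
+ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP
+ssl-default-server-options no-tls-tickets
+haproxy_ssl_intermediate: |
+# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => intermediate profile
+tune.ssl.default-dh-param 2048
+ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ssl-default-bind-options no-sslv3 no-tls-tickets
+ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ssl-default-server-options no-sslv3 no-tls-tickets
+haproxy_ssl_modern: |
+# TLS configuration : https://mozilla.github.io/server-side-tls/ssl-config-generator/ => modern profile
+ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets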
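Review bot: These three profiles live in `vars/main.yml`, which takes precedence over inventory and play vars, so an operator who needs to trim one cipher (say, drop `DES-CBC3-SHA` from `haproxy_ssl_intermediate` after a scanner finding) has to edit the role itself; `defaults/main.yml` would keep the same values while leaving them overridable per host or group. `haproxy_ssl_old` deserves a warning comment, since its `ssl-default-*-options` lack `no-sslv3` and it keeps 1024-bit DH plus 3DES/SEED, e.g. `# WARNING: legacy clients only; permits SSLv3, 1024-bit DH and 3DES`. The comments point at the Mozilla generator but not which revision of its profiles was copied, so recording a date or generator version makes it possible to tell when these strings have drifted from upstream.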
@ -13,6 +13,7 @@ mysql_replace_root_with_mysqladmin: True
|
|||
|
||||
mysql_custom_datadir: ''
|
||||
mysql_custom_tmpdir: ''
|
||||
mysql_custom_logdir: ''
|
||||
|
||||
mysql_thread_cache_size: '{{ ansible_processor_cores }}'
|
||||
mysql_innodb_buffer_pool_size: '{{ (ansible_memtotal_mb * 0.3) | int }}M'
|
||||
|
|
|
@ -37,8 +37,9 @@
|
|||
force: yes
|
||||
register: mariadb_systemd_override
|
||||
|
||||
- name: reload systemd
|
||||
- name: reload systemd and restart MariaDB
|
||||
systemd:
|
||||
name: mysql
|
||||
daemon_reload: yes
|
||||
notify: "{{ mysql_restart_handler_name }}"
|
||||
when: mariadb_systemd_override.changed
|
||||
|
|
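--- a/mysql/tasks/logdir.yml
+++ b/mysql/tasks/logdir.yml
@@ -0,0 +1,45 @@
+---
+
+- block:
+- name: "Is {{ mysql_custom_logdir }} present ?"
+stat:
+path: "{{ mysql_custom_logdir }}"
+check_mode: no
+register: mysql_custom_logdir_test
+
+- name: "read the real logdir"
+command: readlink -f /var/log/mysql
+changed_when: False
+check_mode: no
+register: mysql_current_real_logdir_test
+tags:
+- mysql
+when: mysql_custom_logdir != ''
+
+- block:
+- name: MySQL is stopped
+service:
+name: mysql
+state: stopped
+
+- name: Move MySQL logdir to {{ mysql_custom_logdir }}
+command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }}
+args:
+creates: "{{ mysql_custom_logdir }}"
+
+- name: Symlink {{ mysql_custom_logdir }} to /var/log/mysql
+file:
+src: "{{ mysql_custom_logdir }}"
+dest: '/var/log/mysql'
+state: link
+
+- name: MySQL is started
+service:
+name: mysql
+state: started
+tags:
+- mysql
+when:
+- mysql_custom_logdir != ''
+- mysql_custom_logdir != mysql_current_real_logdir_test.stdout
+- not mysql_custom_logdir_test.stat.exists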
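Review bot: `command: mv {{ mysql_current_real_logdir_test.stdout }} {{ mysql_custom_logdir }}` passes both paths unquoted; `command` does not go through a shell, but a path with whitespace is split into extra arguments, and an empty `readlink` result turns the call into `mv <target>` with a confusing error. Quoting is free: `command: mv "{{ mysql_current_real_logdir_test.stdout }}" "{{ mysql_custom_logdir }}"`. The second block stops MySQL before the move and has no `rescue`, so a failing `mv` (missing parent of `mysql_custom_logdir`, or a cross-filesystem copy that dies halfway) leaves the service down; a `rescue:` that runs `service: name=mysql state=started` and then fails the play would match the `block:` already in use. If the Debian AppArmor profile for mysqld is enforced on these hosts, writes to the new log path may also be denied; `datadir.yml` presumably deals with that for the data directory, so confirm the same is done for the log directory.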
@ -23,6 +23,8 @@
|
|||
|
||||
- include: datadir.yml
|
||||
|
||||
- include: logdir.yml
|
||||
|
||||
- include: tmpdir.yml
|
||||
|
||||
- include: nrpe.yml
|
||||
|
|
|
@ -12,6 +12,8 @@ The minimal mode is for servers without real web apps, and only access to munin
|
|||
|
||||
The regular mode is for full fledged web services with optimized defaults.
|
||||
|
||||
An `ip_whitelist.yml` standalone task file is available to update IP adresses whitelist without rolling the whole role.
|
||||
|
||||
## Available variables
|
||||
|
||||
Main variables are :
|
||||
|
|
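--- a/nginx/tasks/ip_whitelist.yml
+++ b/nginx/tasks/ip_whitelist.yml
@@ -0,0 +1,23 @@
+---
+
+- name: add IP addresses to private IP whitelist
+lineinfile:
+dest: /etc/nginx/snippets/ipaddr_whitelist
+line: "allow {{ item }};"
+state: present
+with_items: "{{ nginx_ipaddr_whitelist_present }}"
+notify: reload nginx
+tags:
+- nginx
+- ips
+
+- name: remove IP addresses from private IP whitelist
+lineinfile:
+dest: /etc/nginx/snippets/ipaddr_whitelist
+line: "allow {{ item }};"
+state: absent
+with_items: "{{ nginx_ipaddr_whitelist_absent }}"
+notify: reload nginx
+tags:
+- nginx
+- ips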
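Review bot: Nothing prevents the same address from appearing in both `nginx_ipaddr_whitelist_present` and `nginx_ipaddr_whitelist_absent`; the first task would add `allow X;` and the second remove it on every run, so the play reports two changes, reloads nginx twice, and the final state is "absent" without anyone noticing. A guard before the two loops makes the conflict loud: `- assert: { that: "nginx_ipaddr_whitelist_present | intersect(nginx_ipaddr_whitelist_absent) | length == 0", msg: "an address is in both the present and absent whitelist" }`. The apache counterpart added in this commit has the same shape and would take the same assert. Since the snippet is pure `allow` lines, it is worth a comment noting that the enclosing server/location block is expected to supply the `deny all;`, as the snippet alone grants nothing.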
@ -49,26 +49,10 @@
|
|||
notify: reload nginx
|
||||
tags:
|
||||
- nginx
|
||||
- ips
|
||||
|
||||
- name: add IP addresses to private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||
line: "allow {{ item }};"
|
||||
state: present
|
||||
with_items: "{{ nginx_ipaddr_whitelist_present }}"
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- nginx
|
||||
|
||||
- name: remove IP addresses from private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||
line: "allow {{ item }};"
|
||||
state: absent
|
||||
with_items: "{{ nginx_ipaddr_whitelist_absent }}"
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- nginx
|
||||
- name: Include IP address whitelist task
|
||||
include: ip_whitelist.yml
|
||||
|
||||
- name: Copy private_htpasswd
|
||||
copy:
|
||||
|
|
|
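Review bot: The `include: ip_whitelist.yml` task has no `tags`, unlike the task just above it which is tagged `nginx` and `ips`, so whether `ansible-playbook --tags ips` loads the whitelist tasks depends on whether this Ansible version treats the bare `include` as static or dynamic. Tagging the include line itself, `tags: [nginx, ips]`, gives the documented standalone-update path in both cases. The apache role's include in this commit has the same gap.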
@ -18,7 +18,7 @@ SecUploadKeepFiles Off
|
|||
# default action
|
||||
SecDefaultAction "log,auditlog,deny,status:406,phase:2"
|
||||
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditEngine Off
|
||||
#SecAuditLogRelevantStatus "^[45]"
|
||||
# use only one log file
|
||||
SecAuditLogType Serial
|
||||
|
@ -39,10 +39,9 @@ SecTmpDir /tmp
|
|||
# RULES
|
||||
#########
|
||||
|
||||
# File name
|
||||
SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
|
||||
# Complete URI
|
||||
SecRule REQUEST_URI "modsecuritytest2" "id:2"
|
||||
SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
|
||||
# Removed because it does not play well with apache-itk
|
||||
# Can be removed when modsecurity 2.9.3 hits debian
|
||||
# See https://github.com/SpiderLabs/ModSecurity/issues/712
|
||||
SecRuleRemoveById "910000-910999"
|
||||
|
||||
</IfModule>
|
||||
|
|
|
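Review bot: `SecAuditEngine Off` silences the audit log entirely, although `SecDefaultAction` a few lines above still carries `auditlog`; after this change a blocked request leaves only the one-line error-log entry, without the headers and body an incident responder needs to tell a false positive from an attack. If the motivation is disk usage or noise, `SecAuditEngine RelevantOnly` together with the commented-out `SecAuditLogRelevantStatus "^[45]"` limits the log to denied and failed transactions; if turning it off is deliberate, a comment saying why (and where the evidence is expected to come from instead) would stop the next reader from switching it back on blindly. The `SecRuleRemoveById "910000-910999"` range is, in OWASP CRS 3, the whole IP-reputation rule family; the comment cites an apache-itk issue, so it is worth confirming that the range matches the rules that actually misbehave rather than the family as a whole.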
@ -71,3 +71,9 @@
|
|||
|
||||
- include: fhs_retrictions.yml
|
||||
when: packweb_fhs_retrictions
|
||||
|
||||
- name: Periodically cache ftp directory sizes for ftpadmin.sh
|
||||
cron:
|
||||
name: "ProFTPd directory size caching"
|
||||
special_time: daily
|
||||
job: "/usr/share/scripts/evoadmin/stats.sh"
|
||||
|
|
|
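Review bot: The new `cron` task does not set `user:`, so `/usr/share/scripts/evoadmin/stats.sh` is installed in root's crontab and runs daily as root to compute FTP directory sizes. If the script only needs to read the FTP homes and write a cache the evoadmin web UI reads, an existing unprivileged account via `user:` keeps a bug in a size-counting script from running with full privileges; whether such an account exists is outside this hunk. If root really is required, a one-line `# runs as root: stats.sh must read every FTP home` records the decision. The task also has no `tags:`, unlike the rest of this task file (assuming the other tasks are tagged, which is not visible here).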
@ -13,6 +13,12 @@ recipient_delimiter = +
|
|||
inet_interfaces = all
|
||||
inet_protocols = ipv4
|
||||
disable_vrfy_command = yes
|
||||
# enable SSL/TLS client
|
||||
smtp_tls_security_level = may
|
||||
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
smtp_tls_loglevel = 1
|
||||
|
||||
{% if postfix_slow_transport_include == True %}
|
||||
# Slow transports configuration
|
||||
|
|
|
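Review bot: `smtp_tls_security_level = may` enables opportunistic TLS with no certificate verification, which is the right default for arbitrary Internet destinations but gives no protection against a downgrade or a spoofed relay; if this minimal configuration relays through a known smarthost (not visible in the hunk), a `smtp_tls_policy_maps` entry with `secure` or `verify` for that host plus `smtp_tls_CApath = /etc/ssl/certs` is the one addition worth making. `smtp_tls_mandatory_protocols` is only consulted at the `encrypt`/`secure` levels, so with `may` only `smtp_tls_protocols` takes effect here; keeping both is harmless, but a comment saying so avoids the impression that both are active. The same five lines are added to the full template in this commit, so a shared Jinja include would keep the two from drifting.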
@ -389,11 +389,19 @@ strict_rfc821_envelopes = yes
|
|||
# Section : Chiffrement
|
||||
#######################
|
||||
|
||||
smtpd_tls_security_level = may
|
||||
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||
smtpd_tls_protocols=!SSLv2,!SSLv3
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
smtpd_tls_loglevel = 1
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtpd_use_tls=yes
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
|
||||
smtp_tls_security_level = may
|
||||
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_protocols=!SSLv2,!SSLv3
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
smtp_tls_loglevel = 1
|
||||
|
||||
# SASL
|
||||
smtpd_sasl_auth_enable = yes
|
||||
|
|
|
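Review bot: The server side now advertises STARTTLS via `smtpd_tls_security_level = may` with the `ssl-cert-snakeoil` certificate and key the surrounding lines keep, so remote MTAs and SASL clients (`smtpd_sasl_auth_enable = yes` follows) are offered a self-signed certificate. This commit also adds an `ssl` role that deploys `/etc/ssl/certs/<name>.pem` and `/etc/ssl/private/<name>.key`, so turning `smtpd_tls_cert_file`/`smtpd_tls_key_file` into a variable that defaults to the snakeoil paths would let the two fit together. With SASL enabled, `smtpd_tls_auth_only = yes` would stop credentials from being accepted over a cleartext session; whether existing clients can cope is outside the hunk. As on the client side, `smtpd_tls_mandatory_protocols` is only consulted at `encrypt`/`secure` levels, so at `may` the `smtpd_tls_protocols` line is the one that governs.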
@ -48,7 +48,7 @@
|
|||
group: "redis-{{ redis_instance_name }}"
|
||||
state: present
|
||||
system: True
|
||||
shell: '/bin/falase'
|
||||
shell: '/bin/false'
|
||||
tags:
|
||||
- redis
|
||||
|
||||
|
@ -60,7 +60,9 @@
|
|||
owner: "redis-{{ redis_instance_name }}"
|
||||
group: "redis-{{ redis_instance_name }}"
|
||||
with_items:
|
||||
- "/var/lib/redis"
|
||||
- "{{ redis_dbdir }}"
|
||||
- "/var/log/redis"
|
||||
- "{{ redis_logfile | dirname }}"
|
||||
tags:
|
||||
- redis
|
||||
|
|
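--- a/ssl/README.md
+++ b/ssl/README.md
@@ -0,0 +1,9 @@
+# ssl
+
+Deploy SSL certificate, key, dhparams and concatenate them when needed (eg. with Haproxy).
+
+## Available variables
+
+* `ssl_cert`: name of SSL certificate which is going to be deployed
+
+eg. `ssl_cert: "example.com"` deploy files/ssl/example.com.{pem|key|dhp}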
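--- a/ssl/handlers/main.yml
+++ b/ssl/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload haproxy
+service:
+name: haproxy
+state: reloaded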
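--- a/ssl/meta/main.yml
+++ b/ssl/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+author: Evolix
+description: Deployment of SSL certificate, key and dhparams
+
+issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+license: GPLv2
+
+min_ansible_version: 2.2
+
+platforms:
+- name: Debian
+versions:
+- jessie
+- stretch
+
+dependencies: []
+# List your role dependencies here, one per line.
+# Be sure to remove the '[]' above if you add dependencies
+# to this list.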
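--- a/ssl/tasks/haproxy.yml
+++ b/ssl/tasks/haproxy.yml
@@ -0,0 +1,33 @@
+---
+- name: Concatenate SSL certificate, key and dhparam
+set_fact:
+ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n"
+with_fileglob:
+- "ssl/{{ ssl_cert }}.pem"
+- "ssl/{{ ssl_cert }}.key"
+- "ssl/{{ ssl_cert }}.dhp"
+tags:
+- ssl
+
+- name: Create haproxy ssl directory
+file:
+dest: /etc/haproxy/ssl
+state: directory
+mode: "0700"
+tags:
+- ssl
+
+- name: Copy concatenated certificate and key
+copy:
+content: "{{ ssl_cat }}"
+dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem"
+mode: "0600"
+notify: reload haproxy
+tags:
+- ssl
+
+- name: Reset ssl_cat variable
+set_fact:
+ssl_cat: ""
+tags:
+- ssl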
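Review bot: The first `set_fact` task stores the private key (`ssl/{{ ssl_cert }}.key` is one of the globbed files) in the `ssl_cat` fact; with `-v` the task result echoes it, with fact caching enabled it is written to the cache backend, and the later `copy` with `content:` prints the whole bundle under `--diff`. Add `no_log: true` to both the `Concatenate SSL certificate, key and dhparam` task and the `Copy concatenated certificate and key` task. `with_fileglob` silently skips a pattern with no match, so a missing `.dhp` or, worse, a missing `.key` produces a truncated bundle that `reload haproxy` then rejects, or accepts with weaker DH defaults; building the content from three explicit `lookup('file', ...)` calls would instead fail the play at the missing file. The final reset task is presumably there because `ssl_cat | default()` would otherwise keep accumulating across repeated role invocations on the same host (one per certificate); a comment saying so would spare the next reader the deduction.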
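--- a/ssl/tasks/main.yml
+++ b/ssl/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Copy SSL certificate
+copy:
+src: "ssl/{{ ssl_cert }}.pem"
+dest: "/etc/ssl/certs/{{ ssl_cert }}.pem"
+mode: "0644"
+register: ssl_copy_cert
+tags:
+- ssl
+
+- name: Copy SSL key
+copy:
+src: "ssl/{{ ssl_cert }}.key"
+dest: "/etc/ssl/private/{{ ssl_cert }}.key"
+mode: "0600"
+register: ssl_copy_key
+tags:
+- ssl
+
+- name: Copy SSL dhparam
+copy:
+src: "ssl/{{ ssl_cert }}.dhp"
+dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp"
+mode: "0644"
+register: ssl_copy_dhp
+tags:
+- ssl
+
+- name: Check if Haproxy is installed
+command: dpkg -l haproxy
+register: haproxy_check
+check_mode: False
+changed_when: False
+failed_when: False
+tags:
+- ssl
+
+- include: haproxy.yml
+when: haproxy_check.rc == 0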
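Review bot: The `Copy SSL key` task deploys `ssl/{{ ssl_cert }}.key` from the role's `files/` directory, which per the README means private keys are kept as plain files in the playbook repository, and under `ansible-playbook --diff` the copy module prints a diff of the key on first deployment or change; add `no_log: true` to that task and keep the key files vault-encrypted (`ansible-vault encrypt files/ssl/*.key`; `copy` decrypts vaulted sources transparently from Ansible 2.4 on, which is worth reflecting in `min_ansible_version`). `dpkg -l haproxy` exits 0 for a package that is removed but not purged (status `rc`), so `haproxy.yml` still runs on such hosts and `reload haproxy` fails; `dpkg-query -W -f='${Status}' haproxy 2>/dev/null | grep -q 'install ok installed'` is the usual test, and the evocheck script in this same commit uses the equivalent `dpkg -l ... | grep -E '^(i|h)i'`. The three `register:` results are not used by anything in this commit, so either drop them or say what they are reserved for.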