diff --git a/etc-git/README.md b/etc-git/README.md
index 5c033843..9028cc1c 100644
--- a/etc-git/README.md
+++ b/etc-git/README.md
@@ -27,5 +27,5 @@ There is also an independant task that can be executed to commit changes made in
 name: etc-git
 tasks_from: commit.yml
 vars:
- commit_message: "Ansible pre-run my splendid playbook"
+ commit_message: "Ansible post-run my splendid playbook"
 ```
diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml
index a958bacc..58bf52f2 100644
--- a/etc-git/tasks/main.yml
+++ b/etc-git/tasks/main.yml
@@ -4,13 +4,6 @@
 apt:
 name: git
 state: present
-when: ansible_os_family == "Debian"
-
-- name: Git is installed (OpenBSD)
- openbsd_pkg:
- name: git
- state: present
- when: ansible_os_family == "OpenBSD"
 - name: /etc is versioned with git
 command: "git init ."
diff --git a/evocheck/README.md b/evocheck/README.md
index 4a0e80de..b669fe54 100644
--- a/evocheck/README.md
+++ b/evocheck/README.md
@@ -5,7 +5,6 @@ Install and run evocheck ; a script for checking various settings automatically.
 ## Tasks
 The roles does not install evocheck by default as it should be installed through dependencies.
-For OpenBSD, it should be packaged, but the work is not done yet.
 A separate `exec.yml` file can be imported manually in playbooks or roles to execute the script. Example :
diff --git a/evolinux-base/README.md b/evolinux-base/README.md
index abd70e7d..8ef7a70e 100644
--- a/evolinux-base/README.md
+++ b/evolinux-base/README.md
@@ -33,7 +33,6 @@ Main variables are:
 * `evolinux_apt_hooks`: install APT hooks (default: `True`)
 * `evolinux_apt_remove_aptitude`: uninstall aptitude (default: `True`)
 * `evolinux_delete_nfs`: delete NFS tools (default: `True`)
-* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`)
 * `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
 * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
 * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index ae012b8b..822bbf9e 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -83,7 +83,7 @@ evolinux_system_locales: True
 evolinux_system_set_timezone: True
 evolinux_system_timezone: "Europe/Paris"
-evolinux_system_vim_skip_defaults: true
+evolinux_system_vim_skip_defaults: True
 evolinux_system_vim_default_editor: True
 evolinux_system_profile: True
 evolinux_system_dirmode_adduser: True
@@ -96,10 +96,6 @@ evolinux_system_alert5_init: True
 evolinux_system_alert5_enable: True
 evolinux_system_eni_auto: True
-evolinux_system_ntprestrict: True
-evolinux_system_set_ntpserver: True
-evolinux_system_ntpserver: "ntp.evolix.net"
-
 # root
 evolinux_root_include: True
diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml
index 002cd978..80b7378e 100644
--- a/evolinux-base/handlers/main.yml
+++ b/evolinux-base/handlers/main.yml
@@ -72,7 +72,3 @@
 name: postfix
 state: reloaded
-- name: restart ntp
- service:
- name: ntp
- state: restarted
diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml
index 6e2b710e..2e67eb97 100644
--- a/evolinux-base/tasks/default_www.yml
+++ b/evolinux-base/tasks/default_www.yml
@@ -27,7 +27,7 @@
 - block:
 - name: Create private key and csr for default site ({{ ansible_fqdn }})
- command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ evolinux_default_www_ssl_subject }}"
+ command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
 args:
 creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml
index 126bc48e..e6f624c1 100644
--- a/evolinux-base/tasks/log2mail.yml
+++ b/evolinux-base/tasks/log2mail.yml
@@ -14,5 +14,5 @@
 systemd:
 name: log2mail
 daemon-reload: yes
- state: restarted
+ state: started
 enabled: yes
diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml
index 8089e397..bb1f81c9 100644
--- a/evolinux-base/tasks/packages.yml
+++ b/evolinux-base/tasks/packages.yml
@@ -6,7 +6,6 @@
 with_items:
 - locales
 - sudo
- - ntp
 - ntpdate
 - lsb-release
 - dnsutils
diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml
index 67638b55..261ef1a9 100644
--- a/evolinux-base/tasks/system.yml
+++ b/evolinux-base/tasks/system.yml
@@ -111,23 +111,8 @@
 - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
 when: evolinux_system_cron_random
-# NTP listen retriction
-- name: Listen only on lo interface
-
-# NTP server address
- lineinfile:
- dest: /etc/ntp.conf
- line: "interface ignore wildcard"
- notify: restart ntp
- when: evolinux_system_ntprestrict
-
-- name: Configure NTP
- replace:
- dest: /etc/ntp.conf
- regexp: "^server .*$"
- replace: "server {{ evolinux_system_ntpserver }}"
- notify: restart ntp
- when: evolinux_system_set_ntpserver
+- include_role:
+ name: ntpd
 ## alert5
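Review bot: The new `-subj "{{ evolinux_default_www_ssl_subject }}"` makes the variable carry the complete OpenSSL subject instead of just the CN, so any inventory or unchanged default (neither is visible here) that still holds a bare hostname now produces a malformed `-subj` and a failing `openssl req`; the role README and `defaults/main.yml` should state the new format, e.g. `evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"`. A cheap guard before the block would fail fast on the old format: `- assert: { that: "evolinux_default_www_ssl_subject is match('^/')" }`. Since the task is skipped once the key exists (`creates:`), a host that already ran the old form keeps its old CSR, which is fine but worth a changelog line. The enclosing `block` continues past this hunk.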
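Review bot: `state: started` no longer restarts a running log2mail, so a configuration written earlier in this file (outside the hunk) is not picked up on hosts where the service is already up; the restart belongs in a handler, `notify: restart log2mail` on the config task plus a handler `systemd: name: log2mail state: restarted`. `daemon-reload: yes` is also executed on every run now that the task is otherwise idempotent; it is harmless but only needed when a unit file changed. The task's `name:` line is outside the hunk.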
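Review bot: `include_role: name: ntpd` runs unconditionally, whereas the two tasks it replaces were gated by `evolinux_system_ntprestrict` and `evolinux_system_set_ntpserver`, and those variables are dropped from `defaults/main.yml` in this same commit, so an inventory that still sets `evolinux_system_ntpserver` silently gets the ntpd role's default server instead of its own. Add a migration note to the README mapping the old knobs to `ntpd_servers` / `ntpd_only_local`, and a comment above the include such as `# NTP configuration moved to the ntpd role (see ntpd/defaults/main.yml)`. Also, `include_role` is a dynamic include: tags set on this task do not propagate to the role's tasks, so a tag-filtered run of evolinux-base may skip the NTP hardening — `import_role` (on Ansible releases that have it) keeps tag behaviour. The `## alert5` section that follows is outside the hunk.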
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index c3e2af96..94bd3cb4 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@@ -11,9 +11,9 @@ minifirewall_privilegied_ips: []
 minifirewall_protected_ports_tcp: [22]
 minifirewall_protected_ports_udp: []
-minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222]
-minifirewall_public_ports_udp: [53]
-minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143]
+minifirewall_public_ports_tcp: [22, 80, 443]
+minifirewall_public_ports_udp: []
+minifirewall_semipublic_ports_tcp: [20, 21, 25]
 minifirewall_semipublic_ports_udp: []
 minifirewall_private_ports_tcp: [5666]
 minifirewall_private_ports_udp: []
diff --git a/monit/defaults/main.yml b/monit/defaults/main.yml
index 39d28f24..2657f67d 100644
--- a/monit/defaults/main.yml
+++ b/monit/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 monit_daemon_time: 60
 monit_alert_dest:
-monit_httpd_enable: true
+monit_httpd_enable: True
 monit_httpd_port: 2812
 monit_httpd_allow_items:
 - localhost
diff --git a/munin/tasks/debian.yml b/munin/tasks/debian.yml
deleted file mode 100644
index cec24e62..00000000
--- a/munin/tasks/debian.yml
+++ /dev/null
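Review bot: Moving 22 from `minifirewall_semipublic_ports_tcp` to `minifirewall_public_ports_tcp` changes the shipped default for SSH from reachable by the privileged IP list to reachable from anywhere, and 80 is opened to all at the same time; a widening of the default attack surface like this belongs in the README and changelog so operators know to override it per host. 22 also still sits in `minifirewall_protected_ports_tcp: [22]` on the context line above, so the rendered minifirewall config should be checked for how a port listed both as protected and public is treated. If Internet-wide SSH is not meant for every host, `[80, 443]` public with 22 left semi-public is the safer default. Moving 25 to semi-public also means an MX host now needs an explicit override to accept mail from arbitrary senders.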
@@ -1,87 +0,0 @@
----
-
-- name: Ensure that Munin is installed
- apt:
- name: '{{ item }}'
- state: present
- with_items:
- - munin
- - munin-node
- - munin-plugins-core
- - munin-plugins-extra
- tags:
- - munin
- - packages
-
-- block:
- - name: Replace localdomain in Munin config
- replace:
- dest: /etc/munin/munin.conf
- regexp: 'localhost.localdomain'
- replace: '{{ ansible_fqdn }}'
- notify: restart munin-node
-
- - name: Rename the localdomain data dir
- command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }}
- args:
- creates: /var/lib/munin/{{ ansible_domain }}
- removes: /var/lib/munin/localdomain
- notify: restart munin-node
-
- when: not ansible_hostname == "localdomain"
- t tags:
@@ -1,6 +1,87 @@ --- -- include: debian.yml - when: ansible_os_family == "Debian" -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" +- name: Ensure that Munin is installed + apt: + name: '{{ item }}' + state: present + with_items: + - munin + - munin-node + - munin-plugins-core + - munin-plugins-extra + tags: + - munin + - packages + +- block: + - name: Replace localdomain in Munin config + replace: + dest: /etc/munin/munin.conf + regexp: 'localhost.localdomain' + replace: '{{ ansible_fqdn }}' + notify: restart munin-node + + - name: Rename the localdomain data dir + command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} + args: + creates: /var/lib/munin/{{ ansible_domain }} + removes: /var/lib/munin/localdomain + notify: restart munin-node + + when: not ansible_hostname == "localdomain" + tags: + - munin + +- name: Ensure some Munin plugins are disabled + file: + path: '/etc/munin/plugins/{{ item }}' + state: absent + with_items: + - http_loadtime + - exim_mailqueue + - exim_mailstats + - nfsd + - nfsd4 + - nfs_client + - nfs4_client + notify: restart munin-node + tags: + - munin + +- name: Ensure some Munin plugins are enabled + file: + src: "/usr/share/munin/plugins/{{ item }}" + dest: "/etc/munin/plugins/{{ item }}" + state: link + with_items: + - meminfo + - netstat_multi + - tcp + notify: restart munin-node + tags: + - munin + +- name: Enable sensors plugin unless VM detected + file: + src: /usr/share/munin/plugins/sensors_ + dest: /etc/munin/plugins/sensors_temp + state: link + when: ansible_virtualization_role != "guest" + notify: restart munin-node + tags: + - munin + +- name: adjustments for grsec kernel + blockinfile: + dest: /etc/munin/plugin-conf.d/munin-node + block: | + + [processes] + user root + + [vmstat] + user root + + [swap] + user root + when: ansible_kernel | search("-grs-") diff --git a/munin/tasks/openbsd.yml b/munin/tasks/openbsd.yml deleted file mode 100644 index fc9a1027..00000000 
--- a/munin/tasks/openbsd.yml +++ /dev/null @@ -1,100 +0,0 @@ ---- - -- name: Ensure that Munin is installed - openbsd_pkg: - name: '{{ item }}' - state: present - with_items: - - munin-server - - munin-node - tags: - - munin - - packages - -- name: Set munin.conf file - template: - src: munin.conf.j2 - dest: /etc/munin/munin.conf - mode: "0644" - tags: - - munin - -- name: Create munin www directory - file: - path: '{{ munin_dir }}' - state: directory - owner: _munin - group: www - mode: "0755" - tags: - - munin - -- name: Set munin-node config - template: - src: munin-node.conf.j2 - dest: /etc/munin/munin-node.conf - mode: "0644" - notify: restart munin_node - tags: - - munin - -- name: Install munin cron - copy: - src: "crontab" - dest: "/var/cron/tabs/_munin" - owner: "_munin" - group: "crontab" - tags: - - munin - -- name: Enable munin plugins - file: - src: "/usr/local/libexec/munin/plugins/{{ item }}" - dest: "/etc/munin/plugins/{{ item }}" - state: link - with_items: - - cpu - - df - - df_inode - - load - - memory - - munin_stats - - netstat - - open_files - - pf_changes - - pf_searches - - pf_states - - processes - - systat - - uptime - - users - - vmstat - notify: restart munin_node - tags: - - munin - -- name: Enable network graphs - file: - src: "/usr/local/libexec/munin/plugins/if_" - dest: "/etc/munin/plugins/if_{{ item }}" - state: link - notify: restart munin_node - with_items: "{{ ansible_interfaces }}" - -- name: Enable sensors plugin unless VM detected - file: - src: /usr/local/libexec/munin/plugins/sensors_ - dest: /etc/munin/plugins/sensors_temp - state: link - when: ansible_vio0 is undefined - notify: restart munin_node - tags: - - munin - -- name: Activating munin_node - service: - name: munin_node - enabled: yes - state: started - tags: - - munin diff --git a/nagios-nrpe/tasks/debian.yml b/nagios-nrpe/tasks/debian.yml deleted file mode 100644 index dbb73903..00000000 --- a/nagios-nrpe/tasks/debian.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -- name: packages are installed - apt: - name: "{{ item }}" - state: present - with_items: - - nagios-nrpe-server - - nagios-plugins - - nagios-plugins-basic - - nagios-plugins-common - - nagios-plugins-contrib - - nagios-plugins-standard - -- name: custom configuration is present - template: - src: evolix.cfg.j2 - dest: /etc/nagios/nrpe.d/evolix.cfg - group: nagios - mode: "0640" - notify: restart nagios-nrpe-server - -- name: Nagios config is secured - file: - dest: /etc/nagios/ - mode: "0750" - group: nagios - state: directory - notify: restart nagios-nrpe-server - -- include: remount_usr_rw.yml - when: nagios_plugins_directory | search ("/usr") - tags: - - nagios-plugins - -- name: Nagios plugins are installed - copy: - src: plugins/ - dest: "{{ nagios_plugins_directory }}/" - mode: "0755" - notify: restart nagios-nrpe-server - tags: - - nagios-plugins - -- name: Nagios lib is secured - file: - dest: /usr/local/lib/nagios/ - mode: "0755" - group: nagios - recurse: yes - state: directory - notify: restart nagios-nrpe-server diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index e723d322..dbb73903 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml 
@@ -1,10 +1,51 @@ --- -- include: debian.yml - when: ansible_os_family == "Debian" - tags: - - nagios +- name: packages are installed + apt: + name: "{{ item }}" + state: present + with_items: + - nagios-nrpe-server + - nagios-plugins + - nagios-plugins-basic + - nagios-plugins-common + - nagios-plugins-contrib + - nagios-plugins-standard -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" +- name: custom configuration is present + template: + src: evolix.cfg.j2 + dest: /etc/nagios/nrpe.d/evolix.cfg + group: nagios + mode: "0640" + notify: restart nagios-nrpe-server + +- name: Nagios config is secured + file: + dest: /etc/nagios/ + mode: "0750" + group: nagios + state: directory + notify: restart nagios-nrpe-server + +- include: remount_usr_rw.yml + when: nagios_plugins_directory | search ("/usr") tags: - - nagios + - nagios-plugins + +- name: Nagios plugins are installed + copy: + src: plugins/ + dest: "{{ nagios_plugins_directory }}/" + mode: "0755" + notify: restart nagios-nrpe-server + tags: + - nagios-plugins + +- name: Nagios lib is secured + file: + dest: /usr/local/lib/nagios/ + mode: "0755" + group: nagios + recurse: yes + state: directory + notify: restart nagios-nrpe-server diff --git a/nagios-nrpe/tasks/openbsd.yml b/nagios-nrpe/tasks/openbsd.yml deleted file mode 100644 index 5229778e..00000000 --- a/nagios-nrpe/tasks/openbsd.yml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -- name: packages are installed - openbsd_pkg: - name: "{{ item }}" - state: present - with_items: - - nrpe-- - - monitoring-plugins - -- name: Create nrpe.d dir - file: - path: /etc/nrpe.d - state: directory - owner: root - group: wheel - mode: "0755" - -- name: Include nrpe.d dir in nrpe.cfg - lineinfile: - dest: /etc/nrpe.cfg - line: 'include_dir=/etc/nrpe.d' - -- name: custom configuration is present - template: - src: evolix_bsd.cfg.j2 - dest: /etc/nrpe.d/evolix.cfg - notify: restart nrpe - -- name: Nagios plugins are installed - copy: - src: plugins_bsd/ - dest: /usr/local/libexec/nagios/plugins/ - owner: root - group: wheel - mode: "0755" - notify: restart nrpe - -- name: Starting and enabling nrpe - service: - name: nrpe - enabled: yes - state: started diff --git a/newsyslog/README.md b/newsyslog/README.md deleted file mode 100644 index 2b974979..00000000 --- a/newsyslog/README.md +++ /dev/null @@ -1,5 +0,0 @@ -Role Name -========= - -Configure newsyslog by Evolix standard - diff --git a/newsyslog/files/newsyslog.conf b/newsyslog/files/newsyslog.conf deleted file mode 100644 index 5b51ebc8..00000000 --- a/newsyslog/files/newsyslog.conf +++ /dev/null @@ -1,15 +0,0 @@ -# Syslog for Pack Evolix -# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST -# logfile_name owner:group mode count size when flags -/var/cron/log root:wheel 600 52 * 168 Z -/var/log/authlog root:wheel 640 52 * 168 Z -/var/log/daemon 640 52 * 168 Z -/var/log/lpd-errs 640 7 * 24 Z -/var/log/maillog 640 52 * 168 Z -/var/log/messages 644 52 * 168 Z -/var/log/secure 600 52 * 168 Z -/var/log/wtmp 644 7 * $W6D4 ZB -/var/log/xferlog 640 7 250 * Z -/var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd" -/var/www/logs/access.log 644 4 * $W0 Z "pkill -USR1 -u root -U root -x httpd" -/var/www/logs/error.log 644 7 250 * Z "pkill -USR1 -u root -U root -x httpd" 
diff --git a/newsyslog/meta/main.yml b/newsyslog/meta/main.yml deleted file mode 100644 index a6ad9ab5..00000000 --- a/newsyslog/meta/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -galaxy_info: - author: Evolix - description: Basic configuration of newsyslog - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: OpenBSD - versions: - - 6.1 - diff --git a/newsyslog/tasks/main.yml b/newsyslog/tasks/main.yml deleted file mode 100644 index a7ecf987..00000000 --- a/newsyslog/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -#- include: debian.yml -# when: ansible_os_family == "Debian" - -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" diff --git a/newsyslog/tasks/openbsd.yml b/newsyslog/tasks/openbsd.yml deleted file mode 100644 index 28be4862..00000000 --- a/newsyslog/tasks/openbsd.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -# no need to enable any daemon, it's run (by default) with cron(8) -- name: Configuring newsyslog - copy: - src: newsyslog.conf - dest: /etc/newsyslog.conf - owner: root - group: wheel - mode: "0644" - tags: - - log - - newsyslog diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index c48a2dd4..380bd0e7 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -1,6 +1,7 @@ --- +ntpd_only_local: True ntpd_servers: -- 'pool.ntp.org' +- 'ntp.evolix.net' ntpd_acls: - '127.0.0.1' - '::1' diff --git a/ntpd/templates/ntp.conf.j2 b/ntpd/templates/ntp.conf.j2 index e004ec6a..272bb43c 100644 --- a/ntpd/templates/ntp.conf.j2 +++ b/ntpd/templates/ntp.conf.j2 @@ -2,6 +2,11 @@ driftfile /var/lib/ntp/ntp.drift +{% if ntpd_only_local is defined and ntpd_only_local %} +# Only listen on 127.0.0.1 and ::1 +interface ignore wildcard + +{% endif %} # Enable this if you want statistics to be logged. #statsdir /var/log/ntpstats/ diff --git a/squid/files/evolinux-defaults.conf b/squid/files/evolinux-defaults.conf index 3153221a..ef11ea69 100644 
--- a/squid/files/evolinux-defaults.conf +++ b/squid/files/evolinux-defaults.conf @@ -33,3 +33,4 @@ refresh_pattern . 0 20% 4320 logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh access_log /var/log/squid/access.log combined +include /etc/squid/evolinux-custom.conf diff --git a/unbound/templates/unbound.conf.j2 b/unbound/templates/unbound.conf.j2 index 2447ea41..73c03141 100644 --- a/unbound/templates/unbound.conf.j2 +++ b/unbound/templates/unbound.conf.j2 @@ -15,11 +15,7 @@ server: # root-hints: "/var/unbound/etc/named.cache" # Uncomment to enable DNSSEC validation. -{% if ansible_os_family == "OpenBSD" %} - auto-trust-anchor-file: "/var/unbound/db/root.key" -{% else %} #auto-trust-anchor-file: "/etc/unbound/root.key" -{% endif %} # Serve zones authoritatively from Unbound to resolver clients. # Not for external service. diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 87237248..170e2416 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -43,6 +43,8 @@ src: config.local.php.j2 dest: "{{ evoadmin_document_root}}/conf/config.local.php" mode: "0644" + owner: evoadmin + group: evoadmin force: no - name: add www-evoadmin to shadow group