From 4a81d12d03a13f609ba13dfb7f406751796bfdd4 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 29 Aug 2017 03:09:57 +0200 Subject: [PATCH 01/12] Delete OpenBSD stuff (mv to another repo), ansible-roles is now Linux-specific (even Debian-specific) --- etc-git/tasks/main.yml | 7 --- evocheck/README.md | 1 - munin/tasks/debian.yml | 87 -------------------------- munin/tasks/main.yml | 89 ++++++++++++++++++++++++-- munin/tasks/openbsd.yml | 100 ------------------------------ nagios-nrpe/tasks/debian.yml | 51 --------------- nagios-nrpe/tasks/main.yml | 55 +++++++++++++--- nagios-nrpe/tasks/openbsd.yml | 42 ------------- newsyslog/README.md | 5 -- newsyslog/files/newsyslog.conf | 15 ----- newsyslog/meta/main.yml | 15 ----- newsyslog/tasks/main.yml | 7 --- newsyslog/tasks/openbsd.yml | 12 ---- unbound/templates/unbound.conf.j2 | 4 -- 14 files changed, 133 insertions(+), 357 deletions(-) delete mode 100644 munin/tasks/debian.yml delete mode 100644 munin/tasks/openbsd.yml delete mode 100644 nagios-nrpe/tasks/debian.yml delete mode 100644 nagios-nrpe/tasks/openbsd.yml delete mode 100644 newsyslog/README.md delete mode 100644 newsyslog/files/newsyslog.conf delete mode 100644 newsyslog/meta/main.yml delete mode 100644 newsyslog/tasks/main.yml delete mode 100644 newsyslog/tasks/openbsd.yml diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index a958bacc..58bf52f2 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -4,13 +4,6 @@ apt: name: git state: present - when: ansible_os_family == "Debian" - -- name: Git is installed (OpenBSD) - openbsd_pkg: - name: git - state: present - when: ansible_os_family == "OpenBSD" - name: /etc is versioned with git command: "git init ." diff --git a/evocheck/README.md b/evocheck/README.md index 4a0e80de..b669fe54 100644 --- a/evocheck/README.md +++ b/evocheck/README.md 
@@ -5,7 +5,6 @@ Install and run evocheck ; a script for checking various settings automatically. ## Tasks The roles does not install evocheck by default as it should be installed through dependencies. -For OpenBSD, it should be packaged, but the work is not done yet. A separate `exec.yml` file can be imported manually in playbooks or roles to execute the script. Example : diff --git a/munin/tasks/debian.yml b/munin/tasks/debian.yml deleted file mode 100644 index cec24e62..00000000 --- a/munin/tasks/debian.yml +++ /dev/null 
@@ -1,87 +0,0 @@ ---- - -- name: Ensure that Munin is installed - apt: - name: '{{ item }}' - state: present - with_items: - - munin - - munin-node - - munin-plugins-core - - munin-plugins-extra - tags: - - munin - - packages - -- block: - - name: Replace localdomain in Munin config - replace: - dest: /etc/munin/munin.conf - regexp: 'localhost.localdomain' - replace: '{{ ansible_fqdn }}' - notify: restart munin-node - - - name: Rename the localdomain data dir - command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} - args: - creates: /var/lib/munin/{{ ansible_domain }} - removes: /var/lib/munin/localdomain - notify: restart munin-node - - when: not ansible_hostname == "localdomain" - tags: - - munin - -- name: Ensure some Munin plugins are disabled - file: - path: '/etc/munin/plugins/{{ item }}' - state: absent - with_items: - - http_loadtime - - exim_mailqueue - - exim_mailstats - - nfsd - - nfsd4 - - nfs_client - - nfs4_client - notify: restart munin-node - tags: - - munin - -- name: Ensure some Munin plugins are enabled - file: - src: "/usr/share/munin/plugins/{{ item }}" - dest: "/etc/munin/plugins/{{ item }}" - state: link - with_items: - - meminfo - - netstat_multi - - tcp - notify: restart munin-node - tags: - - munin - -- name: Enable sensors plugin unless VM detected - file: - src: /usr/share/munin/plugins/sensors_ - dest: /etc/munin/plugins/sensors_temp - state: link - when: ansible_virtualization_role != "guest" - notify: restart munin-node - tags: - - munin - -- name: adjustments for grsec kernel - blockinfile: - dest: /etc/munin/plugin-conf.d/munin-node - block: | - - [processes] - user root - - [vmstat] - user root - - [swap] - user root - when: ansible_kernel | search("-grs-") diff --git a/munin/tasks/main.yml b/munin/tasks/main.yml index bb765176..cec24e62 100644 --- a/munin/tasks/main.yml +++ b/munin/tasks/main.yml 
@@ -1,6 +1,87 @@ --- -- include: debian.yml - when: ansible_os_family == "Debian" -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" +- name: Ensure that Munin is installed + apt: + name: '{{ item }}' + state: present + with_items: + - munin + - munin-node + - munin-plugins-core + - munin-plugins-extra + tags: + - munin + - packages + +- block: + - name: Replace localdomain in Munin config + replace: + dest: /etc/munin/munin.conf + regexp: 'localhost.localdomain' + replace: '{{ ansible_fqdn }}' + notify: restart munin-node + + - name: Rename the localdomain data dir + command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }} + args: + creates: /var/lib/munin/{{ ansible_domain }} + removes: /var/lib/munin/localdomain + notify: restart munin-node + + when: not ansible_hostname == "localdomain" + tags: + - munin + +- name: Ensure some Munin plugins are disabled + file: + path: '/etc/munin/plugins/{{ item }}' + state: absent + with_items: + - http_loadtime + - exim_mailqueue + - exim_mailstats + - nfsd + - nfsd4 + - nfs_client + - nfs4_client + notify: restart munin-node + tags: + - munin + +- name: Ensure some Munin plugins are enabled + file: + src: "/usr/share/munin/plugins/{{ item }}" + dest: "/etc/munin/plugins/{{ item }}" + state: link + with_items: + - meminfo + - netstat_multi + - tcp + notify: restart munin-node + tags: + - munin + +- name: Enable sensors plugin unless VM detected + file: + src: /usr/share/munin/plugins/sensors_ + dest: /etc/munin/plugins/sensors_temp + state: link + when: ansible_virtualization_role != "guest" + notify: restart munin-node + tags: + - munin + +- name: adjustments for grsec kernel + blockinfile: + dest: /etc/munin/plugin-conf.d/munin-node + block: | + + [processes] + user root + + [vmstat] + user root + + [swap] + user root + when: ansible_kernel | search("-grs-") diff --git a/munin/tasks/openbsd.yml b/munin/tasks/openbsd.yml deleted file mode 100644 index fc9a1027..00000000 
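Review bot: The `adjustments for grsec kernel` task at the end of the hunk rewrites /etc/munin/plugin-conf.d/munin-node but, unlike every other task in this file, carries no `notify: restart munin-node` and no `tags: - munin`, so the `user root` stanzas it adds only take effect after some unrelated restart. Add `notify: restart munin-node` and `tags: - munin` to that task, and a one-line comment on why those three plugins need root on grsec kernels (presumably the restricted /proc — confirm). The `Rename the localdomain data dir` task builds its target from `{{ ansible_domain }}`; on a host with no domain that expands to `/var/lib/munin/`, which already exists, so `creates:` skips the move silently while the preceding `replace` has already switched munin.conf to the FQDN — worth guarding with `when: ansible_domain != ""` or failing loudly. Minor: `regexp: 'localhost.localdomain'` has unescaped dots; `'localhost\.localdomain'` states the intent.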
--- a/munin/tasks/openbsd.yml +++ /dev/null @@ -1,100 +0,0 @@ ---- - -- name: Ensure that Munin is installed - openbsd_pkg: - name: '{{ item }}' - state: present - with_items: - - munin-server - - munin-node - tags: - - munin - - packages - -- name: Set munin.conf file - template: - src: munin.conf.j2 - dest: /etc/munin/munin.conf - mode: "0644" - tags: - - munin - -- name: Create munin www directory - file: - path: '{{ munin_dir }}' - state: directory - owner: _munin - group: www - mode: "0755" - tags: - - munin - -- name: Set munin-node config - template: - src: munin-node.conf.j2 - dest: /etc/munin/munin-node.conf - mode: "0644" - notify: restart munin_node - tags: - - munin - -- name: Install munin cron - copy: - src: "crontab" - dest: "/var/cron/tabs/_munin" - owner: "_munin" - group: "crontab" - tags: - - munin - -- name: Enable munin plugins - file: - src: "/usr/local/libexec/munin/plugins/{{ item }}" - dest: "/etc/munin/plugins/{{ item }}" - state: link - with_items: - - cpu - - df - - df_inode - - load - - memory - - munin_stats - - netstat - - open_files - - pf_changes - - pf_searches - - pf_states - - processes - - systat - - uptime - - users - - vmstat - notify: restart munin_node - tags: - - munin - -- name: Enable network graphs - file: - src: "/usr/local/libexec/munin/plugins/if_" - dest: "/etc/munin/plugins/if_{{ item }}" - state: link - notify: restart munin_node - with_items: "{{ ansible_interfaces }}" - -- name: Enable sensors plugin unless VM detected - file: - src: /usr/local/libexec/munin/plugins/sensors_ - dest: /etc/munin/plugins/sensors_temp - state: link - when: ansible_vio0 is undefined - notify: restart munin_node - tags: - - munin - -- name: Activating munin_node - service: - name: munin_node - enabled: yes - state: started - tags: - - munin diff --git a/nagios-nrpe/tasks/debian.yml b/nagios-nrpe/tasks/debian.yml deleted file mode 100644 index dbb73903..00000000 --- a/nagios-nrpe/tasks/debian.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -- name: packages are installed - apt: - name: "{{ item }}" - state: present - with_items: - - nagios-nrpe-server - - nagios-plugins - - nagios-plugins-basic - - nagios-plugins-common - - nagios-plugins-contrib - - nagios-plugins-standard - -- name: custom configuration is present - template: - src: evolix.cfg.j2 - dest: /etc/nagios/nrpe.d/evolix.cfg - group: nagios - mode: "0640" - notify: restart nagios-nrpe-server - -- name: Nagios config is secured - file: - dest: /etc/nagios/ - mode: "0750" - group: nagios - state: directory - notify: restart nagios-nrpe-server - -- include: remount_usr_rw.yml - when: nagios_plugins_directory | search ("/usr") - tags: - - nagios-plugins - -- name: Nagios plugins are installed - copy: - src: plugins/ - dest: "{{ nagios_plugins_directory }}/" - mode: "0755" - notify: restart nagios-nrpe-server - tags: - - nagios-plugins - -- name: Nagios lib is secured - file: - dest: /usr/local/lib/nagios/ - mode: "0755" - group: nagios - recurse: yes - state: directory - notify: restart nagios-nrpe-server diff --git a/nagios-nrpe/tasks/main.yml b/nagios-nrpe/tasks/main.yml index e723d322..dbb73903 100644 --- a/nagios-nrpe/tasks/main.yml +++ b/nagios-nrpe/tasks/main.yml 
@@ -1,10 +1,51 @@ --- -- include: debian.yml - when: ansible_os_family == "Debian" - tags: - - nagios +- name: packages are installed + apt: + name: "{{ item }}" + state: present + with_items: + - nagios-nrpe-server + - nagios-plugins + - nagios-plugins-basic + - nagios-plugins-common + - nagios-plugins-contrib + - nagios-plugins-standard -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" +- name: custom configuration is present + template: + src: evolix.cfg.j2 + dest: /etc/nagios/nrpe.d/evolix.cfg + group: nagios + mode: "0640" + notify: restart nagios-nrpe-server + +- name: Nagios config is secured + file: + dest: /etc/nagios/ + mode: "0750" + group: nagios + state: directory + notify: restart nagios-nrpe-server + +- include: remount_usr_rw.yml + when: nagios_plugins_directory | search ("/usr") tags: - - nagios + - nagios-plugins + +- name: Nagios plugins are installed + copy: + src: plugins/ + dest: "{{ nagios_plugins_directory }}/" + mode: "0755" + notify: restart nagios-nrpe-server + tags: + - nagios-plugins + +- name: Nagios lib is secured + file: + dest: /usr/local/lib/nagios/ + mode: "0755" + group: nagios + recurse: yes + state: directory + notify: restart nagios-nrpe-server diff --git a/nagios-nrpe/tasks/openbsd.yml b/nagios-nrpe/tasks/openbsd.yml deleted file mode 100644 index 5229778e..00000000 --- a/nagios-nrpe/tasks/openbsd.yml +++ /dev/null 
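Review bot: `Nagios lib is secured` hardcodes `dest: /usr/local/lib/nagios/` while the plugins two tasks above are copied to `{{ nagios_plugins_directory }}/`; if that variable is overridden, the recursive `group: nagios` / `mode: "0755"` fix-up never touches the directory that actually holds the plugins. Either use `dest: "{{ nagios_plugins_directory }}/"` there too, or document in defaults that the two paths must agree. `remount_usr_rw.yml` is included before the copy but nothing in this file remounts /usr read-only afterwards; if a handler elsewhere does that, a comment on the include saying so would save the next reader a search. Note also that `search ("/usr")` is a substring match, so a plugins directory anywhere under a path containing `/usr` triggers the remount — acceptable, but worth a comment if intentional.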
@@ -1,42 +0,0 @@ ---- -- name: packages are installed - openbsd_pkg: - name: "{{ item }}" - state: present - with_items: - - nrpe-- - - monitoring-plugins - -- name: Create nrpe.d dir - file: - path: /etc/nrpe.d - state: directory - owner: root - group: wheel - mode: "0755" - -- name: Include nrpe.d dir in nrpe.cfg - lineinfile: - dest: /etc/nrpe.cfg - line: 'include_dir=/etc/nrpe.d' - -- name: custom configuration is present - template: - src: evolix_bsd.cfg.j2 - dest: /etc/nrpe.d/evolix.cfg - notify: restart nrpe - -- name: Nagios plugins are installed - copy: - src: plugins_bsd/ - dest: /usr/local/libexec/nagios/plugins/ - owner: root - group: wheel - mode: "0755" - notify: restart nrpe - -- name: Starting and enabling nrpe - service: - name: nrpe - enabled: yes - state: started diff --git a/newsyslog/README.md b/newsyslog/README.md deleted file mode 100644 index 2b974979..00000000 --- a/newsyslog/README.md +++ /dev/null @@ -1,5 +0,0 @@ -Role Name -========= - -Configure newsyslog by Evolix standard - diff --git a/newsyslog/files/newsyslog.conf b/newsyslog/files/newsyslog.conf deleted file mode 100644 index 5b51ebc8..00000000 --- a/newsyslog/files/newsyslog.conf +++ /dev/null @@ -1,15 +0,0 @@ -# Syslog for Pack Evolix -# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST -# logfile_name owner:group mode count size when flags -/var/cron/log root:wheel 600 52 * 168 Z -/var/log/authlog root:wheel 640 52 * 168 Z -/var/log/daemon 640 52 * 168 Z -/var/log/lpd-errs 640 7 * 24 Z -/var/log/maillog 640 52 * 168 Z -/var/log/messages 644 52 * 168 Z -/var/log/secure 600 52 * 168 Z -/var/log/wtmp 644 7 * $W6D4 ZB -/var/log/xferlog 640 7 250 * Z -/var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd" -/var/www/logs/access.log 644 4 * $W0 Z "pkill -USR1 -u root -U root -x httpd" -/var/www/logs/error.log 644 7 250 * Z "pkill -USR1 -u root -U root -x httpd" 
diff --git a/newsyslog/meta/main.yml b/newsyslog/meta/main.yml deleted file mode 100644 index a6ad9ab5..00000000 --- a/newsyslog/meta/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -galaxy_info: - author: Evolix - description: Basic configuration of newsyslog - - issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues - - license: GPLv2 - - min_ansible_version: 2.2 - - platforms: - - name: OpenBSD - versions: - - 6.1 - diff --git a/newsyslog/tasks/main.yml b/newsyslog/tasks/main.yml deleted file mode 100644 index a7ecf987..00000000 --- a/newsyslog/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -#- include: debian.yml -# when: ansible_os_family == "Debian" - -- include: openbsd.yml - when: ansible_os_family == "OpenBSD" diff --git a/newsyslog/tasks/openbsd.yml b/newsyslog/tasks/openbsd.yml deleted file mode 100644 index 28be4862..00000000 --- a/newsyslog/tasks/openbsd.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -# no need to enable any daemon, it's run (by default) with cron(8) -- name: Configuring newsyslog - copy: - src: newsyslog.conf - dest: /etc/newsyslog.conf - owner: root - group: wheel - mode: "0644" - tags: - - log - - newsyslog diff --git a/unbound/templates/unbound.conf.j2 b/unbound/templates/unbound.conf.j2 index 2447ea41..73c03141 100644 --- a/unbound/templates/unbound.conf.j2 +++ b/unbound/templates/unbound.conf.j2 @@ -15,11 +15,7 @@ server: # root-hints: "/var/unbound/etc/named.cache" # Uncomment to enable DNSSEC validation. -{% if ansible_os_family == "OpenBSD" %} - auto-trust-anchor-file: "/var/unbound/db/root.key" -{% else %} #auto-trust-anchor-file: "/etc/unbound/root.key" -{% endif %} # Serve zones authoritatively from Unbound to resolver clients. # Not for external service. From 03f4eaf2695a45604e481c23ea9c1a5e4019aaf4 Mon Sep 17 00:00:00 2001 From: Daniel Jakots Date: Tue, 29 Aug 2017 11:22:21 -0400 Subject: [PATCH 02/12] fix example --- etc-git/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
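Review bot: After the OpenBSD branch is removed, the only trust-anchor directive left on the new side of the unbound.conf.j2 hunk is the commented-out `#auto-trust-anchor-file: "/etc/unbound/root.key"`, so this template ships unbound with DNSSEC validation disabled unless the Debian package's own unbound.conf.d drop-in is still included elsewhere in the file (not visible in this hunk). If validation-off is the intended default, say so in the comment; otherwise gate an uncommented `auto-trust-anchor-file` on a role variable (e.g. a `{% if unbound_dnssec_validation %}` block — name is a suggestion) so operators can turn it on without editing the template. The rest of the `server:` section lies outside the hunk.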
diff --git a/etc-git/README.md b/etc-git/README.md index 5c033843..9028cc1c 100644 --- a/etc-git/README.md +++ b/etc-git/README.md @@ -27,5 +27,5 @@ There is also an independant task that can be executed to commit changes made in name: etc-git tasks_from: commit.yml vars: - commit_message: "Ansible pre-run my splendid playbook" + commit_message: "Ansible post-run my splendid playbook" ``` From 859822709d5e1fe3117d17b7a3ff64becb7e41aa Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 29 Aug 2017 23:21:58 +0200 Subject: [PATCH 03/12] Revert "Fix: openssl req -subj arg need to be "/CN="" because bad var during test This reverts commit 8cfa0a6ef25be1532423f3d9eb3f9b320549380e. --- evolinux-base/tasks/default_www.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 6e2b710e..2e67eb97 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -27,7 +27,7 @@ - block: - name: Create private key and csr for default site ({{ ansible_fqdn }}) - command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ evolinux_default_www_ssl_subject }}" + command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}" args: creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" From 251d3236628799d62d3519ec300365d5ce8efdf6 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 30 Aug 2017 03:37:38 +0200 Subject: [PATCH 04/12] Fix: forgot an include in main squid config file --- squid/files/evolinux-defaults.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/squid/files/evolinux-defaults.conf b/squid/files/evolinux-defaults.conf index 3153221a..ef11ea69 100644 --- a/squid/files/evolinux-defaults.conf 
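Review bot: The `openssl req ... -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key` command writes an unencrypted private key with whatever permissions the process umask yields, and nothing in the hunk pins the file's mode; on Debian the key is shielded only by `/etc/ssl/private` normally being root:ssl-cert 0710, and because of `creates:` the command never re-runs to correct it. A follow-up `file: path: "/etc/ssl/private/{{ ansible_fqdn }}.key" mode: "0600"` task would make the protection explicit. With the revert, `evolinux_default_www_ssl_subject` must again hold a complete OpenSSL subject string such as `/CN=host.example.org` (constructed example); a comment on that variable's default stating the required format would prevent the confusion this revert is undoing. The enclosing `block` continues past the end of the hunk.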
+++ b/squid/files/evolinux-defaults.conf @@ -33,3 +33,4 @@ refresh_pattern . 0 20% 4320 logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh access_log /var/log/squid/access.log combined +include /etc/squid/evolinux-custom.conf From ca4b0d5b1db77ef389ceee39fc5a2a7881691e39 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 30 Aug 2017 03:46:34 +0200 Subject: [PATCH 05/12] log2mail need to be started and not restarted each time --- evolinux-base/tasks/log2mail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/tasks/log2mail.yml b/evolinux-base/tasks/log2mail.yml index 126bc48e..e6f624c1 100644 --- a/evolinux-base/tasks/log2mail.yml +++ b/evolinux-base/tasks/log2mail.yml @@ -14,5 +14,5 @@ systemd: name: log2mail daemon-reload: yes - state: restarted + state: started enabled: yes From 1524146f1031dc042afdf3de72322abfa85f8446 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Wed, 30 Aug 2017 04:06:46 +0200 Subject: [PATCH 06/12] force own:group for config.local.php --- webapps/evoadmin-web/tasks/web.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 87237248..170e2416 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -43,6 +43,8 @@ src: config.local.php.j2 dest: "{{ evoadmin_document_root}}/conf/config.local.php" mode: "0644" + owner: evoadmin + group: evoadmin force: no - name: add www-evoadmin to shadow group From 4e4cbdb3c9bbd20376da968c0b6f21e600c1973e Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Wed, 30 Aug 2017 14:25:46 +0200 Subject: [PATCH 07/12] ntpd: listen only on localhost by default --- ntpd/defaults/main.yml | 1 + ntpd/templates/ntp.conf.j2 | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index c48a2dd4..5c5e9781 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml 
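Review bot: The new `include /etc/squid/evolinux-custom.conf` is unconditional, and squid treats an `include` target it cannot open as a fatal configuration error, so the role must guarantee that file exists (even empty) before squid is (re)started; nothing in this hunk creates it. Since the include sits at the very end of the file, any `http_access` lines placed in the custom file are evaluated after the defaults (which, if they follow the usual layout, sit earlier in this file, outside the hunk) and cannot override an earlier allow or deny; a comment above the include such as `# local overrides; http_access rules here run after the defaults above` would make that constraint visible to operators.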
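Review bot: `config.local.php` is templated with `mode: "0644"` and now explicitly `owner: evoadmin` / `group: evoadmin`, which keeps the file readable by every local account; if the template carries database or admin credentials (typical for a `config.local.php`, but outside this hunk), `mode: "0640"` with the web-server user added to group `evoadmin` is the safer default. It is also worth confirming that with `force: no` the new `owner`/`group` are still applied on hosts where the file already exists from an earlier run; if the module skips attribute changes on an existing destination, a separate `file` task is needed for the migration.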
@@ -1,4 +1,5 @@ --- +ntpd_only_local: true ntpd_servers: - 'pool.ntp.org' ntpd_acls: diff --git a/ntpd/templates/ntp.conf.j2 b/ntpd/templates/ntp.conf.j2 index e004ec6a..272bb43c 100644 --- a/ntpd/templates/ntp.conf.j2 +++ b/ntpd/templates/ntp.conf.j2 @@ -2,6 +2,11 @@ driftfile /var/lib/ntp/ntp.drift +{% if ntpd_only_local is defined and ntpd_only_local %} +# Only listen on 127.0.0.1 and ::1 +interface ignore wildcard + +{% endif %} # Enable this if you want statistics to be logged. #statsdir /var/log/ntpstats/ From d72cd0184d22daad00a27333c2936696ab08fdca Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 31 Aug 2017 03:21:57 +0200 Subject: [PATCH 08/12] minor fix. true -> True --- ntpd/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml index 5c5e9781..880986f8 100644 --- a/ntpd/defaults/main.yml +++ b/ntpd/defaults/main.yml @@ -1,5 +1,5 @@ --- -ntpd_only_local: true +ntpd_only_local: True ntpd_servers: - 'pool.ntp.org' ntpd_acls: From b801c883acde7022a58b6ba0a18e49bcf265ee30 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Thu, 31 Aug 2017 03:23:07 +0200 Subject: [PATCH 09/12] minor fix: true -> True --- evolinux-base/defaults/main.yml | 2 +- monit/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index ae012b8b..f4ef9b2e 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -83,7 +83,7 @@ evolinux_system_locales: True evolinux_system_set_timezone: True evolinux_system_timezone: "Europe/Paris" -evolinux_system_vim_skip_defaults: true +evolinux_system_vim_skip_defaults: True evolinux_system_vim_default_editor: True evolinux_system_profile: True evolinux_system_dirmode_adduser: True diff --git a/monit/defaults/main.yml b/monit/defaults/main.yml index 39d28f24..2657f67d 100644 --- a/monit/defaults/main.yml +++ b/monit/defaults/main.yml 
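Review bot: The comment `# Only listen on 127.0.0.1 and ::1` overstates what `interface ignore wildcard` does in the ntp.conf.j2 hunk: it stops ntpd from binding the 0.0.0.0/:: wildcard sockets, but ntpd still binds each interface address individually, so the daemon remains reachable on the host's real IPs (verify after deploy with `ss -ulnp`). A loopback-only listener needs explicit listen rules after the wildcard line, `interface listen 127.0.0.1` and `interface listen ::1`, preceded by `interface ignore all` if the packaged ntpd still defaults unmatched addresses to listen — check ntp.conf(5) for the shipped version. Either fix the comment to say "do not bind the wildcard address" or add those rules so the comment is true; with `ntpd_only_local` defaulting to `true` this is the configuration every host will get.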
@@ -1,7 +1,7 @@
 ---
 monit_daemon_time: 60
 monit_alert_dest:
-monit_httpd_enable: true
+monit_httpd_enable: True
 monit_httpd_port: 2812
 monit_httpd_allow_items:
 - localhost
From 5d3870f20f4afb81030bf4391e1fb439146bd065 Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Thu, 31 Aug 2017 03:23:59 +0200
Subject: [PATCH 10/12] using ntp.evolix.net by default
---
 ntpd/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ntpd/defaults/main.yml b/ntpd/defaults/main.yml
index 880986f8..380bd0e7 100644
--- a/ntpd/defaults/main.yml
+++ b/ntpd/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 ntpd_only_local: True
 ntpd_servers:
-- 'pool.ntp.org'
+- 'ntp.evolix.net'
 ntpd_acls:
 - '127.0.0.1'
 - '::1'
From 4eb891b8b7f60fb7aa9db955fe0bee34bb9bd11c Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Thu, 31 Aug 2017 03:31:00 +0200
Subject: [PATCH 11/12] use role ntpd in evolinux-base
---
 evolinux-base/README.md | 1 -
 evolinux-base/defaults/main.yml | 4 ----
 evolinux-base/handlers/main.yml | 4 ----
 evolinux-base/tasks/packages.yml | 1 -
 evolinux-base/tasks/system.yml | 19 ++-----------------
 5 files changed, 2 insertions(+), 27 deletions(-)
diff --git a/evolinux-base/README.md b/evolinux-base/README.md
index abd70e7d..8ef7a70e 100644
--- a/evolinux-base/README.md
+++ b/evolinux-base/README.md
@@ -33,7 +33,6 @@ Main variables are:
 * `evolinux_apt_hooks`: install APT hooks (default: `True`)
 * `evolinux_apt_remove_aptitude`: uninstall aptitude (default: `True`)
 * `evolinux_delete_nfs`: delete NFS tools (default: `True`)
-* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`)
 * `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
 * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
 * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)
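Review bot: A single default upstream in `ntpd_servers: - 'ntp.evolix.net'` leaves every managed host with exactly one time source; ntpd's selection algorithm cannot flag a falseticker with fewer than three sources, and an outage of that one host silently stops time discipline, which in turn affects certificate validity checks and log correlation. Consider listing several servers (the pool entry alongside the Evolix one would do) and documenting in the ntpd README that hosts outside the Evolix network should override this default. Whether the template adds `iburst` to each server line is not visible here; if it does not, that is worth adding for faster initial sync.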
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index f4ef9b2e..822bbf9e 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -96,10 +96,6 @@ evolinux_system_alert5_init: True evolinux_system_alert5_enable: True evolinux_system_eni_auto: True -evolinux_system_ntprestrict: True -evolinux_system_set_ntpserver: True -evolinux_system_ntpserver: "ntp.evolix.net" - # root evolinux_root_include: True diff --git a/evolinux-base/handlers/main.yml b/evolinux-base/handlers/main.yml index 002cd978..80b7378e 100644 --- a/evolinux-base/handlers/main.yml +++ b/evolinux-base/handlers/main.yml @@ -72,7 +72,3 @@ name: postfix state: reloaded -- name: restart ntp - service: - name: ntp - state: restarted diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index 8089e397..bb1f81c9 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -6,7 +6,6 @@ with_items: - locales - sudo - - ntp - ntpdate - lsb-release - dnsutils diff --git a/evolinux-base/tasks/system.yml b/evolinux-base/tasks/system.yml index 67638b55..261ef1a9 100644 --- a/evolinux-base/tasks/system.yml +++ b/evolinux-base/tasks/system.yml @@ -111,23 +111,8 @@ - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } when: evolinux_system_cron_random -# NTP listen retriction -- name: Listen only on lo interface - -# NTP server address - lineinfile: - dest: /etc/ntp.conf - line: "interface ignore wildcard" - notify: restart ntp - when: evolinux_system_ntprestrict - -- name: Configure NTP - replace: - dest: /etc/ntp.conf - regexp: "^server .*$" - replace: "server {{ evolinux_system_ntpserver }}" - notify: restart ntp - when: evolinux_system_set_ntpserver +- include_role: + name: ntpd ## alert5 From 409ac0d503d395007c7bb0f33b62bdd963b7228e Mon Sep 17 00:00:00 2001 
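Review bot: Replacing the inline NTP tasks in system.yml with `include_role: name: ntpd` silently drops the `evolinux_system_ntprestrict`, `evolinux_system_set_ntpserver` and `evolinux_system_ntpserver` toggles the deleted tasks honoured; an inventory that still sets `evolinux_system_ntpserver` now gets the ntpd role's default server with no warning. Consider bridging for one release by passing the old value through, e.g. `vars: ntpd_servers: ["{{ evolinux_system_ntpserver }}"]` guarded by `when: evolinux_system_ntpserver is defined`, or at least an `assert`/`fail` task naming the replacement variables. The `restart ntp` handler is removed in the same patch (handlers/main.yml hunk), so any remaining `notify: restart ntp` elsewhere in evolinux-base would now fail at runtime — worth a grep before merging. packages.yml keeps `ntpdate` while dropping `ntp`, which only holds together if the ntpd role installs the daemon itself.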
From: Gregory Colpart Date: Thu, 31 Aug 2017 04:05:33 +0200 Subject: [PATCH 12/12] ajust minfirewall default config (mostly let port 22 in public port to avoid failure during Ansible connection) --- minifirewall/defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index c3e2af96..94bd3cb4 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -11,9 +11,9 @@ minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] minifirewall_protected_ports_udp: [] -minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222] -minifirewall_public_ports_udp: [53] -minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143] +minifirewall_public_ports_tcp: [22, 80, 443] +minifirewall_public_ports_udp: [] +minifirewall_semipublic_ports_tcp: [20, 21, 25] minifirewall_semipublic_ports_udp: [] minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_udp: []
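Review bot: Port 22 now appears both in `minifirewall_protected_ports_tcp: [22]` and in the new `minifirewall_public_ports_tcp: [22, 80, 443]`, and nothing on this page shows which list wins in minifirewall when a port is in both; if public takes precedence the protected entry is dead, and if protected wins the commit's stated goal (keeping the Ansible SSH session reachable) is not met. A comment on the public list stating the intent and the precedence, e.g. `# 22 is public so the control host is never locked out; restrict again via minifirewall_privilegied_ips once known`, would make the trade-off explicit, since exposing SSH to every address is the price being paid here. The other default changes also deserve a README line: TCP 25 moves from public to semipublic and UDP 53 leaves the public list, so hosts acting as MX or public DNS must now override these, while 993/995 and 2222 are dropped entirely, presumably on purpose.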