Merge branch 'unstable' into stable

This commit is contained in:
Gregory Colpart 2017-08-31 04:07:54 +02:00
commit 6ac4bdf734
28 changed files with 153 additions and 393 deletions


@ -27,5 +27,5 @@ There is also an independant task that can be executed to commit changes made in
name: etc-git name: etc-git
tasks_from: commit.yml tasks_from: commit.yml
vars: vars:
commit_message: "Ansible pre-run my splendid playbook" commit_message: "Ansible post-run my splendid playbook"
``` ```


@ -4,13 +4,6 @@
apt: apt:
name: git name: git
state: present state: present
when: ansible_os_family == "Debian"
- name: Git is installed (OpenBSD)
openbsd_pkg:
name: git
state: present
when: ansible_os_family == "OpenBSD"
- name: /etc is versioned with git - name: /etc is versioned with git
command: "git init ." command: "git init ."
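Review bot: The `when: ansible_os_family == "Debian"` guard on the apt task appears to be dropped together with the OpenBSD install task, so on any non-Debian host the role now fails inside the apt module instead of skipping the install. If the role is intentionally Debian-only after this merge, make that explicit rather than relying on apt's error — a platform entry in `meta/main.yml`, or a first task `- assert: { that: ansible_os_family == "Debian" }` — so a misapplied play stops with a clear message. The `args`/`chdir` of the `git init .` task, if any, lie outside the shown lines, so I cannot tell whether it is anchored to `/etc`.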


@ -5,7 +5,6 @@ Install and run evocheck ; a script for checking various settings automatically.
## Tasks ## Tasks
The roles does not install evocheck by default as it should be installed through dependencies. The roles does not install evocheck by default as it should be installed through dependencies.
For OpenBSD, it should be packaged, but the work is not done yet.
A separate `exec.yml` file can be imported manually in playbooks or roles to execute the script. Example : A separate `exec.yml` file can be imported manually in playbooks or roles to execute the script. Example :


@ -33,7 +33,6 @@ Main variables are:
* `evolinux_apt_hooks`: install APT hooks (default: `True`) * `evolinux_apt_hooks`: install APT hooks (default: `True`)
* `evolinux_apt_remove_aptitude`: uninstall aptitude (default: `True`) * `evolinux_apt_remove_aptitude`: uninstall aptitude (default: `True`)
* `evolinux_delete_nfs`: delete NFS tools (default: `True`) * `evolinux_delete_nfs`: delete NFS tools (default: `True`)
* `evolinux_ntp_server`: custom NTP server host or IP (default: `Null`)
* `evolinux_additional_packages`: optional additional packages to install (default: `[]`) * `evolinux_additional_packages`: optional additional packages to install (default: `[]`)
* `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ; * `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
* `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`) * `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)


@ -83,7 +83,7 @@ evolinux_system_locales: True
evolinux_system_set_timezone: True evolinux_system_set_timezone: True
evolinux_system_timezone: "Europe/Paris" evolinux_system_timezone: "Europe/Paris"
evolinux_system_vim_skip_defaults: true evolinux_system_vim_skip_defaults: True
evolinux_system_vim_default_editor: True evolinux_system_vim_default_editor: True
evolinux_system_profile: True evolinux_system_profile: True
evolinux_system_dirmode_adduser: True evolinux_system_dirmode_adduser: True
@ -96,10 +96,6 @@ evolinux_system_alert5_init: True
evolinux_system_alert5_enable: True evolinux_system_alert5_enable: True
evolinux_system_eni_auto: True evolinux_system_eni_auto: True
evolinux_system_ntprestrict: True
evolinux_system_set_ntpserver: True
evolinux_system_ntpserver: "ntp.evolix.net"
# root # root
evolinux_root_include: True evolinux_root_include: True
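Review bot: `evolinux_system_ntprestrict`, `evolinux_system_set_ntpserver` and `evolinux_system_ntpserver` are removed from the defaults, so an inventory that still overrides them (a site NTP server, or deliberately restricting ntpd to loopback) now silently has no effect; the replacements appear to be the ntpd role's `ntpd_only_local` and `ntpd_servers`. A comment here naming the new variables, e.g. `# NTP settings moved to the ntpd role: ntpd_only_local, ntpd_servers`, or an `assert` that the old names are undefined, would keep that regression from going unnoticed. The `True` spelling matches the rest of this file, though yamllint's `truthy` rule would prefer lowercase `true` across the role.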


@ -72,7 +72,3 @@
name: postfix name: postfix
state: reloaded state: reloaded
- name: restart ntp
service:
name: ntp
state: restarted


@ -27,7 +27,7 @@
- block: - block:
- name: Create private key and csr for default site ({{ ansible_fqdn }}) - name: Create private key and csr for default site ({{ ansible_fqdn }})
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ evolinux_default_www_ssl_subject }}" command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "{{ evolinux_default_www_ssl_subject }}"
args: args:
creates: "/etc/ssl/private/{{ ansible_fqdn }}.key" creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
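Review bot: `-subj` now receives `evolinux_default_www_ssl_subject` verbatim, so the variable must hold a full DN starting with `/` (e.g. `/CN=host`); an inventory that still sets the old bare-CN form makes `openssl req` fail with "Subject does not start with '/'" and no key or CSR is produced. Because `creates:` makes this a one-shot task, a malformed value is also easy to miss on later runs; an `assert` before the block, `that: evolinux_default_www_ssl_subject is match('^/')`, would surface it immediately. The variable's default is not in this hunk, so it may already be set in the new form.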


@ -14,5 +14,5 @@
systemd: systemd:
name: log2mail name: log2mail
daemon-reload: yes daemon-reload: yes
state: restarted state: started
enabled: yes enabled: yes
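Review bot: Switching `state: restarted` to `state: started` makes the task idempotent, but a running log2mail no longer picks up a changed unit file or configuration, even though `daemon-reload: yes` is still issued on every run. If an earlier task writes the unit or config, have it `notify: restart log2mail` and move `daemon-reload: yes` into that handler so the reload only happens when something changed. The tasks preceding this one are outside the hunk.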


@ -6,7 +6,6 @@
with_items: with_items:
- locales - locales
- sudo - sudo
- ntp
- ntpdate - ntpdate
- lsb-release - lsb-release
- dnsutils - dnsutils


@ -111,23 +111,8 @@
- { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' } - { regexp: '^52\s*6(\s*1(\s*\*){2})', replace: '{{ 59|random(start=1) }} {{ [0,1,3,4,5,6,7]|random }}\1' }
when: evolinux_system_cron_random when: evolinux_system_cron_random
# NTP listen retriction - include_role:
- name: Listen only on lo interface name: ntpd
# NTP server address
lineinfile:
dest: /etc/ntp.conf
line: "interface ignore wildcard"
notify: restart ntp
when: evolinux_system_ntprestrict
- name: Configure NTP
replace:
dest: /etc/ntp.conf
regexp: "^server .*$"
replace: "server {{ evolinux_system_ntpserver }}"
notify: restart ntp
when: evolinux_system_set_ntpserver
## alert5 ## alert5
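Review bot: `include_role: name: ntpd` is unconditional, whereas the inline NTP tasks it replaces were gated by `evolinux_system_ntprestrict` / `evolinux_system_set_ntpserver` and every other subsystem in this file has an `evolinux_system_*` toggle; a host running chrony or systemd-timesyncd, or one that must not have its NTP touched, can no longer opt out. Add a toggle in the same style, `when: evolinux_system_ntp` here with `evolinux_system_ntp: True` in the defaults. Also worth checking: a dynamic `include_role` does not propagate tags to the role's tasks the way the static tasks did, so `--tags` runs that previously covered the NTP configuration may now skip it.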


@ -11,9 +11,9 @@ minifirewall_privilegied_ips: []
minifirewall_protected_ports_tcp: [22] minifirewall_protected_ports_tcp: [22]
minifirewall_protected_ports_udp: [] minifirewall_protected_ports_udp: []
minifirewall_public_ports_tcp: [25, 53, 443, 993, 995, 2222] minifirewall_public_ports_tcp: [22, 80, 443]
minifirewall_public_ports_udp: [53] minifirewall_public_ports_udp: []
minifirewall_semipublic_ports_tcp: [20, 21, 22, 80, 110, 143] minifirewall_semipublic_ports_tcp: [20, 21, 25]
minifirewall_semipublic_ports_udp: [] minifirewall_semipublic_ports_udp: []
minifirewall_private_ports_tcp: [5666] minifirewall_private_ports_tcp: [5666]
minifirewall_private_ports_udp: [] minifirewall_private_ports_udp: []
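Review bot: Port 22 moves from `minifirewall_semipublic_ports_tcp` (trusted IPs only) to `minifirewall_public_ports_tcp`, so a host deployed with the defaults now exposes SSH to the whole Internet; the only remaining restriction is `minifirewall_protected_ports_tcp: [22]`, and whether that rule takes precedence over the public one depends on rule order in the rendered minifirewall config, which is not visible here. In the other direction, SMTP 25 goes from public to semipublic, which breaks inbound mail on an MX host relying on the defaults. If these are the intended defaults, the role README should say that SSH is world-reachable and that 25 must be re-added to the public list on mail servers; otherwise keep `22` in the semipublic list and `25` in the public one.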


@ -1,7 +1,7 @@
--- ---
monit_daemon_time: 60 monit_daemon_time: 60
monit_alert_dest: monit_alert_dest:
monit_httpd_enable: true monit_httpd_enable: True
monit_httpd_port: 2812 monit_httpd_port: 2812
monit_httpd_allow_items: monit_httpd_allow_items:
- localhost - localhost


@ -1,87 +0,0 @@
---
- name: Ensure that Munin is installed
apt:
name: '{{ item }}'
state: present
with_items:
- munin
- munin-node
- munin-plugins-core
- munin-plugins-extra
tags:
- munin
- packages
- block:
- name: Replace localdomain in Munin config
replace:
dest: /etc/munin/munin.conf
regexp: 'localhost.localdomain'
replace: '{{ ansible_fqdn }}'
notify: restart munin-node
- name: Rename the localdomain data dir
command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }}
args:
creates: /var/lib/munin/{{ ansible_domain }}
removes: /var/lib/munin/localdomain
notify: restart munin-node
when: not ansible_hostname == "localdomain"
tags:
- munin
- name: Ensure some Munin plugins are disabled
file:
path: '/etc/munin/plugins/{{ item }}'
state: absent
with_items:
- http_loadtime
- exim_mailqueue
- exim_mailstats
- nfsd
- nfsd4
- nfs_client
- nfs4_client
notify: restart munin-node
tags:
- munin
- name: Ensure some Munin plugins are enabled
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
with_items:
- meminfo
- netstat_multi
- tcp
notify: restart munin-node
tags:
- munin
- name: Enable sensors plugin unless VM detected
file:
src: /usr/share/munin/plugins/sensors_
dest: /etc/munin/plugins/sensors_temp
state: link
when: ansible_virtualization_role != "guest"
notify: restart munin-node
tags:
- munin
- name: adjustments for grsec kernel
blockinfile:
dest: /etc/munin/plugin-conf.d/munin-node
block: |
[processes]
user root
[vmstat]
user root
[swap]
user root
when: ansible_kernel | search("-grs-")


@ -1,6 +1,87 @@
--- ---
- include: debian.yml
when: ansible_os_family == "Debian"
- include: openbsd.yml - name: Ensure that Munin is installed
when: ansible_os_family == "OpenBSD" apt:
name: '{{ item }}'
state: present
with_items:
- munin
- munin-node
- munin-plugins-core
- munin-plugins-extra
tags:
- munin
- packages
- block:
- name: Replace localdomain in Munin config
replace:
dest: /etc/munin/munin.conf
regexp: 'localhost.localdomain'
replace: '{{ ansible_fqdn }}'
notify: restart munin-node
- name: Rename the localdomain data dir
command: mv /var/lib/munin/localdomain /var/lib/munin/{{ ansible_domain }}
args:
creates: /var/lib/munin/{{ ansible_domain }}
removes: /var/lib/munin/localdomain
notify: restart munin-node
when: not ansible_hostname == "localdomain"
tags:
- munin
- name: Ensure some Munin plugins are disabled
file:
path: '/etc/munin/plugins/{{ item }}'
state: absent
with_items:
- http_loadtime
- exim_mailqueue
- exim_mailstats
- nfsd
- nfsd4
- nfs_client
- nfs4_client
notify: restart munin-node
tags:
- munin
- name: Ensure some Munin plugins are enabled
file:
src: "/usr/share/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
with_items:
- meminfo
- netstat_multi
- tcp
notify: restart munin-node
tags:
- munin
- name: Enable sensors plugin unless VM detected
file:
src: /usr/share/munin/plugins/sensors_
dest: /etc/munin/plugins/sensors_temp
state: link
when: ansible_virtualization_role != "guest"
notify: restart munin-node
tags:
- munin
- name: adjustments for grsec kernel
blockinfile:
dest: /etc/munin/plugin-conf.d/munin-node
block: |
[processes]
user root
[vmstat]
user root
[swap]
user root
when: ansible_kernel | search("-grs-")
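Review bot: The block-level guard `when: not ansible_hostname == "localdomain"` tests the hostname, but the two tasks it covers rename by `ansible_domain` and rewrite the config with `ansible_fqdn`; a host with an empty `ansible_domain` passes the guard and the rename becomes `mv /var/lib/munin/localdomain /var/lib/munin/`, saved only by the `creates:` check matching the parent directory. The condition looks like it should be `when: ansible_domain != "" and ansible_domain != "localdomain"`. This content is moved from `debian.yml` rather than new, so the issue predates the commit; note too that `ansible_kernel | search("-grs-")` is the filter form that later Ansible releases deprecate in favour of the `is search` test.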


@ -1,100 +0,0 @@
---
- name: Ensure that Munin is installed
openbsd_pkg:
name: '{{ item }}'
state: present
with_items:
- munin-server
- munin-node
tags:
- munin
- packages
- name: Set munin.conf file
template:
src: munin.conf.j2
dest: /etc/munin/munin.conf
mode: "0644"
tags:
- munin
- name: Create munin www directory
file:
path: '{{ munin_dir }}'
state: directory
owner: _munin
group: www
mode: "0755"
tags:
- munin
- name: Set munin-node config
template:
src: munin-node.conf.j2
dest: /etc/munin/munin-node.conf
mode: "0644"
notify: restart munin_node
tags:
- munin
- name: Install munin cron
copy:
src: "crontab"
dest: "/var/cron/tabs/_munin"
owner: "_munin"
group: "crontab"
tags:
- munin
- name: Enable munin plugins
file:
src: "/usr/local/libexec/munin/plugins/{{ item }}"
dest: "/etc/munin/plugins/{{ item }}"
state: link
with_items:
- cpu
- df
- df_inode
- load
- memory
- munin_stats
- netstat
- open_files
- pf_changes
- pf_searches
- pf_states
- processes
- systat
- uptime
- users
- vmstat
notify: restart munin_node
tags:
- munin
- name: Enable network graphs
file:
src: "/usr/local/libexec/munin/plugins/if_"
dest: "/etc/munin/plugins/if_{{ item }}"
state: link
notify: restart munin_node
with_items: "{{ ansible_interfaces }}"
- name: Enable sensors plugin unless VM detected
file:
src: /usr/local/libexec/munin/plugins/sensors_
dest: /etc/munin/plugins/sensors_temp
state: link
when: ansible_vio0 is undefined
notify: restart munin_node
tags:
- munin
- name: Activating munin_node
service:
name: munin_node
enabled: yes
state: started
tags:
- munin


@ -1,51 +0,0 @@
---
- name: packages are installed
apt:
name: "{{ item }}"
state: present
with_items:
- nagios-nrpe-server
- nagios-plugins
- nagios-plugins-basic
- nagios-plugins-common
- nagios-plugins-contrib
- nagios-plugins-standard
- name: custom configuration is present
template:
src: evolix.cfg.j2
dest: /etc/nagios/nrpe.d/evolix.cfg
group: nagios
mode: "0640"
notify: restart nagios-nrpe-server
- name: Nagios config is secured
file:
dest: /etc/nagios/
mode: "0750"
group: nagios
state: directory
notify: restart nagios-nrpe-server
- include: remount_usr_rw.yml
when: nagios_plugins_directory | search ("/usr")
tags:
- nagios-plugins
- name: Nagios plugins are installed
copy:
src: plugins/
dest: "{{ nagios_plugins_directory }}/"
mode: "0755"
notify: restart nagios-nrpe-server
tags:
- nagios-plugins
- name: Nagios lib is secured
file:
dest: /usr/local/lib/nagios/
mode: "0755"
group: nagios
recurse: yes
state: directory
notify: restart nagios-nrpe-server


@ -1,10 +1,51 @@
--- ---
- include: debian.yml - name: packages are installed
when: ansible_os_family == "Debian" apt:
tags: name: "{{ item }}"
- nagios state: present
with_items:
- nagios-nrpe-server
- nagios-plugins
- nagios-plugins-basic
- nagios-plugins-common
- nagios-plugins-contrib
- nagios-plugins-standard
- include: openbsd.yml - name: custom configuration is present
when: ansible_os_family == "OpenBSD" template:
src: evolix.cfg.j2
dest: /etc/nagios/nrpe.d/evolix.cfg
group: nagios
mode: "0640"
notify: restart nagios-nrpe-server
- name: Nagios config is secured
file:
dest: /etc/nagios/
mode: "0750"
group: nagios
state: directory
notify: restart nagios-nrpe-server
- include: remount_usr_rw.yml
when: nagios_plugins_directory | search ("/usr")
tags: tags:
- nagios - nagios-plugins
- name: Nagios plugins are installed
copy:
src: plugins/
dest: "{{ nagios_plugins_directory }}/"
mode: "0755"
notify: restart nagios-nrpe-server
tags:
- nagios-plugins
- name: Nagios lib is secured
file:
dest: /usr/local/lib/nagios/
mode: "0755"
group: nagios
recurse: yes
state: directory
notify: restart nagios-nrpe-server
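Review bot: `- include: remount_usr_rw.yml` remounts /usr read-write when `nagios_plugins_directory` is under /usr, but nothing in this file remounts it read-only after the plugins are copied; unless `remount_usr_rw.yml` registers a handler for that (it is not visible here), a hardened read-only /usr stays writable after the role runs. A `notify: remount usr ro` on the 'Nagios plugins are installed' task, or a final remount task under the same `when`, would close that window. Separately, the task named 'Nagios lib is secured' applies `mode: "0755"` recursively, which is the usual default rather than a tightening; if only NRPE needs the plugins, `0750` with `group: nagios` would match the `/etc/nagios/` task above, otherwise the name should not claim to secure anything. This content is moved from `debian.yml`, so both points predate the commit.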


@ -1,42 +0,0 @@
---
- name: packages are installed
openbsd_pkg:
name: "{{ item }}"
state: present
with_items:
- nrpe--
- monitoring-plugins
- name: Create nrpe.d dir
file:
path: /etc/nrpe.d
state: directory
owner: root
group: wheel
mode: "0755"
- name: Include nrpe.d dir in nrpe.cfg
lineinfile:
dest: /etc/nrpe.cfg
line: 'include_dir=/etc/nrpe.d'
- name: custom configuration is present
template:
src: evolix_bsd.cfg.j2
dest: /etc/nrpe.d/evolix.cfg
notify: restart nrpe
- name: Nagios plugins are installed
copy:
src: plugins_bsd/
dest: /usr/local/libexec/nagios/plugins/
owner: root
group: wheel
mode: "0755"
notify: restart nrpe
- name: Starting and enabling nrpe
service:
name: nrpe
enabled: yes
state: started


@ -1,5 +0,0 @@
Role Name
=========
Configure newsyslog by Evolix standard


@ -1,15 +0,0 @@
# Syslog for Pack Evolix
# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST
# logfile_name owner:group mode count size when flags
/var/cron/log root:wheel 600 52 * 168 Z
/var/log/authlog root:wheel 640 52 * 168 Z
/var/log/daemon 640 52 * 168 Z
/var/log/lpd-errs 640 7 * 24 Z
/var/log/maillog 640 52 * 168 Z
/var/log/messages 644 52 * 168 Z
/var/log/secure 600 52 * 168 Z
/var/log/wtmp 644 7 * $W6D4 ZB
/var/log/xferlog 640 7 250 * Z
/var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd"
/var/www/logs/access.log 644 4 * $W0 Z "pkill -USR1 -u root -U root -x httpd"
/var/www/logs/error.log 644 7 250 * Z "pkill -USR1 -u root -U root -x httpd"


@ -1,15 +0,0 @@
galaxy_info:
author: Evolix
description: Basic configuration of newsyslog
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
license: GPLv2
min_ansible_version: 2.2
platforms:
- name: OpenBSD
versions:
- 6.1


@ -1,7 +0,0 @@
---
#- include: debian.yml
# when: ansible_os_family == "Debian"
- include: openbsd.yml
when: ansible_os_family == "OpenBSD"


@ -1,12 +0,0 @@
---
# no need to enable any daemon, it's run (by default) with cron(8)
- name: Configuring newsyslog
copy:
src: newsyslog.conf
dest: /etc/newsyslog.conf
owner: root
group: wheel
mode: "0644"
tags:
- log
- newsyslog


@ -1,6 +1,7 @@
--- ---
ntpd_only_local: True
ntpd_servers: ntpd_servers:
- 'pool.ntp.org' - 'ntp.evolix.net'
ntpd_acls: ntpd_acls:
- '127.0.0.1' - '127.0.0.1'
- '::1' - '::1'
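Review bot: `ntpd_servers` now defaults to a single host, `ntp.evolix.net`, with no fallback: with one source ntpd cannot detect a falseticker, and an outage of that host leaves every managed machine without time sync, which in turn affects TLS validity checks, Kerberos, and log correlation. NTP's selection algorithm needs at least three, ideally four, sources, so consider `ntpd_servers: ['ntp.evolix.net', '0.debian.pool.ntp.org', '1.debian.pool.ntp.org', '2.debian.pool.ntp.org']` or document in the role README that deployments are expected to override the list. `ntpd_only_local: True` is a reasonable default; a one-line comment saying it renders `interface ignore wildcard` in ntp.conf would help readers of this file.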


@ -2,6 +2,11 @@
driftfile /var/lib/ntp/ntp.drift driftfile /var/lib/ntp/ntp.drift
{% if ntpd_only_local is defined and ntpd_only_local %}
# Only listen on 127.0.0.1 and ::1
interface ignore wildcard
{% endif %}
# Enable this if you want statistics to be logged. # Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/ #statsdir /var/log/ntpstats/
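Review bot: The comment `# Only listen on 127.0.0.1 and ::1` overstates what `interface ignore wildcard` does: it only stops ntpd binding the 0.0.0.0 and :: sockets, and ntpd still opens a socket on each interface address, so the daemon remains reachable from the network and only the `restrict` lines (outside this hunk) keep it from answering. To actually confine it to loopback, add `interface ignore ipv4`, `interface ignore ipv6`, `interface listen 127.0.0.1` and `interface listen ::1` after the wildcard line (the last matching interface directive wins; see ntp.conf(5)), or reword the comment to `# Do not bind the wildcard addresses`. Either way, verify with `ss -ulnp | grep :123` after a restart.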


@ -33,3 +33,4 @@ refresh_pattern . 0 20% 4320
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined access_log /var/log/squid/access.log combined
include /etc/squid/evolinux-custom.conf
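Review bot: `include /etc/squid/evolinux-custom.conf` is unconditional, and squid refuses to start or reload when an included file is missing, so every host using this template needs the file to exist before the first reload. If the role does not already create it (its tasks are not in this hunk), add a `copy` with `content: ""` and `force: no` for `/etc/squid/evolinux-custom.conf` before the template is deployed. Since this include is the last directive, it can override anything above it, including the access rules; that is fine for a local-override hook but deserves a sentence in the role README.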


@ -15,11 +15,7 @@ server:
# root-hints: "/var/unbound/etc/named.cache" # root-hints: "/var/unbound/etc/named.cache"
# Uncomment to enable DNSSEC validation. # Uncomment to enable DNSSEC validation.
{% if ansible_os_family == "OpenBSD" %}
auto-trust-anchor-file: "/var/unbound/db/root.key"
{% else %}
#auto-trust-anchor-file: "/etc/unbound/root.key" #auto-trust-anchor-file: "/etc/unbound/root.key"
{% endif %}
# Serve zones authoritatively from Unbound to resolver clients. # Serve zones authoritatively from Unbound to resolver clients.
# Not for external service. # Not for external service.
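Review bot: With the OpenBSD branch gone, the template ships with DNSSEC validation disabled on Debian (`#auto-trust-anchor-file` stays commented), whereas the deleted OpenBSD branch enabled it; a caching resolver without validation accepts forged or poisoned answers that DNSSEC would reject. Debian's unbound package maintains the anchor at `/var/lib/unbound/root.key` with unbound-anchor, so `auto-trust-anchor-file: "/var/lib/unbound/root.key"` can be enabled here, ideally behind a role variable such as `unbound_dnssec: True` so a site with a broken upstream can opt out — unless the template still pulls in Debian's `unbound.conf.d/root-auto-trust-anchor-file.conf` drop-in, which is not visible in this hunk. The `server:` stanza continues outside the shown lines.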


@ -43,6 +43,8 @@
src: config.local.php.j2 src: config.local.php.j2
dest: "{{ evoadmin_document_root}}/conf/config.local.php" dest: "{{ evoadmin_document_root}}/conf/config.local.php"
mode: "0644" mode: "0644"
owner: evoadmin
group: evoadmin
force: no force: no
- name: add www-evoadmin to shadow group - name: add www-evoadmin to shadow group