From 66a6e67de2b5a48d223436ec39f662a1e7f774e3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 21 Dec 2020 23:33:14 +0100 Subject: [PATCH 01/11] varnish: variable for jail configuration --- CHANGELOG.md | 2 ++ varnish/defaults/main.yml | 1 + varnish/templates/varnish.conf.buster.j2 | 2 +- varnish/templates/varnish.conf.jessie.j2 | 2 +- 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c391df9a..6c7a40bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes incrementally at each release. ### Added +* varnish: variable for jail configuration + ### Changed ### Fixed diff --git a/varnish/defaults/main.yml b/varnish/defaults/main.yml index 7a7d8c2f..fd22bfe2 100644 --- a/varnish/defaults/main.yml +++ b/varnish/defaults/main.yml @@ -13,6 +13,7 @@ varnish_thread_pools: "{{ ansible_processor_cores * ansible_processor_count }}" varnish_thread_pool_add_delay: 0 varnish_thread_pool_min: 500 varnish_thread_pool_max: 5000 +varnish_jail: "unix,user=vcache" varnish_config_file: /etc/varnish/default.vcl varnish_secret_file: /etc/varnish/secret diff --git a/varnish/templates/varnish.conf.buster.j2 b/varnish/templates/varnish.conf.buster.j2 index 09dcf7c4..63439b61 100644 --- a/varnish/templates/varnish.conf.buster.j2 +++ b/varnish/templates/varnish.conf.buster.j2 @@ -2,4 +2,4 @@ [Service] ExecStart= -ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} +ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} diff --git a/varnish/templates/varnish.conf.jessie.j2 b/varnish/templates/varnish.conf.jessie.j2 index 59651b36..f340323d 100644 --- a/varnish/templates/varnish.conf.jessie.j2 +++ b/varnish/templates/varnish.conf.jessie.j2 @@ -2,6 +2,6 @@ [Service] ExecStart= -ExecStart=/usr/sbin/varnishd -j unix,user=vcache -F {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} +ExecStart=/usr/sbin/varnishd -F -j {{ varnish_jail }} {{ varnish_addresses | map('regex_replace', '^(.*)$', '-a \\1') | list | join(' ') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }} ExecReload= ExecReload=/etc/varnish/reload-vcl.sh From 74ac4c7570405e8f094c0c20f76def3e8a82fb12 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 23 Dec 2020 15:42:57 +0100 Subject: [PATCH 02/11] haproxy: add tags --- haproxy/tasks/main.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 78929bb0..972429c4 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -16,7 +16,7 @@ state: directory tags: - haproxy - - config + - ssl - name: Self-signed certificate is present in HAProxy ssl directory shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem" @@ -25,7 +25,7 @@ notify: reload haproxy tags: - haproxy - - config + - ssl - name: HAProxy stats_access_ips are present blockinfile: @@ -39,6 +39,7 @@ tags: - haproxy - config + - update-config - name: HAProxy stats_admin_ips are present blockinfile: @@ -52,6 +53,7 @@ tags: - haproxy - config + - update-config - name: HAProxy maintenance_ips are present blockinfile: @@ -62,6 +64,10 @@ {{ ip }} {% endfor %} notify: reload haproxy + tags: + - haproxy + - config + - update-config - name: HAProxy deny_ips are present blockinfile: @@ -72,6 +78,10 @@ {{ ip }} {% endfor %} notify: reload haproxy + tags: + - haproxy + - config + - update-config - include: packages_backports.yml when: haproxy_backports @@ -100,6 +110,7 @@ tags: - haproxy - config + - update-config - name: Rotate logs with dateext lineinfile: @@ -109,7 +120,7 @@ insertbefore: '}' tags: - haproxy - - config + - logrotate - name: Rotate logs with nodelaycompress lineinfile: @@ -119,6 +130,6 @@ insertbefore: '}' tags: - haproxy - - config + - logrotate - include: munin.yml From 6ee66d0a740ae65112a179941fe4b0896af4ad10 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 23 Dec 2020 15:43:05 +0100 Subject: [PATCH 03/11] varnish: add tags --- varnish/tasks/main.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/varnish/tasks/main.yml b/varnish/tasks/main.yml index 7274cba8..035ae4a4 100644 --- a/varnish/tasks/main.yml +++ b/varnish/tasks/main.yml @@ -17,6 +17,7 @@ notify: reload varnish tags: - varnish + - config - name: Copy Custom Varnish ExecReload script (Debian <10) template: @@ -48,6 +49,8 @@ - restart varnish tags: - varnish + - config + - update-config - name: Override Varnish systemd unit (Buster and later) template: @@ -60,17 +63,20 @@ - restart varnish tags: - varnish + - config + - update-config - name: Patch logrotate conf replace: name: /etc/logrotate.d/varnish regexp: '^(\s+)(/usr/sbin/invoke-rc.d {{item}}.*)' replace: '\1systemctl -q is-active {{item}} && \2' - with_items: + loop: - varnishlog - varnishncsa tags: - varnish + - logrotate - name: Copy Varnish configuration template: @@ -90,6 +96,8 @@ notify: reload varnish tags: - varnish + - config + - update-config - name: Create Varnish config dir file: @@ -98,6 +106,7 @@ mode: "0755" tags: - varnish + - config - name: Copy included Varnish config template: @@ -106,9 +115,11 @@ force: yes mode: "0644" with_fileglob: - - "templates/varnish/conf.d/*.vcl" + - "templates/varnish/conf.d/*.vcl" notify: reload varnish tags: - varnish + - config + - update-config - include: munin.yml From 51cec4bce10f08cf3d2bfa5b4ab9546d4805e685 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 23 Dec 2020 15:51:59 +0100 Subject: [PATCH 04/11] whitespaces --- .../templates/nginx_evoadminmail.conf.j2 | 35 +++++++++---------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 b/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 index b8ef073e..3c2750d3 100644 --- a/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 +++ b/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 @@ -4,36 +4,35 @@ server { server_name {{ evoadminmail_host }}; return 301 https://{{ evoadminmail_host }}$request_uri; -} +} server { - listen 443 ssl; - # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 - + listen 443 ssl; + # listen [::]:80 default_server ipv6only=on; ## listen for ipv6 + ssl_certificate /etc/ssl/certs/{{ evoadminmail_host }}.crt; ssl_certificate_key /etc/ssl/private/{{ evoadminmail_host }}.key; - + server_name {{ evoadminmail_host }}; - index index.php; - + access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; - + root /usr/share/evoadmin-mail/; - + location / { try_files $uri $uri/ /index.php?$args; - } - - location ~ \.php$ { - fastcgi_pass unix:/run/php/php7.0-evoadmin-mail-fpm.sock; + } + + location ~ \.php$ { + fastcgi_pass unix:/run/php/php7.0-evoadmin-mail-fpm.sock; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; - } - - location /fpm-status { - fastcgi_pass unix:/run/php/php7.0-evoadmin-mail-fpm.sock; - fastcgi_index index.php; + } + + location /fpm-status { + fastcgi_pass unix:/run/php/php7.0-evoadmin-mail-fpm.sock; + fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; allow 127.0.0.1; From 1d56e002b42f856b6d094fb9e55d1ab325b2acdf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 23 Dec 2020 15:53:36 +0100 Subject: [PATCH 05/11] nginx: change from "nginx_status-XXX" to "server-status-XXX" --- CHANGELOG.md | 2 ++ nginx/tasks/server_status_write.yml | 8 ++++---- nginx/templates/evolinux-default.conf.j2 | 2 +- nginx/templates/munin/evolinux.nginx | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c7a40bd..fb48c5d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ The **patch** part changes incrementally at each release. ### Changed +* nginx: change from "nginx_status-XXX" to "server-status-XXX" + ### Fixed ### Removed diff --git a/nginx/tasks/server_status_write.yml b/nginx/tasks/server_status_write.yml index e0b069db..beb56c67 100644 --- a/nginx/tasks/server_status_write.yml +++ b/nginx/tasks/server_status_write.yml @@ -9,12 +9,12 @@ - name: add server-status suffix in default site index if missing replace: dest: /var/www/index.html - regexp: '"/nginx_status-?"' - replace: '"/nginx_status-{{ nginx_serverstatus_suffix }}"' + regexp: '"/server-status-?"' + replace: '"/server-status-{{ nginx_serverstatus_suffix }}"' - name: add server-status suffix in default VHost replace: dest: /etc/nginx/sites-available/evolinux-default.conf - regexp: 'location /nginx_status-? {' - replace: 'location /nginx_status-{{ nginx_serverstatus_suffix }} {' + regexp: 'location /server-status-? {' + replace: 'location /server-status-{{ nginx_serverstatus_suffix }} {' notify: reload nginx diff --git a/nginx/templates/evolinux-default.conf.j2 b/nginx/templates/evolinux-default.conf.j2 index 5662ba51..ab4f8803 100644 --- a/nginx/templates/evolinux-default.conf.j2 +++ b/nginx/templates/evolinux-default.conf.j2 @@ -50,7 +50,7 @@ server { listen 80; server_name munin; - location /nginx_status-{{ nginx_serverstatus_suffix | mandatory }} { + location /server-status-{{ nginx_serverstatus_suffix | mandatory }} { stub_status on; access_log off; } diff --git a/nginx/templates/munin/evolinux.nginx b/nginx/templates/munin/evolinux.nginx index f58c0078..f5633139 100644 --- a/nginx/templates/munin/evolinux.nginx +++ b/nginx/templates/munin/evolinux.nginx @@ -1,2 +1,2 @@ [nginx_*] -env.url http://munin/nginx_status-{{ nginx_serverstatus_suffix }} +env.url http://munin/server-status-{{ nginx_serverstatus_suffix }} From dd8b989bbe6ff60a98c68d237fcb0dc01145409c Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 24 Dec 2020 10:02:27 +0100 Subject: [PATCH 06/11] Add directive auth_basic off for nginx configuration --- certbot/templates/acme-challenge/nginx.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/certbot/templates/acme-challenge/nginx.conf.j2 b/certbot/templates/acme-challenge/nginx.conf.j2 index e4d3244b..aeb42ea1 100644 --- a/certbot/templates/acme-challenge/nginx.conf.j2 +++ b/certbot/templates/acme-challenge/nginx.conf.j2 @@ -5,5 +5,6 @@ location ~ /.well-known/acme-challenge { alias {{ certbot_work_dir }}/; {% endif %} try_files $uri =404; + auth_basic off; allow all; } From feda9a63d865ca9ee530e8bbf1b88c08041349a7 Mon Sep 17 00:00:00 2001 From: Eric Morino Date: Thu, 24 Dec 2020 10:03:43 +0100 Subject: [PATCH 07/11] Add directive auth_basic off for nginx configuration --- evoacme/templates/nginx.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/evoacme/templates/nginx.conf.j2 b/evoacme/templates/nginx.conf.j2 index f76d927d..3b0d3982 100644 --- a/evoacme/templates/nginx.conf.j2 +++ b/evoacme/templates/nginx.conf.j2 @@ -5,5 +5,6 @@ location ~ /.well-known/acme-challenge { alias {{ evoacme_acme_dir }}/.well-known/acme-challenge; {% endif %} try_files $uri =404; + auth_basic off; allow all; } From 4dbd1b0bee5d2420ca3815df6c4f6c1aaa0489b8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 24 Dec 2020 10:26:28 +0100 Subject: [PATCH 08/11] certbot: disable auth for Let's Encrypt challenge --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb48c5d2..4255396a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. ### Changed +* certbot: disable auth for Let's Encrypt challenge * nginx: change from "nginx_status-XXX" to "server-status-XXX" ### Fixed From 442e9bcda843dffbb3f34048b9d8715a46fa7638 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 24 Dec 2020 10:33:25 +0100 Subject: [PATCH 09/11] cerbot: hook to sync certificates to remote servers --- CHANGELOG.md | 1 + certbot/files/hooks/sync_remote.sh | 62 ++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 certbot/files/hooks/sync_remote.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 4255396a..1daccf1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added +* certbot: new "sync_remote.sh" hook to sync certificates and execute hooks on remote servers * varnish: variable for jail configuration ### Changed diff --git a/certbot/files/hooks/sync_remote.sh b/certbot/files/hooks/sync_remote.sh new file mode 100644 index 00000000..d041f895 --- /dev/null +++ b/certbot/files/hooks/sync_remote.sh @@ -0,0 +1,62 @@ +#!/bin/sh + +set -u + +error() { + >&2 echo "${PROGNAME}: $1" + exit 1 +} +debug() { + if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then + >&2 echo "${PROGNAME}: $1" + fi +} +found_renewed_lineage() { + test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem" +} +domain_from_cert() { + openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//' +} +main() { + if [ -z "${RENEWED_LINEAGE}" ]; then + error "Missing RENEWED_LINEAGE environment variable (usually provided by certbot)." + fi + if [ -z "${servers}" ]; then + debug "Empty server list, skip." + exit 0 + fi + + if found_renewed_lineage; then + RENEWED_DOMAINS=${RENEWED_DOMAINS:-$(domain_from_cert)} + + remore_lineage=${remote_dir}/renewed_lineage/$(basename ${RENEWED_LINEAGE}) + + for server in ${servers}; do + remote_host="root@${server}" + ssh ${remote_host} "mkdir -p ${remote_dir}" \ + || error "Couldn't create ${remote_dir} directory ${server}" + + rsync --archive --copy-links --delete ${RENEWED_LINEAGE}/ ${remote_host}:${remore_lineage}/ \ + || error "Couldn't sync certificate on ${server}" + + rsync --archive --copy-links --delete --exclude $0 --delete-excluded ${hooks_dir}/ ${remote_host}:${remote_dir}/hooks/ \ + || error "Couldn't sync hooks on ${server}" + + ssh ${remote_host} "export RENEWED_LINEAGE=\"${remore_lineage}/\" RENEWED_DOMAINS=${RENEWED_DOMAINS}; find ${remote_dir}/hooks/ -mindepth 1 -maxdepth 1 -type f -executable -exec {} \;" \ + || error "Something went wrong on ${server} for deploy hooks" + done + else + error "Couldn't find required files in \`${RENEWED_LINEAGE}'" + fi +} + +readonly PROGNAME=$(basename "$0") +readonly VERBOSE=${VERBOSE:-"0"} +readonly QUIET=${QUIET:-"0"} + +readonly hooks_dir="/etc/letsencrypt/renewal-hooks/deploy" +readonly remote_dir="/root/cert_sync" + +readonly servers="" + +main From 7ec074838367fa9b8fd60eb0ef93310077d0066b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 24 Dec 2020 13:56:11 +0100 Subject: [PATCH 10/11] certbot: detect domains if missing --- CHANGELOG.md | 1 + certbot/files/hooks/z-commit-etc.sh | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1daccf1e..b868e562 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added +* certbot: detect domains if missing * certbot: new "sync_remote.sh" hook to sync certificates and execute hooks on remote servers * varnish: variable for jail configuration diff --git a/certbot/files/hooks/z-commit-etc.sh b/certbot/files/hooks/z-commit-etc.sh index c83a4039..5442bbc6 100644 --- a/certbot/files/hooks/z-commit-etc.sh +++ b/certbot/files/hooks/z-commit-etc.sh @@ -9,6 +9,13 @@ debug() { >&2 echo "${PROGNAME}: $1" fi } +domain_from_cert() { + if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ]; then + openssl x509 -noout -subject -in "${RENEWED_LINEAGE}/fullchain.pem" | sed 's/^.*CN\ *=\ *//' + else + debug "Unable to find \`${RENEWED_LINEAGE}/fullchain.pem', skip domain detection." + fi +} main() { export GIT_DIR="/etc/.git" export GIT_WORK_TREE="/etc" @@ -17,6 +24,9 @@ main() { changed_lines=$(${git_bin} status --porcelain | wc -l | tr -d ' ') if [ "${changed_lines}" != "0" ]; then + if [ -z "${RENEWED_DOMAINS}" ] && [ -n "${RENEWED_LINEAGE}" ]; then + RENEWED_DOMAINS=$(domain_from_cert) + fi debug "Committing for ${RENEWED_DOMAINS}" ${git_bin} add --all message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})" @@ -32,6 +42,5 @@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} readonly git_bin=$(command -v git) -readonly letsencrypt_dir=/etc/letsencrypt main From 19da5ea1f718aff07fea6e38f4a1f5dceb4dcfaa Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 24 Dec 2020 14:00:37 +0100 Subject: [PATCH 11/11] Release 10.4.0 --- CHANGELOG.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b868e562..2d30104f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,18 @@ The **patch** part changes incrementally at each release. ### Added +### Changed + +### Fixed + +### Removed + +### Security + +## [10.4.0] 2020-12-24 + +### Added + * certbot: detect domains if missing * certbot: new "sync_remote.sh" hook to sync certificates and execute hooks on remote servers * varnish: variable for jail configuration @@ -21,12 +33,6 @@ The **patch** part changes incrementally at each release. * certbot: disable auth for Let's Encrypt challenge * nginx: change from "nginx_status-XXX" to "server-status-XXX" -### Fixed - -### Removed - -### Security - ## [10.3.0] 2020-12-21 ### Added