From 2118bfae8cecb56a6847e9f02628cea12776a306 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20P=C3=A9riard-Tremblay?= Date: Mon, 24 Jul 2017 16:38:08 -0400 Subject: [PATCH 01/28] Update docker-host role --- docker-host/tasks/main.yml | 57 ++++++++++++++++++------- docker-host/templates/daemon.json.j2 | 16 +++++++ docker-host/templates/docker.service.j2 | 27 ------------ 3 files changed, 57 insertions(+), 43 deletions(-) create mode 100644 docker-host/templates/daemon.json.j2 delete mode 100644 docker-host/templates/docker.service.j2 diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 1bcd7810..9d477066 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml 
@@ -1,44 +1,64 @@ # This role installs the docker daemon --- -- name: Install apt-transport-https +- name: Remove older docker packages apt: - name: apt-transport-https + name: '{{ item }}' + state: absent + with_items: + - docker + - docker-engine + - docker.io + +- name: Install source requirements + apt: + name: '{{ item }}' state: present update_cache: yes + with_items: + - apt-transport-https + - ca-certificates + - gnupg2 -- name: Enable Docker repositories +- name: Add Docker repository apt_repository: - repo: 'deb https://apt.dockerproject.org/repo debian-{{ ansible_distribution_release }} main' + repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present update_cache: no -- name: Enable backports repository for docker-py +- name: Enable backports repository for python-docker (Jessie only) apt_repository: repo: 'deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main' state: present + when: ansible_distribution_release == 'jessie' -- name: Install Docker repo keys +- name: Add Docker's official GPG key apt_key: - keyserver: pgp.mit.edu - id: 58118E89F3A912897C070ADBF76221572C52609D + url: "https://download.docker.com/linux/debian/gpg" + state: present -- name: Install docker and docker-py +- name: Install docker and python-docker apt: name: "{{ item }}" state: latest update_cache: yes with_items: - - docker-engine + - docker-ce - python-docker -- name: Configure docker service +- name: Copy Docker daemon configuration file template: - src: docker.service.j2 - dest: /lib/systemd/system/docker.service + src: daemon.json.j2 + dest: /etc/docker/daemon.json notify: - reload systemd - restart docker +- name: Remove options from docker systemd service + lineinfile: + path: /lib/systemd/system/docker.service + regexp: '^ExecStart=' + line: 'ExecStart=/usr/bin/dockerd' + - name: Creating Docker tmp directory file: path: "{{ docker_tmpdir }}" 
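Review bot: The `Add Docker's official GPG key` task fetches the repository key by `url` with nothing pinning its identity, whereas the task it replaces verified the key by `id`; a compromised mirror or a redirected download is accepted silently and every later `apt` install trusts it. `apt_key` checks `id` against the fetched key when both are given, so keep the fingerprint next to the url, `id: <PLACEHOLDER: fingerprint of the Docker repo key, taken from Docker's published docs, not from the download>`. `Remove options from docker systemd service` edits the package-owned `/lib/systemd/system/docker.service` in place, which the next `docker-ce` upgrade overwrites, re-introducing the `-H fd://` flag that conflicts with `hosts` in daemon.json; a drop-in under `/etc/systemd/system/docker.service.d/` with `ExecStart=` cleared and then set to `/usr/bin/dockerd` survives upgrades. `state: latest` on `docker-ce` also means any run may upgrade the daemon and restart every container, which is worth a comment if intended.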
@@ -52,7 +72,7 @@ state: directory mode: "0644" owner: root - when: "{{ docker_tls_enabled }}" + when: docker_tls_enabled - name: Copy shellpki utility to Docker TLS directory template: @@ -62,8 +82,13 @@ with_items: - shellpki.sh - openssl.cnf - when: "{{ docker_tls_enabled }}" + when: docker_tls_enabled + +- name: Check if certs are already created + stat: + path: "{{ docker_tls_path }}/certs" + register: tls_certs_stat - name: Creating a CA, server key command: "{{ docker_tls_path }}/shellpki.sh init" - when: "{{ docker_tls_enabled }}" + when: docker_tls_enabled and not tls_certs_stat.stat.isdir is defined diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2 new file mode 100644 index 00000000..ab6cac19 --- /dev/null +++ b/docker-host/templates/daemon.json.j2 @@ -0,0 +1,16 @@ +{ + "debug": false + {% if docker_tls_enabled %} + , + "tls": true, + "tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}", + "tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}", + "tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}" + {% endif %} + , + {% if docker_remote_access_enabled %} + "hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"] + {% else %} + "hosts": ["fd://"] + {% endif %} +} diff --git a/docker-host/templates/docker.service.j2 b/docker-host/templates/docker.service.j2 deleted file mode 100644 index 02229fd8..00000000 --- a/docker-host/templates/docker.service.j2 +++ /dev/null 
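Review bot: The guard `docker_tls_enabled and not tls_certs_stat.stat.isdir is defined` on `Creating a CA, server key` reads as a test of the directory flag but, because Jinja parses it as `not (isdir is defined)`, it is really an existence test that works only because `stat` omits `isdir` for a missing path. `when: docker_tls_enabled and not tls_certs_stat.stat.exists` states the intent directly. Either form skips the init when `{{ docker_tls_path }}/certs` exists as a plain file, leaving the daemon configured for TLS without a CA or key and nothing reporting it; a `failed_when: tls_certs_stat.stat.exists and not tls_certs_stat.stat.isdir` on the stat task would make that case visible.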
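Review bot: The deleted service file passed `--tlsverify`, but the new `daemon.json` only sets `"tls": true`, so when `docker_remote_access_enabled` is also set the daemon serves TLS on `tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}` without requiring a client certificate, and anyone who can reach that port gets an unauthenticated Docker API, which amounts to root on the host. Add `"tlsverify": true,` beside `"tls": true,` to restore the old behaviour; `tlscacert` is already rendered, so client verification has what it needs. It would also be worth failing the render when remote access is enabled and `docker_tls_enabled` is not, for example with a `{% if docker_remote_access_enabled and not docker_tls_enabled %}{{ ... | mandatory }}{% endif %}` style guard or an `assert` task in the role. The stand-alone `,` lines do produce valid JSON in every branch, but emitting the comma at the end of the `"debug": false` line would make the rendered output easier to check by eye.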
@@ -1,27 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=Docker Application Container Engine -Documentation=https://docs.docker.com -After=network.target docker.socket -Requires=docker.socket - -[Service] -ExecStart=/usr/bin/docker daemon -H fd:// \ - {% if docker_tls_enabled %} - --tlsverify \ - --tlscacert={{ docker_tls_path }}/{{ docker_tls_ca }} \ - --tlscert={{ docker_tls_path }}/{{ docker_tls_cert }} \ - --tlskey={{ docker_tls_path }}/{{ docker_tls_key }} \ - {% endif %} - {% if docker_remote_access_enabled %} - -H tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }} - {% endif %} -MountFlags=slave -LimitNOFILE=1048576 -LimitNPROC=1048576 -LimitCORE=infinity -Environment="TMPDIR={{ docker_tmpdir }}" - -[Install] -WantedBy=multi-user.target From d033d9773add301999ec2166a2b444942dda2eda Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 16:49:14 -0400 Subject: [PATCH 02/28] etc-git: if sudo is used, the real user is the author --- etc-git/tasks/commit.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/etc-git/tasks/commit.yml b/etc-git/tasks/commit.yml index d7d1fbbf..31746443 100644 --- a/etc-git/tasks/commit.yml +++ b/etc-git/tasks/commit.yml @@ -16,8 +16,19 @@ tags: - commit-etc +- name: fetch current Git user.email + git_config: + name: user.email + repo: /etc + scope: local + register: git_config_user_email + +- name: set commit author + set_fact: + etc_git_commit_options: "{% if ansible_env.SUDO_USER %} --author \"{{ ansible_env.SUDO_USER }} <{{ git_config_user_email.config_value }}>\"{% endif %}" + - name: /etc modifications are committed - shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"" + shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}" args: chdir: /etc register: etc_commit_end_run From f20b95f0753e5246d1c2b43a3852bdb6312fbd9d Mon Sep 17 00:00:00 2001 
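Review bot: The `set commit author` fact tests `ansible_env.SUDO_USER` directly, and on hosts where the Ansible user did not go through sudo that attribute is missing, which in Ansible's strict templating is an undefined-variable error rather than a falsy value, so the commit task never runs there; guard it with `{% if ansible_env.SUDO_USER is defined and ansible_env.SUDO_USER %}`. The resulting option is spliced into a `shell:` string, so the author value should be shell-quoted rather than wrapped in literal double quotes, e.g. `--author={{ (ansible_env.SUDO_USER ~ ' <' ~ git_config_user_email.config_value ~ '>') | quote }}`, so a name containing a quote or `$` cannot break the command line. `fetch current Git user.email` only reads, so `config_value` is empty if `user.email` was never configured on that repository; commit.yml can apparently be included on its own via `tasks_from`, so a `default('root')` on the value, or a comment saying main.yml must have run first, would avoid an author of `name <>`.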
From: Jeremy Lecour Date: Thu, 27 Jul 2017 16:50:23 -0400 Subject: [PATCH 03/28] etc-git: use the git_config module instead of ini --- etc-git/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index faf4e8c6..cd1a9673 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -21,11 +21,11 @@ register: git_init - name: Git user.email is configured - ini_file: - dest: /etc/.git/config - section: user - option: email - value: "" + git_config: + name: user.email + repo: /etc + scope: local + value: "root@{{ ansible_fqdn | default('localhost') }}" - name: /etc/.git is secure file: From 6871de457a563369ec6aab4ee36b0dfdfbb4480f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 16:51:35 -0400 Subject: [PATCH 04/28] etc_git: fix README to use tasks_from instead of task_from --- etc-git/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc-git/README.md b/etc-git/README.md index d0930e59..5c033843 100644 --- a/etc-git/README.md +++ b/etc-git/README.md @@ -15,7 +15,7 @@ There is also an independant task that can be executed to commit changes made in pre_tasks: - include_role: name: etc-git - task_from: commit.yml + tasks_from: commit.yml vars: commit_message: "Ansible pre-run my splendid playbook" @@ -25,7 +25,7 @@ There is also an independant task that can be executed to commit changes made in post_tasks: - include_role: name: etc-git - task_from: commit.yml + tasks_from: commit.yml vars: commit_message: "Ansible pre-run my splendid playbook" ``` From b6e8c1760ec7862c6c5a6e31ff2936361ced00d9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 18:14:56 -0400 Subject: [PATCH 05/28] nginx: fix typo for tags --- nginx/tasks/packages_jessie_backports.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nginx/tasks/packages_jessie_backports.yml b/nginx/tasks/packages_jessie_backports.yml index 703b9e2a..b9c1eaf9 100644 --- a/nginx/tasks/packages_jessie_backports.yml +++ b/nginx/tasks/packages_jessie_backports.yml @@ -4,7 +4,7 @@ name: apt tasks_from: backports.yml tags: - - haproxy + - nginx - packages - name: Prefer Nginx packages from jessie-backports From 2fc65d1b8b7a08059fa49408b99b78d988b79709 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 18:15:18 -0400 Subject: [PATCH 06/28] docker-host: use apt preferences and apt role * the "apt" role can deal with backports lists install * we'd rather use a preferences file for specific packages than simply installing jessie-backports --- docker-host/files/docker_preferences | 3 +++ docker-host/tasks/jessie_backports.yml | 23 +++++++++++++++++++++++ docker-host/tasks/main.yml | 6 ++---- 3 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 docker-host/files/docker_preferences create mode 100644 docker-host/tasks/jessie_backports.yml diff --git a/docker-host/files/docker_preferences b/docker-host/files/docker_preferences new file mode 100644 index 00000000..1a68427d --- /dev/null +++ b/docker-host/files/docker_preferences @@ -0,0 +1,3 @@ +Package: python-docker +Pin: release a=jessie-backports +Pin-Priority: 999 diff --git a/docker-host/tasks/jessie_backports.yml b/docker-host/tasks/jessie_backports.yml new file mode 100644 index 00000000..0284a859 --- /dev/null +++ b/docker-host/tasks/jessie_backports.yml @@ -0,0 +1,23 @@ +--- +- include_role: + name: apt + tasks_from: backports.yml + tags: + - packages + +- name: Prefer python-docker package from jessie-backports + copy: + src: apt/docker_preferences + dest: /etc/apt/preferences.d/999-docker + force: yes + mode: "0640" + register: docker_apt_preferences + tags: + - packages + +- name: update apt + apt: + update_cache: yes + when: docker_apt_preferences | changed + tags: + - packages 
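Review bot: `src: apt/docker_preferences` in `Prefer python-docker package from jessie-backports` does not match the file this commit adds, which the diffstat places at `docker-host/files/docker_preferences` with no `apt/` subdirectory, so the `copy` task fails to find its source on every run and the pin is never installed; use `src: docker_preferences` (or move the file under `files/apt/`). The `include_role` of `apt/backports.yml` at the top of this file carries no `when` of its own, which is fine while main.yml guards the include with `ansible_distribution_release == 'jessie'`, but a one-line comment noting that this file is only meant to be included from there would stop someone reusing it on stretch.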
diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 9d477066..39c8f578 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -24,11 +24,9 @@ repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable' state: present update_cache: no + filename: docker.list -- name: Enable backports repository for python-docker (Jessie only) - apt_repository: - repo: 'deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main' - state: present +- include: jessie_backports.yml when: ansible_distribution_release == 'jessie' - name: Add Docker's official GPG key From 2dfd384fb84d4ddc4197059cdaf651455dd586ad Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 18:58:16 -0400 Subject: [PATCH 07/28] admin-users: users are in sudo group for Stretch --- admin-users/tasks/debian/main.yml | 15 ++++ admin-users/tasks/debian/profile.yml | 15 ++++ .../{adduser_debian.yml => debian/ssh.yml} | 71 ------------------- admin-users/tasks/debian/sudo_jessie.yml | 23 ++++++ admin-users/tasks/debian/sudo_stretch.yml | 7 ++ admin-users/tasks/debian/user.yml | 35 +++++++++ admin-users/tasks/main.yml | 8 +-- 7 files changed, 99 insertions(+), 75 deletions(-) create mode 100644 admin-users/tasks/debian/main.yml create mode 100644 admin-users/tasks/debian/profile.yml rename admin-users/tasks/{adduser_debian.yml => debian/ssh.yml} (50%) create mode 100644 admin-users/tasks/debian/sudo_jessie.yml create mode 100644 admin-users/tasks/debian/sudo_stretch.yml create mode 100644 admin-users/tasks/debian/user.yml diff --git a/admin-users/tasks/debian/main.yml b/admin-users/tasks/debian/main.yml new file mode 100644 index 00000000..db737b42 --- /dev/null +++ b/admin-users/tasks/debian/main.yml 
@@ -0,0 +1,15 @@ +--- + +- include: user.yml + +- include: profile.yml + +- include: ssh.yml + +- include: sudo_jessie.yml + when: ansible_distribution_release == 'jessie' + +- include: sudo_stretch.yml + when: ansible_distribution_release == 'stretch' + +- meta: flush_handlers diff --git a/admin-users/tasks/debian/profile.yml b/admin-users/tasks/debian/profile.yml new file mode 100644 index 00000000..0101d4be --- /dev/null +++ b/admin-users/tasks/debian/profile.yml @@ -0,0 +1,15 @@ +--- + +- name: is evomaintenance installed? + stat: + path: "/usr/share/scripts/evomaintenance.sh" + register: evomaintenance_script + check_mode: no + +- name: "Add evomaintenance trap for '{{ user.name }}'" + lineinfile: + state: present + dest: '/home/{{ user.name }}/.profile' + insertafter: EOF + line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' + when: evomaintenance_script.stat.exists diff --git a/admin-users/tasks/adduser_debian.yml b/admin-users/tasks/debian/ssh.yml similarity index 50% rename from admin-users/tasks/adduser_debian.yml rename to admin-users/tasks/debian/ssh.yml index 87899375..0ee7d2d8 100644 --- a/admin-users/tasks/adduser_debian.yml +++ b/admin-users/tasks/debian/ssh.yml 
@@ -1,52 +1,5 @@ --- -- name: "Test if uid exists for '{{ user.name }}'" - command: 'getent passwd {{ user.uid }}' - register: uidisbusy - failed_when: False - changed_when: False - check_mode: no - -- name: "Add Unix account with classical uid for '{{ user.name }}'" - user: - state: present - uid: '{{ user.uid }}' - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: uidisbusy.rc != 0 - -- name: "Add Unix account with random uid for '{{ user.name }}'" - user: - state: present - name: '{{ user.name }}' - comment: '{{ user.fullname }}' - shell: /bin/bash - password: '{{ user.password_hash }}' - update_password: on_create - when: uidisbusy.rc == 0 - -- name: "Fix perms on homedirectory for '{{ user.name }}'" - file: - name: '/home/{{ user.name }}' - mode: "0700" - state: directory - -- name: is evomaintenance installed? - stat: - path: "/usr/share/scripts/evomaintenance.sh" - register: evomaintenance_script - check_mode: no - -- name: "Add evomaintenance trap for '{{ user.name }}'" - lineinfile: - state: present - dest: '/home/{{ user.name }}/.profile' - insertafter: EOF - line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0' - when: evomaintenance_script.stat.exists - name: "Create .ssh directory for '{{ user.name }}'" file: 
@@ -111,27 +64,3 @@ validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd when: grep_matchuser_ssh.rc == 0 - -- name: Verify Evolinux sudoers file presence - template: - src: sudoers_debian.j2 - dest: /etc/sudoers.d/evolinux - force: false - validate: '/usr/sbin/visudo -cf %s' - register: copy_sudoers_evolinux - -- name: Verify Evolinux sudoers file permissions - file: - path: /etc/sudoers.d/evolinux - mode: "0440" - state: file - -- name: "Add user in sudoers file for '{{ user.name }}'" - replace: - dest: /etc/sudoers.d/evolinux - regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' - replace: '\1,{{ user.name }}' - validate: '/usr/sbin/visudo -cf %s' - when: not copy_sudoers_evolinux.changed - -- meta: flush_handlers diff --git a/admin-users/tasks/debian/sudo_jessie.yml b/admin-users/tasks/debian/sudo_jessie.yml new file mode 100644 index 00000000..1d7d3a69 --- /dev/null +++ b/admin-users/tasks/debian/sudo_jessie.yml @@ -0,0 +1,23 @@ +--- + +- name: Verify Evolinux sudoers file presence + template: + src: sudoers_debian.j2 + dest: /etc/sudoers.d/evolinux + force: false + validate: '/usr/sbin/visudo -cf %s' + register: copy_sudoers_evolinux + +- name: Verify Evolinux sudoers file permissions + file: + path: /etc/sudoers.d/evolinux + mode: "0440" + state: file + +- name: "Add user in sudoers file for '{{ user.name }}'" + replace: + dest: /etc/sudoers.d/evolinux + regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' + replace: '\1,{{ user.name }}' + validate: '/usr/sbin/visudo -cf %s' + when: not copy_sudoers_evolinux.changed diff --git a/admin-users/tasks/debian/sudo_stretch.yml b/admin-users/tasks/debian/sudo_stretch.yml new file mode 100644 index 00000000..899ac6ae --- /dev/null +++ b/admin-users/tasks/debian/sudo_stretch.yml @@ -0,0 +1,7 @@ +--- + +- name: "'{{ user.name }}' is in the sudo group" + user: + name: "{{ user.name }}" + groups: sudo + append: yes 
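Review bot: In `Add user in sudoers file`, `{{ user.name }}` is interpolated into `regexp` unescaped, so a name containing a regex metacharacter (`.` is common) changes the pattern, and the lookahead `(?!{{ user.name }})` treats any longer name sharing the prefix as already present, so `bob` is never added when `bobby` is in `ADMINS`. Use `{{ user.name | regex_escape }}` in the lookahead, and if user names are restricted to word characters, wrap it as `(?!\b{{ user.name | regex_escape }}\b)` so only the whole token matches. The `validate: '/usr/sbin/visudo -cf %s'` keeps a bad substitution from landing in `/etc/sudoers.d/evolinux`, which is the right safety net to keep on both tasks.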
diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/debian/user.yml new file mode 100644 index 00000000..c47fbdfc --- /dev/null +++ b/admin-users/tasks/debian/user.yml @@ -0,0 +1,35 @@ +--- + +- name: "Test if uid exists for '{{ user.name }}'" + command: 'getent passwd {{ user.uid }}' + register: uidisbusy + failed_when: False + changed_when: False + check_mode: no + +- name: "Add Unix account with classical uid for '{{ user.name }}'" + user: + state: present + uid: '{{ user.uid }}' + name: '{{ user.name }}' + comment: '{{ user.fullname }}' + shell: /bin/bash + password: '{{ user.password_hash }}' + update_password: on_create + when: uidisbusy.rc != 0 + +- name: "Add Unix account with random uid for '{{ user.name }}'" + user: + state: present + name: '{{ user.name }}' + comment: '{{ user.fullname }}' + shell: /bin/bash + password: '{{ user.password_hash }}' + update_password: on_create + when: uidisbusy.rc == 0 + +- name: "Fix perms on homedirectory for '{{ user.name }}'" + file: + name: '/home/{{ user.name }}' + mode: "0700" + state: directory diff --git a/admin-users/tasks/main.yml b/admin-users/tasks/main.yml index 50c43468..54e2fc53 100644 --- a/admin-users/tasks/main.yml +++ b/admin-users/tasks/main.yml @@ -1,15 +1,15 @@ --- - debug: - msg: "Warning: empty variable 'admin_users' admin-users tasks will skipped!" + msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" when: admin_users == {} -- include: adduser_debian.yml +- include: debian/main.yml vars: user: "{{ item.value }}" with_dict: "{{ admin_users }}" when: ansible_distribution == "Debian" and admin_users != {} -# - include: adduser_openbsd.yml user={{ item.value }} +# - include: openbsd/main.yml user={{ item.value }} # with_dict: "{{ admin_users }}" -# when: ansible_distribution == "OpenBSD" +# when: ansible_distribution == "OpenBSD" and admin_users != {} From 66eee11cf758d2f3172c8668c612e95e0965654f Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 27 Jul 2017 21:33:34 -0400 Subject: [PATCH 08/28] etc-git: show OS in task name --- etc-git/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc-git/tasks/main.yml b/etc-git/tasks/main.yml index cd1a9673..a958bacc 100644 --- a/etc-git/tasks/main.yml +++ b/etc-git/tasks/main.yml @@ -1,12 +1,12 @@ --- -- name: Git is installed +- name: Git is installed (Debian) apt: name: git state: present when: ansible_os_family == "Debian" -- name: Git is installed +- name: Git is installed (OpenBSD) openbsd_pkg: name: git state: present From 5e949d74fd5b31f411ee881cb81865006110b195 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 21:34:06 -0400 Subject: [PATCH 09/28] evomaintenance: check if minifirewall is installed --- evomaintenance/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/evomaintenance/tasks/main.yml b/evomaintenance/tasks/main.yml index 091c59d5..5837287c 100644 --- a/evomaintenance/tasks/main.yml +++ b/evomaintenance/tasks/main.yml @@ -23,15 +23,22 @@ - include: trap.yml home={{ item }} with_items: "{{ home_of_shell_users.stdout_lines }}" +- name: Is minifirewall installed? + stat: + path: /etc/default/minifirewall + register: minifirewall_default_file + - name: minifirewall section for evomaintenance lineinfile: dest: /etc/default/minifirewall line: "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s {{ item }} -m state --state ESTABLISHED,RELATED -j ACCEPT" insertafter: "^# EvoMaintenance" with_items: "{{ evomaintenance_hosts }}" + when: minifirewall_default_file.stat.exists - name: remove minifirewall example rule for the proxy lineinfile: dest: /etc/default/minifirewall regexp: '^#.*(--sport 5432).*(-s X\.X\.X\.X)' state: absent + when: minifirewall_default_file.stat.exists From 2179be09d167c024126b6e1449c7f6fa7c9ab88b Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 27 Jul 2017 22:05:44 -0400 Subject: [PATCH 10/28] admin-users: passwordless sudo for come commands --- admin-users/tasks/debian/main.yml | 6 +----- admin-users/tasks/debian/{sudo_jessie.yml => sudo.yml} | 9 ++++++--- admin-users/tasks/debian/sudo_stretch.yml | 7 ------- .../templates/{sudoers_debian.j2 => sudoers_jessie.j2} | 0 admin-users/templates/sudoers_stretch.j2 | 8 ++++++++ 5 files changed, 15 insertions(+), 15 deletions(-) rename admin-users/tasks/debian/{sudo_jessie.yml => sudo.yml} (71%) delete mode 100644 admin-users/tasks/debian/sudo_stretch.yml rename admin-users/templates/{sudoers_debian.j2 => sudoers_jessie.j2} (100%) create mode 100644 admin-users/templates/sudoers_stretch.j2 diff --git a/admin-users/tasks/debian/main.yml b/admin-users/tasks/debian/main.yml index db737b42..329ce50e 100644 --- a/admin-users/tasks/debian/main.yml +++ b/admin-users/tasks/debian/main.yml @@ -6,10 +6,6 @@ - include: ssh.yml -- include: sudo_jessie.yml - when: ansible_distribution_release == 'jessie' - -- include: sudo_stretch.yml - when: ansible_distribution_release == 'stretch' +- include: sudo.yml - meta: flush_handlers diff --git a/admin-users/tasks/debian/sudo_jessie.yml b/admin-users/tasks/debian/sudo.yml similarity index 71% rename from admin-users/tasks/debian/sudo_jessie.yml rename to admin-users/tasks/debian/sudo.yml index 1d7d3a69..793e67d5 100644 --- a/admin-users/tasks/debian/sudo_jessie.yml +++ b/admin-users/tasks/debian/sudo.yml @@ -2,9 +2,9 @@ - name: Verify Evolinux sudoers file presence template: - src: sudoers_debian.j2 + src: sudoers_{{ ansible_distribution_release }}.j2 dest: /etc/sudoers.d/evolinux - force: false + force: no validate: '/usr/sbin/visudo -cf %s' register: copy_sudoers_evolinux 
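Review bot: `src: sudoers_{{ ansible_distribution_release }}.j2` only resolves for jessie and stretch, the two templates the diffstat shows, so on any other Debian release the role now fails outright in `Verify Evolinux sudoers file presence` rather than skipping; a `with_first_found` over `sudoers_{{ ansible_distribution_release }}.j2` plus a default template, or an explicit `when` on the release, keeps the failure deliberate. Because `force: no` is kept, the rendered file is only ever written once per host, so the release-specific content introduced here never reaches hosts that already have `/etc/sudoers.d/evolinux`; if that is intended, a comment on the task saying so would spare the next reader the question.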
@@ -20,4 +20,7 @@ regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$' replace: '\1,{{ user.name }}' validate: '/usr/sbin/visudo -cf %s' - when: not copy_sudoers_evolinux.changed + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version | version_compare('9', '<') + - not copy_sudoers_evolinux.changed diff --git a/admin-users/tasks/debian/sudo_stretch.yml b/admin-users/tasks/debian/sudo_stretch.yml deleted file mode 100644 index 899ac6ae..00000000 --- a/admin-users/tasks/debian/sudo_stretch.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- name: "'{{ user.name }}' is in the sudo group" - user: - name: "{{ user.name }}" - groups: sudo - append: yes diff --git a/admin-users/templates/sudoers_debian.j2 b/admin-users/templates/sudoers_jessie.j2 similarity index 100% rename from admin-users/templates/sudoers_debian.j2 rename to admin-users/templates/sudoers_jessie.j2 diff --git a/admin-users/templates/sudoers_stretch.j2 b/admin-users/templates/sudoers_stretch.j2 new file mode 100644 index 00000000..5332395c --- /dev/null +++ b/admin-users/templates/sudoers_stretch.j2 @@ -0,0 +1,8 @@ +Defaults umask=0077 + +Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount + +nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs +nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt + +%sudo ALL = NOPASSWD: MAINT From c97110f865118ef026cee1abdbf5da569ded6b37 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jul 2017 22:17:25 -0400 Subject: [PATCH 11/28] minifirewall: embed files instead of git clone --- minifirewall/files/minifirewall | 385 +++++++++++++++++++++++++++ minifirewall/files/minifirewall.conf | 99 +++++++ minifirewall/tasks/install.yml | 44 +-- 3 files changed, 497 insertions(+), 31 deletions(-) create mode 100755 minifirewall/files/minifirewall create mode 100644 minifirewall/files/minifirewall.conf 
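Review bot: `%sudo ALL = NOPASSWD: MAINT` grants every member of the sudo group password-less execution of `/usr/bin/apt` and `/bin/mount`, and both are widely documented as sufficient to obtain a root shell when allowed under sudo without a password, so for those users this is a password-less root rather than a narrow maintenance allowance. If the intent is only to skip the prompt for the two Evolix scripts, keep `apt` and `mount` out of `MAINT`, or list them with the exact argument forms that are needed, as the `nagios ... (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt` line already does. A short comment above `Cmnd_Alias MAINT` stating why each command is there would make future additions easier to review.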
diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall new file mode 100755 index 00000000..94260a96 --- /dev/null +++ b/minifirewall/files/minifirewall 
@@ -0,0 +1,385 @@ +#!/bin/sh + +# minifirewall is shellscripts for easy firewalling on a standalone server +# we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel +# See https://forge.evolix.org/projects/minifirewall + +# Copyright (c) 2007-2015 Evolix +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License. + +# Description +# script for standalone server + +# Start or stop minifirewall +# + +### BEGIN INIT INFO +# Provides: minfirewall +# Required-Start: +# Required-Stop: +# Should-Start: $network $syslog $named +# Should-Stop: $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop the firewall +# Description: Firewall designed for standalone server +### END INIT INFO + +DESC="minifirewall" +NAME="minifirewall" + + +# Variables configuration +######################### + +# iptables paths +IPT=/sbin/iptables +IPT6=/sbin/ip6tables + +# TCP/IP variables +LOOPBACK='127.0.0.0/8' +CLASSA='10.0.0.0/8' +CLASSB='172.16.0.0/12' +CLASSC='192.168.0.0/16' +CLASSD='224.0.0.0/4' +CLASSE='240.0.0.0/5' +ALL='0.0.0.0' +BROAD='255.255.255.255' +PORTSROOT='0:1023' +PORTSUSER='1024:65535' + + +case "$1" in + start) + + echo "Start IPTables rules..." + +# Stop and warn if error! +set -e +trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." 
' INT TERM EXIT + + +# sysctl network security settings +################################## + +# Don't answer to broadcast pings +echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + +# Ignore bogus ICMP responses +echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses + +# Disable Source Routing +for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do +echo 0 > $i +done + +# Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks +# cf http://cr.yp.to/syncookies.html +echo 1 > /proc/sys/net/ipv4/tcp_syncookies + +# Disable ICMP redirects +for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do +echo 0 > $i +done + +for i in /proc/sys/net/ipv4/conf/*/send_redirects; do +echo 0 > $i +done + +# Enable Reverse Path filtering : verify if responses use same network interface +for i in /proc/sys/net/ipv4/conf/*/rp_filter; do +echo 1 > $i +done + +# log des paquets avec adresse incoherente +for i in /proc/sys/net/ipv4/conf/*/log_martians; do +echo 1 > $i +done + +# IPTables configuration +######################## + +$IPT -N LOG_DROP +$IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : ' +$IPT -A LOG_DROP -j DROP +$IPT -N LOG_ACCEPT +$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' +$IPT -A LOG_ACCEPT -j ACCEPT + +# Configuration +oldconfigfile="/etc/firewall.rc" +configfile="/etc/default/minifirewall" + +if test -f $oldconfigfile; then + echo "$oldconfigfile is deprecated, rename to $configfile" >&2 + exit 1 +fi + +if ! test -f $configfile; then + echo "$configfile does not exist" >&2 + exit 1 +fi + +tmpfile=`mktemp` +. $configfile 2>$tmpfile >&2 +if [ -s $tmpfile ]; then + echo "$configfile returns standard or error output (see below). Stopping." 
>&2 + cat $tmpfile + exit 1 +fi +rm $tmpfile + +# Trusted ip addresses +$IPT -N ONLYTRUSTED +$IPT -A ONLYTRUSTED -j LOG_DROP +for x in $TRUSTEDIPS + do + $IPT -I ONLYTRUSTED -s $x -j ACCEPT + done + +# Privilegied ip addresses +# (trusted ip addresses *are* privilegied) +$IPT -N ONLYPRIVILEGIED +$IPT -A ONLYPRIVILEGIED -j ONLYTRUSTED +for x in $PRIVILEGIEDIPS + do + $IPT -I ONLYPRIVILEGIED -s $x -j ACCEPT + done + +# Chain for restrictions (blacklist IPs/ranges) +$IPT -N NEEDRESTRICT + +# We allow all on loopback interface +$IPT -A INPUT -i lo -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A INPUT -i lo -j ACCEPT +# if OUTPUTDROP +$IPT -A OUTPUT -o lo -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o lo -j ACCEPT + +# We avoid "martians" packets, typical when W32/Blaster virus +# attacked windowsupdate.com and DNS was changed to 127.0.0.1 +# $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP +$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP + + +# Local services restrictions +############################# + +# Allow services for $INTLAN (local server or local network) +$IPT -A INPUT -s $INTLAN -j ACCEPT + +# Enable protection chain for sensible services +for x in $SERVICESTCP1p + do + $IPT -A INPUT -p tcp --dport $x -j NEEDRESTRICT + done + +for x in $SERVICESUDP1p + do + $IPT -A INPUT -p udp --dport $x -j NEEDRESTRICT + done + +# Public service +for x in $SERVICESTCP1 + do + $IPT -A INPUT -p tcp --dport $x -j ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT + done + +for x in $SERVICESUDP1 + do + $IPT -A INPUT -p udp --dport $x -j ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT + done + +# Privilegied services +for x in $SERVICESTCP2 + do + $IPT -A INPUT -p tcp --dport $x -j ONLYPRIVILEGIED + done + +for x in $SERVICESUDP2 + do + $IPT -A INPUT -p udp --dport $x -j ONLYPRIVILEGIED + done + +# Private services +for x in $SERVICESTCP3 + do + $IPT -A INPUT -p tcp --dport $x -j ONLYTRUSTED + done + +for x in 
$SERVICESUDP3 + do + $IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED + done + + +# External services +################### + +# DNS authorizations +for x in $DNSSERVEURS + do + $IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT + $IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT + done + +# HTTP (TCP/80) authorizations +for x in $HTTPSITES + do + $IPT -A INPUT -p tcp ! --syn --sport 80 --dport $PORTSUSER -s $x -j ACCEPT + done + +# HTTPS (TCP/443) authorizations +for x in $HTTPSSITES + do + $IPT -A INPUT -p tcp ! --syn --sport 443 --dport $PORTSUSER -s $x -j ACCEPT + done + +# FTP (so complex protocol...) authorizations +for x in $FTPSITES + do + # requests on Control connection + $IPT -A INPUT -p tcp ! --syn --sport 21 --dport $PORTSUSER -s $x -j ACCEPT + # FTP port-mode on Data Connection + $IPT -A INPUT -p tcp --sport 20 --dport $PORTSUSER -s $x -j ACCEPT + # FTP passive-mode on Data Connection + # WARNING, this allow all connections on TCP ports > 1024 + $IPT -A INPUT -p tcp ! --syn --sport $PORTSUSER --dport $PORTSUSER -s $x -j ACCEPT + done + +# SSH authorizations +for x in $SSHOK + do + $IPT -A INPUT -p tcp ! --syn --sport 22 -s $x -j ACCEPT + done + +# SMTP authorizations +for x in $SMTPOK + do + $IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -j ACCEPT + done + +# secure SMTP (TCP/465 et TCP/587) authorizations +for x in $SMTPSECUREOK + do + $IPT -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -j ACCEPT + $IPT -A INPUT -p tcp ! 
--syn --sport 587 --dport $PORTSUSER -j ACCEPT + done + +# NTP authorizations +for x in $NTPOK + do + $IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT + $IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT + done + +# Always allow ICMP +$IPT -A INPUT -p icmp -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT + + +# IPTables policy +################# + +# by default DROP INPUT packets +$IPT -P INPUT DROP +[ "$IPV6" != "off" ] && $IPT6 -P INPUT DROP + +# by default, no FORWARING (deprecated for Virtual Machines) +#echo 0 > /proc/sys/net/ipv4/ip_forward +#$IPT -P FORWARD DROP +#$IPT6 -P FORWARD DROP + +# by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets) +$IPT -P OUTPUT ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT +$IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT +$IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A OUTPUT -p udp -j DROP +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT +[ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp -j DROP + +trap - INT TERM EXIT + + echo "...starting IPTables rules is now finish : OK" + ;; + + stop) + + echo "Flush all rules and accept everything..." 
+ + # Delete all rules + $IPT -F INPUT + $IPT -F OUTPUT + $IPT -F LOG_DROP + $IPT -F LOG_ACCEPT + $IPT -F ONLYTRUSTED + $IPT -F ONLYPRIVILEGIED + $IPT -F NEEDRESTRICT + $IPT -t nat -F + $IPT -t mangle -F + [ "$IPV6" != "off" ] && $IPT6 -F INPUT + [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT + + # Accept all + $IPT -P INPUT ACCEPT + $IPT -P OUTPUT ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -P INPUT ACCEPT + [ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT + #$IPT -P FORWARD ACCEPT + #$IPT -t nat -P PREROUTING ACCEPT + #$IPT -t nat -P POSTROUTING ACCEPT + + # Delete non-standard chains + $IPT -X LOG_DROP + $IPT -X LOG_ACCEPT + $IPT -X ONLYPRIVILEGIED + $IPT -X ONLYTRUSTED + $IPT -X NEEDRESTRICT + + echo "...flushing IPTables rules is now finish : OK" + ;; + + status) + + $IPT -L -n -v --line-numbers + $IPT -t nat -L -n -v --line-numbers + $IPT -t mangle -L -n -v --line-numbers + $IPT6 -L -n -v --line-numbers + $IPT6 -t mangle -L -n -v --line-numbers + ;; + + reset) + + echo "Reset all IPTables counters..." + + $IPT -Z + $IPT -t nat -Z + $IPT -t mangle -Z + [ "$IPV6" != "off" ] && $IPT6 -Z + [ "$IPV6" != "off" ] && $IPT6 -t mangle -Z + + echo "...reseting IPTables counters is now finish : OK" + ;; + + restart) + + $0 stop + $0 start + ;; + + *) + + echo "Usage: $0 {start|stop|restart|status|reset|squid}" + exit 1 +esac + +exit 0 + diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf new file mode 100644 index 00000000..12ea853f --- /dev/null +++ b/minifirewall/files/minifirewall.conf 
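Review bot: The SMTP loops in the `start` branch iterate over `$SMTPOK` and `$SMTPSECUREOK` but never use `$x`: `$IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -j ACCEPT` and the 465/587 lines carry no `-s $x`, so as soon as either variable is non-empty the rule accepts non-SYN packets with that source port from any host, and a restricted list in the config behaves exactly like `0.0.0.0/0`. Add `-s $x` to the three rules, as the DNS, HTTP and SSH loops already do: `$IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -s $x -j ACCEPT`. Smaller points: the `status` branch calls `$IPT6` without the `[ "$IPV6" != "off" ]` guard every other branch uses, and the usage string advertises a `squid` action that the `case` does not implement. Since the script is now copied verbatim from `files/` rather than cloned, a header comment recording which upstream minifirewall revision it was taken from would keep it auditable against the project.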
@@ -0,0 +1,99 @@
+# Configuration for minifirewall : https://forge.evolix.org/projects/minifirewall
+# For fun, we keep last change from first CVS repository:
+# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $
+
+# Main interface
+INT='eth0'
+
+# IPv6
+IPV6=on
+
+# Trusted IPv4 local network
+# ...will be often IP/32 if you don't trust anything
+INTLAN='192.168.0.2/32'
+
+# Trusted IPv4 addresses for private and semi-public services
+TRUSTEDIPS='62.212.121.90 88.179.18.233 31.170.8.4 31.170.9.129'
+
+# Privilegied IPv4 addresses for semi-public services
+# (no need to add again TRUSTEDIPS)
+PRIVILEGIEDIPS=''
+
+
+# Local services IPv4/IPv6 restrictions
+#######################################
+
+# Protected services
+# (add also in Public services if needed)
+SERVICESTCP1p='22'
+SERVICESUDP1p=''
+
+# Public services (IPv4/IPv6)
+SERVICESTCP1='25 53 443 993 995 2222'
+SERVICESUDP1='53'
+
+# Semi-public services (IPv4)
+SERVICESTCP2='20 21 22 80 110 143'
+SERVICESUDP2=''
+
+# Private services (IPv4)
+SERVICESTCP3='5666'
+SERVICESUDP3=''
+
+# Standard output IPv4 access restrictions
+##########################################
+
+# DNS authorizations
+# (if you have local DNS server, set 0.0.0.0/0)
+DNSSERVEURS='0.0.0.0/0'
+
+# HTTP authorizations
+# (you can use DNS names but set cron to reload minifirewall regularly)
+# (if you have HTTP proxy, set 0.0.0.0/0)
+HTTPSITES='security.debian.org pub.evolix.net volatile.debian.org mirror.evolix.org backports.debian.org hwraid.le-vert.net zidane.evolix.net antispam00.evolix.org spamassassin.apache.org sa-update.space-pro.be sa-update.secnap.net www.sa-update.pccc.com sa-update.dnswl.org'
+
+# HTTPS authorizations
+HTTPSSITES='0.0.0.0/0'
+
+# FTP authorizations
+FTPSITES=''
+
+# SSH authorizations
+SSHOK='0.0.0.0/0'
+
+# SMTP authorizations
+SMTPOK='0.0.0.0/0'
+
+# SMTP secure authorizations (ports TCP/465 and TCP/587)
+SMTPSECUREOK=''
+
+# NTP authorizations
+NTPOK='0.0.0.0/0'
+
+
+# IPv6 Specific rules
+#####################
+
+# Example: allow SSH from Trusted IPv6 addresses
+/sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT
+
+# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Example: allow output DNS, NTP and traceroute traffic
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
+#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
+
+# Example: allow DHCPv6
+/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
+
+# IPv4 Specific rules
+#####################
+
+# /sbin/iptables ...
diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml
index 8e211fb9..47d72b44 100644
--- a/minifirewall/tasks/install.yml
+++ b/minifirewall/tasks/install.yml
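Review bot: `TRUSTEDIPS` on the new side hard-codes four specific public addresses (and `INTLAN` one specific private host) in a static file under `files/`, so every host this role is applied to trusts those addresses for the semi-public and private service sets unless the deployed copy is edited by hand, and because install.yml copies the file with `force: no`, a later correction here never reaches hosts that already have it. The three groups of "Example:" ip6tables rules are live, not commented out like the traceroute line, so the `2a01:9500:37:129::/64` SSH allowance and the DHCPv6 rules are applied as-is everywhere. Consider rendering this file from a template whose address lists come from role variables defaulting to empty, and commenting out the example rules the way the traceroute one is; at minimum add above `TRUSTEDIPS` a comment such as `# Site-specific: review before deploying; this file is installed once (force: no) and not updated afterwards.`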
@@ -1,37 +1,19 @@ --- -- name: clone git repository - git: - repo: "{{ minifirewall_git_url}}" - dest: "{{ minifirewall_checkout_path }}" - clone: yes - -# WARN: these tasks copy the file if there are not already there -# They don't update files. - -- name: is init script present? - stat: - path: /etc/init.d/minifirewall - check_mode: no - register: init_minifirewall - - name: init script is copied - command: "cp {{ minifirewall_checkout_path }}/minifirewall /etc/init.d/minifirewall" - when: not init_minifirewall.stat.exists - - -- name: is configuration present? - stat: - path: /etc/default/minifirewall - check_mode: no - register: default_minifirewall + copy: + src: minifirewall + dest: /etc/init.d/minifirewall + force: no + mode: "0700" + owner: root + group: root - name: configuration is copied - command: "cp {{ minifirewall_checkout_path }}/minifirewall.conf /etc/default/minifirewall" - when: not default_minifirewall.stat.exists - -- name: fix configuration rights - file: - path: /etc/default/minifirewall + copy: + src: minifirewall.conf + dest: /etc/default/minifirewall + force: no mode: "0600" - state: file + owner: root + group: root From aaded131763cb43da737f9b0c47d23ceadb0477c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 28 Jul 2017 15:24:26 -0400 Subject: [PATCH 12/28] apache: add missing reload notifications --- apache/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 7c4c8d40..a5ecf9fc 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -38,6 +38,7 @@ - expires - headers - cgi + notify: reload apache tags: - apache @@ -49,6 +50,7 @@ group: root mode: "0640" force: yes + notify: reload apache tags: - apache @@ -60,6 +62,7 @@ group: root mode: "0640" force: no + notify: reload apache tags: - apache @@ -70,6 +73,7 @@ with_items: - z-evolinux-defaults.conf - zzz-evolinux-custom.conf + notify: reload apache tags: - apache 
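Review bot: The removed comment `# WARN: these tasks copy the file if there are not already there` / `# They don't update files.` still describes the new tasks, since both `copy` calls use `force: no`, so the once-only behaviour survives while its only documentation is dropped. Restore it above the `init script is copied` task, e.g. `# Both files are copied only when absent (force: no); later changes to files/minifirewall* are never pushed to existing hosts.` Shipping the firewall script from `files/` instead of a git checkout makes that caveat matter more, because an updated script now needs an explicit force or a separate update task to reach hosts that already have one.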
From 84fdd356fa888bb8b4e35003a8e12038759d9640 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 28 Jul 2017 15:27:34 -0400 Subject: [PATCH 13/28] apache: formatting --- apache/templates/evolinux-default.conf.j2 | 97 ++++++++++++----------- 1 file changed, 49 insertions(+), 48 deletions(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index bc272364..cd107d2d 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -38,12 +38,12 @@ LogLevel warn - RewriteEngine on - # Redirect to HTTPS, execpt for munin, because some plugins - # can't handle HTTPS! :( - RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR] - RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] - RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] + RewriteEngine on + # Redirect to HTTPS, execpt for munin, because some plugins + # can't handle HTTPS! :( + RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR] + RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] + RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] 
@@ -52,53 +52,54 @@ - - ServerName {{ ansible_fqdn }} - #ServerAlias {{ ansible_fqdn }} + + ServerName {{ ansible_fqdn }} + #ServerAlias {{ ansible_fqdn }} - DocumentRoot /var/www/ + DocumentRoot /var/www/ - - Include /etc/apache2/private_ipaddr_whitelist.conf - - - Options -Indexes - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - + + Include /etc/apache2/private_ipaddr_whitelist.conf + + + Options -Indexes + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + - SSLEngine on - SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} - SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} + SSLEngine on + SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} + SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} - # We override these 2 Directory directives setted in apache2.conf. - # We want no access except from allowed IP address. - - Include /etc/apache2/private_ipaddr_whitelist.conf - + # We override these 2 Directory directives setted in apache2.conf. + # We want no access except from allowed IP address. + + Include /etc/apache2/private_ipaddr_whitelist.conf + - # Munin. We need to set Directory directive as Alias take precedence. - Alias /munin /var/cache/munin/www - - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - - - Options -Indexes - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - + # Munin. We need to set Directory directive as Alias take precedence. + Alias /munin /var/cache/munin/www + + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + + + Options -Indexes + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + - # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence. - ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - - Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - Require all denied - Include /etc/apache2/private_ipaddr_whitelist.conf - + # For CGI Scripts. 
We need to set Directory directive as ScriptAlias take precedence. + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all denied + Include /etc/apache2/private_ipaddr_whitelist.conf + - CustomLog /var/log/apache2/access.log vhost_combined - ErrorLog /var/log/apache2/error.log - LogLevel warn - + CustomLog /var/log/apache2/access.log vhost_combined + ErrorLog /var/log/apache2/error.log + LogLevel warn + + From e90d8ceec3a13e741f59a35b261dde6fa7c194b8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 28 Jul 2017 15:28:03 -0400 Subject: [PATCH 14/28] apache: "Require local" instead of "Require ip 127.0.0.1" --- apache/templates/evolinux-default.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index cd107d2d..48fec271 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -47,7 +47,7 @@ - Require ip 127.0.0.1 + Require local From 03aae520e883fa76dc9312208293290b3a23f5d7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 28 Jul 2017 15:28:19 -0400 Subject: [PATCH 15/28] apache: server-status only for default vhost --- apache/files/evolinux-defaults.conf | 7 +++++++ apache/tasks/main.yml | 6 ++++++ apache/templates/evolinux-default.conf.j2 | 17 +++++++++++++++++ 3 files changed, 30 insertions(+) diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf index ca02d032..e4f1f512 100644 --- a/apache/files/evolinux-defaults.conf +++ b/apache/files/evolinux-defaults.conf @@ -22,3 +22,10 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 Require all denied + + + ExtendedStatus On + + ProxyStatus On + + diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index a5ecf9fc..2c919a41 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml 
@@ -66,6 +66,12 @@ tags: - apache +- name: disable status.conf + file: + dest: /etc/apache2/mods-enabled/status.conf + state: absent + notify: reload apache + - name: Ensure Apache config files are enabled command: "a2enconf {{ item }}" register: command_result diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2 index 48fec271..a1f681e4 100644 --- a/apache/templates/evolinux-default.conf.j2 +++ b/apache/templates/evolinux-default.conf.j2 @@ -49,6 +49,15 @@ Require local + + + + SetHandler server-status + include /etc/apache2/private_ipaddr_whitelist.conf + Require local + + + @@ -101,5 +110,13 @@ ErrorLog /var/log/apache2/error.log LogLevel warn + + + SetHandler server-status + include /etc/apache2/private_ipaddr_whitelist.conf + Require local + + + From b71db80afeec3158833819c1e35be9705bc63546 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Thu, 3 Aug 2017 15:18:30 -0400 Subject: [PATCH 16/28] Move variable file to defaults/ --- munin/{vars => defaults}/main.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename munin/{vars => defaults}/main.yml (100%) diff --git a/munin/vars/main.yml b/munin/defaults/main.yml similarity index 100% rename from munin/vars/main.yml rename to munin/defaults/main.yml From b8894cc50948d08100a5b9255aa2bffd2fe8faf7 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Thu, 3 Aug 2017 16:15:27 -0400 Subject: [PATCH 17/28] Remount /usr rw before writing on it --- evoadmin/tasks/remount_usr_rw.yml | 15 +++++++++++++++ evoadmin/tasks/user.yml | 3 +++ 2 files changed, 18 insertions(+) create mode 100644 evoadmin/tasks/remount_usr_rw.yml diff --git a/evoadmin/tasks/remount_usr_rw.yml b/evoadmin/tasks/remount_usr_rw.yml new file mode 100644 index 00000000..8c51aee2 --- /dev/null +++ b/evoadmin/tasks/remount_usr_rw.yml 
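Review bot: The new `disable status.conf` task is the only task in this file without the `tags:` / `- apache` that every neighbouring task carries in the context lines, so a run limited with `--tags apache` would skip it and leave the distribution `status.conf` enabled next to the vhost-specific `server-status` locations added in the template hunks. Add `tags:` / `- apache` after `notify: reload apache` as the surrounding tasks do. In the two template hunks the directive is written `include /etc/apache2/private_ipaddr_whitelist.conf` while the rest of the template uses `Include`; Apache accepts either casing, but matching the file's convention avoids the inconsistency.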
@@ -0,0 +1,15 @@ +--- +- name: Get mount options for partitions + shell: "mount | grep 'on /usr type'" + args: + warn: no + register: mount + changed_when: False + failed_when: False + when: not ansible_check_mode + +- name: Remount /usr if it is a partition and it is not mounted in rw + command: "mount -o remount,rw /usr" + when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw") + args: + warn: no diff --git a/evoadmin/tasks/user.yml b/evoadmin/tasks/user.yml index e3442cd1..8023777d 100644 --- a/evoadmin/tasks/user.yml +++ b/evoadmin/tasks/user.yml @@ -25,6 +25,9 @@ # Warning: Need sudo! become_user: "{{ evoadmin_username }}" +- include: remount_usr_rw.yml + when: evoadmin_scripts_dir | search ("/usr") + - name: "Create {{ evoadmin_scripts_dir }}" file: dest: "{{ evoadmin_scripts_dir }}" From ce0644e976463fd7bda8ff5d263244c3234fa4ca Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Fri, 4 Aug 2017 09:52:51 -0400 Subject: [PATCH 18/28] copy general_alert_email/log2mail_alert_email to Apache role --- apache/README.md | 1 + apache/defaults/main.yml | 3 +++ packweb-apache/README.md | 2 +- packweb-apache/defaults/main.yml | 1 - 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/apache/README.md b/apache/README.md index bd45539b..66804981 100644 --- a/apache/README.md +++ b/apache/README.md @@ -14,5 +14,6 @@ Main variables are : * `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist; * `apache_private_htpasswd_present` : list of users to have in the private htpasswd ; * `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd. +* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index 65048f14..810a0676 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml 
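Review bot: In check mode the first task is skipped by `when: not ansible_check_mode`, so the registered `mount` result carries no `rc` and the second task's `when: mount.rc == 0 and …` fails on an undefined attribute instead of skipping. Guard it the same way: `when: not ansible_check_mode and mount.rc == 0 and not mount.stdout_lines.0 | search("rw")`. The `search("rw")` test also matches "rw" anywhere in the mount line (device path, filesystem type), not only in the option list; anchoring on the parenthesised options, something like `search("\\(rw")`, would be more precise. Nothing remounts `/usr` read-only afterwards; if that is intended, a comment saying so at the top of the file would save the next reader from wondering.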
@@ -12,3 +12,6 @@ apache_evolinux_default_ssl_key: /etc/ssl/private/ssl-cert-snakeoil.key apache_phpmyadmin_set: False apache_phpmyadmin_suffix: "" apache_serverstatus_suffix: "" + +general_alert_email: "root@localhost" +log2mail_alert_email: Null diff --git a/packweb-apache/README.md b/packweb-apache/README.md index a8bae5f0..d3f3f5b6 100644 --- a/packweb-apache/README.md +++ b/packweb-apache/README.md @@ -10,6 +10,6 @@ Everything is in the `tasks/main.yml` file for now. Main variables are : -* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). +* `packweb_enable_evoadmin_vhost` : enable VirtualHost for evoadmin (web interface to create web accounts) The full list of variables (with default values) can be found in `defaults/main.yml`. diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml index 0301183f..9457fd8a 100644 --- a/packweb-apache/defaults/main.yml +++ b/packweb-apache/defaults/main.yml @@ -1,5 +1,4 @@ --- # defaults file for packweb-apache general_alert_email: "root@localhost" -log2mail_alert_email: Null packweb_enable_evoadmin_vhost: True From 6bf818b52d48faef7c394112e1ae27911434c25c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 3 Aug 2017 15:16:23 -0400 Subject: [PATCH 19/28] fix: path is 2.3+ only --- docker-host/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index 39c8f578..6fc0b28c 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -53,7 +53,7 @@ - name: Remove options from docker systemd service lineinfile: - path: /lib/systemd/system/docker.service + dest: /lib/systemd/system/docker.service regexp: '^ExecStart=' line: 'ExecStart=/usr/bin/dockerd' From 3bd758759e7f8a61b7add68f157d30d273773be9 Mon Sep 17 00:00:00 2001 
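Review bot: `log2mail_alert_email: Null` uses the capitalised null literal; YAML parses it as null, but the canonical, yamllint-preferred spelling is `log2mail_alert_email: null`. The README line added in the same commit says the default is `general_alert_email`, which this value does not express on its own, so the fallback presumably lives wherever the variable is consumed, outside this diff; a comment next to the key such as `# null: falls back to general_alert_email where used` would keep defaults and README consistent.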
From: Jeremy Lecour Date: Fri, 4 Aug 2017 10:46:00 -0400 Subject: [PATCH 20/28] admin-users: add users to sudo group for Stretch --- admin-users/tasks/debian/user.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/debian/user.yml index c47fbdfc..10e4980c 100644 --- a/admin-users/tasks/debian/user.yml +++ b/admin-users/tasks/debian/user.yml @@ -28,6 +28,13 @@ update_password: on_create when: uidisbusy.rc == 0 +- name: "Add user to sudo group (Stretch)" + user: + name: '{{ user.name }}' + groups: sudo + append: yes + when: ansible_distribution_release == "stretch" + - name: "Fix perms on homedirectory for '{{ user.name }}'" file: name: '/home/{{ user.name }}' From 15e7c72a23a528b651d865f6d8e8c6d9c5c1a9d9 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Fri, 4 Aug 2017 10:48:37 -0400 Subject: [PATCH 21/28] Fix systemd handler to restart elasticsearch with systemd --- elasticsearch/handlers/main.yml | 7 ++----- elasticsearch/tasks/bootstrap_checks.yml | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/elasticsearch/handlers/main.yml b/elasticsearch/handlers/main.yml index e1249341..c8a57b70 100644 --- a/elasticsearch/handlers/main.yml +++ b/elasticsearch/handlers/main.yml @@ -1,10 +1,7 @@ --- - name: restart elasticsearch - service: - name: elasticsearch - state: restarted - -- name: reload elasticsearch unit systemd: daemon_reload: yes + name: elasticsearch + state: restarted diff --git a/elasticsearch/tasks/bootstrap_checks.yml b/elasticsearch/tasks/bootstrap_checks.yml index b7d6547d..a79204b2 100644 --- a/elasticsearch/tasks/bootstrap_checks.yml +++ b/elasticsearch/tasks/bootstrap_checks.yml @@ -38,6 +38,6 @@ option: "LimitMEMLOCK" value: "infinity" notify: - - reload elasticsearch unit + - restart elasticsearch tags: - config From 3b03b8a74b82ce0a43807743925f8622b006a776 Mon Sep 17 00:00:00 2001 
From: Victor LABORIE Date: Thu, 3 Aug 2017 22:13:50 +0200 Subject: [PATCH 22/28] php-fpm: support for Debian > 8 --- php-fpm/tasks/main.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/php-fpm/tasks/main.yml b/php-fpm/tasks/main.yml index 3131af3b..f05ae125 100644 --- a/php-fpm/tasks/main.yml +++ b/php-fpm/tasks/main.yml @@ -1,4 +1,15 @@ -- name: ensure packages are installed +- name: Ensure php5-fpm package is installed apt: name: php5-fpm state: present + when: ansible_distribution_major_version | version_compare('8', '<=') + tags: + - php-fpm + +- name: Ensure php-fpm packages is installed + apt: + name: php-fpm + state: present + when: ansible_distribution_major_version | version_compare('9', '>=') + tags: + - php-fpm From ab0e7b010b2238145831945b0a0c1cd94fcd1b20 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Fri, 4 Aug 2017 18:53:08 +0200 Subject: [PATCH 23/28] nginx: fix link to default vhost --- nginx/tasks/main_regular.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml index 7f11ed32..bc58503b 100644 --- a/nginx/tasks/main_regular.yml +++ b/nginx/tasks/main_regular.yml @@ -119,7 +119,7 @@ - name: default vhost is enabled file: src: /etc/nginx/sites-available/evolinux-default.conf - dest: /etc/nginx/sites-enabled/default.conf + dest: /etc/nginx/sites-enabled/default state: link force: yes notify: reload nginx From f75601a7ceefe3013040cc0b8fa0bd2bdf724d75 Mon Sep 17 00:00:00 2001 From: Romain Dessort Date: Fri, 4 Aug 2017 18:17:56 -0400 Subject: [PATCH 24/28] Fix permission on nrpe.d/evolix.cfg --- nagios-nrpe/tasks/debian.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nagios-nrpe/tasks/debian.yml b/nagios-nrpe/tasks/debian.yml index d50bc533..dbb73903 100644 --- a/nagios-nrpe/tasks/debian.yml +++ b/nagios-nrpe/tasks/debian.yml 
@@ -15,6 +15,8 @@ template: src: evolix.cfg.j2 dest: /etc/nagios/nrpe.d/evolix.cfg + group: nagios + mode: "0640" notify: restart nagios-nrpe-server - name: Nagios config is secured From db2b418be478f3289432e2f8d44effbd057224f1 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 4 Aug 2017 18:08:41 -0400 Subject: [PATCH 25/28] evolinux-base: fix typo in README --- evolinux-base/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evolinux-base/README.md b/evolinux-base/README.md index 7e51066c..abd70e7d 100644 --- a/evolinux-base/README.md +++ b/evolinux-base/README.md @@ -21,7 +21,7 @@ Various tasks for Evolinux setup. ## Available variables -Each tasks group is included in the `main.yml` file with a condition based on a variable like `evolinux_hostname_include` (mostly `True` by default). The variables can be set to `False` to disable a . Finer grained tasks disabling is done in each group of tasks. +Each tasks group is included in the `main.yml` file with a condition based on a variable like `evolinux_hostname_include` (mostly `True` by default). The variables can be set to `False` to disable a task group. Finer grained tasks disabling is done in each group of tasks. Main variables are: From 4b8456c5b7773ac7648435c844368a92ea65da99 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sat, 5 Aug 2017 12:13:24 -0400 Subject: [PATCH 26/28] Fix ssh security policy --- admin-users/defaults/main.yml | 1 + admin-users/tasks/debian/ssh.yml | 2 +- admin-users/tasks/debian/user.yml | 6 ++- evolinux-base/tasks/ssh.yml | 62 +++++++++++++++++++++---------- 4 files changed, 49 insertions(+), 22 deletions(-) diff --git a/admin-users/defaults/main.yml b/admin-users/defaults/main.yml index e0c1ff04..ad5f42cb 100644 --- a/admin-users/defaults/main.yml +++ b/admin-users/defaults/main.yml @@ -1,2 +1,3 @@ --- admin_users: {} +admin_users_group: adm 
diff --git a/admin-users/tasks/debian/ssh.yml b/admin-users/tasks/debian/ssh.yml index 0ee7d2d8..d74a51f2 100644 --- a/admin-users/tasks/debian/ssh.yml +++ b/admin-users/tasks/debian/ssh.yml @@ -27,7 +27,7 @@ lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ user.name }}" - insertafter: '^# ForceCommand cvs server' + insertafter: 'Subsystem' validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd when: grep_allowusers_ssh.rc != 0 diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/debian/user.yml index 10e4980c..7de5b778 100644 --- a/admin-users/tasks/debian/user.yml +++ b/admin-users/tasks/debian/user.yml @@ -28,10 +28,14 @@ update_password: on_create when: uidisbusy.rc == 0 +- name: "Create {{ admin_users_group }}" + group: + name: "{{ admin_users_group }}" + - name: "Add user to sudo group (Stretch)" user: name: '{{ user.name }}' - groups: sudo + groups: 'sudo,{{ admin_users_group }}' append: yes when: ansible_distribution_release == "stretch" diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index d74dcef3..6f79c982 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml 
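Review bot: `insertafter: 'Subsystem'` is an unanchored regex, and lineinfile inserts after the last line that matches it; `AllowUsers` is a global directive that sshd rejects inside a `Match` block, so this relies on the `Subsystem` line preceding every `Match` block, as it does in Debian's stock sshd_config but not necessarily in a hand-edited one, in which case the `validate` step fails the run. Anchor the pattern at least as `insertafter: '^Subsystem'` and record the assumption with a comment, e.g. `# AllowUsers must stay above any Match block; Subsystem is the last global directive in Debian's default sshd_config`.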
@@ -1,29 +1,51 @@ --- -- name: verify Match Address directive - command: "grep 'Match Address' /etc/ssh/sshd_config" - changed_when: False - failed_when: False - check_mode: no - register: grep_matchaddress_ssh - -- name: Add Match Address sshd directive - lineinfile: +- name: Security directives for Evolinux + blockinfile: dest: /etc/ssh/sshd_config - line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes" + block: | + Match Group sudo + PasswordAuthentication no + Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} + PasswordAuthentication yes + marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS" + insertafter: EOF validate: '/usr/sbin/sshd -T -f %s' notify: reload sshd - when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != [] -- name: Modify Match Address sshd directive - replace: - dest: /etc/ssh/sshd_config - regexp: '^(Match Address ((?!{{ item }}).)*)$' - replace: '\1,{{ item }}' - validate: '/usr/sbin/sshd -T -f %s' - with_items: "{{ evolinux_ssh_password_auth_addresses }}" - notify: reload sshd - when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0 +# - name: verify Match Address directive +# command: "grep 'Match Address' /etc/ssh/sshd_config" +# changed_when: False +# failed_when: False +# check_mode: no +# register: grep_matchaddress_ssh +# +# - name: Add Match Address sshd directive +# lineinfile: +# dest: /etc/ssh/sshd_config +# line: "\nMatch Address {{ evolinux_ssh_password_auth_addresses | join(',') }}\n PasswordAuthentication yes" +# insertafter: '# +ForceCommand cvs server' +# validate: '/usr/sbin/sshd -T -f %s' +# notify: reload sshd +# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc != 0 and evolinux_ssh_password_auth_addresses != [] +# +# - name: Modify Match Address sshd directive +# replace: +# dest: /etc/ssh/sshd_config +# regexp: '^(Match Address ((?!{{ item }}).)*)$' +# replace: '\1,{{ 
item }}' +# validate: '/usr/sbin/sshd -T -f %s' +# with_items: "{{ evolinux_ssh_password_auth_addresses }}" +# notify: reload sshd +# when: evolinux_ssh_match_address and grep_matchaddress_ssh.rc == 0 +# +# - name: Add Match Group sudo without password +# lineinfile: +# dest: /etc/ssh/sshd_config +# line: "\nMatch Group sudo\n PasswordAuthentication no" +# insertbefore: '^Match Address' +# validate: '/usr/sbin/sshd -T -f %s' +# notify: reload sshd - name: disable SSH access for root replace: From 1bcd24a4c19c626975e7a6555630216b8e69b3df Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 9 Aug 2017 00:24:12 -0400 Subject: [PATCH 27/28] admin-users: remove openbsd mentions --- admin-users/tasks/{debian/main.yml => admin_user.yml} | 0 admin-users/tasks/main.yml | 8 ++------ admin-users/tasks/{debian => }/profile.yml | 0 admin-users/tasks/{debian => }/ssh.yml | 0 admin-users/tasks/{debian => }/sudo.yml | 0 admin-users/tasks/{debian => }/user.yml | 0 6 files changed, 2 insertions(+), 6 deletions(-) rename admin-users/tasks/{debian/main.yml => admin_user.yml} (100%) rename admin-users/tasks/{debian => }/profile.yml (100%) rename admin-users/tasks/{debian => }/ssh.yml (100%) rename admin-users/tasks/{debian => }/sudo.yml (100%) rename admin-users/tasks/{debian => }/user.yml (100%) diff --git a/admin-users/tasks/debian/main.yml b/admin-users/tasks/admin_user.yml similarity index 100% rename from admin-users/tasks/debian/main.yml rename to admin-users/tasks/admin_user.yml diff --git a/admin-users/tasks/main.yml b/admin-users/tasks/main.yml index 54e2fc53..c7eeaf39 100644 --- a/admin-users/tasks/main.yml +++ b/admin-users/tasks/main.yml 
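Review bot: The old `… and evolinux_ssh_password_auth_addresses != []` guard is gone, so with an empty address list the block renders a bare `Match Address ` line, which `sshd -T` rejects and the task fails instead of skipping; either restore `when: evolinux_ssh_password_auth_addresses != []` on the blockinfile task, or wrap the two `Match Address` lines in a Jinja `{% if evolinux_ssh_password_auth_addresses %}` guard so the `Match Group sudo` restriction is still applied when the list is empty. Hosts already configured by the previous lineinfile task may still carry their earlier `Match Address … PasswordAuthentication yes` above the new block, and since sshd keeps the first value obtained for a keyword, those addresses would keep password authentication for sudo members; the commit does not remove the old line. The roughly forty commented-out tasks kept below the new task are dead code that git history already preserves and should be deleted rather than carried in the file.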
@@ -4,12 +4,8 @@ msg: "Warning: empty 'admin_users' variable, tasks will be skipped!" when: admin_users == {} -- include: debian/main.yml +- include: admin_user.yml vars: user: "{{ item.value }}" with_dict: "{{ admin_users }}" - when: ansible_distribution == "Debian" and admin_users != {} - -# - include: openbsd/main.yml user={{ item.value }} -# with_dict: "{{ admin_users }}" -# when: ansible_distribution == "OpenBSD" and admin_users != {} + when: admin_users != {} diff --git a/admin-users/tasks/debian/profile.yml b/admin-users/tasks/profile.yml similarity index 100% rename from admin-users/tasks/debian/profile.yml rename to admin-users/tasks/profile.yml diff --git a/admin-users/tasks/debian/ssh.yml b/admin-users/tasks/ssh.yml similarity index 100% rename from admin-users/tasks/debian/ssh.yml rename to admin-users/tasks/ssh.yml diff --git a/admin-users/tasks/debian/sudo.yml b/admin-users/tasks/sudo.yml similarity index 100% rename from admin-users/tasks/debian/sudo.yml rename to admin-users/tasks/sudo.yml diff --git a/admin-users/tasks/debian/user.yml b/admin-users/tasks/user.yml similarity index 100% rename from admin-users/tasks/debian/user.yml rename to admin-users/tasks/user.yml From e02e116002babc12c41e2ee83bf10b08f96720ae Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 9 Aug 2017 01:18:20 -0400 Subject: [PATCH 28/28] docker-host: fix a bad path --- docker-host/tasks/jessie_backports.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-host/tasks/jessie_backports.yml b/docker-host/tasks/jessie_backports.yml index 0284a859..727ee7c8 100644 --- a/docker-host/tasks/jessie_backports.yml +++ b/docker-host/tasks/jessie_backports.yml @@ -7,7 +7,7 @@ - name: Prefer python-docker package from jessie-backports copy: - src: apt/docker_preferences + src: docker_preferences dest: /etc/apt/preferences.d/999-docker force: yes mode: "0640"