Merge branch 'unstable' into buster

CHANGELOG.md

@@ -10,8 +10,24 @@ The **patch** part changes incrementally at each release.
 
 ## [Unreleased]
 
+### Added
+
+### Changed
+
+### Fixed
+
+### Security
+
+## [9.10.1] - 2019-06-21
+
+### Changed
+* evocheck : update (version 19.06) from upstream
+
+## [9.10.0] - 2019-06-21
+
 ### Added
 * apache: add server status suffix in VHost (and default site) if missing
+* apache: add a variable to customize the server-status host
 * apt: add a script to manage packages with "hold" mark
 * etc-git: gitignore /etc/letsencrypt/.certbot.lock
 * evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later)
@@ -20,9 +36,10 @@ The **patch** part changes incrementally at each release.
 * redmine: enable gzip compression in nginx vhost
 
 ### Changed
-* evocheck : version 19.04 from upstream
+* evocheck : update (unreleased) from upstream
 * evomaintenance : use the web API instead of PG Insert
-* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5
+* fluentd: store gpg key locally
+* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3
 * redmine: update default version to 4.0.3
 * nagios-nrpe: change required status code for http and https check
 * redmine: use custom errors-pages in Nginx vhost
@@ -39,8 +56,6 @@ The **patch** part changes incrementally at each release.
 * evolinux-users: Validate sshd config with "-t" instead of "-T"
 * nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
 
-### Security
-
 ## [9.9.0] - 2019-04-16
 
 ### Added

apache/defaults/main.yml

@@ -19,3 +19,5 @@ apache_munin_include: True
 
 general_alert_email: "root@localhost"
 log2mail_alert_email: Null
+
+apache_serverstatus_host: 127.0.0.1

apache/tasks/server_status.yml

@@ -62,7 +62,8 @@
 - name: apache-status URL is configured for Munin
   lineinfile:
     dest: /etc/munin/plugin-conf.d/munin-node
-    line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto"
-    regexp: "env.url http://127.0.0.1/server-status"
+    line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
+    regexp: 'env.url http://[^\\/]+/server-status'
     insertafter: "[apache_*]"
     create: no
+  notify: restart munin-node

apt/tasks/backports.yml

@@ -5,7 +5,7 @@
     regexp: "backports"
     state: absent
   tags:
-  - apt
+    - apt
 
 - name: Backports sources list is installed
   template:
@@ -15,7 +15,7 @@
     mode: "0640"
   register: apt_backports_list
   tags:
-  - apt
+    - apt
 
 - name: Backports configuration
   copy:
@@ -25,7 +25,7 @@
     mode: "0640"
   register: apt_backports_config
   tags:
-  - apt
+    - apt
 
 - name: Archived backport are accepted (jessie)
   lineinfile:
@@ -34,10 +34,12 @@
     create: yes
     state: present
   when: ansible_lsb.codename == "jessie"
+  tags:
+    - apt
 
 - name: Apt update
   apt:
     update_cache: yes
   when: apt_backports_list | changed or apt_backports_config | changed
   tags:
-  - apt
+    - apt

apt/tasks/basics.yml

@@ -8,21 +8,23 @@
     force: yes
   register: apt_basic_list
   tags:
-  - apt
+    - apt
 
 - name: Clean GANDI sources.list.d/debian-security.list
   file:
     path: '{{ item }}'
     state: absent
   with_items:
-  - /etc/apt/sources.list.d/debian-security.list
-  - /etc/apt/sources.list.d/debian-stretch.list
-  - /etc/apt/sources.list.d/debian-update.list
+    - /etc/apt/sources.list.d/debian-security.list
+    - /etc/apt/sources.list.d/debian-stretch.list
+    - /etc/apt/sources.list.d/debian-update.list
   when: apt_clean_gandi_sourceslist
+  tags:
+    - apt
 
 - name: Apt update
   apt:
     update_cache: yes
   when: apt_basic_list | changed
   tags:
-  - apt
+    - apt

apt/tasks/config.yml

@@ -9,9 +9,11 @@
     state: present
     mode: "0640"
   with_items:
-  - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
-  - { line: "APT::Install-Suggests \"false\";",   regexp: 'APT::Install-Suggests' }
+    - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
+    - { line: "APT::Install-Suggests \"false\";",   regexp: 'APT::Install-Suggests' }
   when: apt_evolinux_config
+  tags:
+    - apt
 
 - name: DPkg invoke hooks
   lineinfile:
@@ -21,24 +23,32 @@
     state: present
     mode: "0640"
   with_items:
-  - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
-  - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
-  - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
-  - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
+    - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
+    - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
+    - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
+    - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
   when: apt_hooks
+  tags:
+    - apt
 
 - name: Remove Aptitude
   apt:
     name: aptitude
     state: absent
   when: apt_remove_aptitude
+  tags:
+    - apt
 
 - name: Updating APT cache
   apt:
     update_cache: yes
   changed_when: False
+  tags:
+    - apt
 
 - name: Upgrading system
   apt:
     upgrade: dist
   when: apt_upgrade
+  tags:
+    - apt

apt/tasks/evolix_public.yml

@@ -12,6 +12,8 @@
   apt_key:
     #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D
     data: "{{ lookup('file', 'reg.gpg') }}"
+  tags:
+    - apt
 
 - name: Evolix public list is installed
   template:
@@ -21,11 +23,11 @@
     mode: "0640"
   register: apt_evolix_public
   tags:
-  - apt
+    - apt
 
 - name: Apt update
   apt:
     update_cache: yes
   when: apt_evolix_public | changed
   tags:
-  - apt
+    - apt

apt/tasks/hold_packages.yml

@@ -5,6 +5,8 @@
   register: apt_mark
   changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
   with_items: "{{ apt_hold_packages }}"
+  tags:
+    - apt
 
 - name: "hold packages (config)"
   lineinfile:
@@ -13,12 +15,16 @@
     create: True
     state: present
   with_items: "{{ apt_hold_packages }}"
+  tags:
+    - apt
 
 - name: "unhold packages (apt)"
   shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
   register: apt_mark
   changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
   with_items: "{{ apt_unhold_packages }}"
+  tags:
+    - apt
 
 - name: "unhold packages (config)"
   lineinfile:
@@ -27,6 +33,8 @@
     create: True
     state: absent
   with_items: "{{ apt_unhold_packages }}"
+  tags:
+    - apt
 
 - name: /usr/share/scripts exists
   file:
@@ -35,6 +43,8 @@
     owner: root
     group: root
     state: directory
+  tags:
+    - apt
 
 - name: Check scripts is installed
   copy:
@@ -42,6 +52,8 @@
     dest: /usr/share/scripts/check_held_packages.sh
     force: yes
     mode: "0755"
+  tags:
+    - apt
 
 - name: Check for held packages (script)
   cron:
@@ -55,3 +67,5 @@
     day: "{{ apt_check_hold_cron_day }}"
     month: "{{ apt_check_hold_cron_month }}"
     state: "present"
+  tags:
+    - apt

apt/tasks/main.yml

@@ -4,36 +4,36 @@
   fail:
     msg: only compatible with Debian >= 8
   when:
-  - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
+    - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
   tags:
-  - apt
+    - apt
 
 - name: Custom configuration
   include: config.yml
   when: apt_config
   tags:
-  - apt
+    - apt
 
 - name: Install basics repositories
   include: basics.yml
   when: apt_install_basics
   tags:
-  - apt
+    - apt
 
 - name: Install APT Backports repository
   include: backports.yml
   when: apt_install_backports
   tags:
-  - apt
+    - apt
 
 - name: Install Evolix Public APT repository
   include: evolix_public.yml
   when: apt_install_evolix_public
   tags:
-  - apt
+    - apt
 
 - name: Install check for packages marked hold
   include: hold_packages.yml
   when: apt_install_hold_packages
   tags:
-  - apt
+    - apt

evocheck/files/evocheck.sh

@@ -315,7 +315,7 @@ check_nrpeperms() {
 }
 check_minifwperms() {
     if [ -f "$MINIFW_FILE" ]; then
-        actual=$(stat --format "%a" $MINIFW_FILE)
+        actual=$(stat --format "%a" "$MINIFW_FILE")
         expected="600"
         test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
     fi
@@ -386,7 +386,7 @@ check_raidsoft() {
 }
 # Verification du LogFormat de AWStats
 check_awstatslogformat() {
-    if is_installed apache2.2-common awstats; then
+    if is_installed apache2 awstats; then
         grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
             || failed "IS_AWSTATSLOGFORMAT"
     fi
@@ -531,20 +531,30 @@ check_userlogrotate() {
 }
 # Verification de la syntaxe de la conf d'Apache
 check_apachectl() {
-    if is_installed apache2.2-common; then
+    if is_installed apache2; then
         /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
     fi
 }
 # Check if there is regular files in Apache sites-enabled.
 check_apachesymlink() {
-    if is_installed apache2.2-common; then
-        stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK"
+    if is_installed apache2; then
+        apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print)
+        nbApacheFind=$(wc -m <<< "$apacheFind")
+        if [[ $nbApacheFind -gt 1 ]]; then
+            if [[ $VERBOSE == 1 ]]; then
+                while read -r line; do
+                    failed "IS_APACHESYMLINK" "Not a symlink: $line"
+                done <<< "$apacheFind"
+            else
+                failed "IS_APACHESYMLINK"
+            fi
+        fi
     fi
 }
 # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
 check_apacheipinallow() {
     # Note: Replace "exit 1" by "print" in Perl code to debug it.
-    if is_installed apache2.2-common; then
+    if is_installed apache2; then
         grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
             | grep -iv "from all" \
             | grep -iv "env=" \
@@ -559,7 +569,7 @@ check_muninapacheconf() {
     else
         muninconf="/etc/apache2/conf-available/munin.conf"
     fi
-    if is_installed apache2.2-common; then
+    if is_installed apache2; then
         test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
     fi
 }
@@ -881,12 +891,17 @@ check_mysqlmunin() {
 }
 check_mysqlnrpe() {
     if is_debian_stretch && is_installed mariadb-server; then
-        nagios_file="~nagios/.my.cnf"
-        { test -f $nagios_file \
-            && [ "$(stat -c %U $nagios_file)" = "nagios" ] \
-            && [ "$(stat -c %a $nagios_file)" = "600" ] \
-            && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost  -f $nagios_file";
-        } || failed "IS_MYSQLNRPE"
+        nagios_file=~nagios/.my.cnf
+
+        if ! test -f ${nagios_file}; then
+            failed "IS_MYSQLNRPE" "${nagios_file} is missing"
+        elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \
+             || [ "$(stat -c %a ${nagios_file})" != "600" ]; then
+            failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions"
+        else
+            grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
+            || failed "IS_MYSQLNRPE" "check_mysql is missing"
+        fi
     fi
 }
 check_phpevolinuxconf() {
@@ -1078,9 +1093,7 @@ check_evomaintenanceconf() {
             && grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
             && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
             && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
-            && grep "^REALM" $f | grep -qv "example.com" \
-            && grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \
-            && grep "^API_KEY" $f | grep -qv "secretkey";
+            && grep "^REALM" $f | grep -qv "example.com"
         } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
     else
         failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
@@ -1102,7 +1115,7 @@ check_evobackup_incs() {
     if is_installed bkctld; then
         bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
         if [ -f "${bkctld_cron_file}" ]; then
-            root_crontab=$(grep -v "^#" ${bkctld_cron_file})
+            root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
             echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
             echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
         else
@@ -1111,6 +1124,12 @@ check_evobackup_incs() {
     fi
 }
 
+check_osprober() {
+    if is_installed os-prober qemu-kvm; then
+        failed "IS_OSPROBER" "Removal of os-prober package is recommended as it can cause serious issue on KVM server"
+    fi
+}
+
 main() {
     # Default return code : 0 = no error
     RC=0
@@ -1158,7 +1177,7 @@ main() {
         test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
         test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
         test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
-        test "${IS_DISKPERF:=1}" = 1 && check_diskperf
+        test "${IS_DISKPERF:=0}" = 1 && check_diskperf
         test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
         test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
         test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
@@ -1231,6 +1250,7 @@ main() {
         test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
         test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir
         test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
+        test "${IS_OSPROBER:=1}" = 1 && check_osprober
     fi
 
     #-----------------------------------------------------------
@@ -1343,7 +1363,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
 # shellcheck disable=2124
 readonly ARGS=$@
 
-readonly VERSION="19.04"
+readonly VERSION="19.06"
 
 # Disable LANG*
 export LANG=C
@@ -1396,4 +1416,5 @@ while :; do
     shift
 done
 
+# shellcheck disable=SC2086
 main ${ARGS}

fluentd/files/fluentd.gpg

@@ -0,0 +1,53 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C
+nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi
+GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ
+utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP
+pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J
+tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A
+Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy
+tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru
+owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw
+MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3
+jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB
+tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp
+Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF
+AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA
+nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/
+xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp
+jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a
+iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa
+wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e
+WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe
+cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru
+3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57
+zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE
+12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92
+fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu
+RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo
+uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW
+iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd
+gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq
+hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS
+EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU
+Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ
+WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX
+h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG
++xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs
+A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC
+GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S
+zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF
+J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ
+h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK
+yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD
+kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C
+eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+
+pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d
+GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I
+ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g
+pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G
+5Ow=
+=Me4L
+-----END PGP PUBLIC KEY BLOCK-----

fluentd/tasks/main.yml

@@ -2,7 +2,8 @@
 
 - name: Fluentd GPG key is installed
   apt_key:
-    url: https://packages.treasuredata.com/GPG-KEY-td-agent
+    # url: https://packages.treasuredata.com/GPG-KEY-td-agent
+    data: "{{ lookup('file', 'fluentd.gpg') }}"
   tags:
     - packages
     - fluentd

lxc-php/README.md

@@ -0,0 +1,23 @@
+# lxc-php
+
+Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian.
+
+*note : this role depend on the lxc role.*
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+As this role depend on the lxc role, please refer to it for a variable exhaustive list.
+
+Here is the list of available variables for the PHP part:
+
+* `php_conf_short_open_tag` Default: `"Off"`
+* `php_conf_expose_php` Default: `"Off"`
+* `php_conf_display_errors` Default: `"Off"`
+* `php_conf_log_errors` Default: `"On"`
+* `php_conf_html_errors` Default: `"Off"`
+* `php_conf_allow_url_fopen` Default: `"Off"`
+* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"`

lxc/tasks/main.yml

@@ -3,9 +3,9 @@
   apt:
     name: '{{ item }}'
   with_items:
-  - lxc
-  - debootstrap
-  - xz-utils
+    - lxc
+    - debootstrap
+    - xz-utils
 
 - name: Copy LXC default containers configuration
   template:
@@ -21,8 +21,13 @@
 
 - name: Add subuid and subgid ranges to root
   command: usermod -v 100000-199999 -w 100000-109999 root
-  when: lxc_unprivilegied_containers and root_subuids.rc
+  when:
+    - lxc_unprivilegied_containers
+    - root_subuids.rc
 
 - name: Create containers
-  include: "create-container.yml name={{item.name}} release={{item.release}}"
+  include: create-container.yml
+  vars:
+    name: "{{ item.name }}"
+    release: "{{item.release}}"
   with_items: "{{lxc_containers}}"

rbenv/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 rbenv_version: v1.1.2
-rbenv_ruby_version: 2.5.5
+rbenv_ruby_version: 2.6.3
 rbenv_root: "~/.rbenv"
 rbenv_repo: "https://github.com/rbenv/rbenv.git"
 rbenv_plugins:

webapps/evoadmin-web/handlers/main.yml

@@ -5,5 +5,10 @@
     name: apache2
     state: reloaded
 
+- name: restart apache2
+  service:
+    name: apache2
+    state: restarted
+
 - name: newaliases
   command: newaliases

webapps/evoadmin-web/tasks/web.yml

@@ -46,3 +46,10 @@
     owner: evoadmin
     group: evoadmin
     force: no
+
+- name: Enable proxy_fcgi
+  apache2_module:
+    state: present
+    name: proxy_fcgi
+  notify: restart apache2
+  when: evoadmin_multi_php == True

webapps/evoadmin-web/templates/web-add.conf.j2

@@ -1,5 +1,5 @@
 CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
 WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
-{% if evoadmin_multi_php == "True" %}
+{% if evoadmin_multi_php == True %}
 PHP_VERSIONS=(56 70 73)
 {% endif %}