diff --git a/CHANGELOG.md b/CHANGELOG.md index 98a91bd9..9472e665 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,8 +10,24 @@ The **patch** part changes incrementally at each release. ## [Unreleased] +### Added + +### Changed + +### Fixed + +### Security + +## [9.10.1] - 2019-06-21 + +### Changed +* evocheck : update (version 19.06) from upstream + +## [9.10.0] - 2019-06-21 + ### Added * apache: add server status suffix in VHost (and default site) if missing +* apache: add a variable to customize the server-status host * apt: add a script to manage packages with "hold" mark * etc-git: gitignore /etc/letsencrypt/.certbot.lock * evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later) @@ -20,9 +36,10 @@ The **patch** part changes incrementally at each release. * redmine: enable gzip compression in nginx vhost ### Changed -* evocheck : version 19.04 from upstream +* evocheck : update (unreleased) from upstream * evomaintenance : use the web API instead of PG Insert -* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 +* fluentd: store gpg key locally +* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3 * redmine: update default version to 4.0.3 * nagios-nrpe: change required status code for http and https check * redmine: use custom errors-pages in Nginx vhost @@ -39,8 +56,6 @@ The **patch** part changes incrementally at each release. * evolinux-users: Validate sshd config with "-t" instead of "-T" * nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-* -### Security - ## [9.9.0] - 2019-04-16 ### Added diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index ffc74b4e..15ff1a53 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml @@ -19,3 +19,5 @@ apache_munin_include: True general_alert_email: "root@localhost" log2mail_alert_email: Null + +apache_serverstatus_host: 127.0.0.1 
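Review bot: The new default `apache_serverstatus_host: 127.0.0.1` in apache/defaults/main.yml has no comment saying which values are safe to put there. Its only visible consumer, the Munin task in apache/tasks/server_status.yml, builds a plain `http://` URL from it. A non-loopback value would therefore send the server-status request over the network unencrypted, including the suffix that appears intended to make the path hard to guess. I would quote the value and document it, for example `# Host Munin queries for server-status over plain HTTP; keep it on loopback or a trusted interface` above `apache_serverstatus_host: "127.0.0.1"`.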
diff --git a/apache/tasks/server_status.yml b/apache/tasks/server_status.yml index 6497966b..1d6cd8df 100644 --- a/apache/tasks/server_status.yml +++ b/apache/tasks/server_status.yml @@ -62,7 +62,8 @@ - name: apache-status URL is configured for Munin lineinfile: dest: /etc/munin/plugin-conf.d/munin-node - line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto" - regexp: "env.url http://127.0.0.1/server-status" + line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto" + regexp: 'env.url http://[^\\/]+/server-status' insertafter: "[apache_*]" create: no + notify: restart munin-node diff --git a/apt/tasks/backports.yml b/apt/tasks/backports.yml index 02e189a3..0bdc82c7 100644 --- a/apt/tasks/backports.yml +++ b/apt/tasks/backports.yml @@ -5,7 +5,7 @@ regexp: "backports" state: absent tags: - - apt + - apt - name: Backports sources list is installed template: @@ -15,7 +15,7 @@ mode: "0640" register: apt_backports_list tags: - - apt + - apt - name: Backports configuration copy: @@ -25,7 +25,7 @@ mode: "0640" register: apt_backports_config tags: - - apt + - apt - name: Archived backport are accepted (jessie) lineinfile: @@ -34,10 +34,12 @@ create: yes state: present when: ansible_lsb.codename == "jessie" + tags: + - apt - name: Apt update apt: update_cache: yes when: apt_backports_list | changed or apt_backports_config | changed tags: - - apt + - apt diff --git a/apt/tasks/basics.yml b/apt/tasks/basics.yml index edd3ea0c..9f792a7f 100644 --- a/apt/tasks/basics.yml +++ b/apt/tasks/basics.yml 
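Review bot: In the Munin task of apache/tasks/server_status.yml, `insertafter: "[apache_*]"` is read by lineinfile as a regular expression, so the brackets form a character class instead of matching the literal section header. When no `env.url` line exists yet, the new line is inserted after the last line containing any of those characters, which may fall in another plugin's section. `insertafter: '^\[apache_\*\]'` anchors it to the header. In the new `regexp`, the doubled backslash inside single quotes reaches the regex engine as an escaped backslash, so `'env\.url http://[^/]+/server-status'` is the plainer form. The `restart munin-node` handler named by the added `notify:` is not defined in any hunk shown here, so confirm the apache role provides it.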
@@ -8,21 +8,23 @@ force: yes register: apt_basic_list tags: - - apt + - apt - name: Clean GANDI sources.list.d/debian-security.list file: path: '{{ item }}' state: absent with_items: - - /etc/apt/sources.list.d/debian-security.list - - /etc/apt/sources.list.d/debian-stretch.list - - /etc/apt/sources.list.d/debian-update.list + - /etc/apt/sources.list.d/debian-security.list + - /etc/apt/sources.list.d/debian-stretch.list + - /etc/apt/sources.list.d/debian-update.list when: apt_clean_gandi_sourceslist + tags: + - apt - name: Apt update apt: update_cache: yes when: apt_basic_list | changed tags: - - apt + - apt diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 264e8dd7..988aac7a 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -9,9 +9,11 @@ state: present mode: "0640" with_items: - - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } + - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } + - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } when: apt_evolinux_config + tags: + - apt - name: DPkg invoke hooks lineinfile: 
@@ -21,24 +23,32 @@ state: present mode: "0640" with_items: - - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" - - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" - - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" - - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" + - "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };" + - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };" + - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };" + - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };" when: apt_hooks + tags: + - apt - name: Remove Aptitude apt: name: aptitude state: absent when: apt_remove_aptitude + tags: + - apt - name: Updating APT cache apt: update_cache: yes changed_when: False + tags: + - apt - name: Upgrading system apt: upgrade: dist when: apt_upgrade + tags: + - apt diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index ba0a0da6..e5a15279 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -12,6 +12,8 @@ apt_key: #url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D data: "{{ lookup('file', 'reg.gpg') }}" + tags: + - apt - name: Evolix public list is installed template: @@ -21,11 +23,11 @@ mode: "0640" register: apt_evolix_public tags: - - apt + - apt - name: Apt update apt: update_cache: yes when: apt_evolix_public | changed tags: - - apt + - apt diff --git a/apt/tasks/hold_packages.yml b/apt/tasks/hold_packages.yml index 0939335b..b44a1581 100644 --- a/apt/tasks/hold_packages.yml +++ b/apt/tasks/hold_packages.yml 
@@ -5,6 +5,8 @@ register: apt_mark changed_when: "'{{ item }} set on hold.' in apt_mark.stdout" with_items: "{{ apt_hold_packages }}" + tags: + - apt - name: "hold packages (config)" lineinfile: @@ -13,12 +15,16 @@ create: True state: present with_items: "{{ apt_hold_packages }}" + tags: + - apt - name: "unhold packages (apt)" shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}" register: apt_mark changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout" with_items: "{{ apt_unhold_packages }}" + tags: + - apt - name: "unhold packages (config)" lineinfile: @@ -27,6 +33,8 @@ create: True state: absent with_items: "{{ apt_unhold_packages }}" + tags: + - apt - name: /usr/share/scripts exists file: @@ -35,6 +43,8 @@ owner: root group: root state: directory + tags: + - apt - name: Check scripts is installed copy: @@ -42,6 +52,8 @@ dest: /usr/share/scripts/check_held_packages.sh force: yes mode: "0755" + tags: + - apt - name: Check for held packages (script) cron: @@ -55,3 +67,5 @@ day: "{{ apt_check_hold_cron_day }}" month: "{{ apt_check_hold_cron_month }}" state: "present" + tags: + - apt diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml index b02e779f..bb531d4e 100644 --- a/apt/tasks/main.yml +++ b/apt/tasks/main.yml 
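Review bot: In the `unhold packages (apt)` task of apt/tasks/hold_packages.yml, `{{ item }}` is pasted unquoted into the `shell:` line and handed to `grep` as a pattern. A package name is then matched as a substring and as a regular expression, and any shell metacharacter in `apt_unhold_packages` is interpreted by the shell. `shell: "(apt-mark showhold | grep --quiet --fixed-strings --line-regexp -- {{ item | quote }}) && apt-mark unhold {{ item | quote }}"` closes both gaps, assuming showhold prints one bare package name per line. No `failed_when` is visible in the task, so a package that is not currently held appears to make the command exit non-zero and fail the play; worth confirming.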
@@ -4,36 +4,36 @@ fail: msg: only compatible with Debian >= 8 when: - - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') + - ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<') tags: - - apt + - apt - name: Custom configuration include: config.yml when: apt_config tags: - - apt + - apt - name: Install basics repositories include: basics.yml when: apt_install_basics tags: - - apt + - apt - name: Install APT Backports repository include: backports.yml when: apt_install_backports tags: - - apt + - apt - name: Install Evolix Public APT repository include: evolix_public.yml when: apt_install_evolix_public tags: - - apt + - apt - name: Install check for packages marked hold include: hold_packages.yml when: apt_install_hold_packages tags: - - apt + - apt diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 6e9985f2..857b7919 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -315,7 +315,7 @@ check_nrpeperms() { } check_minifwperms() { if [ -f "$MINIFW_FILE" ]; then - actual=$(stat --format "%a" $MINIFW_FILE) + actual=$(stat --format "%a" "$MINIFW_FILE") expected="600" test "$expected" = "$actual" || failed "IS_MINIFWPERMS" fi @@ -386,7 +386,7 @@ check_raidsoft() { } # Verification du LogFormat de AWStats check_awstatslogformat() { - if is_installed apache2.2-common awstats; then + if is_installed apache2 awstats; then grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \ || failed "IS_AWSTATSLOGFORMAT" fi 
@@ -531,20 +531,30 @@ check_userlogrotate() { } # Verification de la syntaxe de la conf d'Apache check_apachectl() { - if is_installed apache2.2-common; then + if is_installed apache2; then /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL" fi } # Check if there is regular files in Apache sites-enabled. check_apachesymlink() { - if is_installed apache2.2-common; then - stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK" + if is_installed apache2; then + apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) + nbApacheFind=$(wc -m <<< "$apacheFind") + if [[ $nbApacheFind -gt 1 ]]; then + if [[ $VERBOSE == 1 ]]; then + while read -r line; do + failed "IS_APACHESYMLINK" "Not a symlink: $line" + done <<< "$apacheFind" + else + failed "IS_APACHESYMLINK" + fi + fi fi } # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). check_apacheipinallow() { # Note: Replace "exit 1" by "print" in Perl code to debug it. - if is_installed apache2.2-common; then + if is_installed apache2; then grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ | grep -iv "from all" \ | grep -iv "env=" \ @@ -559,7 +569,7 @@ check_muninapacheconf() { else muninconf="/etc/apache2/conf-available/munin.conf" fi - if is_installed apache2.2-common; then + if is_installed apache2; then test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF" fi } 
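Review bot: In check_apachesymlink the emptiness test is done by counting characters, `nbApacheFind=$(wc -m <<< "$apacheFind")` followed by `-gt 1`, which only works because the here-string appends a newline. `if [ -n "$apacheFind" ]; then` states the intent directly and drops the extra variable. `! -type l` is redundant next to `-type f`, since find without `-L` never reports a symlink as a regular file. The changelog in this commit describes the file as updated from upstream evocheck, so the change belongs there.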
@@ -881,12 +891,17 @@ check_mysqlmunin() { } check_mysqlnrpe() { if is_debian_stretch && is_installed mariadb-server; then - nagios_file="~nagios/.my.cnf" - { test -f $nagios_file \ - && [ "$(stat -c %U $nagios_file)" = "nagios" ] \ - && [ "$(stat -c %a $nagios_file)" = "600" ] \ - && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file"; - } || failed "IS_MYSQLNRPE" + nagios_file=~nagios/.my.cnf + + if ! test -f ${nagios_file}; then + failed "IS_MYSQLNRPE" "${nagios_file} is missing" + elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ + || [ "$(stat -c %a ${nagios_file})" != "600" ]; then + failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" + else + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ + || failed "IS_MYSQLNRPE" "check_mysql is missing" + fi fi } check_phpevolinuxconf() { @@ -1078,9 +1093,7 @@ check_evomaintenanceconf() { && grep "^FULLFROM" $f | grep -qv "John Doe " \ && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ - && grep "^REALM" $f | grep -qv "example.com" \ - && grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \ - && grep "^API_KEY" $f | grep -qv "secretkey"; + && grep "^REALM" $f | grep -qv "example.com" } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" else failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" 
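Review bot: The rewritten grep in check_mysqlnrpe only looks for the plugin path `command[check_mysql]=/usr/lib/nagios/plugins/check_mysql` and no longer requires `-f` with the nagios `.my.cnf`, so an NRPE line that passes the password inline would satisfy the check. If the intent is still to enforce the credentials file, add a second test such as `grep -q -F -- "-f ${nagios_file}" /etc/nagios/nrpe.d/evolix.cfg || failed "IS_MYSQLNRPE" "check_mysql does not use ${nagios_file}"`, adjusted to however the path is written in that file. `${nagios_file}` is also expanded unquoted in `test -f` and in both `stat` calls; quoting it would match the quoting fixes made elsewhere in this commit.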
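Review bot: check_evomaintenanceconf no longer tests `API_ENDPOINT` and `API_KEY` against their placeholder values, while the changelog in this same commit says evomaintenance now uses the web API. A host left with the sample `API_KEY` would pass the audit unnoticed. If the removal is deliberate, for instance because the keys are optional during a transition, a comment saying so above the block would help; otherwise keep the two tests and make them conditional on the keys being present in `$f`. The body of the function starts outside this hunk.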
@@ -1102,7 +1115,7 @@ check_evobackup_incs() { if is_installed bkctld; then bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} if [ -f "${bkctld_cron_file}" ]; then - root_crontab=$(grep -v "^#" ${bkctld_cron_file}) + root_crontab=$(grep -v "^#" "${bkctld_cron_file}") echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" else @@ -1111,6 +1124,12 @@ check_evobackup_incs() { fi } +check_osprober() { + if is_installed os-prober qemu-kvm; then + failed "IS_OSPROBER" "Removal of os-prober package is recommended as it can cause serious issue on KVM server" + fi +} + main() { # Default return code : 0 = no error RC=0 @@ -1158,7 +1177,7 @@ main() { test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers - test "${IS_DISKPERF:=1}" = 1 && check_diskperf + test "${IS_DISKPERF:=0}" = 1 && check_diskperf test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw @@ -1231,6 +1250,7 @@ main() { test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs + test "${IS_OSPROBER:=1}" = 1 && check_osprober fi #----------------------------------------------------------- @@ -1343,7 +1363,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")") # shellcheck disable=2124 readonly ARGS=$@ -readonly VERSION="19.04" +readonly VERSION="19.06" # Disable LANG* export LANG=C @@ -1396,4 +1416,5 @@ while :; do shift done +# shellcheck disable=SC2086 main ${ARGS} 
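Review bot: The added `# shellcheck disable=SC2086` in the last hunk silences the warning on `main ${ARGS}` instead of removing its cause. `ARGS` is built as a flat string by `readonly ARGS=$@`, so an argument containing spaces or glob characters is re-split and expanded before main receives it. Keeping the arguments in an array, `readonly -a ARGS=("$@")` and `main "${ARGS[@]}"`, preserves them and lets both shellcheck directives go, provided the script runs under bash; the shebang is not visible here.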
diff --git a/fluentd/files/fluentd.gpg b/fluentd/files/fluentd.gpg
new file mode 100644
index 00000000..7a998316
--- /dev/null
+++ b/fluentd/files/fluentd.gpg
@@ -0,0 +1,53 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C +nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi +GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ +utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP +pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J +tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A +Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy +tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru +owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw +MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3 +jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB +tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp +Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF +AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA +nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/ +xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp +jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a +iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa +wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e +WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe +cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru +3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57 +zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE +12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92 +fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu +RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo +uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW +iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd +gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq 
+hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS +EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU +Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ +WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX +h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG ++xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs +A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC +GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S +zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF +J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ +h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK +yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD +kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C +eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+ +pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d +GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I +ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g +pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G +5Ow= +=Me4L +-----END PGP PUBLIC KEY BLOCK----- diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index cad4f17e..30a4f0bf 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -2,7 +2,8 @@ - name: Fluentd GPG key is installed apt_key: - url: https://packages.treasuredata.com/GPG-KEY-td-agent + # url: https://packages.treasuredata.com/GPG-KEY-td-agent + data: "{{ lookup('file', 'fluentd.gpg') }}" tags: - packages - fluentd diff --git a/lxc-php/README.md b/lxc-php/README.md new file mode 100644 index 00000000..bb7475d9 --- /dev/null +++ b/lxc-php/README.md 
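Review bot: The `apt_key` task in fluentd/tasks/main.yml now trusts whatever is in `fluentd.gpg`, and nothing in the task records which key that is supposed to be. Adding `id: "<FINGERPRINT_PUBLISHED_BY_VENDOR>"` (a placeholder, to be filled in from the vendor's published fingerprint) lets the module check that the expected key is the one that ends up in the keyring, and makes a later swap of the file visible in review. The commented-out `# url:` line can be dropped, or turned into a comment stating where the key was downloaded from and when.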
@@ -0,0 +1,23 @@ +# lxc-php + +Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian. + +*note : this role depend on the lxc role.* + +## Tasks + +Everything is in the `tasks/main.yml` file. + +## Available variables + +As this role depend on the lxc role, please refer to it for a variable exhaustive list. + +Here is the list of available variables for the PHP part: + +* `php_conf_short_open_tag` Default: `"Off"` +* `php_conf_expose_php` Default: `"Off"` +* `php_conf_display_errors` Default: `"Off"` +* `php_conf_log_errors` Default: `"On"` +* `php_conf_html_errors` Default: `"Off"` +* `php_conf_allow_url_fopen` Default: `"Off"` +* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"` diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml index c606a02c..11d267c5 100644 --- a/lxc/tasks/main.yml +++ b/lxc/tasks/main.yml @@ -3,9 +3,9 @@ apt: name: '{{ item }}' with_items: - - lxc - - debootstrap - - xz-utils + - lxc + - debootstrap + - xz-utils - name: Copy LXC default containers configuration template: @@ -21,8 +21,13 @@ - name: Add subuid and subgid ranges to root command: usermod -v 100000-199999 -w 100000-109999 root - when: lxc_unprivilegied_containers and root_subuids.rc + when: + - lxc_unprivilegied_containers + - root_subuids.rc - name: Create containers - include: "create-container.yml name={{item.name}} release={{item.release}}" + include: create-container.yml + vars: + name: "{{ item.name }}" + release: "{{item.release}}" with_items: "{{lxc_containers}}" diff --git a/rbenv/defaults/main.yml b/rbenv/defaults/main.yml index 2c0ecd28..533834cd 100644 --- a/rbenv/defaults/main.yml +++ b/rbenv/defaults/main.yml @@ -1,6 +1,6 @@ --- rbenv_version: v1.1.2 -rbenv_ruby_version: 2.5.5 +rbenv_ruby_version: 2.6.3 rbenv_root: "~/.rbenv" rbenv_repo: "https://github.com/rbenv/rbenv.git" rbenv_plugins: 
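Review bot: The documented default for `php_conf_disable_functions` lists `shell-exec`, but the PHP function is `shell_exec`, and names in `disable_functions` that match no function are ignored. If the role's defaults file, which is not part of this diff, carries the same spelling, `shell_exec` stays callable in the containers. The entry should read `exec,shell_exec,system,passthru,putenv,popen` in both places.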
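Review bot: In lxc/tasks/main.yml, `usermod -v 100000-199999 -w 100000-109999 root` gives root 100000 subordinate UIDs but only 10000 subordinate GIDs. If the container configuration template, which is not shown, maps as many GIDs as UIDs, unprivileged containers would get an incomplete mapping, so the `-w` range looks like a typo for `100000-199999`; please confirm. Separately, the new `vars:` block passes a variable called `name`, which collides with the task keyword of the same name and may trigger Ansible's reserved-name warning. Something like `container_name` would be clearer, though create-container.yml would need the matching change.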
diff --git a/webapps/evoadmin-web/handlers/main.yml b/webapps/evoadmin-web/handlers/main.yml index edb3404e..669b0553 100644 --- a/webapps/evoadmin-web/handlers/main.yml +++ b/webapps/evoadmin-web/handlers/main.yml @@ -5,5 +5,10 @@ name: apache2 state: reloaded +- name: restart apache2 + service: + name: apache2 + state: restarted + - name: newaliases command: newaliases diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 23b35204..d9be3b6e 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -46,3 +46,10 @@ owner: evoadmin group: evoadmin force: no + +- name: Enable proxy_fcgi + apache2_module: + state: present + name: proxy_fcgi + notify: restart apache2 + when: evoadmin_multi_php == True diff --git a/webapps/evoadmin-web/templates/web-add.conf.j2 b/webapps/evoadmin-web/templates/web-add.conf.j2 index b3362fbe..4bc41ad8 100644 --- a/webapps/evoadmin-web/templates/web-add.conf.j2 +++ b/webapps/evoadmin-web/templates/web-add.conf.j2 @@ -1,5 +1,5 @@ CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}" WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}" -{% if evoadmin_multi_php == "True" %} +{% if evoadmin_multi_php == True %} PHP_VERSIONS=(56 70 73) {% endif %}
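Review bot: Both new conditions compare against the boolean literal, `when: evoadmin_multi_php == True` in tasks/web.yml and `{% if evoadmin_multi_php == True %}` in web-add.conf.j2. A value that arrives as a string (for example from `-e evoadmin_multi_php=true` or an INI inventory) is then silently treated as disabled. `when: evoadmin_multi_php | bool` and `{% if evoadmin_multi_php | bool %}` accept both forms. The template previously compared against the string `"True"`, so existing inventories may hold either type.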