Merge branch 'unstable' into stable

2017-12-20 18:08:03 +01:00 · 2017-12-20 18:08:03 +01:00 · 8a027f9521
parent e4daf04110 aeba94bcba
commit 8a027f9521
18 changed files with 43 additions and 36 deletions
--- a/apache/defaults/main.yml
+++ b/apache/defaults/main.yml
@ -1,8 +1,7 @@
 ---
-evolix_trusted_ips: []
-additional_trusted_ips: []
-# Let's merge evolix_trusted_ips with additional_trusted_ips
-apache_ipaddr_whitelist_present: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+apache_default_ipaddr_whitelist_ips: []
+apache_additional_ipaddr_whitelist_ips: []
+apache_ipaddr_whitelist_present: "{{ apache_default_ipaddr_whitelist_ips | union(apache_additional_ipaddr_whitelist_ips) | unique }}"
 apache_ipaddr_whitelist_absent: []

 apache_private_htpasswd_present: []
--- a/elasticsearch/templates/rotate_elasticsearch_logs.j2
+++ b/elasticsearch/templates/rotate_elasticsearch_logs.j2
@ -5,5 +5,5 @@ LOG_DIR=/var/log/elasticsearch
 USER=elasticsearch
 MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }}

-find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \;
-find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??.gz" -mtime +${MAX_AGE} -delete
+find ${LOG_DIR} -type f -user ${USER} \( -name "*.log.????-??-??" -o -name "*-????-??-??.log" \) -exec gzip --best {} \;
+find ${LOG_DIR} -type f -user ${USER} \( -name "*.log.????-??-??.gz" -o -name "*-????-??-??.log.gz" \) -ctime +${MAX_AGE} -delete
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@ -108,10 +108,9 @@ evolinux_evomaintenance_include: True

 evolinux_ssh_include: True

-evolix_trusted_ips: []
-additional_trusted_ips: []
-# Let's merge evolix_trusted_ips with additional_trusted_ips
-evolinux_ssh_password_auth_addresses: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+evolinux_default_ssh_password_auth_addresses: []
+evolinux_additional_ssh_password_auth_addresses: []
+evolinux_ssh_password_auth_addresses: "{{ evolinux_default_ssh_password_auth_addresses | union(evolinux_additional_ssh_password_auth_addresses) | unique }}"
 evolinux_ssh_match_address: True
 evolinux_ssh_disable_acceptenv: True
 evolinux_ssh_allow_current_user: False
--- a/evolinux-base/tasks/default_www.yml
+++ b/evolinux-base/tasks/default_www.yml
@ -10,7 +10,7 @@
  copy:
    src: default_www/img
    dest: /var/www/
-    mode: "0755"
+    mode: "0644"
    directory_mode: "0755"
    follow: yes
  when: evolinux_default_www_files
@ -19,7 +19,7 @@
  template:
    src: default_www/index.html.j2
    dest: /var/www/index.html
-    mode: "0755"
+    mode: "0644"
    force: no
  when: evolinux_default_www_files

--- a/evomaintenance/defaults/main.yml
+++ b/evomaintenance/defaults/main.yml
@ -17,7 +17,6 @@ evomaintenance_urgency_tel: "06.00.00.00.00"

 evomaintenance_realm: "{{ ansible_domain }}"

-evolix_trusted_ips: []
-additional_trusted_ips: []
-# Let's merge evolix_trusted_ips with additional_trusted_ips
-evomaintenance_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+evomaintenance_default_hosts: []
+evomaintenance_additional_hosts: []
+evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}"
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@ -2,10 +2,9 @@
 general_alert_email: "root@localhost"
 fail2ban_alert_email: Null

-evolix_trusted_ips: []
-additional_trusted_ips: []
-# Let's merge evolix_trusted_ips with additional_trusted_ips
-fail2ban_ignore_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+fail2ban_default_ignore_ips: []
+fail2ban_additional_ignore_ips: []
+fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"

 fail2ban_wordpress: False
 fail2ban_roundcube: False
--- a/ldap/defaults/main.yml
+++ b/ldap/defaults/main.yml
@ -1,4 +1,5 @@
 ---
 ldap_hostname: "{{ ansible_hostname }}"
+ldap_listen: "ldap://127.0.0.1:389/"
 ldap_domain: "{{ ansible_domain }}"
 ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
--- a/ldap/tasks/main.yml
+++ b/ldap/tasks/main.yml
@ -8,6 +8,13 @@
    - ldapvi
    - shelldap

+- name: change sldap listen ip:port
+  lineinfile:
+    dest: /etc/default/slapd
+    regexp: 'SLAPD_SERVICES=.*'
+    line: "SLAPD_SERVICES=\"{{ ldap_listen }}\""
+  notify: restart slapd
+
 - name: "Is /root/.ldapvirc present ?"
  stat:
    path: /root/.ldapvirc
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@ -7,11 +7,10 @@ minifirewall_int: "{{ ansible_default_ipv4.interface }}"
 minifirewall_ipv6: "on"
 minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"

-evolix_trusted_ips: []
-additional_trusted_ips: []
-# Let's merge evolix_trusted_ips with additional_trusted_ips
+minifirewall_default_trusted_ips: []
+minifirewall_additional_trusted_ips: []
 # and default to ['0.0.0.0/0'] if the result is still empty
-minifirewall_trusted_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) }}"
+minifirewall_trusted_ips: "{{ minifirewall_default_trusted_ips | union(minifirewall_additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) }}"
 minifirewall_privilegied_ips: []

 minifirewall_protected_ports_tcp: [22]
--- a/minifirewall/files/minifirewall.conf
+++ b/minifirewall/files/minifirewall.conf
@ -77,7 +77,8 @@ NTPOK='0.0.0.0/0'
 # Example: allow SSH from Trusted IPv6 addresses
 /sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT

-# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
+# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic 
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
--- a/nagios-nrpe/defaults/main.yml
+++ b/nagios-nrpe/defaults/main.yml
@ -1,8 +1,7 @@
 ---
-evolix_trusted_ips: []
-additional_trusted_ips: []
-# Let's merge evolix_trusted_ips with additional_trusted_ips
-nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+nagios_nrpe_default_allowed_hosts: []
+nagios_nrpe_additional_allowed_hosts: []
+nagios_nrpe_allowed_hosts: "{{ nagios_nrpe_default_allowed_hosts | union(nagios_nrpe_additional_allowed_hosts) | unique }}"
 nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
 nagios_nrpe_ldap_passwd: LDAP_PASSWD
 nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
@ -23,7 +23,8 @@ command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20

 # Specific services checks
 command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}'
-command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost  -f ~nagios/.my.cnf
+command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf
+command[check_mysql_slave]=/usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600
 command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nagios,ou=ldapusers,{{ nagios_nrpe_ldap_dc }} -P {{ nagios_nrpe_ldap_passwd }} -b {{ nagios_nrpe_ldap_dc }}
 command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }}
 command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@ -3,10 +3,10 @@
 nginx_minimal: False
 nginx_jessie_backports: False

-evolix_trusted_ips: []
-additional_trusted_ips: []
-# Let's merge evolix_trusted_ips with additional_trusted_ips
-nginx_ipaddr_whitelist_present: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+nginx_default_ipaddr_whitelist_ips: []
+nginx_additional_ipaddr_whitelist_ips: []
+nginx_ipaddr_whitelist_present: "{{ nginx_default_ipaddr_whitelist_ips | union(nginx_additional_ipaddr_whitelist_ips) | unique }}"
+
 nginx_ipaddr_whitelist_absent: []

 nginx_private_htpasswd_present: []
--- a/nodejs/tasks/main.yml
+++ b/nodejs/tasks/main.yml
@ -21,7 +21,7 @@
 - name: Node sources list ({{ nodejs_apt_version }}) is available
  apt_repository:
    repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
-    filename: nodesource.list
+    filename: nodesource
    update_cache: yes
    state: present
  tags:
--- a/php/meta/main.yml
+++ b/php/meta/main.yml
@ -12,6 +12,7 @@ galaxy_info:
  - name: Debian
    versions:
    - jessie
+    - stretch

 dependencies: []
  # List your role dependencies here, one per line.
--- a/php/tasks/php_jessie.yml
+++ b/php/tasks/php_jessie.yml
@ -13,6 +13,7 @@
  - php5-mysql
  - php5-pgsql
  - php-gettext
+  - php5-intl
  - php5-curl
  - php5-ssh2
  - libphp-phpmailer
--- a/php/tasks/php_stretch.yml
+++ b/php/tasks/php_stretch.yml
@ -7,6 +7,7 @@
  with_items:
  - php-cli
  - php-gd
+  - php-intl
  - php-imap
  - php-ldap
  - php-mcrypt
--- a/webapps/evoadmin-web/tasks/web.yml
+++ b/webapps/evoadmin-web/tasks/web.yml
@ -42,7 +42,7 @@
  template:
    src: config.local.php.j2
    dest: "{{ evoadmin_document_root}}/conf/config.local.php"
-    mode: "0644"
+    mode: "0640"
    owner: evoadmin
    group: evoadmin
    force: no