From 18dfb6967985d0f07030365c1523c3ee36066d87 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Mon, 11 Dec 2017 11:57:55 +0100 Subject: [PATCH 1/9] PHP: Install php-intl module (useful for modern frameworks) --- php/meta/main.yml | 1 + php/tasks/php_jessie.yml | 1 + php/tasks/php_stretch.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/php/meta/main.yml b/php/meta/main.yml index 6e8e624e..c861cb82 100644 --- a/php/meta/main.yml +++ b/php/meta/main.yml @@ -12,6 +12,7 @@ galaxy_info: - name: Debian versions: - jessie + - stretch dependencies: [] # List your role dependencies here, one per line. diff --git a/php/tasks/php_jessie.yml b/php/tasks/php_jessie.yml index 10d1c6f7..5d1d6965 100644 --- a/php/tasks/php_jessie.yml +++ b/php/tasks/php_jessie.yml @@ -13,6 +13,7 @@ - php5-mysql - php5-pgsql - php-gettext + - php5-intl - php5-curl - php5-ssh2 - libphp-phpmailer diff --git a/php/tasks/php_stretch.yml b/php/tasks/php_stretch.yml index 31ba2798..f20dbafb 100644 --- a/php/tasks/php_stretch.yml +++ b/php/tasks/php_stretch.yml @@ -7,6 +7,7 @@ with_items: - php-cli - php-gd + - php-intl - php-imap - php-ldap - php-mcrypt From 9328618d6df4c93efcebf17d2af0434da20f7b1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 13 Dec 2017 14:53:21 +0100 Subject: [PATCH 2/9] Add check_mysql_slave for nagios nrpe default config --- nagios-nrpe/templates/evolix.cfg.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index 33ad9c51..468289b8 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 
@@ -23,7 +23,8 @@ command[check_mailq]=/usr/lib/nagios/plugins/check_mailq -M postfix -w 10 -c 20 # Specific services checks command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H localhost -l nrpe -p '{{ nagios_nrpe_pgsql_passwd }}' -command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf +command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf +command[check_mysql_slave]=/usr/lib/nagios/plugins/check_mysql --check-slave -H localhost -f ~nagios/.my.cnf -w 1800 -c 3600 command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nagios,ou=ldapusers,{{ nagios_nrpe_ldap_dc }} -P {{ nagios_nrpe_ldap_passwd }} -b {{ nagios_nrpe_ldap_dc }} command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }} command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost From 806df7d77aa09b4a93e4c6ba9590f1cd902cb3d3 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 13 Dec 2017 15:41:45 +0100 Subject: [PATCH 3/9] nodejs: remove useless .list so we don't have nodesource.list.list --- nodejs/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index bd276dc7..dc024cbd 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -21,7 +21,7 @@ - name: Node sources list ({{ nodejs_apt_version }}) is available apt_repository: repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main" - filename: nodesource.list + filename: nodesource update_cache: yes state: present tags: From a2acd250a62901b98d782a4ca5d47111ea76706e Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 13 Dec 2017 15:44:16 +0100 Subject: [PATCH 4/9] evolinux-base: have default_www files chmoded as 644 --- evolinux-base/tasks/default_www.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
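Review bot: The new `check_mysql_slave` command hard-codes the replication-lag thresholds (`-w 1800 -c 3600`) in the template, whereas the neighbouring `check_pgsql` and `check_ldap` lines take their host-specific values from role variables; exposing the two thresholds as role variables with these values as defaults would let hosts with different replication expectations override them without forking the template. The hunk also removes and re-adds the `check_mysql` line with identical visible text, which looks like a whitespace- or line-ending-only change; if so, dropping it keeps the diff to the one added command. Both commands read credentials from `~nagios/.my.cnf`, so that file's ownership and mode are what keep the monitoring password from other local users, which is worth confirming in the tasks that install it.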
diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index d27ad70f..665e7eb0 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -10,7 +10,7 @@ copy: src: default_www/img dest: /var/www/ - mode: "0755" + mode: "0644" directory_mode: "0755" follow: yes when: evolinux_default_www_files @@ -19,7 +19,7 @@ template: src: default_www/index.html.j2 dest: /var/www/index.html - mode: "0755" + mode: "0644" force: no when: evolinux_default_www_files From bfb8a6cee813e2b6a1786bf60f86118dd562c376 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 15 Dec 2017 14:48:32 +0100 Subject: [PATCH 5/9] evoadmin-web: No need to have config.local.php world readable --- webapps/evoadmin-web/tasks/web.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 59c41582..d8405f8f 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -42,7 +42,7 @@ template: src: config.local.php.j2 dest: "{{ evoadmin_document_root}}/conf/config.local.php" - mode: "0644" + mode: "0640" owner: evoadmin group: evoadmin force: no From b90260ae286290a212663dea62ef8e4e2d9055de Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 15 Dec 2017 14:49:21 +0100 Subject: [PATCH 6/9] minifirewall: Make outgoing SSH in IPv6 works --- minifirewall/files/minifirewall.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index a15f78b2..0158e4ca 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf 
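Review bot: The tightened `mode: "0644"` on the `index.html` template will, as far as I can tell, not reach hosts where `/var/www/index.html` already exists, because the task keeps `force: no` and the template/copy modules return early for an existing destination without touching its permissions (the task's `name:` line sits above the hunk). If already-provisioned hosts should also lose the executable bit, a follow-up `file:` task with `path: /var/www/index.html` and `mode: "0644"` and no `force` applies it idempotently. The first hunk's recursive `copy` of `default_www/img` appears not to have this problem since it carries no `force: no`.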
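Review bot: Tightening `config.local.php` to `mode: "0640"` is the right direction, but with `force: no` kept on the same task an already-rendered `{{ evoadmin_document_root}}/conf/config.local.php` is left untouched, so hosts provisioned before this change keep the file world-readable (the task's `name:` line is above the hunk). A separate `file:` task that only sets ownership and mode enforces the new permissions on every run regardless of whether the template was rendered. The mode also only works if the PHP worker runs as `evoadmin` or in group `evoadmin`; otherwise the application loses read access, so this is worth checking against the vhost's user.
```yaml
# … unchanged: template task for config.local.php (force: no) …
- name: config.local.php ownership and mode are enforced
  file:
    path: "{{ evoadmin_document_root }}/conf/config.local.php"
    owner: evoadmin
    group: evoadmin
    mode: "0640"
```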
@@ -77,7 +77,8 @@ NTPOK='0.0.0.0/0' # Example: allow SSH from Trusted IPv6 addresses /sbin/ip6tables -A INPUT -i $INT -p tcp --dport 22 -s 2a01:9500:37:129::/64 -j ACCEPT -# Example: allow input HTTP/HTTPS/SMTP/DNS traffic +# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic +/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 22 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT /sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT From b3ec1f09b6d0b4a1db6805d49ce0f0c8af4b57a0 Mon Sep 17 00:00:00 2001 From: Victor LABORIE Date: Mon, 18 Dec 2017 18:05:37 +0100 Subject: [PATCH 7/9] slapd: listen on 127.0.0.1:389 by default --- ldap/defaults/main.yml | 1 + ldap/tasks/main.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/ldap/defaults/main.yml b/ldap/defaults/main.yml index 88631a11..450c7a6c 100644 --- a/ldap/defaults/main.yml +++ b/ldap/defaults/main.yml @@ -1,4 +1,5 @@ --- ldap_hostname: "{{ ansible_hostname }}" +ldap_listen: "ldap://127.0.0.1:389/" ldap_domain: "{{ ansible_domain }}" ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}" diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index 84bed58d..ffecbad6 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml @@ -8,6 +8,13 @@ - ldapvi - shelldap +- name: change sldap listen ip:port + lineinfile: + dest: /etc/default/slapd + regexp: 'SLAPD_SERVICES=.*' + line: "SLAPD_SERVICES=\"{{ ldap_listen }}\"" + notify: restart slapd + - name: "Is /root/.ldapvirc present ?" stat: path: /root/.ldapvirc From 223bfbdc5ac271cc7abae49c55c67a9e9adf0b17 Mon Sep 17 00:00:00 2001 
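Review bot: The rewritten comment `# Example: allow outgoing SSH/HTTP/HTTPS/SMTP/DNS traffic` describes the OUTPUT direction, while the added `--sport 22` line and the three below it are INPUT rules that accept only packets the state module already classifies as `ESTABLISHED,RELATED`; `# Example: accept return traffic (INPUT side) of outgoing SSH/HTTP/HTTPS/SMTP/DNS connections` states what the lines do. Because the state match is the real gate, the `--sport` filter merely narrows each accept, and a single state-based accept rule would cover all four; if the file already has one elsewhere (not visible here), the new line is redundant and the comment could say so. Whether OUTPUT is open for these ports cannot be judged from this hunk.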
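Review bot: The new default `ldap_listen: "ldap://127.0.0.1:389/"` drops the `ldapi:///` Unix-socket listener that Debian's stock `SLAPD_SERVICES` includes; if cn=config is administered over `ldapi:///` with SASL EXTERNAL, as is usual on Debian, that access stops working once the task writes this value. Keeping the socket, e.g. `ldap_listen: "ldap://127.0.0.1:389/ ldapi:///"`, preserves local administration while still removing the all-interfaces TCP listener, which is the hardening the commit is after. A comment on the variable saying that it is written verbatim into `SLAPD_SERVICES` would help the next person editing it.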
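Review bot: The `lineinfile` regexp `'SLAPD_SERVICES=.*'` is unanchored, so it also matches a commented-out `#SLAPD_SERVICES=...` line and, since `lineinfile` edits the last match, could replace the comment while leaving a live assignment in place; `regexp: '^SLAPD_SERVICES='` targets only the effective setting. The task name `change sldap listen ip:port` misspells slapd; `slapd listens on {{ ldap_listen }}` also matches the declarative naming of the surrounding tasks. The `restart slapd` handler is referenced but not part of this patch, so presumably it already exists in the role.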
From: Jeremy Lecour Date: Tue, 19 Dec 2017 18:08:29 +0100 Subject: [PATCH 8/9] Elasticsearch logs can have multiple patterns --- elasticsearch/templates/rotate_elasticsearch_logs.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/elasticsearch/templates/rotate_elasticsearch_logs.j2 b/elasticsearch/templates/rotate_elasticsearch_logs.j2 index 14d2d31d..95969f89 100644 --- a/elasticsearch/templates/rotate_elasticsearch_logs.j2 +++ b/elasticsearch/templates/rotate_elasticsearch_logs.j2 @@ -5,5 +5,5 @@ LOG_DIR=/var/log/elasticsearch USER=elasticsearch MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }} -find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \; -find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??.gz" -mtime +${MAX_AGE} -delete +find ${LOG_DIR} -type f -user ${USER} \( -name "*.log.????-??-??" -o -name "*-????-??-??.log" \) -exec gzip --best {} \; +find ${LOG_DIR} -type f -user ${USER} \( -name "*.log.????-??-??.gz" -o -name "*-????-??-??.log.gz" \) -ctime +${MAX_AGE} -delete From aeba94bcba40f3c59ad09062ea23dee7cbef644f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 20 Dec 2017 18:04:54 +0100 Subject: [PATCH 9/9] default/additional variables List of hosts/ip are a combination of 2 lists allowing overrides --- apache/defaults/main.yml | 7 +++---- evolinux-base/defaults/main.yml | 7 +++---- evomaintenance/defaults/main.yml | 7 +++---- fail2ban/defaults/main.yml | 7 +++---- minifirewall/defaults/main.yml | 7 +++---- nagios-nrpe/defaults/main.yml | 7 +++---- nginx/defaults/main.yml | 8 ++++---- 7 files changed, 22 insertions(+), 28 deletions(-) diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml index b21e1d59..901f3c20 100644 --- a/apache/defaults/main.yml +++ b/apache/defaults/main.yml 
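Review bot: Besides adding the second name pattern, the deletion line switches from `-mtime +${MAX_AGE}` to `-ctime +${MAX_AGE}`, which the commit message does not mention; gzip preserves the original modification time on the `.gz` file but the inode change time is the compression time, so archives are now kept for MAX_AGE days after compression rather than after their last write. If that shift is intended, a comment such as `# ctime = time of gzip, so retention counts from compression` in the template makes it deliberate; if not, keep `-mtime`. The `\( ... -o ... \)` grouping itself is correct as written.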
@@ -1,8 +1,7 @@ --- -evolix_trusted_ips: [] -additional_trusted_ips: [] -# Let's merge evolix_trusted_ips with additional_trusted_ips -apache_ipaddr_whitelist_present: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +apache_default_ipaddr_whitelist_ips: [] +apache_additional_ipaddr_whitelist_ips: [] +apache_ipaddr_whitelist_present: "{{ apache_default_ipaddr_whitelist_ips | union(apache_additional_ipaddr_whitelist_ips) | unique }}" apache_ipaddr_whitelist_absent: [] apache_private_htpasswd_present: [] diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 54e5d85c..297735f4 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml @@ -108,10 +108,9 @@ evolinux_evomaintenance_include: True evolinux_ssh_include: True -evolix_trusted_ips: [] -additional_trusted_ips: [] -# Let's merge evolix_trusted_ips with additional_trusted_ips -evolinux_ssh_password_auth_addresses: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +evolinux_default_ssh_password_auth_addresses: [] +evolinux_additional_ssh_password_auth_addresses: [] +evolinux_ssh_password_auth_addresses: "{{ evolinux_default_ssh_password_auth_addresses | union(evolinux_additional_ssh_password_auth_addresses) | unique }}" evolinux_ssh_match_address: True evolinux_ssh_disable_acceptenv: True evolinux_ssh_allow_current_user: False diff --git a/evomaintenance/defaults/main.yml b/evomaintenance/defaults/main.yml index 2d0bf1b6..1806f691 100644 --- a/evomaintenance/defaults/main.yml +++ b/evomaintenance/defaults/main.yml 
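Review bot: Renaming `evolix_trusted_ips` / `additional_trusted_ips` to per-role `*_default_*` / `*_additional_*` variables means any inventory or group_vars that still set the old names no longer feed `apache_ipaddr_whitelist_present`, which silently becomes `[]`; the same applies to the evolinux-base, evomaintenance, fail2ban, minifirewall, nagios-nrpe and nginx hunks of this patch. For the whitelists and allowed-hosts lists an empty value fails closed, but for `fail2ban_ignore_ips` it means the formerly trusted addresses become bannable, and there is no deprecation path. A transitional default such as `apache_default_ipaddr_whitelist_ips: "{{ evolix_trusted_ips | default([]) }}"` (and likewise in the other roles) keeps old inventories working while the new names are adopted; at minimum the renamed variables need a changelog or README entry.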
@@ -17,7 +17,6 @@ evomaintenance_urgency_tel: "06.00.00.00.00" evomaintenance_realm: "{{ ansible_domain }}" -evolix_trusted_ips: [] -additional_trusted_ips: [] -# Let's merge evolix_trusted_ips with additional_trusted_ips -evomaintenance_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +evomaintenance_default_hosts: [] +evomaintenance_additional_hosts: [] +evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}" diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 73cd46cb..45c2477a 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -2,10 +2,9 @@ general_alert_email: "root@localhost" fail2ban_alert_email: Null -evolix_trusted_ips: [] -additional_trusted_ips: [] -# Let's merge evolix_trusted_ips with additional_trusted_ips -fail2ban_ignore_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +fail2ban_default_ignore_ips: [] +fail2ban_additional_ignore_ips: [] +fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}" fail2ban_wordpress: False fail2ban_roundcube: False diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 4c8498cf..4f82138d 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml 
@@ -7,11 +7,10 @@ minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_ipv6: "on" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" -evolix_trusted_ips: [] -additional_trusted_ips: [] -# Let's merge evolix_trusted_ips with additional_trusted_ips +minifirewall_default_trusted_ips: [] +minifirewall_additional_trusted_ips: [] # and default to ['0.0.0.0/0'] if the result is still empty -minifirewall_trusted_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) }}" +minifirewall_trusted_ips: "{{ minifirewall_default_trusted_ips | union(minifirewall_additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) }}" minifirewall_privilegied_ips: [] minifirewall_protected_ports_tcp: [22] diff --git a/nagios-nrpe/defaults/main.yml b/nagios-nrpe/defaults/main.yml index 96c3ddd3..4a1eb1c0 100644 --- a/nagios-nrpe/defaults/main.yml +++ b/nagios-nrpe/defaults/main.yml @@ -1,8 +1,7 @@ --- -evolix_trusted_ips: [] -additional_trusted_ips: [] -# Let's merge evolix_trusted_ips with additional_trusted_ips -nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +nagios_nrpe_default_allowed_hosts: [] +nagios_nrpe_additional_allowed_hosts: [] +nagios_nrpe_allowed_hosts: "{{ nagios_nrpe_default_allowed_hosts | union(nagios_nrpe_additional_allowed_hosts) | unique }}" nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT" nagios_nrpe_ldap_passwd: LDAP_PASSWD nagios_nrpe_pgsql_passwd: PGSQL_PASSWD diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index 38dcbb89..bea3159f 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml 
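Review bot: This hunk is the one place where the rename fails open: `minifirewall_trusted_ips` keeps `| default(['0.0.0.0/0'], true)`, so an inventory that still sets `evolix_trusted_ips` and has not been migrated to `minifirewall_default_trusted_ips` now yields an empty union and the firewall's trusted set becomes every IPv4 address. A fallback such as `minifirewall_default_trusted_ips: "{{ evolix_trusted_ips | default([]) }}"` avoids that regression. The surviving comment `# and default to ['0.0.0.0/0'] if the result is still empty` also now starts with "and" but the merge comment it continued has been removed; `# Merge default and additional lists; fall back to ['0.0.0.0/0'] if the result is empty` restores the sense.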
@@ -3,10 +3,10 @@ nginx_minimal: False nginx_jessie_backports: False -evolix_trusted_ips: [] -additional_trusted_ips: [] -# Let's merge evolix_trusted_ips with additional_trusted_ips -nginx_ipaddr_whitelist_present: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}" +nginx_default_ipaddr_whitelist_ips: [] +nginx_additional_ipaddr_whitelist_ips: [] +nginx_ipaddr_whitelist_present: "{{ nginx_default_ipaddr_whitelist_ips | union(nginx_additional_ipaddr_whitelist_ips) | unique }}" + nginx_ipaddr_whitelist_absent: [] nginx_private_htpasswd_present: []