Merge branch 'unstable' into stable

Jérémy Lecour 2023-03-16 14:56:59 +01:00 committed by Jérémy Lecour
commit 8e4e77cb8b
164 changed files with 2933 additions and 669 deletions


@ -6,6 +6,20 @@ pipeline {
}
stages {
stage('Anible Lint') {
agent {
docker {
image 'evolix/ansible-lint:latest'
}
}
steps {
script {
sh 'for role_dir in ./*/; do HOME=$WORKSPACE_TMP ansible-lint -p $role_dir || : ; done'
recordIssues(tools: [ansibleLint()])
}
}
}
stage('Build tagged docker image') {
when {
buildingTag()
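Review bot: The lint agent pulls `evolix/ansible-lint:latest`, a floating tag, so the image that runs on every commit of this roles repository is whatever was last pushed under that name; pinning it to a digest (`image 'evolix/ansible-lint@sha256:<DIGEST-PLACEHOLDER>'`) or at least to a fixed version tag makes the lint stage reproducible and removes an unreviewed supply-chain input from the pipeline. The stage label `stage('Anible Lint')` also has a typo and should read `stage('Ansible Lint')`, which is what the CI status line above reports. The `pipeline {}` block that encloses this stage starts before the hunk.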

7
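--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+  "files.associations": {
+    "*.yml": "ansible",
+    "*.yaml": "ansible"
+  },
+  "yaml.format.enable": false
+}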


@ -8,6 +8,7 @@ The **major** part of the version is the year
The **minor** part changes is the month
The **patch** part changes is incremented if multiple releases happen the same month
## [Unreleased]
### Added
@ -20,6 +21,63 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Security
## [23.03] 2023-03-16
### Added
* apache: add task to enable mailgraph on default vhost and index.html
* apt: add move-apt-keyrings script/tasks
* apt: add tools to migrate sources to deb822 format
* fail2ban: add "Internal login failure" to Dovecot filter
* lxc: copy `/etc/profile.d/evolinux.sh` from host into container
* nagios-nrpe: add tasks/files for a wrapper
* nagios-nrpe: Print pool config path in check_phpfpm_multi output
* php: add `php_version` variable when sury is activated for each Debian version
* php: add a way to choose which version to install using sury repository
* postfix: Add task to enable mailgraph on packmail
* postgresql: configure max_connections
* userlogrotate: create dedicated role, separated from packweb-apache
* varnish: add `varnish_update_config` variable to disable configuration update
### Changed
* Use systemd module instead of command
* Removed all `warn: False` args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
* apt: Use pub.evolix.org instead of pub.evolix.net
* bind: refactor role
* elasticsearch: Disable garabge collector logging (JDK >= 9)
* evolinux-users: Update sudoers template to remove commands allowed without password
* listupgrade: upstream release 23.03.3
* kvmstats: use virsh domstats | awk to get guests informations
* nagios-nrpe : Rewrite `check_vrrpd` for a better check (check `rp_filter`, `vrrpd` and `uvrrpd` compatible, use arguments, …)
* openvpn: Change `check_openvpn` destination file to comply with recent EvoBSD change
* postfix: come back to default value of `notify_classes` for pack mails.
* userlogrotate: set rotate date format in right order (YYYY-MM-DD)!
* webapps/nextcloud : Change default data directory to be outside web root
* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
* yarn: update apt key
### Fixed
* Proper jinja spacing
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurring failures in Postfix.
* docker-host: fix type in `daemon.json` and remove host configuration that is already in the systemd service by default
* evolinux-base: ensure dbus is started and enabled (not by default in the case of an offline netinst)
* haproxy: fix missing admin ACL in stats module access permissions
* openvpn: fix the client cipher configuration to match the server cipher configuration
* php: fix error introduced in #33503e4538 (`False` evaluated as a String instead of Boolean)
* php: install using Sury repositories on Bullseye
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
* postfix: avoid Amavis transport to be considered dead when restarted.
* postfix: remove unused `aliases_scope=sub` from virtual_aliases.cf (it generated warnings)
* userlogrotate: fix bug introduced in commit 2e54944a246 (rotated files were not zipped)
* userlogrotate: skip zipping if .gz log already exists (prevents interactive question)
### Removed
* evolinux-base: subversion is not installed anymore
## [22.12] 2022-12-14
### Added
@ -34,6 +92,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* packweb-apache: enable `log_forensic` module
* rabbitmq: add link in default page
* varnish: create special tmp directory for syntax validation
* postfix: add localhost.$mydomain to mydestination
### Changed


@ -3,34 +3,34 @@
- name: Launch new instance(s)
ec2:
state: present
aws_access_key: "{{aws_access_key}}"
aws_secret_key: "{{aws_secret_key}}"
region: "{{aws_region}}"
image: "{{ec2_base_ami}}"
instance_type: "{{ec2_instance_type}}"
count: "{{ec2_instance_count}}"
assign_public_ip: "{{ec2_public_ip}}"
group: "{{ec2_security_group.name}}"
key_name: "{{ec2_keyname}}"
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
region: "{{ aws_region }}"
image: "{{ ec2_base_ami }}"
instance_type: "{{ ec2_instance_type }}"
count: "{{ ec2_instance_count }}"
assign_public_ip: "{{ ec2_public_ip }}"
group: "{{ ec2_security_group.name }}"
key_name: "{{ ec2_keyname }}"
wait: yes
register: ec2
- name: Add newly created instance(s) to inventory
add_host:
hostname: "{{item.public_dns_name}}"
hostname: "{{ item.public_dns_name }}"
groupname: launched-instances
ansible_user: admin
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
loop: "{{ec2.instances}}"
loop: "{{ ec2.instances }}"
- debug:
msg: "Your newly created instance is reachable at: {{item.public_dns_name}}"
loop: "{{ec2.instances}}"
msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
loop: "{{ ec2.instances }}"
- name: Wait for SSH to come up on all instances (give up after 2m)
wait_for:
state: started
host: "{{item.public_dns_name}}"
host: "{{ item.public_dns_name }}"
port: 22
timeout: 120
loop: "{{ec2.instances}}"
loop: "{{ ec2.instances }}"


@ -68,3 +68,10 @@
insertafter: "[apache_*]"
create: no
notify: restart munin-node
- name: add mailgraph URL in index.html
lineinfile:
dest: /var/www/index.html
state: present
line: ' <li><a href="/mailgraph">Stats Mail</a></li>'
insertbefore: "</ul>"
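Review bot: The new `lineinfile` task for the mailgraph entry has no `regexp`, so it is idempotent only while the exact string (including the leading space) survives in `/var/www/index.html`; any later reformatting of that line makes the task append a second `<li>` on every run. Adding `regexp: '.*href="/mailgraph".*'` next to `line:` keeps a single entry regardless of whitespace. The enclosing task list continues before the hunk.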


@ -35,6 +35,15 @@
Include /etc/apache2/ipaddr_whitelist.conf
</Directory>
# Mailgraph configuration
Alias /mailgraph /usr/share/mailgraph
<Directory /usr/share/mailgraph>
DirectoryIndex mailgraph.cgi
Require all granted
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
CustomLog /var/log/apache2/access.log vhost_combined
ErrorLog /var/log/apache2/error.log
LogLevel warn
@ -118,6 +127,15 @@
Include /etc/apache2/ipaddr_whitelist.conf
</Location>
# Mailgraph configuration
Alias /mailgraph /usr/share/mailgraph
<Directory /usr/share/mailgraph>
DirectoryIndex mailgraph.cgi
Require all granted
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>
# BEGIN phpMyAdmin section
# END phpMyAdmin section
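Review bot: The new `<Directory /usr/share/mailgraph>` block uses `Require all granted`, while the neighbouring `<Directory>` and `<Location>` blocks visible in both hunks restrict access through `Include /etc/apache2/ipaddr_whitelist.conf`; mailgraph's CGI (`+ExecCGI`, `AddHandler cgi-script .cgi`) and the mail-traffic statistics it renders therefore become reachable by any client of the default vhost, which is the weakest access rule in the file applied to the one directory that executes code. Replacing `Require all granted` with `Include /etc/apache2/ipaddr_whitelist.conf` keeps it consistent with the rest of the vhost; the block is duplicated verbatim in the second hunk (`@ -118,6 +127,15 @@`) and needs the same change there.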


@ -0,0 +1,96 @@
#!/bin/env python3
import re
import sys
import os
if len(sys.argv) > 1:
src_file = sys.argv[1]
else:
print("You must provide a source file as first argument", file=sys.stderr)
sys.exit(1)
if not os.access(src_file, os.R_OK):
print(src_file, "is not readable", file=sys.stderr)
sys.exit(2)
pattern = re.compile('^(?P<type>deb|deb-src) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
sources = {}
def split_options(raw):
table = str.maketrans({
"[": None,
"]": None
})
options = raw.translate(table).split(' ')
return options
with open(src_file,'r') as file:
for line in file:
matches = re.match(pattern, line)
if matches is not None:
# print(matches.groupdict())
uri = matches['uri']
options = {}
if matches.group('options'):
for option in split_options(matches['options']):
if "=" in option:
key, value = option.split("=")
options[key] = value
if uri in sources:
sources[uri]["Types"].add(matches["type"])
sources[uri]["URIs"] = matches["uri"]
sources[uri]["Suites"].add(matches["suite"])
sources[uri]["Components"].update(matches["components"].split(' '))
else:
source = {
"Types": {matches['type']},
"URIs": matches['uri'],
"Enabled": "yes",
}
if matches.group('suite'):
source["Suites"] = set(matches['suite'].split(' '))
if matches.group('components'):
source["Components"] = set(matches['components'].split(' '))
if "arch" in options:
if "Architectures" in source:
source["Architectures"].append(options["arch"])
else:
source["Architectures"] = {options["arch"]}
if "signed-by" in options:
if "Signed-by" in source:
source["Signed-by"].append(options["signed-by"])
else:
source["Signed-by"] = {options["signed-by"]}
if "lang" in options:
if "Languages" in source:
source["Languages"].append(options["lang"])
else:
source["Languages"] = {options["lang"]}
if "target" in options:
if "Targets" in source:
source["Targets"].append(options["target"])
else:
source["Targets"] = {options["target"]}
sources[uri] = source
for i, (uri, source) in enumerate(sources.items()):
if i > 0:
print("")
for key, value in source.items():
if isinstance(value, str):
print("{}: {}".format(key, value) )
else:
print("{}: {}".format(key, ' '.join(value)) )
i += 1
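Review bot: In the `if uri in sources:` branch a second line for an already-seen URI drops its `[...]` options entirely and dereferences `matches["components"]` unconditionally: the `options` dict built just above is only consulted in the `else` branch, so a `signed-by` or `arch` carried by a later `deb-src`/`deb` line is silently absent from the generated `.sources`, and a flat-repository line with no components (the `deb http://pub.evolix.net/ bullseye/` form this commit's own template used) raises `AttributeError` on `.split`, or `KeyError` when the first line had no `Components`. The `.append` calls on the `Architectures`/`Signed-by`/`Languages`/`Targets` sets would also raise, though they are unreachable today because `source` is always freshly created in that branch. `key, value = option.split("=")` should be `option.split("=", 1)` so a value containing `=` does not abort the conversion. The rewrite below merges options for new and existing URIs alike.
```python
            if uri in sources:
                source = sources[uri]
                source["Types"].add(matches["type"])
                source["Suites"].add(matches["suite"])
                if matches.group("components"):
                    source.setdefault("Components", set()).update(matches["components"].split(" "))
            else:
                source = {
                    # … unchanged: "Types", "URIs", "Enabled" …
                    "Suites": set(matches["suite"].split(" ")),
                }
                if matches.group("components"):
                    source["Components"] = set(matches["components"].split(" "))
            # options are merged for first and subsequent lines of a URI alike
            for opt_key, field in (("arch", "Architectures"), ("signed-by", "Signed-by"),
                                   ("lang", "Languages"), ("target", "Targets")):
                if opt_key in options:
                    source.setdefault(field, set()).add(options[opt_key])
            sources[uri] = source
```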


@ -0,0 +1,48 @@
#!/bin/sh
deb822_migrate_script=$(command -v deb822-migration.py)
if [ -z "${deb822_migrate_script}" ]; then
deb822_migrate_script="./deb822-migration.py"
fi
if [ ! -x "${deb822_migrate_script}" ]; then
>&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
exit 1
fi
dest_dir="/etc/apt/sources.list.d"
rc=0
migrate_file() {
legacy_file=$1
deb822_file=$2
if [ -f "${legacy_file}" ]; then
if [ -f "${deb822_file}" ]; then
>&2 echo "ERROR: '${deb822_file}' already exists"
rc=2
else
${deb822_migrate_script} "${legacy_file}" > "${deb822_file}"
if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then
mv "${legacy_file}" "${legacy_file}.bak"
echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak"
else
>&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'"
rc=2
fi
fi
else
>&2 echo "ERROR: '${legacy_file}' not found"
rc=2
fi
}
migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources"
# shellcheck disable=SC2044
for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
deb822_file=$(basename "${legacy_file}" .list)
migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources"
done
exit ${rc}
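Review bot: When the converter fails, the `> "${deb822_file}"` redirection has already created the target, so the `else` branch reports the error but leaves an empty or partial `.sources` file in `/etc/apt/sources.list.d`, which apt parses on its next run and which makes a re-run of this script stop at `already exists`; add `rm -f "${deb822_file}"` before the `ERROR: failed to convert` message in that branch. The fallback `deb822_migrate_script="./deb822-migration.py"` resolves against the caller's working directory, an avoidable dependency for a script run as root; `"$(dirname "$0")/deb822-migration.py"` finds the copy the role installs next to this script. `if [ $? -eq 0 ] && ...` on the line after the command is clearer as `if ${deb822_migrate_script} "${legacy_file}" > "${deb822_file}"; then`.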


@ -0,0 +1,32 @@
#!/bin/sh
# Move apt repository key from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ and add "signed-by" tag in source list
#
# Example: move-apt-keyrings.sh http://repo.mongodb.org/apt/debian mongodb-server-[0-9\\.]+.asc
repository_pattern=$1
key=$2
found_files=$(grep --files-with-matches --recursive --extended-regexp "${repository_pattern}" "/etc/apt/sources.list.d/*.list")
old_key_file="/etc/apt/trusted.gpg.d/${key}"
new_key_file="/etc/apt/keyrings/${key}"
for file in ${found_files}; do
if ! grep --quiet "signed-by" "${file}"; then
signed_by="signed-by=${new_key_file}"
if grep --quiet "deb(-src)? \[" "${file}"; then
sed -i "s@deb\(-src\)\? \[\([^]]\+\)\]@deb\1 [\2 ${signed_by}]@" "${file}"
else
sed -i "s@deb\(-src\)\? @deb\1 [${signed_by}] @" "${file}"
fi
fi
done
if [ -f "${old_key_file}" ] && [ ! -f "${new_key_file}" ]; then
mv "${old_key_file}" "${new_key_file}"
fi
if [ -f "${new_key_file}" ]; then
chmod 644 "${new_key_file}"
chown root: "${new_key_file}"
fi
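Review bot: The glob in the `grep` call is inside double quotes, so grep receives the literal path `/etc/apt/sources.list.d/*.list`, which does not exist; `found_files` is therefore always empty, no source line ever receives a `signed-by=` tag, yet the key is still moved out of `/etc/apt/trusted.gpg.d/`, leaving the repository without a trust anchor (apt will then refuse it with NO_PUBKEY). Unquoting the glob, `"/etc/apt/sources.list.d/"*.list`, fixes the lookup and `--recursive` becomes unnecessary. The later `grep --quiet "deb(-src)? \["` is a basic regex, in which `(`, `)` and `?` are literal, so it never matches and every line — including ones that already carry `[arch=...]` — goes through the `else` sed and ends up as `deb [signed-by=...] [arch=...] ...`, which apt rejects; that test needs `--extended-regexp`. Plain `/etc/apt/sources.list` is also never scanned, so a repository declared there loses its key without being re-tagged.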

87
apt/files/pub_evolix.asc Normal file

@ -0,0 +1,87 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=ZCml
-----END PGP PUBLIC KEY BLOCK-----


@ -18,8 +18,8 @@
- name: Add Evolix GPG key
copy:
src: reg.asc
dest: "{{ apt_keyring_dir }}/reg.asc"
src: pub_evolix.asc
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
force: yes
mode: "0644"
owner: root
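Review bot: The task now ships `pub_evolix.asc`, but nothing in this hunk removes the previously installed `{{ apt_keyring_dir }}/reg.asc`, so hosts that already ran the role keep a stale keyring file; if `apt_keyring_dir` resolves to `/etc/apt/trusted.gpg.d` on older releases (not visible here) that file stays globally trusted. A `file:` task with `path: "{{ apt_keyring_dir }}/reg.asc"` and `state: absent` alongside this one would clean it up, unless another source in the role still references it.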


@ -1,5 +1,8 @@
---
- include_role:
name: evolix/remount-usr
- name: "hold packages (apt)"
shell: "set -o pipefail && (dpkg -l {{ item }} 2>/dev/null | grep -q -E '^(i|h)i') && ((apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }})"
args:
@ -76,8 +79,8 @@
- name: Check if Cron is installed
shell: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
register: is_cron
changed_when: false
failed_when: false
changed_when: False
failed_when: False
check_mode: no
tags:
- apt


@ -0,0 +1,31 @@
---
- include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: Migration scripts are installed
copy:
src: "{{ item }}"
dest: "/usr/share/scripts/{{ item }}"
force: yes
mode: "0755"
loop:
- deb822-migration.py
- deb822-migration.sh
tags:
- apt
- name: Exec migration script
command: /usr/share/scripts/deb822-migration.sh
ignore_errors: yes
tags:
- apt
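Review bot: `Exec migration script` runs `/usr/share/scripts/deb822-migration.sh` on every play with `ignore_errors: yes` and no `changed_when`, so after the first run it reports "changed" plus an ignored failure each time (the script exits 2 once `/etc/apt/sources.list` has been renamed to `.bak`). Guarding it with `args:` / `creates: /etc/apt/sources.list.d/system.sources` makes it run once, and a `register:` plus `failed_when:` on the exit code would keep real conversion errors visible instead of blanket-ignoring them. For consistency with the sibling `copy` in `move-apt-keyrings.yml`, the script copy here should also set `owner: root` and `group: root`.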


@ -0,0 +1,52 @@
---
- name: New APT keyrings directory is present
file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
owner: root
group: root
- include_role:
name: evolix/remount-usr
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: migration script is present
copy:
src: move-apt-keyrings.sh
dest: /usr/share/scripts/move-apt-keyrings.sh
mode: "0755"
owner: root
group: root
- name: Move repository signing key
command: "/usr/share/scripts/move-apt-keyrings.sh \"{{ item.repository_pattern }}\" \"{{ item.key }}\""
loop:
- { repository_pattern: "http://pub.evolix.net/", key: "reg.asc" }
- { repository_pattern: "http://pub.evolix.org/evolix", key: "pub_evolix.asc" }
- { repository_pattern: "https://pub.evolix.org/evolix", key: "pub_evolix.asc" }
- { repository_pattern: "https://artifacts.elastic.co/packages/[^/]+/apt", key: "elastics.asc" }
- { repository_pattern: "https://download.docker.com/linux/debian", key: "docker-debian.asc" }
- { repository_pattern: "https://downloads.linux.hpe.com/SDR/repo/mcp", key: "hpePublicKey2048_key1.asc" }
- { repository_pattern: "http://pkg.jenkins-ci.org/debian-stable", key: "jenkins.asc" }
- { repository_pattern: "https://packages.sury.org/php/", key: "sury.gpg" }
- { repository_pattern: "http://repo.mongodb.org/apt/debian", key: "mongodb-server-[0-9\\.]+.asc" }
- { repository_pattern: "http://apt.newrelic.com/debian/", key: "newrelic.asc" }
- { repository_pattern: "https://deb.nodesource.com/", key: "nodesource.asc" }
- { repository_pattern: "https://dl.yarnpkg.com/debian/", key: "yarn.asc" }
- { repository_pattern: "http://apt.postgresql.org/pub/repos/apt/", key: "postgresql.asc" }
register: _cmd
- name: Debug command
debug:
var: _cmd
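Review bot: The `key` for the MongoDB entry, `mongodb-server-[0-9\\.]+.asc`, is a regular expression, but `move-apt-keyrings.sh` uses its second argument literally to build `/etc/apt/trusted.gpg.d/${key}` and `/etc/apt/keyrings/${key}`, so no file ever matches and that entry is a no-op; list the concrete file name(s) instead. The loop has no `changed_when`, so every host reports thirteen changes per run, and the trailing `Debug command` task prints the whole `_cmd` register on every play; `changed_when: false` (or a check on the script's output) and dropping the debug task, or giving it `verbosity: 1`, keep the run readable. The task list also lacks the `tags: - apt` the other tasks in this file carry.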


@ -1,7 +1,3 @@
# {{ ansible_managed }}
{% if ansible_distribution_release == "bookworm" %}
deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/
{% else %}
deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/
{% endif %}
deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix {{ ansible_distribution_release }} main


@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_statistics_file: /var/run/named.stats
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_query_file_enabled: False
bind_cache_dir: /var/cache/bind


@ -1,19 +1,21 @@
---
- name: reload systemd
command: systemctl daemon-reload
systemd:
daemon-reload: yes
- name: restart apparmor
service:
systemd:
name: apparmor
state: restarted
- name: restart bind
service:
systemd:
name: bind9
state: restarted
- name: restart munin-node
service:
systemd:
name: munin-node
state: restarted


@ -0,0 +1,11 @@
---
- name: Set bind configuration for authoritative server
template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind


@ -1,22 +1,30 @@
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
- name: set chroot variables
set_fact:
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind
bind_statistics_file: /var/run/named.stats
bind_chroot_path: /var/chroot-bind
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_cache_dir: /var/cache/bind
bind_statistics_file: /var/run/named.stats
bind_chroot_path: /var/chroot-bind
when: bind_chroot_set | bool
- name: Check AppArmor
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
failed_when: False
changed_when: False
check_mode: no
register: check_apparmor
- name: configure apparmor
template:
src: apparmor.usr.sbin.named.j2
dest: /etc/apparmor.d/usr.sbin.named
owner: root
group: root
mode: '0644'
mode: "0644"
force: yes
notify: restart apparmor
when: check_apparmor.rc == 0
- name: package are installed
apt:
@ -25,47 +33,23 @@
- dnstop
state: present
- name: Set bind configuration for recursive server
template:
src: named.conf.options_recursive.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind
when: bind_recursive_server | bool
- name: enable zones.rfc1918 for recursive server
lineinfile:
dest: /etc/bind/named.conf.local
line: 'include "/etc/bind/zones.rfc1918";'
regexp: "zones.rfc1918"
notify: restart bind
when: bind_recursive_server | bool
- name: Set bind configuration for authoritative server
template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind
- include: authoritative.yml
when: bind_authoritative_server | bool
- name: Create systemd service
- include: recursive.yml
when: bind_recursive_server | bool
- name: Create systemd service for Debian 8 (Jessie)
template:
src: bind9.service.j2
src: bind9.service.jessie.j2
dest: "{{ bind_systemd_service_path }}"
owner: root
group: root
mode: "0644"
force: yes
notify:
- reload systemd
- restart bind
- reload systemd
- restart bind
when: ansible_distribution_release == "jessie"
- name: "touch {{ bind_log_file }} if non chroot"
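Review bot: The two new `- include: authoritative.yml` and `- include: recursive.yml` entries use the bare `include` action, deprecated since Ansible 2.4 and slated for removal from ansible-core; given this commit's own clean-up for ansible-core 2.14 (`warn:` removal), `import_tasks:` (static, the `when:` applies to every imported task) or `include_tasks:` is the form to use. The `Check AppArmor` task in the first hunk, `shell: systemctl is-active apparmor || systemctl is-enabled apparmor`, also succeeds when AppArmor is enabled but not running, so the profile is written but only loaded when the `restart apparmor` handler fires; if that is intended, a comment on the task saying so would help. `main.yml` continues past the end of the hunk.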


@ -19,7 +19,7 @@
- bind9_rndc
notify: restart munin-node
when:
- bind_authoritative_server
- bind_authoritative_server | bool
- munin_node_plugins_config.stat.exists
tags:
- bind
@ -32,10 +32,10 @@
state: link
loop:
- bind9
- bind9_rndc
notify: restart munin-node
when:
- bind_recursive_server
- bind_recursive_server | bool
- bind_query_file_enabled | bool
- munin_node_plugins_config.stat.exists
tags:
- bind

19
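--- a/bind/tasks/recursive.yml
+++ b/bind/tasks/recursive.yml
@@ -0,0 +1,19 @@
+---
+- name: Set bind configuration for recursive server
+  template:
+    src: named.conf.options_recursive.j2
+    dest: /etc/bind/named.conf.options
+    owner: bind
+    group: bind
+    mode: "0644"
+    force: yes
+  notify: restart bind
+- name: enable zones.rfc1918 for recursive server
+  lineinfile:
+    dest: /etc/bind/named.conf.local
+    line: 'include "/etc/bind/zones.rfc1918";'
+    regexp: "zones.rfc1918"
+  notify: restart bind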


@ -56,7 +56,9 @@
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
{{ bind_log_file }} rw,
{% if bind_query_file_enabled | bool %}
{{ bind_query_file }} rw,
{% endif %}
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,


@ -1,7 +1,7 @@
{% if bind_chroot_set %}
{{ bind_chroot_path }}{{bind_log_file}} {
{% if bind_chroot_set | bool %}
{{ bind_chroot_path }}{{ bind_log_file }} {
{% else %}
{{bind_log_file}} {
{{ bind_log_file }} {
{% endif %}
weekly
missingok


@ -1,9 +1,17 @@
[bind*]
user root
env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
{% if bind_query_file_enabled | bool %}
{% if bind_chroot_set | bool %}
env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
{% else %}
env.logfile {{ bind_query_file }}
{% endif %}
{% endif %}
{% if bind_authoritative_server %}
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
{% endif %}
env.MUNIN_PLUGSTATE /var/lib/munin
timeout 120
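Review bot: The new lines test `bind_query_file_enabled | bool` and `bind_chroot_set | bool`, but the unchanged `{% if bind_authoritative_server %}` and `{% if bind_chroot_set %}` just below still use the bare variables, which the rest of this commit (the logrotate template and the munin task file) converts to `| bool`; a string `"False"` passed as an extra-var would still be truthy there. Changing them to `{% if bind_authoritative_server | bool %}` and `{% if bind_chroot_set | bool %}` keeps the template consistent.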


@ -1,7 +1,7 @@
acl "foo" {
::ffff:192.0.2.21; 192.0.2.21;
2001:db8::21;
};
// acl "foo" {
// ::ffff:192.0.2.21; 192.0.2.21;
// 2001:db8::21;
// };
options {
directory "{{ bind_cache_dir }}";
@ -20,16 +20,20 @@ options {
logging {
category default { default_file; };
{% if bind_query_file_enabled | bool %}
category queries { query_logging; };
{% endif %}
channel default_file {
file "{{ bind_log_file }}";
severity info;
};
{% if bind_query_file_enabled | bool %}
channel query_logging {
file "{{ bind_query_file }}" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
{% endif %}
};


@ -9,16 +9,20 @@ options {
logging {
category default { default_file; };
{% if bind_query_file_enabled | bool %}
category queries { query_logging; };
{% endif %}
channel default_file {
file "{{ bind_log_file }}";
severity info;
};
{% if bind_query_file_enabled | bool %}
channel query_logging {
file "{{ bind_query_file }}" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
{% endif %}
};


@ -13,7 +13,7 @@
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '200' }
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }


@ -1,7 +1,7 @@
---
# If docher_home sets to /home/, the partition should be mounted with exec option.
docker_home: /var/lib/docker
docker_tmpdir: "{{docker_home}}/tmp"
docker_tmpdir: "{{ docker_home }}/tmp"
# Chose to use iptables instead of docker-proxy userland process
docker_conf_use_iptables: False
@ -20,9 +20,9 @@ docker_remote_access_enabled: False
docker_daemon_port: 2376
docker_daemon_listening_ip: 0.0.0.0
# TLS
# TLS
docker_tls_enabled: False
docker_tls_path: "{{docker_home}}/tls"
docker_tls_path: "{{ docker_home }}/tls"
docker_tls_ca: ca/ca.pem
docker_tls_ca_key: ca/ca-key.pem
docker_tls_cert: server/cert.pem


@ -1,6 +1,7 @@
---
- name: reload systemd
command: systemctl daemon-reload
systemd:
daemon-reload: yes
- name: restart docker
service:


@ -1,40 +1,30 @@
{
"debug": false,
"debug": false
{# Docker data-dir (default to /var/lib/docker) #}
"data-root": "{{ docker_home }}",
,"data-root": "{{ docker_home }}"
{# Keep containers running while docker daemon downtime #}
"live-restore": {{ docker_conf_live_restore | to_json }},,
,"live-restore": {{ docker_conf_live_restore | to_json }}
{# Turn on user namespace remaping #}
"userns-remap": "default",
{% if docker_conf_use_iptables %}
,"userns-remap": "default"
{% if docker_conf_use_iptables %}
{# Use iptables instead of docker-proxy #}
"userland-proxy": false,
"iptables": true,
{% endif %}
,"userland-proxy": false
,"iptables": true
{% endif %}
{# Disable the possibility for containers processes to gain new privileges #}
"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }},
{% if docker_conf_disable_default_networking %}
,"no-new-privileges": {{ docker_conf_no_newprivileges | to_json }}
{% if docker_conf_disable_default_networking %}
{# Disable all default network connectivity #}
"bridge": "none",
"icc": false,
{% endif %}
{% if docker_tls_enabled %}
"tls": true,
"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}",
"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}",
"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}",
{% endif %}
{% if docker_remote_access_enabled %}
"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
{% else %}
"hosts": ["fd://"]
{% endif %}
,"bridge": "none"
,"icc": false
{% endif %}
{% if docker_tls_enabled %}
,"tls": true
,"tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}"
,"tlscacert": "{{ docker_tls_path }}/{{ docker_tls_ca }}"
,"tlskey": "{{ docker_tls_path }}/{{ docker_tls_key }}"
{% endif %}
{% if docker_remote_access_enabled %}
,"hosts": ["tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}", "fd://"]
{% endif %}
}
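Review bot: `,"tls": true` in the `docker_tls_enabled` block is written without `"tlsverify": true`, so the daemon only presents its own certificate and never checks a client certificate against the `tlscacert` declared two lines later; combined with the `tcp://{{ docker_daemon_listening_ip }}:{{ docker_daemon_port }}` host emitted when `docker_remote_access_enabled` is set, the API (root-equivalent on the host) is reachable by anyone who can connect, and the defaults in this commit ship `docker_daemon_listening_ip: 0.0.0.0` with `docker_tls_enabled: False`. Add `,"tlsverify": true` next to `"tls"`, and consider gating the `tcp://` entry on `docker_tls_enabled` as well, or at least documenting in the defaults that remote access without TLS is unauthenticated. Dropping the `{% else %}` branch that wrote `"hosts": ["fd://"]` is a behaviour change (the daemon now uses its built-in default listener when remote access is off); if that is intended with systemd socket activation, a `{# #}` comment saying so would spare the next reader a check.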


@ -87,7 +87,7 @@
name: log2mail
state: present
tags: dovecot
- name: dovecot is configured in log2mail
blockinfile:
path: /etc/log2mail/config/mail.conf


@ -2,7 +2,7 @@
- include_role:
name: evolix/remount-usr
when: elasticsearch_additional_scripts_dir is search ("/usr")
when: elasticsearch_additional_scripts_dir is search("/usr")
- name: "{{ elasticsearch_additional_scripts_dir }} exists"
file:


@ -118,6 +118,17 @@
tags:
- config
- name: Disable garbage collector logs (JDK >= 9)
lineinfile:
dest: /etc/elasticsearch/jvm.options
regexp: "Xlog:gc"
line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m"
owner: root
group: elasticsearch
mode: "0640"
tags:
- config
- name: Configure cluster members
lineinfile:
dest: /etc/elasticsearch/elasticsearch.yml
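Review bot: The replacement `line:` hard-codes `file=/opt/my-app/gc.log`, which looks copied from the JDK documentation rather than from the packaged `jvm.options` (which, as far as I recall, logs under `/var/log/elasticsearch/`); because the line starts with `#` it is inert, but anyone uncommenting it later would log into `/opt/my-app`, so the commented line should preserve the stock path — confirm against the upstream file. `regexp: "Xlog:gc"` also matches any line containing that fragment, including an operator's own GC-log setting; anchoring on `^9-:-Xlog:gc` limits the rewrite to the distribution entry.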


@ -10,7 +10,7 @@
- name: "read the real datadir"
command: readlink -f /var/lib/elasticsearch
changed_when: false
changed_when: False
register: elasticsearch_current_real_datadir_test
check_mode: no
tags:


@ -17,3 +17,4 @@
group: root
mode: "0750"
when: is_cron_installed.rc == 0


@ -8,7 +8,6 @@ MAX_AGE={{ elasticsearch_log_rotate_days | mandatory }}
# Compress logs
find ${LOG_DIR} -type f -user ${USER} -name "*.log.????-??-??" -exec gzip --best {} \;
find ${LOG_DIR} -type f -user ${USER} -name "*-????-??-??.log" -exec gzip --best {} \;
find ${LOG_DIR} -type f -user ${USER} -name "*.log.??" -not -name "*.gz" -exec gzip --best {} \;
# Delete old logs
find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete
find ${LOG_DIR} -type f -user ${USER} -name "*gz" -ctime +${MAX_AGE} -delete


@ -6,7 +6,7 @@
state: present
tags:
- etc-git
when:
when:
- ansible_distribution == "Debian"
- name: Install and configure utilities


@ -2,14 +2,13 @@
- include_role:
name: evolix/remount-usr
when: repository_path is search ("/usr")
when: repository_path is search("/usr")
- name: "{{ repository_path }} is versioned with git"
command: "git init ."
args:
chdir: "{{ repository_path }}"
creates: "{{ repository_path }}/.git/"
warn: no
register: git_init
tags:
- etc-git
@ -54,7 +53,6 @@
command: "git log"
args:
chdir: "{{ repository_path }}"
warn: no
changed_when: False
failed_when: False
register: git_log
@ -66,7 +64,6 @@
shell: "git add -A . && git commit -m \"Initial commit via Ansible\""
args:
chdir: "{{ repository_path }}"
warn: no
register: git_commit
when: git_log.rc != 0 or (git_init is defined and git_init is changed)
tags:


@ -51,7 +51,7 @@
register: is_cron_installed
- block:
- name: Legacy cron jobs for /etc/.git status are absent
- name: Legacy cron jobs for /etc/.git status are absent
file:
dest: "{{ item }}"
state: absent


@ -1,9 +1,9 @@
### File generated by Ansible ###
SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }}}
ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }}}
CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }}}
CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }}}
SSL_KEY_DIR=${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} }
ACME_DIR=${ACME_DIR:-{{ evoacme_acme_dir }} }
CSR_DIR=${CSR_DIR:-{{ evoacme_csr_dir }} }
CRT_DIR=${CRT_DIR:-{{ evoacme_crt_dir }} }
HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"}
LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }}}
SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }}}
LOG_DIR=${LOG_DIR:-{{ evoacme_log_dir }} }
SSL_MINDAY=${SSL_MINDAY:-{{ evoacme_ssl_minday }} }
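Review bot: If the variant with a space before the closing brace is the new side (the page prints old then new, so it appears to be), `${SSL_KEY_DIR:-{{ evoacme_ssl_key_dir }} }` now puts a trailing space into every default: `${VAR:-word }` keeps that space in the expanded value, so `SSL_KEY_DIR`, `ACME_DIR`, `CSR_DIR`, `CRT_DIR`, `LOG_DIR` and `SSL_MINDAY` all end with a blank unless overridden, which breaks path concatenation and any arithmetic use of `SSL_MINDAY`. The unchanged `HOOKS_DIR=${HOOKS_DIR:-"{{ evoacme_hooks_dir }}"}` between them shows the safe form; quoting the expression, e.g. `SSL_KEY_DIR=${SSL_KEY_DIR:-"{{ evoacme_ssl_key_dir }}"}`, avoids both the `}}}` ambiguity and the stray space.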


@ -1,5 +1,3 @@
# Managed by Ansible
#
# Configuration for evocheck
# Use this file to change configuration values defined in evocheck.sh
# Ex : IS_TMP_1777=0


@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="22.11"
VERSION="23.03.01"
readonly VERSION
# base functions

164
evocheck/files/evocheck.sh Normal file → Executable file

@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="22.11"
VERSION="23.03.01"
readonly VERSION
# base functions
@ -100,6 +100,17 @@ is_installed(){
# logging
log() {
date=$(/bin/date +"${DATE_FORMAT}")
if [ "${1}" != '' ]; then
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
else
while read line; do
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
done < /dev/stdin
fi
}
failed() {
check_name=$1
shift
@ -113,6 +124,9 @@ failed() {
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
fi
fi
# Always log verbose
log "${check_name} FAILED! ${check_comments}"
}
# check functions
@ -131,6 +145,13 @@ check_dpkgwarning() {
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
}
# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option.
check_localhost_in_postfix_mydestination() {
# shellcheck disable=SC2016
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp '(localhost[^\\.]|localhost.localdomain|localhost.$mydomain)'; then
failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then."
fi
}
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
check_nrpepostfix() {
if is_installed postfix; then
@ -391,7 +412,7 @@ check_log2mailrunning() {
fi
}
check_log2mailapache() {
conf=/etc/log2mail/config/Apache
conf=/etc/log2mail/config/apache
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|| failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache"
@ -463,18 +484,26 @@ check_evobackup() {
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
}
# Vérification de la mise en place de la purge pour fail2ban
check_purge_fail2ban() {
# Vérification de la mise en place d'un cron de purge de la base SQLite de Fail2ban
check_fail2ban_purge() {
if is_debian_stretch || is_debian_buster; then
if is_installed fail2ban; then
test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron"
fi
fi
}
# Vérification qu'il ne reste pas des jails nommées ssh non renommées en sshd
check_ssh_fail2ban_jail_renamed() {
if is_installed fail2ban && [ -f /etc/fail2ban/jail.local ]; then
if grep --quiet --fixed-strings "[ssh]" /etc/fail2ban/jail.local; then
failed "IS_SSH_FAIL2BAN_JAIL_RENAMED" "Jail ssh must be renamed sshd in fail2ban >= 0.9."
fi
fi
}
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
check_evobackup_exclude_mount() {
excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX")
files_to_cleanup="${files_to_cleanup} ${excludes_file}"
excludes_file=$(mktemp --tmpdir "evocheck.evobackup_exclude_mount.XXXXX")
files_to_cleanup+=("${excludes_file}")
# shellcheck disable=SC2044
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
@ -643,7 +672,7 @@ check_notupgraded() {
fi
done
if $upgraded; then
last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
last_upgrade=$(date +%s -d "$(zgrep --no-filename --no-messages upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
fi
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
@ -841,10 +870,17 @@ check_redis_backup() {
# You could change the default path in /etc/evocheck.cf
# REDIS_BACKUP_PATH may contain space-separated paths, example:
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/redis/dump.rdb"}
for file in ${REDIS_BACKUP_PATH}; do
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${file})"
done
# Old default path: /home/backup/dump.rdb
# New default path: /home/backup/redis/dump.rdb
if [ -z "${REDIS_BACKUP_PATH}" ]; then
if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then
failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)."
fi
else
for file in ${REDIS_BACKUP_PATH}; do
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing."
done
fi
fi
}
check_elastic_backup() {
@ -895,15 +931,15 @@ check_mysqlnrpe() {
grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
fi
fi
fi
}
check_phpevolinuxconf() {
is_debian_stretch && phpVersion="7.0"
is_debian_buster && phpVersion="7.3"
is_debian_bullseye && phpVersion="7.4"
if is_installed php; then
{ test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini
{ test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
&& test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
} || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config"
fi
}
@ -929,8 +965,8 @@ check_duplicate_fs_label() {
# Do it only if thereis blkid binary
BLKID_BIN=$(command -v blkid)
if [ -n "$BLKID_BIN" ]; then
tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX")
files_to_cleanup="${files_to_cleanup} ${tmpFile}"
tmpFile=$(mktemp --tmpdir "evocheck.duplicate_fs_label.XXXXX")
files_to_cleanup+=("${tmpFile}")
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do
@ -1097,8 +1133,8 @@ check_evobackup_incs() {
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
if [ -f "${bkctld_cron_file}" ]; then
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "'bkctld inc' is missing in ${bkctld_cron_file}"
echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "'check-incs.sh' is missing in ${bkctld_cron_file}"
else
failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing"
fi
@ -1129,7 +1165,7 @@ check_chrooted_binary_uptodate() {
for process_name in ${process_list}; do
# what is the binary path?
original_bin=$(command -v "${process_name}")
for pid in $(pgrep ${process_name}); do
for pid in $(pgrep "${process_name}"); do
process_bin=$(realpath "/proc/${pid}/exe")
# Is the process chrooted?
real_root=$(realpath "/proc/${pid}/root")
@ -1157,7 +1193,6 @@ check_nginx_letsencrypt_uptodate() {
fi
fi
}
check_lxc_container_resolv_conf() {
if is_installed lxc; then
container_list=$(lxc-ls)
@ -1178,6 +1213,38 @@ check_lxc_container_resolv_conf() {
done
fi
}
# Check that there are containers if lxc is installed.
check_no_lxc_container() {
if is_installed lxc; then
containers_count=$(lxc-ls | wc -l)
if [ "$containers_count" -eq 0 ]; then
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no container. Consider removing it."
fi
fi
}
# Check that in LXC containers, phpXX-fpm services have UMask set to 0007.
check_lxc_php_fpm_service_umask_set() {
if is_installed lxc; then
php_containers_list=$(lxc-ls --filter php)
missing_umask=""
for container in $php_containers_list; do
# Translate container name in service name
if [ "$container" = "php56" ]; then
service="php5-fpm"
else
service="${container:0:4}.${container:4}-fpm"
fi
umask=$(lxc-attach --name "${container}" -- systemctl show -p UMask "$service" | cut -d "=" -f2)
if [ "$umask" != "0007" ]; then
missing_umask="${missing_umask} ${container}"
fi
done
if [ -n "${missing_umask}" ]; then
failed "IS_LXC_PHP_FPM_SERVICE_UMASK_SET" "UMask is not set to 0007 in PHP-FPM services of theses containers : ${missing_umask}."
fi
fi
}
download_versions() {
local file
file=${1:-}
@ -1280,8 +1347,8 @@ add_to_path() {
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
}
check_versions() {
versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX")
files_to_cleanup="${files_to_cleanup} ${versions_file}"
versions_file=$(mktemp --tmpdir "evocheck.versions.XXXXX")
files_to_cleanup+=("${versions_file}")
download_versions "${versions_file}"
add_to_path "/usr/share/scripts"
@ -1308,8 +1375,8 @@ main() {
# Detect operating system name, version and release
detect_os
main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX")
files_to_cleanup="${files_to_cleanup} ${main_output_file}"
main_output_file=$(mktemp --tmpdir "evocheck.main.XXXXX")
files_to_cleanup+=("${main_output_file}")
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
@ -1322,6 +1389,7 @@ main() {
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
test "${IS_LOCALHOST_IN_POSTFIX_MYDESTINATION:=1}" = 1 && check_localhost_in_postfix_mydestination
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
@ -1367,6 +1435,8 @@ main() {
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
test "${IS_PURGE_FAIL2BAN:=1}" = 1 && check_fail2ban_purge
test "${IS_SSH_FAIL2BAN_JAIL_RENAMED:=1}" = 1 && check_ssh_fail2ban_jail_renamed
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
@ -1418,6 +1488,8 @@ main() {
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container
test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
if [ -f "${main_output_file}" ]; then
@ -1431,9 +1503,12 @@ main() {
exit ${RC}
}
cleanup_temp_files() {
# shellcheck disable=SC2086
rm -f ${files_to_cleanup}
cleanup() {
# Cleanup tmp files
# shellcheck disable=SC2086,SC2317
rm -f ${files_to_cleanup[@]}
log "$PROGNAME exit."
}
PROGNAME=$(basename "$0")
@ -1444,17 +1519,23 @@ readonly PROGNAME
ARGS=$@
readonly ARGS
LOGFILE="/var/log/evocheck.log"
readonly LOGFILE
CONFIGFILE="/etc/evocheck.cf"
readonly CONFIGFILE
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
# shellcheck disable=SC2034
readonly DATEFORMAT
# Disable LANG*
export LANG=C
export LANGUAGE=C
files_to_cleanup=""
# shellcheck disable=SC2064
trap cleanup_temp_files 0
# Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf
test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
@ -1502,5 +1583,24 @@ while :; do
shift
done
# Keep this after "show_version(); exit 0" which is called by check_versions
# to avoid logging exit twice.
declare -a files_to_cleanup
files_to_cleanup=""
# shellcheck disable=SC2064
trap cleanup EXIT INT TERM
log '-----------------------------------------------'
log "Running $PROGNAME $VERSION..."
# Log config file content
if [ -f "${CONFIGFILE}" ]; then
log "Runtime configuration (${CONFIGFILE}):"
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
fi
# shellcheck disable=SC2086
main ${ARGS}
log "End of $PROGNAME execution."


@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="22.11"
VERSION="23.03.01"
readonly VERSION
# base functions


@ -1,7 +1,7 @@
---
- include_role:
name: evolix/remount-usr
when: evocheck_bin_dir is search ("/usr")
when: evocheck_bin_dir is search("/usr")
tags:
- evocheck


@ -23,13 +23,9 @@
- name: remount /home
command: mount -o remount /home
args:
warn: no
- name: remount /var
command: mount -o remount /var
args:
warn: no
- name: restart nginx


@ -4,6 +4,12 @@
name: dbus
state: present
- name: dbus is enabled and started
service:
name: dbus
state: started
enabled: true
- name: Set hostname "{{ evolinux_hostname }}"
hostname:
name: "{{ evolinux_hostname }}"


@ -55,7 +55,6 @@
- mutt
- tree
- git
- subversion
- rsync
- bc
- pinentry-curses


@ -16,7 +16,7 @@
vars:
user: "{{ item.value }}"
loop: "{{ evolinux_users | dict2items }}"
when:
when:
- user.create == evolinux_users_create
- evolinux_users | length > 0


@ -1,6 +1,6 @@
Defaults umask=0077
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
User_Alias ADMINS = {{ user.name }}
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
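Review bot: With `/usr/bin/apt` and `/bin/mount` dropped, `Cmnd_Alias MAINT` is now only two scripts under /usr/share/scripts, so whatever rule grants MAINT to ADMINS (not visible in this hunk) is exactly as strong as the write permissions on those two files. A comment pinning that invariant would help the next editor, e.g. `# MAINT scripts must stay root-owned and not group/world-writable: sudo trusts the path, not the content`. Anyone who relied on `sudo apt` or `sudo mount` through MAINT loses that silently; the commit message should say whether that is intended or whether those commands are granted elsewhere in the template.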


@ -1,6 +1,6 @@
Defaults umask=0077
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh
nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall


@ -1,3 +1,3 @@
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>,.*
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Internal login failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=<HOST>,.*
ignoreregex =
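Review bot: The `Internal login failure` alternative added to `failregex` is, as far as I know Dovecot, also logged when the auth backend itself fails (passdb/SQL/LDAP unreachable) rather than only on bad credentials — verify against the Dovecot version you run. If that holds, a backend outage makes every connecting client match this pattern and get banned in bulk. A comment above the line would record the trade-off, e.g. `# "Internal login failure" also fires on auth-backend errors: a backend outage can ban legitimate clients`, and the jail's ban count is worth watching after rollout.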


@ -1,3 +1,4 @@
---
- name: Sqlite needed
ansible.builtin.apt:
name:
@ -6,10 +7,20 @@
- name: Register bantime from default config from package
shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1"
register: default_dbpurgeage
changed_when: false
register: dbpurgeage
changed_when: False
check_mode: false
- name:
set_fact:
dbpurgeage_default : "{{ dbpurgeage.stdout }}"
when: dbpurgeage.stdout | regex_search("^\\d+\w+$")
- name:
set_fact:
dbpurgeage_default : "{{ dbpurgeage.stdout }} second"
when: dbpurgeage.stdout | regex_search("^\\d+$")
- name: Add crontab
template:
src: fail2ban_dbpurge.j2
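Review bot: Nothing guarantees `dbpurgeage_default` is defined before the `Add crontab` template at the end of this hunk: both `set_fact` tasks are conditional, and `awk '{print $3}'` on a `dbpurgeage=600` line with no blanks (which the grep's `[[:blank:]]*` accepts) yields an empty string, so the template render fails on an undefined variable with no useful message. Add a guard between the facts and the template: `- ansible.builtin.assert:` / `    that: dbpurgeage_default is defined` / `    fail_msg: "could not parse dbpurgeage from /etc/fail2ban/fail2ban.conf"`. The two regexes also overlap (a plain `600` matches `^\d+\w+$` as well, so the later fact wins by task order), and both tasks have an empty `name:`; naming them makes the play output readable. Note that the `grep|awk|head` pipeline returns head's exit code, so a missing directive never fails the shell task either.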


@ -97,7 +97,7 @@
marker: "# ANSIBLE MANAGED"
block: |
[DEFAULT]
dbpurgeage = {{ fail2ban_recidive_bantime}}
dbpurgeage = {{ fail2ban_recidive_bantime }}
insertafter: EOF
create: yes
mode: "0644"


@ -2,7 +2,7 @@
# Juin - Decembre 2022 : #64088
# Purge pour Stretch et Buster
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ bantime.stdout }} second') > datetime(timeofban, 'unixepoch');"
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');"
place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 )
place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) )
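Review bot: The SQLite modifier in the `DELETE` now comes straight from `dbpurgeage_default`; the `N second` form is valid, but if the fact was set from a unit-suffixed value such as `1d` (the `^\d+\w+$` branch in the role), SQLite's `datetime()` does not understand `-1d` and the expression silently becomes NULL, so the comparison is never true and nothing is purged — easy to confirm with `sqlite3 :memory: "select datetime('now','-1d')"`. Either normalise the value to seconds in the role before templating, or state the accepted form in a comment above the line, `# dbpurgeage_default must be "<N> second": SQLite only accepts spelled-out units`. The rest of the script (`place_dispo` / `place_pris` handling) continues past the hunk.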


@ -16,7 +16,7 @@ destemail = {{ fail2ban_alert_email or general_alert_email | mandatory }}
# ACTIONS
banaction = iptables-multiport
action = %({{fail2ban_default_action}})s
action = %({{ fail2ban_default_action }})s
[sshd]


@ -84,8 +84,8 @@
command: grep logstash-input-beats /usr/share/logstash/Gemfile
check_mode: no
register: logstash_plugin_installed
failed_when: false
changed_when: false
failed_when: False
changed_when: False
when:
- filebeat_logstash_plugin | bool
- logstash_plugin.stat.exists


@ -63,7 +63,7 @@ listen stats
acl stats_users http_auth(stats_users)
stats http-request auth realm "HAProxy admin" if !stats_access_ips !stats_users
{% else %}
stats http-request deny if !stats_access_ips
stats http-request deny if !stats_access_ips !stats_admin_ips
{% endif %}
http-request set-log-level silent
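Review bot: The added `!stats_admin_ips` term is ANDed with `!stats_access_ips` (HAProxy ANDs space-separated ACL terms), so in the no-users branch the deny now applies only when the client is on neither list, and `stats_admin_ips` must be defined even when the admin list is empty — its `acl` line is outside this hunk, so confirm it is always emitted, otherwise `haproxy -c` rejects the config. The intent reads as "IP allow-list only when no stats users are configured"; a comment would remove the double negative, e.g. `# no stats users configured: allow by source IP only (access + admin lists), deny everyone else`. The `{% if %}` branch above keeps the auth realm while this branch exposes the stats page unauthenticated to the admin IPs, which is presumably intended but worth stating.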


@ -25,7 +25,7 @@
- name: Install specific openjdk package
apt:
name: "openjdk-{{ java_version}}-jre-headless"
name: "openjdk-{{ java_version }}-jre-headless"
default_release: "{{ java_apt_release }}"
state: present
tags:


@ -1,2 +1,3 @@
#!/bin/bash
echo $1 $2 is in $3 state > /var/run/keepalive.state
chmod og+r /var/run/keepalive.state
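Review bot: The state write on the line above the new `chmod` still expands `$1 $2 $3` unquoted and only becomes world-readable after a second step, so for an instant after creation a reader can see a file with the caller's umask permissions, and `echo` will mangle an argument containing spaces or `-n`. Setting the umask before the write closes the window and makes the chmod unnecessary: `umask 022` then `printf '%s %s is in %s state\n' "$1" "$2" "$3" > /var/run/keepalive.state`. Keepalived calls notify scripts with fixed type/name/state arguments, so this is hygiene rather than an exploitable issue.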


@ -126,8 +126,6 @@
# - name: Get mount options for /usr partition
# shell: "mount | grep 'on /usr type'"
# args:
# warn: no
# register: mount
# changed_when: False
# failed_when: False


@ -42,25 +42,34 @@ error () {
main() {
for VM in $(virsh list --name --all | sed '/^$/d' | sort)
do
echo "$VM"
# cpu
virsh vcpucount --current "$VM"
# mem
# libvirt stores memory in KiB, POW must be lowered by 1
virsh dommemstat "$VM" 2>/dev/null | awk 'BEGIN{ret=1}$1~/^actual$/{print $2 / '$((POW / 1024))';ret=0}END{exit ret}' ||
virsh dumpxml "$VM" | awk -F'[<>]' '$2~/^memory unit/{print $3/'$((POW / 1024))'}'
# disk
for BLK in $(virsh domblklist "$VM" | sed '1,2d;/-$/d;/^$/d' | awk '{print $1}')
do
virsh domblkinfo "$VM" "$BLK" 2>/dev/null
done | awk '/Physical:/ { size += $2 } END { print int(size / '${POW}') }'
# state
virsh domstate "$VM" | grep -q '^running$' && echo yes || echo no
done | xargs -n5 | {
printf '%s ' "${VM}"
virsh domstats "${VM}" | awk '
BEGIN {
FS = "="
}
/vcpu\.current/ {
vcpu = $2
}
/balloon\.current/ {
mem = $2
}
/balloon\.maximum/ {
if (!mem)
mem = $2
}
/block\.[0-9]+\.physical/ {
disksize += $2
}
/state\.state/ {
if ($2 == 1)
running = "yes"
else
running = "no"
}
END {
print vcpu, mem / 1024 ^ 2, disksize / 1024 ^ 3, running
}'
done | {
echo vm vcpu ram disk running
awk '{ print } /yes$/ { vcpu += $2; ram += $3; disk += $4; running++ } END { print "TOTAL(running)", vcpu, ram, disk, running }'
test "$SHOW_AVAIL" && {
@ -72,7 +81,19 @@ main() {
column -t
;;
'html')
awk 'BEGIN{print "<html><body>\n<table>"}{printf "<tr>";for(i=1;i<=NF;i++)printf "<td>%s</td>", $i;print "</tr>"}END{print "</table>\n</body></html>"}'
awk '
BEGIN {
print "<html><body>\n<table>"
}
{
printf "<tr>"
for(i = 1; i <= NF; i++)
printf "<td>%s</td>", $i
print "</tr>"
}
END {
print "</table>\n</body></html>"
}'
;;
'csv')
tr ' ' ','
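Review bot: In the `virsh domstats` awk block, `mem` is only set from `balloon.current` / `balloon.maximum`; the previous code fell back to `virsh dumpxml` when `dommemstat` returned nothing, and that fallback is gone, so a domain whose domstats output carries no `balloon.*` key (inactive domains may be in that situation — verify on your libvirt version) is now reported with `mem / 1024 ^ 2` equal to 0 instead of its configured memory. Either restore a dumpxml fallback when `mem` is empty or at least mark it, e.g. in `END`: `if (!mem) mem = "?"`, so the TOTAL line is not silently wrong. The `html` branch still prints every field unescaped inside `<td>`; VM names come from `virsh list` on this host, so it is low risk, but a `gsub(/[<>&]/, ...)` pass would make the output safe to embed. `main()` starts above the first hunk.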


@ -9,7 +9,7 @@
command: cat /root/.ssh/id_rsa.pub
register: ssh_keys
check_mode: no
changed_when: false
changed_when: False
- name: Print ssh public keys
debug:


@ -8,7 +8,7 @@
- include_role:
name: remount-usr
when: kvm_scripts_dir is search ("/usr")
when: kvm_scripts_dir is search("/usr")
- name: add-vm script is present
copy:


@ -9,13 +9,13 @@
# - 60 : current release is not in the $r_releases list
# - 70 : at least an upgradable package is not in the $r_packages list
VERSION="21.06.3"
VERSION="23.03.3"
show_version() {
cat <<END
listupgrade.sh version ${VERSION}
Copyright 2018-2021 Evolix <info@evolix.fr>,
Copyright 2018-2023 Evolix <info@evolix.fr>,
Gregory Colpart <reg@evolix.fr>,
Romain Dessort <rdessort@evolix.fr>,
Ludovic Poujol <lpoujol@evolix.fr>,
@ -84,6 +84,7 @@ Subject: Prochain creneau pour mise a jour de votre serveur ${hostname}
X-Debian-Release: ${local_release}
X-Packages: ${packagesParsable}
X-Date: ${date}
X-Listupgrade-Version: ${VERSION}
Bonjour,
@ -100,15 +101,15 @@ semaine prochaine.
Voici la listes de packages qui seront mis à jour :
$(cat "${packages}" | sort | uniq)
$(sort -h "${packages}" | uniq)
Liste des packages dont la mise-à-jour a été manuellement suspendue :
$(cat "${packagesHold}" | sort | uniq)
$(sort -h "${packagesHold}" | uniq)
Liste des services qui seront redémarrés :
$(cat "${servicesToRestart}" | sort | uniq)
$(sort -h "${servicesToRestart}" | uniq)
N'hésitez pas à nous faire toute remarque sur ce créneau d'intervention le plus
tôt possible.
@ -181,6 +182,28 @@ main() {
fi
local_release=$(cut -f 1 -d . </etc/debian_version)
# In case the version is a release name and not a number
case "${local_release}" in
*jessie*)
local_release=8
;;
*stretch*)
local_release=9
;;
*buster*)
local_release=10
;;
*bullseye*)
local_release=11
;;
*bookworm*)
local_release=12
;;
*trixie*)
local_release=13
;;
esac
if force_mode; then
if ! cron_mode; then
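Review bot: The new `case` on `local_release` maps the known codenames to numbers but has no default branch, so a future codename silently stays non-numeric and the later comparison against the allowed releases fails somewhere less obvious. Adding `[0-9]*) ;;` followed by a `*)` branch that prints `Unknown Debian release '${local_release}'` to stderr and exits with the existing code 60 (documented in the header as "current release is not in the $r_releases list") would surface the problem where it occurs. The `sort -h` on package and service names is harmless but misleading — `-h` is human-numeric ordering, and `sort -u` is what the `| uniq` is reaching for. `main()` continues past the end of the hunk.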


@ -47,7 +47,7 @@
- name: Enable listupgrade cron
cron:
name: "lisupgrade.sh"
name: "listupgrade.sh"
cron_file: "listupgrade"
user: root
job: "/usr/share/scripts/listupgrade.sh --cron {{ listupgrade_cron_force | bool | ternary('--force','') }}"


@ -7,4 +7,5 @@
daemon_reload: yes
- name: reload systemd
command: systemctl daemon-reload
systemd:
daemon-reload: yes
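Review bot: The rewritten `reload systemd` handler uses `daemon-reload: yes` while the option two lines above it (from the handler whose definition starts outside the hunk) uses `daemon_reload: yes`; `daemon-reload` is only an alias of the `systemd` module's `daemon_reload` option, so it works, but keeping two spellings in one handlers file invites a typo later — use `daemon_reload: yes`. If the handler above already performs a daemon reload, this one may be redundant; its body is not visible here, so check before removing.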


@ -4,7 +4,7 @@
msg: Please configure var lxc_php_version
when: lxc_php_version is none
- name: "Update APT cache in container {{lxc_php_version}}"
- name: "Update APT cache in container {{ lxc_php_version }}"
lxc_container:
name: "{{ lxc_php_version }}"
container_command: "apt-get update"


@ -20,12 +20,12 @@
mode: "0644"
loop:
- "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
- "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php80/"
- "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php80 main"
- name: copy pub.evolix.net GPG key
copy:
src: reg.asc
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
src: pub_evolix.asc
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc
mode: "0644"
owner: root
group: root
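Review bot: The task name `copy pub.evolix.net GPG key` is now stale — the source it signs is `pub.evolix.org/evolix` and the key file is `pub_evolix.asc` — so rename it to `copy pub.evolix.org GPG key` before the old hostname confuses someone auditing the container's repository list. The evolix source stays on plain `http://` while the sury line uses `https://`; with `signed-by=` pinning the key that is integrity-safe, but a one-line comment (`# http is fine here: signed-by pins pub_evolix.asc`) would stop the next reviewer from flagging it. The key is copied after the sources list is written in this hunk; confirm nothing in between runs `apt-get update` inside the container, or the first update logs a NO_PUBKEY error.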


@ -20,12 +20,12 @@
mode: "0644"
loop:
- "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
- "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php81/"
- "deb [signed-by={{ apt_keyring_dir }}/pub_evolix.asc] http://pub.evolix.org/evolix bullseye-php81 main"
- name: copy pub.evolix.net GPG key
copy:
src: reg.asc
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
src: pub_evolix.asc
dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/pub_evolix.asc
mode: "0644"
owner: root
group: root


@ -11,7 +11,7 @@
path: "{{ lxc_rootfs_path }}/etc/systemd/system/{{ lxc_php_services[lxc_php_version] }}.d"
state: directory
register: systemd_path
- name: "[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC."
ansible.builtin.lineinfile:
path: "{{ systemd_path.path }}/evolinux.conf"
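Review bot: The new task name `[Service] est présent dans la surchage des services PHP-FPM des conteneurs LXC.` is in French with a typo (`surchage` → `surcharge`) while the surrounding task names are English; task names end up in play output and logs, so keep one language, e.g. `name: "[Service] section is present in the PHP-FPM systemd override of the LXC container"`. The quotes are required because the value starts with `[`, so keep them. The `lineinfile` body continues below the hunk.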


@ -1 +1 @@
{{ansible_fqdn}}
{{ ansible_fqdn }}


@ -39,4 +39,4 @@
mode: '0755'
- name: "Install Solr {{ solr_version }}"
command: "lxc-attach -n {{name}} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{name}} -p {{ solr_port }}"
command: "lxc-attach -n {{ name }} -- /root/solr-{{ solr_version }}/bin/install_solr_service.sh /root/solr-{{ solr_version }}.tgz -d /home/solr/{{ name }} -p {{ solr_port }}"


@ -1,7 +1,7 @@
---
- name: "Check if container {{ name }} exists"
command: "lxc-ls {{ name }}"
changed_when: false
changed_when: False
check_mode: no
register: container_exists
@ -56,3 +56,15 @@
lxc_container:
name: "{{ name }}"
state: started
- name: "Ensure /etc/profile.d exists in container"
ansible.builtin.file:
path: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d"
mode: '0755'
state: directory
- name: "Copy host /etc/profile.d/evolinux into container"
ansible.builtin.copy:
src: "/etc/profile.d/evolinux.sh"
remote_src: true
dest: "/var/lib/lxc/{{ name }}/rootfs/etc/profile.d/evolinux.sh"
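Review bot: The `Copy host /etc/profile.d/evolinux into container` task sets no `owner`, `group` or `mode`, so the file written into the container rootfs gets whatever `copy` with `remote_src: true` produces on that host (the remote user's umask); add `owner: root`, `group: root`, `mode: "0644"` so a login profile script sourced by every shell in the container is not writable by anyone mapped into it. The task also fails the play if `/etc/profile.d/evolinux.sh` is missing on the host; if that file is optional, guard it with a `stat` and a `when:`.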


@ -32,8 +32,8 @@
- name: Check if root has subuids
command: grep '^root:100000:10000$' /etc/subuid
failed_when: false
changed_when: false
failed_when: False
changed_when: False
register: root_subuids
when: lxc_unprivilegied_containers | bool
@ -45,7 +45,7 @@
- name: Get filesystem options
command: findmnt --noheadings --target /var/lib/lxc --output OPTIONS
changed_when: false
changed_when: False
check_mode: no
register: check_fs_options


@ -8,7 +8,7 @@
- block:
- name: Install dependencies
apt:
name:
name:
- libcache-memcached-perl
- libmemcached11


@ -29,7 +29,7 @@
# Description: Firewall designed for standalone server
### END INIT INFO
VERSION="22.06"
VERSION="23.02"
NAME="minifirewall"
# shellcheck disable=SC2034
@ -147,6 +147,9 @@ fi
# }
## Beware that commands executed from included files are not modified by this trick.
remove_colors() {
sed -r 's/\x1B\[(;?[0-9]{1,3})+[mGK]//g'
}
syslog_info() {
if [ -x "${LOGGER_BIN}" ]; then
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
@ -268,9 +271,9 @@ check_unpersisted_state() {
elif [ -z "${diff_bin}" ]; then
printf "${YELLOW}skip state comparison (Can't find diff command)${RESET}\n" >&2
else
# store current state
# store current state (without colors)
mkdir -p "$(dirname "${STATE_FILE_CURRENT}")"
status_without_numbers > "${STATE_FILE_CURRENT}"
status_without_numbers | remove_colors > "${STATE_FILE_CURRENT}"
# clean previous diff file
rm -f "${STATE_FILE_DIFF}"
@ -310,9 +313,9 @@ report_state_changes() {
check_unpersisted_state
fi
# Then reset the known state
# Then reset the known state (without colors)
mkdir -p "$(dirname "${STATE_FILE_LATEST}")"
status_without_numbers > "${STATE_FILE_LATEST}"
status_without_numbers | remove_colors > "${STATE_FILE_LATEST}"
# But if there is a previous known state
# let's compare with the new known state
@ -920,8 +923,9 @@ stop() {
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
# Save previous state (without colors)
mkdir -p "$(dirname "${STATE_FILE_PREVIOUS}")"
status_without_numbers > "${STATE_FILE_PREVIOUS}"
status_without_numbers | remove_colors > "${STATE_FILE_PREVIOUS}"
# Delete all rules
${IPT} -F INPUT
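Review bot: `remove_colors` only strips SGR sequences that carry at least one numeric parameter (`(;?[0-9]{1,3})+`), so a bare `ESC[m` reset, or a parameter longer than three digits, survives into the state files and shows up as a spurious diff; the `RESET`/colour definitions are outside this hunk, so check which form they use. A simpler, broader pattern avoids the question: `sed -r 's/\x1B\[[0-9;]*[mGK]//g'`. Piping `status_without_numbers` through `remove_colors` also makes each redirection's exit status that of `sed`, so a failure of `status_without_numbers` is no longer visible to the caller unless `set -o pipefail` is active somewhere above.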


@ -6,6 +6,8 @@
stat:
path: /etc/init.d/minifirewall
register: _minifirewall_check
tags:
- always
# Legacy versions of minifirewall don't define the VERSION variable
- name: Look for minifirewall version
@ -14,6 +16,8 @@
changed_when: False
check_mode: False
register: _minifirewall_version_check
tags:
- always
- name: Set install mode to legacy if needed
set_fact:
@ -24,21 +28,30 @@
- minifirewall_install_mode != 'modern'
- not (minifirewall_force_upgrade_script | bool)
- _minifirewall_version_check.rc == 1 # grep didn't find but the file exists
tags:
- always
- name: Set install mode to modern if not legacy
set_fact:
minifirewall_install_mode: modern
when: minifirewall_install_mode != 'legacy'
tags:
- always
- name: Debug install mode
debug:
var: minifirewall_install_mode
verbosity: 1
tags:
- always
- name: 'Set minifirewall_restart_handler_name to "noop"'
set_fact:
minifirewall_restart_handler_name: "restart minifirewall (noop)"
when: not (minifirewall_restart_if_needed | bool)
when:
- not (minifirewall_restart_if_needed | bool)
tags:
- always
- name: 'Set minifirewall_restart_handler_name to "legacy"'
set_fact:
@ -46,6 +59,8 @@
when:
- minifirewall_restart_if_needed | bool
- minifirewall_install_mode == 'legacy'
tags:
- always
- name: 'Set minifirewall_restart_handler_name to "modern"'
set_fact:
@ -53,6 +68,8 @@
when:
- minifirewall_restart_if_needed | bool
- minifirewall_install_mode != 'legacy'
tags:
- always
#######################################################################
@ -62,54 +79,74 @@
when:
- minifirewall_install_mode != 'legacy'
- minifirewall_main_file is defined
tags:
- always
- name: Install tasks (modern mode)
include: install.yml
import_tasks: install.yml
when: minifirewall_install_mode != 'legacy'
- name: Install tasks (legacy mode)
include: install.legacy.yml
import_tasks: install.legacy.yml
when: minifirewall_install_mode == 'legacy'
- name: Debug minifirewall_update_config
debug:
var: minifirewall_update_config | bool
verbosity: 1
tags:
- always
- name: Config tasks (modern mode)
include: config.yml
include_tasks: config.yml
when:
- minifirewall_install_mode != 'legacy'
- minifirewall_update_config | bool
tags:
- manage
- name: Config tasks (legacy mode)
include: config.legacy.yml
include_tasks: config.legacy.yml
args:
apply:
tags:
- manage
when:
- minifirewall_install_mode == 'legacy'
- minifirewall_update_config | bool
- name: Utils tasks
include: utils.yml
include_tasks: utils.yml
- name: NRPE tasks
include: nrpe.yml
include_tasks: nrpe.yml
- name: Activation tasks
include: activate.yml
include_tasks: activate.yml
- name: Debug minifirewall_tail_included
debug:
var: minifirewall_tail_included | bool
verbosity: 1
tags:
- always
- name: Tail tasks (modern mode)
include: tail.yml
include_tasks: tail.yml
args:
apply:
tags:
- manage
when:
- minifirewall_install_mode != 'legacy'
- minifirewall_tail_included | bool
- name: Tail tasks (legacy mode)
include: tail.legacy.yml
include_tasks: tail.legacy.yml
args:
apply:
tags:
- manage
when:
- minifirewall_install_mode == 'legacy'
- minifirewall_tail_included | bool
@ -120,10 +157,14 @@
debug:
var: minifirewall_restart_force | bool
verbosity: 1
tags:
- always
- name: Force restart minifirewall (legacy)
command: /bin/true
notify: "restart minifirewall (legacy)"
tags:
- always
when:
- minifirewall_install_mode == 'legacy'
- minifirewall_restart_force | bool
@ -131,6 +172,8 @@
- name: Force restart minifirewall (modern)
command: /bin/true
notify: "restart minifirewall (modern)"
tags:
- always
when:
- minifirewall_install_mode != 'legacy'
- minifirewall_restart_force | bool
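Review bot: `Config tasks (modern mode)` puts `tags: [manage]` directly on the `include_tasks`, whereas its legacy sibling and both tail tasks use `args: apply: tags: [manage]`. With dynamic `include_tasks` a tag on the include only governs whether the include itself runs; the tasks inside `config.yml` keep their own (here, none) tags, so `ansible-playbook --tags manage` enters the include and then skips every task in it on modern hosts while legacy hosts do get their config updated. Move the tag under apply to match: `args:` / `  apply:` / `    tags: [manage]`. The `Force restart minifirewall (legacy)` task also places `tags:` before `when:`, which is valid but inconsistent with every other task in the file.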


@ -3,7 +3,7 @@
- fail:
msg: Not compatible with Debian 11 (Bullseye)
when:
- ansible_distribution_release == "bullseye"
- ansible_distribution_release == "bullseye"
- mongodb_version is version('5.0', '<')
- name: Look for legacy apt keyring
@ -20,8 +20,8 @@
- name: Add MongoDB GPG key
copy:
src: "server-{{mongodb_version}}.asc"
dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc"
src: "server-{{ mongodb_version }}.asc"
dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
force: yes
mode: "0644"
owner: root
@ -29,16 +29,16 @@
- name: Enable APT sources list
apt_repository:
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
state: present
filename: "mongodb-org-{{mongodb_version}}"
filename: "mongodb-org-{{ mongodb_version }}"
update_cache: yes
- name: Disable unsigned APT sources list
apt_repository:
repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"
repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main"
state: absent
filename: "mongodb-org-{{mongodb_version}}"
filename: "mongodb-org-{{ mongodb_version }}"
update_cache: yes
- name: Install packages


@ -14,7 +14,7 @@
- name: Add MongoDB GPG key
copy:
src: "server-{{mongodb_version}}.asc"
src: "server-{{ mongodb_version }}.asc"
dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
force: yes
mode: "0644"
@ -25,14 +25,14 @@
apt_repository:
repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
state: present
filename: "mongodb-org-{{mongodb_version}}"
filename: "mongodb-org-{{ mongodb_version }}"
update_cache: yes
- name: Disable unsigned APT sources list
apt_repository:
repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
state: absent
filename: "mongodb-org-{{mongodb_version}}"
filename: "mongodb-org-{{ mongodb_version }}"
update_cache: yes
- name: Install packages


@ -14,8 +14,8 @@
- name: Add MongoDB GPG key
copy:
src: "server-{{mongodb_version}}.asc"
dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
src: "server-{{ mongodb_version }}.asc"
dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{ mongodb_version }}.asc"
force: yes
mode: "0644"
owner: root
@ -23,16 +23,16 @@
- name: Enable APT sources list
apt_repository:
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main"
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main"
state: present
filename: "mongodb-org-{{mongodb_version}}"
filename: "mongodb-org-{{ mongodb_version }}"
update_cache: yes
- name: Disable APT sources list
apt_repository:
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{mongodb_version}} main"
repo: "deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/{{ mongodb_version }} main"
state: absent
filename: "mongodb-org-{{mongodb_version}}"
filename: "mongodb-org-{{ mongodb_version }}"
update_cache: yes
- name: Install packages


@ -85,7 +85,7 @@
src: /usr/share/munin/plugins/sensors_
dest: "/etc/munin/plugins/sensors_{{ item }}"
state: link
with_items:
with_items:
- fan
- temp
when: ansible_virtualization_role == "host"


@ -5,7 +5,7 @@
- include_role:
name: evolix/remount-usr
when: _mysql_scripts_dir is search ("/usr")
when: _mysql_scripts_dir is search("/usr")
- name: Scripts directory exists
file:
@ -106,7 +106,7 @@
name: evolix/remount-usr
tags:
- mysql
when: _mysql_scripts_dir is search ("/usr")
when: _mysql_scripts_dir is search("/usr")
- name: mysqltuner is installed
# copy:
@ -132,7 +132,7 @@
name: evolix/remount-usr
tags:
- mysql
when: _mysql_scripts_dir is search ("/usr")
when: _mysql_scripts_dir is search("/usr")
- name: mysql-optimize.sh is installed
copy:
@ -203,7 +203,7 @@
- include_role:
name: evolix/remount-usr
when: _mysql_scripts_dir is search ("/usr")
when: _mysql_scripts_dir is search("/usr")
- name: Install my-add.sh
copy:


@ -50,8 +50,10 @@ mysql_restart_if_needed: True
mysql_performance_schema: True
mysql_skip_enabled: False
# replication variables:
mysql_replication: false
mysql_replication: False
mysql_log_bin: null
mysql_binlog_format: mixed
mysql_server_id: null

mysql/files/mysql_skip.sh Normal file

@ -0,0 +1,47 @@
#!/bin/sh
# File containing error messages to skip (one per line).
error_messages="/etc/mysql_skip.conf"
# Sleep interval between 2 check.
sleep_interval="1"
# Exit when Seconds_Behind_Master reached 0.
exit_when_uptodate="false"
# Options to pass to mysql.
#mysql_opt="-P 3307"
# File to log skipped queries to (leave empty for no logs).
log_file="/var/log/mysql_skip.log"
mysql_skip_error() {
error="$1"
error="$(date --iso-8601=seconds) Skiping: $error"
printf "Skipping: $error\n"
mysql $mysql_opt -e 'SET GLOBAL SQL_SLAVE_SKIP_COUNTER=1; START SLAVE;'
[ -n "$log_file" ] && echo "$error" >>"$log_file"
}
while true; do
slave_status="$(mysql $mysql_opt -e 'SHOW SLAVE STATUS\G')"
seconds_behind_master=$(echo "$slave_status" |grep 'Seconds_Behind_Master: ' |awk -F ' ' '{print $2}')
last_SQL_error="$(echo "$slave_status" |grep 'Last_SQL_Error: ' |sed 's/^.\+Last_SQL_Error: //')"
if [ "$seconds_behind_master" = "0" ]; then
#printf 'Replication is up to date!\n'
if [ "$exit_when_uptodate" = "true" ]; then
exit 0
fi
elif [ -z "$last_SQL_error" ]; then
sleep $sleep_interval
elif echo "$last_SQL_error" |grep -q -f $error_messages; then
mysql_skip_error "$last_SQL_error"
fi
sleep 1
done
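Review bot: A blank line in `/etc/mysql_skip.conf` turns `grep -q -f $error_messages` on the `elif` line into a match-everything pattern, so every replication error would be skipped automatically; guard at start-up with `if grep -q '^[[:space:]]*$' "$error_messages"; then echo "blank pattern line in $error_messages" >&2; exit 1; fi` and quote `"$error_messages"` in the grep call. In `mysql_skip_error`, `printf "Skipping: $error\n"` uses the error text as the format string (a `%` in an SQL error message breaks it) and prints the prefix twice since `$error` already starts with `Skiping:`; `printf '%s\n' "$error"` fixes both and the typo. The loop sleeps twice per iteration (`sleep $sleep_interval` then the unconditional `sleep 1`), so `sleep_interval` is not the effective interval. `SQL_SLAVE_SKIP_COUNTER` is presumably rejected when GTID-based replication is in use, which the script does not detect — a comment at the top stating the supported replication mode would save operators a surprise.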


@ -45,3 +45,5 @@
- include_tasks: log2mail.yml
- include_tasks: utils.yml
- include_tasks: mysql_skip.yml


@ -0,0 +1,54 @@
---
- name: "Copy script mysql_skip.sh into /usr/local/bin/"
copy:
src: mysql_skip.sh
dest: "/usr/local/bin/mysql_skip.sh"
owner: root
group: root
mode: "0700"
force: yes
tags:
- mysql_skip
- name: "Copy config file for mysql_skip.sh"
template:
src: mysql_skip.conf.j2
dest: "/etc/mysql_skip.conf"
owner: root
group: root
mode: "0600"
tags:
- mysql_skip
- name: "Create log file for mysql_skip.sh"
file:
path: "/var/log/mysql_skip.log"
state: touch
owner: root
group: adm
mode: "0640"
tags:
- mysql_skip
- name: "Copy logrotate file for mysql_skip.sh"
template:
src: mysql_skip.logrotate.j2
dest: "/etc/logrotate.d/mysql_skip"
owner: root
group: root
mode: "0600"
tags:
- mysql_skip
- name: "Copy mysql_skip.sh systemd unit"
template:
src: mysql_skip.systemd.j2
dest: /etc/systemd/system/mysql_skip.service
force: yes
- name: "Start or stop systemd unit"
systemd:
name: mysql_skip
daemon_reload: yes
state: "{{ mysql_skip_enabled | bool | ternary('started', 'stopped') }}"
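Review bot: The last two tasks (`Copy mysql_skip.sh systemd unit` and `Start or stop systemd unit`) carry no `tags:`, while the first four are tagged `mysql_skip`, so a run limited with `--tags mysql_skip` installs the script and config but never deploys or starts the unit; add `tags:` / `- mysql_skip` to both. `file: state: touch` on `/var/log/mysql_skip.log` updates the mtime on every run and always reports changed; adding `modification_time: preserve` and `access_time: preserve` to that task makes it idempotent. `force: yes` is reported by the truthy rule; `true` is the canonical form.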


@ -5,7 +5,7 @@
- include_role:
name: evolix/remount-usr
when: _mysql_scripts_dir is search ("/usr")
when: _mysql_scripts_dir is search("/usr")
- name: Ensure scripts directory exists
file:
@ -96,7 +96,7 @@
- include_role:
name: evolix/remount-usr
when: _mysql_scripts_dir is search ("/usr")
when: _mysql_scripts_dir is search("/usr")
- name: Install mysqltuner
# copy:
@ -132,7 +132,7 @@
- include_role:
name: evolix/remount-usr
when: _mysql_scripts_dir is search ("/usr")
when: _mysql_scripts_dir is search("/usr")
- name: Optimize script for MySQL
copy:
@ -196,7 +196,7 @@
- include_role:
name: evolix/remount-usr
when: _mysql_scripts_dir is search ("/usr")
when: _mysql_scripts_dir is search("/usr")
- name: Install my-add.sh
copy:


@ -0,0 +1 @@
## Put your matched patern here ##
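Review bot: This file is consumed by `grep -f`, which has no comment syntax, so the placeholder `## Put your matched patern here ##` is itself a (harmless, non-matching) pattern and operators cannot add real comments; fix the typo `patern` while here. Because an empty line matches every replication error, the placeholder should say so, e.g. `## one grep pattern per line - never leave an empty line, it matches everything ##`. Since this is a Jinja template, rendering the patterns from a list variable one per line would be a more robust way to let roles supply them than editing a literal placeholder.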


@ -0,0 +1,10 @@
/var/log/mysql_skip.log {
missingok
notifempty
monthly
rotate 12
compress
create 640 root adm
dateext
dateformat -%Y%m%d%H
}


@ -0,0 +1,16 @@
[Unit]
Description=Script for skip define mysql replication errors
[Service]
ExecStart=/usr/local/bin/mysql_skip.sh
Type=simple
User=root
Group=root
PIDFile=/run/mysql_skip.pid
ExecStop=/bin/kill -- $MAINPID
KillMode=process
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
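Review bot: `PIDFile=/run/mysql_skip.pid` has no effect with `Type=simple` and the script never writes a PID file, so systemd will only log a warning about it; drop the line. `ExecStop=/bin/kill -- $MAINPID` is already systemd's default stop behaviour and can go as well. With `KillMode=process` only the shell is signalled, so an in-flight `mysql` or `sleep` child is presumably left to finish on its own — the default `control-group` is the safer choice unless that was deliberate, in which case a comment should say why. `Description=Script for skip define mysql replication errors` reads awkwardly; `Description=Skip configured MySQL replication errors` is clearer.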


@ -1,4 +1,4 @@
# {{ansible_managed}}
# {{ ansible_managed }}
[mysqld]
{% if mysql_log_bin %}


@ -0,0 +1,83 @@
#!/bin/bash
# https://forge.evolix.org/projects/evolix-private/repository
#
# You should not alter this file.
# If you need to, create and customize a copy.
set -e
readonly PROGNAME=$(basename $0)
readonly PROGDIR=$(readlink -m $(dirname $0))
readonly ARGS="$@"
usage() {
echo "$PROGNAME action prefix"
}
disable_alerts () {
disabled_file="$1_disabled"
enabled_file="$1_enabled"
if [ -e "${enabled_file}" ]; then
mv "${enabled_file}" "${disabled_file}"
else
touch "${disabled_file}"
chmod 0644 "${disabled_file}"
fi
}
enable_alerts () {
disabled_file="$1_disabled"
enabled_file="$1_enabled"
if [ -e "${disabled_file}" ]; then
mv "${disabled_file}" "${enabled_file}"
else
touch "${enabled_file}"
chmod 0644 "${enabled_file}"
fi
}
now () {
date --iso-8601=seconds
}
log_disable () {
echo "$(now) - alerts disabled by $(logname || echo unknown)" >> $1
}
log_enable () {
echo "$(now) - alerts enabled by $(logname || echo unknown)" >> $1
}
main () {
local action=$1
local prefix=$2
local base_dir="/var/lib/misc"
mkdir -p "${base_dir}"
local file_path="${base_dir}/${prefix}_alerts"
local log_file="/var/log/${prefix}_alerts.log"
case "$action" in
enable)
enable_alerts ${file_path}
log_enable ${log_file}
;;
disable)
disable_alerts ${file_path}
log_disable ${log_file}
;;
help)
usage
;;
*)
>&2 echo "Unknown action '$action'"
exit 1
;;
esac
}
main $ARGS
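Review bot: `prefix` (`$2`) is used unvalidated to build `${base_dir}/${prefix}_alerts` and `/var/log/${prefix}_alerts.log`, and since `alerts_wrapper` invokes this script through `sudo`, a value containing `/` would make a root process create or rename files outside `/var/lib/misc`; reject it at the top of `main` with `case "$prefix" in ''|*/*) >&2 echo "Invalid prefix '$prefix'"; exit 1 ;; esac`. `main $ARGS` re-splits the saved arguments on whitespace and globs; `main "$@"` keeps them intact, and `${file_path}` / `${log_file}` should be quoted where they are passed to the helpers. `PROGDIR` is assigned but never used. `set -e` is on, so a failing `logname` is already handled by the `|| echo unknown` fallback — worth a one-line comment so nobody removes it.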


@ -0,0 +1,217 @@
#!/bin/bash
# https://forge.evolix.org/projects/evolix-private/repository
#
# You should not alter this file.
# If you need to, create and customize a copy.
VERSION="21.04"
readonly VERSION
# base functions
show_version() {
cat <<END
alerts_wrapper version ${VERSION}
Copyright 2018-2021 Evolix <info@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>
and others.
alerts_wrapper comes with ABSOLUTELY NO WARRANTY.This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
alerts_wrapper is supposed to wrap an NRPE command and overrides the return code.
Usage: alerts_wrapper --limit=1d --name=check_name command with optional arguments
or alerts_wrapper --name=check_name command with optional arguments
or alerts_wrapper check_name command with optional arguments
Options
--limit max age of the "check file" ;
can be "1d" for 1 day, "5m" for 5 minutes…
or more complex expressions like "1w2d10m42s"
--name check name
-h, --help print this message and exit
-V, --version print version and exit
END
}
time_in_seconds() {
if echo "${1}" | grep -E -q '^([0-9]+[wdhms])+$'; then
echo "${1}" | sed 's/w/ * 604800 + /g; s/d/ * 86400 + /g; s/h/ * 3600 + /g; s/m/ * 60 + /g; s/s/ + /g; s/+ $//' | xargs expr
elif echo "${1}" | grep -E -q '^([0-9]+$)'; then
echo "${1} * 3600" | xargs expr
else
return 1
fi
}
delay_from_alerts_disabled_file() {
last_change=$(stat -c %Z "${alerts_disabled_file}")
limit_seconds=$(time_in_seconds "${wrapper_limit}" || time_in_seconds "${wrapper_limit_default}")
limit_date=$(date --date "${limit_seconds} seconds ago" +"%s")
echo $(( last_change - limit_date ))
}
enable_check() {
if [ "$(id -u)" -eq "0" ] ; then
/usr/local/bin/alerts_switch enable "${check_name}"
else
sudo /usr/local/bin/alerts_switch enable "${check_name}"
fi
}
main() {
${check_command} > "${check_stdout}"
check_rc=$?
readonly check_rc
delay=0
if [ -e "${alerts_disabled_file}" ]; then
delay=$(delay_from_alerts_disabled_file)
if [ "${delay}" -le "0" ]; then
enable_check
fi
fi
if [ -e "${alerts_disabled_file}" ]; then
formatted_last_change=$(date --date "@$(stat -c %Z "${alerts_disabled_file}")" +'%c')
readonly formatted_last_change
echo "ALERTS DISABLED for ${check_name} (since ${formatted_last_change}, delay: ${delay} sec) - $(cat "${check_stdout}")"
if [ ${check_rc} = 0 ]; then
# Nagios OK
exit 0
else
# Nagios WARNING
exit 1
fi
else
cat "${check_stdout}"
exit ${check_rc}
fi
}
# Default: 1 day before re-enabling the check
wrapper_limit_default="1d"
readonly wrapper_limit_default
if [[ "${1}" =~ -.* ]]; then
# parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case $1 in
-h|-\?|--help)
show_help
exit 0
;;
-V|--version)
show_version
exit 0
;;
--limit)
# with value separated by space
if [ -n "$2" ]; then
wrapper_limit=$2
shift
else
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--limit=?*)
# with value speparated by =
wrapper_limit=${1#*=}
;;
--limit=)
# without value
printf 'ERROR: "--limit" requires a non-empty option argument.\n' >&2
exit 1
;;
--name)
# with value separated by space
if [ -n "$2" ]; then
check_name=$2
shift
else
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
exit 1
fi
;;
--name=?*)
# with value speparated by =
check_name=${1#*=}
;;
--name=)
# without value
printf 'ERROR: "--name" requires a non-empty option argument.\n' >&2
exit 1
;;
--)
# End of all options.
shift
break
;;
-?*)
# ignore unknown options
printf 'WARN: Unknown option : %s\n' "$1" >&2
exit 1
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
# The rest is the command
check_command="$*"
else
# no option is passed (backward compatibility with previous version)
# treat the first argument as check_name and the rest as the command
check_name="${1}"
shift
check_command="$*"
fi
# Default values or errors
if [ -z "${wrapper_limit}" ]; then
wrapper_limit="${wrapper_limit_default}"
fi
if [ -z "${check_name}" ]; then
printf 'ERROR: You must specify a check name, with --name.\n' >&2
exit 1
fi
if [ -z "${check_command}" ]; then
printf 'ERROR: You must specify a command to execute.\n' >&2
exit 1
fi
readonly check_name
readonly check_command
readonly wrapper_limit
alerts_disabled_file="/var/lib/misc/${check_name}_alerts_disabled"
readonly alerts_disabled_file
check_file="/var/lib/misc/${check_name}_alerts_disabled"
readonly check_file
check_stdout=$(mktemp --tmpdir=/tmp "${check_name}_stdout.XXXX")
readonly check_stdout
# shellcheck disable=SC2064
trap "rm ${check_stdout}" EXIT
main
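Review bot: `check_file` is assigned the same path as `alerts_disabled_file`, made readonly and never read, so the two lines after `readonly alerts_disabled_file` can be deleted. The `-?*` branch of the option parser is commented `ignore unknown options` but exits 1, so either the comment or the behaviour should change. `check_name` is interpolated into `/var/lib/misc/${check_name}_alerts_disabled`, the `mktemp` template and the `sudo alerts_switch` call without validation; a character whitelist before `readonly check_name`, e.g. `case "${check_name}" in ''|*[!A-Za-z0-9_.-]*) printf 'ERROR: invalid check name\n' >&2; exit 1 ;; esac`, keeps all three uses safe. `${check_command} > "${check_stdout}"` is deliberately unquoted to split the command back into words, but that also glob-expands its arguments; a comment stating the intent, and `set -f` before the call if globbing is unwanted, would make that explicit.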


@ -59,9 +59,9 @@ delay_from_check_file() {
enable_check() {
if [ "$(id -u)" -eq "0" ] ; then
/usr/share/scripts/alerts_switch enable "${check_name}"
/usr/local/bin/alerts_switch enable "${check_name}"
else
sudo /usr/share/scripts/alerts_switch enable "${check_name}"
sudo /usr/local/bin/alerts_switch enable "${check_name}"
fi
}
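Review bot: The move to `/usr/local/bin/alerts_switch` only works if the sudoers entry that lets the NRPE user run the script names the new path; that rule is not part of this diff, so it is presumably managed elsewhere and must be updated in the same release, otherwise the `sudo` branch is denied and a disabled check is never re-enabled. `enable_check` is shown in full but the rest of the file lies outside the hunk.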


@ -56,20 +56,20 @@ for pool_file in $POOL_FILES; do
if [ "${ret}" -ge 2 ]; then
nb_crit=$((nb_crit + 1))
output="${output}${result}\n"
[ "${return}" -le 2 ] && return=2
elif [ "${ret}" -ge 1 ]; then
nb_warn=$((nb_warn + 1))
output="${output}${result}\n"
[ "${return}" -le 1 ] && return=1
else
nb_ok=$((nb_ok + 1))
output="${output}$(echo "$result" | cut -d '|' -f1)\n"
[ "${return}" -le 0 ] && return=0
fi
result_status=$(echo ${result} | awk -F' - ' '{ print $1}')
result_content=$(echo ${result} | awk -F' - ' '{ print $2}')
output="${output}${result_status} - ${pool_file} - ${result_content}\n"
done;
done
[ "${return}" -ge 0 ] && header="OK"
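Review bot: The new `result_status` / `result_content` lines use `echo ${result}` unquoted, so the check output is word-split and glob-expanded before awk sees it; write `echo "${result}"`. `awk -F' - ' '{ print $2}'` keeps only the second field, so a result containing ` - ` more than once is truncated; POSIX parameter expansion does the split without that loss: `result_status="${result%% - *}"` and `result_content="${result#* - }"`. The OK branch previously stripped perfdata with `cut -d '|' -f1` and the rewritten line no longer does, so the `|` section now appears in every OK line — confirm that is intended. The enclosing `for` loop starts before this hunk.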


@ -1,94 +1,190 @@
#!/bin/bash
# shellcheck disable=SC2207,SC2009,SC2076
# README
#
# Variable to adjust : is_master and vrrpd_processes.
# vrrpd_processes is the number of vrrpd processes that should run on the server.
# is_master defines whether the vrrpd group should be master (1) or backup (0).
#
# If some instances have to be master and some other have to be backup,
# then the value of is_master is 2 and the states has to be precised in arguments.
# e.g. : ./check_vrrpd master backup master
# The order is defined by the output order of `ps auwx | grep vrrp`
usage() {
cat << EOL
Usage :
RC=0
IFS='
'
$0 --master X,Y --backup Z
is_master=2 # 1 if master ; 0 if backup ; 2 if mixed master and backup, in this case, it has to be precised in arguments
vrrpd_processes=3 # number of vrrpd processes that should be running
is_vrrpd_running=$(sudo /usr/lib/nagios//plugins/check_procs -C vrrpd -c $vrrpd_processes:$vrrpd_processes)
rc_is_vrrpd_running=$?
IP_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $--NF}'; done))
INT_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $13}'; done))
ID_vrrpd=($(for i in $(ps auwx | grep vrrpd | grep -v grep | grep -v check); do echo $i | awk '{print $19}'; done))
-m|--master ID_MASTER # VRRP ID that should be master, separated by a comma ","
-b|--backup ID_BACKUP # VRRP ID that should be backup, separated by a comma ","
[--vrrpd] # Check for vrrpd daemon (default)
[--uvrrpd] # Check for uvrrpd daemon
EOL
}
if [[ $rc_is_vrrpd_running -ne 0 ]]; then
echo $is_vrrpd_running instead of $vrrpd_processes
unset ID_master
unset ID_backup
vrrpd_option="unset"
uvrrpd_option="unset"
unset critical_output
critical_state="unset"
unset warning_output
warning_state="unset"
unset ok_output
ok_state="unset"
exit_code=0
used_daemon="vrrpd"
IFS="
"
# If no argument then show usage
if [ "$#" -eq 0 ]; then
usage
exit 2
fi
for i in $(seq 0 $((${#ID_vrrpd[*]}-1))); do
ifconfig vrrp_${ID_vrrpd[$i]}_${INT_vrrpd[$i]} >/dev/null 2>&1
# If has interface
if [[ $? -eq 0 ]]; then
# If has to be master : OK
if [[ $is_master -eq 1 ]]; then
echo OK - ${IP_vrrpd[$i]} exists and is master
# If has to be backup : KO
elif [[ $is_master -eq 0 ]]; then
echo CRITICAL - ${IP_vrrpd[$i]} exists whereas it should be backup
RC=2
# We retrieve the state it should be from args
elif [[ $is_master -eq 2 ]]; then
arg=$(($i+1))
state=${!arg}
# If has to be master : OK
if [[ $state = master ]]; then
echo OK - ${IP_vrrpd[$i]} exists and is master
# If has to be backup : KO
elif [[ $state = backup ]]; then
echo CRITICAL - ${IP_vrrpd[$i]} exists whereas it should be backup
RC=2
while :; do
case $1 in
-h|-\?|--help) # Call a "usage" function to display a synopsis, then exit.
usage
exit
;;
-m|--master) # Takes an option argument, ensuring it has been specified.
if [ -n "$2" ]; then
ID_master=($(echo "$2" | tr "," "\n")) # Make an array with values separated by ","
shift
else
echo "CRITICAL - The arguments have to be master or backup. Exiting"
printf 'ERROR: "--master" requires a non-empty option argument.\n' >&2
exit 2
fi
# Unknown
else
RC=3
fi
# If hasn't interface
elif [[ $? -ne 0 ]]; then
# If has to be master : KO
if [[ $is_master -eq 1 ]]; then
echo CRITICAL - ${IP_vrrpd[$i]} does not exist whereas it should be master
RC=2
# If has to be backup : OK
elif [[ $is_master -eq 0 ]]; then
echo OK - ${IP_vrrpd[$i]} is backup
# We retrieve the state it should be from args
elif [[ $is_master -eq 2 ]]; then
arg=$(($i+1))
state=${!arg}
# If has to be master : KO
if [[ $state = master ]]; then
echo CRITICAL - ${IP_vrrpd[$i]} does not exist whereas it should be master
RC=2
# If has to be backup : OK
elif [[ $state = backup ]]; then
echo OK - ${IP_vrrpd[$i]} is backup
;;
-b|--backup) # Takes an option argument, ensuring it has been specified.
if [ -n "$2" ]; then
ID_backup=($(echo "$2" | tr "," "\n")) # Make an array with values separated by ","
shift
else
echo "CRITICAL - The arguments have to be master or backup. Exiting"
printf 'ERROR: "--backup" requires a non-empty option argument.\n' >&2
exit 2
fi
# Unknown
else
RC=3
fi
# Unknown
else
RC=3
fi
;;
--vrrpd)
used_daemon="vrrpd"
vrrpd_option="set"
;;
--uvrrpd)
used_daemon="uvrrpd"
uvrrpd_option="set"
;;
-?*)
printf 'WARNING: Unknown option (ignored): %s\n' "$1" >&2
;;
*) # Default case: If no more options then break out of the loop.
break
esac
shift
done
exit $RC
# Make sure that each given ID is given once only
all_ID=("${ID_master[@]}" "${ID_backup[@]}")
uniqueNum=$(printf '%s\n' "${all_ID[@]}"|awk '!($0 in seen){seen[$0];c++} END {print c}')
if [ "$uniqueNum" != ${#all_ID[@]} ]; then
echo "ERROR : At least one VRRP ID is given multiple times"
exit 2
fi
# Make sure --vrrpd and --uvrrpd are not both set
if [ $vrrpd_option = "set" ] && [ $uvrrpd_option = "set" ]; then
echo "ERROR : You cannot set both parameters --vrrpd and --uvrrpd"
exit 2
fi
# Make sure no sysclt parameter "rp_filter" is set to 1
if grep -q 1 /proc/sys/net/ipv4/conf/*/rp_filter; then
critical_output="${critical_output}CRITICAL - rp_filter is set to 1 at least for one interface\n"
critical_state="set"
fi
vrrpd_processes_number=$((${#ID_master[@]}+${#ID_backup[@]})) # Number of vrrpd processes that should be running = length of arrays ID_master + ID_backup
regex_ipv4="((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])"
regex_ipv6="(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))"
vrrpd_processes=$(ps auwx | grep "$used_daemon" | grep -v -e grep -e check)
ID_running_vrrpd=($(for i in ${vrrpd_processes}; do echo "$i" | grep -Eo -- "-v [0-9]+" | awk '{print $2}'; done))
# Check the number of running vrrpd processes in comparison to the number of ID given
if ! sudo /usr/lib/nagios/plugins/check_procs -C "$used_daemon" -c $vrrpd_processes_number:$vrrpd_processes_number >/dev/null; then
critical_output="${critical_output}CRITICAL : $vrrpd_processes_number VRRP ID are given but $(ps auwx | grep "$used_daemon" | grep -v -e grep -e check -c) $used_daemon processes are running\n"
if pgrep uvrrp >/dev/null && [ $uvrrpd_option = "unset" ]; then
critical_output="${critical_output}It seems that uvrrpd is running. Use parameter --uvrrpd\n"
fi
critical_state="set"
fi
IFS=" "
# For each ID_master, make sure a process exist
if [ ${#ID_master[@]} -ne 0 ]; then
for i in "${ID_master[@]}"; do
# If array contains the current ID, then a process exist, and we have to make sure the corresponding interface exists
if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then
vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i ")
INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}')
IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}")
if [ "$used_daemon" = "vrrpd" ]; then
int_name="vrrp_${i}_${INT_current_vrrpd}"
elif [ "$used_daemon" = "uvrrpd" ]; then
int_name="${INT_current_vrrpd}_${i}"
fi
if /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"; then
ok_output="${ok_output}OK - ID $i has a process and $IP_current_vrrpd is master\n"
ok_state="set"
else
warning_output="${warning_output}WARNING - The IP $IP_current_vrrpd for ID $i is backup while it should be master\n"
warning_state="set"
fi
else
critical_output="${critical_output}CRITICAL - No process is running for VRRP ID $i\n"
critical_state="set"
fi
done
fi
# For each ID_backup, make sure a process exist
if [ ${#ID_backup[@]} -ne 0 ]; then
for i in "${ID_backup[@]}"; do
# If array contains the current ID, then a process exist, and we have to make sure the corresponding interface does not exist
if [[ " ${ID_running_vrrpd[*]} " =~ " $i " ]]; then
vrrpd_current_proccess=$(echo "$vrrpd_processes" | grep -E -- "-v $i ")
INT_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo -- "-i \S+" | awk '{print $2}')
IP_current_vrrpd=$(echo "$vrrpd_current_proccess" | grep -Eo "${regex_ipv4}|${regex_ipv6}")
if [ "$used_daemon" = "vrrpd" ]; then
int_name="vrrp_${i}_${INT_current_vrrpd}"
elif [ "$used_daemon" = "uvrrpd" ]; then
int_name="${INT_current_vrrpd}_${i}"
fi
if ! /sbin/ifconfig "$int_name" 2> /dev/null | grep -q "$IP_current_vrrpd"; then
ok_output="${ok_output}OK - ID $i has a process and $IP_current_vrrpd is backup\n"
ok_state="set"
else
warning_output="${warning_output}WARNING - The IP $IP_current_vrrpd for ID $i is master while it should be backup\n"
warning_state="set"
fi
else
critical_output="${critical_output}CRITICAL - No process is running for VRRP ID $i\n"
critical_state="set"
fi
done
fi
# Make $exit_code the highest set
if [ "$critical_state" = "set" ]; then
exit_code=2
elif [ "$warning_state" = "set" ]; then
exit_code=1
elif [ "$ok_state" = "set" ]; then
exit_code=0
fi
# Echo most critical output first, least last
if [ -n "$critical_output" ]; then
echo -e "$critical_output" | grep -v "^$"
fi
if [ -n "$warning_output" ]; then
echo -e "$warning_output" | grep -v "^$"
fi
if [ -n "$ok_output" ]; then
echo -e "$ok_output" | grep -v "^$"
fi
exit $exit_code
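Review bot: The VRRP IDs from `--master` / `--backup` are interpolated unvalidated into `grep -E -- "-v $i "` and the interface names, so a non-numeric value silently changes the regex or matches nothing; validate them where the uniqueness check runs, e.g. `for i in "${all_ID[@]}"; do case "$i" in ''|*[!0-9]*) echo "ERROR : VRRP ID '$i' is not numeric"; exit 2 ;; esac; done`. Unknown options only print a warning and continue, while every other argument error exits 2 — for a Nagios plugin an unknown option is presumably a configuration mistake and should be reported the same way. `grep -E -- "-v $i "` relies on a trailing space after the ID, so a process whose `-v ID` argument is the last one on its command line would not be found; `"-v $i( |$)"` covers both forms. The old-version lines mixed into this hunk are history and were not reviewed.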


@ -58,7 +58,7 @@
- include_role:
name: evolix/remount-usr
when: nagios_plugins_directory is search ("/usr")
when: nagios_plugins_directory is search("/usr")
tags:
- nagios-nrpe
- nagios-plugins
@ -83,3 +83,5 @@
notify: restart nagios-nrpe-server
tags:
- nagios-nrpe
- include_tasks: wrapper.yml
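Review bot: The new `- include_tasks: wrapper.yml` has no `tags:`, while the neighbouring tasks are tagged `nagios-nrpe`, so a run limited with `--tags nagios-nrpe` skips the wrapper deployment entirely; add `tags:` / `- nagios-nrpe` to the include, with `apply:` if the included tasks should inherit the tag as well. The file continues outside the hunk.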


@ -0,0 +1,42 @@
---
- name: "Remount /usr if needed"
include_role:
name: remount-usr
- name: check if old script is present
stat:
path: /usr/share/scripts/alerts_switch
register: old_alerts_switch
- name: alerts_switch is at the right place
command: "mv /usr/share/scripts/alerts_switch /usr/local/bin/alerts_switch"
args:
creates: /usr/local/bin/alerts_switch
when: old_alerts_switch.stat.exists
- name: "copy alerts_switch"
copy:
src: alerts_switch
dest: /usr/local/bin/alerts_switch
owner: root
group: root
mode: "0750"
force: yes
- name: "symlink for backward compatibility"
file:
src: /usr/local/bin/alerts_switch
dest: /usr/share/scripts/alerts_switch
state: link
when: old_alerts_switch.stat.exists
- name: "copy alerts_wrapper"
copy:
src: alerts_wrapper
dest: "{{ nagios_plugins_directory }}/alerts_wrapper"
owner: root
group: staff
mode: "0755"
force: yes
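Review bot: The remount role is included here as `name: remount-usr`, whereas the other task files in this commit use `name: evolix/remount-usr`; depending on `roles_path` one of the two spellings will not resolve, so use the same form as the rest of the repository. `force: yes` on both `copy` tasks is reported by the truthy rule; `true` is the canonical form. The migration sequence (stat, `mv` guarded by `creates`, then a symlink back at the old path) looks idempotent on a second run, since the symlink makes `stat` report `exists` and the `mv` is skipped — a short comment above `check if old script is present` explaining that the symlink is kept only for hosts that had the old location would help the next maintainer.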
